Page history for dslab:vpnconfig: revision 2011/06/10 15:55 by wedge (section "copy necessary key files to server") compared with the current revision, 2011/06/15 15:50 by hps1 (section "copy necessary key files to server directory").
======DSLAB VPN access======
The DSLAB provides OpenVPN access to authorized individuals. In order to utilize it, two steps need to take place:
  - generate a certificate on the DSLAB router
  - place the necessary cert/key files and config file on the client machine

=====Generate VPN certificates=====
To perform this step, one needs to become root on juicebar, and change into the **/

Perform the following steps:

====Establish variables====
Run the **vars** script as follows:

<cli prompt="#">
juicebar:/
NOTE: If you run ./
juicebar:/
</cli>

<WRAP round warning box>You do **not** want to run clean-all, but you do want to see that message (and promptly ignore it). If you run clean-all, all existing certs/keys will be removed, preventing everyone from utilizing the DSLAB VPN.</WRAP>

====Generate the key====
Next, we run the **build-key** script. Please substitute your DSLAB username in place of **//

<cli>
juicebar:/
Generating a 1024 bit RSA private key
.......................++++++
.............................................................................++++++
writing new private key to '
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '
-----
</cli>

You will then be immediately prompted for additional information that will be embedded within the key. For consistency,

Note that for several of the prompts, you'll just want to hit ENTER to accept the defaults.

<cli>
Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [Upstate]:
Organization Name (eg, company) [BITS]:
Organizational Unit Name (eg, section) []:DSLAB
Common Name (eg, your name or your server'
Email Address [haas@corning-cc.edu]:

Please enter the following '
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /
DEBUG[load_index]:
Check that the request matches the signature
Signature ok
The Subject'
countryName
stateOrProvinceName
localityName
organizationName
organizationalUnitName:
commonName
emailAddress
Certificate is to be certified until Jun 7 15:39:08 2021 GMT (3650 days)
Sign the certificate?


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
</cli>

====archive the key files====
With the new keys created, we should archive them up for transfer to our client machine. So, still on juicebar, do the following:

<cli prompt="#">
juicebar:/
juicebar:/
ca.crt
client-username.crt
client-username.key
juicebar:/
</cli>

====copy necessary key files to server directory====
Not only will you need some files on the client-side,

<cli>
juicebar:/
juicebar:/
</cli>

If you neglect to do this (or your keyfiles are removed from the **/

======VPN client config======

There are mildly different ways to configure a VPN client depending on the OS.

=====Linux=====
If your client is a Linux system, you'll need to install **OpenVPN** (on Debian-like systems, there should be a package called **openvpn**).

If the installation of OpenVPN does not create **/

====keys====
Remember that **client-username.tar** file you created when generating the key files? You'll want to copy that file to your local system, and place the contents into **/

====config====
Additionally,

<code>
##############################################################################
#
# DSLAB OpenVPN Client Configuration File (sample)
#
# This configuration is to facilitate the joining of the DSLAB VPN.
#
#
# name on the VPN certificate/
#
##############################################################################

##############################################################################
# VPN Server Information
##############################################################################
remote
port 1194 # Port on which to connect on server
proto

##############################################################################
#
##############################################################################
dev-type
dev

##############################################################################
#
##############################################################################
cd /
key
ca dslab/
cert dslab/
tls-cipher

##############################################################################
#
##############################################################################
comp-lzo
keepalive
nobind
persist-key
persist-tun
pull # Follow route suggestions of server
resolv-retry
route-delay
tls-client

##############################################################################
#
##############################################################################
chroot
user nobody
group
daemon

##############################################################################
#
##############################################################################
#
log-append
verb 3 # level of activity to log (0-11)
mute 20 # log at most N consecutive messages

##############################################################################
</code>

Obviously, replace client-**USER** with your username (the same you specified when generating the key).

Also, create a **/

Finally, make sure that user **nobody** and group **nobody** exist (on some systems you may have a **nogroup** instead of **nobody**, in which case change that line in the config appropriately).
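Before testing, it is worth checking the finished client config for the mistakes this section warns about. The following is an added example, not part of the wiki page or the DSLAB setup: a small Python audit that parses a client config laid out like the sample above and flags a leftover client-USER placeholder, a missing tls-client, a user/group drop without persist-key/persist-tun, and compression. The embedded sample config, its remote host and the username used in the check are constructed placeholders.

```python
# Added example, not from the DSLAB wiki. Constructed sample client config;
# the remote host and client-USER are placeholders to be replaced.
SAMPLE_CONFIG = """\
remote vpn.example.invalid   # placeholder, not the DSLAB router
port 1194 # Port on which to connect on server
dev tap0
cd /etc/openvpn
key dslab/client-USER.key
ca dslab/ca.crt
cert dslab/client-USER.crt
comp-lzo
persist-key
persist-tun
tls-client
user nobody
group nobody
"""

def parse_config(text):
    """Map each directive to its argument list; '#' and ';' begin comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf

def audit(conf):
    """Return (code, message) findings for the mistakes the wiki page warns about."""
    findings = []
    for d in ("remote", "ca", "cert", "key"):
        if not conf.get(d):  # absent, or present with no argument
            findings.append(("MISSING_" + d.upper(), f"'{d}' is absent or has no argument"))
    if "tls-client" not in conf:
        findings.append(("NO_TLS_CLIENT", "tls-client missing: peer is not forced into TLS client role"))
    for d in ("cert", "key"):
        if conf.get(d) and "USER" in conf[d][0]:
            findings.append(("PLACEHOLDER", f"'{d}' still names client-USER; substitute your username"))
    if "user" in conf or "group" in conf:
        # After dropping to nobody, the daemon cannot re-read key files or reopen tap0 on a restart unless these are set.
        for d in ("persist-key", "persist-tun"):
            if d not in conf:
                findings.append(("NO_" + d.upper().replace("-", "_"), f"{d} missing alongside user/group drop"))
    else:
        findings.append(("RUNS_PRIVILEGED", "no user/group directives: daemon keeps root"))
    if "comp-lzo" in conf:
        findings.append(("COMPRESSION", "comp-lzo enables compression, deprecated in current OpenVPN"))
    return findings
```

Running `audit(parse_config(SAMPLE_CONFIG))` on the sample reports the two client-USER placeholders and the comp-lzo line; once those are fixed it returns an empty list.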

With this set, we can begin to test our config.

As root on your local machine (you'

<cli prompt="#">
yourmachine:
</cli>

If successful, your **tap0** interface (run **ifconfig**) will get an IP address and you'll be able to ping/

Things rarely work fully on the first attempt, be it that routes aren't properly propagated (requiring additional tweaking), or that DNS settings on the local machine need adjusting (add: nameserver 10.81.1.1 to your local **/

Additionally,

=====Mac OS X=====
While one could probably configure OpenVPN manually, there exist some graphical tools that are quite effective. ViscosityVPN is $9 and well worth the investment.

Additionally,

=====OpenBSD=====
Configuration will be similar to Linux, but network devices will differ.

=====Windows=====
There IS an OpenVPN client for Windows: ViscosityVPN, from the same developer that created the Mac version.