Difference between revisions of "OpenVPN"

From CSLabsWiki

Latest revision as of 17:31, 23 February 2018

OpenVPN
IP Address(es): 128.153.145.50
Contact Person: Milton Griffin
Last Update: February 2018
Services: OpenVPN 2.4.0


This service provides a VPN tunnel into COSI, authenticating with the user's LDAP login. The configuration file is available to any member of COSI at http://128.153.145.3/cosi_ldap.ovpn. Because that file is served over plain HTTP and embeds the CA certificate the client will trust, confirm its CA fingerprint with the contact person before the first connection.
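Before loading that profile into one of the clients described below, it is worth checking what it contains: it is fetched over plain HTTP, it carries the CA the client will trust, and the client configuration later on this page has no remote-cert-tls server line. The checker below is an added example, not part of this page or of the COSI service. The option names are real OpenVPN options; the profile path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the CSLabsWiki page): sanity-check a downloaded .ovpn
# profile before handing it to OpenVPN. The option names are real OpenVPN options;
# the profile path in the usage comment is an assumption.

# check_ovpn FILE - prints each problem found; returns the number of problems
check_ovpn() {
    file=$1
    problems=0

    # must be a client profile with a server to connect to
    grep -Eq '^[[:space:]]*client[[:space:]]*$' "$file" \
        || { echo "missing: client"; problems=$((problems + 1)); }
    grep -Eq '^[[:space:]]*remote[[:space:]]+[^[:space:]]+' "$file" \
        || { echo "missing: remote"; problems=$((problems + 1)); }

    # the CA the client will trust must be embedded, so it can be inspected here
    grep -q '^<ca>' "$file" \
        || { echo "missing: <ca> block"; problems=$((problems + 1)); }

    # without this, any certificate from the same CA (another client's, say) can pose as the server
    grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server' "$file" \
        || { echo "missing: remote-cert-tls server"; problems=$((problems + 1)); }

    # an LDAP-login profile should prompt for credentials, not read them from a file on disk
    if grep -Eq '^[[:space:]]*auth-user-pass[[:space:]]+[^[:space:]]+' "$file"; then
        echo "warning: auth-user-pass reads credentials from a file"
        problems=$((problems + 1))
    fi

    return $problems
}

# ca_fingerprint FILE - SHA-256 fingerprint of the embedded CA, to compare with a
# value obtained out of band (e.g. from the contact person); needs openssl
ca_fingerprint() {
    sed -n '/^<ca>/,/^<\/ca>/p' "$1" | sed '1d;$d' \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# usage: check_ovpn cosi_ldap.ovpn && ca_fingerprint cosi_ldap.ovpn
```

The return value is the number of findings, so the usage line only prints the fingerprint when the profile passed every check.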

Second Floor

The COSI second floor uses this service to share the networking infrastructure. All second floor machines are allocated COSI IP addresses and use Talos for DNS. The full documentation on how the link operates will be added later.

How To Run a Client

Each operating system has a different procedure for running the VPN client. macOS has not yet been tested.

Windows

Install OpenVPN-gui and move the configuration file to:

"C:/Program Files/OpenVPN/config/" in Windows

To start the VPN: start OpenVPN-gui, right-click the icon in the notification area and click Connect. NOTE: the configuration is plug and play on every platform except Windows. Windows clients additionally need IP routing enabled: press Win + R, run regedit and change

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter 

from 0 to 1. Next run services.msc, right-click 'Routing and Remote Access', select Properties, set the startup type to Automatic, then reboot. Note that IPEnableRouter makes Windows forward packets between all of its interfaces, not only the VPN tunnel, so the host firewall should restrict what gets forwarded. After the reboot, start OpenVPN-gui if it is not already running, right-click its icon in the notification area and click Connect.

Linux

Install the OpenVPN package and move the configuration file to:

"/etc/openvpn/" for Linux service 

or anywhere for ad-hoc use. To start the VPN manually on Linux, run

sudo openvpn --config /location/of/cosi.ovpn

To run it as a service that starts when the computer boots, note that the openvpn@NAME unit reads /etc/openvpn/NAME.conf, so the file must be saved as /etc/openvpn/cosi.conf (rename the .ovpn file); then run

sudo systemctl enable openvpn@cosi.service

(add --now to the enable command to start it immediately as well).

iOS

Install the OpenVPN Connect app from the App Store. Tap on the configuration file (easiest through email) and select "Open in OpenVPN". The app opens with the configuration menu showing. Press the connect switch to initiate the connection.

Android

Install the OpenVPN-Connect app from the play store. Open the app and select "Import" from the drop down menu (3 dots). Choose an import method and navigate to the configuration file. Press the connect switch to initiate the connection.

Key Management

This section is for the initial configuration. The CRL can only be generated once the CA exists, so the order is:

To make a new pki       : easyrsa init-pki
To make the new CA      : easyrsa build-ca
To make the revoke list : easyrsa gen-crl

This section explains how to make server and client certificates. nopass leaves the private keys unencrypted on disk, so the PKI directory must be readable by root only. build-server-full gives the server certificate the serverAuth extended key usage, which is what clients check with remote-cert-tls server.

To make the server      : easyrsa build-server-full servername nopass
To make the client      : easyrsa build-client-full clientname nopass

Move the needed files to the server's folder. The key file is named after the certificate name used above (servername.key). The CRL (pki/crl.pem) only takes effect if the server configuration references it with crl-verify, which the configuration below does not.

The system CA   : cp -a /etc/easyrsa/pki/ca.crt /etc/openvpn/server/pyxis.ca
The server crt  : cp -a /etc/easyrsa/pki/issued/servername.crt /etc/openvpn/server/server.crt
The server key  : cp -a /etc/easyrsa/pki/private/servername.key /etc/openvpn/server/server.key

The TLS key exchange uses Diffie-Hellman parameters, generated in the same server folder:

Go to the server folder : cd /etc/openvpn/server/
Generate the DH         : openssl dhparam -out dh2048.pem 2048
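The same PKI built with plain openssl, as an added example that is not the wiki's own procedure (which uses easy-rsa), so that what each easyrsa step produces is visible and can be verified before deployment: both certificates must chain to ca.crt, the server certificate must carry the serverAuth extended key usage that remote-cert-tls server on the clients relies on, and the client certificate must not. The directory and names (COSI-VPN-CA, cosi-server, cosi-client) are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the CSLabsWiki page): build a minimal OpenVPN PKI with
# openssl, standing in for easyrsa init-pki / build-ca / build-server-full /
# build-client-full, then verify it. Directory and names are assumptions.

# make_pki DIR - creates DIR/ca.crt, DIR/server.{crt,key}, DIR/client.{crt,key}
make_pki() {
    dir=$1
    mkdir -p "$dir"
    # CA: keep ca.key off the VPN server; the server only needs ca.crt
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -subj "/CN=COSI-VPN-CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # the extended key usage is what tells a server certificate from a client one:
    # remote-cert-tls server (client side) and remote-cert-tls client (server side) check it
    printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$dir/server.ext"
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$dir/client.ext"
    for name in server client; do
        openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=cosi-$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 825 -sha256 -extfile "$dir/$name.ext" \
            -out "$dir/$name.crt" 2>/dev/null
    done
    # nopass-style keys are unencrypted, so restrict them to the owner
    chmod 600 "$dir"/*.key
}

# verify_pki DIR - returns 0 only if both certificates chain to ca.crt and carry
# the correct extended key usage (and the client one is not usable as a server)
verify_pki() {
    dir=$1
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$dir/ca.crt" "$dir/client.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q 'TLS Web Server Authentication' || return 1
    openssl x509 -in "$dir/client.crt" -noout -text | grep -q 'TLS Web Client Authentication' || return 1
    # a client certificate must never pass as a server certificate
    openssl x509 -in "$dir/client.crt" -noout -text | grep -q 'TLS Web Server Authentication' && return 1
    return 0
}

# usage: make_pki ./pki && verify_pki ./pki && echo "PKI ok"
```

make_pki and verify_pki correspond to the easyrsa build-ca / build-server-full / build-client-full steps followed by the check a practitioner should run before copying anything to /etc/openvpn/server/. The DH parameters are generated exactly as shown above. If the server is later given a tls-crypt key, openvpn --genkey --secret ta.key (OpenVPN 2.4 syntax) produces it.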

Server Configuration

To allow the system to forward traffic, create /etc/sysctl.d/network.conf (read at boot; run sysctl --system to apply it immediately) containing:

net.ipv4.ip_forward = 1

and run:

iptables -t nat -I POSTROUTING -o ens3 -s 10.200.0.0/24 -j MASQUERADE
iptables-save > /etc/iptables/iptables.rules
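The single MASQUERADE rule above is enough only while the FORWARD chain's default policy is ACCEPT; with a DROP policy, traffic between the tunnel interface and ens3 has to be accepted explicitly. The script below is an added example, not the wiki's own procedure: it prints the full rule set for a given uplink interface and VPN subnet so it can be reviewed, refuses a malformed subnet, and applies each rule only if it is not already loaded (iptables -C), so it can be re-run without duplicating rules. The tunnel interface name tun0, the use of -A rather than -I, and the conntrack match are assumptions.

```shell
#!/bin/sh
# Added example (not from the CSLabsWiki page): forwarding and NAT rules for the
# VPN server, generated as text first so they can be reviewed, then applied
# idempotently. Interface and subnet are parameters; tun0 is assumed.

# valid_cidr ADDR/PREFIX - returns 0 for a syntactically valid IPv4 subnet
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# nat_rules WAN_IF VPN_SUBNET - prints the iptables commands without running them
nat_rules() {
    wan=$1
    vpn=$2
    valid_cidr "$vpn" || { echo "nat_rules: bad subnet '$vpn'" >&2; return 2; }
    cat <<EOF
iptables -t nat -A POSTROUTING -o $wan -s $vpn -j MASQUERADE
iptables -A FORWARD -i tun0 -o $wan -s $vpn -j ACCEPT
iptables -A FORWARD -i $wan -o tun0 -d $vpn -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# apply_rules WAN_IF VPN_SUBNET - needs root; adds each rule only if iptables -C
# reports it absent, enables forwarding now, and persists the table (Arch layout,
# as on this page). The sysctl.d file above keeps forwarding enabled across boots.
apply_rules() {
    nat_rules "$1" "$2" | while read -r cmd; do
        check=$(printf '%s' "$cmd" | sed 's/ -A / -C /')
        $check 2>/dev/null || $cmd
    done
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    iptables-save > /etc/iptables/iptables.rules
}

# review first:      nat_rules ens3 10.200.0.0/24
# then, as root:     apply_rules ens3 10.200.0.0/24
```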

Server configuration file: THIS IS OUT OF DATE AS OF FEBRUARY 2018

# no tls-auth/tls-crypt key is configured, so the UDP port answers a TLS handshake from anyone
proto udp
port 1194
dev tun
server 10.200.0.0 255.255.255.0
topology subnet
persist-key
persist-tun
keepalive 10 60
push "redirect-gateway def1"
# default route through the tunnel with metric 999 (the route keyword is required here)
push "route 0.0.0.0 0.0.0.0 10.200.0.1 999"
push "dhcp-option DNS 128.153.145.3" 
dh      [inline]
ca      [inline]
cert    [inline]
key     [inline]
# duplicate-cn lets several clients share one certificate, so a leaked certificate
# cannot be revoked without cutting off everyone using it; there is also no crl-verify
duplicate-cn
user nobody
group nobody
verb 3
daemon
log-append /var/log/openvpn.log
**dh ca cert and key omitted**

Client Configuration

Client configuration file: THIS IS OUT OF DATE AS OF FEBRUARY 2018

client
proto udp
# pre-2018 address; the service now runs on 128.153.145.50 (see the infobox)
remote 128.153.145.248
port 1194
dev tun
nobind
topology subnet
pull
# added hardening: only accept a server certificate carrying the serverAuth extended
# key usage (easyrsa build-server-full sets it); without this, any client certificate
# issued by the same CA could impersonate the server
remote-cert-tls server
**ca, cert, and key omitted**