From CSLabsWiki
IP Address(es):
Contact Person: Milton Griffin
Last Update: Febuary 2018
Services: OpenVPN 2.4.0

This service provides a VPN tunnel into COSI using the user's LDAP login. The configuration file is available for any member of COSI here.

Second Floor

The COSI second floor uses this service to share the networking infrastructure. All second floor machines have allocated COSI IP addresses as well as Talos DNS. The full documentation on how the link operates will be added later.

How To Run a Client

Each operating system has a different for running the VPN. Mac testing has not yet occurred.


Install OpenVPN-gui and move the configuration file to:

"C:/Program Files/OpenVPN/config/" in Windows

To start the VPN: start OpenVPN-gui, right click the icon in the notification area, click connect. NOTE: The configuration is plug and play for anything but Windows. For Windows clients, run (Win + r) regedit. Change


from 0 to 1. Next run services.msc, right click 'Routing and Remote Access', select properties, change it to automatic, then restart. When Windows boots, run OpenVPN-gui if it is not running. Right click the icon in the notification and click connect.


Install the OpenVPN package and move the configuration file to:

"/etc/openvpn/" for Linux service 

or anywhere for Linux general use. To start the VPN on Linux: run

sudo openvpn --config /location/of/cosi.ovpn

As a Linux service that will start when the computer boots: run

sudo systemctl enable openvpn@cosi.service


Install the OpenVPN-Connect app from the app store. Tap on the configuration file (easiest thru email) and select "Open in OpenVPN". The app will open with the configuration menu open. Press the connect switch to initiate the connection.


Install the OpenVPN-Connect app from the play store. Open the app and select "Import" from the drop down menu (3 dots). Choose an import method and navigate to the configuration file. Press the connect switch to initiate the connection.

Key Management

This section is for initial configuration

To make a new pki       : easyrsa init-pki
To make the revoke list : easyrsa gen-crl
To make the new CA      : easyrsa build-ca

This section explains how to make server and client certificates

To make the server      : easyrsa build-server-full servername nopass
To make the client      : easyrsa build-client-full clientname nopass

Move the needed files to the server's folder

The system CA   : cp -a /etc/easyrsa/pki/ca.crt /etc/openvpn/server/
The server crt  : cp -a /etc/easyrsa/pki/issued/servername.crt /etc/openvpn/server/server.crt
The server key  : cp -a /etc/easyrsa/pki/private/openvpn-server.key /etc/openvpn/server/server.key

The encryption uses a Diffie-Hellman

Go to the server folder : cd /etc/openvpn/main/
Generate the DH         : openssl dhparam -out dh2048.pem 2048

Server Configuration

To allow the system to forward traffic, modify /etc/sysctl.conf/network.conf to include:

net.ipv4.ip_forward = 1

and run:

iptables -t nat -I POSTROUTING -o ens3 -s -j MASQUERADE
iptables-save > /etc/iptables/iptables.rules

Server configuration file: THIS IS OUT OF DATE AS OF FEBUARY 2018

proto udp
port 1194
dev tun
topology subnet
keepalive 10 60
push "redirect-gateway def1"
push " 999"
push "dhcp-option DNS" 
dh      [inline]
ca      [inline]
cert    [inline]
key     [inline]
user nobody
group nobody
verb 3
log-append /var/log/openvpn.log
**dh ca cert and key omitted**

Client Configuration

Client configuration file: THIS IS OUT OF DATE AS OF FEBUARY 2018

proto udp
port 1194
dev tun
topology subnet
**ca, cert, and key omitted**