OpenVPN
IP Address(es): 128.153.145.50
Contact Person: Milton Griffin
Last Update: February 2018
Services: OpenVPN 2.4.0
This service provides a VPN tunnel into COSI using the user's LDAP login. The configuration file is available to any member of COSI here.
Second Floor
The COSI second floor uses this service to share the networking infrastructure. All second floor machines have allocated COSI IP addresses as well as Talos DNS. The full documentation on how the link operates will be added later.
How To Run a Client
Each operating system has a different procedure for running the VPN client. macOS has not yet been tested.
Windows
Install OpenVPN-gui and move the configuration file to:
C:/Program Files/OpenVPN/config/
To start the VPN: start OpenVPN-gui, right click the icon in the notification area, and click connect.
NOTE: The configuration is plug and play on every platform except Windows. On Windows clients, run regedit (Win + R) and change
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter
from 0 to 1. Next run services.msc, right click 'Routing and Remote Access', select Properties, change the startup type to Automatic, then restart. When Windows boots, run OpenVPN-gui if it is not already running, right click the icon in the notification area and click connect.
Linux
Install the OpenVPN package and move the configuration file to:
/etc/openvpn/ to run it as a Linux service
or anywhere for general use. To start the VPN on Linux, run:
sudo openvpn --config /location/of/cosi.ovpn
To run it as a Linux service that starts when the computer boots, run:
sudo systemctl enable openvpn@cosi.service
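The script below is an added example, not part of the wiki page, for the service route just described. On the common distributions the `openvpn@NAME.service` unit reads `/etc/openvpn/NAME.conf`, so a file named `cosi.ovpn` has to be installed as `/etc/openvpn/cosi.conf` before `systemctl enable openvpn@cosi.service` will find it. The profile embeds the user's certificate and private key, so it is installed readable by the owner only, and it is sanity-checked first so that missing key material is reported at install time rather than as a failed connection at boot. The target directory is a parameter (defaulting to `/etc/openvpn`) so the checks can be exercised on a scratch directory without root; the profile contents in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not from the COSI wiki): install an OpenVPN client profile so
# that systemd's openvpn@NAME.service can find it. That unit reads
# /etc/openvpn/NAME.conf on common distributions, so cosi.ovpn must be
# installed as cosi.conf for 'systemctl enable openvpn@cosi.service' to work.

# Sanity-check a profile before installing it. Returns 0 if it is a client
# profile with a remote, and each of ca/cert/key is either embedded inline
# (<ca> ... </ca>) or names a file that exists.
check_profile() {
    f=$1
    grep -qx 'client' "$f" || { echo "$f: missing 'client' directive" >&2; return 1; }
    grep -Eq '^remote[[:space:]]+[^[:space:]]+' "$f" || { echo "$f: missing 'remote'" >&2; return 1; }
    for d in ca cert key; do
        # inline form: an opening tag on its own line
        grep -qx "<$d>" "$f" && continue
        # file form: "ca /path/to/file"; a bare directive with no path is an error
        path=$(awk -v d="$d" '$1 == d { print $2; exit }' "$f")
        if [ -z "$path" ]; then
            echo "$f: '$d' is neither inline nor a file path" >&2; return 1
        fi
        case "$path" in
            /*) ;;                               # absolute path, use as is
            *)  path="$(dirname "$f")/$path" ;;  # relative to the profile itself
        esac
        [ -r "$path" ] || { echo "$f: '$d' refers to missing file $path" >&2; return 1; }
    done
}

# Install SRC as NAME.conf under DIR (default /etc/openvpn), readable by the
# owner only, since the profile embeds the private key. Prints the installed path.
install_client_config() {
    src=$1; name=$2; dir=${3:-/etc/openvpn}
    check_profile "$src" || return 1
    install -d -m 755 "$dir"
    install -m 600 "$src" "$dir/$name.conf"
    echo "$dir/$name.conf"
}

# Usage (as root on a real system), with a constructed path for the download:
#   install_client_config ~/Downloads/cosi.ovpn cosi \
#       && systemctl enable --now openvpn@cosi.service
```

The file-permission step matters because `cosi.ovpn` is a complete credential: anyone who can read it can connect as that user, so it should never sit world-readable in a shared directory.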
iOS
Install the OpenVPN-Connect app from the App Store. Tap on the configuration file (easiest through email) and select "Open in OpenVPN". The app opens on the configuration screen. Press the connect switch to initiate the connection.
Android
Install the OpenVPN-Connect app from the play store. Open the app and select "Import" from the drop down menu (3 dots). Choose an import method and navigate to the configuration file. Press the connect switch to initiate the connection.
Key Management
This section covers the initial configuration.
To make a new PKI: easyrsa init-pki
To make the revocation list: easyrsa gen-crl
To make the new CA: easyrsa build-ca
This section explains how to make server and client certificates.
To make the server certificate: easyrsa build-server-full servername nopass
To make the client certificate: easyrsa build-client-full clientname nopass
Move the needed files to the server's folder:
The system CA: cp -a /etc/easyrsa/pki/ca.crt /etc/openvpn/server/pyxis.ca
The server crt: cp -a /etc/easyrsa/pki/issued/servername.crt /etc/openvpn/server/server.crt
The server key: cp -a /etc/easyrsa/pki/private/servername.key /etc/openvpn/server/server.key
The key exchange uses Diffie-Hellman parameters, which must be generated:
Go to the server folder: cd /etc/openvpn/main/
Generate the DH parameters: openssl dhparam -out dh2048.pem 2048
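The script below is an added example and not the wiki's own tooling: it carries the easyrsa steps above through as one idempotent script and then checks that the copies in the server folder actually fit together (certificate chains to the CA that clients will trust, key matches the certificate, key not readable by other users). The directories are the page's (`/etc/easyrsa/pki`, `/etc/openvpn/server`, the CA installed as `pyxis.ca`); `EASYRSA_DIR` and `OUT_DIR` are assumed environment overrides. One ordering caveat: `gen-crl` needs an existing CA, so it runs after `build-ca` here.

```shell
#!/bin/sh
# Added example, not the wiki's own script: the easyrsa procedure as one
# idempotent script plus checks on the resulting server bundle. Paths follow the
# page; EASYRSA_DIR and OUT_DIR are assumptions that can be overridden.
EASYRSA_DIR=${EASYRSA_DIR:-/etc/easyrsa}
OUT_DIR=${OUT_DIR:-/etc/openvpn/server}
PKI=$EASYRSA_DIR/pki

# Step 1 (once): PKI directory, CA, and an initial revocation list.
# gen-crl signs the list with the CA key, so it must come after build-ca.
init_pki() {
    cd "$EASYRSA_DIR" || return 1
    [ -d "$PKI" ]        || easyrsa init-pki
    [ -f "$PKI/ca.crt" ] || easyrsa build-ca
    easyrsa gen-crl
}

# Step 2: issue certificates. 'nopass' (as on the page) leaves the private key
# unencrypted on disk, so file permissions are what protects it.
issue_server() { (cd "$EASYRSA_DIR" && easyrsa build-server-full "$1" nopass); }
issue_client() { (cd "$EASYRSA_DIR" && easyrsa build-client-full "$1" nopass); }

# Step 3: copy CA, certificate and key under the names the server expects.
# 'install -m' replaces the page's 'cp -a' so the modes are set explicitly.
install_server_bundle() {
    name=$1
    install -d -m 700 "$OUT_DIR"
    install -m 644 "$PKI/ca.crt"            "$OUT_DIR/pyxis.ca"
    install -m 644 "$PKI/issued/$name.crt"  "$OUT_DIR/server.crt"
    install -m 600 "$PKI/private/$name.key" "$OUT_DIR/server.key"
}

# Step 4: Diffie-Hellman parameters for the key exchange (slow; run once).
gen_dh() { openssl dhparam -out "$OUT_DIR/dh2048.pem" 2048; }

# Check the bundle in DIR: all three files present and non-empty, the key not
# readable by other users, the certificate chains to the CA, and the key's
# public half matches the certificate. Returns 1 on the first problem found.
verify_bundle() {
    dir=$1
    for f in pyxis.ca server.crt server.key; do
        [ -s "$dir/$f" ] || { echo "missing or empty $dir/$f" >&2; return 1; }
    done
    mode=$(stat -c '%a' "$dir/server.key")
    case "$mode" in
        600|400) ;;
        *) echo "server.key mode $mode is too permissive" >&2; return 1 ;;
    esac
    openssl verify -CAfile "$dir/pyxis.ca" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo "server.crt does not chain to pyxis.ca" >&2; return 1; }
    cert_pub=$(openssl x509 -noout -pubkey -in "$dir/server.crt" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$dir/server.key" 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "server.key does not match server.crt" >&2; return 1; }
}

# Usage: sh this-script.sh servername   (as root, with easyrsa installed)
if [ "$#" -gt 0 ]; then
    init_pki && issue_server "$1" && install_server_bundle "$1" \
        && gen_dh && verify_bundle "$OUT_DIR"
fi
```

`verify_bundle` can also be run on its own against an existing `/etc/openvpn/server` after a manual copy, which catches the classic mistake of copying a certificate issued by one CA next to a different `ca.crt`.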
Server Configuration
To allow the system to forward traffic, modify /etc/sysctl.conf/network.conf to include:
net.ipv4.ip_forward = 1
and run:
iptables -t nat -I POSTROUTING -o ens3 -s 10.200.0.0/24 -j MASQUERADE
iptables-save > /etc/iptables/iptables.rules
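As an added example (not from the page), the same forwarding setup written so it can be re-run safely: `iptables -I` inserts a fresh rule every time it is executed, so this version asks `iptables -C` whether the rule already exists before inserting it, and it persists the sysctl through a drop-in file rather than an edit by hand. The interface, subnet and rules path are the page's; the drop-in path `/etc/sysctl.d/99-openvpn-forward.conf` is an assumption. The last function only reads a saved dump, so it can be used to audit an existing server for duplicated rules.

```shell
#!/bin/sh
# Added example, not from the COSI wiki: idempotent version of the forwarding
# and NAT setup. Interface, subnet and rules file follow the page; the sysctl
# drop-in path is an assumption.
VPN_SUBNET=10.200.0.0/24
EGRESS_IF=ens3
RULES_FILE=/etc/iptables/iptables.rules
SYSCTL_DROPIN=/etc/sysctl.d/99-openvpn-forward.conf

# Enable IPv4 forwarding now and on every boot.
enable_forwarding() {
    printf 'net.ipv4.ip_forward = 1\n' > "$SYSCTL_DROPIN"
    sysctl -w net.ipv4.ip_forward=1
}

# Add the MASQUERADE rule for the VPN subnet only if an identical rule is not
# already present (-C exits 0 when it is), then save the table.
ensure_masquerade() {
    iptables -t nat -C POSTROUTING -o "$EGRESS_IF" -s "$VPN_SUBNET" -j MASQUERADE 2>/dev/null \
        || iptables -t nat -I POSTROUTING -o "$EGRESS_IF" -s "$VPN_SUBNET" -j MASQUERADE
    iptables-save > "$RULES_FILE"
}

# Count MASQUERADE rules for SUBNET via IFACE in an iptables-save dump (FILE).
# iptables-save prints -s before -o, so that is the order matched here.
# More than one means the rule was inserted repeatedly; zero means forwarding
# out of the tunnel is not being translated.
masquerade_rule_count() {
    file=$1; subnet=$2; iface=$3
    grep -cF -- "-A POSTROUTING -s $subnet -o $iface -j MASQUERADE" "$file" || true
}

# Usage (as root): enable_forwarding && ensure_masquerade
#                  masquerade_rule_count /etc/iptables/iptables.rules 10.200.0.0/24 ens3
```

A count other than 1 on a running server is worth investigating: duplicates are harmless for traffic but indicate the setup command is being re-run on every boot, and zero means VPN clients will reach the server but nothing beyond it.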
Server configuration file (THIS IS OUT OF DATE AS OF FEBRUARY 2018):
proto udp
port 1194
dev tun
server 10.200.0.0 255.255.255.0
topology subnet
persist-key
persist-tun
keepalive 10 60
push "redirect-gateway def1"
push "0.0.0.0 0.0.0.0 10.200.0.1 999"
push "dhcp-option DNS 128.153.145.3"
dh [inline]
ca [inline]
cert [inline]
key [inline]
duplicate-cn
user nobody
group nobody
verb 3
daemon
log-append /var/log/openvpn.log
(dh, ca, cert and key omitted)
Client Configuration
Client configuration file (THIS IS OUT OF DATE AS OF FEBRUARY 2018):
client
proto udp
remote 128.153.145.248
port 1194
dev tun
nobind
topology subnet
pull
(ca, cert, and key omitted)