OpenVPN

This service provides a VPN tunnel into COSI using the user's LDAP login. The configuration file is available for any member of COSI here.

Second Floor

The COSI second floor uses this service to share the networking infrastructure. All second floor machines have allocated COSI IP addresses as well as Talos DNS. The full documentation on how the link operates will be added later.

How To Run a Client

Each operating system has a different for running the VPN. Mac testing has not yet occurred.

Windows

Install OpenVPN-gui and move the configuration file to:

"C:/Program Files/OpenVPN/config/" in Windows

To start the VPN: start OpenVPN-gui, right click the icon in the notification area, click connect. NOTE: The configuration is plug and play for anything but Windows. For Windows clients, run (Win + r) regedit. Change

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter 

from 0 to 1. Next run services.msc, right click 'Routing and Remote Access', select properties, change it to automatic, then restart. When Windows boots, run OpenVPN-gui if it is not running. Right click the icon in the notification and click connect.

Linux

Install the OpenVPN package and move the configuration file to:

"/etc/openvpn/" for Linux service 

or anywhere for Linux general use. To start the VPN on Linux: run

sudo openvpn --config /location/of/cosi.ovpn

As a Linux service that will start when the computer boots: run

sudo systemctl enable openvpn@cosi.service

iOS

Install the OpenVPN-Connect app from the app store. Tap on the configuration file (easiest thru email) and select "Open in OpenVPN". The app will open with the configuration menu open. Press the connect switch to initiate the connection.

Android

Install the OpenVPN-Connect app from the play store. Open the app and select "Import" from the drop down menu (3 dots). Choose an import method and navigate to the configuration file. Press the connect switch to initiate the connection.

Key Management

This section is for initial configuration

To make a new pki       : easyrsa init-pki
To make the revoke list : easyrsa gen-crl
To make the new CA      : easyrsa build-ca

This section explains how to make server and client certificates

To make the server      : easyrsa build-server-full servername nopass
To make the client      : easyrsa build-client-full clientname nopass

Move the needed files to the server's folder

The system CA   : cp -a /etc/easyrsa/pki/ca.crt /etc/openvpn/server/pyxis.ca
The server crt  : cp -a /etc/easyrsa/pki/issued/servername.crt /etc/openvpn/server/server.crt
The server key  : cp -a /etc/easyrsa/pki/private/openvpn-server.key /etc/openvpn/server/server.key

The encryption uses a Diffie-Hellman

Go to the server folder : cd /etc/openvpn/main/
Generate the DH         : openssl dhparam -out dh2048.pem 2048

Server Configuration

To allow the system to forward traffic, modify /etc/sysctl.conf/network.conf to include:

net.ipv4.ip_forward = 1

and run:

iptables -t nat -I POSTROUTING -o ens3 -s 10.200.0.0/24 -j MASQUERADE
iptables-save > /etc/iptables/iptables.rules

Server configuration file: THIS IS OUT OF DATE AS OF FEBUARY 2018

proto udp
port 1194
dev tun
server 10.200.0.0 255.255.255.0
topology subnet
persist-key
persist-tun
keepalive 10 60
push "redirect-gateway def1"
push "0.0.0.0 0.0.0.0 10.200.0.1 999"
push "dhcp-option DNS 128.153.145.3" 
dh      [inline]
ca      [inline]
cert    [inline]
key     [inline]
duplicate-cn
user nobody
group nobody
verb 3
daemon
log-append /var/log/openvpn.log
**dh ca cert and key omitted**

Client Configuration

Client configuration file: THIS IS OUT OF DATE AS OF FEBUARY 2018

client
proto udp
remote 128.153.145.248
port 1194
dev tun
nobind
topology subnet
pull
**ca, cert, and key omitted**