Difference between revisions of "VPN Access"
(→Install OpenVPN) |
|||
Line 18: | Line 18: | ||
This configuration routes all traffic trough ITP. This is useful if you want to download papers, which are restricted to the university network. | This configuration routes all traffic trough ITP. This is useful if you want to download papers, which are restricted to the university network. | ||
− | The second examples only routes the traffic going directly to the ITP trough the VPN and leaves your default gateway untouched. The only difference is the missing 'redirect-gateway' statement [http://th.physik.uni-frankfurt.de/~thw/vpn/itp. | + | The second examples only routes the traffic going directly to the ITP trough the VPN and leaves your default gateway untouched. The only difference is the missing 'redirect-gateway' statement [http://th.physik.uni-frankfurt.de/~thw/vpn/itp.ovpn] |
<pre> | <pre> | ||
Line 37: | Line 37: | ||
Download our CA (Certificate of Authority) [http://th.physik.uni-frankfurt.de/~thw/vpn/private-ca-itp.crt] and store it in the same place. This file is needed for the verification of the authenticity of the server. | Download our CA (Certificate of Authority) [http://th.physik.uni-frankfurt.de/~thw/vpn/private-ca-itp.crt] and store it in the same place. This file is needed for the verification of the authenticity of the server. | ||
− | For only accessing internal services and routing your the normal traffic to your normal uplink use the following configuration: [http://th.physik.uni-frankfurt.de/~thw/vpn/itp. | + | For only accessing internal services and routing your the normal traffic to your normal uplink use the following configuration: [http://th.physik.uni-frankfurt.de/~thw/vpn/itp.ovpn] |
<pre> | <pre> |
Revision as of 10:45, 19 March 2020
To get full access to our network from external locations we provide a VPN access based on openvpn. This is free software and part of every Linux distribution. The following guide has been tested with Ubuntu.
If you prefer a graphical configuration, we recommend the Networkmanager based setup:
It is available for Windows and MacOS too.
Contents
Install OpenVPN
It is not part of the default installation, but can easily installed using apt. Enter the following commands:
sudo apt install openvpn
This requires to enter your password to get super user privileges.
Command line configuration
We have setup a new VPN gateway. Please use this configuration and report problems.
This configuration routes all traffic trough ITP. This is useful if you want to download papers, which are restricted to the university network. The second examples only routes the traffic going directly to the ITP trough the VPN and leaves your default gateway untouched. The only difference is the missing 'redirect-gateway' statement [1]
client dev tun proto udp nobind remote vgw.itp.uni-frankfurt.de verify-x509-name vgw.itp.uni-frankfurt.de name remote-cert-tls server resolv-retry infinite auth-user-pass ca private-ca-itp.crt # Comment this, if you don't want to redirect the default gateway redirect-gateway def1
Download our CA (Certificate of Authority) [2] and store it in the same place. This file is needed for the verification of the authenticity of the server.
For only accessing internal services and routing your the normal traffic to your normal uplink use the following configuration: [3]
client dev tun proto udp nobind remote vgw.itp.uni-frankfurt.de verify-x509-name vgw.itp.uni-frankfurt.de name remote-cert-tls server resolv-retry infinite auth-user-pass ca private-ca-itp.crt
Start the VPN connection
Open a terminal and change to the path where the vpn config file is stored. Start the connection with
sudo openvpn itp.ovpn
where itp.ovpn is the name of the config file. openvpn needs root access, therefore you must enter your local password for sudo. After this you have to enter your ITP credentials (Username and Password).
If everything went fine the output will look like:
Fri Dec 7 15:03:00 2012 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page). Fri Dec 7 15:03:00 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables Fri Dec 7 15:03:00 2012 UDPv4 link local: [undef] Fri Dec 7 15:03:00 2012 UDPv4 link remote: [AF_INET]141.2.246.2:1194 Fri Dec 7 15:03:00 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this Fri Dec 7 15:03:00 2012 [FIAS-ITP_Generic_VPN_Service] Peer Connection Initiated with [AF_INET]141.2.246.2:1194 Fri Dec 7 15:03:02 2012 TUN/TAP device tap0 opened Fri Dec 7 15:03:02 2012 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 Fri Dec 7 15:03:02 2012 /sbin/ifconfig tap0 10.63.131.1 netmask 255.255.0.0 mtu 1500 broadcast 10.63.255.255 Fri Dec 7 15:03:02 2012 Initialization Sequence Completed
Termiate the session by pressing Ctrl-C in this terminal.
Previous VPN gateway (deperecated)
This is the old configuration, which will be retire in a few weeks. Please prefer the new setup.
This is fast and easy but requires to enter commands. Create the config file and store it anywhere you like:
client dev tap proto udp nobind remote vpn.th.physik.uni-frankfurt.de verify-x509-name vpn.th.physik.uni-frankfurt.de name remote-cert-tls server resolv-retry infinite auth-user-pass ca private-ca-itp.crt redirect-gateway def1
Download our CA (Certificate of Authority) [4] and store it in the same place. This file is needed for the verification of the authenticity of the server.
This configuration routes all traffic trough ITP. This is useful if you want to download papers, which are restricted to the university network. The second examples only routes the traffic going directly to the ITP trough the VPN and leaves your default gateway untouched. The only difference is the missing 'redirect-gateway' staetment.
client dev tap proto udp nobind remote vpn.th.physik.uni-frankfurt.de verify-x509-name vpn.th.physik.uni-frankfurt.de name remote-cert-tls server resolv-retry infinite auth-user-pass ca private-ca-itp.crt