Difference between revisions of "VPN Access"

From IT Service Wiki
Changes in this revision (the wiki shows them as a two-column diff, old text on the left and new text on the right; summarised here):

Line 1: "tested with Ubuntu 12.04 to 15.04" becomes "tested with Ubuntu 12.04 to 15.10".

Line 14 onward, the command line configuration: the server name check

 tls-remote /CN=FIAS-ITP_Generic_VPN_Service

is replaced by

 verify-x509-name vpn.th.physik.uni-frankfurt.de name

and the CA directive

 ca localca.full.pem

is replaced by

 ca private-ca-itp.crt

The comment lines of the old example ("# ITP OpenVPN configuration.", "# Adapt this to the path of our CA certificate file." and "# Comment out the following line to only route ITP connections over the VPN.") are dropped, and the single example is split into two complete configurations: one with "redirect-gateway def1", which routes all traffic through ITP, and one without it, which routes only ITP traffic through the VPN and leaves the default gateway untouched. The CA download link changes from http://th.physik.uni-frankfurt.de/~thw/vpn/localca.full.pem to http://th.physik.uni-frankfurt.de/~thw/vpn/private-ca-itp.crt.

Revision as of 16:13, 1 December 2015

To get full access to our network from external locations we provide VPN access based on OpenVPN. This is free software and part of every Linux distribution. The following guide has been tested with Ubuntu 12.04 to 15.10. OpenVPN is available for Windows and MacOS too.

Install OpenVPN

It is not part of the default installation, but can easily be installed using apt. Enter the following command:

 sudo apt-get install openvpn

This requires you to enter your password to get super-user privileges.

Command line configuration

This is fast and easy but requires entering commands. Create or download [1] the config file and store it anywhere you like:

 client
 dev tap
 proto udp
 nobind
 remote vpn.th.physik.uni-frankfurt.de
 verify-x509-name vpn.th.physik.uni-frankfurt.de name
 remote-cert-tls server
 resolv-retry infinite
 auth-user-pass
 ca private-ca-itp.crt
 redirect-gateway def1

Download our CA certificate (http://th.physik.uni-frankfurt.de/~thw/vpn/private-ca-itp.crt) and store it in the same place. This file is needed to verify the authenticity of the server.

This configuration routes all traffic through ITP; this is useful if you want to download papers that are restricted to the university network. The second example only routes the traffic going directly to the ITP through the VPN and leaves your default gateway untouched. The only difference is the missing 'redirect-gateway' statement.


 client
 dev tap
 proto udp
 nobind
 remote vpn.th.physik.uni-frankfurt.de
 verify-x509-name vpn.th.physik.uni-frankfurt.de name
 remote-cert-tls server
 resolv-retry infinite
 auth-user-pass
 ca private-ca-itp.crt
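Both configurations depend on two directives for authenticating the server: remote-cert-tls server (only accept a certificate issued for a server, so another client's certificate from the same CA cannot pose as the VPN endpoint) and verify-x509-name ... name (the server's CN must match exactly; this replaces the older tls-remote, which was deprecated in OpenVPN 2.3 and removed in 2.4). Since the CA file is downloaded over plain http, it is also worth looking at what was actually downloaded before trusting it. The following pre-flight check is an added example and not part of the wiki; the file names, the placeholder CA file and the two sample configurations are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the ITP wiki: pre-flight check for an OpenVPN client
# config. It confirms that the directives which authenticate the server are
# present, that the CA file they rely on exists, and reports whether the file
# is a full- or split-tunnel configuration.
set -u

directives=''   # comment-free content of the config under test
capath=''

# has REGEX -> true when a directive matching REGEX is present (comments excluded).
has() { printf '%s\n' "$directives" | grep -Eq "^[[:space:]]*$1"; }

# check_ovpn_config FILE -> exit status 0 when FILE passes, 1 otherwise.
check_ovpn_config() {
    cfg=$1
    dir=$(dirname "$cfg")
    rc=0

    # Drop comments ('#' and ';') and blank lines so a commented-out directive does not count.
    directives=$(sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$cfg")

    has 'remote-cert-tls[[:space:]]+server' \
        || { echo "FAIL: 'remote-cert-tls server' missing"; rc=1; }

    has 'verify-x509-name[[:space:]]+[^[:space:]]+[[:space:]]+name' \
        || { echo "FAIL: 'verify-x509-name <cn> name' missing"; rc=1; }

    # ca <file>: resolve relative to the config, as openvpn does when started from that directory.
    ca=$(printf '%s\n' "$directives" | awk '$1 == "ca" { print $2; exit }')
    case $ca in
        '') echo "FAIL: 'ca <file>' missing"; rc=1 ;;
        /*) capath=$ca ;;
        *)  capath=$dir/$ca ;;
    esac
    if [ -n "$ca" ] && [ ! -r "$capath" ]; then
        echo "FAIL: CA file '$ca' not found next to $(basename "$cfg")"; rc=1
    fi

    # Informational findings.
    if has 'redirect-gateway'; then
        echo "INFO: full tunnel, all traffic is routed through ITP"
    else
        echo "INFO: split tunnel, only ITP destinations use the VPN"
    fi
    has 'auth-nocache' \
        || echo "INFO: auth-nocache not set; openvpn will warn that the password may be cached in memory"

    # With openssl available, show the trust anchor's subject and SHA-256 fingerprint
    # so it can be compared with a value obtained out of band (e.g. asked from the admins).
    if [ $rc -eq 0 ] && command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$capath" -noout -subject -fingerprint -sha256 2>/dev/null \
            || echo "WARN: '$ca' is not a readable PEM certificate"
    fi
    return $rc
}

# --- Demonstration on constructed files (the real CA comes from the ITP download) ---
demo_dir=$(mktemp -d)
printf 'placeholder, not a real certificate\n' > "$demo_dir/private-ca-itp.crt"
cat > "$demo_dir/itp.ovpn" <<'EOF'
client
dev tap
proto udp
nobind
remote vpn.th.physik.uni-frankfurt.de
verify-x509-name vpn.th.physik.uni-frankfurt.de name
remote-cert-tls server
resolv-retry infinite
auth-user-pass
ca private-ca-itp.crt
redirect-gateway def1
EOF
# A copy with the server-certificate check commented out must be rejected.
sed 's/^remote-cert-tls/# remote-cert-tls/' "$demo_dir/itp.ovpn" > "$demo_dir/itp-weak.ovpn"

check_ovpn_config "$demo_dir/itp.ovpn" && echo "OK: $demo_dir/itp.ovpn"
check_ovpn_config "$demo_dir/itp-weak.ovpn" || echo "REJECTED: $demo_dir/itp-weak.ovpn"
```

Run it with the real itp.ovpn in place of the constructed one (sh check.sh, or call check_ovpn_config itp.ovpn after sourcing the file). A FAIL line means openvpn would either refuse to start or connect without checking who is on the other end; the fingerprint line is what to compare against a value you did not obtain over the same unauthenticated http download.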

Start the VPN connection

Open a terminal and change to the directory where the VPN config file is stored. Start the connection with

 sudo openvpn itp.ovpn

where itp.ovpn is the name of the config file. OpenVPN needs root access, therefore you must enter your local password for sudo. After this you have to enter your ITP credentials (username and password).

If everything went fine, the output will look similar to this (the sample was captured in 2012 with the earlier tls-remote configuration, so the first warning line does not appear with the current config):

Fri Dec  7 15:03:00 2012 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Fri Dec  7 15:03:00 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Dec  7 15:03:00 2012 UDPv4 link local: [undef]
Fri Dec  7 15:03:00 2012 UDPv4 link remote: [AF_INET]141.2.246.2:1194
Fri Dec  7 15:03:00 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Dec  7 15:03:00 2012 [FIAS-ITP_Generic_VPN_Service] Peer Connection Initiated with [AF_INET]141.2.246.2:1194
Fri Dec  7 15:03:02 2012 TUN/TAP device tap0 opened
Fri Dec  7 15:03:02 2012 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Dec  7 15:03:02 2012 /sbin/ifconfig tap0 10.63.131.1 netmask 255.255.0.0 mtu 1500 broadcast 10.63.255.255
Fri Dec  7 15:03:02 2012 Initialization Sequence Completed

Terminate the session by pressing Ctrl-C in this terminal.

Hacking around firewalls

If you have problems with firewalls, we provide some other ports and protocols to circumvent these firewalls:

 Proto   Port
 tcp     1194
 tcp     80
 udp     53
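The alternative endpoints from the table can be listed as fallbacks in one client config instead of editing the file each time a network blocks UDP 1194: OpenVPN tries the remote lines in the order given and moves on to the next when a connection attempt fails, and since version 2.3 each remote line may carry its own port and protocol. The following is an added example, not the wiki's own file; it assumes that the alternative ports are served on the same hostname, vpn.th.physik.uni-frankfurt.de, which the page does not state explicitly.

```conf
# Added example: the full-tunnel configuration from this page, extended with the
# alternative endpoints from the table as fallbacks. Assumes they all answer on
# vpn.th.physik.uni-frankfurt.de (an assumption, not stated on the page).
client
dev tap
nobind
# Tried in this order; openvpn moves to the next line when an attempt fails.
# No global "proto" line: each remote names its own protocol.
remote vpn.th.physik.uni-frankfurt.de 1194 udp
remote vpn.th.physik.uni-frankfurt.de 1194 tcp
remote vpn.th.physik.uni-frankfurt.de 80 tcp
remote vpn.th.physik.uni-frankfurt.de 53 udp
# Server authentication is the same for every endpoint: same CA, same CN check,
# so a fallback port never weakens the check on who is on the other end.
verify-x509-name vpn.th.physik.uni-frankfurt.de name
remote-cert-tls server
resolv-retry infinite
auth-user-pass
ca private-ca-itp.crt
# Remove the next line for the split-tunnel variant described above.
redirect-gateway def1
```

Because the fallbacks are the same TLS-protected VPN service on other ports, the log line "Peer Connection Initiated" and the CN check behave exactly as on UDP 1194; the only visible difference is the "link remote" line, which shows the port that finally worked.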