====== Using the VPN ======

These notes describe how to use the OpenVPN-based Virtual Private Network provided by SC Lab. With it:

  * You can connect to sc1 and our other lab machines with a high level of security from wherever you are, so long as you can connect to a network that will allow you to make an https connection.
  * You can set up a fixed ip address for a machine, even if it is actually moving around and has a different ip address every time, and even if it's behind a firewall that blocks incoming traffic. It is virtually un-blockable (blocking it would almost certainly also block all internet banking, internet marketing sites etc.).
  * I would strongly advise using it if you currently have a windows machine with a fixed ip address: put it behind a natting/firewalling router, and it will be much safer, but you can still log into it from wherever you want (even linux clients will be safer configured this way... the only disadvantage is that you will need to set up an openvpn client on any machine that you want to use to log into it).
  * [[http://en.gentoo-wiki.com/wiki/HOWTO_OpenVPN_Linux_Server_Windows_Client | Setting up a windows vpn client]]

====== Setting up a new VPN client ======

  * Ask Bob to generate certificates for you. You need to tell him:
    - What name you would like for your machine
    - Whether you need
      * a fixed address (i.e. you will need to log into this machine remotely)
      * a dhcp address (you will only use this machine to log into other machines over the vpn)
  * [[resource:info:bobvpn|What Bob needs to do]] (ignore this section)
  * [[.:install|Install openvpn]]
    - On linux, you will probably put all the configuration files in /etc/openvpn (if you are using fedora 10 or greater, you can use the System/Preferences/Internet and Network/Network Connections menu, then VPN/Add/OpenVPN instead; it will set up most of the configuration for you).
    - On macintosh, put them in /Users//Library/openvpn unless you are doing a custom install, especially if you use [[http://code.google.com/p/tunnelblick/|Tunnelblick]]. If you want the client to start up automatically when you boot, you will need to [[.:macstartup|do a little more]].
    - On MS Windows, put them in PATH-TO-OPENVPN\config. It will be 'C:\Program Files\OpenVPN\config' unless you change it. You can get a GUI version at http://openvpn.se/ for easier use.
  * Bob will give you client certificate files containing the files below. You should put the first two in a directory, in an appropriate place, called certs. It needs to be writeable only by you, but world-readable. You must also create a separate directory, keys, in which you place .key. The keys directory, and .key, must be readable only by you. This is critically important! On linux/mac, this means permissions should be 600. (In old redhat-based distros, these files go in /etc/pki/tls; if you use the Fedora 10 or later network menu, you need to put them in your own home directory.) If you asked for a fixed ip address, Bob will tell you what it is (it will have the form 10.160.81.x).
    - {{cacrt.text|ca.crt}}
    - .crt
    - .key
  * You need to create an appropriate .conf file in your openvpn directory (see Bob's below). This is not needed if you are using the menus on fedora.
  * File permissions: if you are using unix-like systems, all your permissions should be 644 (755 for directories), except for the keys file and directory, which should be 600 (700). If you are using [[.:selinux|selinux]], it's [[.:vpnselinux|a little more complicated]].
  * Security: note that the openvpn server does not provide firewalling for you. It's safest to treat it like the internet, and only allow services from it that you would allow from the general internet (generally, that means don't change your firewall settings just because you set up openvpn). If you need to allow particular services, open them specifically in your firewall for the openvpn interface (probably tun0 on your machine), and only for addresses in our VPN range (10.160.80.0 to 10.160.81.255). For example, you may wish to open the ssh port. If you're using the default firewall software under most linux systems, you will probably need to install some more sophisticated firewall software; a good alternative is [[http://www.fwbuilder.org/|fwbuilder]]. One additional issue: openvpn uses ICMP for signalling, more broadly than some firewalls allow by default. If you can't get our VPN to work, or your connection keeps dropping out, you may need to open ICMP more broadly to get a stable connection (if this is the cause of the problems, you should be able to see ICMP packets from tun0 being blocked in your logs). If you do so, restrict the opening as above, to addresses in our VPN range (10.160.80.0 to 10.160.81.255) on the VPN interface (tun0). Opening ICMP risks ICMP flood attacks, but it's unlikely that they would originate in our VPN, so it should be safe so long as you only open it towards the VPN.
  * Special issues for the Fedora 10+ gui:
    * VPN Tab
      * You need to specify sc1.snu.ac.kr as the Gateway
      * You need to specify the authentication type as Certificates (TLS)
      * You must point all three certificates to the ones you installed a few steps earlier
      * Click on the "Advanced" button and:
        * Tick "Use custom gateway port" and re-set it to 443 (not 1194)
        * Tick "Use LZO data compression"
    * IPv4 Settings
      * Click on the "Routes" button and:
        * Tick "Use this connection only for resources on its network"
  * Open your tunnel and you're away. (With a GUI version in MS Windows, you can open the tunnel by right-clicking the config file or a tray icon on the taskbar.)
  * {{openvpnconf.text|Sample client configuration file}} (Works on macintosh and linux. For MSW, it's the same with some obvious exceptions, like using a double backslash '\\' instead of '/' as the file separator. Refer to {{clientovpn.text|Sample for MSW}}.)
  * For Windows Vista, if you are using a dhcp address rather than a fixed address, you need to add two more lines to the client configuration file:
<code>
route-method exe
route-delay 2
</code>

Please note that this configuration uses the https port 443, rather than the proper vpn port, 1194. This means you can be very confident that it won't be blocked, wherever you are using it from (and if you're behind a proxy, the proxy will almost certainly pass it too). NAT should also not cause any problems.

You will need to change the lines:
<code>
ca /Users/rim/Library/openvpn/certs/ca.crt
cert /Users/rim/Library/openvpn/certs/bobsmac.crt
key /Users/rim/Library/openvpn/keys/bobsmac.key
</code>
or on MSW:
<code>
ca PATH-TO-CERTS\\ca.crt
cert PATH-TO-CERTS\\bobsmac.crt
key PATH-TO-KEYS\\bobsmac.key
;user nobody
;group nobody
</code>

Useful vpn addresses:
  * 10.160.81.65 sc
  * 10.160.80.1 sc1
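The permission rules above (certs 755/644, keys 700/600) are easy to get wrong, so here is an added check script that is not part of this page's or the lab's own material; it takes the openvpn directory as an argument (a hypothetical /etc/openvpn in the usage line) and reports anything that deviates.

```shell
#!/bin/sh
# Added example (not from the SC Lab page): verify the certs/ and keys/
# layout described above before starting the client. The directory
# argument is hypothetical; on linux it would typically be /etc/openvpn.
# Exact modes follow the page: certs 755/644, keys 700/600.

# mode_ok PATH MODE: true when PATH has exactly octal MODE.
# POSIX find: -prune stops descent into directories, -perm MODE (no
# leading - or /) is an exact match, so output is non-empty only on match.
mode_ok() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# check_openvpn_perms DIR: print every deviation, return 1 if any was found
check_openvpn_perms() {
    base=$1
    rc=0
    # public material: writable only by you, readable by everyone
    mode_ok "$base/certs" 755 || { echo "BAD: $base/certs should be 755"; rc=1; }
    for f in "$base"/certs/*; do
        [ -f "$f" ] || continue
        mode_ok "$f" 644 || { echo "BAD: $f should be 644"; rc=1; }
    done
    # private key: readable by you alone; this is the part the page calls critical
    mode_ok "$base/keys" 700 || { echo "BAD: $base/keys should be 700"; rc=1; }
    for f in "$base"/keys/*; do
        [ -f "$f" ] || continue
        mode_ok "$f" 600 || { echo "BAD: $f should be 600"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: $base permissions match the page"
    return "$rc"
}

# Usage: sh check_perms.sh /etc/openvpn   (hypothetical path)
[ $# -gt 0 ] && check_openvpn_perms "$1"
```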
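As an added illustration of the Security bullet (not from this page or the lab), here is an iptables rule set that treats tun0 like the internet and opens only ssh and ICMP, and only for the lab range; 10.160.80.0/23 is exactly 10.160.80.0 to 10.160.81.255. The ssh port as the exposed service and the ICMP rate limit are my choices, not the page's.

```shell
#!/bin/sh
# Added example (not from the SC Lab page): firewall rules for the VPN
# interface following the page's advice to treat the tunnel like the
# internet. 10.160.80.0/23 == 10.160.80.0 - 10.160.81.255. ssh is the
# example service; ICMP is opened only for that range and rate-limited.
# The rules are appended, so no earlier catch-all ACCEPT may precede them.
VPN_IF=tun0
VPN_NET=10.160.80.0/23

# vpn_fw_rules [runner]: with the default runner "echo" the commands are
# printed for review; pass "" to execute them as root, or "sudo".
vpn_fw_rules() {
    run=${1-echo}
    # replies to connections this host itself opened over the tunnel
    $run iptables -A INPUT -i "$VPN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # the one service we choose to expose, and only to lab VPN addresses
    $run iptables -A INPUT -i "$VPN_IF" -s "$VPN_NET" -p tcp --dport 22 -j ACCEPT
    # ICMP from the VPN range (the page notes tunnels drop when it is blocked);
    # the limit keeps any flood arriving over the tunnel to a trickle
    $run iptables -A INPUT -i "$VPN_IF" -s "$VPN_NET" -p icmp -m limit --limit 10/s --limit-burst 20 -j ACCEPT
    # anything else arriving through the tunnel is handled like internet traffic
    $run iptables -A INPUT -i "$VPN_IF" -j DROP
}

# Review the rules first; run `vpn_fw_rules sudo` to apply them.
vpn_fw_rules
```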