Difference between revisions of "Openvpn"
Latest revision as of 15:11, 7 May 2013
Introduction
OpenVPN is an open source Virtual Private Network (VPN), which allows one to establish a tunnel for any IP subnetwork or virtual Ethernet adapter, i.e. a TUN/TAP kernel device, over any UDP/TCP port. At Free Geek, we have one between our wireless and wired networks.
Key Generation
To use the VPN, you will need the files ca.crt, foo.crt and foo.key, and, later on, ta.key.
To generate them, you will need to follow these horrible, horrible steps:
Ask a sysadmin to run the following commands on our VPN server (if this will be internet accessible, use vars.internet instead of vars):
    cd /etc/openvpn/easy-rsa
    . ./vars
    ./build-key clientname
These files will land in either ../keys or ../keys.internet, depending.
Securely copy the three files named after clientname, plus ca.crt and ta.key, to your computer and put them in an unreadable directory, /etc/openvpn/keys/ (system-wide) or ~/.openvpn/ (per-user; be sure to chmod -R go-rwx ~/.openvpn/). Don't leave any spare copies of those files lying around!
Installation
You can set up the VPN to be system-wide or to be per user. Using network-manager is probably easier.
Network Manager
On Debian or Ubuntu:
sudo aptitude install network-manager-openvpn-gnome
or
sudo aptitude install network-manager-openvpn-kde
In the network manager menu (click on the icon for your connection), go to "VPN Connections > Configure VPN...". Create a new VPN by clicking Add, selecting OpenVPN for the type, and clicking Create. Ask your system administrator for the IP address to put in the gateway box, and if your system administrator is forgetful, remind them to look at /etc/openvpn/server{,.internet}.conf on the firewall.
Name the connection appropriately, then set the properties on the VPN tab:
    Type: Certificates (TLS)
    User Certificate: ~/.openvpn/foo.crt
    CA Certificate: ~/.openvpn/ca.crt
    Private Key: ~/.openvpn/foo.key
In the Advanced Settings, set the custom gateway port to 1193 if this is an internet connection (as opposed to using the default on the Free Geek wireless); turn on Use LZO Data Compression; on the Security tab, set the cipher to BF-CBC and HMAC Authentication to SHA-1; and on the TLS Authentication tab, enable using additional TLS authentication, set the key file to ~/.openvpn/ta.key, and set the key direction to 1.
Finally, you may need to restart network-manager before you can connect:
sudo service network-manager restart
System-Wide Setup
- Debian
    apt-get install openvpn openssl resolvconf
- Gentoo
    echo "ssl examples" >> /etc/portage/package.use
    emerge -av openvpn resolvconf-gentoo
- Other
can be found here: http://openvpn.net/install.html
Setup
Once installed you will need to set some things up.
Here is a sample config (though you will need to edit a few lines). Copy and save this as /etc/openvpn/client.conf.
    # both '#' and ';' act as comments
    client
    dev tun
    proto udp
    # change this to your server's address
    remote ASK_A_SYSADMIN 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    tls-client
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/MY_VERY_OWN_PERSONAL.crt
    key /etc/openvpn/keys/MY_VERY_OWN_PERSONAL.key
    ns-cert-type server
    tls-auth /etc/openvpn/keys/ta.key 1
    cipher BF-CBC
    comp-lzo
    # enable execution of up/down scripts:
    script-security 2
    # shipped with debian lenny and later:
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
    # alternate examples that do similar things:
    #up /etc/openvpn/freegeek-up
    #down /etc/openvpn/freegeek-down
    # force all traffic through VPN:
    #redirect-gateway
For ASK_A_SYSADMIN, use the firewall's wireless IP or its external IP, depending on whether this will be accessible from the internet. For an internet-accessible connection, use port 1193 instead of 1194.
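A check to go with the key-storage rule in Key Generation and the ca/cert/key/tls-auth lines in client.conf, added here as an example (not a script from this wiki or from OpenVPN): it reads the file paths out of a client.conf and reports any that are missing or readable by group or other. Paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example (not from the wiki): verify that every certificate and key a
# client.conf references exists and is unreadable by group and other, which is
# what the Key Generation section's "chmod -R go-rwx" is meant to guarantee.

# check_key_perms CONF: prints one line per problem; returns 1 if any was found.
check_key_perms() {
    conf=$1
    status=0
    # paths named on ca, cert, key and tls-auth lines (tls-auth carries a
    # trailing direction argument, which the regex drops); comment lines and
    # "key-direction" never match. Paths are assumed to contain no whitespace.
    for f in $(sed -n -E 's/^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]+([^[:space:]]+).*/\2/p' "$conf"); do
        if [ ! -f "$f" ]; then
            echo "missing: $f"
            status=1
            continue
        fi
        # columns 5-10 of "ls -l" are the group and other permission bits
        if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "readable by group/other: $f"
            status=1
        fi
    done
    return $status
}

# Stand-alone use:  check_key_perms /etc/openvpn/client.conf
if [ -n "${1:-}" ]; then
    check_key_perms "$1"
fi
```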
The commented-out up/down lines refer to alternate scripts, which you could copy from here:
    #!/bin/bash
    # freegeek-up: OpenVPN runs this with the options pushed by the server in
    # the environment as foreign_option_1, foreign_option_2, ... and the
    # tunnel device name in $dev
    TEMPFILE=$(mktemp /tmp/resolv.conf.XXXXXX)
    echo search fglan >> "$TEMPFILE"
    # turn every pushed "dhcp-option DNS <address>" into a nameserver line
    for DHCPOPTVAR in ${!foreign_option*} ; do
        DHCPOPT="${!DHCPOPTVAR}"
        if echo "$DHCPOPT" | grep -qe '^dhcp-option.DNS' ; then
            echo "$DHCPOPT" | sed -re 's/dhcp-option.DNS.([0-9.]+)$/nameserver \1/' >> "$TEMPFILE"
        fi
    done
    # register the nameservers for the tunnel device with resolvconf
    resolvconf -a "$dev" < "$TEMPFILE"
    rm -f "$TEMPFILE"
and:
    #!/bin/bash
    # freegeek-down: drop the nameservers registered for the tunnel and
    # rebuild resolv.conf from the remaining interfaces
    rm /etc/resolvconf/run/interface/tun0
    resolvconf -u
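The option parsing that freegeek-up does, as an added example that is not part of the wiki page: a POSIX sh function that turns the foreign_option_N variables OpenVPN exports to an --up script into the fragment handed to resolvconf. It goes a little beyond the script above by also honouring pushed "dhcp-option DOMAIN" values and by accepting only well-formed IPv4 addresses as nameservers, so a garbled push cannot place arbitrary text in resolv.conf. The --print flag and the fallback search-domain argument are this example's own.

```shell
#!/bin/sh
# Added example (not the wiki's script): turn the foreign_option_N variables
# OpenVPN exports to an --up script into the resolv.conf fragment freegeek-up
# pipes into resolvconf, honouring pushed DOMAIN values too and accepting
# only real IPv4 addresses so a garbled push cannot inject text into resolv.conf.

# is_ipv4 ADDR: true if ADDR is four dot-separated octets in 0-255
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# resolv_fragment [FALLBACK_SEARCH_DOMAIN]
# Prints "search ..." (pushed domains, else the fallback) and one "nameserver ..."
# per valid pushed server, in foreign_option_N order; returns 1 if none is valid.
resolv_fragment() {
    domains=""
    servers=""
    # env lists the exported foreign_option_N variables; order them numerically
    opts=$(env | grep '^foreign_option_[0-9][0-9]*=' | sort -t_ -k3 -n | cut -d= -f2-)
    while read -r kw type value extra; do
        [ "$kw" = "dhcp-option" ] || continue
        case $type in
            DNS)    is_ipv4 "$value" && servers="$servers $value" ;;
            DOMAIN) domains="$domains $value" ;;
        esac
    done <<EOF
$opts
EOF
    [ -n "$servers" ] || return 1
    search="${domains:-${1:-}}"
    search="${search# }"
    [ -n "$search" ] && printf 'search %s\n' "$search"
    for s in $servers; do
        printf 'nameserver %s\n' "$s"
    done
    return 0
}

# From an --up script:  resolv_fragment fglan | resolvconf -a "$dev"
if [ "${1:-}" = "--print" ]; then
    resolv_fragment "${2:-}"
fi
```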
Automate
NOTE: You must change the hashbang to "#!/bin/bash" as these scripts will now contain bashisms.
- edit /etc/network/if-up.d/openvpn to include the following at the end of the file:
    if grep -q 'ESSID:"freegeek"' <(iwconfig $IFACE); then
        openvpn --daemon --config /etc/openvpn/client.conf --script-security 2
    fi
- edit /etc/network/if-down.d/openvpn to include the following at the end of the file:
    if grep -q 'ESSID:"freegeek"' <(iwconfig $IFACE); then
        exec killall -q openvpn
    fi
Printing
To allow access to the print server, add "BrowseAddress your-tun0-ip" to cupsd.conf on scribble and then restart CUPS. You should get a consistent IP address, so this should be stable unless we need to change the keys.
Alternatively, you can add scribble as a server to browse for printers on your localhost by doing the following:
- Go to System -> Administration -> Printing
- Go to Server -> Settings
- Select the radio button next to 'Show printers shared by other systems'
- Expand the Advanced Server Settings menu
- Under Browse servers, click the Add button and enter: scribble
- If the Add button is greyed out, try applying the settings (click OK) and bring up the Server Settings menu again.
- If the printers don't immediately show up, confirm you're connected to the VPN and then try restarting your local CUPS instance:
sudo service cups restart