Difference between revisions of "OpenVPN"

From sshcWiki
(As usual, an OS X open source project is better executed. Hooray NetworkManager)
m (Bot: Cosmetic changes)
 
(6 intermediate revisions by 2 users not shown)
Line 1: Line 1:
= VPN Access =  
+
= VPN Access =
We use OpenVPN (http://openvpn) as our VPN solution.
+
We use OpenVPN (http://openvpn.net) as our VPN solution.
  
== Gaining Access ==  
+
== Gaining Access ==
Your [[FreeIPA]] account needs to be a member of the <tt>openvpn_users</tt> group.  
+
Your [[FreeIPA]] account needs to be a member of the <tt>openvpn_users</tt> group. Send a request to [mailto:tech@sshchicago.org tech@sshchicago.org] if you'd like to be added!
  
== Requirements ==  
+
== Requirements ==
  
 
* You must have a copy of our HMAC key, please contact tech@sshchicago.org to get it.
 
* You must have a copy of our HMAC key, please contact tech@sshchicago.org to get it.
 
* You'll also need a copy of our [[SSHCHICAGO.ORG Certificate Authority (CA)]] certicate.
 
* You'll also need a copy of our [[SSHCHICAGO.ORG Certificate Authority (CA)]] certicate.
  
== Connection Information ==  
+
== Connection Information ==
 
Gateway: space.sshchicago.org
 
Gateway: space.sshchicago.org
 +
 
Port: 1194 (this is the default in OpenVPN)
 
Port: 1194 (this is the default in OpenVPN)
 +
 
Transport Protocol: UDP (also the default in OpenVPN)
 
Transport Protocol: UDP (also the default in OpenVPN)
 +
 
Authentication type: Username/Password (PKI disabled)
 
Authentication type: Username/Password (PKI disabled)
 +
 
Compression: LZO
 
Compression: LZO
  
= Connection Instructions =  
+
= Connection Instructions =
 
== Mac OS X ==
 
== Mac OS X ==
* Install Tunnelblick (https://code.google.com/p/tunnelblick/)  
+
* Install Tunnelblick (https://code.google.com/p/tunnelblick/)
 
* Get the SSH-Chicago.tblk config package from another member
 
* Get the SSH-Chicago.tblk config package from another member
 
* Double-click it.
 
* Double-click it.
 
* Log in with your SSH:Chicago (wiki) username and password
 
* Log in with your SSH:Chicago (wiki) username and password
  
== Linux (Tested on Fedora Core 20) ==  
+
== Linux (Tested on Fedora Core 20) ==
 +
* Create a certs directory and restore the SELinux context (<tt>mkdir ~/.certs && restorecon -R ~/.certs</tt>)
 
* Grab the HMAC key and store it in ~/.certs/
 
* Grab the HMAC key and store it in ~/.certs/
 
* Download a copy of the [[SSHCHICAGO.ORG Certificate Authority (CA)]] and store that in ~/.certs/ as well. (These two steps are required to comply with default SELinux regulations in Fedora)
 
* Download a copy of the [[SSHCHICAGO.ORG Certificate Authority (CA)]] and store that in ~/.certs/ as well. (These two steps are required to comply with default SELinux regulations in Fedora)
* Launch your Network Manager UI  
+
* Launch your Network Manager UI
 
* Add a VPN connection. Set stuff up like this:
 
* Add a VPN connection. Set stuff up like this:
 
** Name: ssh-c
 
** Name: ssh-c
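Review bot: the added Linux step (mkdir ~/.certs && restorecon -R ~/.certs) restores the SELinux context but leaves the directory mode at the umask default, and the next step stores the shared HMAC key there. Suggest mkdir -m 700 ~/.certs && restorecon -R ~/.certs so other local users cannot read the key. The unchanged Requirements bullet still reads "certicate" and could be corrected in the same edit.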
Line 43: Line 48:
 
**** For Key File, chose the HMAC key you stored in ~/.certs/
 
**** For Key File, chose the HMAC key you stored in ~/.certs/
 
**** Key direction: "1"
 
**** Key direction: "1"
 +
** Flip to the IPv4 Settings Tab
 +
*** Click Routes...
 +
**** Check "Use this connection only for resources on its network"
 +
**** Click OK
 
* Click OK, and Apply
 
* Click OK, and Apply
* Connect.  
+
* Connect.
 +
 
 +
== Windows (Tested on Windows 7 x64 Professional) ==
 +
* Install the Windows OpenVPN client from https://openvpn.net/index.php/open-source/downloads.html
 +
* Get the sshc-openvpn-windows zip file, which contains a config file, HMAC key, and certificate.
 +
* Copy the contents of the zip into <tt>C:\Program Files\OpenVPN\Config</tt>.
 +
* Launch the OpenVPN UI using '''Run As Administrator'''
 +
* Right-click on the OpenVPN icon in your system tray and choose "Connect". When prompted, enter your wiki username and password.
 +
 
 +
= Testing that you have connected properly =
 +
Navigate to a server somewhere on our network that's not exposed to the internet. An example is:
 +
 
 +
http://monkey.sshchicago.org
  
== Windows ==
+
This one will say "It works!" if you've talked to it.
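Review bot: the new Windows step "Get the sshc-openvpn-windows zip file" does not say where the zip comes from, even though it bundles the HMAC key that Requirements says to request from tech@sshchicago.org. Name the distribution channel in that step, as the Mac OS X step does ("from another member"), so the key is not passed around through unstated paths.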

Latest revision as of 22:22, 27 February 2017

VPN Access

We use OpenVPN (http://openvpn.net) as our VPN solution.

Gaining Access

Your FreeIPA account needs to be a member of the openvpn_users group. Send a request to tech@sshchicago.org if you'd like to be added!

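Requirements

  • You must have a copy of our HMAC key; please contact tech@sshchicago.org to get it.
  • You'll also need a copy of our SSHCHICAGO.ORG Certificate Authority (CA) certificate.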

Connection Information

Gateway: space.sshchicago.org

Port: 1194 (this is the default in OpenVPN)

Transport Protocol: UDP (also the default in OpenVPN)

Authentication type: Username/Password (PKI disabled)

Compression: LZO

Connection Instructions

Mac OS X

  • Install Tunnelblick (https://code.google.com/p/tunnelblick/)
  • Get the SSH-Chicago.tblk config package from another member
  • Double-click it.
  • Log in with your SSH:Chicago (wiki) username and password

Linux (Tested on Fedora Core 20)

  • Create a certs directory and restore the SELinux context (mkdir ~/.certs && restorecon -R ~/.certs)
  • Grab the HMAC key and store it in ~/.certs/
  • Download a copy of the SSHCHICAGO.ORG Certificate Authority (CA) and store that in ~/.certs/ as well. (These two steps are required to comply with default SELinux regulations in Fedora)
  • Launch your Network Manager UI
  • Add a VPN connection. Set stuff up like this:
    • Name: ssh-c
    • Gateway: space.sshchicago.org
    • Authentication:
      • Type: Password
      • User name: Your SSH:Chicago username.
      • Password: Your SSH:Chicago password.
      • CA Certificate: Choose the certificate you put in ~/.certs/
    • Click Advanced.
      • General:
        • Check the "Use LZO data compression" box.
      • TLS Authentication:
        • Check "Use additional TLS authentication".
        • For Key File, choose the HMAC key you stored in ~/.certs/
        • Key direction: "1"
    • Flip to the IPv4 Settings Tab
      • Click Routes...
        • Check "Use this connection only for resources on its network"
        • Click OK
  • Click OK, and Apply
  • Connect.
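
A pre-connection check for the files the Linux steps above place in ~/.certs, as an added example that is not part of the original wiki page. The file names are passed as arguments because the page does not name them; it assumes the HMAC key is an OpenVPN static key file and the CA certificate is PEM-encoded.

```shell
#!/bin/sh
# Added example: sanity-check the VPN material stored in ~/.certs.
# Assumptions: key is an OpenVPN static key file, CA certificate is PEM.

# True when group and other have no permission bits on $1.
private_mode() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_vpn_material DIR KEYFILE CAFILE
# Prints one line per problem and returns the number of problems found.
check_vpn_material() {
    dir=$1 key=$1/$2 ca=$1/$3 problems=0

    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    private_mode "$dir" || {
        echo "$dir is accessible to group/other (chmod 700)"
        problems=$((problems + 1)); }

    if [ ! -f "$key" ]; then
        echo "missing HMAC key: $key"
        problems=$((problems + 1))
    else
        private_mode "$key" || {
            echo "$key is readable by group/other (chmod 600)"
            problems=$((problems + 1)); }
        grep -q -- '-----BEGIN OpenVPN Static key V1-----' "$key" || {
            echo "$key does not look like an OpenVPN static key"
            problems=$((problems + 1)); }
    fi

    if [ ! -f "$ca" ]; then
        echo "missing CA certificate: $ca"
        problems=$((problems + 1))
    else
        grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" || {
            echo "$ca is not a PEM certificate"
            problems=$((problems + 1)); }
    fi
    return "$problems"
}

# Usage: sh check.sh ~/.certs <key file name> <CA file name>
if [ "$#" -eq 3 ]; then check_vpn_material "$@"; fi
```

A return value of 0 means the directory and key are private to your account and both files have the expected headers.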

Windows (Tested on Windows 7 x64 Professional)

  • Install the Windows OpenVPN client from https://openvpn.net/index.php/open-source/downloads.html
  • Get the sshc-openvpn-windows zip file, which contains a config file, HMAC key, and certificate.
  • Copy the contents of the zip into C:\Program Files\OpenVPN\Config.
  • Launch the OpenVPN UI using Run As Administrator
  • Right-click on the OpenVPN icon in your system tray and choose "Connect". When prompted, enter your wiki username and password.

Testing that you have connected properly

Navigate to a server somewhere on our network that's not exposed to the internet. An example is:

http://monkey.sshchicago.org

This one will say "It works!" if you've talked to it.