Difference between revisions of "Vpn"

Revision as of 18:25, 17 September 2015

Installing the Client

OS X

  1. Install TunnelBlick
  2. Download http://sally.ad.pumpingstationone.org/~hef/ps1-vpn.tblk.zip
  3. Unpack PS1 VPN.tblk
  4. Click PS1 VPN.tblk to install

Linux (CLI)

  1. Install OpenVPN via your favorite package manager.
  2. Download http://sally.ad.pumpingstationone.org/~hef/ps1-vpn.zip and extract the contents to /etc/openvpn/

Arch

   sudo systemctl start openvpn@ps1-vpn

Ubuntu/Debian

   sudo service openvpn start

Linux (Gnome3/NetworkManager)

This works on a Debian-based system without SELinux enabled. For SELinux systems, certificates/keys will need to be placed in ~/.certs, or another directory with the home_cert_t context applied. See http://syslog.warten.de/2011/06/selinux-prevents-openvpn-from-reading-certs-in-home/ for more details on getting OpenVPN to read certificates stored in your home directory on an SELinux-enabled system. As always, YMMV.

  • First, you will need the OpenVPN plugin for NetworkManager. On Debian, this can be installed with the "network-manager-openvpn-gnome" package. In RedHat-land, this package is called NetworkManager-openvpn-gnome.
  • Open Network Manager's "Network Settings" dialog. (Found in Gnome3 by right-clicking one of your existing connections in the system tray.)
  • Add a new VPN connection with the "+" button.
  • Select "Password with Certificates (TLS)" in the drop-down for the Authentication Type.
  • Enter your PS1 credentials for Username and Password (not the private-key password; leave that blank).
  • Point User Certificate, CA Certificate, and Private Key to the following files from ps1-vpn.zip, respectively: user-auth-client.crt, user-auth-server.bob.ad.pumpingstationone.org.ca.crt, user-auth-client.key
  • Under Advanced:
    • General Tab:
      • Check both "Use LZO data compression" and "Set virtual device type", leaving the options for the latter as "TUN" and "(automatic)".
    • TLS Authentication Tab:
      • Check "Use Additional TLS Authentication"
      • Use Keyfile "user-auth-server.bob.ad.pumpingstationone.org.ta.key" from ps1-vpn.zip
      • Set Key direction to 1

At this point, you should be able to toggle the connection on and get a working VPN connection. Keep in mind that this will by default be routing all of your traffic over the VPN, which may or may not be desirable for you. If you run into any issues, check dmesg/journald/syslog for any possible permissions or SELinux issues on accessing the certificates and keys.

Windows

  1. Download and install the Windows OpenVPN client from http://openvpn.net/index.php/open-source/downloads.html
  2. Open Start >> All Programs >> OpenVPN >> Shortcuts >> OpenVPN configuration file directory
  3. Download http://sally.ad.pumpingstationone.org/~hef/ps1-vpn.zip
  4. Unpack the contents of ps1-vpn.zip into the previously opened folder: C:\Program Files\OpenVPN\config
    1. Temporary workaround: rename ps1-vpn.conf to ps1-vpn.ovpn
  5. Right-click on OpenVPN GUI >> Run As Administrator
  6. Right-click on the OpenVPN icon in the task bar and select 'Connect'. You will be prompted for your PS:1 username and password.


Vpn Server Info

There is an OpenVPN server up and running.

  • Public interface: space.pumpingstationone.org:1194
  • The internal IP is 10.100.200.70
  • UDP port 1159 is forwarded from a public IP.

Upon connection, the following address ranges are routed to the VPN host.

   10.100.200.0/24
   10.100.0.0/20
   10.100.201.0/24
   10.100.202.0/24


The IP range for VPN-connected clients is 10.100.201.0/24
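As an added example (not from this wiki, and not the contents of ps1-vpn.zip), the Python checker below parses an OpenVPN client config and reports the points the NetworkManager steps and the server info above depend on: mutual TLS plus username/password, the tls-auth key direction, full- versus split-tunnel routing, and whether a given destination would travel through the tunnel given the routed ranges. The embedded config is constructed to mirror those settings and is not the real ps1-vpn.conf.

```python
import ipaddress
from typing import Dict, List

# Constructed client config mirroring the settings the NetworkManager steps
# describe (client cert + CA + key, username/password, tls-auth direction 1,
# LZO, TUN, full tunnel) and the routed ranges from "Vpn Server Info".
# It is NOT the real ps1-vpn.conf; it exists only for this example.
SAMPLE_CONF = """\
client
dev tun
proto udp
remote space.pumpingstationone.org 1194
ca user-auth-server.bob.ad.pumpingstationone.org.ca.crt
cert user-auth-client.crt
key user-auth-client.key
tls-auth user-auth-server.bob.ad.pumpingstationone.org.ta.key 1
auth-user-pass
comp-lzo
redirect-gateway def1
route 10.100.200.0 255.255.255.0
route 10.100.0.0 255.255.240.0
route 10.100.201.0 255.255.255.0
route 10.100.202.0 255.255.255.0
"""

def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """Parse 'option arg ...' lines; '#' and ';' start comments.
    Inline <ca>...</ca> style blocks are not handled here."""
    opts: Dict[str, List[List[str]]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts

def audit(opts: Dict[str, List[List[str]]]) -> dict:
    """Security-relevant facts to confirm before trusting the connection."""
    tls_auth = opts.get("tls-auth", [[]])[0]
    return {
        "mutual_tls": {"ca", "cert", "key"}.issubset(opts),   # client cert auth
        "user_pass": "auth-user-pass" in opts,                 # PS1 credentials
        "tls_auth_direction": int(tls_auth[1]) if len(tls_auth) > 1 else None,
        "full_tunnel": "redirect-gateway" in opts,             # all traffic via VPN
        "remote": tuple(opts.get("remote", [[]])[0][:2]),
    }

def routes(opts: Dict[str, List[List[str]]]) -> List[ipaddress.IPv4Network]:
    """'route NET MASK' lines as networks (ipaddress accepts dotted masks)."""
    return [ipaddress.ip_network(f"{a[0]}/{a[1]}") for a in opts.get("route", [])]

def via_vpn(dest: str, opts: Dict[str, List[List[str]]]) -> bool:
    """True if dest goes through the tunnel: a route covers it, or it is full-tunnel."""
    ip = ipaddress.ip_address(dest)
    return audit(opts)["full_tunnel"] or any(ip in net for net in routes(opts))
```

Dropping the redirect-gateway line turns the sample into a split-tunnel config, which is the case to check when you do not want all traffic routed over the VPN.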

Router config

   /ip firewall nat add chain=dstnat dst-port=1194 action=dst-nat protocol=udp to-address=10.100.200.70 to-port=1194