How (and why) to use the Informatics OpenVPN service

These instructions should allow you to install and configure OpenVPN on self-managed machines so that they can connect to the Informatics endpoints, thereby allowing you to appear as though you are inside the Informatics network. Note that the configuration files linked from this page are in a protected location which is only accessible to Informatics users.

There are a couple of problems which VPN (Virtual Private Network) systems can help solve. The first is where you're working at a remote site but you need to appear as though you were a local network user in order to access some resources. The second is where there are restrictions on your network access, often for audit-trail reasons. A "VPN tunnel" is, essentially, a way to make your machine appear as though it's attached to the network somewhere other than where it really is.

The system we have adopted is OpenVPN: "OpenVPN is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls." We have OpenVPN configured in "road-warrior" mode, suitable for users who would like to tunnel to inside Informatics from outside sites. Tunnels are fully encrypted end-to-end between the remote clients and the local endpoints.

Using the Informatics OpenVPN means that you appear inside the Informatics network. This is in contrast with the central University VPN service, which will tunnel you to inside EdLAN but outside Informatics. This distinction may be important when accessing internal Informatics resources.

There are two Informatics OpenVPN endpoint machines, one located in the Forum and one in Appleton Tower, each managing its own address ranges, with a separate client-configuration file for each. We suggest that you download and install both of these, and then select the appropriate endpoint when you bring a tunnel up. (It would be possible to create a unified configuration which would try both endpoints and connect to whichever one answered first. In practice this is likely to lead to surprising-to-the-user behaviour, so we haven't provided such a configuration here; but it is easy to adapt these files.)

Note that OpenVPN uses its own transport protocol. OpenVPN clients cannot connect to IPsec endpoints or PPTP endpoints, such as IS's, nor can their clients connect to an OpenVPN endpoint. (We did consider setting up such endpoints, but overall OpenVPN seems a better solution. IPsec is generally regarded as "complicated", while even the authors of poptop, the Linux PPTP implementation, recommend using something else where possible!)

Known Issues

The Informatics-via-* and Informatics-all-* configurations may not work at the moment from the eduroam wireless service. This is believed to be a side effect of the way IS have the routing for the subnet configured. A workaround is to use one of the Informatics-only-* configurations instead. See below for the configuration files.

The Informatics-all-Forum configuration may not work at the moment when used from the "central" wireless service, due to the way the IS-run gateway is currently configured. If this is a problem for you, try the Informatics-all-AT configuration instead. See below for the configuration files.

See also the "questions" section below.

Configuration Files

Please note: the configuration files linked from this page are tested together as a set. If you visit this page on several occasions to download files you may end up with some from several incompatible sets. We do not guarantee that this will work. We strongly recommend that if you come back to this page to download additional configuration files that you refresh any existing files at the same time so as to have a consistent set.

The Informatics client configuration consists of several short files, which you should download and save as appropriate for your system (see below). Be careful that your browser does not add anything to the filenames, as otherwise the files might not be found by the OpenVPN tools. These are

  1. Two configuration files which allow you to connect via the Forum endpoint and via the Appleton Tower endpoint using your DICE username and password.
  2. The TLS authentication key which you must save as "tls.auth", and without which you will not be able to contact the endpoints at all.
  3. The University root CA certificate which you must save as "EdUniRootCA.crt" (and NOT as "EdUniRootCA.cer", which is what your browser might suggest as the default name).

The configuration files are all in a cosign-protected directory, so you may be redirected to the login page for the first one. We suggest you left-click on the first of the files, go through the login screen, and then "save as". For subsequent files, and particularly the CA certificate, you will probably want to right-click and "save link as".

(These configuration files will cause OpenVPN to prompt you for a username and password. Alternatively, if you already have kerberos set up, perhaps for AFS use, you have the option of authenticating that way. See below for more information.)

There are some optional additional configuration files available:

  1. Configuration files which will redirect ONLY traffic for selected Informatics subnets through the Forum and Appleton Tower endpoints. These can be used as a workaround for some Windows 7 issues when connecting from the eduroam wireless service.
  2. Configuration files which will redirect ALL traffic through the Forum and Appleton Tower endpoints. These might be useful when attached through a heavily-restricted connection method (such as the University's "central" wireless service), or where you need to present an EdLAN (i.e. 129.215/16) address to end sites. In general, though, the versions above are more efficient and robust.

If you do want to have these options available, you should install the additional files in the same directory as the other files.
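The page does not show the contents of the Informatics configuration files, so here is an added example (not the Informatics files, and not OpenVPN's own code) of a POSIX shell script that writes a minimal OpenVPN 2.2+ client configuration in the "via" or "all" style described above, and then checks a configuration directory for the mis-named ca/tls-auth files that the file list above and question 6 below warn about. The endpoint hostnames are placeholders, and the key direction and the exact set of directives are assumptions; the real files come only from the protected download location.

```shell
#!/bin/sh
# Added example, not the Informatics configuration files. Builds a client
# config in the "via" (EdLAN only) or "all" (every packet) style and checks
# a config directory for files a browser may have renamed on download.
# Endpoint hostname is a placeholder; directive set is an assumption.
set -u

# write_client_config MODE HOST OUTFILE
#   via: only EdLAN (129.215/16) is routed through the tunnel.
#   all: redirect-gateway sends all traffic through the tunnel.
write_client_config() {
    mode=$1; host=$2; out=$3
    case $mode in
        via) routing='route 129.215.0.0 255.255.0.0' ;;
        all) routing='redirect-gateway def1' ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    cat >"$out" <<EOF
client
dev tun
proto udp
remote $host 1194
nobind
persist-key
persist-tun
ca EdUniRootCA.crt
# key direction 1 is the usual client side (assumption; check your file)
tls-auth tls.auth 1
remote-cert-tls server
auth-user-pass
# extra "route" lines (e.g. for RFC1918 subnets) would go alongside this one
$routing
verb 3
EOF
}

# check_config_dir DIR: every file named by a "ca" or "tls-auth" directive
# in DIR/*.ovpn must exist under exactly that name (EdUniRootCA.cer or
# tls.auth.txt saved by a browser will not be found by OpenVPN).
check_config_dir() {
    dir=$1; rc=0
    for cfg in "$dir"/*.ovpn; do
        [ -f "$cfg" ] || { echo "no .ovpn files in $dir" >&2; return 1; }
        for f in $(awk '$1=="ca"||$1=="tls-auth"{print $2}' "$cfg"); do
            [ -f "$dir/$f" ] && continue
            echo "$cfg: missing $f" >&2; rc=1
            ls "$dir" | grep -i "^${f%.*}" >&2 || true   # show look-alikes
        done
    done
    return $rc
}
```

Run `check_config_dir` against your OpenVPN config folder after each download; a non-zero exit means at least one referenced file is missing or mis-named.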

The OpenVPN home site's FAQ and documents linked from it contain a lot of useful information which may help resolve problems.

OpenVPN for Windows

OpenVPN and the configuration files here have been tested on Windows XP. Vista users should be sure to download the latest version of OpenVPN, as problems have been reported on the mailing lists with earlier versions.

The first thing to do is to install OpenVPN itself. Go to the OpenVPN "downloads" page, download and execute the version-2.2.1-or-later Windows installer. NOTE that version 2.0.x or earlier will not work with our endpoints. Agree to the various requests to run/install things (in particular, the "tap" driver, which may not be signed), let them be installed in the default places, and install the default set of components. Then download the configuration files listed above and save them in the

   C:\Program Files\OpenVPN\config
folder.

You should now find that you have a shortcut to the OpenVPN application installed on your desktop. Double-click on it to start it, and an icon should appear in the right-hand area of your taskbar. Right-click on it to bring up the menu and select a configuration file to connect to the endpoint. Right-click and select "disconnect" when you're finished. The first time you do this you may be asked by your anti-virus system whether you should allow OpenVPN to run. If you are, you should agree to the request.

Windows 7 and Vista users please note that OpenVPN requires administrator rights in order to run properly. Select "run program as administrator" in the properties menu. Alternatively, setting the "startup type" to "automatic" has been suggested as a workaround.

OpenVPN for Mac

We suggest using the Tunnelblick distribution for Macs. After installing it, download the configuration files listed above, and put them in

   ~/Library/openvpn/
In this directory they're detected automatically on launch.

(At one point OpenVPN itself would not run on some Macs, as a result of problems with the tun driver, but these are believed to be fixed in the latest versions.)

OpenVPN for Linux and *BSD

OpenVPN has been tested and works well on Linux, and should work on *BSD. The first thing to do is to install OpenVPN itself, if a suitable version is not already in your distribution. One option is to go to the OpenVPN "downloads" page, download the version-2.2.1-or-later tar.gz file, and build and install it to suit your distribution. NOTE that version 2.0.x or earlier will not work with our endpoints. The HOWTO file on the OpenVPN web site has some useful instructions for this. Alternatively, there are pre-packaged versions available for the most common package management systems.

What you do next depends on whether you're using NetworkManager or not. (Our experience is that NetworkManager, at least in the version tested, doesn't seem to be flexible enough.)

If you are using NetworkManager, you need to install the OpenVPN plugin. How you do this depends again on your distribution, but there should be suitable pre-built versions available. Then proceed as follows:

  1. Create a directory for the configuration files and download them all into it.
  2. Start the NetworkManager GUI and select the VPN tab.
  3. For each of the main configuration files (i.e. not the authentication key or CA certificate): click on "import" and select the file, be sure to un-tick the "start this connection automatically" box, and save.

Once you've done this you should find that NetworkManager gives you the option of starting up one of the VPN tunnels.

NOTE that due to what appears to be a limitation of at least some versions of the plugin's import mechanism, the configurations as imported will not set up routing correctly, but will instead send ALL traffic through the tunnel. We haven't found any workaround for this yet. (The version tested won't even export a complete configuration.)

Alternatively, if you're not using NetworkManager, download the configuration files listed above and put them where OpenVPN can find them, then start the OpenVPN daemon with your preferred configuration file as a command-line parameter. Note that you may have to do this as root so that the daemon can create and/or configure its "tun" devices.

Questions

  1. What does the Informatics OpenVPN offer that the University's central VPN service doesn't?

    Using the Informatics OpenVPN means that you appear inside the Informatics network. This is in contrast with the central University VPN service, which will tunnel you to inside EdLAN but outside Informatics. This distinction may be important when accessing internal Informatics resources.

  2. I'm trying to connect from the "central" wireless, but can't access any web pages. Help?

    You have to use one of the "all" configurations: Forum or Appleton Tower. These will route external traffic through the tunnel, not just Informatics traffic, and so will bypass the filtering that's normally done by IS.

  3. Why not have your endpoints masquerade as web servers?

    This is something which can be useful to work around heavily filtered network connections, where very little other than web traffic is permitted.

    It would certainly be nice to offer such a service, but there are a couple of reasons why we don't (yet): the first is that current versions of OpenVPN are not quite flexible enough to allow them to manage two different types of connection at the same time; and the second is that tunnelling TCP protocols over a TCP-based transport can lead to performance issues which don't arise when tunnelling over a UDP-based transport, so it's better overall for us to support the latter. However, should later versions of OpenVPN allow us to implement something like this, we'll certainly consider doing so.

  4. Can I connect to an endpoint more than once? When I connect a second tunnel it seems that my first tunnel is dropped.

    You can only connect one tunnel at a time to our endpoints. This is actually the default behaviour, and we have left it as-is to protect our endpoints from misbehaving NAT gateways, which might otherwise use up all of an endpoint's client-IP addresses and so deny service to other users.

    We do have two endpoints, though, and you can bring up one tunnel to each independently.

  5. I'm trying to access things like IEEExplore or the ACM digital library, but they're not letting me in. Why not?

    This kind of thing can happen when the remote sites are using your IP address to authenticate. Our default "via" configurations will send EdLAN traffic through the tunnel, but will leave everything else to go by its normal route. As a result, the remote site sees you as coming from your usual ISP address rather than the University.

    The solution, in this case, is to use one of the "all" configurations. If you use these, all traffic is sent through the tunnel, and the remote sites see you as coming from a University IP address. Normally we recommend that you don't do this, as it's less robust and efficient, but in some cases such as this one it's necessary.

  6. I can't see any menu entries on my Windows box. Help?

    Some browsers seem to like to append things to the names of the configuration files as you download them. Check that this hasn't happened. You may have to toggle some folder view options in order to see the full filenames.

  7. Why can't I get to any of the University's RFC1918 subnets?

    We deliberately don't add any routes for these. They are defined as being for use within sites only. We have no way of knowing whether they are in use at your home site, or whether we would break your use of some other functionality by adding these. Therefore we don't.

    If you do need these routes to be in place, and you have determined that you can do so safely, then simply edit the configuration file(s) and add appropriate "route" statements alongside the existing ones.

A Note on Authentication

The configuration files described above connect to the endpoints in password-authentication mode. OpenVPN also supports certificate-based authentication, and it is possible to connect to our endpoints in this way. Rather than validating a username and password, they will instead accept certificates issued by our kx509 service, and will validate them against the appropriate CA chain. No additional password is required in this case, thus extending the DICE single-signon paradigm.

This has been tested on DICE-based Linux, and works well. If you'd like to try this on a self-managed Linux box, we can offer some guidance as to what to put in your OpenVPN configuration files.

Windows users should proceed as follows (note that this doesn't work properly with some revisions of XP due to what look like certificate-chaining bugs):

  1. Set up OpenAFS following these instructions if you haven't already. (Strictly speaking, you only really need the Identity Manager to be working, but you might as well go the whole way and set up OpenAFS too.)
  2. Go to the Secure Endpoints front page, scroll down to find the "Kerberized Certificate Authority Provider" installers, and install as appropriate for your system. This should Just Work next time you start the Identity Manager. If not, check that the "obtain a KCA identity..." entry in the "KCA certificate" tab of the "identities" page of the Identity Manager configuration window is ticked. You can see the certificate listed in the "advanced" view of the Identity Manager's status page.
  3. There are four additional configuration files: EdLAN traffic via the Forum endpoint and via the Appleton Tower endpoint; and all traffic via the Forum endpoint and via the Appleton Tower endpoint. Download these and install them in the same place as all your other OpenVPN configuration files.
  4. That's it. You should find that next time you start up the OpenVPN GUI you get some additional menu options, and if you select one of the kx509 options while your kx509 certificate is valid then you should be able to connect without any additional username and password prompts.

(If you happen to have identities from somewhere other than Informatics, you may have to edit these configuration files to use something more distinctive than "Ephemeral Key Certification Agency" as the identifier. The "kxlist" command on a DICE machine will show your certificate, and might allow you to pick something. "vim for windows" works well for this kind of editing; it's the first hit in Google when you search for that string.)

Development configuration

These configuration files are included here for convenience while developing our endpoints. They are liable to change without notice and are not guaranteed even to work. DON'T download them unless you're sure you know what you're doing! Do remember to download (or refresh) the "standard" configuration files listed above too.

  1. Informatics-via-DEV.ovpn
  2. kx509-via-DEV.ovpn
