Information for current:

Note that this isn't a fully-supported service quite yet, though the intention is that it should become one very soon. As well as getting a bit more testing as a not-a-service, there are a couple of issues still to sort out first:

  1. The Informatics-all-Forum configuration may not work at the moment when used from the "central" wireless service, due to the way the IS-run gateway is currently configured. If this is a problem for you, try the Informatics-all-AT configuration instead.
  2. The endpoints aren't both running on their final hardware yet, nor are they in their final locations. That's waiting on the contractors finally finishing the AT basement server room.

See devproj #101 for more details. Comments and corrections welcome.

How (and why) to use the Informatics OpenVPN service

These instructions should allow you to install and configure OpenVPN on self-managed machines so that they can connect to the Informatics endpoints, so allowing you to appear as though you are inside the Informatics network. Note that the configuration files linked from this page are in a protected location which is only accessible to Informatics users.

There are a couple of problems which VPN (Virtual Private Network) systems can help solve. The first is where you're working at a remote site but you need to appear as though you were a local network user in order to access some resources. The second is where there are restrictions on your network access, often for audit-trail reasons. A "VPN tunnel" is, essentially, a way to make your machine appear as though it's attached to the network somewhere other than where it really is.

The system we have adopted is OpenVPN: "OpenVPN is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls." We have OpenVPN configured in "road-warrior" mode, suitable for users who would like to tunnel to inside Informatics from outside sites. Tunnels are fully encrypted end-to-end between the remote clients and the local endpoints.

Using the Informatics OpenVPN means that you appear inside the Informatics network. This is in contrast with the central University VPN service, which will tunnel you to inside EdLAN but outside Informatics. This distinction may be important when accessing internal Informatics resources.

There are two Informatics OpenVPN endpoint machines, one located in the Forum and one notionally in Appleton Tower though currently decanted to Forrest Hill, each managing its own address ranges, with a separate client-configuration file for each. We suggest that you download and install both of these, and then select the appropriate endpoint when you bring a tunnel up. (It would be possible to create a unified configuration which would try both endpoints and connect to whichever one answered first. In practice this is likely to lead to surprising-to-the-user behaviour, so we haven't provided such a configuration here; but it is easy to adapt these files.)

Note that OpenVPN uses its own transport protocol. OpenVPN clients cannot connect to IPsec endpoints or PPTP endpoints, such as IS's, nor can their clients connect to an OpenVPN endpoint. (We did consider setting up such endpoints, but overall OpenVPN seems a better solution. IPsec is generally regarded as "complicated", while even the authors of poptop, the Linux PPTP implementation, recommend using something else where possible!)

Configuration Files

The Informatics client configuration consists of several short files, which you should download and save as appropriate for your system. These are

  1. Two configuration files which allow you to connect via the Forum endpoint and via the Appleton Tower endpoint using your DICE username and password.
  2. The TLS authentication key which you must save as "tls.auth", and without which you will not be able to contact the endpoints at all.
  3. The Informatics kx509 CA certificate which you must save as "kx509.crt" (and NOT as "kx509.cer", which is what your browser might suggest as the default name).

There are a couple of optional additional configuration files available, which will redirect ALL traffic through the Forum and Appleton Tower endpoints. These might be useful when attached through a heavily-restricted connection method (such as the University's "central" wireless service), or where you need to present an EdLAN (i.e. 129.215/16) address to end sites. In general, though, the versions above are more efficient and robust. If you do want to have this option available, you should install these additional files in the same directory as the other files.

The FAQ and documents linked from it contain a lot of useful information which may help resolve problems.

OpenVPN for Windows

OpenVPN and the configuration files here have been tested on Windows XP. Vista users should be sure to download the latest version of OpenVPN, as problems have been reported on the mailing lists with earlier versions.

The first thing to do is to install OpenVPN itself. Go to the OpenVPN "downloads" page, download and execute the version-2.1-or-later Windows installer. NOTE that version 2.0.x or earlier will not work with our endpoints. Agree to the various requests to run/install things (in particular, the "tap" driver, which may not be signed), let them be installed in the default places, and install the default set of components. Then download the configuration files listed above and save them in the

   C:\Program Files\OpenVPN\config
folder.

You should now find that you have a shortcut to the OpenVPN application installed on your desktop. Double-click on it to start it, and an icon should appear in the right-hand area of your taskbar. Right-click on it to bring up the menu and select a configuration file to connect to the endpoint. Right-click and select "disconnect" when you're finished.

Vista users please note that OpenVPN requires administrator rights in order to run properly. Select "run program as administrator" in the properties menu. Alternatively, setting the "startup type" to "automatic" has been suggested as a workaround.

OpenVPN for Mac

We suggest using the Tunnelblick distribution for Macs. After installing it, download the configuration files listed above, and put them in

   ~/Library/openvpn/
In this directory they're detected automatically on launch.

(At one point OpenVPN itself would not run on some Macs, as a result of problems with the tun driver, but these are believed to be fixed in the latest versions.)

OpenVPN for Linux and *BSD

OpenVPN works well on Linux and should work on *BSD. The first thing to do is to install OpenVPN itself. One option is to go to the OpenVPN "downloads" page, download the version-2.1-or-later tar.gz file, and build and install it to suit your distribution. NOTE that version 2.0.x or earlier will not work with our endpoints. The HOWTO file on the OpenVPN web site has some useful instructions for this. Alternatively, there are pre-packaged versions available for the most common package management systems.

Use the configuration files listed above. Put them where OpenVPN can find them, and start the OpenVPN daemon with your preferred configuration file as command-line parameter. Note that you may have to do this as root so that the daemon can create and/or configure its "tun" devices.

Questions

  1. What does the Informatics OpenVPN offer that the University's central VPN service doesn't?

    Using the Informatics OpenVPN means that you appear inside the Informatics network. This is in contrast with the central University VPN service, which will tunnel you to inside EdLAN but outside Informatics. This distinction may be important when accessing internal Informatics resources.

  2. I'm trying to connect from the "central" wireless, but can't access any web pages. Help?

    You have to use one of the "all" configurations: Forum or Appleton Tower. These will route external traffic through the tunnel, not just Informatics traffic, and so will bypass the filtering that's normally done by IS.

  3. Why not have your endpoints masquerade as web servers?

    This is something which can be useful to work around heavily filtered network connections, where very little other than web traffic is permitted.

    It would certainly be nice to offer such a service, but there are a couple of reasons why we don't (yet): the first is that current versions of OpenVPN are not quite flexible enough to allow them to manage two different types of connection at the same time; and the second is that tunnelling TCP protocols over a TCP-based transport can lead to performance issues which don't arise when tunnelling over a UDP-based transport, so it's better overall for us to support the latter. However, should later versions of OpenVPN allow us to implement something like this, we'll certainly consider doing so.

  4. I'm trying to access things like IEEExplore or the ACM digital library, but they're not letting me in. Why not?

    This kind of thing can happen when the remote sites are using your IP address to authenticate. Our default "via" configurations will send EdLAN traffic through the tunnel, but will leave everything else to go by its normal route. As a result, the remote site sees you as coming from your usual ISP address rather than the University.

    The solution, in this case, is to use one of the "all" configurations. If you use these, all traffic is sent through the tunnel, and the remote sites see you as coming from a University IP address. Normally we recommend that you don't do this, as it's less robust and efficient, but in some cases such as this one it's necessary.
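The Linux instructions above say to put the configuration files where OpenVPN can find them and to start the daemon as root with the chosen file as its parameter; the two FAQ answers above explain the difference between the "via" configurations (only EdLAN traffic through the tunnel) and the "all" configurations (everything through the tunnel). The following shell script is an added example, not the Informatics configuration files themselves (those are in a protected location), which checks a configuration directory before the daemon is started. It assumes that a "via"-style file expresses its split routing with a `route` directive for 129.215.0.0/16 and that an "all"-style file uses `redirect-gateway`; the file names `tls.auth` and `kx509.crt` are the ones this page requires, and the sample configurations it writes are constructed, with a placeholder endpoint name.

```shell
#!/bin/sh
# Added example: pre-flight checks for an OpenVPN client configuration
# directory on Linux/*BSD. Not the Informatics files; the sample configs
# below are constructed and use a placeholder endpoint hostname.
#
# Assumptions (labelled): "via" configs carry a "route 129.215.0.0 ..."
# line, "all" configs carry "redirect-gateway". The tls.auth and kx509.crt
# names come from the page.

# Classify a client config as "all" (everything through the tunnel),
# "split" (only the listed routes through the tunnel) or "unknown".
vpn_mode() {
    cfg="$1"
    if grep -Eq '^[[:space:]]*redirect-gateway' "$cfg"; then
        echo all
    elif grep -Eq '^[[:space:]]*route[[:space:]]' "$cfg"; then
        echo split
    else
        echo unknown
    fi
}

# Verify that every file the config references via "ca" or "tls-auth"
# exists beside it. A missing tls.auth means the endpoints cannot be
# contacted at all; a CA saved as kx509.cer instead of kx509.crt is the
# mistake this page warns about. Returns 0 only when all files are present.
check_cfg_files() {
    cfg="$1"
    dir=$(dirname "$cfg")
    rc=0
    for f in $(awk '$1=="ca" || $1=="tls-auth" {print $2}' "$cfg"); do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            rc=1
        fi
    done
    return $rc
}

# Print the command that starts the daemon as root with the chosen config
# (--cd makes the relative ca/tls-auth paths resolve). Printed, not run.
launch_cmd() {
    cfg="$1"
    printf 'sudo openvpn --cd %s --config %s\n' \
        "$(dirname "$cfg")" "$(basename "$cfg")"
}

# --- demonstration on constructed sample files -------------------------
demo_dir=$(mktemp -d)
cat > "$demo_dir/inf-via-sample.ovpn" <<'EOF'
# constructed sample, not the real Informatics file
client
dev tun
proto udp
remote endpoint.example.invalid 1194
ca kx509.crt
tls-auth tls.auth 1
auth-user-pass
route 129.215.0.0 255.255.0.0
EOF
cat > "$demo_dir/inf-all-sample.ovpn" <<'EOF'
# constructed sample, not the real Informatics file
client
dev tun
proto udp
remote endpoint.example.invalid 1194
ca kx509.crt
tls-auth tls.auth 1
auth-user-pass
redirect-gateway def1
EOF
: > "$demo_dir/tls.auth"      # placeholder key file, constructed
: > "$demo_dir/kx509.crt"     # placeholder CA file, constructed

for c in "$demo_dir"/*.ovpn; do
    printf '%s: mode=%s\n' "$(basename "$c")" "$(vpn_mode "$c")"
    check_cfg_files "$c" && launch_cmd "$c"
done
rm -rf "$demo_dir"
```

Run it as an ordinary user before reaching for root: `vpn_mode` tells you whether the file you are about to load will take all of your traffic through the tunnel or only the EdLAN range, and `check_cfg_files` fails loudly when the key or CA file is missing or misnamed, which is far easier to diagnose here than from the daemon's TLS handshake errors.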

A Note on Authentication

The configuration files linked here connect to the endpoints in password-authentication mode. OpenVPN also supports certificate-based authentication, and it is possible to connect to our endpoints in this way. Instead of validating a username and password, they will instead accept certificates issued by our kx509 service, and will validate them against the appropriate CA chain. No additional password is required in this case, thus extending the DICE single-signon paradigm.

This has been tested on DICE-based Linux, and works well. It should also in principle work using the kx509 plugin for Kerberos for Windows, which users of our AFS service may already have installed, but so far tests haven't been successful. There have been certificate-chain bugs reported in some versions of XP, though.

If you'd like to try this, we can offer some guidance as to what to put in your OpenVPN configuration files.


index.html,v 1.44 2009/10/28 16:41:17 gdmr Exp



Informatics Forum, 10 Crichton Street, Edinburgh, EH8 9AB, Scotland, UK
Tel: +44 131 651 5661, Fax: +44 131 651 1426, E-mail: school-office@inf.ed.ac.uk
Please contact our webadmin with any comments or corrections.
Unless explicitly stated otherwise, all material is copyright © The University of Edinburgh