FAQ : OpenVPN


CSE OpenVPN Network

CSE runs a VPN using the OpenVPN software. This package works on all major operating systems and distributions and has a relatively straightforward setup across the board.



Overview

This VPN serves two purposes: it authenticates access to the wireless subnet, and it lets you pass through the CSE firewall to reach protected services from outside the University.

We do not currently require VPN authentication to use the wireless subnet, but we are likely to in the future. We also cannot yet track per-IP usage for VPN access from outside the University, so connections are rate limited to make sure VPN traffic does not place an undue burden on the network. This is expected to change in the future.



Basic Configuration

Essentially: install OpenVPN, fetch the configuration file and the CA certificate file, then run OpenVPN with that configuration file.

Install OpenVPN

Generically, visit http://openvpn.net/ and get the install files there. The site also has a page dedicated to GUI front-ends for OpenVPN.

Otherwise....

On Linux/*NIX there should be an openvpn package for whatever distribution you are running. On Debian: apt-get install openvpn.

For Windows, you can visit the OpenVPN Homepage and get the file there, or we've attached openvpn-2.0.7-install.exe - the OpenVPN 2.0.7 installer for Microsoft Windows. Another option is to visit

For MacOSX, you can visit the Tunnelblick Homepage and get an installer, or we've attached Tunnelblick_3.0_rc2.zip - the Tunnelblick 3.0rc2 installer for MacOSX



Configure OpenVPN

You will need the CSE Certificate Authority file (cacert.pem), plus a configuration file.

  • wireless.conf: CSE OpenVPN configuration file (all but Microsoft Windows)
  • wireless.ovpn: CSE OpenVPN configuration file (Microsoft Windows only)


NOTE When saving "cacert.pem" on MS-Windows, make sure to change "Save as Type" from "Text Document" to "All Files". If you do not, it will be saved as "cacert.pem.txt" and OpenVPN will not find it. If you are using Microsoft Internet Explorer, check that the filename really is cacert.pem, as IE will try to save the file as cacert.cer. Save cacert.pem in the same folder as the configuration file.

The running instructions below say where to put these files (where it matters).



Run OpenVPN

Visit the section nearest to your Operating System:



Linux/*NIX

If you want to run OpenVPN manually on Linux, do not put the config file in /etc/openvpn, otherwise it will be started automatically at every boot. Put it (and cacert.pem) somewhere else, change to that directory, and run

sudo /usr/sbin/openvpn --config wireless.conf

You will be prompted for your username and password, and then it should all start working.

If you are logged in as root (which should generally be avoided) you can leave-off the sudo.

Running OpenVPN automatically on Linux

If you place wireless.conf (and cacert.pem) in /etc/openvpn, then openvpn will be started with that config file every time your computer boots. With the default configuration this is awkward, because it prompts for a username and password and the boot sequence will not complete until they are given.

An alternative is to put the username and password, each on a separate line, in a file, e.g. /etc/openvpn/userpass, and then change the auth-user-pass line in wireless.conf to name that file, e.g.

auth-user-pass /etc/openvpn/userpass

For your own security you should not use your normal password here, but a special authentication token. Because the file holds a credential in the clear, it should be owned by root and readable only by root (chmod 600 /etc/openvpn/userpass), so that other users of the machine cannot read it.

To test this out (without the need to reboot), run

/etc/init.d/openvpn start

(note: these instructions are based on the Debian distribution. Other distributions are likely to be similar but have not been tested).
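The steps above (write a two-line credential file, lock it down, point the auth-user-pass line at it) as a small POSIX shell script. This is an added example, not a script shipped by CSE or OpenVPN; the account name z1234567.notebook, the token and the stub wireless.conf are constructed, and the paths are parameters so that the whole thing can be tried in a scratch directory before touching /etc/openvpn.

```shell
#!/bin/sh
# Added example (not from the CSE FAQ): create the auth-user-pass credential
# file for an unattended /etc/openvpn start, lock its permissions down and
# point wireless.conf at it.

# write_userpass FILE USERNAME PASSWORD
# OpenVPN expects exactly two lines: username, then password. The file is
# created under umask 077 and then chmod 600 so that no other local user can
# read the credential (use a dedicated token here, not your normal password).
write_userpass() {
    file=$1; user=$2; pass=$3
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$file" )
    chmod 600 "$file"
}

# userpass_mode FILE: print the file's octal permission bits (GNU or BSD stat).
userpass_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_userpass FILE: succeed only if the file exists, has exactly two lines
# and is mode 600. When it lives in /etc/openvpn it should also be owned by
# root; that is not enforced here so the check can run unprivileged.
check_userpass() {
    file=$1
    [ -f "$file" ] || return 1
    [ "$(wc -l < "$file" | tr -d ' ')" = "2" ] || return 1
    [ "$(userpass_mode "$file")" = "600" ] || return 1
}

# point_config_at_userpass CONF FILE: rewrite (or append) the auth-user-pass
# line so that OpenVPN reads the credential from FILE instead of prompting.
# FILE must not contain '|' or '&', which are special to the sed expression.
point_config_at_userpass() {
    conf=$1; file=$2
    if grep -q '^auth-user-pass' "$conf"; then
        sed "s|^auth-user-pass.*|auth-user-pass $file|" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'auth-user-pass %s\n' "$file" >> "$conf"
    fi
}

# config_userpass_path CONF: print the path named on the auth-user-pass line
# (empty if the line is missing or has no argument).
config_userpass_path() {
    awk '/^auth-user-pass/ { print $2 }' "$1"
}

# demo: run the procedure in a scratch directory. In real use the paths would
# be /etc/openvpn/wireless.conf and /etc/openvpn/userpass and you would be root.
demo() {
    dir=$(mktemp -d)
    printf 'client\nca cacert.pem\nauth-user-pass\n' > "$dir/wireless.conf"   # constructed stub config
    write_userpass "$dir/userpass" z1234567.notebook example-token             # hypothetical account and token
    point_config_at_userpass "$dir/wireless.conf" "$dir/userpass"
    if check_userpass "$dir/userpass"; then
        echo "userpass ok, config reads: $(config_userpass_path "$dir/wireless.conf")"
    else
        echo "userpass is malformed or world-readable" >&2
    fi
    rm -rf "$dir"
}
```

Source the script and call demo to see it run end to end; check_userpass is the piece worth keeping around, since a later editor or a careless cp can silently leave the credential file world-readable.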



MacOSX

Grab the two config files and put them in the openvpn directory, ~/Library/openvpn/ (the openvpn folder is a subfolder of the Library folder in your home directory). OpenVPN looks for the CA file in this directory unless the configuration file gives its path in absolute terms.

Then simply double-click the Tunnelblick app and an icon will appear at the top right of the menu bar. Use this icon to connect and disconnect.



Microsoft Windows

The OpenVPN installation on MS-Windows associates the OpenVPN program with .ovpn files. If you simply open (double-click) wireless.ovpn, the file is opened in an editor so you can review it. If you right-click it you get a menu that includes "Start OpenVPN on this config file"; selecting that runs OpenVPN and prompts for your username and password.

Not Running as an Administrator?

The above only works if your account has administrator privileges. If it does not, you need to run OpenVPN as an administrator.

To do this, create a shortcut to openvpn.exe (in \Program Files\OpenVPN\bin\openvpn.exe) in the folder where you have wireless.ovpn. Open the "Shortcut" tab of the "Properties" dialog for this shortcut and

  • Change the target to read: "C:\Program Files\OpenVPN\bin\openvpn.exe" "wireless.ovpn"
  • Clear the "start in" field or set it to the name of the folder containing wireless.ovpn
  • tick "run as different user."


Now when you double-click on this shortcut, it should prompt for the Administrator password, then run openvpn successfully.



Additional Notes



External Sites

If you connect to this VPN from off-campus you will not be able to make connections through the VPN to other off-campus sites. Connect directly to those sites instead (rather than coming in through our firewall and back out again). The default configuration sets up routes on your machine so that only traffic for campus addresses goes through the tunnel, so this should "just work".
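To see why the routes make off-campus sites go direct, here is an added example (not part of the CSE FAQ) of the longest-prefix-match decision a client makes against a split-tunnel routing table. The table is constructed: 192.0.2.0/24 is a placeholder for the campus range (RFC 5737 documentation space, not CSE's real addresses), tun0 is the VPN interface and eth0 the physical one. Feed it your own `ip route` lines in the same "PREFIX/LEN DEVICE" shape to check that only campus prefixes point at the tunnel.

```shell
#!/bin/sh
# Added example: longest-prefix-match route lookup over a split-tunnel table.
# Only the campus prefix is routed into the tunnel (tun0); everything else
# keeps the default route out of the physical interface (eth0).

# ip2int A.B.C.D: dotted quad to a 32-bit integer (subshell keeps IFS local).
ip2int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# route_dev DEST < TABLE: read lines of the form "PREFIX/LEN DEVICE" from
# stdin and print the device of the most specific matching route (longest
# prefix wins, as the kernel does). Prints nothing if no route matches.
route_dev() {
    dst=$(ip2int "$1"); best_len=-1; best_dev=""
    while read -r cidr dev; do
        [ -n "$cidr" ] || continue
        net=${cidr%/*}; len=${cidr#*/}
        if [ "$len" -eq 0 ]; then
            mask=0                              # default route matches everything
        else
            mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
        fi
        if [ $(( dst & mask )) -eq $(( $(ip2int "$net") & mask )) ] \
           && [ "$len" -gt "$best_len" ]; then
            best_len=$len; best_dev=$dev
        fi
    done
    echo "$best_dev"
}

# Constructed table in the shape a split-tunnel VPN leaves behind: a default
# route via the physical interface and the (placeholder) campus range via tun0.
EXAMPLE_ROUTES='0.0.0.0/0 eth0
192.0.2.0/24 tun0'

# which_way DEST: report whether DEST would go through the tunnel or direct.
which_way() {
    dev=$(printf '%s\n' "$EXAMPLE_ROUTES" | route_dev "$1")
    case $dev in
        tun0) echo "$1 -> via VPN (tun0)" ;;
        "")   echo "$1 -> no route" ;;
        *)    echo "$1 -> direct ($dev)" ;;
    esac
}
```

which_way 192.0.2.10 reports the tunnel, which_way 203.0.113.5 reports the direct path: the /24 beats the /0 only for campus addresses. If a real table shows 0.0.0.0/0 (or 0.0.0.0/1 and 128.0.0.0/1) on tun0, the client is full-tunnelling and off-campus sites are being hairpinned through the firewall.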



Multiple Connections

OpenVPN identifies each connection by the username used to authenticate it. This means you cannot have two concurrent OpenVPN connections authenticated with the same username: if you attempt to make a second connection, the first one is disconnected.

To alleviate this, our wireless-VPN configuration allows you to add an arbitrary suffix to your username, effectively giving you multiple unique usernames. So if you have two computers that you want VPN tunnels for, you could configure one to authenticate as myusername.notebook and the other as myusername.home. Note that the suffix is separated from the username by a period (dot, or full stop).



Troubleshooting

There is a dynamic web page at http://www.cse.unsw.edu.au/wirelessvpn/test.php which will check where the incoming connection is coming from, and report if you seem to be using the VPN correctly.