CSE OpenVPN Network

CSE runs a VPN using the OpenVPN software. This package works on all major operating systems and distributions and has a relatively straightforward setup across the board.

Overview

CSE's VPN service allows users to:

Each time a user connects their computer to CSE's VPN service they are required to enter their CSE username and password. Their username is used to "tag" the network traffic they generate. Traffic coming from outside of the university to the user via their VPN connection will be charged against their IP quota.

Basic Configuration

Essentially, you install openvpn, grab the config file and CA certificate file, and then run openvpn using the config file...

Install OpenVPN

For Windows, we recommend you visit the OpenVPN Community Software page and get an installer from there. Note that this package also includes the VNC server which is not generally required.

For MacOSX, you can visit the Tunnelblick Homepage and download the installer from there.

For MacOSX, you might also wish to check out the Viscosity Homepage.

On Linux/*NIX, there should be an openvpn package for whatever distribution you're running. On Debian: apt-get install openvpn.

Configure OpenVPN

Download and save the CSE Certificate Authority file (cacert.pem).

Then save the following text in a configuration file:

# OpenVPN config file for use with UNSW/CSE wireless
# get cacert.pem from http://www.cse.unsw.edu.au/cacert.pem
dev tun
remote wireless-vpn.cse.unsw.edu.au
tls-client
tls-remote wireless.vpn.cse.unsw.edu.au
ca cacert.pem
proto udp
pull
auth-user-pass
Save it as wireless.ovpn on MS Windows. On other platforms use the filename wireless.conf.

The running instructions below say where to put these files (where it matters).

For Windows installations, we recommend you place the wireless.ovpn file and the cacert.pem in the OpenVPN configuration file directory, for which you will find a shortcut in the OpenVPN program folder in the Windows Start Menu. By default, this is C:\Program Files\OpenVPN\config
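Before the first connection it is worth checking that the config and CA file you saved are what OpenVPN will accept. The script below is an added example, not part of CSE's instructions: lint_ovpn_config and ca_fingerprint are names chosen here, the directive names are OpenVPN's own. Two facts it encodes: the tls-remote directive used in the config above was removed in OpenVPN 2.4 (verify-x509-name is its replacement), and remote-cert-tls server makes the client insist that the presented certificate was issued for server use. The fingerprint is printed so you can compare it with a value obtained from CSE by some route other than the plain-HTTP download.

```shell
#!/bin/sh
# Added example (not CSE's tooling): sanity-check a client config before use.

# ca_fingerprint CACERT -> print the SHA-256 fingerprint of the CA certificate
#   for comparison with a value obtained out of band.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# lint_ovpn_config CONFIG -> exit 0 if the config looks usable; every
#   problem is printed on stderr and counted, warnings are printed only.
lint_ovpn_config() {
    cfg=$1
    problems=0
    # has DIRECTIVE -> exit 0 if the config has a line starting with it
    has() { grep -Eq "^[[:space:]]*$1([[:space:]]|\$)" "$cfg"; }

    for d in remote tls-client ca auth-user-pass; do
        has "$d" || { echo "$cfg: missing '$d' directive" >&2; problems=$((problems + 1)); }
    done

    # tls-remote is not accepted by OpenVPN 2.4 or later
    if has tls-remote && ! has verify-x509-name; then
        echo "$cfg: 'tls-remote' was removed in OpenVPN 2.4; use 'verify-x509-name <name> name'" >&2
        problems=$((problems + 1))
    fi

    # without this the client does not check that the server certificate was issued for server use
    has remote-cert-tls || echo "$cfg: warning: no 'remote-cert-tls server' line" >&2

    # a relative 'ca' path is resolved against the config directory
    cafile=$(sed -n 's/^[[:space:]]*ca[[:space:]][[:space:]]*//p' "$cfg" | head -n 1)
    if [ -n "$cafile" ] && [ ! -r "$(dirname "$cfg")/$cafile" ] && [ ! -r "$cafile" ]; then
        echo "$cfg: CA file '$cafile' not found next to the config" >&2
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Usage:  lint_ovpn_config wireless.conf && ca_fingerprint cacert.pem
```

Run it from the directory holding wireless.conf and cacert.pem; a non-zero exit means at least one counted problem was printed.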

Run OpenVPN

Linux/*NIX

If you want to run OpenVPN manually on Linux you should not put the config file in /etc/openvpn, otherwise it will be run automatically at reboot. Put it somewhere else and run:

sudo /usr/sbin/openvpn --config wireless.conf

You will be prompted for a username and password, and then it should all start working.

If you are logged in as root (which should generally be avoided) you can leave off the sudo.

Running OpenVPN automatically on Linux

If you place the wireless.conf file (and cacert.pem) in /etc/openvpn, then openvpn will be run on this config file every time your computer boots. With the default configuration this can be awkward because it will prompt for a username and password and the boot sequence will not complete until these are given.

An alternative is to place the username and password, each on a separate line, in a file, e.g. /etc/openvpn/userpass. Then change the auth-user-pass line in wireless.conf to include the name of that file, e.g.

auth-user-pass /etc/openvpn/userpass

For your own security you should not use your normal password, but a special authentication token.

To test this out (without the need to reboot), run /etc/init.d/openvpn start
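The credentials file is read by OpenVPN as root, so nothing else on the machine needs to be able to read it. The functions below are an added example (not CSE's tooling; the names install_userpass and userpass_ok are chosen here) that write the two-line file with mode 0600 from the moment it exists, and check an existing file before you rely on it.

```shell
#!/bin/sh
# Added example (not CSE's tooling): create and check the auth-user-pass file.

# install_userpass FILE USERNAME TOKEN
#   Writes USERNAME and TOKEN on separate lines, the layout auth-user-pass
#   expects, creating the file rw------- rather than tightening it afterwards.
install_userpass() {
    file=$1 user=$2 token=$3
    old_umask=$(umask)
    umask 077                      # file is created readable by its owner only
    printf '%s\n%s\n' "$user" "$token" > "$file" || return 1
    umask "$old_umask"
    chmod 600 "$file"              # in case FILE already existed with wider mode
}

# userpass_ok FILE -> exit 0 if FILE exists, has no group/other permission
#   bits and holds exactly two lines; otherwise print the reason on stderr.
userpass_ok() {
    file=$1
    [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }
    case $(ls -l "$file") in
        -rw-------*) ;;
        *) echo "$file: must be mode 0600 (readable by root only)" >&2; return 1 ;;
    esac
    lines=$(wc -l < "$file" | tr -d ' ')
    [ "$lines" -eq 2 ] || { echo "$file: expected 2 lines (username, token), found $lines" >&2; return 1; }
    return 0
}

# Usage (as root; OPENVPN_TOKEN is whatever authentication token you obtained):
#   install_userpass /etc/openvpn/userpass myusername "$OPENVPN_TOKEN"
#   userpass_ok /etc/openvpn/userpass
```

Run userpass_ok again after any editing of the file: editors that write a new file and rename it over the old one can silently widen the permissions.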

MacOSX

You should grab the two config files and put them in the openvpn directory (~/Library/openvpn/, that is, the openvpn folder inside the Library folder in your home directory). OpenVPN will look for the key files in this directory unless the configuration file gives absolute paths to them.

Then simply double-click the Tunnelblick app and you will see an icon appear at the top right of the menu bar. You can use this icon to connect and disconnect.

Microsoft Windows

The OpenVPN installation on MS Windows associates the OpenVPN program with .ovpn files. If you simply open (double-click) wireless.ovpn the file will be opened in an editor so you can review it. If you right-click you will get a menu which includes "Start OpenVPN on this config file". If you select that it will run OpenVPN and prompt for username and password.

Windows XP

To do this, create a shortcut from openvpn (in \Program Files\openvpn\bin\openvpn.exe) to the folder where you have wireless.ovpn. Access the "shortcut" tab of the "properties" dialog for this shortcut and Now when you double-click on this shortcut, it should prompt for the Administrator password, then run openvpn successfully.

Windows Vista and Windows 7

You need to run the OpenVPN Gui as administrator. You can do this by right clicking on the icon and choosing "Run as Administrator". You can make this permanent by right clicking on the icon, selecting Properties, and then checking "Run this program as an administrator" from the Compatibility tab.

Additional Notes

Multiple Connections

OpenVPN normally identifies each connection by the username that was used for authentication. This means that you normally cannot have two concurrent OpenVPN connections that are authenticated with the same username. If you attempt to make a second connection with the same username, the first one will be disconnected.

To alleviate this, our VPN configuration allows you to add an arbitrary suffix to your username which is stripped off during authentication, effectively providing you with multiple unique usernames. So, if you have two computers for which you want to have VPN tunnels established, you could configure one to authenticate as myusername.notebook and the other as myusername.home. Note that the suffix is separated from the username by a period (dot, or fullstop).

External Sites

By default the VPN does not allow your network traffic to flow through it to the outside world. This means that when you try to connect to any sites outside of CSE the network traffic will flow directly between your computer and these sites, rather than being routed through the VPN and then to the sites.

Sometimes this isn't ideal, such as when you are trying to access services subscribed to by UNSW which use UNSW's IP address to allow access. It is, however, possible to cause all your network traffic to be routed through CSE rather than just the network traffic for CSE's own subnetworks. To enable this, when you authenticate add a suffix beginning with the string ".setdefaultroute" to the end of your username. This causes a default route to be set for the VPN which routes all your traffic through CSE's VPN, not just the traffic addressed to CSE's subnetworks.

Note that if you are using a username suffix as described in the previous section, the .setdefaultroute suffix must appear after the arbitrary suffix you chose, e.g. <username>.<arbitrary suffix>.setdefaultroute.
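As an added illustration of how the two suffix conventions combine (this is a model written for this page, not CSE's server code), the shell functions below assume exactly the behaviour described above: everything after the first dot is stripped before the password is checked, a ".setdefaultroute" component switches on the default route, and that component has to come last. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not CSE's code): model of the username suffix rules.

# base_username LOGIN -> the part before the first dot, which is what the
#   VPN actually authenticates against
base_username() {
    printf '%s\n' "${1%%.*}"
}

# wants_default_route LOGIN -> exit 0 if a ".setdefaultroute" suffix is present
wants_default_route() {
    case $1 in
        *.setdefaultroute*) return 0 ;;
        *) return 1 ;;
    esac
}

# suffix_order_ok LOGIN -> exit 1 if another dotted component follows
#   .setdefaultroute, which the instructions say must come last
suffix_order_ok() {
    case $1 in
        *.setdefaultroute.*) return 1 ;;
        *) return 0 ;;
    esac
}

# describe LOGIN -> one line summarising what each login form gets you
describe() {
    routing=split-tunnel
    wants_default_route "$1" && routing=default-route
    suffix_order_ok "$1" || routing="$routing (suffix order wrong)"
    printf '%s: authenticates as %s, distinct session "%s", %s\n' \
        "$1" "$(base_username "$1")" "$1" "$routing"
}

for login in myusername myusername.notebook myusername.home.setdefaultroute; do
    describe "$login"
done
```

Because the whole login string (suffix included) is what distinguishes sessions, two machines that both log in as myusername.setdefaultroute would still disconnect each other; give each its own arbitrary suffix first.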

There's a minor problem in this however, and that is when all of your traffic flows through the VPN your local DNS server may be unreachable. This is particularly a problem when you are using the VPN from home through something like an ADSL connection. In such a case your DNS server would normally be set to be the address of your ADSL router (e.g., 192.168.0.1), but once the VPN is set up this can no longer be reached.

A solution to this is to allow OpenVPN to reconfigure your DNS settings so that your computer uses the DNS servers at CSE. This makes sense and it also allows you to use short names for servers---such as "williams" instead of "williams.cse.unsw.edu.au".

To make this happen under Linux you need to install the following files in the configuration directory you use for OpenVPN and then restart the VPN on your computer:

wireless.conf.setdefaultroute

Add these lines to the end of the wireless.conf file above:

up wireless-up
down wireless-down

wireless-up.setdefaultroute

#!/bin/sh
#
# Run by OpenVPN (via "up wireless-up") once the tunnel is up. OpenVPN
# exports every option pushed by the server as foreign_option_1,
# foreign_option_2, ...; the "dhcp-option DNS" and "dhcp-option DOMAIN"
# ones are collected into a new /etc/resolv.conf and the old one is kept
# so that the down script can put it back.
#
resolv_conf_new="/etc/resolv.conf.openvpn"
resolv_conf_old="/etc/resolv.conf.openvpn.keep"
#
# Remove leftovers from an earlier run (two separate files).
rm -f "$resolv_conf_new" "$resolv_conf_old"
#
# Debugging aid only: dumps OpenVPN's whole environment to a world-readable
# file. Leave it commented out unless you need to see what was pushed.
# env > /tmp/dummy
#
n=1
dns_set=0
while true; do
	eval v=\$foreign_option_$n
	if [ "a$v" = "a" ]; then break; fi
	#
	opt=`echo "$v" | cut -d' ' -f1`
	case $opt in
	dhcp-option)
		subopt=`echo "$v" | cut -d' ' -f2`
		param=`echo "$v" | cut -d' ' -f3`
		case $subopt in
		DNS)
			echo "nameserver $param" >> "$resolv_conf_new"
			dns_set=1
			;;
		DOMAIN)
			echo "domain $param" >> "$resolv_conf_new"
			dns_set=1
			;;
		esac
		;;
	esac
	#
	n=$(($n + 1))
done
#
# Only replace resolv.conf if the server actually pushed DNS settings.
if [ $dns_set -ne 0 ]; then
	cp -p /etc/resolv.conf "$resolv_conf_old"
	mv -f "$resolv_conf_new" /etc/resolv.conf
fi

wireless-down.setdefaultroute

#!/bin/sh
#
# Run by OpenVPN (via "down wireless-down") when the tunnel closes:
# restore the resolv.conf that the up script saved, if there is one.
#
resolv_conf_old="/etc/resolv.conf.openvpn.keep"
#
if [ -e "$resolv_conf_old" ]; then
	mv -f "$resolv_conf_old" /etc/resolv.conf
fi
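The up script above copies whatever the server pushes straight into the resolver configuration. The block below is an added example, not the script from the page: it walks the same foreign_option_N variables but validates each value first and takes the output path as a parameter, so the parsing can be exercised without root or a live tunnel. The names is_ipv4, is_domain and build_resolv_conf are chosen for this example, and the sample foreign_option values in the usage note are constructed. Two practical notes: OpenVPN 2.1 and later only run up/down scripts if the config also contains script-security 2, and the scripts must be executable.

```shell
#!/bin/sh
# Added example (not the page's wireless-up): validated dhcp-option parsing.

# is_ipv4 ADDR -> exit 0 for a dotted quad whose four octets are each 0-255
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1                    # split on dots into positional parameters
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_domain NAME -> exit 0 for a hostname made of letters, digits, '-' and '.'
is_domain() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*|-*|.*|*.|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

# build_resolv_conf OUTFILE -> write nameserver/domain lines for every valid
#   "dhcp-option DNS" / "dhcp-option DOMAIN" in foreign_option_1, _2, ...
#   Exit 0 if at least one line was written. Values that do not validate are
#   reported on stderr and skipped instead of being copied into OUTFILE.
build_resolv_conf() {
    out=$1
    : > "$out"
    written=0
    n=1
    set -f                       # no globbing while word-splitting server input
    while true; do
        eval "v=\${foreign_option_$n:-}"
        [ -n "$v" ] || break
        set -- $v                # e.g. "dhcp-option DNS 192.0.2.53" (constructed)
        if [ "${1:-}" = dhcp-option ]; then
            case ${2:-} in
            DNS)
                if is_ipv4 "${3:-}"; then
                    echo "nameserver $3" >> "$out"; written=1
                else
                    echo "ignoring pushed DNS server '${3:-}'" >&2
                fi ;;
            DOMAIN)
                if is_domain "${3:-}"; then
                    echo "domain $3" >> "$out"; written=1
                else
                    echo "ignoring pushed domain '${3:-}'" >&2
                fi ;;
            esac
        fi
        n=$((n + 1))
    done
    set +f
    [ $written -ne 0 ]
}

# From an --up script (as root), the equivalent of the page's wireless-up:
#   build_resolv_conf /etc/resolv.conf.openvpn \
#       && cp -p /etc/resolv.conf /etc/resolv.conf.openvpn.keep \
#       && mv -f /etc/resolv.conf.openvpn /etc/resolv.conf
# To try it without a tunnel (constructed values):
#   foreign_option_1="dhcp-option DNS 192.0.2.53" \
#   foreign_option_2="dhcp-option DOMAIN cse.unsw.edu.au" sh -c '. ./dns-options.sh; build_resolv_conf /tmp/resolv.test'
```

The validation is deliberately strict: resolv.conf is parsed by every program on the machine, so a pushed value that is not a plain address or hostname is better dropped with a message than written out.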

Troubleshooting

There is a dynamic web page at http://www.cse.unsw.edu.au/wirelessvpn/test.php which will check where the incoming connection is coming from, and report if you seem to be using the VPN correctly.
