OpenVPN

CSE OpenVPN Network

CSE runs a VPN using the OpenVPN software. This package works on all major operating systems and distributions and has a relatively straightforward setup across the board.

Overview

CSE's VPN service allows users to:
  • Encrypt network traffic between computers on CSE's untrusted or wireless subnetworks and CSE's servers and lab computers, and
  • Access computers on CSE's server, trusted and untrusted subnetworks in a secure fashion from outside of the university.
Each time a user connects their computer to CSE's VPN service they are required to enter their CSE username and password.

Basic Configuration

Essentially, you install openvpn, grab the config file and CA certificate file, and then run openvpn using the config file...

Install OpenVPN

For Windows, we recommend you visit the OpenVPN Community Software page and get an installer from there. Note that this package also includes the VNC server which is not generally required.
For MacOSX, you can visit the Tunnelblick (Homepage) and download the installer from there. For MacOSX, you might also wish to check out the Viscosity (Homepage).
On Linux/*NIX, there should be an openvpn package for whatever distribution you're running. On Debian: apt-get install openvpn.
On iOS (iPad and iPhone) you can download the free app called OpenVPN Connect from OpenVPN Technologies.

Configure OpenVPN: OSX, Linux & Windows

Download and save the CSE Certificate Authority file.
 
  Then save the following text in a configuration file:
  # OpenVPN config file for use with UNSW/CSE wireless
# get cacert.pem from http://www.cse.unsw.edu.au/cacert.pem
dev tun
remote wireless-vpn.cse.unsw.edu.au
tls-client
verify-x509-name wireless.vpn.cse.unsw.edu.au name
ca cacert.pem
proto udp
pull
auth-user-pass
 
Save this file using the filename wireless.ovpn for Windows. On Linux & MacOSX, use the filename wireless.conf The running instructions contains information on where to put these files (if it is important). For Windows installations, we recommend you place the wireless.opvn file and the cacert.pem in the OpenVPN configuration file directory for which you will find a shortcut in the OpenVPN program folder in the Windows Start Menu. By default, this is C:\Program Files\OpenVPN\config

Configure OpenVPN: iOS (iPad/iPhone)

All of the required keys and certificates mentioned above are embedded in the cse-smartphone.ovpn file. Only this one file needs to be copied over to your iPad or iPhone.
  1. Download the cse-smartphone.ovpn file from the Download section at the end of this page.
  2. Start iTunes with your device connected to the computer.
  3. Select your device and then select the "Apps" screen.
  4. Scroll down to File Sharing and select the OpenVPN app.
  5. Drag the cse-smartphone.ovpn into the Documents window.
  6. Open the OpenVPN app on your iPad or iPhone.
  7. Select iTunes Sync as the method to import your profile.
  8. Select the wireless-vpn... profile.
  9. Enter your CSE user name and password.
  10. Connect.

Run OpenVPN

Linux/*NIX

If you want to run Openvpn manually on Linux you should not put the config file in /etc/openvpn, otherwise it will get run automatically at reboot. Put it somewhere else, and run: sudo /usr/sbin/openvpn --config wireless.conf You will be prompted for username and password, and then it should all start working. If you are logged in as root (which should generally be avoided) you can leave-off the sudo.

Running OpenVPN automatically on Linux

If you place the wireless.conf file (and cacert.pem) in /etc/openvpn, then openvpn will be run on this config file every time your computer boots. With the default configuration this can be awkward because it will prompt for a username and password and the boot sequence will not complete until these are given. An alternative is to place the username and password, each on a separate line, in a file, e.g. /etc/openvpn/userpass. Then change the auth-user-pass line in wireless.conf to have the name of the file as well. e.g. auth-user-pass /etc/openvpn/userpass For you own security you should not use your normal password, but a special authentication token. To test this out (without the need to reboot), run /etc/init.d/openvpn start

MacOSX

Manually create the .opvn file as described in this step, and download CSE Certificate Authority file to the same local directory as the .opvn file. You will use both two files when configuring your OpenVPN client. Tunnelblick (Homepage) and Viscosity (Homepage) are two recommended OpenVPN clients. Follow the instructions for your chosen application to import and use these files.

Importing Configuration file into Tunnelblick

After install Tunnelblick on your mac, double-click wireless.opvn file(which manually created in previous step).
Choose to install Configuration file for either yourself (Only Me) or for All users on your mac.
(if the cacert.pem is saved in the same directory as wireless.opvn file, it will be imported automatically)

Microsoft Windows

The openvpn installation on MS-Windows associated the OpenVPN program with .ovpn files. If you simply open (double-click) wireless.ovpn the file will be opened in an editor so you can review it. If you right-click you will get a menu which includes "Start OpenVPN on this config file". If you select that it will run OpenVPN and prompt for username and password.

Windows Vista, Windows 7 and above

To do this, copy over wireless.ovpn and cacert.pem to \Program Files\OpenVPN\config folder.
Create a shortcut for openvpn-gui.exe file which locates in C:\Program Files\OpenVPN\bin folder.
Right-click on this shortcut, then choose Properties -> Shortcut tab
  • Change the target to read: "C:\Program Files\OpenVPN\bin\openvpn-gui.exe" --connect wireless.ovpn
  • Switch to "Compatibility" tab, tick "Run this program as an administrator" under Privilege Level section
Now when you double-click on this shortcut, it should prompt for the Administrator password, then run openvpn successfully.
Please note: You need to run the OpenVPN Gui as administrator.
You can do this by right clicking on the icon and choosing "Run as Administrator". You can make this permanent by right clicking on the icon, selecting Properties, and then checking "Run this program as an administrator" from the Compatibility tab.

Replacing CA certificate file

To replace a CA certificate file for a connection configuration file, you can simply locate the existing CA(.pem file) in your local computer then replace it with the updated one.

MacOSX

The CA file saved in the same directory as the configuration file depending on whether it is for All users or Only yourself:
location for All Users /Library/Application Support/Tunnelblick/Shared/wireless.tblk/Contents/Resources location for the current logon user ~/Library/Application Support/Tunnelblick/Configurations/wireless.tblk/Contents/Resources (paths are written in MacOS Finder format. Accessing the paths via terminal, please replace " "(space) between the words "Application" and "Support" with "\ ")

Windows

The CA file on Windows is saved in the following directory: \Program Files\OpenVPN\config

Additional Notes

Multiple Connections

OpenVPN normally identifies each connection by the username that was used for authentication. This means that you normally cannot have two concurrent OpenVPN connections that are authenticated with the same username. If you attempt to make a second connection with the same username, the first one will be disconnected. To alleviate this, our VPN configuration allows you to add an arbitrary suffix to your username which is stripped off during authentication, effectively providing you with multiple unique usernames. So, if you have two computers for which you want to have VPN tunnels established, you could configure one to authenticate as myusername.notebook and the other as myusername.home. Note that the suffix is separated from the username by a period (dot, or fullstop).

External Sites

By default the VPN does not allow your network traffic to flow through it to the outside world. This means that when you try to connect to any sites outside of CSE the network traffic will flow directly between your computer and these sites, rather then being routed through the VPN and then to the sites. Sometimes this isn't ideal, such as when when you are trying to access services subscribed to by UNSW which use UNSW's IP address to allow access. It is, however, possible to cause all your network traffic to be routed through CSE rather than just the network traffic for CSE's own subnetworks. To enable this, when you authenticate add a suffix beginning with the string ".setdefaultroute" to the end of your username. This causes a default route to be set for the VPN which routes all your traffic through CSE's VPN, not just the traffic addressed to CSE's subnetworks. Note that if you are using a username suffix as described in the previous section, the .setdefaultroute suffix must appear after the arbitrary suffix you chose e.g. <username>.<arbitrary suffix>.setdefaultroute There's a minor problem in this however, and that is when all of your traffic flows through the VPN your local DNS server may be unreachable. This is particularly a problem when you are using the VPN from home through something like an ADSL connection. In such a case your DNS server would normally be set to be the address of your ADSL router (e.g., 192.168.0.1), but once the VPN is set up this can no longer be reached. A solution to this is to allow OpenVPN to reconfigure your DNS settings so that your computer uses the DNS servers at CSE. This makes sense and it also allows you to use short names for servers---such as "williams" instead of "williams.cse.unsw.edu.au". To make this happen under Linux you need to install the following files in the configuration directory you use for OpenVPN and then restart the VPN on your computer:

wireless.conf.setdefaultroute

Add these lines to the end of wireless.conf file above: up wireless-up down wireless-down

wireless-up.setdefaultroute

#!/bin/sh # resolv_conf_new="/etc/resolv.conf.openvpn" resolv_conf_old="/etc/resolv.conf.openvpn.keep" # rm -f "$resolv_conf_new $resolv_conf_old" # env > /tmp/dummy # n=1 dns_set=0 while true; do # eval v=\$foreign_option_$n if [ "a$v" = "a" ]; then break; fi # opt=`echo "$v" | cut -d' ' -f1` case $opt in dhcp-option) subopt=`echo "$v" | cut -d' ' -f2` param=`echo "$v" | cut -d' ' -f3` case $subopt in DNS) echo "nameserver $param" >> $resolv_conf_new dns_set=1 ;; DOMAIN) echo "domain $param" >> $resolv_conf_new dns_set=1 ;; esac ;; esac # n=$(($n + 1)) done # if [ $dns_set -ne 0 ]; then cp -p /etc/resolv.conf $resolv_conf_old mv -f $resolv_conf_new /etc/resolv.conf fi

wireless-down.setdefaultroute

#!/bin/sh # resolv_conf_old="/etc/resolv.conf.openvpn.keep" # if [ -e $resolv_conf_old ]; then mv -f $resolv_conf_old /etc/resolv.conf fi

Troubleshooting

There is a dynamic web page at http://www.cse.unsw.edu.au/wirelessvpn/test.php which will check where the incoming connection is coming from, and report if you seem to be using the VPN correctly.
Last edited by crh 06/03/2017

Downloads on this page:

Tags for this page:

VPN, openvpn, network, wireless