
CSEL OpenVPN

Getting Access

To use the CSEL's OpenVPN server, you need an OpenSSL certificate signed by our certificate authority. To get a certificate, start by choosing a common name. We will only accept requests for names that match your @colorado.edu email address plus a tag.

$ CN="matthew.monaco+desktop@colorado.edu"
$ openssl genrsa -out "$CN".key 2048
$ openssl req -new -key "$CN".key -out "$CN".csr -subj "/C=US/ST=Colorado/L=Boulder/O=University of Colorado/OU=Department of Computer Science/CN=$CN/emailAddress=admin@cs.colorado.edu"

A couple of things to note:

  • The .key file is private; do not share it. The .csr (certificate signing request) is public and can be shared.

  • There can only be one active connection per certificate. It's fine to use the same certificate on e.g., your laptop and your desktop if only one will be connected at a time.

  • You can share one key among any number of certificates; however, make sure you transfer your key securely between machines. There really isn't a drawback to using separate keys, though.

  • A key size of 2048 is sufficient, but you can choose others such as 1024, 4096, etc. if you so desire (1024-bit RSA is considered weak by current standards, so 2048 or larger is the better choice).

Once your .csr is generated, email it to admin@cs.colorado.edu. We will generate a .crt (certificate) for you and place it in your CSEL home directory. The .crt is public; it can't be used for much without the private .key file.

Configuration

To connect to the CSEL's OpenVPN server, you need a few things:

  • csel.conf - See below
  • csel-ca.crt - The certificate authority's certificate. You can get it here
  • <your cn>.key - The private key that you created above
  • <your cn>.crt - Your personal client certificate that we will provide to you after you follow the directions above
  • csel-ta.key - A semi-private file that will be provided to you when you receive your client certificate(s)

On Linux (*nix in general) systems, these files would generally go under /etc/openvpn/. However, when using NetworkManager or some other wrapper around the official OpenVPN software, you may need to inspect the options below and enter them into a GUI. On Mac and Windows, configuration depends on the client. As a hint, it may be necessary to pack them into a zip file with a .ovpn or some such extension.

This is an example configuration file. You may want to tweak some settings.

# CSEL OpenVPN client
# see https://git.cs.colorado.edu/csel/www/blob/master/openvpn.md

# Basic connection settings
client
remote   vpn.cs.colorado.edu
dev      tun
dev-type tun
nobind
comp-lzo

# OpenSSL settings
ca        csel-ca.crt                    # public file, provided on website
tls-auth  csel-ta.key 1                  # private file, provided by us
cert      your.name+tag@colorado.edu.crt # public file, provided by us
key       your.name+tag@colorado.edu.key # private file, created by you
remote-cert-tls server

# On Ubuntu, enable the update-resolv-conf script to
# automatically use the CSEL DNS servers while connected
#script-security 2
#up   update-resolv-conf
#down update-resolv-conf

# These should be commented out on non-*nix systems.
# They should also be commented out when using the update-resolv-conf
# script, above
user  nobody
group nobody

# These are all optional
persist-key
persist-tun
verb 3
mute 30

# By default the server connects your machine to the 'Lab Network'; this
# is the network that the PCs use. You can use the VPN to connect to
# campus in general, but first you must make sure that you ignore the
# OpenVPN server itself!
route remote_host 255.255.255.255 net_gateway
route 128.138.0.0 255.255.0.0

# You can also use the VPN as your default route. This isn't a great idea
# in general, so don't leave it on all of the time. However it will help
# you access academic papers from home. When using this, the two options
# above are redundant.
redirect-gateway
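
A small checker, added here as an example and not part of the CSEL page or the OpenVPN project, that applies the rules this page states to a csel.conf before you start the client: the common-name convention from "Getting Access", the required OpenSSL options, the user/group versus update-resolv-conf conflict, and the redundancy of the route lines with redirect-gateway. The sample configuration and the CN regular expression are constructed assumptions.

```python
import re

# Constructed sample (not a real user's file): this page's csel.conf with its optional sections enabled in the conflicting way the comments warn about.
SAMPLE_CONF = """\
remote vpn.cs.colorado.edu
ca        csel-ca.crt
tls-auth  csel-ta.key 1
cert      your.name+tag@colorado.edu.crt
key       your.name+tag@colorado.edu.key
remote-cert-tls server
up   update-resolv-conf
user  nobody
group nobody
route remote_host 255.255.255.255 net_gateway
redirect-gateway
"""

# Accepted common names: a colorado.edu address plus a "+tag" suffix (assumed pattern).
CN_RE = re.compile(r"^[a-z][a-z0-9.]*\+[a-z0-9-]+@colorado\.edu$", re.I)

def valid_cn(cn):
    """True if cn follows the <name>+<tag>@colorado.edu rule."""
    return CN_RE.match(cn) is not None

def parse_conf(text):
    """Return {option: [argument lists]}; '#' and ';' start comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts

def check_conf(text):
    """Return findings for the client-side rules stated on this page."""
    opts = parse_conf(text)
    findings = []
    for req in ("ca", "cert", "key", "tls-auth", "remote-cert-tls"):
        if req not in opts:
            findings.append(f"missing {req}")
    if "tls-auth" in opts and opts["tls-auth"][0][1:] != ["1"]:
        findings.append("tls-auth key direction should be 1 on the client")
    for opt in ("cert", "key"):
        if opt in opts and not valid_cn(opts[opt][0][0].rsplit(".", 1)[0]):
            findings.append(f"{opt} file name is not <name>+<tag>@colorado.edu")
    resolv = any(a == ["update-resolv-conf"] for a in opts.get("up", []))
    if resolv and ("user" in opts or "group" in opts):
        findings.append("user/group must be commented out with update-resolv-conf")
    if "redirect-gateway" in opts and "route" in opts:
        findings.append("route lines are redundant with redirect-gateway")
    return findings
```

Run check_conf on your own file's contents; an empty list means none of the page's stated rules are violated.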

Running

Once you have your configuration files in place, you just need to run OpenVPN. On Ubuntu and other similar systems:

$ sudo service openvpn start csel

On systemd systems such as Archlinux, Fedora, and OpenSUSE (and soon Debian and Ubuntu):

$ sudo systemctl start openvpn@csel.service