To use the CSEL's OpenVPN server, you need an
OpenSSL certificate signed by our certificate
authority. To get a certificate, start by choosing a common name. We
will only accept requests for names that match your
email address plus a tag.
$ CN="email@example.com"
$ openssl genrsa -out "$CN".key 2048
$ openssl req -new -key "$CN".key -out "$CN".csr -subj "/C=US/ST=Colorado/L=Boulder/O=University of Colorado/OU=Department of Computer Science/CN=$CN/emailAddress=firstname.lastname@example.org"
A couple of things to note:
The .key is private, do not share it. The .csr (certificate signing request) is public, it can be shared.
There can only be one active connection per certificate. It's fine to use the same certificate on e.g. your laptop and your desktop if only one will be connected at a time.
You can share one key among any number of certificates, however make sure you transfer your key securely among machines. There really isn't a drawback to using separate keys though.
A key size of 2048 is sufficient, but you can choose others such as 1024, 4192, etc. if you so desire.
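The two openssl commands above, wrapped in a small POSIX sh script that checks the common name first (CSEL only accepts your address plus a tag) and creates the key under umask 077 so it is never world-readable. This is an added example, not part of the CSEL page: EMAIL_DOMAIN, the CSEL_CN variable and the choice to put the untagged address into the emailAddress field are assumptions made here, so adjust them to whatever CSEL actually asks for.

```shell
#!/bin/sh
# Added example, not from the CSEL page: wraps the key/CSR steps so the common
# name is checked before anything is generated and the private key is created
# with owner-only permissions from the start.
# EMAIL_DOMAIN is an assumption for illustration; set it to your real mail domain.
EMAIL_DOMAIN="${EMAIL_DOMAIN:-example.com}"

# cn_is_valid CN: succeed only for "<user>+<tag>@$EMAIL_DOMAIN"
# (exactly one '+', exactly one '@', no blanks or unusual characters)
cn_is_valid() {
    case "$1" in
        *[!A-Za-z0-9.+_@-]*) return 1 ;;      # blanks / odd characters
        *+*@"$EMAIL_DOMAIN") ;;                # must carry a tag and our domain
        *) return 1 ;;
    esac
    _local="${1%%@*}"                          # part before the first '@'
    _user="${_local%%+*}"
    _tag="${_local#*+}"
    [ -n "$_user" ] && [ -n "$_tag" ] &&
        [ "$_tag" = "${_tag#*+}" ] &&          # no second '+'
        [ "${1#*@}" = "${1##*@}" ]             # no second '@'
}

# email_for_cn CN: the mailbox the tag was added to, e.g. alice+laptop@x -> alice@x
# (used for the emailAddress field; that choice is an assumption, not CSEL's rule)
email_for_cn() {
    _l="${1%%@*}"
    printf '%s@%s\n' "${_l%%+*}" "${1#*@}"
}

# make_csr CN: run the page's two openssl commands under umask 077 so CN.key is
# created mode 0600, then confirm the CSR really carries the CN before you mail it.
make_csr() {
    cn="$1"
    if ! cn_is_valid "$cn"; then
        echo "refusing '$cn': expected <user>+<tag>@$EMAIL_DOMAIN" >&2
        return 1
    fi
    (
        umask 077
        openssl genrsa -out "$cn.key" 2048 &&
        openssl req -new -key "$cn.key" -out "$cn.csr" \
            -subj "/C=US/ST=Colorado/L=Boulder/O=University of Colorado/OU=Department of Computer Science/CN=$cn/emailAddress=$(email_for_cn "$cn")"
    ) || return 1
    chmod 644 "$cn.csr"                        # the CSR is public; the key stays 0600
    openssl req -noout -subject -in "$cn.csr" | grep -F -- "$cn" >/dev/null ||
        { echo "CSR subject does not contain $cn" >&2; return 1; }
    echo "created $cn.key (private, mode 0600) and $cn.csr (the file to send)"
}

# Usage: CSEL_CN="you+laptop@example.com" sh make-csel-csr.sh
if [ -n "${CSEL_CN:-}" ]; then
    make_csr "$CSEL_CN"
fi
```

The umask is set inside a subshell so it does not leak into the rest of your session; the subject check at the end catches the common mistake of quoting the -subj string wrongly and ending up with an empty or shifted CN.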
Once the .csr is generated, email it to
We will generate a .crt (certificate) for you and place it in your CSEL home directory.
The .crt is public, it can't be used for much without
To connect to the CSEL's OpenVPN server, you need a few things:
csel.conf - see below
csel-ca.crt - the certificate authority's certificate. You can get it here
<your cn>.key - the private key that you created above
<your cn>.crt - your personal client certificate, which we will provide to you after you follow the directions above
csel-ta.key - a semi-private file that will be provided to you when you receive your client certificate(s)
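A preflight check over the five files listed above, added here as an example rather than taken from the CSEL page. It assumes the files sit together in one directory (CSEL_DIR, defaulting to /etc/openvpn as the text below suggests) and that CSEL_CN holds your common name; the file names are the ones from the list, and the openssl subcommands used are standard ones.

```shell
#!/bin/sh
# Added example, not from the CSEL page: verify the file set before starting
# OpenVPN. CSEL_DIR and CSEL_CN are assumptions; set them for your machine.

# mode_is_private FILE: succeed if FILE is readable/writable by its owner only.
# ls output is parsed instead of stat because stat's flags differ between GNU and BSD.
mode_is_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c2-10)" = "rw-------" ]
}

# missing_files DIR CN: print each expected file that is absent; succeed if none is
missing_files() {
    dir="$1"; cn="$2"; rc=0
    for f in csel.conf csel-ca.crt csel-ta.key "$cn.key" "$cn.crt"; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f"
            rc=1
        fi
    done
    return $rc
}

# preflight DIR CN: presence, permissions, then cryptographic consistency
preflight() {
    dir="$1"; cn="$2"
    missing_files "$dir" "$cn" || return 1
    for f in "$cn.key" csel-ta.key; do      # both are secrets
        mode_is_private "$dir/$f" ||
            { echo "$dir/$f should be mode 0600 (chmod 600 $dir/$f)"; return 1; }
    done
    # The .crt CSEL placed in your home directory must belong to the key you
    # generated: the RSA modulus has to be identical on both sides.
    k=$(openssl rsa -noout -modulus -in "$dir/$cn.key")
    c=$(openssl x509 -noout -modulus -in "$dir/$cn.crt")
    [ "$k" = "$c" ] || { echo "$cn.crt was not issued for $cn.key"; return 1; }
    # It must chain to the CSEL CA that csel.conf points at, and not be expired.
    openssl verify -CAfile "$dir/csel-ca.crt" "$dir/$cn.crt" >/dev/null || return 1
    openssl x509 -noout -checkend 0 -in "$dir/$cn.crt" >/dev/null ||
        { echo "$cn.crt has expired"; return 1; }
    echo "ok: $dir looks ready for csel.conf"
}

# Usage: CSEL_CN="you+laptop@example.com" CSEL_DIR=/etc/openvpn sh preflight.sh
if [ -n "${CSEL_CN:-}" ]; then
    preflight "${CSEL_DIR:-/etc/openvpn}" "$CSEL_CN"
fi
```

The modulus comparison is the quickest way to spot a certificate that was issued for a different key (for instance after regenerating your key and forgetting to resubmit the CSR), and the permission check matters because OpenVPN reads the key and the tls-auth secret as root before dropping to nobody.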
On Linux (*nix in general) systems, these files would generally go under
/etc/openvpn/. However, when using NetworkManager or some other
wrapper around the official OpenVPN software, you may need to inspect
the options below and enter them into a GUI. On Mac and Windows,
configuration depends on the client. As a hint, it may be necessary to
pack them into a zip file with a
.ovpn or some such extension.
This is an example configuration file. You may want to tweak some settings.
# CSEL OpenVPN client
# see https://git.cs.colorado.edu/csel/www/blob/master/openvpn.md

# Basic connection settings
client
remote vpn.cs.colorado.edu
dev tun
dev-type tun
nobind
comp-lzo

# OpenSSL settings
ca csel-ca.crt          # public file, provided on website
tls-auth csel-ta.key 1  # private file, provided by us
cert <your cn>.crt      # public file, provided by us
key <your cn>.key       # private file, created by you
remote-cert-tls server

# On Ubuntu, enable the update-resolv-conf script to
# automatically use the CSEL DNS servers while connected
#script-security 2
#up update-resolv-conf
#down update-resolv-conf

# These should be commented out on non-*nix systems.
# They should also be commented out when using the update-resolv-conf
# script, above
user nobody
group nobody

# These are all optional
persist-key
persist-tun
verb 3
mute 30

# By default the server connects your machine to the 'Lab Network'; this
# is the network that the PCs use. You can use the VPN to connect to
# campus in general, but first you must make sure that you ignore the
# OpenVPN server itself!
route remote_host 255.255.255.255 net_gateway
route 220.127.116.11 255.255.0.0

# You can also use the VPN as your default route. This isn't a great idea
# in general, so don't leave it on all of the time. However it will help
# you access academic papers from home. When using this, the two options
# above are redundant.
redirect-gateway
Once you have your configuration files in place, you just need to run OpenVPN. On Ubuntu and other similar systems:
$ sudo service openvpn start csel
On systemd systems such as Archlinux, Fedora, and OpenSUSE (and soon Debian and Ubuntu), the unit is the openvpn@ template instance named after csel.conf:
$ sudo systemctl start openvpn@csel