Commit 086a345a by Matthew Monaco

openvpn: Add configuration instructions

1 parent aeb9e0bd
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
......@@ -25,7 +25,7 @@ A couple of things to note:
sure you transfer your key securely among machines. *There really isn't
a drawback to using separate keys though*.
- A keysize of 2048 is sufficient, but you can choose others such as 1024
- A keysize of 2048 is sufficient, but you can choose others such as 1024,
4192, etc if you so desire.
Once your `.csr` is generated, email it to
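Review bot: The key-size sentence should not offer 1024 as an alternative, and "4192" looks like a typo for 4096; 1024-bit RSA is below current recommendations for a client key that will be signed by the CA and trusted for VPN access, so the line would be safer as "A keysize of 2048 is sufficient, but you can choose a larger one such as 4096 if you so desire." While touching the line, "etc if" needs a comma ("etc., if").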
......@@ -34,8 +34,77 @@ will generate a `.crt` \(certificate\) for you and place it in your CSEL
home directory. The `.crt` is public, it can't be used for much without
the **private** `.key` file.
## Connecting
## Configuration
TODO
To connect to the CSEL's OpenVPN server, you need a few things:
- `csel.conf` - See below
- `csel-ca.crt` - The certificate authority's certificate. [You can get it here](csel-ca.crt)
- `<your cn>.key` - The private key that you created above
- `<your cn>.crt` - Your personal client certificate that we will
provide to you after you follow the directions above
- `csel-ta.key` - A semi-private file that will be provided to you
when you receive your client certificate(s)
On Linux (*nix in general) systems, these files would generally go under
`/etc/openvpn/`. However, when using NetworkManager or some other
wrapper around the official OpenVPN software, you may need to inspect
the options below and enter them into a GUI. On Mac and Windows,
configuration depends on the client. As a hint, it may be necessary to
pack them into a zip file with a `.ovpn` or some such extention.
This is an example configuration file. You may want to tweak some
settings.
```conf
# CSEL OpenVPN client
# see https://git.cs.colorado.edu/csel/www/blob/master/openvpn.md
# Basic connection settings
client
remote vpn.cs.colorado.edu
dev-type tun
nobind
comp-lzo
# OpenSSL settings
ca csel-ca.crt # public file, provided on website
tls-auth csel-ta.key # private file, provided by us
cert your.name+tag@colorado.edu.crt # public file, provided by us
key your.name+tag@colorado.edu.key # private file, created by you
remote-cert-tls server
# On Ubuntu, enable the update-resolv-conf script to
# automatically use the CSEL DNS servers while connected
#script-security 2
#up update-resolv-conf
#down update-resolv-conf
# These should be commented out on non-*nix systems.
# They should also be commented out when using the update-resolv-conf
# script, above
user nobody
group nobody
# These are all optional
persist-key
persist-tun
verb 3
mute 30
# By default the server connects your machine to the 'Lab Network'; this
# is the network that the PCs use. You can use the VPN to connect to
# campus in general, but first you must make sure that you ignore the
# OpenVPN server itself!
route remote_host 255.255.255.255 net_gateway
route 128.138.0.0 255.255.0.0
# You can also use the VPN as your default route. This isn't a great idea
# in general, so don't leave it on all of the time. However it will help
# you access academic papers from home. When using this, the two options
# above are redundant.
redirect-gateway
```
<!-- vim: set nofoldenable tw=72 : -->
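Review bot: The example config has `dev-type tun` but no `dev` directive; OpenVPN refuses to start without `--dev`, so the "Basic connection settings" block needs `dev tun` (at which point `dev-type tun` is redundant and can be dropped). Two related points in the same block: `persist-key` and `persist-tun` are described as "all optional", but once `user nobody` / `group nobody` drop privileges they are required for the client to survive a restart or reconnect, because an unprivileged process can no longer re-read the private key or re-open the tun device; please move them next to the `user`/`group` lines with a comment saying so. On Debian and Ubuntu the unprivileged group is `nogroup`, not `nobody`, so the `group nobody` line will fail on exactly the systems the Ubuntu `update-resolv-conf` comment targets. The `tls-auth csel-ta.key` line has no key-direction argument; if the server is configured with direction `0`, the client line needs `tls-auth csel-ta.key 1`, so the text should state which the server uses. Finally, in the prose above the config, "extention" should be "extension".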