Commit cce20b0f by Matthew Monaco

openvpn: point to vpn.cs.colorado.edu info page

1 parent 5dfa3170
Showing 1 changed file with 1 additions and 121 deletions
# CSEL OpenVPN
## Getting Access
To use the CSEL's [OpenVPN](https://openvpn.net) server, you need an
[OpenSSL](https://openssl.org) certificate signed by our certificate
authority. To get a certificate, start by choosing a *common name*. We
will only accept requests for names that match your `@colorado.edu`
email address plus a tag.
$ CN="matthew.monaco+desktop@colorado.edu"
$ openssl genrsa -out "$CN".key 2048
$ openssl req -new -key "$CN".key -out "$CN".csr -subj "/C=US/ST=Colorado/L=Boulder/O=University of Colorado/OU=Department of Computer Science/CN=$CN/emailAddress=admin@cs.colorado.edu"
A couple of things to note:
- The `.key` is **private**, do not share it. The `.csr` (certificate
signing request) is public, it can be shared.
- There can only be one active connection per certificate. It's fine to
use the same certificate on *e.g.*, your laptop and your desktop if
only one will be connected at a time.
- You can share one key among any number of certificates, however make
sure you transfer your key securely among machines. *There really isn't
a drawback to using separate keys though*.
- A keysize of 2048 is sufficient, but you can choose others such as 1024,
4192, etc if you so desire.
Once your `.csr` is generated, email it to
[admin@cs.colorado.edu](mailto:admin@cs.colorado.edu). We
will generate a `.crt` \(certificate\) for you and place it in your CSEL
home directory. The `.crt` is public, it can't be used for much without
the **private** `.key` file.
## Configuration
To connect to the CSEL's OpenVPN server, you need a few things:
- `csel.conf` - See below
- `csel-ca.crt` - The certificate authority's certificate. [You can get it here](csel-ca.crt)
- `<your cn>.key` - The private key that you created above
- `<your cn>.crt` - Your personal client certificate that we will
provide to you after you follow the directions above
- `csel-ta.key` - A semi-private file that will be provided to you
when you receive your client certificate(s)
On Linux (*nix in general) systems, these files would generally go under
`/etc/openvpn/`. However, when using NetworkManager or some other
wrapper around the official OpenVPN software, you may need to inspect
the options below and enter them into a GUI. On Mac and Windows,
configuration depends on the client. As a hint, it may be necessary to
pack them into a zip file with a `.ovpn` or some such extention.
This is an example configuration file. You may want to tweak some
settings.
```conf
# CSEL OpenVPN client
# see https://git.cs.colorado.edu/csel/www/blob/master/openvpn.md
# Basic connection settings
client
remote vpn.cs.colorado.edu
dev tun
dev-type tun
nobind
comp-lzo
# OpenSSL settings
ca csel-ca.crt # public file, provided on website
tls-auth csel-ta.key 1 # private file, provided by us
cert your.name+tag@colorado.edu.crt # public file, provided by us
key your.name+tag@colorado.edu.key # private file, created by you
remote-cert-tls server
# On Ubuntu, enable the update-resolv-conf script to
# automatically use the CSEL DNS servers while connected
#script-security 2
#up update-resolv-conf
#down update-resolv-conf
# These should be commented out on non-*nix systems.
# They should also be commented out when using the update-resolv-conf
# script, above
user nobody
group nobody
# These are all optional
persist-key
persist-tun
verb 3
mute 30
# By default the server connects your machine to the 'Lab Network'; this
# is the network that the PCs use. You can use the VPN to connect to
# campus in general, but first you must make sure that you ignore the
# OpenVPN server itself!
route remote_host 255.255.255.255 net_gateway
route 128.138.0.0 255.255.0.0
# You can also use the VPN as your default route. This isn't a great idea
# in general, so don't leave it on all of the time. However it will help
# you access academic papers from home. When using this, the two options
# above are redundant.
redirect-gateway
```
## Running
Once you have your configuration files in place, you just need to run
OpenVPN. On Ubuntu and other similar systems:
$ sudo service openvpn start csel
On systemd systems such as Archlinux, Fedora, and OpenSUSE(, and soon
Debian and Ubuntu):
$ sudo systemctl start openvpn@csel.service
<!-- vim: set nofoldenable tw=72 : -->
Please see [https://vpn.cs.colorado.edu](https://vpn.cs.colorado.edu).
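Review bot: the one-line replacement drops the only on-page record of the security-relevant guidance, so before this lands, confirm that https://vpn.cs.colorado.edu covers the same points: the `.key` is private and must not be shared while the `.csr` and `.crt` are public, `csel-ta.key` is semi-private and issued with the client certificate, only one active connection per certificate is permitted, and the `route remote_host 255.255.255.255 net_gateway` line must stay in place whenever `redirect-gateway` is used so the tunnel does not swallow its own server traffic. The removed sample config also embeds `# see https://git.cs.colorado.edu/csel/www/blob/master/openvpn.md`, which points at the file being gutted here; if the new page reuses that config, update the comment to the new URL.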