Difference between revisions of "OpenVPN"

From ITSwiki
(Connecting using GUI)
(Windows)
 
(43 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 +
<div style="background-color: #FFFF00; border-style: dotted;"> This guide is for users at '''DTU Compute''' only</div>
 +
 +
 +
 
=OpenVPN for users with an account at DTU Compute=
 
=OpenVPN for users with an account at DTU Compute=
  
Line 6: Line 10:
  
 
Here you will be presented with two options:
 
Here you will be presented with two options:
 
Download old: should be used if you would like to redownload your existing certificate. E.g. if you would like to put it on multiple computers.
 
  
 
Download new: should be used if don't already have a certificate or if you would like to block your previous certificate (revoke your old certificate) and get a new certificate.
 
Download new: should be used if don't already have a certificate or if you would like to block your previous certificate (revoke your old certificate) and get a new certificate.
 +
 +
Download current: should be used if you would like to redownload your existing certificate. E.g. if you would like to put it on multiple computers.
  
 
==Linux==
 
==Linux==
 +
 +
It is recommended that your OpenVPN files lives in a directory called '''.pki''' in your home (in Fedora Linux it is necessary), so create this dir first if it doesn't exist, and unzip here:
 +
 +
mkdir ~/.pki
 +
unzip openvpn-abcd-2372ce1bea8340915a4129952a25a2d3235197d0.zip -d ~/.pki
  
 
=== Connecting using commandline===
 
=== Connecting using commandline===
  
  unzip openvpn-mttj-2372ce1bea8340915a4129952a25a2d3235197d0.zip
+
  cd ~/.pki/openvpn-abcd/
cd openvpn-mttj/Linux
+
  sudo openvpn DTU_Compute.ovpn
  sudo openvpn --config client.conf
+
  
 
===Connecting using GUI===
 
===Connecting using GUI===
  
For the Gnome Desktop (Ubuntu / Pop_OS! / Fedora) install this package:
+
'''Note:''' For the Gnome Desktop (Ubuntu / Pop_OS! / Fedora) install this package first (may be installed already):
 
  network-manager-openvpn-gnome
 
  network-manager-openvpn-gnome
  
 +
'''Add a new connection'''
 
* Open Network Settings
 
* Open Network Settings
 
* Add a VPN connection
 
* Add a VPN connection
* Select OpenVPN
+
* Import from file
 +
* Navigate (Ctrl + L) to ~/.pki/openvpn-abcd and select '''DTU_Compute.ovpn'''
  
VPN settings values
 
  
{| class="wikitable" width="50%" align="left"
+
[[File:Openvpn-settings1.png|400px]]
! scope="col" style="text-align: left" | Gateway
+
| openvpn.compute.dtu.dk
+
|-
+
! scope="col" style="text-align: left" | Type
+
| style="text-align: left" | Password with Certificates (TLS)
+
|-
+
! scope="col" style="text-align: left" | Username
+
| style="text-align: left" | Your DTU Compute username
+
|-
+
! scope="col" style="text-align: left" | Password
+
| style="text-align: left" | Your DTU Compute password
+
|-
+
! scope="col" style="text-align: left" | CA certificate
+
| style="text-align: left" | ca.crt
+
|-
+
! scope="col" style="text-align: left" | User Certificate
+
| style="text-align: left" | abcd--20120305133738.crt
+
|-
+
! scope="col" style="text-align: left" | User private key
+
| style="text-align: left" | abcd--20120305133738.key
+
|-
+
! scope="col" style="text-align: left" | User key password
+
| style="text-align: left" | Your DTU Compute password
+
|-
+
! scope="col" style="text-align: left" | Data compression (Advanced)
+
| style="text-align: left" | LZO
+
|}
+
<div style="clear:both;">
+
  
===Verify VPN connection is working===
+
[[File:Openvpn-settings2.png|400px]]
  
ssh your_username_here@serv1.compute.dtu.dk
+
[[File:Openvpn-settings3.png|400px]]
echo $SSH_CLIENT
+
  
If the return IP address is
+
===Verify VPN connection is working===
 +
====Web====
 +
https://vpn-test.compute.dtu.dk/
  
130.225.68.58 54448 22
+
The page should say "Success".
  
then the VPN connection is working, and you can now exit the SSH connection. The second value (54448) may differ.
+
====SSH====
 +
You should be able to access DTU Compute internal servers via SSH. If successful then the VPN connection is working.
  
Or your can test that the VPN connection is working by opening a Nautilus window. Press CTRL-L and type
+
====SMB====
 +
Or your can test that the VPN connection is working by opening a File Manager window. Press CTRL-L and type
  
 
  smb://nas1.compute.dtu.dk
 
  smb://nas1.compute.dtu.dk
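Review bot: The new Linux unpack step (`mkdir ~/.pki` followed by `unzip ... -d ~/.pki`) places the user certificate and private key in a directory created with default permissions. Suggest `mkdir -p -m 700 ~/.pki`, which is also safe to repeat when the directory already exists, plus a line telling users to keep the `.key` file readable only by themselves. Separately, the rewritten SSH check drops the `echo $SSH_CLIENT` test and its expected address, so the text no longer says how to tell a VPN-routed login from a direct one; consider keeping that command.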
Line 77: Line 61:
 
You will be prompted for:
 
You will be prompted for:
  
  Username: Enter the username that works for SunRay terminals and DTU Compute's Linux servers
+
  Username: Enter you DTU username
 
  Domain: win
 
  Domain: win
 
  Password: your password
 
  Password: your password
  
If success you will be able to see several shares.
+
If successful you will be able to see several shares.
  
==Windows==
+
===Limit VPN connection to DTU===
  
* Download the official OpenVPN Client for Windows: https://openvpn.net/community-downloads/
+
Make sure to limit the VPN access only to DTU resources, as otherwise all internet requests will be routed through the OpenVPN server. This is not sensible considering this may include streaming such as Youtube, Spotify, Netflix, etc.
  
* Run the setup and follow the installation steps (default installation - no need to change options). Confirm the Windows security messages.
+
* Open Network Settings
 +
* Select the VPN connection (the gear icon)
 +
* Select the IPv4 tab, and check the "Use this connection only for resources on its network"
  
* Download certificates and configuration file (cert.zip). Use your DTU credentials to login: https://openvpn.compute.dtu.dk
+
[[File:Openvpn-linux-ipv4.png|400px]]
'''Notice the two options on the site:'''
+
  
'''"Download old"''': You have already other devices using your Compute OpenVPN certificate, and need to setup a new device with the same certificate and configuration.
+
===Removing an old config===
  
'''"Download new"''': This will create a new certificate. Earlier certificates will not work anymore. If you have other devices using Compute OpenVPN, you must update the configuration with these files.
+
'''GUI'''
 +
* Open Network Settings
 +
* Select the old VPN connection (the gear icon)
 +
* Click Remove VPN
  
 +
'''Remove certs dir'''
 +
rm -rf ~/.pki/openvpn-abcd
  
* Unpack the downloaded cert.zip file. You will find 3 folders - go to the "Windows" folder, and copy all files to the OpenVPN configuration folder (By default C:/Program Files/OpenVPN/config/). Confirm the Windows security messages.
+
==Windows==
 +
* Visit https://openvpn.compute.dtu.dk and use your DTU initials to log in.
 +
 
 +
Here you will be presented with two options:
 +
 
 +
'''Download New''': should be used if don't already have a certificate or if you would like to block your previous certificate (revoke your old certificate) and get a new certificate.
 +
 
 +
'''Download Current''': should be used if you would like to redownload your existing certificate. E.g. if you would like to put it on multiple computers.
 +
 
 +
 
 +
* Download the official OpenVPN Client for Windows: https://openvpn.net/community-downloads/ '''Note:''' Needs to be version 2.5.x
 +
 
 +
* Run the setup and follow the installation steps (default installation - no need to change options). Confirm the Windows security messages.
  
* Right-click on the OpenVPN desktop icon. Click on "Settings" and go to the tab "Compatibility". Check "Run the program as administrator".
+
* Unpack the downloaded certs zip file and copy all files to the OpenVPN configuration folder: '''C:/Users/<username>/OpenVPN/config/''' (or this folder: '''C:/Program Files/OpenVPN/config/''')
  
* Start OpenVPN and in the task tray, either right-click and choose "Connect" or just double-click the task tray icon. In the login-box use DTU credentials.
+
* Run OpenVPN and double-click the icon in the task tray. Use DTU credentials to login.
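Review bot: The added Linux "Removing an old config" section ends at `rm -rf ~/.pki/openvpn-abcd`, which only deletes the local copy of the certificate and key. Since the page states that "Download new" blocks (revokes) the previous certificate, point to it here for the case where a device is lost or retired. In the Windows steps, "Needs to be version 2.5.x" would be easier to follow with the reason stated, and "Enter you DTU username" should read "your".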
  
  
Line 108: Line 110:
  
 
===Verify VPN connection is working===
 
===Verify VPN connection is working===
 +
====Web====
 +
https://vpn-test.compute.dtu.dk/
  
 +
The page should say "Success".
 +
 +
====Network Shares====
 
Type:
 
Type:
  
Line 121: Line 128:
 
  \\nas1.compute.dtu.dk\winhome\your_username_here
 
  \\nas1.compute.dtu.dk\winhome\your_username_here
  
Note: When prompted for a username/password, the username in that particular box must be prefixed with '''WIN\''' (e.g. "WIN\abcd")
+
Note: When prompted for a username/password, the username in '''that particular box''' must be prefixed with '''WIN\''' (e.g. "WIN\abcd")
  
==Mac (tested on 10.12.3)==
+
===Removing an old config===
  
Install Tunnelblick 3.7.0 (build 4790) from [http://tunnelblick.net/ http://tunnelblick.net] (Tunnelblick is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/gpl-2.0.html |GNU General Public License version 2] as published by the [http://fsf.org/ |Free Software Foundation].)
+
Delete the openvpn certs folder from where you placed it ('''C:/Program Files/OpenVPN/config/''' or '''C:/Users/abcd/OpenVPN/config/''')
  
PLEASE NOTE THE HOMEPAGE - They are pretty good at telling you what version to download/install  - - - - - - - > - - - - > - - - - [[File:Tunnelblick.png|300px|thumb|right|alt text]]
+
The connection is now gone as an option in the OpenVPN GUI.
  
Once installed - follow the Tunnelblick guides on How To Add a Configuration.
+
==Mac==
  
Start with downloading a Certificat here [https://openvpn.compute.dtu.dk/ https://openvpn.compute.dtu.dk]
+
* Unzip the downloaded certs zip to any folder
 +
* Install '''Tunnelblick''' from [http://tunnelblick.net/ http://tunnelblick.net]
 +
* Once installed - follow the Tunnelblick guides on How To Add a Configuration. Basically drag the '''DTU_Compute.ovpn''' client config to the Tunnelblick menu bar icon.
 +
* Click on Tunnelblick icon in menu bar and connect using your '''DTU login'''.
  
[[Image:452-Authentification.jpg| 500x300px |Authentification.jpg]]
+
===Verify VPN connection is working===
 
+
====Web====
Once authentificated, download the zipped certificate
+
https://vpn-test.compute.dtu.dk/
  
[[Image:453-Download_new.jpg| 500x300px |Download_new.jpg]]
+
The page should say "Success".
  
Once downloaded, unzip it to any folder. '''THEN''' you are back info the Tunnelblick-guide on how-to-create-a-connection, and '''NOW '''you have the configuration files.
+
====SSH====
 +
You should be able to access DTU Compute internal servers via SSH. If successful then the VPN connection is working.
  
Place them in the opened folder, and you are ready.
+
====SMB====
 
+
Or you can try to connect to a network share:
Click on Tunnelblick icon in top bar and connect using your '''DTU login'''.
+
Use Finder - choose Go - ConnectToServer: '''smb://nas1.compute.dtu.dk'''
 
+
[[Image:455-unzipped_and_moved.jpg| 500x300px |unzipped_and_moved.jpg]]
+
 
+
ps - you might want to rename the connection just created - "client" is not a very good name, but you cannot do this while connected.
+
 
+
Test your connection: use Finder - chose Go - ConnectToServer: '''smb://nas1.compute.dtu.dk'''
+
  
 
You will be prompted for:
 
You will be prompted for:
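Review bot: The Mac install step links Tunnelblick as `http://tunnelblick.net` in both the old and the new text; a VPN client download should be linked over `https://`. The new wording also drops the tested versions (Tunnelblick 3.7.0, macOS 10.12.3) without saying which versions the guide now covers.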
Line 158: Line 163:
  
 
If success you will be able to see several shares. If you should do anything wrong - or a new cetificate should be issued, just delete the connection and create a new one with the proper certificate etc.
 
If success you will be able to see several shares. If you should do anything wrong - or a new cetificate should be issued, just delete the connection and create a new one with the proper certificate etc.
 +
 +
===Limit VPN connection to DTU===
 +
 +
Make sure to limit the VPN access only to DTU resources, as otherwise all internet requests will be routed through the OpenVPN server. This is not sensible considering this may include streaming such as Youtube, Spotify, Netflix, etc.
 +
 +
* Click the Tunnelblick icon in the menu bar
 +
* Select '''VPN Details...'''
 +
* In the Configuration tab make sure the "Route all IPv4 traffic through the VPN" is not checked.
 +
 +
[[File:Tunnelblick_config.png|800px]]
 +
 +
===Removing an old config===
 +
 +
* Click the Tunnelblick icon in the menu bar
 +
* Select '''VPN Details...'''
 +
* With the configuration selected, in bottom left click the minus sign. Authorize the removal.
 +
* Delete the certs folder you unpacked.
  
 
==Android==
 
==Android==
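Review bot: The unchanged context line above the new Mac sections still reads "If success ... a new cetificate should be issued, just delete the connection", which now overlaps with the added "Removing an old config" steps; fix the spelling and point that sentence at the new section. The added "Limit VPN connection to DTU" steps mention only "Route all IPv4 traffic through the VPN"; state whether any IPv6 setting also needs to be checked.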

Latest revision as of 14:36, 4 October 2023

This guide is for users at DTU Compute only


OpenVPN for users with an account at DTU Compute

Download certificate

Visit https://openvpn.compute.dtu.dk and use your DTU initials to log in.

Here you will be presented with two options:

Download new: should be used if you don't already have a certificate or if you would like to block your previous certificate (revoke your old certificate) and get a new certificate.

Download current: should be used if you would like to redownload your existing certificate, e.g. if you would like to put it on multiple computers.

Linux

It is recommended that your OpenVPN files live in a directory called .pki in your home directory (on Fedora Linux this is necessary), so create this directory first if it doesn't exist, and unzip there:

mkdir -p ~/.pki
unzip openvpn-abcd-2372ce1bea8340915a4129952a25a2d3235197d0.zip -d ~/.pki

Connecting using commandline

cd ~/.pki/openvpn-abcd/
sudo openvpn DTU_Compute.ovpn

Connecting using GUI

Note: For the Gnome Desktop (Ubuntu / Pop_OS! / Fedora) install this package first (may be installed already):

network-manager-openvpn-gnome

Add a new connection

  • Open Network Settings
  • Add a VPN connection
  • Import from file
  • Navigate (Ctrl + L) to ~/.pki/openvpn-abcd and select DTU_Compute.ovpn



Verify VPN connection is working

Web

https://vpn-test.compute.dtu.dk/

The page should say "Success".

SSH

You should be able to access DTU Compute internal servers via SSH. If successful then the VPN connection is working.

SMB

Or you can test that the VPN connection is working by opening a File Manager window. Press CTRL-L and type

smb://nas1.compute.dtu.dk

You will be prompted for:

Username: Enter your DTU username
Domain: win
Password: your password

If successful you will be able to see several shares.

Limit VPN connection to DTU

Make sure to limit the VPN access only to DTU resources, as otherwise all internet requests will be routed through the OpenVPN server. This is not sensible considering this may include streaming such as Youtube, Spotify, Netflix, etc.

  • Open Network Settings
  • Select the VPN connection (the gear icon)
  • Select the IPv4 tab, and check the "Use this connection only for resources on its network"
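A way to confirm from a terminal that the setting took effect, as an added example that is not part of the original guide. The helper name `classify_routes` is hypothetical and both route tables are constructed samples; it goes slightly beyond the text by also recognising the pair of /1 routes that OpenVPN's `redirect-gateway def1` option installs in place of a default route.

```shell
#!/bin/sh
# Added example (not from the ITSwiki page). classify_routes is a hypothetical
# helper; both route tables below are constructed samples.

# Read `ip -4 route show` output on stdin and print "full-tunnel" when
# internet-wide routes leave through a tun/tap device, else "split-tunnel".
classify_routes() {
    awk '
        {
            # Interface name follows the "dev" keyword on each route line.
            dev = ""
            for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1)
            is_vpn = (dev ~ /^(tun|tap)[0-9]*$/)
        }
        # Any default route through the tunnel counts, whatever its metric.
        $1 == "default" && is_vpn { full = 1 }
        # redirect-gateway def1 covers the internet with two /1 routes instead.
        ($1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") && is_vpn { halves++ }
        END {
            if (full || halves == 2) { print "full-tunnel" } else { print "split-tunnel" }
        }
    '
}

# Constructed sample: only VPN-side networks are routed through tun0.
SPLIT_SAMPLE='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
10.20.0.0/16 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23'

# Constructed sample: the two /1 routes send all internet traffic into tun0.
FULL_SAMPLE='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23'

if [ "${1:-}" = "--live" ]; then
    # Classify the routing table of this machine while the VPN is connected.
    ip -4 route show | classify_routes
else
    printf '%s\n' "$SPLIT_SAMPLE" | classify_routes
    printf '%s\n' "$FULL_SAMPLE" | classify_routes
fi
```

Run it with `--live` while connected; "full-tunnel" means the option above is not yet applied.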


Removing an old config

GUI

  • Open Network Settings
  • Select the old VPN connection (the gear icon)
  • Click Remove VPN

Remove certs dir

rm -rf ~/.pki/openvpn-abcd

Windows

Here you will be presented with two options:

Download New: should be used if you don't already have a certificate or if you would like to block your previous certificate (revoke your old certificate) and get a new certificate.

Download Current: should be used if you would like to redownload your existing certificate, e.g. if you would like to put it on multiple computers.


  • Run the setup and follow the installation steps (default installation - no need to change options). Confirm the Windows security messages.
  • Unpack the downloaded certs zip file and copy all files to the OpenVPN configuration folder: C:/Users/<username>/OpenVPN/config/ (or this folder: C:/Program Files/OpenVPN/config/)
  • Run OpenVPN and double-click the icon in the task tray. Use DTU credentials to log in.




Verify VPN connection is working

Web

https://vpn-test.compute.dtu.dk/

The page should say "Success".

Network Shares

Type:

\\nas1.compute.dtu.dk

as the location in a window. If you see several shares, then the VPN connection is working.

If you want to access your private home directory, then type

\\nas1.compute.dtu.dk\home\your_username_here
or
\\nas1.compute.dtu.dk\winhome\your_username_here

Note: When prompted for a username/password, the username in that particular box must be prefixed with WIN\ (e.g. "WIN\abcd")

Removing an old config

Delete the openvpn certs folder from where you placed it (C:/Program Files/OpenVPN/config/ or C:/Users/abcd/OpenVPN/config/)

The connection is now gone as an option in the OpenVPN GUI.

Mac

  • Unzip the downloaded certs zip to any folder
  • Install Tunnelblick from http://tunnelblick.net
  • Once installed - follow the Tunnelblick guides on How To Add a Configuration. Basically drag the DTU_Compute.ovpn client config to the Tunnelblick menu bar icon.
  • Click on Tunnelblick icon in menu bar and connect using your DTU login.

Verify VPN connection is working

Web

https://vpn-test.compute.dtu.dk/

The page should say "Success".

SSH

You should be able to access DTU Compute internal servers via SSH. If successful then the VPN connection is working.

SMB

Or you can try to connect to a network share: Use Finder - choose Go - ConnectToServer: smb://nas1.compute.dtu.dk

You will be prompted for:

Username: Enter the same username that works for SunRay terminals and DTU Compute's Linux servers
Domain: win
Password: your password

If successful you will be able to see several shares. If you do anything wrong, or a new certificate is issued, just delete the connection and create a new one with the proper certificate etc.

Limit VPN connection to DTU

Make sure to limit the VPN access only to DTU resources, as otherwise all internet requests will be routed through the OpenVPN server. This is not sensible considering this may include streaming such as Youtube, Spotify, Netflix, etc.

  • Click the Tunnelblick icon in the menu bar
  • Select VPN Details...
  • In the Configuration tab make sure the "Route all IPv4 traffic through the VPN" is not checked.


Removing an old config

  • Click the Tunnelblick icon in the menu bar
  • Select VPN Details...
  • With the configuration selected, in bottom left click the minus sign. Authorize the removal.
  • Delete the certs folder you unpacked.

Android

VPN will give you a VPN connection to DTU Compute's network. If you install apps for it, it can give you access to your files on the fileserver nas1.compute.dtu.dk with e.g. ES File Explorer, or remote desktop access to a PC connected to DTU Compute's network, but it will not enable you to print to DTU Compute's printers (unless you find an app which can communicate with a CUPS print server).

For Android 4 and 5 you can use the app OpenVPN Connect

  • From a PC Connect to: https://openvpn.compute.dtu.dk and authenticate using DTUlogin. Click the Download link.
  • Unpack the zip file and open the Windows folder
  • Unpack the certs.zip file and copy the contents to your phone (you can use a cable). In the example they were copied to /sdcard0/Download. For Android 4.4 you need to enable 'display advanced devices' to access the folder.

Example setup with OpenVPN Connect:

Profile Name: Compute

Server Address: openvpn.compute.dtu.dk

Choose the certificates:

/storage/sdcard0/Download/client.openvpn

Username <your DTU windows login>

Password <enter your password>

Android versions before 4.0

The app FEAT VPN can be used for Android versions before 4.0. It does not require root and works with openvpn.
There is a free Lite version, which can run 1 hour a day and a paid version without limits which costs about 25 kr.

To set it up:

Known problems: If you change between different wireless networks or between phone network and wireless, you may have to stop and start the service.