
Difference between revisions of "VPN Service"


(Add to HowTo category)
 
(10 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
[[Category:Services]]
 
[[Category:Services]]
 +
[[Category:HowTo]]
 
'''VPN Service''' can give access to internal network of labaki for remote members. All you need is an openvpn client and enabled LABaki credentials. This service can also be used to tunnel your internet requests through LABaki. This should not be enabled by default as it produces uneeded traffic to LABaki but it is a robust way to gain full internet access in restricted enviroments.
 
'''VPN Service''' can give access to internal network of labaki for remote members. All you need is an openvpn client and enabled LABaki credentials. This service can also be used to tunnel your internet requests through LABaki. This should not be enabled by default as it produces uneeded traffic to LABaki but it is a robust way to gain full internet access in restricted enviroments.
  
Line 5: Line 6:
 
In any type of OpenVPN client you will need the CA certificate. Copy-paste the following lines in a file named '''labaki-openvpn-ca.crt''' before continuing configure OpenVPN client.
 
In any type of OpenVPN client you will need the CA certificate. Copy-paste the following lines in a file named '''labaki-openvpn-ca.crt''' before continuing configure OpenVPN client.
  
 +
Download [https://owncloud.tolabaki.gr/index.php/s/lWCgrh6L1OLvJKD link]
 
<pre>
 
<pre>
 
-----BEGIN CERTIFICATE-----
 
-----BEGIN CERTIFICATE-----
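Review bot: The Download link added above the certificate block points at an ownCloud share, and nothing in this section gives readers a value to compare the downloaded labaki-openvpn-ca.crt against. This file is the trust anchor for every client, so consider publishing its SHA-256 fingerprint next to the link, so that a downloaded copy can be checked with openssl x509 -noout -fingerprint -sha256 before it is used.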
Line 28: Line 30:
 
-----END CERTIFICATE-----
 
-----END CERTIFICATE-----
 
</pre>
 
</pre>
 +
  
 
=== Plain-Text OpenVPN configuration ===
 
=== Plain-Text OpenVPN configuration ===
 
If you have a client that accepts plain-text OpenVPN configuration then you can copy-paste the following text to a configuration file like '''labaki-vpn.conf'''.  
 
If you have a client that accepts plain-text OpenVPN configuration then you can copy-paste the following text to a configuration file like '''labaki-vpn.conf'''.  
 +
<p>Download [https://owncloud.tolabaki.gr/index.php/s/kD8hVHOrPHaiSlQ link]
 
<pre>
 
<pre>
 
client
 
client
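Review bot: The added line "<p>Download [https://owncloud.tolabaki.gr/index.php/s/kD8hVHOrPHaiSlQ link]" opens a <p> that is never closed before the following <pre>. Drop the tag so the line matches the plain "Download [... link]" form used for the CA certificate earlier in this revision.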
Line 45: Line 49:
 
  sudo openvpn labaki-vpn.conf
 
  sudo openvpn labaki-vpn.conf
  
When the client starts it will ask for username and password. You should give the credentials you have to login to wiki/email or any other LABaki service.
+
When the client starts it will ask for username and password. You must give the same credentials as the one you use to login at wiki/email or any other LABaki service.
 
  Sat Oct 26 15:22:37 2013 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6]  [IPv6 payload 20110424-2 (2.2RC2)] built on Jun  4 2013
 
  Sat Oct 26 15:22:37 2013 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6]  [IPv6 payload 20110424-2 (2.2RC2)] built on Jun  4 2013
 
  Enter Auth Username: example-user
 
  Enter Auth Username: example-user
Line 53: Line 57:
 
Gnome network-manager comes with built in support to various VPN subsystems. You have to ensure though, that the needed plugins are installed on your system.
 
Gnome network-manager comes with built in support to various VPN subsystems. You have to ensure though, that the needed plugins are installed on your system.
  
On Debian/Ubuntu/Mint you can install the needed OpenVPN support by running
+
You can either install the needed software through your favourite package management tool (e.g. Synaptic) or on Debian/Ubuntu/Mint you can install the needed OpenVPN support by running
 
  sudo apt-get install network-manager-openvpn-gnome
 
  sudo apt-get install network-manager-openvpn-gnome
  
 +
After you have installed OpenVPN plugin, open the network settings:
 +
 +
('''For the most recent Gnome 3.14, which comes with the new stable Debian 8 "Jessie", look [[#Gnome 3.14 Configuration | below]].''')
 +
==== Create new VPN interface ====
 +
[[File:Labaki_vpn_step1.png| |]]
 +
# Press + button to add a new interface and choose VPN
 +
# Choose OpenVPN on the type and press '''Create'''
 +
----
 +
[[File:Labaki vpn step2.png]]
 +
# Setup a friendly name for the vpn
 +
# Set gateway to '''vpn.tolabaki.gr'''
 +
# Change authentication type to '''password'''
 +
# Put your LABaki '''username'''
 +
# Put your LABaki '''password''' and choose '''saved''' if you want to store the password
 +
# Choose the '''certificate''' file that you saved in the very first step of this guide.
 +
# Click '''Advanced''' to setup more options
 +
----
 +
[[File:Labaki vpn step3.png]]
 +
# Enable custom port and set it to '''443'''
 +
# Enable TCP mode.
 +
# Enable TAP device.
 +
----
 +
[[File:Labaki_vpn_step4.png]]
 +
# Choose '''IPv4 Settings''' Tab
 +
# Select '''Automatic (VPN) addresses only'''
 +
# Add DNS Servers '''10.176.0.10,10.176.0.11'''
 +
# Click on the '''Routes''' button
 +
----
 +
By default VPN subsystem tunnels all traffic through the VPN connection. It is advised to '''NOT''' use this feature unless you really need to use Internet through LABaki (restricted environments).
 +
 +
[[File:Labaki_vpn_step5.png]]
 +
# Ensure that is checked '''Use this connection only for resources on its network'''
 +
 +
 +
=== Gnome 3.14 Configuration ===
 +
[[Image:gnome3.14.1-vpn-step-1.png]]
 +
 +
[[Image:gnome3.14.1-vpn-step-2.png]]
 +
 +
[[Image:gnome3.14.1-vpn-step-3.png]]
 +
 +
[[Image:gnome3.14.1-vpn-step-4.png]]
 +
 +
[[Image:gnome3.14.1-vpn-step-5.png]]
 +
 +
[[Image:gnome3.14.1-vpn-step-6.png]]
  
[[File:Labaki_vpn_step1.png]]
+
[[Image:gnome3.14.1-vpn-step-7.png]]
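Review bot: The new "Gnome 3.14 Configuration" section is seven screenshots with no text, so the advice added just above it (do NOT tunnel all traffic, and check "Use this connection only for resources on its network") has no written equivalent for Gnome 3.14 users. Add numbered steps under each image as was done for the older dialog, at least for the port 443 / TCP / TAP settings and the routes checkbox. The empty parameters in "[[File:Labaki_vpn_step1.png| |]]" can also be dropped.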

Latest revision as of 22:00, 1 October 2017

The VPN Service can give remote members access to the internal network of LABaki. All you need is an OpenVPN client and enabled LABaki credentials. The service can also be used to tunnel your internet requests through LABaki. This should not be enabled by default, as it produces unneeded traffic to LABaki, but it is a robust way to gain full internet access in restricted environments.

OpenVPN Configuration

With any type of OpenVPN client you will need the CA certificate. Copy-paste the following lines into a file named labaki-openvpn-ca.crt before you continue configuring the OpenVPN client.

Download link: https://owncloud.tolabaki.gr/index.php/s/lWCgrh6L1OLvJKD

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----


Plain-Text OpenVPN configuration

If you have a client that accepts plain-text OpenVPN configuration, you can copy-paste the following text into a configuration file such as labaki-vpn.conf.

Download link: https://owncloud.tolabaki.gr/index.php/s/kD8hVHOrPHaiSlQ

client
dev tap
remote vpn.tolabaki.gr 443
proto tcp
ca labaki-openvpn-ca.crt
auth-user-pass

To connect to the VPN, run

openvpn labaki-vpn.conf

If you run Linux and you don't have root privileges, you need to prefix the command with sudo.

sudo openvpn labaki-vpn.conf

When the client starts it will ask for a username and password. You must give the same credentials you use to log in to the wiki, email or any other LABaki service.

Sat Oct 26 15:22:37 2013 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6]  [IPv6 payload 20110424-2 (2.2RC2)] built on Jun  4 2013
Enter Auth Username: example-user
Enter Auth Password:
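
An added example, not part of the original wiki page: a small shell check for a plain-text client configuration such as labaki-vpn.conf, covering the CA requirement above and the advice further down not to tunnel all traffic by default. check_conf is a hypothetical helper name; the directives it looks for are standard OpenVPN options, and remote-cert-tls server only works if the server certificate carries the TLS server usage, which this page does not state.

```shell
#!/bin/sh
# Added example: lint an OpenVPN client config for the points this guide raises.
# check_conf is a hypothetical name; ca, auth-user-pass, remote-cert-tls and
# redirect-gateway are standard OpenVPN directives.

# Prints one finding per line. Returns 1 if any finding is an ERROR, else 0.
check_conf() {
    awk '
        /^[ \t]*[#;]/ || NF == 0 { next }      # skip comments and blank lines
        { seen[$1] = 1; arg[$1] = $2 }         # remember directive and first argument
        END {
            rc = 0
            if (!seen["ca"]) {
                print "ERROR: no ca directive, the server certificate cannot be validated"
                rc = 1
            }
            if (!seen["auth-user-pass"]) {
                print "ERROR: no auth-user-pass, LABaki credentials will not be requested"
                rc = 1
            } else if (arg["auth-user-pass"] != "") {
                print "WARN: credentials are read from " arg["auth-user-pass"] ", restrict its permissions"
            }
            if (arg["remote-cert-tls"] != "server")
                print "WARN: no remote-cert-tls server, any certificate issued by the CA is accepted as the server"
            if (seen["redirect-gateway"])
                print "WARN: redirect-gateway is set, all traffic is tunnelled through the VPN"
            exit rc
        }
    ' "$1"
}

# Demo on the configuration shown in this guide.
tmp=$(mktemp -d)
cat > "$tmp/labaki-vpn.conf" <<'EOF'
client
dev tap
remote vpn.tolabaki.gr 443
proto tcp
ca labaki-openvpn-ca.crt
auth-user-pass
EOF
check_conf "$tmp/labaki-vpn.conf"
rm -rf "$tmp"
```

A server can also push redirect-gateway at connect time, so this check only covers what the local file requests.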

Gnome Configuration

Gnome network-manager comes with built-in support for various VPN subsystems. You have to ensure, though, that the needed plugins are installed on your system.

You can either install the needed software through your favourite package management tool (e.g. Synaptic) or, on Debian/Ubuntu/Mint, install the needed OpenVPN support by running

sudo apt-get install network-manager-openvpn-gnome

After you have installed the OpenVPN plugin, open the network settings:

(For the most recent Gnome 3.14, which comes with the new stable Debian 8 "Jessie", look below.)

Create new VPN interface

Labaki vpn step1.png

  1. Press the + button to add a new interface and choose VPN
  2. Choose OpenVPN as the type and press Create

Labaki vpn step2.png

  1. Set up a friendly name for the VPN
  2. Set gateway to vpn.tolabaki.gr
  3. Change authentication type to password
  4. Put your LABaki username
  5. Put your LABaki password and choose saved if you want to store the password
  6. Choose the certificate file that you saved in the very first step of this guide.
  7. Click Advanced to set up more options

Labaki vpn step3.png

  1. Enable custom port and set it to 443
  2. Enable TCP mode.
  3. Enable TAP device.

Labaki vpn step4.png

  1. Choose IPv4 Settings Tab
  2. Select Automatic (VPN) addresses only
  3. Add DNS Servers 10.176.0.10,10.176.0.11
  4. Click on the Routes button

By default the VPN subsystem tunnels all traffic through the VPN connection. It is advised to NOT use this feature unless you really need to use the Internet through LABaki (restricted environments).

Labaki vpn step5.png

  1. Ensure that Use this connection only for resources on its network is checked


Gnome 3.14 Configuration

Gnome3.14.1-vpn-step-1.png

Gnome3.14.1-vpn-step-2.png

Gnome3.14.1-vpn-step-3.png

Gnome3.14.1-vpn-step-4.png

Gnome3.14.1-vpn-step-5.png

Gnome3.14.1-vpn-step-6.png

Gnome3.14.1-vpn-step-7.png