OpenVPN

From PDP/Grid Wiki
Latest revision as of 17:52, 15 March 2014

This article explains how to configure your VPN client so that you can access the network at NIKHEF.

Configuration Files

The following configuration files need to be copied to $HOME/Library/Application Support/Tunnelblick/Configurations/; the owner:group of the files must be root:wheel and the permissions rw-r--r--. The two CA certificate files (salado-ca.crt and nikhef-ca.crt) need to be placed in $HOME/.globus. To generate the proper CA bundles on the client side, use the bundle generator at https://www.nikhef.nl/grid/ndpf/cabundle/.

You can use Sloot as the primary VPN server and Boswachter as an alternative. Remote is for the remote location. Tunnel connects to Schrepel and puts all your traffic over the line. Openvpn connects to Schrepel for normal use. Wipkip-tunnel is handy if you want to encrypt all your traffic but do not want to use TCP for it.

NOTE: replace the names between '<' and '>' with either the hostname or the location of the CRT/PEM files.

openvpn.conf

client
comp-lzo
comp-noadapt
proto	udp
remote	<SCHREPEL>
port	1194
dev	tun
tun-mtu	1500
nobind
persist-key
persist-tun
# security/certificate stuff:
ns-cert-type	server
ca 	<NIKHEF-CA.CRT>
cert 	<USERCERT.PEM>
key 	<USERKEY.PEM>

boswachter.conf

client
comp-lzo
comp-noadapt
proto	udp
remote	<BOSWACHTER>
port	1194
dev	tun
tun-mtu	1500
nobind
persist-key
persist-tun 
# security/certificate stuff:
ns-cert-type	server
ca 	<NIKHEF-CA.CRT>
cert 	<USERCERT.PEM>
key 	<USERKEY.PEM>

remote.conf

client
comp-lzo
comp-noadapt
proto	udp
#remote salado.nikhef.nl
remote	<KONIJN>
remote	<CAVIA>
remote-random
port	1194
dev	tap
tun-mtu	1500
nobind
persist-key
persist-tun
# security/certificate stuff:
ns-cert-type	server
ca 	<SALADO-CA.CRT>
cert 	<USERCERT.PEM>
key 	<USERKEY.PEM>

sloot.conf

client
comp-lzo
comp-noadapt
proto	udp
remote	<SLOOT>
port	1194
dev	tun
tun-mtu	1500
nobind
persist-key
persist-tun
# security/certificate stuff:
ns-cert-type	server
ca 	<NIKHEF-CA.CRT>
cert 	<USERCERT.PEM>
key 	<USERKEY.PEM>

tunnel.conf

client
comp-lzo
comp-noadapt
proto	tcp
remote	194.171.97.13
#remote	boswachter.nikhef.nl
port	443
dev	tun
tun-mtu	1500
nobind
persist-key
persist-tun
# security/certificate stuff:
ns-cert-type	server
ca 	<NIKHEF-CA.CRT>
cert 	<USERCERT.PEM>
key 	<USERKEY.PEM>

wipkip-tunnel.conf

client
comp-lzo
comp-noadapt
proto	udp
remote	194.171.96.49
port	1195
dev	tun
tun-mtu	1500
nobind
persist-key
persist-tun
# security/certificate stuff:
ns-cert-type	server
ca 	<SALADO-CA.CRT>
cert 	<USERCERT.PEM>
key 	<USERKEY.PEM>
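As an added example, not part of this wiki page, the POSIX shell script below fills in the <PLACEHOLDER> names of one of the configs above and then checks the result the way the article asks: no placeholder left behind, the ca/cert/key paths present and readable, the private key not readable by group or others (OpenVPN itself warns about that at start-up), and a note when the ns-cert-type directive is present, since OpenVPN 2.5 dropped it in favour of remote-cert-tls server. The embedded template is a copy of sloot.conf; the functions render_config and check_config and the file names in the usage lines are this example's own assumptions, not anything the article or NIKHEF provides.

```shell
#!/bin/sh
# Added example, not part of the PDP/Grid wiki page: render a client config from one of
# the templates above and sanity-check it before dropping it into the Tunnelblick folder.

# Constructed sample input: a copy of the article's sloot.conf template.
TEMPLATE=$(mktemp)
cat > "$TEMPLATE" <<'EOF'
client
comp-lzo
comp-noadapt
proto udp
remote <SLOOT>
port 1194
dev tun
tun-mtu 1500
nobind
persist-key
persist-tun
# security/certificate stuff:
ns-cert-type server
ca <NIKHEF-CA.CRT>
cert <USERCERT.PEM>
key <USERKEY.PEM>
EOF

# render_config TEMPLATE OUTPUT NAME=VALUE ...
# Replaces every <NAME> in TEMPLATE by VALUE and writes the result to OUTPUT.
# '|' is the sed delimiter so that VALUE may contain '/' (file paths);
# values must not themselves contain '|' or '&'.
render_config() {
  tmpl=$1; out=$2; shift 2
  cp "$tmpl" "$out"
  for pair in "$@"; do
    name=${pair%%=*}; value=${pair#*=}
    sed "s|<$name>|$value|g" "$out" > "$out.tmp" && mv "$out.tmp" "$out"
  done
}

# check_config FILE
# Returns 0 when FILE is ready to use, 1 otherwise, printing each problem to stderr:
#  - a <PLACEHOLDER> that was never filled in
#  - a ca/cert/key directive whose file is missing or unreadable
#  - a private key readable by group or others (OpenVPN warns about this at start-up)
# A deprecated ns-cert-type line is reported but does not fail the check.
check_config() {
  cfg=$1; rc=0
  if grep -q '<[A-Z][A-Z.-]*>' "$cfg"; then
    echo "$cfg: unfilled placeholder(s): $(grep -o '<[A-Z][A-Z.-]*>' "$cfg" | tr '\n' ' ')" >&2
    rc=1
  fi
  for d in ca cert key; do
    path=$(awk -v d="$d" '$1 == d { print $2 }' "$cfg")
    if [ -z "$path" ]; then
      echo "$cfg: missing '$d' directive" >&2; rc=1
    elif [ ! -r "$path" ]; then
      echo "$cfg: $d file not readable: $path" >&2; rc=1
    fi
  done
  keypath=$(awk '$1 == "key" { print $2 }' "$cfg")
  # Columns 5-10 of 'ls -l' output are the group and other permission bits.
  if [ -r "$keypath" ] && [ "$(ls -ld "$keypath" | cut -c5-10)" != "------" ]; then
    echo "$cfg: private key $keypath is readable by group or others" >&2; rc=1
  fi
  if grep -q '^ns-cert-type' "$cfg"; then
    echo "$cfg: note: ns-cert-type was removed in OpenVPN 2.5; use 'remote-cert-tls server'" >&2
  fi
  return $rc
}

# Usage (hypothetical file names; the host name is the one from the article):
#   render_config "$TEMPLATE" sloot.conf SLOOT=sloot.nikhef.nl \
#     NIKHEF-CA.CRT=$HOME/.globus/nikhef-ca.crt \
#     USERCERT.PEM=$HOME/.globus/usercert.pem USERKEY.PEM=$HOME/.globus/userkey.pem
#   check_config sloot.conf && sudo install -o root -g wheel -m 644 sloot.conf \
#     "$HOME/Library/Application Support/Tunnelblick/Configurations/"
```

The install line at the end applies the root:wheel ownership and rw-r--r-- mode the article requires for the config file itself; the key-permission check is stricter than that on purpose, because the user key is the one file in the set that must stay private.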