Difference between revisions of "OpenVPN"
Latest revision as of 17:52, 15 March 2014
This article explains how to configure your VPN client so that you can access the network at NIKHEF.
Configuration Files
The following configuration files need to be copied to $HOME/Library/Application Support/Tunnelblick/Configurations/; the owner:group of the files is root:wheel and the permissions are rw-r--r--. The two CA crt files (salado-ca.crt & nikhef-ca.crt) need to be placed in $HOME/.globus. To generate the proper CA bundles on the client side, use the bundle generator (https://www.nikhef.nl/grid/ndpf/cabundle/)!
You can use Sloot as the primary VPN server and Boswachter as an alternative. Remote is for the remote location. Tunnel is to Schrepel and puts all your traffic over the line. Openvpn is to Schrepel for normal use. Wipkip-tunnel is handy if you want to encrypt all your traffic but don't want to use TCP for it.
NOTE: replace the names between '<' & '>' with either the hostname or the location of the CRTs/PEMs.
openvpn.conf
 client
 comp-lzo
 comp-noadapt
 proto udp
 remote <SCHREPEL>
 port 1194
 dev tun
 tun-mtu 1500
 nobind
 persist-key
 persist-tun
 # security/certificate stuff:
 ns-cert-type server
 ca <NIKHEF-CA.CRT>
 cert <USERCERT.PEM>
 key <USERKEY.PEM>
boswachter.conf
 client
 comp-lzo
 comp-noadapt
 proto udp
 remote <BOSWACHTER>
 port 1194
 dev tun
 tun-mtu 1500
 nobind
 persist-key
 persist-tun
 # security/certificate stuff:
 ns-cert-type server
 ca <NIKHEF-CA.CRT>
 cert <USERCERT.PEM>
 key <USERKEY.PEM>
remote.conf
 client
 comp-lzo
 comp-noadapt
 proto udp
 #remote salado.nikhef.nl
 remote <KONIJN>
 remote <CAVIA>
 remote-random
 port 1194
 dev tap
 tun-mtu 1500
 nobind
 persist-key
 persist-tun
 # security/certificate stuff:
 ns-cert-type server
 ca <SALADO-CA.CRT>
 cert <USERCERT.PEM>
 key <USERKEY.PEM>
sloot.conf
 client
 comp-lzo
 comp-noadapt
 proto udp
 remote <SLOOT>
 port 1194
 dev tun
 tun-mtu 1500
 nobind
 persist-key
 persist-tun
 # security/certificate stuff:
 ns-cert-type server
 ca <NIKHEF-CA.CRT>
 cert <USERCERT.PEM>
 key <USERKEY.PEM>
tunnel.conf
 client
 comp-lzo
 comp-noadapt
 proto tcp
 remote 194.171.97.13
 #remote boswachter.nikhef.nl
 port 443
 dev tun
 tun-mtu 1500
 nobind
 persist-key
 persist-tun
 # security/certificate stuff:
 ns-cert-type server
 ca <NIKHEF-CA.CRT>
 cert <USERCERT.PEM>
 key <USERKEY.PEM>
wipkip-tunnel.conf
 client
 comp-lzo
 comp-noadapt
 proto udp
 remote 194.171.96.49
 port 1195
 dev tun
 tun-mtu 1500
 nobind
 persist-key
 persist-tun
 # security/certificate stuff:
 ns-cert-type server
 ca <SALADO-CA.CRT>
 cert <USERCERT.PEM>
 key <USERKEY.PEM>
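Before dropping a profile into the Tunnelblick configurations folder it is worth checking that the placeholders were actually filled in and that the server-certificate check survived the edit. The following audit script is an added example, not part of the original article: it parses a profile in the shape shown above and reports missing directives, unreplaced <...> placeholders, and the absence of ns-cert-type server (or its newer equivalent remote-cert-tls server). The sample profile is constructed here and modelled on sloot.conf.

```python
import re

# Directives every client profile on this page is expected to carry.
REQUIRED = ("client", "remote", "ca", "cert", "key")
# Either directive makes the client verify it is talking to a server certificate;
# the profiles above use ns-cert-type, remote-cert-tls is the newer spelling.
SERVER_CHECKS = {"ns-cert-type": "server", "remote-cert-tls": "server"}
PLACEHOLDER = re.compile(r"<[^>]+>")

def parse_ovpn(text):
    """Return (directive, args) tuples; comments and blank lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in OpenVPN
        if line:
            name, *args = line.split()
            entries.append((name, args))
    return entries

def audit_profile(text):
    """Findings for one client profile; an empty list means it passed."""
    entries = parse_ovpn(text)
    names = {name for name, _ in entries}
    findings = [f"missing directive: {d}" for d in REQUIRED if d not in names]
    if not any(name in SERVER_CHECKS and args[:1] == [SERVER_CHECKS[name]]
               for name, args in entries):
        findings.append("server certificate not pinned (ns-cert-type/remote-cert-tls server)")
    for name, args in entries:
        for arg in args:
            if PLACEHOLDER.fullmatch(arg):
                findings.append(f"placeholder still present in '{name}': {arg}")
    return findings

# Constructed sample modelled on sloot.conf, before the placeholders are filled in.
SAMPLE = """client
comp-lzo
proto udp
remote <SLOOT>
port 1194
dev tun
# security/certificate stuff:
ns-cert-type server
ca <NIKHEF-CA.CRT>
cert usercert.pem
key userkey.pem
"""

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE):
        print("WARN:", finding)
```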