Differences between revisions 2 and 11 (spanning 9 versions)
Revision 2 as of 2007-01-19 21:18:00
Size: 6137
Editor: KarlPinc
Comment: Work on mac install.
Revision 11 as of 2007-05-20 06:17:59
Size: 7200
Editor: ool-18bd2e6c
Comment:
Line 4: Line 4:
=== Mac OSX ===
You always have the option of installing the application using the instructions on the OpenVPN [http://www.openvpn.org web site], but the easier way, if you've Mac OS X 10.3 or higher, is to use the pre-packaged OpenVPN that includes a management GUI.
Line 5: Line 7:
=== Mac OSX ===
You always have the option of installing the application using the instructions
on the OpenVPN [http://www.openvpn.org web site], but the easier way, if you've
Mac OS X 10.3 or higher, is to use
the pre-packaged OpenVPN that includes a management GUI.
Note: This will probably work for Mac OS X 10.3 or 10.4 on the PPC/Intel architecture. If you have an older version we'll have to do something else.
Line 11: Line 9:
Follow the installation instructions found at: http://www.tunnelblick.net/README.txt Go to http://www.tunnelblick.net/ and download the latest released version which will extract itself upon downloading. Available [http://www.tunnelblick.net/Tunnelblick_3.0_B4.zip here]
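Review bot: The added "Available here" link points at one fixed file, Tunnelblick_3.0_B4.zip, while the sentence before it tells the reader to download the latest released version, so the two will disagree as soon as a newer release appears. Either drop the direct link and send readers to http://www.tunnelblick.net/ only, or state which version these instructions were written against. The revision also removes the pointer to http://www.tunnelblick.net/README.txt, which leaves the page without a reference to the upstream installation instructions; consider keeping it.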
Line 13: Line 11:
When the instructions talk about creating your own personal configuration file,
use the content of the [#client.conf client.conf] file given below.
When the program is done downloading and extracts itself, place it in your applications folder then drag the icon in the applications folder to your dock.
Line 16: Line 13:
When the instructions talk about "key files" you'll need to make a file named
"albertslab.crt" using the [#albertslab.crt key data] given below.
Open your home folder and go to Library. Then open the folder entitled openvpn.
Line 19: Line 15:
[[Anchor(client.conf)]] In this folder you will need to place two files in this directory.
 * The [http://papio.biology.duke.edu/babasewiki/BabaseVPN?action=AttachFile&do=get&target=openvpn.conf client.conf] which will be name openvpn.conf
 * The [http://papio.biology.duke.edu/babasewiki/BabaseVPN?action=AttachFile&do=get&target=albertslab.crt albertslab.crt] which will retain the same name

When you run Tunnelblick you will, I think, want to configure it so that it does _not_ run the up/down scripts to change the nameserver. If you find this to be the case, please update this wiki with the proper instructions. [[Anchor(client.conf)]]
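Review bot: Both attachment links in the new list are plain http:// URLs, and albertslab.crt is the CA file the client config trusts, so a reader has no way to confirm that the file they downloaded is the lab's certificate. Suggest giving the certificate's fingerprint through a channel other than the download link so it can be compared after download. Also, "which will be name openvpn.conf" should read "which will be named openvpn.conf", and "In this folder you will need to place two files in this directory" says the same thing twice.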
Line 21: Line 22:

{{{##############################################
{{{
############################################## 
Line 106: Line 107:
ca /etc/openvpn/albertslab.crt ca albertslab.crt
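Review bot: With the change from ca /etc/openvpn/albertslab.crt to ca albertslab.crt, the certificate is found only when OpenVPN looks in the folder that holds the config file. The Mac instructions put both files in the same openvpn folder, so the comment above this directive should say that albertslab.crt has to sit beside the config file, and that readers with a different layout should use an absolute path.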
Line 147: Line 148:
Line 151: Line 151:
Line 178: Line 179:
When you start the VPN you will be asked for your Duke Biology Unix username and password.
Line 179: Line 181:
When you start the VPN you will be asked for your Duke Biology Unix username and password. To test the vpn use the "ping" program to ping {{{papio-vpn.biology.duke.edu}}} (aka 172.16.3.1). If you get a response the VPN is working.

To connect to papio using the VPN you cannot use {{{papio.biology.duke.edu}}}. Use {{{papio-vpn.biology.duke.edu}}} (172.16.3.1) instead.

The [http://en.wikipedia.org/wiki/Virtual_private_network VPN] is implemented with [http://www.openvpn.org OpenVPN].

Installing the Babase VPN

Mac OSX

You always have the option of installing the application using the instructions on the OpenVPN [http://www.openvpn.org web site], but the easier way, if you have Mac OS X 10.3 or higher, is to use the pre-packaged OpenVPN that includes a management GUI.

Note: This will probably work for Mac OS X 10.3 or 10.4 on the PPC/Intel architecture. If you have an older version we'll have to do something else.

Go to http://www.tunnelblick.net/ and download the latest released version, which will extract itself upon downloading. It is available [http://www.tunnelblick.net/Tunnelblick_3.0_B4.zip here].

When the program has finished downloading and has extracted itself, place it in your Applications folder, then drag the icon from the Applications folder to your Dock.

Open your home folder and go to Library. Then open the folder entitled openvpn.

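You will need to place two files in this folder:
 * The [http://papio.biology.duke.edu/babasewiki/BabaseVPN?action=AttachFile&do=get&target=openvpn.conf client.conf], which will be named openvpn.conf
 * The [http://papio.biology.duke.edu/babasewiki/BabaseVPN?action=AttachFile&do=get&target=albertslab.crt albertslab.crt], which will retain the same name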

When you run Tunnelblick you will, I think, want to configure it so that it does _not_ run the up/down scripts to change the nameserver. If you find this to be the case, please update this wiki with the proper instructions.

The client.conf file

{{{
##############################################
# Client-side OpenVPN 2.0 config file        #
# for connecting to the babase VPN on.       #
# papio.biology.duke.edu.                    #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote papio.biology.duke.edu 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca albertslab.crt
;cert client.crt
;key client.key
auth-user-pass

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
;comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
}}}
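
The config above keeps a commented-out `;ns-cert-type server` directly above the active one, so it is worth confirming that the directives protecting the connection are really active and that the `ca` file is where the config expects it before connecting. The script below is an added example, not part of the original wiki page; the function names `active_value` and `check_conf` are hypothetical, the sample files are constructed, and it assumes a relative `ca` path is looked up beside the config file.

```shell
#!/bin/sh
# Added example: pre-flight check for the openvpn.conf described on this page.

# active_value FILE DIRECTIVE
# Print the arguments of the first active occurrence of DIRECTIVE, ignoring
# lines commented out with '#' or ';'. Returns 1 if there is none.
active_value() {
    awk -v d="$2" '
        /^[ \t]*[#;]/ { next }                 # whole-line comment
        { sub(/[ \t]+[#;].*$/, "") }           # trailing comment
        $1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# check_conf FILE
# Print one line per problem; return 0 only when nothing was found.
check_conf() {
    conf=$1; dir=$(dirname "$conf"); bad=0
    # The server-certificate check must be active, not just present as ';...'.
    [ "$(active_value "$conf" ns-cert-type)" = "server" ] ||
        { echo "ns-cert-type server is not active"; bad=1; }
    # Password login is how this VPN identifies the user.
    active_value "$conf" auth-user-pass >/dev/null ||
        { echo "auth-user-pass is not active"; bad=1; }
    # Assumption: a relative ca path is looked up beside the config file.
    ca=$(active_value "$conf" ca) || { echo "no active ca directive"; bad=1; }
    case $ca in
        "") ;;
        /*) capath=$ca ;;
        *)  capath=$dir/$ca ;;
    esac
    if [ -n "$ca" ] && ! grep -q -e '-----BEGIN CERTIFICATE-----' "$capath" 2>/dev/null
    then
        echo "ca file $capath is missing or is not a PEM certificate"; bad=1
    fi
    return "$bad"
}

# Constructed sample input: the page's active directives and a dummy PEM file.
demo=$(mktemp -d)
printf '%s\n' 'client' 'dev tun' ';ns-cert-type server' 'ns-cert-type server' \
    'ca albertslab.crt' 'auth-user-pass' > "$demo/openvpn.conf"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-PLACEHOLDER' \
    '-----END CERTIFICATE-----' > "$demo/albertslab.crt"
check_conf "$demo/openvpn.conf" && echo "openvpn.conf: no problems found"
```

To check a real installation, call `check_conf` with the path of the openvpn.conf placed in the openvpn folder.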


The root certificate authority

This data belongs in a file named: albertslab.crt

The root certificate authority certificate for the babase VPN is:


Using the Babase VPN

When you start the VPN you will be asked for your Duke Biology Unix username and password.

To test the VPN, use the "ping" program to ping papio-vpn.biology.duke.edu (aka 172.16.3.1). If you get a response, the VPN is working.

To connect to papio using the VPN you cannot use papio.biology.duke.edu. Use papio-vpn.biology.duke.edu (172.16.3.1) instead.

BabaseVPN (last edited 2018-01-24 20:16:04 by JakeGordon)

Wiki content based upon work supported by the National Science Foundation under Grant Nos. 0323553 and 0323596. Any opinions, findings, conclusions or recommendations expressed in this material are those of the wiki contributor(s) and do not necessarily reflect the views of the National Science Foundation.