Differences between revisions 8 and 38 (spanning 30 versions)
Revision 8 as of 2007-05-20 06:07:59
Size: 7057
Editor: ool-18bd2e6c
Comment:
Revision 38 as of 2018-01-24 20:16:04
Size: 6398
Editor: JakeGordon
Comment:
Line 1: Line 1:
The [http://en.wikipedia.org/wiki/Virtual_private_network VPN] is implimented with [http://www.openvpn.org OpenVPN]. <<TableOfContents>>
Line 3: Line 3:
== Installing the Babase VPN ==
=== Mac OSX ===
You always have the option of installing the application using the instructions on the OpenVPN [http://www.openvpn.org web site], but the easier way, if you've Mac OS X 10.3 or higher, is to use the pre-packaged OpenVPN that includes a management GUI.
= Important Note =
After the ~Jan 2018 migration of Papio to a new VM at Duke with new security measures in place, all of the below information is no longer true. We are now using the [[DukeVPN|Duke VPN]].
Line 7: Line 6:
Note: This will probably work for Mac OS x 1.3. or 10.4 on the PPC/Intel architecture. If you have an older version we'll have to do something else. ----
(The below information kept for archival purposes only)
Line 9: Line 9:
Go to http://www.tunnelblick.net/ and download the latest released version which will extract itself upon downloading. Available [http://www.tunnelblick.net/Tunnelblick_3.0_B4.zip here] The VPN ([[http://en.wikipedia.org/wiki/Virtual_private_network|Virtual Private Network]]) running on the Babase server uses the [[http://www.openvpn.org|OpenVPN]] implementation.
Line 11: Line 11:
When the instructions talk about creating your own personal configuration file, use the content of the [#client.conf client.conf] file given below. = Babase VPN on Mac OS X =
You always have the option of installing the application using the instructions on the OpenVPN [[http://www.openvpn.org|web site]], but the easier way, if you've Mac OS X 10.3 or higher, is to use the pre-packaged OpenVPN called [[http://www.tunnelblick.net/|Tunnelblick]] that includes a management GUI. Babase supplies a pre-packaged version of Tunnelblick with configuation files built-in, but there may be newer Tunnelblick versions available on the Tunnelblick web site.
Line 13: Line 14:
When the instructions talk about "key files" you'll need to make a file named "albertslab.crt" using the [#albertslab.crt key data] given below. To install the Babase-supplied Tunnelblick version (obvious interactions omitted):
Line 15: Line 16:
After installing the "everything" version, download and install the Tunnelblick 3.0_rc3 version. Replace the Tunnelblick in the Applications folder with the new version.  * Download the latest version of [[http://www.tunnelblick.net/|Tunnelblick]]
 * Unzip the folder
 * Open the folder
 * Double click on the Tunnelblick icon (a little tunnel) to launch the installer
 * You probably do '''not''' want to have the installed BabaseVPN configuration available to all users on your computer
 * Start Tunnelblick, a little tunnel icon will appear in the bar at top right of screen
 * When asked, you do '''not''' want to check for IP address change on VPN startup
 * You probably do want automatic checks for new Tunnelblick versions
 * Click on the little tunnel icon in the bar at the top right of the screen, and click on ''VPN Details...'' to get a configuration page:
  * Choose the BabaseVPN configuration by click
  * Choose to connect on Tunnelblick startup
  * Choose '''not''' to use a nameserver
  * Click "Connect" on the lower right
Line 17: Line 30:
When you run Tunnelblick you will, I think, want to configure it so that it does _not_ run the up/down scripts to change the nameserver. If you find this to be the case, please update this wiki with the proper instructions. [[Anchor(client.conf)]] Tunnelblick is installed in your Applications folder. Double click on it to start the Babase VPN. Control Tunnelblick with the little tunnel icon at the top right of the screen. When it asks for your name and password, use your Papio name and password (in case these are different from your babase name and password).
Line 19: Line 32:
=== The client.conf file ===
{{{
##############################################
# Client-side OpenVPN 2.0 config file #
# for connecting to the babase VPN on. #
# papio.biology.duke.edu. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
See below regards using the Babase VPN.
Line 30: Line 34:
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
Note: The OpenVPN configuration supplied with the Babase packaged version of Tunnelblick differs from the configuration linked below. The packaged configuration file does not drop root permissions since this seems to cause problems with packaged Tunnelblick version 3.3beta54.
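Review bot: The note says the packaged configuration "does not drop root permissions" without naming the directive involved. The client.conf text further down this diff sets "user nobody" under "Downgrade privileges after initialization (non-Windows only)", so say that this is the line left out of the packaged file. Readers who install a newer Tunnelblick with the linked configuration then know which setting differs and can check for it.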
Line 35: Line 36:
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
If installing a newer Tunnelblick version you will need the following configuration files:
Line 43: Line 38:
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
 * [[https://papio.biology.duke.edu/babasewiki/BabaseVPN?action=AttachFile&do=get&target=papio-openvpn.conf|papio-openvpn.conf]] -- to connect to papio
 * [[https://papio.biology.duke.edu/babasewiki/BabaseVPN?action=AttachFile&do=get&target=abrp-genomics-openvpn.conf|abrp-genomics-openvpn.conf]] -- to connect to abrp-genomics
 * [[https://papio.biology.duke.edu/babasewiki/BabaseVPN?action=AttachFile&do=get&target=albertslab.crt|albertslab.crt]]
Line 50: Line 42:
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
A Tunnelblick un-installer is avaialble on the Tunnelblick website.
Line 56: Line 44:
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote papio.biology.duke.edu 1194
;remote my-server-2 1194
= Babase VPN on Windows XP =
As Administrator, install [[http://www.openvpn.se/|OpenVPN GUI for Windows]]. Unless you already have OpenVPN (without GUI) installed on your computer, it is easiest to download and install the installation package with both OpenVPN and OpenVPN GUI. Once installation completes, you should notice a new OpenVPN GUI icon in your system tray (at the lower-right corner of your desktop). The icon should be lit red at this point, because you have not made a VPN connection yet.
Line 62: Line 47:
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
Download the following two files, and place them in the {{{C:\Program Files\OpenVPN\config\}}} directory on your computer:
Line 67: Line 49:
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
 * [[https://papio.biology.duke.edu/babasewiki/BabaseVPN?action=AttachFile&do=get&target=albertslab.crt|albertslab.crt]]
 * [[https://papio.biology.duke.edu/babasewiki/BabaseVPN?action=AttachFile&do=get&target=papio.ovpn|papio.ovpn]] -- to connect to papio
 * [[https://papio.biology.duke.edu/babasewiki/BabaseVPN?action=AttachFile&do=get&target=abrpgeno.ovpn|abrpgeno.ovpn]] -- to connect to abrp-genomics
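Review bot: The sentence above the list says "the following two files", but the list has three attachments (albertslab.crt, papio.ovpn, abrpgeno.ovpn). Either change the count or reword it to say the certificate plus the .ovpn file for each server the reader needs to reach.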
Line 73: Line 53:
# Most clients don't need to bind to
# a specific local port number.
nobind
Now, to connect, right click on the OpenVPN GUI icon in your system tray, and choose "Connect". You will be prompted for your Duke Biology Unix user name and password. If the connection is successful, the icon will turn green. To disconnect, simply right lick on the icon and choose "Disconnect".
Line 77: Line 55:
# Downgrade privileges after initialization (non-Windows only)
user nobody
;group nobody
== Optional Tweaks to Configuration ==
By default, OpenVPN GUI will start in your system tray whenever your computer starts up. If you do not want this behavior, you can use [[http://www.microsoft.com/technet/sysinternals/Utilities/AutoRuns.mspx|AutoRuns for Windows]] to tweak it.
Line 81: Line 58:
# Try to preserve some state across restarts.
persist-key
persist-tun
If you normally use your Windows XP computer as a non-Administrator user, you should create a shortcut to {{{C:\Program Files\OpenVPN\bin\openvpn-gui.exe}}}, right-click on the shortcut, select "Properties", click "Advanced..." and select "Run with different credentials". Now, when you double-click this shortcut, you should choose to run it as Administrator (VPN will not function correctly if you do not run it as Administrator). The How-To section of the [[http://openvpn.se/howto.html|OpenVPN GUI website]] has more information on how to run VPN as a non-admin user.
Line 85: Line 60:
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
= Notes on Using the Babase VPN =
When you start the VPN you will be asked for your Duke Biology Unix user name and password.
Line 94: Line 63:
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca albertslab.crt
;cert client.crt
;key client.key
auth-user-pass

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
;comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20}}}

[[Anchor(albertslab.crt)]]
=== The root certificate authority ===
This data belongs in a file named: {{{albertslab.crt}}}

The root certificate authority certificate for the babase VPN is:

{{{
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----}}}

== Using the Babase VPN ==
When you start the VPN you will be asked for your Duke Biology Unix username and password.

To test the vpn use the "ping" program to ping {{{papio-vpn.biology.duke.edu}}} (aka 172.16.3.1). If you get a response the VPN is working.
== Testing A Connection to Papio ==
To test the VPN use the "ping" program to ping {{{papio-vpn.biology.duke.edu}}} (aka 172.16.3.1). If you get a response the VPN is working.
Line 182: Line 67:

== Testing A Connection to ABRP-Genomics ==
To test the VPN use the "ping" program to ping {{{abrp-genomics-vpn.biology.duke.edu}}} (aka 172.16.4.1). If you get a response the VPN is working.

To connect to the server using the VPN you cannot use {{{abrp-genomics.biology.duke.edu}}}. Use {{{abrp-genomics-vpn.biology.duke.edu}}} (172.16.4.1) instead.

To get to the test environment on ABRP-Genomics use the following URL in your web browser: http://abrp-genomics-vpn.biology.duke.edu/

Important Note

After the ~Jan 2018 migration of Papio to a new VM at Duke with new security measures in place, all of the below information is no longer true. We are now using the Duke VPN.


(The below information kept for archival purposes only)

The VPN (Virtual Private Network) running on the Babase server uses the OpenVPN implementation.

Babase VPN on Mac OS X

You always have the option of installing the application using the instructions on the OpenVPN web site, but the easier way, if you have Mac OS X 10.3 or higher, is to use the pre-packaged OpenVPN called Tunnelblick that includes a management GUI. Babase supplies a pre-packaged version of Tunnelblick with configuration files built-in, but there may be newer Tunnelblick versions available on the Tunnelblick web site.

To install the Babase-supplied Tunnelblick version (obvious interactions omitted):

  • Download the latest version of Tunnelblick

  • Unzip the folder
  • Open the folder
  • Double click on the Tunnelblick icon (a little tunnel) to launch the installer
  • You probably do not want to have the installed BabaseVPN configuration available to all users on your computer

  • Start Tunnelblick; a little tunnel icon will appear in the bar at the top right of the screen
  • When asked, you do not want to check for IP address change on VPN startup

  • You probably do want automatic checks for new Tunnelblick versions
  • Click on the little tunnel icon in the bar at the top right of the screen, and click on VPN Details... to get a configuration page:

    • Choose the BabaseVPN configuration by clicking on it
    • Choose to connect on Tunnelblick startup
    • Choose not to use a nameserver

    • Click "Connect" on the lower right

Tunnelblick is installed in your Applications folder. Double click on it to start the Babase VPN. Control Tunnelblick with the little tunnel icon at the top right of the screen. When it asks for your name and password, use your Papio name and password (in case these are different from your babase name and password).

See below regarding using the Babase VPN.

Note: The OpenVPN configuration supplied with the Babase packaged version of Tunnelblick differs from the configuration linked below. The packaged configuration file does not drop root permissions since this seems to cause problems with packaged Tunnelblick version 3.3beta54.
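
The missing privilege drop noted above, and the server-certificate check in the client.conf shown in this page's revision history, can both be checked mechanically in any copy of these configs. The following is an added example, not part of the original wiki page or the Babase configuration files: a small Python audit of an OpenVPN client config. The sample config, the host vpn.example.org and the severity labels are constructed for illustration.

```python
import re

# Constructed sample modelled on the archived client.conf, with the privilege
# drop commented out as the page describes for the packaged Tunnelblick build.
SAMPLE_CONF = """\
client
dev tun
proto udp
remote vpn.example.org 1194   # placeholder host, not the real server
nobind
;user nobody
;group nobody
ca albertslab.crt
auth-user-pass
ns-cert-type server
;tls-auth ta.key 1
verb 3
"""

def parse_directives(text):
    """Map active directives to their args. '#' or ';' starts a comment, at
    line start or after whitespace (simplified: quoting is ignored)."""
    active = {}
    for raw in text.splitlines():
        line = re.split(r"\s[#;]", raw.strip(), maxsplit=1)[0].strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        active[name] = args
    return active

def audit(text):
    """Return (level, message) findings; the levels are this example's own."""
    d = parse_directives(text)
    findings = []
    if "ca" not in d and "<ca>" not in d:
        findings.append(("high", "no CA configured to validate the server certificate"))
    if d.get("remote-cert-tls") == ["server"] or "verify-x509-name" in d:
        pass  # server identity is checked
    elif d.get("ns-cert-type") == ["server"]:
        findings.append(("info", "legacy ns-cert-type check; newer OpenVPN uses remote-cert-tls server"))
    else:
        findings.append(("high", "any certificate signed by the CA is accepted as the server"))
    if "user" not in d:  # non-Windows only
        findings.append(("medium", "no 'user' directive: openvpn keeps root after start-up"))
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append(("info", "no tls-auth/tls-crypt key on the control channel"))
    if d.get("auth-user-pass"):
        findings.append(("medium", "auth-user-pass reads credentials from a file on disk"))
    return findings

if __name__ == "__main__":
    for level, message in audit(SAMPLE_CONF):
        print(f"{level:6} {message}")
```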

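If installing a newer Tunnelblick version you will need the following configuration files:

  • papio-openvpn.conf -- to connect to papio
  • abrp-genomics-openvpn.conf -- to connect to abrp-genomics
  • albertslab.crt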

A Tunnelblick un-installer is available on the Tunnelblick website.

Babase VPN on Windows XP

As Administrator, install OpenVPN GUI for Windows. Unless you already have OpenVPN (without GUI) installed on your computer, it is easiest to download and install the installation package with both OpenVPN and OpenVPN GUI. Once installation completes, you should notice a new OpenVPN GUI icon in your system tray (at the lower-right corner of your desktop). The icon should be lit red at this point, because you have not made a VPN connection yet.

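Download the following two files, and place them in the C:\Program Files\OpenVPN\config\ directory on your computer:

  • albertslab.crt
  • papio.ovpn -- to connect to papio
  • abrpgeno.ovpn -- to connect to abrp-genomics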

Now, to connect, right-click on the OpenVPN GUI icon in your system tray, and choose "Connect". You will be prompted for your Duke Biology Unix user name and password. If the connection is successful, the icon will turn green. To disconnect, simply right-click on the icon and choose "Disconnect".

Optional Tweaks to Configuration

By default, OpenVPN GUI will start in your system tray whenever your computer starts up. If you do not want this behavior, you can use AutoRuns for Windows to tweak it.

If you normally use your Windows XP computer as a non-Administrator user, you should create a shortcut to C:\Program Files\OpenVPN\bin\openvpn-gui.exe, right-click on the shortcut, select "Properties", click "Advanced..." and select "Run with different credentials". Now, when you double-click this shortcut, you should choose to run it as Administrator (VPN will not function correctly if you do not run it as Administrator). The How-To section of the OpenVPN GUI website has more information on how to run VPN as a non-admin user.

Notes on Using the Babase VPN

When you start the VPN you will be asked for your Duke Biology Unix user name and password.

Testing A Connection to Papio

To test the VPN use the "ping" program to ping papio-vpn.biology.duke.edu (aka 172.16.3.1). If you get a response the VPN is working.

To connect to papio using the VPN you cannot use papio.biology.duke.edu. Use papio-vpn.biology.duke.edu (172.16.3.1) instead.

Testing A Connection to ABRP-Genomics

To test the VPN use the "ping" program to ping abrp-genomics-vpn.biology.duke.edu (aka 172.16.4.1). If you get a response the VPN is working.

To connect to the server using the VPN you cannot use abrp-genomics.biology.duke.edu. Use abrp-genomics-vpn.biology.duke.edu (172.16.4.1) instead.

To get to the test environment on ABRP-Genomics use the following URL in your web browser: http://abrp-genomics-vpn.biology.duke.edu/

BabaseVPN (last edited 2018-01-24 20:16:04 by JakeGordon)

Wiki content based upon work supported by the National Science Foundation under Grant Nos. 0323553 and 0323596. Any opinions, findings, conclusions or recommendations expressed in this material are those of the wiki contributor(s) and do not necessarily reflect the views of the National Science Foundation.