8/17/2012

Using QUT Secure Access Service (SAS) on Ubuntu

QUT SAS allows QUT students and staff secure remote access to QUT resources. Unix and Unix-like operating systems such as Linux are not supported. The instructions on the QUT ITServices site are pretty clear [1], but I have duplicated some of them here for my reference. I tested the configuration on Ubuntu.

Install VPNC
  1. sudo apt-get install vpnc
Download or create the configuration file
The configuration file can be specified on the command line when executing vpnc; otherwise /etc/vpnc/default.conf or /etc/vpnc.conf will be used. If you are only using a single VPNC connection, save the configuration file as /etc/vpnc.conf.
A sample configuration file is provided below. If you do not have a configuration file and simply execute vpnc, you can still establish a connection by supplying the correct input at the prompts.
  1. Download https://secure.qut.edu.au/itservices/qut/qutservices/qutnetwork/qutsas/off-campus.conf
  2. Edit the configuration file to suit your credentials
Connecting and disconnecting
Connecting is done by executing the vpnc command. You can explicitly specify the configuration file to use on the command line. If no configuration file is specified and the default configuration files (/etc/vpnc.conf and /etc/vpnc/default.conf) are unavailable, the application will prompt for input.
  1. /usr/sbin/vpnc /home/users/kush/qut-sas.conf #(connect)
  2. /usr/sbin/vpnc-disconnect #(disconnect)
Sample configuration file
IPSec gateway sas.qut.edu.au
IPSec ID qut
IPSec secret qutaccess
# student number
Xauth username nXXXXXXX
# password
Xauth password XXXXXXXX
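The sample above stores the group secret and your password in a plaintext file, so the file itself needs protecting. The script below is an added example (it is not from the original post or from QUT ITServices): it writes a vpnc configuration readable only by its owner and checks it before you connect. It assumes the gateway, group ID and group secret listed in the post, uses nXXXXXXX as a placeholder student number, and deliberately leaves out the "Xauth password" line so that vpnc prompts for the password at connect time instead of keeping it on disk.

```shell
#!/bin/sh
# Added example (not from the original post): write a vpnc configuration file
# that is readable only by its owner, and check it before connecting.
# Assumptions: gateway, group ID and group secret are the values listed in the
# post; nXXXXXXX is a placeholder student number; the "Xauth password" line is
# deliberately omitted so that vpnc prompts for the password at connect time
# instead of keeping it in a plaintext file on disk.

# write_vpnc_conf FILE USERNAME -- create FILE with mode 0600
write_vpnc_conf() {
    rm -f "$1"
    # the subshell keeps the restrictive umask from leaking into the caller
    (
        umask 077
        cat > "$1" <<EOF
IPSec gateway sas.qut.edu.au
IPSec ID qut
IPSec secret qutaccess
# student number; the password is not stored, vpnc will prompt for it
Xauth username $2
EOF
    )
}

# check_vpnc_conf FILE -- return 0 if FILE has the mandatory directives and
# only its owner can read it; otherwise print the reason and return 1
check_vpnc_conf() {
    file="$1"
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    for key in "IPSec gateway" "IPSec ID" "IPSec secret" "Xauth username"; do
        grep -q "^$key " "$file" || { echo "missing directive: $key"; return 1; }
    done
    # columns 5-10 of "ls -ld" are the group and other permission bits
    case $(ls -ld "$file" | cut -c5-10) in
        ------) return 0 ;;
        *) echo "$file is readable by group/others; chmod 600 it"; return 1 ;;
    esac
}

# demo: write the file under /tmp (a real one would go in /etc/vpnc.conf or
# in your home directory as in the post) and verify it
conf="${TMPDIR:-/tmp}/qut-sas.conf"
write_vpnc_conf "$conf" nXXXXXXX
check_vpnc_conf "$conf" && echo "configuration ok; connect with: sudo vpnc $conf"
```

Because the password line is absent, vpnc asks for it interactively; if you would rather store it, keep the 0600 mode the script sets, since anything that can read the file can log in as you.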

Reference:
  1. https://secure.qut.edu.au/itservices/qut/qutservices/qutnetwork/qutsas/

8/10/2012

Connecting to OpenVPN from a Mac using Tunnelblick

To connect to an OpenVPN server you need an appropriate OpenVPN client installed to establish the SSL link. For Apple Mac OS X systems, Tunnelblick (http://code.google.com/p/tunnelblick/) is a good graphical user interface. At the time of writing, the latest stable version of Tunnelblick available was 3.2.7. These instructions were executed on an Apple iMac running Mac OS X 10.7.4. As with all other posts on this blog, the purpose of this post is not to provide a tutorial, but to document the steps taken, for my own benefit.

Download and install Tunnelblick

  1. Download the latest stable version of Tunnelblick (3.2.7).
  2. Click on the downloaded dmg package file to mount it.
  3. Once the Tunnelblick window is open, double-click the Tunnelblick.app icon
  4. A warning may be displayed to indicate that the package may be unsafe because it was downloaded; continue by clicking the "Open" button
  5. Enter the system administrator credentials to start the install
  6. Once installation is completed, the "installation succeeded" window will be displayed; click the "Quit" button
  7. Close the Tunnelblick window and eject the dmg package
  8. Start the Tunnelblick GUI by going to Applications and clicking Tunnelblick.app
  9. You should see a Tunnelblick icon up the top
The first time you start the Tunnelblick application
  1. A warning may be displayed to indicate that the package may be unsafe because it was downloaded; continue by clicking the "Open" button
  2. When prompted, click on the "I have configuration files" button
Setting up the OpenVPN connection
  1. Then click on the "OpenVPN Configuration(s)" button
  2. Select the "Create Tunnelblick VPN Configuration" button to generate a configuration based on your OpenVPN configuration files
  3. Take note of the instructions in the dialog box and click the "Done" button
  4. You may be prompted about automatic updates
    1. To prevent your system details (although anonymous) from being transmitted, uncheck "Include anonymous system profile"
    2. Then click on the "Check Automatically" button to enable automatic checking for updates
  5. You should now have a directory called "Empty Tunnelblick VPN Configuration" on your desktop
  6. Get the CA certificate (ca.crt), your private key (I used MACHINE.key as an example) and certificate (e.g. MACHINE.crt), and your client configuration file (this may be something like client.ovpn or client.conf). These should be provided by your network administrator.
    1. ca.crt
    2. MACHINE.crt
    3. MACHINE.key
    4. client-config.ovpn
  7. Copy or move the files above into the directory on your desktop
  8. Rename the directory to something meaningful with a .tblk extension, e.g. Office-VPN.tblk
  9. When prompted to add the .tblk extension click on the "Add" button; you should see the directory icon change to a Tunnelblick icon
  10. Double-click the renamed directory to install the configuration
  11. When prompted to continue the installation click the "Only Me" button
  12. Enter the system administrator credentials to complete the install
  13. Once installed, click the "OK" button
Changing DNS settings
  1. Right click on the Tunnelblick icon up the top
  2. Select VPN Details, then select the VPN connection you wish to edit, e.g. "Office-VPN"
  3. Select the "Settings" option in the middle of the window
  4. Change the "Set DNS/WINS" option to suit. For example, if you do not want the DNS settings pushed through the VPN tunnel to replace your existing nameserver configuration, select "Do not set nameserver"
Connecting to the VPN

Once Tunnelblick has been installed and the configuration completed:
  1. Right click the Tunnelblick icon up the top
  2. You should see the VPN connection, e.g. "Connect Office-VPN"; select it to connect

Disconnecting from the VPN

Once the VPN connection has been established and you wish to disconnect:
  1. Right click the Tunnelblick icon up the top
  2. You should see the VPN connection, e.g. "Disconnect Office-VPN"; select it to disconnect
Here is a sample client configuration file for reference; substitute SERVER, PORT and MACHINE as appropriate
client
dev tun
proto udp
remote SERVER PORT
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert MACHINE.crt
key MACHINE.key
comp-lzo
verb 3
; the following lines are needed for Windows Vista, 7 and 8 machines, not needed for Windows XP
route-method exe
route-delay 2


References:

  1. http://code.google.com/p/tunnelblick/

8/08/2012

Installing OpenVPN 2.2 on CentOS 6.3 64bit

This post is just an update of a previous post that used CentOS 5.7 and OpenVPN 2.2 (http://nkush.blogspot.com.au/2011/10/installing-openvpn-22-on-centos-57.html). The basic instructions are the same, however this post uses some newer packages which may have been relocated to new URLs. Again, this blog and its posts are mostly for my own reference and not intended as step-by-step instructions for other systems/network administrators.

Install RPMForge (or RepoForge, as it is now known) [1]
  1. wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
  2. rpm -ivh rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
  3. yum update
Install and set-up the OpenVPN Server[2]
  1. yum -y install openvpn 
  2. cd /etc/openvpn/
  3. cp /usr/share/doc/openvpn-*/sample-config-files/server.conf .
  4. mkdir -p /etc/openvpn/easy-rsa/keys
  5. cd /etc/openvpn/easy-rsa
  6. cp -rf /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/* .
  7. chmod o+x,g+x clean-all build-* vars whichopensslcnf pkitool inherit-inter list-crl revoke-full sign-req
Set-up the OpenVPN Server environment, keys and certificates
  1. vi /etc/openvpn/easy-rsa/vars
    1. Also consider setting the key length using the KEY_SIZE variable: 1024 is the default, 2048 is better but slows down the TLS handshake; I am paranoid and use 4096-bit keys
    2. Set the country (KEY_COUNTRY), state (KEY_PROVINCE), locality (KEY_CITY), organisation name (KEY_ORG) and support email (KEY_EMAIL)
    3. I used PKCS11_MODULE_PATH=/ and a random PIN value
  2. Create a link to the openssl config file as openssl.cnf
    1. ln -s /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf   
  3. Create certificate for the server
    1. ./build-key-server NAME_OF_SERVER
    2. Answer the questions and commit the certificate into the database
  4. Create the Diffie-Hellman parameter file
    1. These parameters are used for the Diffie-Hellman key exchange that negotiates the session keys over an insecure channel. Depending on the key length (KEY_SIZE), generating them may take a while.
    2. ./build-dh
  5. Create the certificate for each client
    1. ./build-key CLIENT
  6. Edit the server configuration file 
    1. vi /etc/openvpn/server.conf
    2. Check/change
      1. local
      2. proto
      3. dev
      4. port
      5. ca
      6. cert
      7. key
      8. dh
      9. max-clients
      10. user
      11. group
      12. log-append
      13. verb
  7. Start everything
    1. /etc/rc.d/init.d/openvpn start
    2. chkconfig --level 235 openvpn on
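Both the Tunnelblick bundle in the previous post and the server.conf edited above are easy to get subtly wrong: a referenced certificate or key file is missing, the private key is world-readable, or the user/group lines in the sample server.conf are left commented out so the daemon keeps running as root. The script below is an added example (not from either post, and not part of OpenVPN or Tunnelblick) that checks a client or server configuration for exactly those problems. It assumes the directives named in the posts (ca, cert, key, dh, port, proto, dev, user, group), resolves relative file names against the directory holding the config (which is how a .tblk bundle and /etc/openvpn are laid out), and uses constructed file names in the demo at the bottom.

```shell
#!/bin/sh
# Added example, not part of the original posts: sanity-check an OpenVPN
# configuration file before using it, both for the Tunnelblick client bundle
# (.tblk directory) and for the server.conf edited in the CentOS post.
# It reads the directives the posts tell you to check and verifies that every
# referenced file (ca, cert, key and, for a server, dh) exists next to the
# config, that the private key is readable only by its owner, and that a
# server config sets user and group so the daemon drops root privileges.
# The file names in the demo at the bottom are constructed for this example.

# conf_value FILE DIRECTIVE -- print the first value of DIRECTIVE in FILE;
# lines commented out with '#' or ';' do not match because their first word
# is not the bare directive name
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# key_private FILE -- succeed if group and others have no permission bits
# (columns 5-10 of "ls -ld" are the group and other bits)
key_private() {
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# check_openvpn_conf FILE KIND -- KIND is "client" or "server"; prints every
# problem found and returns the number of problems (0 means the config is usable)
check_openvpn_conf() {
    conf="$1"
    kind="$2"
    dir=$(dirname "$conf")
    problems=0
    files="ca cert key"
    if [ "$kind" = server ]; then
        files="ca cert key dh"
    fi
    for d in $files; do
        v=$(conf_value "$conf" "$d")
        if [ -z "$v" ]; then
            echo "missing directive: $d"
            problems=$((problems + 1))
            continue
        fi
        # relative paths are resolved against the directory holding the config
        case "$v" in
            /*) path="$v" ;;
            *) path="$dir/$v" ;;
        esac
        if [ ! -f "$path" ]; then
            echo "$d refers to $path, which does not exist"
            problems=$((problems + 1))
        elif [ "$d" = key ] && ! key_private "$path"; then
            echo "$path is readable by group/others; chmod 600 it"
            problems=$((problems + 1))
        fi
    done
    if [ "$kind" = server ]; then
        # the sample server.conf ships user/group commented out; without them
        # openvpn keeps running as root after start-up
        for d in port proto dev user group; do
            if [ -z "$(conf_value "$conf" "$d")" ]; then
                echo "missing directive: $d"
                problems=$((problems + 1))
            fi
        done
    fi
    return "$problems"
}

# demo: a constructed client bundle laid out like the .tblk directory
demo=$(mktemp -d)
cat > "$demo/client-config.ovpn" <<EOF
client
dev tun
proto udp
remote SERVER PORT
ca ca.crt
cert MACHINE.crt
key MACHINE.key
EOF
: > "$demo/ca.crt"
: > "$demo/MACHINE.crt"
: > "$demo/MACHINE.key"
chmod 600 "$demo/MACHINE.key"
if check_openvpn_conf "$demo/client-config.ovpn" client; then
    echo "$demo/client-config.ovpn looks usable"
fi
rm -rf "$demo"
```

Run it as check_openvpn_conf /etc/openvpn/server.conf server on the CentOS box, or against the .ovpn inside the .tblk directory with client; a non-zero return is the number of problems printed, so the script can gate a start-up or deployment step.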
Future posts may include instructions on configuration of the client as well as set-up of firewall rules for specific topologies (time permitting)

References
  1. http://wiki.centos.org/AdditionalResources/Repositories/RPMForge/#head-f0c3ecee3dbb407e4eed79a56ec0ae92d1398e01
  2. http://nkush.blogspot.com.au/2011/10/installing-openvpn-22-on-centos-57.html