Differences between revisions 2 and 11 (spanning 9 versions)
Revision 2 as of 2015-02-27 12:04:37
Size: 2678
Editor: DavidAdam
Comment: flesh out connection instructions [DAA]
Revision 11 as of 2018-05-04 15:30:30
Size: 8236
Editor: 10
Comment:
Deletions are marked like this. Additions are marked like this.
Line 3: Line 3:
There are two VPN methods - the new IPsec VPN and the old PPTP VPN. The latter is deprecated. The new VPN works on all modern devices. There are two currently working VPN methods - OpenVPN and the IPsec VPN. The old PPTP VPN is deprecated.
Line 5: Line 5:
= Connecting to the VPN = The IPsec VPN is the easiest to use on Windows and is authenticated using your UCC username and password, however since [FVP] was not able to get it working by following the instructions below, he went and set up OpenVPN as well.
Line 7: Line 7:
== Windows 7 == = OpenVPN =

To connect to the UCC OpenVPN server, you will need to ask a wheel member to generate a client configuration with valid certificates.

This can be done by running `USER="<username>"; ssh root@murasoi "/etc/openvpn/server/uccvpn/client-gen-conf.sh $USER" > openvpn-config-$USER.conf`.

The resulting config file contains all the necessary information to connect to the VPN. Note: client certificates and corresponding private keys are stored in the file. Keep it safe.

== Installation ==

=== Windows ===

Download the OpenVPN "Community" installer from the [[OpenVPN community download page|https://openvpn.net/index.php/download/community-downloads.html]].

You should be able to find OpenVPN GUI in the start menu somewhere. Run it.

Place any configuration files in `C:\Program Files\OpenVPN\config\` or `C:\Program Files (x86)\OpenVPN\config\`. An submenu should appear in the context menu accessible via the OpenVPN GUI taskbar icon which lets you connect and disconnect from the VPN.

For more information, see the [[Easy Windows Guide|https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide]].

=== Linux (most distros) ===

Install the package `openvpn` using your favourite package manager. If you want to use NetworkManager integration, install `network-manager-openvpn` as well.

Some examples:

Debian: `apt-get install openvpn network-manager-openvpn`

Arch: `pacman -S openvpn networkmanager-openvpn`

If you use NetworkManager, you can select the option to import saved VPN configurations when adding a connection in the "Network Connections" interface.

If you want to use systemctl, place the file in `/etc/openvpn/client/` and run `systemctl start openvpn-client@<config-file-name>.service` to connect.

= IPsec (strongswan) =

== Connecting to the VPN ==

=== Windows 7 ===
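Review bot: the generation command in this hunk (`USER="<username>"; ssh root@murasoi "/etc/openvpn/server/uccvpn/client-gen-conf.sh $USER" > openvpn-config-$USER.conf`) redirects into a file that, as the same hunk says two lines later, holds the client certificate and private key, yet the file is created with whatever umask the caller has, and the command reassigns `USER`, which the login shell already uses for the caller's own account name. Suggest a dedicated variable and a restrictive umask scoped to that one command, e.g. `(umask 077; VPNUSER="<username>"; ssh root@murasoi "/etc/openvpn/server/uccvpn/client-gen-conf.sh $VPNUSER" > openvpn-config-$VPNUSER.conf)`, plus a sentence saying the file is a credential to be handed over and stored like an SSH private key rather than mailed around.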
Line 13: Line 51:
== Android == === Android ===
Line 37: Line 75:
== iPhone / iPad == === iPhone / iPad ===
Line 39: Line 77:
 * Someone who hates freedom to fill in. Should work with the pure IPsec option (where you get the Cisco logo).  * Technically could work with a deployed profile
 * Only problem is that the profile has to contain the user name, thapple.
 * If anyone really cares you can make a script that does it, ask zanchey@ for a sample
 * Might be better in OS 9
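Review bot: the iPhone / iPad bullets in this hunk name the approach (a deployed profile with the user name embedded) but give no step a reader can follow, and `ask zanchey@ for a sample` keeps the procedure off the page; suggest either listing the profile fields used or marking the section as untested. The bullet `the profile has to contain the user name, thapple.` also has a stray word after the comma that should be fixed or explained.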
Line 41: Line 82:
== OS X == === OS X ===
Line 43: Line 84:
 * Who knows  * Works in Mac OS X System 10.11
Line 45: Line 86:
== Linux ==  1. Go into Sys Prefs -> Network
 1. Click +, Interface: VPN, VPN Type: IKEv2, Service Name: UCC or whatever, Click Create
 1. Server address: secure.ucc.asn.au, Remote ID: secure.ucc.asn.au, Local ID: your username or something personal
 1. Click Apply.
 1. Click Connect and it should work.
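Review bot: the `Remote ID: secure.ucc.asn.au` field in the OS X steps is a security check, not a label: macOS compares it with the identity in the server's certificate, so it has to match the certificate, while `Service Name` and `Local ID` are free-form. A short clause saying so would stop readers from treating all three as `or whatever`.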
Line 47: Line 92:
 * There is a strongSwan plugin for NetworkMangler. I haven't been able to get it to work.
Line 49: Line 93:
= Technical bits = === Linux ===


 * There is a strongSwan plugin for NetworkMangler. --(I haven't been able to get it to work.)--


=== Arch ===
==== Installation ====
To get strongSwan working on Arch with networkManager requires building strongSwan from source. The easiest way to do this is by installing the following AUR packages: [[https://aur.archlinux.org/packages/strongswan/|strongswan]], [[https://aur.archlinux.org/packages/networkmanager-strongswan/|networkmanager-strongswan]]. For help with installing aur packages check the [[https://wiki.archlinux.org/index.php/Arch_User_Repository|AUR instructions on the arch wiki]].

When installing strongSwan you will need to make some changes to the PKGBUILD of strongswan package as networkManager support is not enabled by default.
In the PKGBUILD you will find the "depends" and "makedepends" lined and add {{{'libnm-glib'}}} to the end of both lines so that it looks like this:
{{{
depends=('curl' 'gmp' 'iproute2' 'openssl' 'sqlite' 'libcap' 'libsystemd' 'pam' 'libnm-glib')
makedepends=('curl' 'gmp' 'iproute2' 'openssl' 'sqlite' 'libcap' 'libsystemd' 'systemd' 'pam' 'libnm-glib')
}}}
You then need to edit the {{{build()}}} section of the PKGBUILD by appending the {{{--enable-nm}}} option so that the section looks like this:
{{{
 build() {
  cd "${srcdir}/${pkgname}-${pkgver}"

  ./configure --prefix=/usr \
        --sbindir=/usr/bin \
        --sysconfdir=/etc \
        --libexecdir=/usr/lib \
        --with-ipsecdir=/usr/lib/strongswan \
        --enable-sqlite \
        --enable-openssl --enable-curl \
        --enable-sql --enable-attr-sql \
        --enable-farp --enable-dhcp \
        --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym \
        --enable-eap-simaka-reauth --enable-eap-identity --enable-eap-md5 \
        --enable-eap-gtc --enable-eap-aka --enable-eap-aka-3gpp2 \
        --enable-eap-mschapv2 --enable-eap-radius --enable-xauth-eap \
        --enable-ha --enable-vici --enable-swanctl --enable-systemd --enable-ext-auth \
        --disable-mysql --disable-ldap --enable-cmd --enable-forecast --enable-connmark \
        --enable-aesni --enable-eap-ttls --enable-radattr --enable-xauth-pam --enable-xauth-noauth \
        --enable-eap-dynamic --enable-eap-peap --enable-eap-tls --enable-chapoly --enable-unity \
        --with-capabilities=libcap --enable-newhope --enable-ntru --enable-mgf1 --enable-sha3 \
        --enable-bliss \
        --enable-nm # <-- this line added to enable networkManager support
# --enable-ruby-gems --enable-python-eggs
  make
}
}}}
At this point you should be able to continue installing the package as per usual and then install networkmanager-strongswan.

==== Configuration ====
 * Use networkManager to create a new "IPsec/IKEv2 (strongswan)" connection
 * Authentication is "EAP"
 * Gateway address is `secure.ucc.asn.au`
 * Certificate - Select "COMODO_RSA_Certification_Authority.pem" (navigate to /etc/ssl/certs)
 * Username and password are your UCC username and password
 * Select the "request an inner IP address" option
 * Save the profile
 * connect to the profile using networkManager

== Technical bits ==
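Review bot: the `Certificate - Select "COMODO_RSA_Certification_Authority.pem"` step in the Configuration list pins the profile to one issuing CA without saying why; if the secure.ucc.asn.au certificate is later reissued under a different chain, the profile fails with a trust error and nothing on the page points back at this step. Suggest one sentence stating that this must be the CA that issued the current server certificate and that it changes together with it.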

Connecting to the UCC VPN allows you access to internal resources that are normally firewalled off.

There are two currently working VPN methods - OpenVPN and the IPsec VPN. The old PPTP VPN is deprecated.

The IPsec VPN is the easiest to use on Windows and is authenticated using your UCC username and password, however since [FVP] was not able to get it working by following the instructions below, he went and set up OpenVPN as well.

OpenVPN

To connect to the UCC OpenVPN server, you will need to ask a wheel member to generate a client configuration with valid certificates.

This can be done by running `USER="<username>"; ssh root@murasoi "/etc/openvpn/server/uccvpn/client-gen-conf.sh $USER" > openvpn-config-$USER.conf`.

The resulting config file contains all the necessary information to connect to the VPN. Note: client certificates and corresponding private keys are stored in the file. Keep it safe.
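Because the generated file carries the client's private key inline, the first thing a recipient should do is check how it is stored and what it verifies. The following is an added example (not the wiki's or UCC's code, and not the output of client-gen-conf.sh): a small parser for the inline `<ca>`/`<cert>`/`<key>` style of OpenVPN client config, an audit that reports a readable-by-others file mode and a missing server verification directive, and a fix that locks the file down. The sample config, its host name and its certificate bodies are constructed placeholders.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed sample client config in the inline-certificate style that
# OpenVPN client-config generators commonly emit. The certificate and key
# bodies are placeholders, not real key material, and the host is made up.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
remote-cert-tls server
cipher AES-256-GCM
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERTIFICATE
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERTIFICATE
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-PRIVATE-KEY
-----END PRIVATE KEY-----
</key>
"""

INLINE_OPEN = re.compile(r"^<([\w-]+)>$")

# Directives that make the client check who it is talking to. Without one of
# these, the client completes a TLS handshake with any server that holds a
# certificate from the embedded CA.
SERVER_VERIFY_DIRECTIVES = {"remote-cert-tls", "verify-x509-name", "peer-fingerprint"}


def parse_client_config(text):
    """Split an OpenVPN client config into directives and inline blocks.

    Returns (directives, blocks): directives is a list of token lists, one per
    non-comment line outside any block; blocks maps a tag such as ca, cert,
    key or tls-auth to the text between <tag> and </tag>.
    """
    directives, blocks = [], {}
    current, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:
            if line == f"</{current}>":
                blocks[current] = "\n".join(body)
                current, body = None, []
            else:
                body.append(line)
            continue
        m = INLINE_OPEN.match(line)
        if m:
            current = m.group(1)
            continue
        if not line or line.startswith(("#", ";")):
            continue
        directives.append(line.split())
    if current is not None:
        raise ValueError(f"unterminated <{current}> block")
    return directives, blocks


def audit_client_config(path):
    """Return a list of findings (strings) for the client config at `path`."""
    p = Path(path)
    directives, blocks = parse_client_config(p.read_text())
    names = {d[0] for d in directives}
    findings = []
    # An embedded <key> block makes the config file itself the secret.
    if "key" in blocks:
        mode = stat.S_IMODE(p.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"embedded private key but file mode is {mode:04o}, expected 0600")
    if not names & SERVER_VERIFY_DIRECTIVES:
        findings.append("no server verification directive (remote-cert-tls / verify-x509-name)")
    if "ca" not in blocks and "ca" not in names and "peer-fingerprint" not in names:
        findings.append("no CA configured, the server certificate cannot be validated")
    return findings


def lock_down(path):
    """Restrict the config file to its owner, as you would an SSH private key."""
    os.chmod(path, 0o600)


def demo():
    """Write the sample with a permissive mode, audit it, fix it, audit again."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_CONFIG)
    os.chmod(path, 0o644)  # what a shell redirect produces under the usual umask 022
    try:
        before = audit_client_config(path)
        lock_down(path)
        after = audit_client_config(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before or "clean")
    print("after: ", after or "clean")
```

Run it against a real generated file with `audit_client_config("openvpn-config-<username>.conf")`; the mode check is the one that matters right after the `>` redirect shown above, and the verification check tells you whether the profile would accept any certificate the embedded CA has ever signed.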

Installation

Windows

Download the OpenVPN "Community" installer from the OpenVPN community download page: https://openvpn.net/index.php/download/community-downloads.html

You should be able to find OpenVPN GUI in the start menu somewhere. Run it.

Place any configuration files in `C:\Program Files\OpenVPN\config\` or `C:\Program Files (x86)\OpenVPN\config\`. A submenu should then appear in the context menu of the OpenVPN GUI taskbar icon, which lets you connect to and disconnect from the VPN.

For more information, see the Easy Windows Guide on the OpenVPN community wiki: https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide

Linux (most distros)

Install the package `openvpn` using your favourite package manager. If you want to use NetworkManager integration, install `network-manager-openvpn` as well.

Some examples:

Debian: `apt-get install openvpn network-manager-openvpn`

Arch: `pacman -S openvpn networkmanager-openvpn`

If you use NetworkManager, you can select the option to import saved VPN configurations when adding a connection in the "Network Connections" interface.

If you want to use systemctl, place the file in `/etc/openvpn/client/` and run `systemctl start openvpn-client@<config-file-name>.service` to connect.

IPsec (strongswan)

Connecting to the VPN

Windows 7

Follow the directions from the strongSwan wiki.

  • Use secure.ucc.asn.au as the Internet address

  • No need to set any advanced settings (if you do, you want IKEv2 and authentication via EAP-MSCHAPv2).

Android

Option 1 - preferred:

  • Install the strongSwan VPN client.

  • Start the newly-installed application.
  • Add VPN Profile.
  • Profile name is "UCC".
  • Gateway is secure.ucc.asn.au.

  • Type is the default "IKEv2 EAP (Username/password)"
  • Username and password are your UCC credentials.
  • Leave "CA certificate: Select automatically" checked.
  • Save the profile.

When you connect you will get a big warning about using a third-party VPN application; this is expected.

Option 2 - less preferred, as there is no mutual authentication (I think), which makes the connection much easier to MITM.

  • Create a new VPN connection (Settings - More - VPN)
  • Name is "UCC"
  • Type is "IPsec Hybrid RSA"
  • Server address is secure.ucc.asn.au

  • IPsec CA certificate - leave as "don't verify" (WTF Android, you have to manually install a CA and you can't use a system one, this is a total pain)
  • IPsec server certificate - leave as "received from server"
  • Save the profile
  • Connect using your UCC username and password.

iPhone / iPad

  • Technically could work with a deployed profile
  • Only problem is that the profile has to contain the user name, thapple.
  • If anyone really cares you can make a script that does it, ask zanchey@ for a sample
  • Might be better in OS 9

OS X

  • Works in Mac OS X System 10.11
  • Go into Sys Prefs -> Network

  • Click +, Interface: VPN, VPN Type: IKEv2, Service Name: UCC or whatever, Click Create
  • Server address: secure.ucc.asn.au, Remote ID: secure.ucc.asn.au, Local ID: your username or something personal
  • Click Apply.
  • Click Connect and it should work.

Linux

  • There is a strongSwan plugin for NetworkMangler. I haven't been able to get it to work.

Arch

Installation

Getting strongSwan working on Arch with NetworkManager requires building strongSwan from source. The easiest way to do this is to install the following AUR packages: strongswan (https://aur.archlinux.org/packages/strongswan/) and networkmanager-strongswan (https://aur.archlinux.org/packages/networkmanager-strongswan/). For help with installing AUR packages, check the AUR instructions on the Arch wiki: https://wiki.archlinux.org/index.php/Arch_User_Repository

When installing strongSwan you will need to make some changes to the PKGBUILD of the strongswan package, as NetworkManager support is not enabled by default. In the PKGBUILD, find the "depends" and "makedepends" lines and add 'libnm-glib' to the end of both so that they look like this:

depends=('curl' 'gmp' 'iproute2' 'openssl' 'sqlite' 'libcap' 'libsystemd' 'pam' 'libnm-glib')
makedepends=('curl' 'gmp' 'iproute2' 'openssl' 'sqlite' 'libcap' 'libsystemd' 'systemd' 'pam' 'libnm-glib')

You then need to edit the build() section of the PKGBUILD by appending the --enable-nm option so that the section looks like this:

build() {
  cd "${srcdir}/${pkgname}-${pkgver}"

  ./configure --prefix=/usr \
        --sbindir=/usr/bin \
        --sysconfdir=/etc \
        --libexecdir=/usr/lib \
        --with-ipsecdir=/usr/lib/strongswan \
        --enable-sqlite \
        --enable-openssl --enable-curl \
        --enable-sql --enable-attr-sql \
        --enable-farp --enable-dhcp \
        --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym \
        --enable-eap-simaka-reauth --enable-eap-identity --enable-eap-md5 \
        --enable-eap-gtc --enable-eap-aka --enable-eap-aka-3gpp2 \
        --enable-eap-mschapv2 --enable-eap-radius --enable-xauth-eap \
        --enable-ha --enable-vici --enable-swanctl --enable-systemd --enable-ext-auth \
        --disable-mysql --disable-ldap --enable-cmd --enable-forecast --enable-connmark \
        --enable-aesni --enable-eap-ttls --enable-radattr --enable-xauth-pam --enable-xauth-noauth \
        --enable-eap-dynamic --enable-eap-peap --enable-eap-tls --enable-chapoly --enable-unity \
        --with-capabilities=libcap --enable-newhope --enable-ntru --enable-mgf1 --enable-sha3 \
        --enable-bliss \
        --enable-nm  # <-- this line added to enable networkManager support
#       --enable-ruby-gems --enable-python-eggs
  make
}

At this point you should be able to continue installing the package as per usual and then install networkmanager-strongswan.
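The two PKGBUILD edits above (append `'libnm-glib'` to both dependency arrays, append `--enable-nm` to the `./configure` call in `build()`) are easy to get wrong by hand when the configure invocation is thirty continuation lines long, and a rebuild after a package update means doing them again. The following is an added example, not part of the wiki or of the AUR package, that applies both edits to PKGBUILD text and is a no-op when they are already present. It assumes the shape shown on this page: single-line `depends=(...)`/`makedepends=(...)` arrays and a `./configure` command inside `build()` joined with trailing backslashes. The cut-down sample PKGBUILD is constructed for the demo.

```python
import re

# Constructed, cut-down PKGBUILD standing in for the AUR strongswan package;
# the real one has far more configure flags but the same shape.
SAMPLE_PKGBUILD = """\
pkgname=strongswan
pkgver=5.6.2
depends=('curl' 'gmp' 'openssl')
makedepends=('curl' 'gmp' 'openssl' 'systemd')

build() {
  cd "${srcdir}/${pkgname}-${pkgver}"

  ./configure --prefix=/usr \\
        --enable-openssl --enable-curl \\
        --enable-bliss
  make
}
"""

ARRAY_LINE = re.compile(r"^(depends|makedepends)=\((.*)\)\s*$")


def _code_part(line):
    """Drop a trailing shell comment so '# ...' never counts as an argument."""
    return line.partition("#")[0].rstrip()


def _add_dependency(lines, dep):
    out = []
    for line in lines:
        m = ARRAY_LINE.match(line)
        if m:
            name, items = m.groups()
            if f"'{dep}'" not in items.split():
                items = f"{items} '{dep}'".strip()
            line = f"{name}=({items})"
        out.append(line)
    return out


def _add_configure_flag(lines, flag):
    lines = list(lines)
    in_build, start = False, None
    for i, line in enumerate(lines):
        s = line.strip()
        if not in_build:
            in_build = bool(re.match(r"^build\s*\(\)\s*\{", s))
            continue
        if s == "}":
            break
        if s.startswith("./configure"):
            start = i
            break
    if start is None:
        raise ValueError("no ./configure call found inside build()")
    # Follow the backslash continuations to the last line of the command.
    end = start
    while end + 1 < len(lines) and _code_part(lines[end]).endswith("\\"):
        end += 1
    tokens = set()
    for line in lines[start:end + 1]:
        tokens.update(_code_part(line).split())
    if flag in tokens:
        return lines  # already enabled: running again must be a no-op
    if end == start:
        # Single-line configure: append the flag, keeping any comment after it.
        code, _, comment = lines[start].partition("#")
        lines[start] = f"{code.rstrip()} {flag}" + (f"  #{comment}" if comment else "")
    else:
        # Insert before the final argument line so that line needs no edit.
        indent = lines[end][: len(lines[end]) - len(lines[end].lstrip())]
        lines.insert(end, f"{indent}{flag} \\")
    return lines


def enable_networkmanager(pkgbuild, dep="libnm-glib", flag="--enable-nm"):
    """Return the PKGBUILD text with `dep` in both dependency arrays and `flag`
    passed to ./configure inside build(). Idempotent."""
    lines = pkgbuild.splitlines()
    lines = _add_dependency(lines, dep)
    lines = _add_configure_flag(lines, flag)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(enable_networkmanager(SAMPLE_PKGBUILD), end="")
```

Feed it the real PKGBUILD (`enable_networkmanager(open("PKGBUILD").read())`) and diff the result before running makepkg; the flag is inserted ahead of the last argument rather than after it so that an existing trailing comment, like the one in the excerpt above, is left intact.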

Configuration

  • Use NetworkManager to create a new "IPsec/IKEv2 (strongswan)" connection
  • Authentication is "EAP"
  • Gateway address is secure.ucc.asn.au

  • Certificate - Select "COMODO_RSA_Certification_Authority.pem" (navigate to /etc/ssl/certs)
  • Username and password are your UCC username and password
  • Select the "request an inner IP address" option
  • Save the profile
  • Connect to the profile using NetworkManager

Technical bits

IKE/IPsec setup is done by strongSwan on Murasoi. There are similar setups for IKEv1 (Android, iOS) and IKEv2 (Windows). Most of the difficulty is in getting the certificates right; see http://serverfault.com/questions/536092/strongswan-ikev2-windows-7-agile-vpn-what-is-causing-error-13801

The XAuth/EAP authentication (IKEv1 and v2 respectively) is passed to the RADIUS server, which also handles accounting. `select username, sum(acctinputoctets), sum(acctoutputoctets) from radacct where nasporttype='Virtual' group by username;` will give you a nice per-user sum of traffic over the VPN.
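To show what that accounting query actually returns, here is an added example (not the wiki's or UCC's code) that runs it against a constructed slice of the FreeRADIUS `radacct` table in an in-memory SQLite database. The schema is an assumed cut-down version with the column names FreeRADIUS uses; the sessions are made up. It also adds two things the one-liner does not give you: the open sessions that are still contributing to the totals, and a simple per-user volume threshold.

```python
import sqlite3

# Assumed minimal slice of the FreeRADIUS radacct table (real one has many
# more columns); column names are the ones FreeRADIUS creates.
RADACCT_SCHEMA = """
CREATE TABLE radacct (
    radacctid        INTEGER PRIMARY KEY,
    username         TEXT NOT NULL,
    nasporttype      TEXT,
    acctstarttime    TEXT,
    acctstoptime     TEXT,
    acctinputoctets  INTEGER NOT NULL DEFAULT 0,
    acctoutputoctets INTEGER NOT NULL DEFAULT 0
);
"""

# Constructed accounting records. VPN sessions carry NAS-Port-Type 'Virtual';
# the wireless row shows what the WHERE clause filters out.
SAMPLE_ROWS = [
    ("alice", "Virtual",         "2018-05-01 10:00:00", "2018-05-01 11:00:00", 1_000_000, 5_000_000),
    ("alice", "Virtual",         "2018-05-02 10:00:00", "2018-05-02 11:30:00",   250_000,   750_000),
    ("bob",   "Virtual",         "2018-05-03 09:00:00", None,                      40_000,    90_000),
    ("bob",   "Wireless-802.11", "2018-05-03 09:05:00", "2018-05-03 17:00:00", 9_000_000, 9_000_000),
    ("carol", "Virtual",         "2018-05-04 20:00:00", "2018-05-04 20:10:00",       100,       200),
]

# The page's query, with column aliases and a stable ordering added.
TRAFFIC_QUERY = """
SELECT username,
       SUM(acctinputoctets)  AS in_octets,
       SUM(acctoutputoctets) AS out_octets
FROM radacct
WHERE nasporttype = 'Virtual'
GROUP BY username
ORDER BY username
"""

# Sessions with no stop record yet: interim updates keep their octet counters
# moving, so they are already part of the totals above.
OPEN_SESSIONS_QUERY = """
SELECT username, acctstarttime
FROM radacct
WHERE nasporttype = 'Virtual' AND acctstoptime IS NULL
ORDER BY acctstarttime
"""


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(RADACCT_SCHEMA)
    conn.executemany(
        "INSERT INTO radacct (username, nasporttype, acctstarttime, acctstoptime,"
        " acctinputoctets, acctoutputoctets) VALUES (?, ?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def vpn_traffic_by_user(conn):
    """Per-user VPN byte totals as (username, in_octets, out_octets) tuples."""
    return [tuple(row) for row in conn.execute(TRAFFIC_QUERY)]


def open_vpn_sessions(conn):
    """(username, start time) for VPN sessions that have not stopped."""
    return [tuple(row) for row in conn.execute(OPEN_SESSIONS_QUERY)]


def users_over(conn, limit_bytes):
    """Usernames whose combined in+out VPN traffic exceeds limit_bytes."""
    return [u for u, i, o in vpn_traffic_by_user(conn) if i + o > limit_bytes]


def human(n):
    """Render a byte count with a binary unit for the report."""
    for unit in ("B", "KiB", "MiB", "GiB"):
        if n < 1024 or unit == "GiB":
            return f"{n} B" if unit == "B" else f"{n:.1f} {unit}"
        n /= 1024


if __name__ == "__main__":
    db = build_sample_db()
    for user, i, o in vpn_traffic_by_user(db):
        print(f"{user:8} in={human(i):>10} out={human(o):>10}")
    print("open sessions:", open_vpn_sessions(db))
    print("over 1 MiB total:", users_over(db, 1024 * 1024))
```

Against a real FreeRADIUS database, swap `build_sample_db()` for a connection to the accounting database; the three query strings are standard SQL and run unchanged on MySQL.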

Clients get an IPv4 and an IPv6 address from the ranges listed in Network.