OpenVPN
From FGVwiki
Overview
OpenVPN is an SSL-based VPN solution made by the good people at http://www.openvpn.net. We are currently using the 'free' version of OpenVPN Access Server, which allows two concurrent users to connect at any time; if we need more than 2 users, we will have to buy licenses. As it stands now, this is not needed. It is currently hosted on Hosts/camphor and assigns clients an IP in the 10.8.0.0/24 subnet.
Remote Access
You can log in to the website https://vpn.freegeekvancouver.org to see the instructions and download the files needed to connect. First download the client.ovpn file, then follow the instructions for your OS. Once connected you should be able to reach all internal services as if you were at Free Geek in the flesh.
Caveats
- When a Linux/Unix client is used with Access Server, the Access Server is unable to alter the DNS settings on the client in question.
- When using the Mac client Tunnelblick you MUST place the client.ovpn file in the folder ~/Library/openvpn. Then launch Tunnelblick, go to Details and UNCHECK "Set nameserver". If you do not do this, the VPN will NOT connect; you have been warned.
Authentication
Authentication is done by an LDAP plugin for OpenVPN and ties into our LDAP implementation.
Authorization
To authenticate to the VPN, the user must be a member of the group vpn: the OpenVPN server is configured to allow access only to clients that belong to this group. This is set via the OpenVPN admin interface; the filter used is memberOf=cn=vpn,dc=shop,dc=lan
Granting Authorization to VPN
- Logon to http://arbutus.shop.lan/phpldapadmin
- Use root password
- Expand "ou=Groups" and then click "cn=vpn"
- Click "modify group members"
- Select the member you want to grant access and click "Add Selected"
- Click Save
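An added example (not from this wiki page, OpenVPN Access Server or phpLDAPadmin) for auditing the Authorization filter above and checking that the group change just made actually takes effect: it applies the page's memberOf filter to directory entries the way the server's group check does, so you can list which accounts would be let onto the VPN. The user entries are constructed sample data standing in for what the LDAP server would return; DN handling is simplified (no escaped commas).

```python
from typing import Dict, List, Tuple

VPN_FILTER = "memberOf=cn=vpn,dc=shop,dc=lan"   # the filter quoted on the page

# Constructed sample entries (not real directory data) keyed by user DN.
SAMPLE_ENTRIES: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=People,dc=shop,dc=lan": {
        "memberOf": ["cn=vpn,dc=shop,dc=lan", "cn=staff,dc=shop,dc=lan"]},
    "uid=bob,ou=People,dc=shop,dc=lan": {
        "memberOf": ["cn=staff,dc=shop,dc=lan"]},
    # Same vpn group, but spelled with different case and spacing.
    "uid=carol,ou=People,dc=shop,dc=lan": {
        "memberOf": ["CN=VPN, DC=shop, DC=lan"]},
    # No memberOf attribute at all: must not be granted access.
    "uid=dave,ou=People,dc=shop,dc=lan": {},
}


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: attribute types and these values match
    case-insensitively, and whitespace around the RDN-separating commas is ignored.
    Simplification: does not handle escaped commas inside RDN values."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def parse_equality_filter(filt: str) -> Tuple[str, str]:
    """Split a simple 'attr=value' filter, with or without the surrounding
    parentheses, into (attribute name lower-cased, value)."""
    f = filt.strip()
    if f.startswith("(") and f.endswith(")"):
        f = f[1:-1]
    attr, sep, value = f.partition("=")   # first '=' only; the DN keeps its own
    if not sep or not attr.strip() or not value.strip():
        raise ValueError(f"unsupported filter: {filt!r}")
    return attr.strip().lower(), value.strip()


def matches_filter(entry: Dict[str, List[str]], filt: str = VPN_FILTER) -> bool:
    """True if this entry would pass the Access Server group filter."""
    attr, wanted = parse_equality_filter(filt)
    values = {k.lower(): v for k, v in entry.items()}.get(attr, [])
    return any(normalize_dn(v) == normalize_dn(wanted) for v in values)


def authorized_users(entries: Dict[str, Dict[str, List[str]]] = SAMPLE_ENTRIES,
                     filt: str = VPN_FILTER) -> List[str]:
    """Audit helper: sorted DNs of every account the filter would admit."""
    return sorted(dn for dn, entry in entries.items() if matches_filter(entry, filt))
```

Swap SAMPLE_ENTRIES for the memberOf values you pull from the directory after clicking Save to confirm the new member shows up and nobody unexpected does.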
Administration
You can access the OpenVPN administration page at https://vpn.freegeekvancouver.org/admin. It requires the root credentials.
