User Instructions for Installing a Virtual Private Network with OpenVPN
This document consists of instructions to our end users for setting up a virtual private network between a Windows computer and a Linux server running OpenVPN. The Linux host acts as a secure gateway to the intranet, which consists of a number of Windows computers and Linux machines running Samba. Both ends of the link receive virtual IP addresses. The Windows computer's IP address is NATed so the end user becomes a full-fledged member of the company's or institute's internal network.
What is a VPN
A VPN (virtual private network) is client/server software that allows you to connect securely to a remote network from anywhere, including over a modem or a broadband connection. Our VPN will allow you to browse computers on the network as if you were at work. You can drag files from your computer at work to your home PC, send email through our server, analyze data remotely, edit documents residing on your work computer, and everything else you can do at work. This lets you do work at home at night, on weekends, and on holidays as if you were in the office 24 hours a day, working continuously!
Our VPN gateway is named "endive". Once you are connected to endive, you will have complete access to our internal network. However, all your communications will be encrypted so that hackers on your remote network or on the Internet can't read any of your information. Once you are connected, all your communications with the institute's computers will be encrypted with AES, the Advanced Encryption System, which is the most secure algorithm available. Access to our network is controlled by a certificate, which is a special encryption code that is different for each user. No one else can access our VPN unless they have a valid certificate. If you lose your computer, or someone steals your certificate, please let me know and I will give you a new one.
These instructions are for Windows 2000. For Windows XP or 2003, the procedure will be slightly different. If you're using Windows ME, 98, or 95, you will have to upgrade before you can access the VPN. If you use Linux, OS X, or some other operating system, go to http://openvpn.net for software and setup details. See linuxsetup71.html for server setup instructions.
What a VPN will not do
The VPN only provides security on the link between your home computer and our network. It will not protect you against people who may have hacked into your work computer. It will not protect you against viruses or trojans. The portion of the link between the VPN server and your work computer is not encrypted. (This portion of the link is protected to some extent by our network architecture). If you have added a hub to your work computer or home computer, the VPN cannot protect you against other computers attached to that hub.
Before starting, make sure you have the following:
- A copy of openvpn-2.0.2-install.exe. This file is small enough to fit on a floppy. Download it from the server (in the temporary/vpn directory) or from http://openvpn.net .
- The floppy disk provided by Tom N. This disk contains a special configuration file and an RSA certificate and key that will identify your computer. Do not share your key or certificate with anyone. This would allow them to have complete access to your computer.
On your home computer, click on openvpn-2.0.2-install.exe and click "Next" to begin the installation. After installing, reboot your computer. OpenVPN will install itself in C:\Program Files\OpenVPN and create a directory there called "config". The Windows version of OpenVPN will only run on W2K or later. Normally, you must have administrator privileges to install or run OpenVPN (but if this is a problem, there are ways around this).
Leave your work computer turned on. No preparation is needed for your work computer. Do not install the VPN software on your work computer.
Configure the Windows client
- Copy all the files from the floppy to C:\Program Files\OpenVPN\config. There should be four files: client.ovpn, ca.crt, xyz.crt, and xyz.key (where xyz is your name).
- Open the Control Panel, select Network Connections, and right-click on the Local Area Connection icon for the new Local Area Connection (which is called a TUN/TAP adapter) and change the properties to "Enable NetBIOS over TCP/IP".
- If you're using Windows XP, you may have to manually disable the firewall for the TAP adapter. Also, check to make sure no other software like Norton Security is blocking UDP on port 1194.
Start the VPN
Before starting the VPN, install the latest Windows patches from http://windowsupdate.microsoft.com, then update your virus-checking software and perform a complete virus scan on your home computer. Once you are connected, any viruses on your home computer will be able to travel across the VPN and get on your work computer.
- Connect to the Internet through your ISP in the usual manner (for example, by clicking on "Dial-up Connection").
- Click on My Computer -> Local Disk (C:) and navigate to the C:\Program Files\OpenVPN\config folder.
- Right-click on client.ovpn and select "Start OpenVPN on this
config file". A console window will open and messages should appear
indicating glorious success, or not.
Client console window of VPN in glorious success mode.
- To stop the VPN, you can use the Task Manager or press F4 in the OpenVPN console. Pressing F2 shows connection statistics.
- Click on "My Network Places" on the client and type \\engram
in the address box. You should see a list of Windows shares.
Screen shot of the software actually working
- Now you should be able to browse the institute's network and connect to your work computer.
If you want to uninstall it, follow this procedure:
- Backup your computer just in case something goes wrong.
- Uninstall the software (My computer->Control Panel->Add/Remove Programs).
- Remove the Virtual Adapter using the Windows Device Manager.
Control Panel->Add/Remove Hardware->Uninstall/Unplug a device-> TAP-Win32 Adapter V8
- If you want to run the VPN after this step, it is necessary to reinstall OpenVPN and reboot before it will work again.
For more information
Click here for more information on OpenVPN.
If you have a home network that needs VPN access, let me know and I will give you a different config file.