SoCVPN
From Linux & Open Source @ NUS
Background
The School of Computing (SoC) uses a separate VPN system from the rest of the NUS network.
While the rest of NUS uses a Cisco VPN system (as well as the proprietary LEAP wireless authentication scheme), SoC, in its separate little network, uses OpenVPN (rebranded as SoCVPN by SoC) to allow users into its network.
This HOWTO is written with OpenVPN 2.0.9 in mind. However, the settings should work for future versions as well.
Installation
Pre-built packages
See here for prebuilt SoC VPN Packages
Manual configuration
If your Linux distribution is mirrored at http://mirror.comp.nus.edu.sg, you can just add this repository to your package manager, and install OpenVPN as usual using your package manager.
However, if your Linux distribution is not mirrored, you can download the original source code (same as the one provided by OpenVPN) from the Debian repository. The tarball should have the phrase 'orig' somewhere in the filename.
From the command-line, extract the files.
$ cd location/of/downloaded/tarball
$ tar -vzxf openvpn_2.0.9.orig.tar.gz
Installation may then be carried out as follows. If you do not have the LZO libraries, you may need to run ./configure --disable-lzo in the first step; the error messages from ./configure will tell you if this is the case:
$ cd path-to-extracted-directory
$ ./configure
$ make
$ su -c "make install"
Configuration
Two files are required to set up the VPN connection: socvpn-linux.conf and ca.crt. You can copy these and save them under those names in a directory where you can easily access them, such as /etc/openvpn.
socvpn-linux.conf
Note that the config file below has the line 'ca ca.crt' commented out, unlike the original configuration file provided by SoC. This line is not required, as the location of ca.crt is given as an option when you start OpenVPN.
#####################################################
; Client-side Configuration for Connecting to SoC-VPN
#####################################################
client
dev tap
proto tcp
remote vpn.comp.nus.edu.sg 443
remote vpn0.comp.nus.edu.sg 443
remote vpn2.comp.nus.edu.sg 443
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
#ca ca.crt
ns-cert-type server
verb 3
auth-user-pass
mssfix 1460
route-up "sleep 5; htmlview https://noc.comp.nus.edu.sg/netlogon &"
Or, download the linuxNUS customised version here
ca.crt
Download it here
Starting OpenVPN/SoCVPN
Now that you've installed OpenVPN, be it through compiling from source or through your distribution's package manager, you're ready to go!
Start a command-line terminal with root privileges (how?). Though running applications with privileged access is generally not recommended, it is necessary in this case.
# openvpn --config /etc/openvpn/socvpn-linux.conf --ca /etc/openvpn/ca.crt
OpenVPN will then prompt you for your NUSNET username and password:
Wed Jun 28 02:04:47 2006 us=962622 OpenVPN 2.0.9 i686 [SSL] [LZO] built on Jun 26 2006
Enter Auth Username:u9987654m
Enter Auth Password:
Enter your NUSNET credentials, and a stream of messages will flow past. When you are connected, the last line should read as
Wed Jun 28 02:06:54 2006 Initialization Sequence Completed
Termination
The easiest way to stop the OpenVPN connection would be to use pkill openvpn.
In fact, the method recommended by SoC is pkill -9 openvpn
OpenVPN GUI
If you are not really comfortable with the command line, you can check out the list of GUIs available for OpenVPN.
General Issues and Troubleshooting
My connection keeps breaking or resetting very frequently, every 4 minutes or so.
The last line of socvpn-linux.conf is extremely important. For some reason, you must visit the page opened by that line in order for the server to recognise your connection. Omitting this line, or otherwise not visiting that page, will result in a connection that resets exactly every 4 minutes, which, as you can guess, can be very irritating. The problem is that the socvpn-linux.conf configuration file given by SoC requires htmlview, which is only included with RedHat or its derivative Fedora. So if you're using any other distribution, you're out of luck.
One solution is, of course, to change htmlview to the name of your favourite browser, such as Firefox. This will launch the page in whatever browser you specify.
Another (less resource-intensive) alternative would be to pull the page from the server using the ever-useful cURL, and redirect its output to /dev/null. Et voilà! No more pesky pop-up page.
To do this, change the last line of socvpn-linux.conf to:
route-up "sleep 5; curl https://noc.comp.nus.edu.sg/netlogon 1>/dev/null 2>&1 &"
I do not see the message Initialization Sequence Completed at the end
- You might not have started OpenVPN with privileged access. See "Why do I need to run OpenVPN with root access?" below.
- You might not have connected to your network properly. As root, bring down your network and reconnect again.
# /sbin/ifconfig eth0 down
Reconnect again using one of these commands
# /sbin/dhclient eth0
# /sbin/pump -i eth0
# /sbin/dhcpcd eth0
- You have not accessed the SoC NOC logon page. See "My connection keeps breaking or resetting very frequently, every 4 minutes or so." above.
Why do I need to run OpenVPN with root access?
OpenVPN requires the Linux kernel TUN driver as a device interface. It also needs to set the routing tables. As such, it needs root privileges.
I can't access the Internet, how am I going to install OpenVPN?
Ask SoC Helpdesk.
Okay, it can be found in the Debian repository in SoC mirror. The file name should have a phrase 'orig' somewhere.
But seriously, ask SoC Helpdesk to make them link to it. Their email is helpdesk (at) comp.nus.edu.sg.
I do not wish to type in my password every single time.
Compile OpenVPN with --enable-password-save during ./configure.
How do I write a script to reconnect automatically?
First, you need to compile OpenVPN with the option --enable-password-save. See "I do not wish to type in my password every single time." above.
Next, create a text file containing your NUSNET credentials. Save it in /etc/openvpn/socvpn-linux.password. The first line is your username, the second is your password. These are the only 2 lines allowed in the file.
/etc/openvpn/socvpn-linux.password
u9987654m
myNUSNETpassword
Change the permissions such that only root can access the file.
# su root
password:
# chown root:root /etc/openvpn/socvpn-linux.password
# chmod 0600 /etc/openvpn/socvpn-linux.password
# exit
Run this script (with root access) when you want to login to SoC.
/root/startopenvpn
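#!/bin/bash
# Keep the SoCVPN connection up: restart OpenVPN whenever it is not running.
while true ; do
    if ! pgrep openvpn 1> /dev/null ; then
        # Runs in the foreground and returns only when the connection ends.
        /usr/local/sbin/openvpn --config /etc/openvpn/socvpn-linux.conf --ca /etc/openvpn/ca.crt --auth-user-pass /etc/openvpn/socvpn-linux.password
    fi
    # Pause between checks so the loop does not spin the CPU.
    sleep 5
done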
Disconnect using this script
/root/stopopenvpn
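#!/bin/bash
# Stop the reconnect loop first so that it cannot restart OpenVPN.
pkill -9 startopenvpn
pkill -9 openvpn
# Try once more in case an instance is still running.
if pgrep openvpn 1> /dev/null ; then
    pkill -9 openvpn
fi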
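The permission step above can be enforced before the start script hands the credentials file to OpenVPN. The following is an added example, not part of the original HOWTO or of SoC's files: a hypothetical check_cred_file function that rejects the file unless it is owned by root, has mode 0600, sits in a directory others cannot write to, and holds exactly two lines. It assumes GNU stat.

```bash
#!/bin/bash
# Added example: preflight check for the OpenVPN credentials file.
# Usage: check_cred_file PATH [OWNER_UID]   (OWNER_UID defaults to 0, root)
# Returns 0 only if PATH is a regular file (not a symlink) owned by OWNER_UID
# with mode 0600, sits in a directory that group/others cannot write to,
# and holds exactly two non-empty lines (username, then password).
check_cred_file() {
    local path want_uid mode uid dirmode lines
    path=$1
    want_uid=${2:-0}

    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "$path: not a regular file" >&2; return 1
    fi

    # GNU stat: %a = permission bits in octal, %u = numeric owner uid
    mode=$(stat -c '%a' -- "$path") || return 1
    uid=$(stat -c '%u' -- "$path") || return 1
    dirmode=$(stat -c '%a' -- "$(dirname -- "$path")") || return 1

    if [ "$uid" != "$want_uid" ]; then
        echo "$path: owned by uid $uid, expected $want_uid" >&2; return 1
    fi
    if [ "$mode" != "600" ]; then
        echo "$path: mode is $mode, expected 600" >&2; return 1
    fi
    # A writable parent directory lets another user swap the file out.
    case "$dirmode" in
        *[2367]?|*[2367])
            echo "$path: parent directory is group/world-writable" >&2; return 1 ;;
    esac

    # grep -c '' counts lines even when the last one lacks a newline.
    lines=$(grep -c '' -- "$path" || true)
    if [ "$lines" -ne 2 ] || grep -q '^$' -- "$path"; then
        echo "$path: must hold exactly two non-empty lines" >&2; return 1
    fi
    return 0
}
```

In /root/startopenvpn, a call such as check_cred_file /etc/openvpn/socvpn-linux.password || exit 1 placed before the while loop stops the script from using a file that other users could read or replace.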
How can I auto login using NetworkManager?
Add the following into
/etc/NetworkManager/dispatcher.d/NUSOPEN
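#!/bin/bash
# NetworkManager dispatcher script: $1 is the interface, $2 is the action.
essid=$(/sbin/iwgetid | cut -d":" -f2 | cut -d "\"" -f2)
if [ "$2" == "up" ]; then
    # Start the VPN only when associated with the NUSOPEN network.
    if [ -n "$essid" ] && [ "$essid" == "NUSOPEN" ]; then
        sudo /usr/sbin/openvpn --config /etc/openvpn/socvpn-linux.conf --ca /etc/openvpn/ca.crt
    fi
else
    killall openvpn
fi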
Start NetworkManagerDispatcher if it is not running.
# su root
Password
# /etc/init.d/NetworkManagerDispatcher start
# exit
How can I resolve tun errors?
A temporary solution is to load the tun module:
# modprobe tun
If there are no error messages, then the module has been loaded successfully.
A permanent solution is to load the module on boot by editing the modules configuration file.
