OpenVPN creates an encrypted virtual private network, often called a tunnel, between two points on the internet. The traffic is protected with keys that are easy to generate; no communication is immune to eavesdropping, but an eavesdropper who captures the encrypted packets gains very little useful information from them.
Reaching a specific machine that sits behind a firewall or a NAT device from the outside is difficult: the outward-facing router and firewall must be configured to allow the connection, and every device doing NAT along the way must also be told to forward the port.
A conversation started from inside the network, on the other hand, traverses NAT and firewalls easily. The trick is to run a process on the school server that opens a connection to an external OpenVPN server (in our case one we set up on Amazon EC2, Elastic Compute Cloud, see http://aws.amazon.com/ec2/) and to keep that connection alive continuously.
Whenever access to a school server is needed, the administrator makes a second VPN connection to the Amazon server, and that server routes between the two tunnels (the administrator and the school server are both clients of the same OpenVPN server, which forwards traffic between them).
Amazon offers a free year of a "micro" sized cloud server, after which the cost at the time of writing is $128.12 per year (see http://aws.amazon.com/ec2/pricing/). The price has been falling quickly as Amazon faces competition from other providers.
Setting up VPN access to the school servers consists of several steps:
- Obtain a cloud server instance (our deployment used Amazon; get started at http://aws.amazon.com/).
- Load the OpenVPN Access Server software on your instance (Amazon already has ready-made disk images, described at http://openvpn.net/index.php/access-server/docs/admin-guides/499-openvpn-access-server-ami.html).
- During the setup of the instance, create an SSH key pair and download the private key (a .pem file) to a convenient place on your own machine. This key is the only credential for logging in to the instance, so keep it private and make it readable by you alone (chmod 400 on the file); ssh refuses to use a key with looser permissions.
- Then log on to your newly running instance with "ssh -i <path to the private key you downloaded> ubuntu@<IP address or public DNS name of your new instance>".
- If all goes well and you have followed the instructions, you will be able to browse to the web interface of your new OpenVPN Access Server instance and log on as described.
- When I tried it, it didn't let me in, so I connected via ssh to do the text-mode setup. The manual is very helpful: http://openvpn.net/images/pdf/OpenVPN_Access_Server_Sysadmin_Guide_Rev.pdf
- Once you have access to the administrative web interface of your instance, it is time to create users. Administrators and school servers are both users, but the school servers must be assigned fixed (static) VPN IP addresses so that you always know where to reach them. To download the configuration file for a school server you also need to give that user a password, sign in to the instance's client web interface as that user, and download the automatically generated OpenVPN configuration file. It is always named "client.ovpn", so rename it immediately to the identity of the user or school. For an unattended school server the profile must be an autologin profile (Access Server lets you allow autologin per user); a user-locked profile prompts for a password every time the tunnel starts and would stall a boot script.
- If OpenVPN is not yet installed on the school server, install it now (yum install openvpn).
- I used sneaker-net (a USB stick) to move the downloaded .ovpn file to the school server (reminder: on xs-0.7 a USB stick is automatically mounted at /media/usb<number>, in my experience usually 0).
- I like to keep all the config files in the proper folder under /etc. When you install OpenVPN an empty folder appears at /etc/openvpn, so I put the xxxx.ovpn file there. The file embeds the school server's private key and certificate, so it should be owned by root and readable by root only (chmod 600); anyone who copies it can join the VPN as that school server.
- Test the new client: "openvpn --config /etc/openvpn/<username>.ovpn". For me this worked every time (unusual in sysadmin work).
- Now include the following line in /etc/rc.d/rc.local: "openvpn --config /etc/openvpn/<username>.ovpn &" (the "&" puts the openvpn program in the background, so that any additional lines someone might put in rc.local are still executed). OpenVPN's own --daemon option does the same job and additionally detaches from the console and logs through syslog, which is preferable on a server that boots unattended.
- As an additional guarantee of school server accessibility, I created a script that hourly checks for connectivity to the Amazon server and reopens the VPN tunnel if it is closed. (include that script here)
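The watchdog the last step refers to is not reproduced on this page. The script below is an added example written for this edit, not the author's script, showing one way to do what that step describes. Everything in it is an assumption to adjust for your deployment: the profile name /etc/openvpn/school.ovpn, the tunnel-side address of the Access Server (172.27.224.1 is the default for Access Server's dynamic pool; confirm with "ip route" once the tunnel is up, since the server hands out its own tunnel address as your gateway), and the pid and log file locations. It also covers the case a plain "is openvpn running?" check misses: the process is alive but the tunnel is dead, for example after the school's uplink dropped and came back.

```shell
#!/bin/bash
# Added example (not the page author's script): hourly watchdog for the school
# server's persistent OpenVPN client. Paths and addresses below are assumptions.
OVPN_CONF="${OVPN_CONF:-/etc/openvpn/school.ovpn}"   # assumed profile name
VPN_PEER="${VPN_PEER:-172.27.224.1}"                 # assumed Access Server tunnel address
PIDFILE="${PIDFILE:-/var/run/openvpn-school.pid}"    # assumed pid file
LOGFILE="${LOGFILE:-/var/log/openvpn-watchdog.log}"  # assumed log file

log() { echo "$(date '+%F %T') $*" >> "$LOGFILE"; }

# Returns 0 if an ICMP echo crosses the tunnel to the server, non-zero otherwise.
probe_tunnel() { ping -c 2 -W 3 "$VPN_PEER" >/dev/null 2>&1; }

# Returns 0 if the pid file names a live process, non-zero otherwise.
client_alive() {
    [ -r "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Pure decision step: probe status and process status -> keep | restart | start.
# "restart" is the failure mode a process-only check misses: openvpn is still
# running but no traffic crosses the tunnel, so it must be killed and relaunched.
decide_action() {
    probe_rc=$1
    alive_rc=$2
    if [ "$probe_rc" -eq 0 ]; then
        echo keep
    elif [ "$alive_rc" -eq 0 ]; then
        echo restart
    else
        echo start
    fi
}

start_client() {
    # --daemon detaches cleanly (no "&" needed); --writepid lets the next run find us.
    openvpn --daemon --writepid "$PIDFILE" --config "$OVPN_CONF" \
        && log "started openvpn with $OVPN_CONF"
}

stop_client() {
    if client_alive; then
        kill "$(cat "$PIDFILE")" && sleep 2
    fi
    rm -f "$PIDFILE"
}

# One watchdog pass; prints the action taken so a cron mail or log shows it.
run_once() {
    if probe_tunnel; then probe_rc=0; else probe_rc=1; fi
    if client_alive; then alive_rc=0; else alive_rc=1; fi
    action=$(decide_action "$probe_rc" "$alive_rc")
    case "$action" in
        keep)    ;;
        restart) log "tunnel down but client alive, restarting"; stop_client; start_client ;;
        start)   log "no client running, starting"; start_client ;;
    esac
    echo "$action"
}

# Run a pass only when invoked with "run": from cron
#   0 * * * * /usr/local/sbin/vpn-watchdog.sh run
# and from /etc/rc.d/rc.local at boot (replacing the bare openvpn line there).
# With no argument the script just defines its functions.
case "${1:-}" in
    run) run_once ;;
esac
```

Calling the same script from rc.local and from cron means there is a single place that knows how the tunnel is started, and the "start" branch at boot is the same code path the hourly check falls back to when the process has died.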