OpenVPN at UCLA-Mathnet
James F. Carter, UCLA-Mathnet, 2004-06-19
Revised 2005-06-03

UCLA-Mathnet has installed the OpenVPN software for virtual private networks. A VPN protects from prying eyes all information sent between your computer and the VPN terminus (vpn.math.ucla.edu) at Mathnet.

Introduction

When you connect to another computer, your packets, specifically passwords and sensitive student information, are vulnerable to these kinds of attacks:

  • If you use cable TV for your internet connection, your packets are visible to everyone on your cable segment.
  • If your computer uses wireless networking, other wireless machines within about 100 meters can see all your packets. Even if WEP encryption is used, there is a well-known exploit against it, available in the AirSnort software package (see also here).
  • An unscrupulous sysop at your Internet Service Provider may harvest passwords from traffic on a large scale.
  • The national security apparatus of various nations, operating inside or outside their national jurisdictions, may turn their attention your way.

Various methods can be used to safeguard your information by cryptography. Some services are intrinsically encrypted. For login (terminal) sessions and generic file transfer, SSH is the most convenient way to encrypt the session. On the web, HTTPS is normally used for encryption by financial and e-commerce sites. But sometimes you need to encrypt every kind of traffic, including those that have no intrinsic encryption procedure. In this situation you use a Virtual Private Network (VPN).

Further, when you use the VPN your traffic appears to come from the VPN terminus at Mathnet, so if you direct all packets down the tunnel you can use from home the online resources purchased on your behalf by the Mathematics Department or the University, that are protected by hostbased authentication. These services include the online journals of the American Mathematical Society, and the Oxford English Dictionary.

However, a VPN is not a panacea for security. You are still vulnerable to these threats:

  • The same viruses that could attack you without the VPN can attack you with it, if you execute infected mail or connect to an infected site and execute its payload.
  • A hacker or virus at either endpoint (your machine or the destination) can still steal information.
  • Thru traffic, once it leaves Mathnet, has the same protection (i.e. none) that it would have coming directly from your machine. But you do get protection on the hazardous hop over a cable or wireless link.
  • A network sniffer at Mathnet can steal information. But presumably there is enough physical and network security at the destination to keep the enemies out, most of the time.
  • Inimical packets can come at you through the tunnel, same as with your unencrypted connection to the Internet. However, Mathnet uses aggressive firewall rules plus NAT (Network Address Translation) at the server. It is unlikely that you will suffer an unsolicited attack through Mathnet. Even so, it is always a good idea for your own machine to have proper firewall rules, even if your gateway to the Internet also functions as a firewall.

Beware when taking a laptop computer into certain commonly-visited nations such as (but definitely not limited to) China and Russia: the use of cryptography within their national jurisdictions is a crime, and you may be considered to be a spy if you have cryptographic facilities, including (but not limited to) the software described herein, and also SSH, SSL and PGP. However, this software is not considered to be a "munition" under the Wassenaar Arrangement, being in the public domain.

For France, please see the Regulations Summary (in English) of the Direction centrale de la sécurité des systèmes d'information. Thanks to Mathieu Lafon for this informative link.


As of this writing, the installed version is OpenVPN-2.0beta5. The home page of the project is http://openvpn.sourceforge.net/, and pursuant to the software licenses, the source code for OpenVPN may be obtained there. This page has links to precompiled RPM's for Linux on Intel, and the Microsoft Windows® client. If you are on a different supported operating system, you will need to compile from source. Supported OS's are Linux 2.2 and above, OpenBSD 3.0 and above, FreeBSD, NetBSD, Solaris, MacOS-X (Darwin and later), and Windows 2000 and XP.

Get Your Certificate

First, make sure you have your X.509 digital certificate. The VPN terminus will only accept a certificate signed by the UCLA-Mathnet Certificate Authority. You will need to move (or copy) the certificate and its secret key to the configuration directory in a subsequent step.

The UCLA-Mathnet Certificate Authority does not talk to hackers on the global Internet. You should get your certificate when you are physically present at Mathnet. An alternative is to use SSH to connect to a Mathnet Linux machine, use the text-only web browser w3m to deposit the certificate and key there, and then use SCP to copy those files to your remote location.

When you follow the link below, you may be asked for an X.509 certificate, which you don't have yet. You may decline to send the certificate, i.e. hit cancel. The requirement to ask for a certificate is a crock in the way a POST form is handled by the web server. Sorry about that. We hope the problem will be fixed in a future web server release.

Normally for use in a web browser you would ask the Certificate Authority to send you the certificate, the private key, and the Certificate Authority's root certificate, all together in a combined PKCS#12 file. However when you're installing OpenVPN it's more convenient to download each of these separately. On the web page indicate "Just the certificate", then in a second step "just the private key" (and also mark send the certificate on file since it was just created), then go back and get the root certificate.

Check the box on the form that says Save as File; when your browser gets the certificate or key, tell it to save it; do not open it with your browser.

Follow this link; follow the instructions to get your certificate.

Installation & Use on Linux

When you install software you need to be root, but for paranoia's sake you will want to download the files as an ordinary user (yourself). If you deposit downloaded files in /tmp, root will be able to find them easily.

This discussion assumes you are using SuSE Linux v9.2 or 9.3, which Mathnet provides support for. On other distros such as Debian, you will need to translate the instructions to use your distro's installation tools, and if you can't deal with RPMs or if yours isn't an Intel processor, you will need to compile from source.

Make sure you have the needed prerequisite packages: openssl (cryptography) and lzo (data compression). Do rpm -q openssl or rpm -q lzo to find out. If either is missing, get it from your regular source of installation (your CDs). The exception is lzo, which first appeared in SuSE 9.0 and 9.1; if you are on 8.2, download this copy. Tell your web browser to save it (generally right-click on the link and pick Save As from the menu). Install it using the command rpm -U lzo-1.08-104.i586.rpm, giving the name of the file that was saved.

Now install the OpenVPN package itself. Use version 2.0 or above, which has the necessary road warrior configuration commands. SuSE 9.3 has version 2.0 so install it from your CD. Earlier SuSE distros have OpenVPN-1.3 or 1.5, which won't work with Mathnet's terminus, so download one of the 2.0-beta5 packages below. Pick the version appropriate to your distro version -- the OpenVPN code is the same, but they expect the OpenSSL libraries prevalent on the distro they were compiled under. See the previous paragraph for how to save the file.

The downloadable packages are intended for a Red Hat system and the start script has a filename that SuSE doesn't like, and uses Red Hat functions that SuSE does differently. So install with this command line (substitute i386 or i586 according to your version), and ignore the complaints when Red Hat's /sbin/service can't be run:

rpm -U --replacefiles openvpn-2.0_beta5-1.i586.rpm

Now download these control files:

  • mathnet.conf -- Configuration file with parameters expected by vpn.math.ucla.edu (Harlech).
  • ucla-math.crt -- Root Certificate of the UCLA-Mathnet Certificate Authority
  • openvpn.ini -- SuSE style startup script

Install them like this -- the startup script goes in /etc/init.d and must be made executable.

cp mathnet.conf ucla-math.crt /etc/openvpn
cp openvpn.ini /etc/init.d/openvpn
chmod 755 /etc/init.d/openvpn

Also copy your own X.509 certificate and secret key into /etc/openvpn, using the names expected in mathnet.conf. The secret key should be owned by root and readable only by root. If you have your certificate and key (or the UCLA-Mathnet root certificate) elsewhere for other programs to use, you can instead make symbolic links in /etc/openvpn to the real locations, or you can edit mathnet.conf to refer to your preferred locations directly.

cp user.crt /etc/openvpn/host.crt
cp user.key /etc/openvpn/host.key
chmod 600 /etc/openvpn/host.key

When you want to use the VPN, do (as root) /etc/init.d/openvpn start. It will ask you to type the passphrase of your secret key. Watch for startup messages in /var/log/messages or /var/log/syslog depending on your syslog configuration. To turn off the VPN, do /etc/init.d/openvpn stop.
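As an added example (not a script from Mathnet or the OpenVPN project), the copy-and-chmod steps above gathered into two shell functions: one installs the control files and your certificate and key under the names mathnet.conf expects, the other checks the resulting directory for missing or misnamed files and for a key that others can read. It assumes GNU coreutils (stat -c) and that the downloaded files sit together in one source directory; the root-ownership check only runs when you are root.

```shell
#!/bin/sh
# Added example, not Mathnet's own script: install the Mathnet OpenVPN
# control files plus your certificate and key, then verify the result.
# Assumes GNU coreutils (stat -c) and that the downloaded files sit in SRC.

# Copy mathnet.conf, the UCLA-Mathnet root certificate, and your own
# certificate and key into the OpenVPN configuration directory under the
# names mathnet.conf expects. The secret key is made readable only by its
# owner; run this as root so that owner is root, as the instructions say.
install_mathnet_vpn_files() {
    src="$1"   # where the downloaded files are, e.g. /tmp
    dst="$2"   # OpenVPN configuration directory, normally /etc/openvpn
    mkdir -p "$dst" || return 1
    cp "$src/mathnet.conf" "$src/ucla-math.crt" "$dst/" || return 1
    cp "$src/user.crt" "$dst/host.crt" || return 1
    cp "$src/user.key" "$dst/host.key" || return 1
    chmod 644 "$dst/mathnet.conf" "$dst/ucla-math.crt" "$dst/host.crt" || return 1
    chmod 600 "$dst/host.key"
}

# Check the configuration directory: each file the config refers to must
# exist under exactly that name, the usual misnamings must be absent, and
# host.key must not be readable by group or world. Prints one line per
# problem and returns the number of problems (0 means all is well).
check_mathnet_vpn_dir() {
    dst="$1"
    problems=0
    for f in mathnet.conf ucla-math.crt host.crt host.key; do
        if [ ! -f "$dst/$f" ]; then
            echo "missing: $dst/$f"
            problems=$((problems + 1))
        fi
    done
    # Dropped or doubled extensions, and the .cer rename some browsers do.
    for bad in host host.crt.crt host.key.key ucla-math.cer; do
        if [ -e "$dst/$bad" ]; then
            echo "misnamed file: $dst/$bad"
            problems=$((problems + 1))
        fi
    done
    if [ -f "$dst/host.key" ]; then
        mode=$(stat -c %a "$dst/host.key")
        case "$mode" in
            600|400) ;;
            *) echo "host.key mode is $mode, should be 600"
               problems=$((problems + 1)) ;;
        esac
        if [ "$(id -u)" = 0 ] && [ "$(stat -c %U "$dst/host.key")" != root ]; then
            echo "host.key is not owned by root"
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}
```

Run check_mathnet_vpn_dir /etc/openvpn before /etc/init.d/openvpn start; a non-zero return means at least one of the problems it printed would stop OpenVPN from loading your certificate.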

For variations in the configuration file, see the end of the next section.

Installation & Use on Microsoft Windows®

Once you have your certificate, download to your Windows machine the OpenVPN Windows Client. Click on this link and let your web browser get the file, about 2 Mbytes. When the file has arrived your browser will ask if you want to open (i.e. execute) it, or save it. A truly paranoid user will save the file, scan it with virus protection software, verify the MD5 checksum, and only then, execute the file. A very trusting user will just open the file (not recommended). The setup wizard then goes through the following steps:

  1. Announces the name and author of the program. Hit Next.
  2. Shows the licenses for the various included software, ending with the Gnu Public License. Read them. If you agree to the license terms, hit Agree.
  3. Asks which components should be installed. Windows users normally will decline the source code (the last item). Un-check it, then hit Next.
  4. Asks where to install. The provided Mathnet scripts assume you will take the default, which is c:\Program Files\OpenVPN. Hit Next.
  5. Decompresses and installs the software. This takes a minute or so. Ignore the complaint that the network adapters have not been blessed with Windows Logo testing; hit Continue in the dialog boxes. Hit Next.
  6. Announces a successful installation. It offers to show the release notes. It also wants to reboot your machine to activate the network interface. Click that checkbox and hit Finish. After the machine reboots, return to these instructions.

When people configure OpenVPN, a common problem is getting the wrong extension on filenames. Start Windows Explorer (the file browser) and navigate to the configuration directory, c:\Program Files\OpenVPN\config. In the Tools menu, find Folder Options. Mark Do not hide file extensions for known types. Your life will be a lot simpler. Actually, many experienced Windows users turn on this option globally, i.e. applying to every folder on the machine, so they can easily recognize unexpected executable files that hackers try to sneak onto their machines.

Now download the following configuration files and deposit them in your OpenVPN configuration directory, c:\Program Files\OpenVPN\config. With most web browsers, if you right click on the links below (one by one) you will be offered a menu that includes a Save As option. In the resulting dialog box, navigate to the above directory, check that the filename is right (Windows alters some filenames), and hit Save.

  • mathnet.ovpn -- Configuration file
  • ucla-math.crt -- Root Certificate of the UCLA-Mathnet Certificate Authority (in PEM format, not DER which Microsoft likes to produce). Note: Microsoft Internet Explorer changes the name to ucla-math.cer, for no obvious reason. You will need to change it back.

Previously you obtained your X.509 certificate and its secret key. You need to move/copy these files into the configuration directory under the names host.crt and host.key. Beware, Microsoft Internet Explorer likes to change the file extensions, so fix the filenames as needed. To be sure that you're seeing the actual extensions, set Don't Hide... as mentioned previously.

Using OpenVPN

Now, to use OpenVPN, first make sure you are connected to the Internet, that is, your DSL, cable modem or dialup link is ready for use. In your Systray, the set of small icons at the lower right of your screen, the OpenVPN GUI places its icon, which is a network-type picture showing two computers, whose screens initially are red (disconnected). If you can't tell which is the correct network icon, let the mouse hover over one of them and see what title is shown.

Right click on the icon, then select Connect from the menu. It asks you for the pass phrase of your secret key. It shows call progress on its log screen. In a few seconds it will make the connection and all of these will vanish. You are now connected to the Mathnet VPN terminus, and all your Internet traffic will be routed through the VPN.

To disconnect, right click on the Systray icon and select disconnect.

In recent experience, the most frequent problem during connection is a message Cannot open file host.crt, no such file or directory. Do you have just host, or host.crt.crt, both of which errors have been seen in the wild? Review the sections above on not hiding file extensions, and on installing your certificate and secret key.

In special cases you may want to edit mathnet.ovpn or mathnet.bat. The latter is a startup script for OpenVPN, not needed with the OpenVPN GUI, but you can download a pre-made mathnet.bat file here if you want it (do not open, be sure to only save it).

  • Installed in other than the default location -- Edit both files to have the actual directory. In the bat file you need to use the 8.3 (DOS equivalent) name if a directory component is longer than 8 bytes or contains non-ASCII characters.
  • Routing only Mathnet traffic through the tunnel -- In mathnet.ovpn look for redirect-gateway and comment out that line. Uncomment the two following route commands, labelled Send only Mathnet traffic through the tunnel. Actually this sends all traffic to 128.97.x.x, which is much but not all of the UCLA traffic.
  • Show more configuration and progress messages -- Change verb 1 to a higher number. 2 gives TLS and crypto parameters, 3 adds some TLS debug output, and onward up to 11 (not recommended except for developers).
  • Tunnel fails after 60 seconds of non-use -- Some residential firewall-routers (NAT boxes) have a short timeout for UDP connections, and forget to let returning tunnel packets onto your net. Try reducing ping 60 to 15 (seconds).
  • Mathnet wants to use AES (Rijndael) cipher -- Very soon we'll upgrade vpn.math.ucla.edu (Harlech) so it can use AES-128-CBC, but until then it uses CAST5-CBC. The client's configuration file has to have the same cipher. If your configuration file's cipher is wrong, edit the cipher parameter. The error messages should show what Harlech wants to use. (The HMAC or auth algorithm will not be changed.)
  • Different names or locations of the certificates -- You can edit the configuration file to use certificates and keys under any name or directory. The program starts in the directory where the configuration file(s) are. If any filename contains blanks, enclose it in double quotes.

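The configuration variations just listed, applied with sed as an added example (not Mathnet's own files or scripts): the sample config is constructed here in the style of mathnet.conf and is not the real file, it assumes a single commented route line where the real file has two, and the edits assume GNU sed (the -i option).

```shell
#!/bin/sh
# Added example, not Mathnet's own: apply the configuration variations
# above to a client config with sed. The sample config written below is
# constructed for this demo and is not the real mathnet.conf; it assumes
# one commented route line where the real file has two. Assumes GNU sed.

write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample in the style of mathnet.conf
remote vpn.math.ucla.edu
ca ucla-math.crt
cert host.crt
key host.key
cipher CAST5-CBC
ping 60
verb 1
redirect-gateway
# Send only Mathnet traffic through the tunnel
#route 128.97.0.0 255.255.0.0
EOF
}

# Comment out redirect-gateway and uncomment the route line(s) under it,
# so only 128.97.x.x goes down the tunnel and the rest of your traffic
# keeps its normal, unencrypted, default route.
route_only_mathnet() {
    sed -i -e 's/^redirect-gateway/#redirect-gateway/' \
           -e 's/^#\(route \)/\1/' "$1"
}

# Replace the value of a one-argument directive such as verb, ping or
# cipher, e.g. set_directive mathnet.conf ping 15.
set_directive() {
    sed -i "s/^$2 .*/$2 $3/" "$1"
}

# Print the active (uncommented) value of a directive, or nothing.
get_directive() {
    sed -n "s/^$2 \(.*\)$/\1/p" "$1"
}

# True when the config still sends every packet through the tunnel.
redirects_all_traffic() {
    grep -q '^redirect-gateway' "$1"
}
```

After route_only_mathnet, traffic to anything outside 128.97.x.x no longer gets the tunnel's protection on your cable or wireless hop, which is the trade-off the list item above describes.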
Server Configuration

Installation of a server is essentially the same as for a Linux client, but with a different configuration file. The main items you need to edit in this file are the tunnel endpoint's internal IP address and the ifconfig-pool -- the range of IP addresses reserved for client machines. Due to a Windows requirement, each client gets four addresses (a.b.c.d/30). The hosts on your network, or on the global Internet, need to know that this address range is reached by sending packets to the VPN server, so that when the clients make connections to hosts, the hosts can send answers back. Frequently this is accomplished by putting the VPN server on the main gateway - firewall - router for the department, that all packets to anywhere must pass through. At UCLA-Mathnet, on the other hand, the VPN server uses NAT (network address translation) to ensure that client packets seem to come from it, and answers will return to it that way.

The server.conf file includes the duplicate-cn command, which allows one user to have more than one connection at a time, e.g. multiple machines on his home net. If he shuts off one connection, it will persist at vpn.math.ucla.edu for a short time, until the ping-exit timeout. If he restarts the connection quickly there will be two, but only one will be functional and no trouble should ensue. (On a company intranet, however, duplicate connections with static routes could be a problem.)


UCLA Department of Mathematics