École des Ponts Paristech DSI Installing OpenVPN
Contents
Introduction
Windows: Preamble, Installation of OpenVPN, Use
Linux: Install, Use
Mac OS X: Install, Use
Introduction

This document outlines the procedure that enables you to access resources of the École des Ponts Paristech from any Internet connection. For this, you will need to install a piece of software called OpenVPN on your computer. To allow access to the network, you were provided with a certificate and a password.

Windows

Preamble

Installing OpenVPN requires administrator rights, even if your user account already has the rights of an administrator. Under Windows Seven, it is not necessary to disable UAC (User Account Control) except in case of problems. However, under Windows Seven it is necessary to start the installation and the application as administrator (right click, Run as administrator). For Linux and MacOS users, the installation procedure with the software TunnelBlick is indicated in the last part of this document.

Installation of OpenVPN

Copy OpenVPN on the desktop. Open the folder OpenVPN and drop in the certificate YYY-xxxx.enpc.fr that was sent to you.
(Figure: drop in your certificate here.)

Right click OpenVPN-Setup.exe and then click Run as administrator. Perform a default installation.
When the Windows Security window pops up, click on "Install" to install the TAP-Win32 driver.
To check that the script was successful, go to the directory C:\Program Files\OpenVPN\Config (32-bit) or C:\Program Files (x86)\OpenVPN\Config (64-bit). The config directory must contain your certificate YYY-xxxx.enpc.fr.p12 and enpc.ovpn, a file whose contents are similar to the file "config.txt" contained in the installation folder, except for line 83, which indicates your certificate's name YYY-xxxx.enpc.fr.p12.

An icon OpenVPN GUI appears on the desktop. The software installation is completed.

Now you need to configure the ENPC proxy detection in your browser. Activate your browser's proxy auto-detection. For example, under Internet Explorer:
Check «Automatically Detect Settings».

If there are any problems with the proxy's auto-detection, enter the HTTP address etuproxy.enpc.fr and port 3128:

Uncheck «Automatically Detect Settings».
Check «Use proxy server». Uncheck «Do not use proxy server for local addresses».

NB: The Firefox extension FoxyProxy and, in Google Chrome, switch proxy can easily manage connections through a proxy server (read the FoxyProxy section). For Internet Explorer, there is a utility, changeproxy, that can enable or disable a proxy (please note that you must uncheck the automatic detection of proxy). Use changeproxy.exe with Internet Explorer (read the Changeproxy section).
Use

Before starting OpenVPN, ensure that your computer has access to the Internet. To run OpenVPN with administrator's privileges, right click on the OpenVPN shortcut on the desktop and click Run as administrator (read the note below). An icon pops up in the tray.
Right click on the OpenVPN icon and then on Connect. If the Windows Firewall is enabled, the following screen should appear (do the same thing for any other firewall). Allow access. For the network configuration under Windows Seven, set access to Work network.
Enter your password. The color of the OpenVPN icon in the tray will turn green. Launch your browser with the enpc proxy setting. You now have access to the resources of the École des Ponts Paristech related to your security certificate.

In case of problems, you can check the log file generated during the connection process by right clicking on the OpenVPN icon in the tray and clicking on View log.

With Windows Seven, it is possible to configure OpenVPN so that it is always launched as an administrator. Right click on the shortcut OpenVPN GUI on the desktop, then click on Properties. In the tab Compatibility, check "Run this program as administrator".

Linux

Install

Install OpenVPN version >= 2.1 ( http://openvpn.net/index.php/open-source/downloads.html ). The GNU/Linux distribution's package should be good, but just in case, verify that you have a version >= 2.0 of the software with appropriate security. Copy the OpenVPN configuration file enpc.config, found inside the installation directory, into /etc/openvpn (do not give it the .conf extension, which would launch OpenVPN automatically when your PC boots).
Install the scripts up_script.sh and down_script.sh in /etc/openvpn (do not forget to make them executable: sudo chmod +x /etc/openvpn/up_script.sh /etc/openvpn/down_script.sh). These scripts update /etc/resolv.conf (DNS resolution: use the school's servers when OpenVPN is on, return to the user's initial configuration when OpenVPN is off).

Copy your certificate YYY-xxxx.enpc.fr.p12 into /etc/openvpn. Either copy and rename the certificate to certificat.enpc.p12, or edit the configuration file enpc.config at the line pkcs12 /etc/openvpn/certificat.enpc.p12 and replace the certificate name there with the exact name of your certificate.

Use

To launch OpenVPN, use the command:

    sudo openvpn --config /etc/openvpn/enpc.config

(you have to enter the certificate's password). You can find a graphical interface here: http://gopenvpn.sourceforge.net/

If you want to change your certificate's password, you can use the following commands (be sure to have root privileges; use sudo, for example):

    cd /tmp
    # extract the CA certificates and the client certificate
    openssl pkcs12 -nokeys -in /etc/openvpn/certificat.enpc.p12 -cacerts -out cacert
    openssl pkcs12 -nokeys -in /etc/openvpn/certificat.enpc.p12 -clcerts -out clcert
    # extract the private key, unencrypted (-nodes)
    openssl pkcs12 -nocerts -nodes -in /etc/openvpn/certificat.enpc.p12 -out key
    # rebuild the bundle; openssl asks for the new password
    openssl pkcs12 -export -inkey key -in clcert -certfile cacert -out /etc/openvpn/certificat.enpc.p12
    # delete the temporary files, including the unencrypted key
    /bin/rm -f cacert clcert key

Mac OS X

Install

For Mac OS users, you can install the software Tunnelblick, under a free license (GNU GPL v2), contained in the installation directory. The École des Ponts ParisTech does not support MacOS. Please note the installation process indicated on the Tunnelblick website ( http://code.google.com/p/tunnelblick/ ).
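The password-change commands given in the Linux section write the unencrypted private key (-nodes) into the shared /tmp directory and overwrite the bundle in place. The following is an added example, not part of the original guide: it runs the same four openssl steps in a private temporary directory and replaces the bundle only if the re-export succeeds. The function name and the P12_OLD_PASS / P12_NEW_PASS variables are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original guide.
# Usage: change_p12_password /etc/openvpn/certificat.enpc.p12
# openssl prompts for the passwords unless P12_OLD_PASS / P12_NEW_PASS
# (assumed variable names) are exported for scripted use.
change_p12_password() (
    p12=$1
    umask 077                        # everything created here is owner-only
    work=$(mktemp -d) || exit 1      # private 0700 directory, not shared /tmp
    trap 'rm -rf "$work"' EXIT       # plaintext key is deleted on every exit path

    in_pass=
    out_pass=
    if [ -n "${P12_OLD_PASS:-}" ]; then in_pass="-passin env:P12_OLD_PASS"; fi
    if [ -n "${P12_NEW_PASS:-}" ]; then out_pass="-passout env:P12_NEW_PASS"; fi

    # $in_pass and $out_pass stay unquoted on purpose: empty or two words.
    openssl pkcs12 -nokeys -cacerts -in "$p12" -out "$work/cacert" $in_pass || exit 1
    openssl pkcs12 -nokeys -clcerts -in "$p12" -out "$work/clcert" $in_pass || exit 1
    openssl pkcs12 -nocerts -nodes  -in "$p12" -out "$work/key"    $in_pass || exit 1

    set -- -export -inkey "$work/key" -in "$work/clcert"
    # A bundle without CA certificates gives an empty cacert file; skip it then.
    if grep -q 'BEGIN CERTIFICATE' "$work/cacert"; then
        set -- "$@" -certfile "$work/cacert"
    fi
    openssl pkcs12 "$@" -out "$work/new.p12" $out_pass || exit 1

    # Replace the original only after the new bundle was written successfully.
    chmod 600 "$work/new.p12" && mv -f "$work/new.p12" "$p12"
)
```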
Open the configuration file enpc.ovpn, located in the installation folder, in a text editor, and on line 5 replace votre.certificat.enpc.p12 with the name of your certificate. After installing Tunnelblick ( http://code.google.com/p/tunnelblick/wiki/cinstall ), with no configuration, you must copy the certificate and the enpc.ovpn file that you modified into the following directory: ~/Library/Application Support/Tunnelblick/Configurations/

Another installation method is possible since version 3.1 of Tunnelblick. Create a folder enpc, in which you create another folder Contents, in which you create a folder Resources, and copy your configuration file enpc.ovpn into Resources.
Rename the folder enpc to enpc.tblk. Click on the file enpc.tblk to install the setup.

Use

You can start Tunnelblick after changing the proxy of your browser as described above. Click on the Tunnelblick icon in the tray, then select the enpc configuration. Enter your password when asked. Launch your browser with the enpc proxy setting.

Since Mac OS version 10.7, the Library folder is invisible. To get there, you can choose between:

In the Finder, open the menu Go and hold down the Alt key, which will bring up the Library folder.

Or: press the key combination Shift+Apple+g, which opens the screen «Go to folder», and then type: ~/Library/Application Support/Tunnelblick/Configurations/

Use Changeproxy with Internet Explorer

Disable automatic detection of proxy as indicated below. Close the browser «Internet Explorer» (the change of proxy is not dynamic). Two proxy servers can be used. Type the address «etuproxy.enpc.fr:3128» and click «Set».
Click on «Proxy Disabled» to enable the proxy. You can start Internet Explorer and browse through the proxy. Close Internet Explorer and click on «Proxy Enabled» to remove the proxy.

Use FoxyProxy with Firefox

To use the Firefox extension «FoxyProxy», go to the following page: https://addons.mozilla.org/en-us/firefox/addon/foxyproxy-standard/ Install the plugin in Firefox. Click on the icon above. If the icon doesn't appear, go to the «Tools» menu and click on «FoxyProxy Standard».
Click on «Add a new proxy». Select «Manual configuration of proxy» and enter the address etuproxy.enpc.fr and port 3128
Click OK to confirm. Click OK and close the FoxyProxy window.

To enable the proxy: right click on the FoxyProxy icon, or click on the menu Tools, FoxyProxy Standard. Click «Use the proxy etuproxy.enpc.fr:3128 for all URLs».

Unlike Changeproxy with I.E., the change of proxy is dynamic with Firefox. You do not need to restart Firefox.