Setting Up an XSCE VPN: Difference between revisions

From OLPC
No edit summary
Line 6: Line 6:
The internet uses names (technically called url's -- universal resource locators) to create connections. But there is a system for changing names to numbers (called DNS - domain name service). And the numbers are the way communications are routed to the correct destinations. But many Internet Service Providers (ISP's) do not have enough numbers to give out to their many clients. So on different days, a school might have a different number. This makes it hard to find a school from day to day, among all the numbers on the internet.
The internet uses names (technically called url's -- universal resource locators) to create connections. But there is a system for changing names to numbers (called DNS - domain name service). And the numbers are the way communications are routed to the correct destinations. But many Internet Service Providers (ISP's) do not have enough numbers to give out to their many clients. So on different days, a school might have a different number. This makes it hard to find a school from day to day, among all the numbers on the internet.


The vpn jumps these hurdles by starting the conversation, (asking the question), from the inside daily, or even hourly. The vpn starts the conversation with the XSCE mothership that has been made available by activitycentral.com. When people want to connect to a school behind a firewall, they can connect to xsce.activitycentral.com (which always has the same number), and the communication gets routed to the correct destination.
The vpn jumps these hurdles by starting the conversation, (asking the question), from the inside every day, or even every hour. The vpn starts the conversation with the XSCE mothership that has been made available by activitycentral.com. When people want to connect to a school behind a firewall, they can connect to xsce.activitycentral.com (which always has the same number), and the communication gets routed to the correct destination, even when the number keeps changing, or when the immediate question is coming from a random person on the internet.
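Review bot: the clause added at the end of this paragraph, "or when the immediate question is coming from a random person on the internet", says in passing that the tunnel makes a school server reachable by anyone who can reach xsce.activitycentral.com, which contradicts the "Private" in the heading that follows. Suggest stating that consequence plainly here ("once the tunnel is up, the school server is reachable from the public internet through xsce.activitycentral.com") and pointing the reader at the SSH section, since that is where the actual access control lives.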


==How can OPENVPN be Secure and Private when the Keys are Public?==
In this case the private and public keys are hidden in an installation package, and not available except by installing XSCE.


For many years, the unix Secure Shell, SSH, has been the secure way to talk to remote computers. A computer is considered secure if the only way to talk to it is via SSH. Then the conversation usually moves to how SSH is configured. Are passwords enabled? If so, is there any configuration restriction which would make the passwords hard to guess?
The vpn tunnel is only available to school servers who have installed the XSCE rpm package. Additional security can be achieved beyond ssh password security, by generating ssh public/private key pairs using the "ssh-keygen" command (see more complete instructions at http://www.eng.cam.ac.uk/help/jpmg/ssh/authorized_keys_howto.html).

It is recommended that for machines connected the the "XSCE virtual PUBLIC network", users just turn off passwords in the configuration of SSH -- in /etc/ssh/sshd_config change the line to "PasswordAuthentication no". Follow the instructions at http://www.eng.cam.ac.uk/help/jpmg/ssh/authorized_keys_howto.html to generate software keys, and configure the client and server to use them.
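Review bot: dropping "In this case the private and public keys are hidden in an installation package, and not available except by installing XSCE" and "The vpn tunnel is only available to school servers who have installed the XSCE rpm package" leaves the question in the section heading unanswered; what remains talks only about SSH. Keep a one-sentence answer: the OpenVPN keys ship inside the package, so, as the removed sentence itself says, anyone who installs XSCE obtains them, and the tunnel therefore cannot tell one installation from another. That is the reason the SSH advice that follows ("PasswordAuthentication no" plus authorized_keys) is not optional hardening but the only per-machine authentication on this network, and the text should say so.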

==How to Configure XSCE VPN==


To start the openvpn tunnel automatically at every boot, you can add the following line to /etc/rc.d/rc.local: "/etc/openvpn/openvpn-start". To verify that the connection has been established, issue the terminal command "ifconfig", and look for the inet address of the "tun" device. This is the ip address that the openvpn server has assigned you. You can use it when you attempt to connect to the school server from your own personal computer, to check out the remote administration capability of openvpn.
To start the openvpn tunnel automatically at every boot, you can add the following line to /etc/rc.d/rc.local: "/etc/openvpn/openvpn-start". To verify that the connection has been established, issue the terminal command "ifconfig", and look for the inet address of the "tun" device. This is the ip address that the openvpn server has assigned you. You can use it when you attempt to connect to the school server from your own personal computer, to check out the remote administration capability of openvpn.

Revision as of 10:24, 21 June 2013

How does a VPN work?

The "privacy" of virtual private networks is based upon two software keys, one private and the other public. In most instances, the private key is generated by a user and never shared with anyone. The public key can be used as an entrance certificate. If this public key is placed in a list of "authorized_keys", the person who has the corresponding private key is given access to the resource. The ssh (secure shell) conversation is encrypted, and eavesdroppers are not able to mimic the legitimate client.

The "XSCE VPN" perhaps should be called a "public connectivity network", and not really a "private network". "XSCE VPN" jumps a number of connectivity hurdles. These hurdles include firewalls specifically designed to prevent communications that start from the outside internet. Firewalls let the user ask questions, and get responses from anywhere on the internet. But when the questions come from anywhere on the internet and go to a local machine, they are blocked.

The internet uses names (technically called URLs, universal resource locators) to create connections. But there is a system for changing names to numbers (called DNS, domain name service), and the numbers are the way communications are routed to the correct destinations. Many Internet Service Providers (ISPs) do not have enough numbers to give out to their many clients, so on different days a school might have a different number. This makes it hard to find a school from day to day, among all the numbers on the internet.

The vpn jumps these hurdles by starting the conversation (asking the question) from the inside every day, or even every hour. The vpn starts the conversation with the XSCE mothership that has been made available by activitycentral.com. When people want to connect to a school behind a firewall, they can connect to xsce.activitycentral.com (which always has the same number), and the communication gets routed to the correct destination, even when the number keeps changing, or when the immediate question is coming from a random person on the internet.

How can OPENVPN be Secure and Private when the Keys are Public?

For many years, the unix Secure Shell, SSH, has been the secure way to talk to remote computers. A computer is considered secure if the only way to talk to it is via SSH. Then the conversation usually moves to how SSH is configured. Are passwords enabled? If so, is there any configuration restriction which would make the passwords hard to guess?

It is recommended that for machines connected to the "XSCE virtual PUBLIC network", users just turn off passwords in the configuration of SSH: in /etc/ssh/sshd_config change the line to "PasswordAuthentication no". Follow the instructions at http://www.eng.cam.ac.uk/help/jpmg/ssh/authorized_keys_howto.html to generate software keys, and configure the client and server to use them.
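Editing the line is not the whole job: sshd_config(5) uses the first value it reads for a keyword, so a leftover "PasswordAuthentication yes" higher up in the file silently wins over the "no" you add, and a "no" inside a Match block only applies to that block. The script below is an added example (not from the OLPC page or the XSCE project) that checks the effective global setting on constructed sample configs; the file names and sample contents are made up for the demonstration.

```sh
#!/bin/sh
# Added example: verify that an sshd_config really turns password logins off.
# sshd takes the FIRST value seen for a keyword, and directives inside a
# Match block are conditional, so neither counts as the global setting here.

# Print the global PasswordAuthentication value ("yes"/"no") found in file $1.
password_auth_effective() {
    awk '
        { sub(/#.*/, "") }                 # drop comments
        { sub(/=/, " ") }                  # accept the "keyword=value" form
        NF == 0 { next }                   # skip blank lines
        tolower($1) == "match" { in_match = 1 }
        in_match { next }                  # inside a Match block: not global
        !found && tolower($1) == "passwordauthentication" {
            found = 1; val = tolower($2)   # first occurrence wins, as in sshd
        }
        END { print (found ? val : "yes") }   # sshd default is yes
    ' "$1"
}

# Exit 0 only when password logins are globally disabled in file $1.
check_password_auth_disabled() {
    [ "$(password_auth_effective "$1")" = "no" ]
}

# Constructed sample configs, written to a temp dir so the block runs offline.
SAMPLE_DIR=$(mktemp -d)
printf 'Port 22\nPasswordAuthentication no\nPubkeyAuthentication yes\n' \
    > "$SAMPLE_DIR/good"
printf 'PasswordAuthentication yes # distro default\nPort 22\nPasswordAuthentication no\n' \
    > "$SAMPLE_DIR/stray_yes"
printf 'Port 22\nMatch User backup\n    PasswordAuthentication no\n' \
    > "$SAMPLE_DIR/match_only"

for f in good stray_yes match_only; do
    if check_password_auth_disabled "$SAMPLE_DIR/$f"; then
        echo "$f: password logins disabled"
    else
        echo "$f: password logins STILL ENABLED (effective: $(password_auth_effective "$SAMPLE_DIR/$f"))"
    fi
done
```

Run it against the real file with `password_auth_effective /etc/ssh/sshd_config` after editing, and restart sshd only once it prints "no".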

How to Configure XSCE VPN

To start the openvpn tunnel automatically at every boot, you can add the following line to /etc/rc.d/rc.local: "/etc/openvpn/openvpn-start". To verify that the connection has been established, issue the terminal command "ifconfig", and look for the inet address of the "tun" device. This is the IP address that the openvpn server has assigned you. You can use it when you attempt to connect to the school server from your own personal computer, to check out the remote administration capability of openvpn.

To make a second connection to xsce.activitycentral.com, you need to download the openvpn client for the operating system you are using, and copy the ca.crt, client1.key, and client1.crt files from the schoolserver/etc/openvpn/keys folder