VPN - theunissenlab/lab-documentation GitHub Wiki
- Create new VPN credentials on finch (you can have one per device, or use the same credentials on all your devices. If you lose your device, you should have these credentials revoked and generate new ones).
  - You will create one password for the VPN account and one password to encrypt your private key.
- Transfer the credentials file, `KEYNAME_keys.tar.gz`, to your computer and extract/unzip it (`tar -xvzf KEYNAME_keys.tar.gz`). I prefer to keep them in my `~/.ssh/` directory. It should contain 5 files:

  ```
  ca_zebra.fet.berkeley.edu.crt
  client_zebra.fet.berkeley.edu.crt
  client_zebra.fet.berkeley.edu.key
  ta_zebra.fet.berkeley.edu.key
  config.ovpn
  ```
- Open network settings, click add VPN (Ubuntu has OpenVPN built in)
- Load the `config.ovpn` file
- Install OpenVPN Connect Client from their website. You should find the exact software for macOS (OpenVPN Connect V3) here
- Run OpenVPN Connect Client and go to add/import a profile or upload a file
- Select the `config.ovpn` file (to make the `.ssh` folder visible, press Command+Shift+G then enter `~/.ssh`) and enter your credentials.
  - Your username is the `KEYNAME`, and your passwords were created in step 1. Password is finch's private key; the private key password is the first password (PEM pass phrase).
- If you encounter the error message "required credentials are missing", follow these steps:
  - As of 2025/01, OpenVPN Connect Client does not support the `data-ciphers` option and will not let you choose the cipher. You can add the line `data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC` (ciphers used by finch) to your `config.ovpn` file and test whether this has now been resolved. Otherwise, check the insecurity level under Advanced Settings under Settings. This will enable finch and your computer to use the BF-CBC cipher.
The `config.ovpn` file references the other files in the `KEYNAME_keys.tar.gz` package. However, when loading the config on mobile these references won't work, and those keys must be embedded directly into the config file.

- Open the `config.ovpn` file in a text editor. Replace the lines

  ```
  ca ca_zebra.fet.berkeley.edu.crt
  cert client_zebra.fet.berkeley.edu.crt
  key client_zebra.fet.berkeley.edu.key
  tls-auth ta_zebra.fet.berkeley.edu.key 1
  ```

  with

  ```
  <ca>
  -----BEGIN CERTIFICATE-----
  [paste cert from ca_zebra.fet.berkeley.edu.crt]
  -----END CERTIFICATE-----
  </ca>
  <cert>
  -----BEGIN CERTIFICATE-----
  [paste cert from client_zebra.fet.berkeley.edu.crt]
  -----END CERTIFICATE-----
  </cert>
  <key>
  -----BEGIN ENCRYPTED PRIVATE KEY-----
  [paste key from client_zebra.fet.berkeley.edu.key]
  -----END ENCRYPTED PRIVATE KEY-----
  </key>
  <tls-auth>
  -----BEGIN OpenVPN Static key V1-----
  [paste key from ta_zebra.fet.berkeley.edu.key]
  -----END OpenVPN Static key V1-----
  </tls-auth>
  key-direction 1
  ```
- One by one, open the files `ca_zebra.fet.berkeley.edu.crt`, `client_zebra.fet.berkeley.edu.crt`, `client_zebra.fet.berkeley.edu.key`, and `ta_zebra.fet.berkeley.edu.key`, find the sections starting with `-----BEGIN XXXXX-----`, and copy/paste them into the corresponding spots in the `config.ovpn` file (without brackets).
- Securely transmit your `config.ovpn` file to your mobile device. For iPad, three ways to do this are (1) AirDrop from your Mac, (2) transfer via iTunes, or (3) upload it to iCloud from your computer and download it on your device. You can email it to yourself too, but note that this is not as secure.
- On your mobile device, download and install the OpenVPN app.
- Find the `config.ovpn` file on your device, and open it with the OpenVPN app. Input your credentials generated from step 1 (username will be `KEYNAME`).
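
The replacement of the `ca`, `cert`, `key` and `tls-auth` lines described above can be scripted instead of pasted by hand. This is an added example, not part of the lab's wiki or tooling; the function names `inline_ovpn` and `make_sample` and the placeholder key material are made up for illustration, and it assumes the referenced files sit in the same directory as `config.ovpn`.

```shell
#!/bin/sh
# Added example, not the lab's own tooling. Inlines the files that config.ovpn
# references so that a single file can be imported on a mobile device.
# Assumption: the ca/cert/key/tls-auth paths are relative to the config's directory.

inline_ovpn() {  # usage: inline_ovpn config.ovpn config-mobile.ovpn
    src=$1; dst=$2; dir=$(dirname "$src")
    (
        umask 077  # the output embeds the private key: owner-only permissions
        awk -v dir="$dir" '
        function embed(tag, file,    path, line, inside, found) {
            path = dir "/" file
            print "<" tag ">"
            while ((getline line < path) > 0) {
                # keep only the -----BEGIN ... -----END block, drop text around it
                if (line ~ /^-----BEGIN /) inside = 1
                if (inside) { print line; found = 1 }
                if (line ~ /^-----END /) inside = 0
            }
            close(path)
            print "</" tag ">"
            if (!found) { print "no PEM block found in " path > "/dev/stderr"; bad = 1 }
        }
        $1 == "ca" || $1 == "cert" || $1 == "key" { embed($1, $2); next }
        # "tls-auth FILE 1" becomes an inline block followed by "key-direction 1"
        $1 == "tls-auth" { embed($1, $2); if ($3 != "") print "key-direction " $3; next }
        { print }
        END { exit bad + 0 }
        ' "$src" > "$dst"
    ) || { rm -f "$dst"; return 1; }  # never leave a half-written config behind
}

# Constructed sample (placeholder key material) so the function can be tried offline.
make_sample() {  # usage: make_sample DIR
    h=zebra.fet.berkeley.edu
    printf '%s\n' '-----BEGIN CERTIFICATE-----' CA '-----END CERTIFICATE-----' > "$1/ca_$h.crt"
    printf '%s\n' 'Certificate:' '  text dump' '-----BEGIN CERTIFICATE-----' CLIENT '-----END CERTIFICATE-----' > "$1/client_$h.crt"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' KEY '-----END ENCRYPTED PRIVATE KEY-----' > "$1/client_$h.key"
    printf '%s\n' '# static key' '-----BEGIN OpenVPN Static key V1-----' TA '-----END OpenVPN Static key V1-----' > "$1/ta_$h.key"
    printf '%s\n' client "ca ca_$h.crt" "cert client_$h.crt" "key client_$h.key" "tls-auth ta_$h.key 1" 'verb 3' > "$1/config.ovpn"
}

if [ "$#" -eq 2 ]; then inline_ovpn "$1" "$2"; fi
```

Saved as a script and called with the input and output paths, it writes the combined file readable only by its owner, and it removes the output and returns an error if any referenced file is missing or contains no PEM block.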
Normally, when you connect to our VPN server, it tells your computer to use 10.0.2.1 (finch) as its DNS server. This is a line in the `config.ovpn` file. On Windows' OpenVPN Connect Client this doesn't seem to work. Not sure how to solve this, but you can manually figure out how to add finch (AKA fet.neuro.berkeley.edu) as your DNS server, or connect to a host using its full name (e.g. corvus.fet.berkeley.edu).