VPN connection service

Provided by: University of Tokyo Graduate School of Science wiki
Revision as of 19:33, 21 March 2013 (Thu) by Shitami.junichiro (talk)

1 Outline

The VPN connection service provides secure access to your Department/laboratory subnet from external networks (exposing individual servers directly to external access should be avoided for security reasons). The service is used through dedicated client software installed and configured on each PC, and it offers the same network environment as a direct connection to your Department/laboratory subnet. The School of Science is responsible only for providing the service connection. While the VPN connection service gives you access to your Department/laboratory subnet, you must observe the network usage policy of each organization (host management, IP address settings, etc.), exactly as when using the wired LAN or Wi-Fi. The service requires the installation of PacketiX VPN software and is available only for Windows and Linux. By contrast, the SSL-VPN connection service requires only a suitable browser, although it serves only limited purposes (e.g. browsing internal websites). For a comparison of the two services, see the page “Comparison of VPN and SSL-VPN connection services”.

2 Examples of use

Servers allowing access only from within the University or the School of Science can be accessed from external networks by using the VPN connection service. The VPN connection service provides secure access to servers and PCs within each Department/laboratory from external networks via ssh or remote desktop.

3 Supported users

All faculty and students with access to the School of Science network can use the VPN connection service.

4 Required environment

The service requires a Windows or Linux PC. It provides VPN access to your Department/laboratory subnet based on PacketiX, which is one of the few options that offer comprehensive VPN solutions. PacketiX VPN client software for Mac is under development. An open source version of the client software is also available and may be adopted after further upgrades.

5 Procedures for using the service

Access authentication is performed by using the same user certificate as for Wi-Fi authentication. The VPN connection service requires no other special procedures. For the user certificate, see the page “Connection to Wi-Fi”. Note that the service does not accept a guest certificate for Wi-Fi (the guest certificate does not have Wi-Fi access to subnets within the School of Science).

6 Setup

6.1 Downloading/installing client software

The VPN connection service is based on PacketiX. Visit the link below to download the client software for service connection and then install it. Download the relevant latest version by clicking the corresponding link.

For Windows, navigate through the directories VPN -> Japanese -> Windows -> PacketiX VPN Client 3.0 and select the platform type (“Intel x86, 32-bit” or “Intel x64 or AMD64, 64-bit” depending on the Windows version) to download the client software. For Linux, navigate through the directories VPN -> Japanese -> Linux -> PacketiX VPN Client 3.0 and select the platform type (multiple platform types supported for the Linux version) to download the client software. A manual with setup instructions is available at the link below.

6.2 Settings

  • Host Name: svpn.s.u-tokyo.ac.jp
  • Port Number: 443 (default)
  • Virtual HUB Name: sos (select from the list; no other option is offered)
  • Authentication Type: Client certificate authentication (Select from the list.)
  • User Name: User’s 10-digit Universal ID
  • Specify Client Certificate: Specify the user certificate downloaded from the School of Science authentication system.

6.3 Setup tips for Windows

Run the downloaded file to start the installer and complete the installation process as instructed. The user must indicate his/her agreement to the license terms. All settings may remain unchanged. Upon initial installation, a virtual network adapter must be created. Start the PacketiX VPN Client Manager and choose [Virtual Adapter] -> [Create Virtual Network Adapter]. The virtual network adapter can be named arbitrarily. If a warning message regarding driver installation appears during the creation process, allow the installation of the driver (a message may also appear after the installation to confirm whether it has completed successfully). The newly created virtual network adapter is assigned a MAC address different from that of the existing wired LAN or Wi-Fi network. If a MAC address registration is required for network access in the Department/Facility, inform the subnet administrator of the MAC address of the virtual network adapter. Then, configure the connection settings. Click [New VPN Connection Setting] to open the “New VPN Connection Setting Properties” dialog. The setting can be named arbitrarily. Fill in all required fields and click [OK] to create a new setting.

  • The button to set the client certificate authentication is indicated as the [Close] button within a red circle below (since the screen below is the one after completing the setting, the button has been changed from [View Certificate] to [Close]).

After configuring the VPN connection setting, a connection can be made by double-clicking “Connect”.

6.4 Setup tips for Linux

The client software for Linux is a command-line connection tool and has no GUI. It requires the user to load the certificate and to configure the network settings (the PacketiX manual warns that the Linux version of VPN Client is recommended only for users with a deep understanding of the Linux operating system and networks). Installing the client software requires build utilities (such as make, gcc, and binutils) and development libraries (“devel” packages, such as libc (glibc), zlib, openssl, readline, and ncurses). Extract the downloaded archive into the destination directory and run “make” to build the software. After starting the vpnclient command, the software is operated with the vpncmd command (choosing “2” at the vpncmd startup prompt selects VPN Client management). Upon initial installation, a virtual network adapter must be created, as with the Windows version. In vpncmd, execute the following command (the virtual network adapter can be named arbitrarily):

    NicCreate packetix

All necessary information must be extracted from the user certificate in advance. In the example below, XXXX.p12 is the user certificate file name; the output files can be named arbitrarily.

    openssl pkcs12 -in XXXX.p12 -nocerts -nodes -out XXXX.key
    openssl pkcs12 -in XXXX.p12 -clcerts -nokeys -out XXXX.crt

Execute the following commands in vpncmd to create a new VPN connection setting. In the example below, the setting name is svpn (the setting may be named arbitrarily); XXXX represents the Universal ID, and the value of /NICNAME is the name of the virtual network adapter created above.

    AccountCreate svpn /SERVER:svpn.s.u-tokyo.ac.jp:443 /HUB:sos /USERNAME:XXXX /NICNAME:packetix
    AccountCertSet svpn /LOADCERT:XXXX.crt /LOADKEY:XXXX.key

Use the following command to make a connection:

    AccountConnect svpn

After the connection has been made, the interface created above (vpn_packetix) is connected via VPN. Set the address and routing configuration on it in the same way as for eth0. To disconnect, use the following command:

    AccountDisconnect svpn
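The Linux procedure above, as an added example that is not the wiki's or PacketiX's own code: it runs the two openssl extraction commands with a safe umask, verifies the extracted key and certificate before they are handed to AccountCertSet, and registers the setting non-interactively. It assumes openssl and GNU stat are installed and that vpncmd accepts the batch form "vpncmd localhost /CLIENT /CMD ..." (the page shows interactive use); the file names, password and the throwaway demo certificate are placeholders constructed for illustration.

```shell
#!/bin/sh
# Added example, not the wiki's or PacketiX's own code. Assumes openssl and GNU
# stat; vpncmd's batch form "vpncmd localhost /CLIENT /CMD ..." is assumed from
# the SoftEther/PacketiX manual (the page shows interactive use). Names are placeholders.
set -eu

# The page's two openssl commands. "-nodes" writes the private key unencrypted,
# so umask 077 first: the .key file must be readable by this user only.
extract_p12() {   # $1 = user .p12, $2 = output basename, $3 = .p12 password
    umask 077
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$3" -out "$2.key" 2>/dev/null
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$3" -out "$2.crt" 2>/dev/null
}

# Checks worth running before AccountCertSet: key belongs to the certificate,
# certificate not expired, key file not group/world readable. Returns 1 on failure.
check_pair() {    # $1 = output basename
    [ "$(openssl x509 -in "$1.crt" -pubkey -noout)" = "$(openssl pkey -in "$1.key" -pubout)" ] \
        || { echo "key does not belong to certificate" >&2; return 1; }
    openssl x509 -in "$1.crt" -checkend 0 -noout >/dev/null \
        || { echo "certificate has expired" >&2; return 1; }
    case "$(stat -c %a "$1.key")" in
        600|400) ;;
        *) echo "key file permissions too open" >&2; return 1 ;;
    esac
}

# The vpncmd steps from the page. NicCreate is only needed once; a repeat fails
# harmlessly, so its status is ignored. vpnclient must already be running.
register_account() {   # $1 = output basename, $2 = 10-digit Universal ID
    vpncmd localhost /CLIENT /CMD NicCreate packetix || true
    vpncmd localhost /CLIENT /CMD AccountCreate svpn /SERVER:svpn.s.u-tokyo.ac.jp:443 \
        /HUB:sos /USERNAME:"$2" /NICNAME:packetix
    vpncmd localhost /CLIENT /CMD AccountCertSet svpn /LOADCERT:"$1.crt" /LOADKEY:"$1.key"
}

# Constructed throwaway certificate so the checks can be exercised offline; a real
# setup uses the .p12 issued by the School of Science authentication system.
make_demo_p12() {   # $1 = directory; writes $1/demo.p12 with password "demo"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/demo.key" -out "$1/demo.crt" \
        -days 1 -subj "/CN=demo user" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/demo.key" -in "$1/demo.crt" -out "$1/demo.p12" -passout pass:demo
}

# Usage: sh vpn-prepare.sh user.p12 outname 'p12 password' 0123456789
if [ $# -eq 4 ]; then
    extract_p12 "$1" "$2" "$3" && check_pair "$2" && register_account "$2" "$4"
fi
```

After AccountConnect, the address and routing of vpn_packetix still have to be configured as for eth0 (for example with your subnet's usual DHCP client or static settings), which the script leaves to the subnet's own policy.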

7 Service operation

Account information is updated at 3:00 every day. When a new user account has been created, the VPN connection service can be used after the next update at 3:00. Note that each update disconnects all connected users. The service uses the authentication system, which forms part of the School of Science core network. Since the core network will be updated in March 2013, details of operation may change in connection with the network update.