FIT VPN

What is VPN FIT good for?

VPN FIT may be used for several purposes:

  • provide a direct encrypted channel to the local FIT network (very useful when public unencrypted WiFi is used),
  • provide access to the Windows servers (Fik and Aja; file services are blocked at the faculty firewall for security reasons),
  • provide IPv6 connectivity for users who can get either no IPv6 at all or only an unreliable IPv6 tunnel.
IPv4 uses private addresses from the 172.27.128.0/21 range. Traffic is routed only to the networks 147.229.8.0/23, 147.229.15.128/25 and 147.229.176.0/24 (may be subject to change). IPv6 uses addresses from the public subnet 2001:67c:1220:810::/64 and traffic is routed to all global addresses in the 2000::/3 range (i.e. the VPN provides access to all IPv6 addresses worldwide).

Software required: OpenVPN, the current installation package for Windows (since version 2.3 IPv6 is supported by default).

Windows configuration

  1. Download the installation package from https://openvpn.net/ and change nothing during installation.
  2. Download the client configuration file and move it to the proper folder: either %USERPROFILE%\OpenVPN\config for private use or \Program Files\OpenVPN\config for all users.
  3. The Windows firewall must permit packet transfer through the TAP driver (with the AVG firewall mark the TAP-WIN32 Adapter as a safe network; the Microsoft Windows 7+ firewall requires no change).
  4. Run OpenVPN GUI (it should be started at logon by default). Right-click the icon in the systray and select Connect. Provide your faculty login name and password; you may tick the box to remember the values.
  5. Once the connection is established (the icon in the systray turns green) you can check it by listing the routing table, running tracert/traceroute kazi.fit.vutbr.cz (it should go through 172.27.xx.yy), running tracert6/tracert -6/traceroute6 ipv6.google.com, or opening Web Fit (an address 2001:67c:1220:810::xx:yy should appear at the bottom left).
  6. Once VPN FIT over OpenVPN is operational you may add the configuration for VPN BUT: VUT-aktivace.ovpn. It is an alternative connection for all situations where VPN BUT is required but you cannot or do not want to use VPN over the PPTP/GRE protocol, e.g. when your Internet connection has no public IPv4 address (xDSL in the O2 network and many others).

    This time you have to log in using your VUTlogin and VUTpin. When connected, all IPv4 traffic is routed through this VPN. It is a good idea to disconnect immediately when the VPN tunnel is no longer needed.
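As an added example (not part of the original page), a small Python checker for the verification in step 5: it reads tracert/traceroute output and confirms that the first IPv4 hop lies in 172.27.128.0/21 and that the IPv6 source address lies in 2001:67c:1220:810::/64. The sample output is a constructed excerpt of the tracert listings further down this page; the IPv6 source check relies on the "from ... over a maximum of" header that Windows tracert prints, which Linux traceroute6 does not.

```python
import ipaddress
import re

# Client address ranges this page states for VPN FIT.
VPN_V4 = ipaddress.ip_network("172.27.128.0/21")
VPN_V6 = ipaddress.ip_network("2001:67c:1220:810::/64")

# Sample input: constructed excerpts of the tracert / tracert6 output shown later on this page.
TRACERT_V4 = """\
Tracing route to kazi [147.229.8.12]
over a maximum of 30 hops:

1 228 ms   230 ms   205 ms  172.27.128.1
2 257 ms   236 ms   242 ms  bda-boz.fit.vutbr.cz [147.229.9.1]
"""
TRACERT_V6 = """\
Tracing route to ipv6.l.google.com [2a00:1450:8007::69]
from 2001:67c:1220:810::1:1 over a maximum of 30 hops:

 1        *       88 ms    88 ms  vpn-gw6.fit.vutbr.cz [2001:67c:1220:810::1]
"""

def first_hop(trace_out):
    """Address of hop 1 from Windows tracert or Linux traceroute output; None if it timed out."""
    for line in trace_out.splitlines():
        parts = line.split()
        if parts and parts[0] == "1":
            for tok in parts[1:]:                       # first token that parses as an address
                try:
                    return ipaddress.ip_address(tok.strip("[]()"))
                except ValueError:
                    continue
            return None
    return None

def local_v6(trace6_out):
    """Source address from the 'from ... over a maximum of' header (Windows tracert); None if absent."""
    m = re.search(r"from (\S+) over", trace6_out)
    return ipaddress.ip_address(m.group(1)) if m else None

def vpn_checks(trace_v4, trace_v6):
    """(ipv4_via_vpn, ipv6_from_vpn): True when traffic enters the tunnel as step 5 expects."""
    hop = first_hop(trace_v4)
    src = local_v6(trace_v6)
    return (hop is not None and hop in VPN_V4, src is not None and src in VPN_V6)
```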

Linux configuration

Verified on Ubuntu, Debian and Fedora distributions, so it really should work!

  1. Install the current openvpn package (Ubuntu/Debian: apt-get install openvpn).
  2. Download the configuration file FIT.ovpn:
    wget http://www.fit.vutbr.cz/CVT/vpn/FIT.ovpn
  3. Open a terminal window and run:
    sudo openvpn --config FIT.ovpn
    If FIT.ovpn is not in the current directory, its path must be provided on the command line.
  4. The connection is terminated with the CTRL-C key (i.e. by terminating the openvpn command).
  5. If you wish to use VPN BUT, just download the configuration file according to the last step of the Windows configuration above and use it instead of FIT.ovpn.

Can I use Connection Manager?
Unfortunately, no. Connection Manager does not use configuration files but executes openvpn with parameters, and it does not allow login/password authentication. We hope this will change in the future.
Why must openvpn be run with sudo?
openvpn changes routing tables and sets parameters of the network interface, which requires elevated rights. openvpn is not installed with the SUID flag, at least on Ubuntu. You may set it by hand, but it may be a security risk.

Android configuration

Tested in versions 4.4.2, 5.0, 5.1 and 6.

  1. Go to Google Play and install the client OpenVPN Connect.
  2. Download the configuration file FIT.ovpn.
  3. Run the application, choose Import profile from SD card and use the downloaded file.
  4. VPN BUT cannot be used, since the Android VPN API does not support a TAP tunnel.

To do this you may need a file manager which can access files over the network, e.g. ES File Explorer.

FAQ

What is VPN (OpenVPN)?
See Open Virtual Private Network.
Can I use OpenVPN over NAT/CGNAT?
Yes. With mobile data we have sometimes encountered problems while connecting (the TLS channel does not open; the log ends at the line TLS: Initial Packet). Just wait a while and try again.
Why is there a TUN driver in the configuration file while there is a TAP driver in Windows?
OpenVPN for Windows uses the TAP driver (ethernet bridge) in TUN emulation mode. The server runs in point-to-multipoint TUN mode.
IPv6 does not work
Have you installed the proper version? Check your log file: for version 2.2.x there should be [IPv6 payload...] somewhere near the beginning. Note that IPv6 has been supported by OpenVPN for quite a long time, so you should upgrade anyway for security reasons.
Can I use VPN FIT to access web pages limited to the IPv4 addresses of BUT?
Yes, just set the proxy cache server to cache6.fit.vutbr.cz:3128.
I can't connect to Samba/CIFS (\\kazi, \\eva, \\fik, \\aja); I don't see the Windows servers of FIT in Network Neighborhood
If you use a non-Microsoft firewall, try permitting access for the SMB client (ports 135, 137 and 445) to the networks 147.229.8.0/24 and 147.229.176.0/24.
Try using fully qualified domain names (FQDN): \\aja.fit.vutbr.cz, \\eva.fit.vutbr.cz etc.

Your log file should look like this:

Mon Nov 07 19:43:32 2011 OpenVPN 2.2.0 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] [IPv6 payload 20110522-1 (2.2.0)] built on May 22 2011
Enter Management Password:
Mon Nov 07 19:43:32 2011 MANAGEMENT: TCP Socket listening on 127.0.0.10:25340
Mon Nov 07 19:43:32 2011 Need hold release from management interface, waiting...
Mon Nov 07 19:43:32 2011 MANAGEMENT: Client connected from 127.0.0.10:25340
Mon Nov 07 19:43:32 2011 MANAGEMENT: CMD 'state on'
Mon Nov 07 19:43:32 2011 MANAGEMENT: CMD 'log all on'
Mon Nov 07 19:43:32 2011 MANAGEMENT: CMD 'hold off'
Mon Nov 07 19:43:32 2011 MANAGEMENT: CMD 'hold release'
Mon Nov 07 19:43:37 2011 MANAGEMENT: CMD 'username "Auth" "novak"'
Mon Nov 07 19:43:37 2011 MANAGEMENT: CMD 'password [...]'
Mon Nov 07 19:43:37 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Nov 07 19:43:37 2011 LZO compression initialized
Mon Nov 07 19:43:37 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Nov 07 19:43:37 2011 Socket Buffers: R=[8192->8192] S=[32768->32768]
Mon Nov 07 19:43:37 2011 MANAGEMENT: >STATE:1320691417,RESOLVE,,,
Mon Nov 07 19:43:38 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Nov 07 19:43:38 2011 Local Options hash (VER=V4): '5405f7b0'
Mon Nov 07 19:43:38 2011 Expected Remote Options hash (VER=V4): '69d5be14'
Mon Nov 07 19:43:38 2011 UDPv4 link local: [undef]
Mon Nov 07 19:43:38 2011 UDPv4 link remote: 147.229.9.81:1194
Mon Nov 07 19:43:38 2011 MANAGEMENT: >STATE:1320691418,WAIT,,,
Mon Nov 07 19:43:40 2011 MANAGEMENT: >STATE:1320691420,AUTH,,,
Mon Nov 07 19:43:40 2011 TLS: Initial packet from 147.229.9.81:1194, sid=021856dc 76b7c36a
Mon Nov 07 19:43:40 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Nov 07 19:43:46 2011 VERIFY OK: depth=1, /C=CZ/L=Brno/ST=Czech_Republic/O=Brno_University_of_Technology/OU=Certification_Authority/CN=Brno_University_of_Technology_CA
Mon Nov 07 19:43:46 2011 VERIFY OK: nsCertType=SERVER
Mon Nov 07 19:43:46 2011 VERIFY OK: depth=0, /C=CZ/ST=Czech_Republic/L=Brno/O=Brno_University_of_Technology/OU=Faculty_of_Information_Technology/CN=vpn.fit.vutbr.cz
Mon Nov 07 19:43:46 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Nov 07 19:43:46 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Nov 07 19:43:46 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Nov 07 19:43:46 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Nov 07 19:43:46 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Nov 07 19:43:46 2011 [vpn.fit.vutbr.cz] Peer Connection Initiated with 147.229.9.81:1194
Mon Nov 07 19:43:47 2011 MANAGEMENT: >STATE:1320691427,GET_CONFIG,,,
Mon Nov 07 19:43:48 2011 SENT CONTROL [vpn.fit.vutbr.cz]: 'PUSH_REQUEST' (status=1)
Mon Nov 07 19:43:48 2011 PUSH: Received control message: 'PUSH_REPLY,ifconfig-ipv6 2001:67c:1220:810::1:1 2001:67c:1220:810::1,route-ipv6 2001::/3,route 147.229.8.0 255.255.255.0,route 147.229.176.0 255.255.255.0,dhcp-option NBT 2,dhcp-option WINS 147.229.8.12,tun-ipv6,route 172.27.128.1,topology net30,ping 10,ping-restart 120,ifconfig 172.27.128.10 172.27.128.9'
Mon Nov 07 19:43:48 2011 OPTIONS IMPORT: timers and/or timeouts modified
Mon Nov 07 19:43:48 2011 OPTIONS IMPORT: --ifconfig/up options modified
Mon Nov 07 19:43:48 2011 OPTIONS IMPORT: route options modified
Mon Nov 07 19:43:48 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Nov 07 19:43:48 2011 ROUTE default_gateway=10.81.192.100
Mon Nov 07 19:43:48 2011 ROUTE6: default_gateway=UNDEF
Mon Nov 07 19:43:48 2011 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
Mon Nov 07 19:43:48 2011 MANAGEMENT: >STATE:1320691428,ASSIGN_IP,,172.27.128.10,
Mon Nov 07 19:43:49 2011 NETSH: C:\WINDOWS\system32\netsh.exe interface ipv6 set address Local Area Connection 3 2001:67c:1220:810::1:1 store=active
Ok.
Mon Nov 07 19:43:51 2011 add_route_ipv6(2001:67c:1220:810::/64 -> 2001:67c:1220:810::1:1 metric 2290448) dev Local Area Connection 3
Mon Nov 07 19:43:51 2011 C:\WINDOWS\system32\netsh.exe interface ipv6 add route 2001:67c:1220:810::/64 Local Area Connection 3 fe80::8 store=active
Mon Nov 07 19:43:51 2011 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Ok.
Mon Nov 07 19:43:52 2011 open_tun, tt->ipv6=1
Mon Nov 07 19:43:52 2011 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{29093224-85F7-4DF3-B8C1-04A1DEB5A04E}.tap
Mon Nov 07 19:43:52 2011 TAP-Win32 Driver Version 9.8 
Mon Nov 07 19:43:52 2011 TAP-Win32 MTU=1500
Mon Nov 07 19:43:52 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 172.27.128.10/255.255.255.252 on interface {29093224-85F7-4DF3-B8C1-04A1DEB5A04E} [DHCP-serv: 172.27.128.9, lease-time: 31536000]
Mon Nov 07 19:43:52 2011 Successful ARP Flush on interface [196612] {29093224-85F7-4DF3-B8C1-04A1DEB5A04E}
Mon Nov 07 19:43:55 2011 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up
Mon Nov 07 19:43:55 2011 MANAGEMENT: >STATE:1320691435,ADD_ROUTES,,,
Mon Nov 07 19:43:55 2011 C:\WINDOWS\system32\route.exe ADD 147.229.8.0 MASK 255.255.255.0 172.27.128.9
Mon Nov 07 19:43:55 2011 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Mon Nov 07 19:43:55 2011 C:\WINDOWS\system32\route.exe ADD 147.229.176.0 MASK 255.255.255.0 172.27.128.9
Mon Nov 07 19:43:55 2011 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Mon Nov 07 19:43:55 2011 C:\WINDOWS\system32\route.exe ADD 172.27.128.1 MASK 255.255.255.255 172.27.128.9
Mon Nov 07 19:43:55 2011 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Mon Nov 07 19:43:55 2011 add_route_ipv6(2000::/3 -> 2001:67c:1220:810::1 metric 0) dev Local Area Connection 3
Mon Nov 07 19:43:55 2011 C:\WINDOWS\system32\netsh.exe interface ipv6 add route 2000::/3 Local Area Connection 3 fe80::8 store=active
Mon Nov 07 19:43:55 2011 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Ok.
Mon Nov 07 19:43:56 2011 Initialization Sequence Completed
Mon Nov 07 19:43:56 2011 MANAGEMENT: >STATE:1320691436,CONNECTED,SUCCESS,172.27.128.10,147.229.9.81
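As an added example that is not part of the original page, a Python checker that reads a client log like the one above and maps it onto the FAQ items: the [IPv6 payload] marker in 2.2.x builds, a handshake stalled at TLS: Initial packet, the auth-nocache warning, plus the server certificate CN, the data channel cipher and the addresses and routes pushed by the server. The sample input is a constructed excerpt of the log above, and the expected CN vpn.fit.vutbr.cz is taken from that log.

```python
import re
# Sample input: a constructed excerpt of the client log above.
SAMPLE_LOG = """\
Mon Nov 07 19:43:32 2011 OpenVPN 2.2.0 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] [IPv6 payload 20110522-1 (2.2.0)] built on May 22 2011
Mon Nov 07 19:43:40 2011 TLS: Initial packet from 147.229.9.81:1194, sid=021856dc 76b7c36a
Mon Nov 07 19:43:40 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Nov 07 19:43:46 2011 VERIFY OK: depth=0, /C=CZ/ST=Czech_Republic/L=Brno/O=Brno_University_of_Technology/OU=Faculty_of_Information_Technology/CN=vpn.fit.vutbr.cz
Mon Nov 07 19:43:46 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Nov 07 19:43:48 2011 PUSH: Received control message: 'PUSH_REPLY,ifconfig-ipv6 2001:67c:1220:810::1:1 2001:67c:1220:810::1,route-ipv6 2001::/3,route 147.229.8.0 255.255.255.0,route 147.229.176.0 255.255.255.0,dhcp-option NBT 2,dhcp-option WINS 147.229.8.12,tun-ipv6,route 172.27.128.1,topology net30,ping 10,ping-restart 120,ifconfig 172.27.128.10 172.27.128.9'
Mon Nov 07 19:43:56 2011 Initialization Sequence Completed
"""
EXPECTED_CN = "vpn.fit.vutbr.cz"  # server certificate CN seen in the log above
def parse_openvpn_log(text):
    """Extract version, TLS progress, server CN, data cipher and server-pushed options."""
    f = {"version": None, "ipv6_payload": False, "tls_started": False, "server_cn": None,
         "cipher": None, "push": {}, "auth_cache": False, "completed": False}
    for line in text.splitlines():
        m = re.search(r"OpenVPN (\d+\.\d+\.\d+) ", line)
        if m and f["version"] is None:                      # the banner line
            f["version"], f["ipv6_payload"] = m.group(1), "[IPv6 payload" in line
        f["tls_started"] |= "TLS: Initial packet" in line
        m = re.search(r"VERIFY OK: depth=0, .*CN=(\S+)", line)
        if m:                                               # leaf cert verified: the handshake got through
            f["server_cn"] = m.group(1)
        m = re.search(r"Data Channel Encrypt: Cipher '([^']+)'", line)
        if m:                                               # BF-CBC here; OpenVPN 2.5+ no longer enables it by default
            f["cipher"] = m.group(1)
        f["auth_cache"] |= "auth-nocache" in line
        m = re.search(r"PUSH_REPLY,(.*)'", line)
        if m:                                               # push["route"] -> [["147.229.8.0", "255.255.255.0"], ...]
            for opt in m.group(1).split(","):
                w = opt.split()
                f["push"].setdefault(w[0], []).append(w[1:])
        f["completed"] |= "Initialization Sequence Completed" in line
    return f

def diagnose(f):
    """Map the findings onto this page's FAQ items; an empty list means the log looks healthy."""
    p = []
    if f["version"] and f["version"].startswith("2.2.") and not f["ipv6_payload"]:
        p.append("2.2.x build without [IPv6 payload]: IPv6 will not work, upgrade")
    if f["tls_started"] and f["server_cn"] is None:
        p.append("stalled after 'TLS: Initial packet': wait a while and retry (NAT/CGNAT FAQ)")
    if f["server_cn"] and f["server_cn"] != EXPECTED_CN:
        p.append("unexpected server certificate CN: " + f["server_cn"])
    if f["auth_cache"]:
        p.append("password may be cached in memory: add 'auth-nocache' to the config")
    if not f["completed"]:
        p.append("never reached 'Initialization Sequence Completed'")
    return p
```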
tracert kazi
Tracing route to kazi [147.229.8.12]
over a maximum of 30 hops:

1 228 ms   230 ms   205 ms  172.27.128.1
2 257 ms   236 ms   242 ms  bda-boz.fit.vutbr.cz [147.229.9.1]
3 176 ms   199 ms   349 ms  kazi.fit.vutbr.cz [147.229.8.12]

tracert6 ipv6.google.com

Tracing route to ipv6.l.google.com [2a00:1450:8007::69]
from 2001:67c:1220:810::1:1 over a maximum of 30 hops:

 1        *       88 ms    88 ms  vpn-gw6.fit.vutbr.cz [2001:67c:1220:810::1]
 2       77 ms    86 ms    86 ms  bda-boz6.fit.vutbr.cz [2001:67c:1220:809::1]
 3       75 ms    74 ms    73 ms  hp-meo.net.vutbr.cz [2001:67c:1220:f521::aff:701]
 4       82 ms    81 ms    90 ms  hp-ant.net.vutbr.cz [2001:67c:1220:f559::aff:201]
 5       79 ms    78 ms    77 ms  hp-kou.net.vutbr.cz [2001:67c:1220:f529::aff:601]
 6       76 ms    74 ms    73 ms  gw-kou6.net.vutbr.cz [2001:67c:1220:f534::aff:605]
 7       81 ms    80 ms    79 ms  2001:718:0:c003::1
 8       97 ms    97 ms    97 ms  pr61.ams04.net.google.com [2001:7f8:1::a501:5169:1]
 9       97 ms    97 ms    97 ms  pr61.ams04.net.google.com [2001:7f8:1::a501:5169:1]
10       96 ms     *      118 ms  2001:4860::1:0:8
11       97 ms    96 ms    95 ms  2001:4860::8:0:2db0
12       94 ms    93 ms    93 ms  2001:4860::8:0:3016
13      102 ms   101 ms   100 ms  2001:4860::2:0:48d
14      109 ms    98 ms    97 ms  2001:4860:0:1::cb
15       96 ms    95 ms    94 ms  fx-in-x69.1e100.net [2a00:1450:8007::69]
