VPN

Theunissen Lab Virtual Private Network (VPN)

Connecting to the VPN

1. Create new VPN credentials on zebra (you can have one per device, or use the same credentials on all your devices. If you lose your device, you should have these credentials revoked and generate new ones)

   • You will create one password for the VPN account and one password to encrypt your private key.

2. Transfer the credentials file, KEYNAME_keys.tar.gz, to your computer and extract/unzip it (tar -xvzf KEYNAME_keys.tar.gz). I prefer to keep them in my ~/.ssh/ directory. It should contain 5 files:

   ca_zebra.fet.berkeley.edu.crt
   client_zebra.fet.berkeley.edu.crt
   client_zebra.fet.berkeley.edu.key
   ta_zebra.fet.berkeley.edu.key
   config.ovpn
   

from Ubuntu

3. Open network settings, click add VPN (Ubuntu has OpenVPN built in)

4. Load the config.ovpn file

from Mac or Windows

3. Install OpenVPN Connect Client from their website You should find the exact software for MacOs (OpenVPN Connect V3) here

4. Run OpenVPN Connect Client and go to add/import a profile or upload a file

5. Select the config.ovpn file (to make .ssh folder visible press Command+Shift+G then enter ~/.ssh) and enter your credentials

   • Your username is the KEYNAME, and your passwords were created in step 1. Password is finch's private key; the private key password is the first password (PEM pass phrase).

6. if you encounter the error message "required credentials are missing" follow these steps

Note: OpenVPN could not establish the connection for Julie as of 2025/01/24

from iOS or Android

The config.ovpn file references the other files in the KEYNAME_keys.tar.gz package. However, when loading the config on mobile these references won't work, and those keys must be embedded directly into the config file.

3. Open the config.ovpn file in a text editor. Replace the lines

   ca ca_zebra.fet.berkeley.edu.crt
   cert client_zebra.fet.berkeley.edu.crt
   key client_zebra.fet.berkeley.edu.key
   tls-auth ta_zebra.fet.berkeley.edu.key 1
   

   with

   <ca>
   -----BEGIN CERTIFICATE-----
   [paste cert from ca_zebra.fet.berkeley.edu.crt]
   -----END CERTIFICATE-----
   </ca>
   <cert>
   -----BEGIN CERTIFICATE-----
   [paste cert from client_zebra.fet.berkeley.edu.crt]
   -----END CERTIFICATE-----
   </cert>
   <key>
   -----BEGIN ENCRYPTED PRIVATE KEY-----
   [paste key from client_zebra.fet.berkeley.edu.key]
   -----END ENCRYPTED PRIVATE KEY-----
   </key>
   <tls-auth>
   -----BEGIN OpenVPN Static key V1-----
   [paste key from ta_zebra.fet.berkeley.edu.key]
   -----END OpenVPN Static key V1-----
   </tls-auth>
   
   key-direction 1
   

4. One by one, open the files ca_zebra.fet.berkeley.edu.crt, client_zebra.fet.berkeley.edu.crt, client_zebra.fet.berkeley.edu.key, and ta_zebra.fet.berkeley.edu.key, find the sections starting with ------BEGIN XXXXX-----, and copy/paste them into the corresponding spots in the config.ovpn file (without brackets)

5. Securely transmit your config.ovpn file to your mobile device. For iPad, three ways to do this are (1) AirDrop from your Mac, (2) transfer via iTunes, or (3) upload it to iCloud from your computer and download it on your device. You can email it to yourself too, but note that this is not as secure.

6. On your mobile device, download and install the OpenVPN app.

7. Find the config.ovpn file on your device, and open it with the OpenVPN app. Input your credentials generated from step 1 (username will be KEYNAME)

Create credentials for a new VPN user

Instructions here

Details on the VPN configuration

Details here

Troubleshooting

Cannot connect by hostnames on Windows

Normally, when you connect to our VPN server, it tells your computer to use 10.0.2.1 (finch) as its DNS server. This is a line in the config.ovpn file. On Windows' OpenVPN Connect Client this doesn't seem to work. Not sure how to solve this but you can manually figure out how to add finch (AKA fet.neuro.berkeley.edu) as your DNS server, or connect to a host using its full name (e.g. corvus.fet.berkeley.edu).