Our VPN (Virtual Private Network) provides simple access to facilities that normally cannot be accessed from outside CSIM (except by using an SSH tunnel). Examples of facilities with restricted access are the virtual servers and the GPU servers.
Our VPN does not behave like commercial ones: it does not proxy all your connections through CSIM. Only your traffic to and from CSIM goes through the VPN; the rest of your traffic goes through your ISP as it normally would. With the VPN, your computer can be seen as being part of the CSIM network, wherever you are located in the world.
On Linux systems, access to AIT resources is also covered by our VPN, just as if you were connected inside the CSIM building (Windows clients have the same access but need to add a route manually, as described in step 10).
Authentication is based on your user credentials (username and password provided at CSIM) and a VPN certificate file.
The VPN certificate file is personal and encrypted with a password. It should be a password different from your user password. The VPN certificate file provides another layer of security, beyond the standard username and password.
Once it has been created and encrypted, there is no way to recover the password used to encrypt the VPN certificate file.
You are only allowed to have one device connected to CSIM VPN at any time.
Go to your account management page to create and download your VPN certificate file.
The VPN section is located right below the section where you can change your password.
You must enter the password used to encrypt your VPN certificate, then press the
Note: once your certificate has been created, it is valid for one year. If you forget your VPN encryption password, it will not be possible to generate another VPN certificate.
Once it has been created, you can download your VPN certificate at any further time. Just click on the
You can download the certificate as often as you wish. If new functionalities have been added to the VPN, they will be included the next time you download your certificate.
The VPN certificate file is called
You can install that VPN certificate file on any device you will use to connect to CSIM VPN.
This has been tested on Windows 7.
1. Download OpenVPN from the community page.
   Install the application normally.
   Accept the installation of the WireGuard LLC Network Adapter and Tap-Windows Provider V9 Network adapters; they are essential components to run OpenVPN on Windows.
2. Right-click on the icon for OpenVPN in the hidden icons menu and select
   Note: the next operations with OpenVPN will always be done with a right-click on the icon.
3. Select the proper VPN certificate file, with the name
   The VPN certificate files are saved in
   You can install more than one certificate file, but there is no mechanism provided to remove a file apart from manually removing it in Windows Explorer.
4. OpenVPN is configured and ready to use.
   Click on OK to continue.
5. Right-click on OpenVPN hidden icon and select
6. Enter your username and password.
   You must use your CSIM credentials.
   And click OK.
7. The next step is to enter the encryption password used for the VPN certificate file.
   When you click on OK, the connection will be established with CSIM VPN.
8. When the status window of OpenVPN displays the message
   The status window will hide automatically.
   Note: the hidden icon for OpenVPN changes to a green colour when the connection is completed.
9. You can run a
   That means that your computer is now connected inside CSIM.
10. You can manually add a route to the AIT network
    Open a command prompt with administrator privileges (Start, All Programs, Accessories, Right click on Command Prompt, Run as Administrator);
    Enter the following command:
This has been tested on Ubuntu 20.04.
CSIM VPN is not supported by the Ubuntu native VPN client. This is likely due to the fact that we manage dynamic IP addresses for the clients on a different server than the OpenVPN server.
But the OpenVPN client is readily available. In case you are using a Linux distribution that does not include OpenVPN, you can download it from the OpenVPN Community pages.
You must start by creating or downloading the following script (let's call it up.sh). This script will create the needed routing through the VPN.
    #!/usr/bin/sh
    # Test if a route exists to the VPN server
    route_exist=`ip route show 22.214.171.124`
    if [ "XX$route_exist" != "XX" ]; then
        logger -p user.info -t openvpn.up Deleting existing route to VPN server
        ip route del 126.96.36.199
    fi
    # Set a route to the VPN server using the default route, as resolved by
    # the existing routing table
    ip route add to `ip route get 188.8.131.52|cut -d' ' -f 1-3|sed '/^ *$/d'`
    logger -p user.info -t openvpn.up Route to VPN server has been added
    # DHCP address can only be obtained after the VPN connection had fully
    # initialized. Run DHCP in a separate and detached process.
    (while :    # loop indefinitely until we get a dynamic IP
    do
        # $1 is the tunnel interface name passed by OpenVPN to the --up script
        dhclient "$1"
        ret=$?
        if [ $ret -eq 0 ] ; then
            # dhclient will sometime resolve to some private IP coming from
            # (the script is cut off here; assumed minimal completion:
            # stop retrying once dhclient has succeeded)
            break
        fi
    done) &
Then you launch OpenVPN with the command:
sudo openvpn --config <VPN_certificate_file> --up <path_to>/up.sh --script-security 2
You may want to save that command in a script. OpenVPN will ask for your username and password, as well as the password used for encrypting the VPN certificate file. You must use sudo because you need super-user privileges to establish the VPN connection.
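A pre-flight check for the launch command above, as an added example that is not part of the original page: with `--script-security 2`, OpenVPN started through sudo runs up.sh as root, so the script should be root-owned and not writable by group or others, and the certificate file should be accessible only to you. The function names and the `start_vpn` wrapper are hypothetical, and `stat -c` assumes GNU coreutils as shipped with Ubuntu.

```shell
#!/bin/sh
# Added example (not from the CSIM page): pre-flight checks for the launch
# command. With --script-security 2, OpenVPN started through sudo runs the
# --up script as root, so that script must not be modifiable by other accounts.

# file_is_safe FILE [OWNER_UID]
# Succeeds only if FILE is a regular file (not a symlink), is owned by
# OWNER_UID (default 0, i.e. root) and is not writable by group or others.
# Assumes GNU stat (stat -c), as shipped with Ubuntu.
file_is_safe() {
    f=$1
    want_uid=${2:-0}
    [ -f "$f" ] || return 1
    [ ! -L "$f" ] || return 1
    [ "$(stat -c %u "$f")" = "$want_uid" ] || return 1
    mode=$(stat -c %a "$f")
    [ $(( 0$mode & 022 )) -eq 0 ]     # no write bit for group or others
}

# is_private FILE
# Succeeds only if group and others have no access at all (e.g. mode 600).
is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1")
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# start_vpn CONFIG UP_SCRIPT (hypothetical wrapper around the page's command)
start_vpn() {
    if ! file_is_safe "$2" 0; then
        echo "refusing: $2 must be root-owned and not group/world-writable" >&2
        return 1
    fi
    if ! is_private "$1"; then
        echo "refusing: $1 is accessible to other accounts (chmod 600)" >&2
        return 1
    fi
    sudo openvpn --config "$1" --up "$2" --script-security 2
}

# Runs only when called with both paths: CONFIG UP_SCRIPT
if [ "$#" -eq 2 ]; then
    start_vpn "$@"
fi
```

A copy of up.sh kept in your home directory under your own account fails the ownership check; install it root-owned with mode 755 in a directory only root can write to, and pass that path to `--up`.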
The connection has been established when you receive the message
Extracted DHCP router address: 184.108.40.206.
You can verify that you are connected to CSIM VPN with a
    olivier@olivier:~$ traceroute bazooka.cs.ait.ac.th
    traceroute to bazooka.cs.ait.ac.th (220.127.116.11), 64 hops max
      1   18.104.22.168  19,085ms  18,883ms  18,648ms
    olivier@olivier:~$ traceroute intranet.ait.ac.th
    traceroute to intranet.ait.ac.th (22.214.171.124), 64 hops max
      1   126.96.36.199  19,833ms  18,579ms  18,623ms
      2   188.8.131.52  20,375ms  21,593ms  20,212ms
      3   184.108.40.206  18,663ms  19,672ms  18,717ms
    olivier@olivier:~$ netstat -r
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    default         _gateway        0.0.0.0         UG        0 0          0 wlo1
    link-local      0.0.0.0         255.255.0.0     U         0 0          0 wlo1
    220.127.116.11  0.0.0.0         255.255.255.0   U         0 0          0 tap0
    vpn.cs.ait.ac.t _gateway        255.255.255.255 UGH       0 0          0 wlo1
    192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 wlo1
    18.104.22.168   csrouter2.cs.ai 255.255.192.0   UG        0 0          0 tap0
    olivier@olivier:~$
In the traceroute samples, you can see that CSIM servers can be reached in a single hop, like for any client inside the CSIM network. The same is true for AIT servers, which are reached in three hops.
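One way to check the split-tunnel layout that the routing table above illustrates, as an added example rather than a script provided by CSIM: the default route must stay on the ISP interface, the VPN server must be reached through a host route outside the tunnel (the route up.sh sets up), and at least one network must be routed through the tunnel interface. The function name `check_split_tunnel` is hypothetical and every address in the sample is a constructed documentation address, not a CSIM address.

```shell
#!/bin/sh
# Added example (not from the CSIM page): check a routing table for the
# split-tunnel layout described on this page. All addresses below are
# constructed documentation addresses, not CSIM's.

# check_split_tunnel VPN_IF VPN_SERVER_IP   (reads `ip route show` text on stdin)
# Succeeds when: the default route is NOT on VPN_IF, a host route to the VPN
# server leaves through another interface, and at least one network is
# routed through VPN_IF. Prints a one-line verdict either way.
check_split_tunnel() {
    awk -v vif="$1" -v srv="$2" '
        { dev = ""; for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1) }
        $1 == "default" && dev == vif        { full = 1 }
        $1 == srv && dev != "" && dev != vif { pinned = 1 }
        $1 != "default" && dev == vif        { inside++ }
        END {
            if (full)    { print "default route is on " vif ": all traffic is tunnelled"; exit 1 }
            if (!pinned) { print "no host route to " srv " outside " vif; exit 1 }
            if (!inside) { print "nothing is routed through " vif; exit 1 }
            print inside " route(s) on " vif ", default route untouched"
        }'
}

# Constructed sample in `ip route show` format: wlo1 is the ISP side, tap0 the VPN.
SAMPLE_ROUTES='default via 192.168.0.1 dev wlo1 proto dhcp metric 600
192.168.0.0/24 dev wlo1 proto kernel scope link src 192.168.0.23 metric 600
203.0.113.10 via 192.168.0.1 dev wlo1
198.51.100.0/24 dev tap0 proto kernel scope link src 198.51.100.57
192.0.2.0/24 via 198.51.100.1 dev tap0'

printf '%s\n' "$SAMPLE_ROUTES" | check_split_tunnel tap0 203.0.113.10
# On a live system: ip route show | check_split_tunnel tap0 <VPN server IP>
```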