VPN

Using the VPN

Overview:

Hingham PS has enabled a VPN (virtual private network) to allow users access to school resources from home. Our implementation is based upon the open source ‘OpenVPN’ software. In order to use the VPN from home, you must have Internet access (preferably FIOS or via coaxial cable or through a mobile broadband connection). Then, you must connect to the VPN server to download the OpenVPN client software. Use your network credentials to connect to the OpenVPN server. After the download, you must have administrative rights on your home PC to install the client software.
Run that OpenVPN client software whenever you wish to connect to the VPN. The VPN connection will provide you with the same user rights as if you had connected physically to the school network. It will not automatically map your documents to the ‘Y-drive’, nor will it change the default saving location of your applications to any shared network folder. You would need to do this manually if you so choose. To begin:

Download the installer

Log in to the VPN Access server (https://vpn.hinghamschools.com) and download the VPN software. When prompted for a login, use the same username and password combination as you would on a school PC.
After login, select the link that says ‘OpenVPN_Installer.exe’.
If you are using a Mac, you will need to install an OpenVPN client, like Tunnelblick, and then apply your profile. Follow the instructions at the OpenVPN site for a more detailed explanation.

Detailed Instructions – Windows PCs:

These instructions are a modified and truncated version of the OpenVPN site’s guide. Please be sure to read through if you experience any difficulties accessing the VPN or are more curious about the process.

The Client Web Server

The Client Web Server’s role is to create and distribute client configuration files and/or pre-configured OpenVPN Windows Client GUI installers to authenticated users. This is the only way that VPN client installations are deployed with OpenVPN Access Server.
The client configuration and installer files generated by the Client Web Server for a particular user are locked to that user. No other user can connect to the VPN with those files. Note that more than one connection profile may be installed on a client machine, for those situations where multiple users share the same machine. The user accesses the Client Web Server by entering the appropriate https URL into his or her Web browser (see installer link in ‘Download the Installer’ section above). When the browser connects, the user will likely see a warning or error displayed due to the untrusted server certificate. Once the user confirms that the server should be accessed, the user is presented with a simple login page, as shown below.
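
Because the browser cannot validate this certificate, a user can check it by hand before accepting the warning. The following PowerShell is an added example (not from the district or the OpenVPN guide) that compares the SHA-256 fingerprint of the certificate the server presents with one obtained from the district by another channel; `$Expected` is a placeholder and the function names are hypothetical.

```powershell
# Added example, not district or OpenVPN code.
# $Expected is a placeholder: get the real SHA-256 fingerprint from the
# district IT office by phone or in person, not from the web page itself.
$VpnHost  = 'vpn.hinghamschools.com'          # host name given on this page
$Expected = '<SHA-256 fingerprint from IT office>'

function Get-ServerCertSha256 {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever certificate is presented: trust is decided below by
        # comparing its hash, not by the Windows certificate store.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        $der = $ssl.RemoteCertificate.GetRawCertData()
        $sha = [System.Security.Cryptography.SHA256]::Create()
        return [System.BitConverter]::ToString($sha.ComputeHash($der))
    }
    finally { $tcp.Close() }
}

function ConvertTo-PlainHex([string]$Fingerprint) {
    # Strip colons, dashes and spaces so differently formatted values compare equal.
    return ($Fingerprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

$want = ConvertTo-PlainHex $Expected
if ($want.Length -ne 64) {
    throw 'Set $Expected to the 64-hex-digit SHA-256 fingerprint first.'
}

$seen = ConvertTo-PlainHex (Get-ServerCertSha256 -HostName $VpnHost)
if ($seen -eq $want) {
    Write-Host "Fingerprint matches: $seen"
} else {
    Write-Warning 'Fingerprint mismatch. Do not log in or download the installer.'
    Write-Warning "Server presented: $seen"
}
```

A mismatch means the certificate reaching the home PC is not the one the district issued, so the network credentials should not be entered on that page.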

Upon successful authentication, the user sees a page (shown in Figure 38 below) which offers two download options:
1. Download a self-contained, pre-configured installer for the OpenVPN Windows Client GUI software. This is the recommended option for Windows users, as the installer file contains everything needed to install an OpenVPN client that is already configured for the specific user.
2. Download a configuration file which can be used on any OpenVPN (version 2.1 or higher) compliant client. This option is primarily useful if the user’s computer, which may be a non-Windows machine, already has a compatible OpenVPN client installed.

Users can also click the links to pages describing how to install a compatible OpenVPN client on MacOSX and Linux platforms. Finally, the user can sign off of the Client Web Server using the “Log Out” link.

 

OpenVPN Windows Client GUI

The OpenVPN-Access Server Windows Client GUI provides a simple interface for the user to connect to their OpenVPN Access Server. The client software, as installed by the pre-configured installer downloaded from the Client Web Server, always connects to the Access Server which created the installer file for the user. The OpenVPN-AS Windows Client GUI can be installed on a Windows system alongside other OpenVPN clients, as long as only one is used at any time to connect to the OpenVPN Access Server.

Installation

Once the installer file is downloaded from the Client Web Server, the user runs the installer from its downloaded location. A familiar Setup Wizard walks the user through the installation steps. The only option for the user to specify is the folder to use for the new OpenVPN-AS Client files; the default folder is C:\Program Files\OpenVPNTech.
Important Note:
Since the OpenVPN-AS Windows Client GUI must install a TAP device driver on the system, the user must have administrative privileges on the Windows computer in order to successfully complete the client installation. When the Setup Wizard reaches the point when it must install the TAP driver, the user may see a pop-up warning message similar to that shown below. This warning is normal and the user can proceed by clicking the “Continue Anyway” button (or its equivalent on Windows versions other than XP).

When the Setup Wizard completes, a new shortcut (called “OpenVPN-AS Client”) is added to the user’s Windows desktop and a new “OpenVPN-AS Client” folder is added to the Programs accessible via the Start menu. Note that there is no further configuration needed to make the installed client utilize the desired OpenVPN Access Server, since the proper client configuration is embedded in the installer file when it is generated by the Client Web Server.

GUI Operation: Connecting to VPN
Once the user launches the OpenVPN-AS Windows Client GUI (using the “OpenVPN-AS Client” shortcut on the desktop or in the Programs list), a login panel appears, as shown below. Note that the “Username” field is not editable, since the VPN client installation is locked to the user that downloaded the installer file from the Client Web Server. After entering a password, the user presses the “Connect” button to start the connection and authentication process.


Login Window


Status Window: Connected
If the user’s password, coupled with the fixed username, causes the authentication with the OpenVPN Access Server to succeed, the user will briefly see the “Connected” message in the Status window, as shown in the picture above (the Status window disappears shortly after the “Connected” message is displayed). Otherwise, a login failure message is displayed, as shown in the picture below.

Status Window: Login Failure
Pressing the “Connect” button brings the user back to the Login Window; from there, the user can retry the authentication with a different password or press the “Cancel” button to exit.
System Tray Indicator
As soon as the OpenVPN-AS Windows Client GUI is launched, a system tray icon appears showing the current status of the VPN connection. The OpenVPN icon with a grey keyhole shape indicates an inactive VPN connection, while the same icon with a green keyhole shape indicates an active VPN connection. The green color is alternated between dark and bright green to indicate network activity over the VPN. A red color indicates an error or a startup condition during which the OpenVPN-AS Windows Client GUI is not ready for regular operation. A yellow colored keyhole indicates the connection is being established.


Tray Icon (VPN not connected)


Tray Icon (VPN connected)
When a mouse pointer is made to hover over this system tray icon, a “tip” is shown with the current VPN connection status (e.g., “Disconnected”).

System Tray Menu
Upon right-clicking on the system tray icon, the user sees a pop-up menu containing the following choices:

“Connect” – initiates a connection to the OpenVPN Access Server by bringing up the Login window
“Disconnect” – disconnects current VPN connection
“Show Status” – shows the Status window
“Exit” – exits the GUI, removing the system tray icon

If the user clicks anywhere outside the menu, the right-click menu disappears. Double-clicking on the system tray icon is equivalent to choosing the “Show Status” menu item.

Disconnecting from VPN
The user disconnects from the VPN using either the “Disconnect” or the “Exit” option in the popup menu seen after right-clicking the system tray icon. When disconnecting, the user may see a balloon pop-up message from Windows saying that “a network cable has been unplugged.”

Un-installation
To uninstall the OpenVPN-AS Windows GUI Client, the user selects the “Uninstall OpenVPN-AS Client” entry in the “OpenVPN-AS Client” Programs group. This removes the client software along with all of its installed components, shortcuts and client configuration.

Accessing HPS Network Resources

If you have successfully connected to the VPN (green keyhole icon in the Windows system tray), you’ll probably want to gain access to your HPS files and possibly network applications as well. First, you need to know where these resources reside. Some schools have different file servers, so connecting to your documents will require a slightly different procedure depending on which school server hosts your files. To access your user-specific document location (Y-drive) from the High School server, select the Start button, choose ‘Run’ and enter the following:
\\172.17.0.7\yourusername$ (where ‘yourusername’ is the same username that you used to connect to the VPN). Then, select ‘OK’.
To connect to the Middle School server, the process is the same, except for the IP address of the server.
HMS users would enter the following: \\172.17.0.8\yourusername$
South School users would enter \\172.17.0.9\yourusername$
PRS users would enter \\172.17.0.9\yourusername$
Foster users would enter \\172.17.0.9\yourusername$
East users would enter \\172.17.0.9\yourusername$

If you have any difficulties with these procedures, please see the ‘Other Things You Should Know’ section below.

Other Things You Should Know

When you are connected to the VPN, you will be utilizing the District’s computing resources not only to work with your documents, but also to browse the web. This means, among other things, that you may find your browsing is subject to the same WebSense content filtering as at school. If you find this disagreeable, you may wish to collect the files you need to work on via the VPN, save them somewhere on your local computer, and then disconnect from the VPN. When you need to upload those files back to the school server, reconnect to the VPN and your Y-drive and copy/paste your modified files back.

Sprint mobile broadband users have reported that their Internet connection drops after what initially appears to be a successful connection to the OpenVPN client. To address this, in Smartview go to Tools, Settings, Rules Engine, Connection Maintenance and select Maintain established connection regardless … (or “Prompt before disconnect”). This allows Smartview to stay connected after OpenVPN connects. In the newer versions of the Smartview software, you may need to enable the “allow multiple simultaneous connections” checkbox.

Additionally, if you are running a personal firewall program, like ZoneAlarm, you need to add the HPS network to the ‘Trusted Networks’ zone in order for certain network functions, like drive mappings, to work properly.