
Noction VPN Package Deployment

In order to access internal resources at Noction, a VPN package has to be built by the Noction engineers
responsible for managing the VPN service.

When the VPN package is provided, a list of steps has to be completed to deploy it properly on the
destination device. The steps differ from one operating system to another.

Below is the VPN package deployment guide for different device types and operating systems.

Table of Contents
Noction VPN bundle deployment
Linux (Ubuntu 10.04)
VPN Account Password change
Windows
Android
Mac OS
Replace the expired VPN certificate and key files
Linux (Ubuntu)
Windows
Android
Mac OS
Annex 1: Initial OpenVPN Configuration File
Noction VPN bundle deployment
Linux (Ubuntu 10.04)

● Install OpenVPN - http://build.openvpn.net/downloads/releases/ubuntu/10.04/

NOTE: OpenVPN version 2.1.4 is recommended because the latest one has a bug related to password change.
Also choose the appropriate package, i386 or x86_64, depending on the OS installed on the device.

● Save the VPN bundle (archive) received by message on the local disk;
● Unpack the archive;
● Copy the *.crt, *.key and client.conf files received by email to the following destination directory:
/etc/openvpn/;
● Start the OpenVPN client via the following command:
/etc/init.d/openvpn start

NOTE: When the OpenVPN client is launched, a password will be requested. The initial password for the VPN
account is provided in the passwd.txt file of the VPN bundle.

● Check that the VPN connection is established by running the ifconfig command and looking in the result for
something like the following:

tun.vpn Link encap:UNSPEC HWaddr
inet addr:10.210.125.6 P-t-P:10.210.125.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
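
The Linux steps above as a script, given here as an added example that is not part of the original guide: it copies the bundle files so that the private key is readable by its owner only, and checks ifconfig output for an address in 10.210.125.0/24. The function names and the ./bundle directory are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of the original guide.
VPN_PREFIX="10.210.125."   # 10.210.125.0/24, the VPN subnet named in the guide

# install_bundle SRC [DEST]: copy client.conf, *.crt and *.key into DEST
# (default /etc/openvpn); private keys end up readable by their owner only.
install_bundle() {
    src=$1; dest=${2:-/etc/openvpn}; keys=0
    [ -f "$src/client.conf" ] || { echo "no client.conf in $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    install -m 644 "$src/client.conf" "$dest/" || return 1
    for f in "$src"/*.crt; do
        [ -f "$f" ] || continue
        install -m 644 "$f" "$dest/" || return 1
    done
    for f in "$src"/*.key; do
        [ -f "$f" ] || continue
        install -m 600 "$f" "$dest/" || return 1
        keys=$((keys + 1))
    done
    [ "$keys" -gt 0 ] || { echo "no *.key file in $src" >&2; return 1; }
}

# in_vpn_subnet IP: succeed if IP lies in 10.210.125.0/24.
in_vpn_subnet() {
    last=${1#"$VPN_PREFIX"}
    [ "$last" != "$1" ] || return 1               # prefix did not match
    case $last in ''|*[!0-9]*) return 1 ;; esac   # last octet must be digits
    [ "$last" -le 255 ]
}

# vpn_addr: read ifconfig output on stdin ("inet addr:X" or "inet X") and
# print the first IPv4 address inside the VPN subnet; fail if there is none.
vpn_addr() {
    found=$(sed -n 's/.*inet \(addr:\)\{0,1\}\([0-9.]*\).*/\2/p' |
        while read -r ip; do
            in_vpn_subnet "$ip" && echo "$ip"
        done | head -n 1)
    [ -n "$found" ] && echo "$found"
}

# Typical use on the VPN client (as root):
#   install_bundle ./bundle && /etc/init.d/openvpn start
#   ifconfig | vpn_addr || echo "no tunnel address in 10.210.125.0/24" >&2
```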

VPN Account Password change


The password for the VPN connection can be changed by performing a few steps, as presented in the example
below:

● Change directory to the OpenVPN folder:

cd /etc/openvpn/

● Create a new RSA key based on the current one:

openssl rsa -in amustuc.key -out amustuc-tmp.key -des3

NOTE: The generation of the new key will ask for the old and new passwords.

● Replace the current key with the new one:

mv amustuc-tmp.key amustuc.key

● Restart the OpenVPN client:

/etc/init.d/openvpn restart
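
The password change above with a check added, as an example that is not part of the original guide: the key is replaced only when the re-encrypted file exists and is really passphrase-protected, so a failed or incomplete conversion never overwrites the working key, and the same check can audit every *.key file in a directory. The function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of the original guide.

# key_protection FILE: print how the PEM private key in FILE is stored:
#   encrypted  passphrase-protected (PKCS#8 or traditional PEM form)
#   plaintext  private key with no passphrase
#   not-a-key  no PEM private key header found
key_protection() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted                      # PKCS#8 form
    elif grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted                      # traditional PEM form
    elif grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo plaintext
    else
        echo not-a-key
    fi
}

# audit_keys DIR: report every *.key in DIR; non-zero if any is not encrypted.
audit_keys() {
    rc=0
    for f in "$1"/*.key; do
        [ -f "$f" ] || continue
        state=$(key_protection "$f")
        echo "$f: $state"
        [ "$state" = encrypted ] || rc=1
    done
    return "$rc"
}

# change_passphrase KEY: the openssl step from the guide, but the current key
# is replaced only when the new file exists and is really encrypted.
change_passphrase() {
    key=$1; tmp="$key.new.$$"
    ( umask 077; openssl rsa -in "$key" -out "$tmp" -des3 ) &&
        [ "$(key_protection "$tmp")" = encrypted ] &&
        mv "$tmp" "$key" && return 0
    rm -f "$tmp"
    echo "passphrase change failed; $key left unchanged" >&2
    return 1
}

# Typical use (as root): change_passphrase /etc/openvpn/amustuc.key
```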
Windows
In order to deploy the VPN package and to properly configure the Noction VPN on Windows OS, the
following activities have to be performed:

● Install the OpenVPN package for the 32-bit or 64-bit OS version;
● Extract the VPN package zip file, received by mail from Noction engineers, into a separate folder;
● Rename the client.conf file to client.ovpn;
● Copy the folder containing your *.crt, *.key and client.ovpn files to the OpenVPN installation directory:

C:/Program Files/OpenVPN/config

or

C:/Program Files (x86)/OpenVPN/config

● Run OpenVPN from the Start Menu or from the Desktop as Administrator by right-clicking on the
OpenVPN icon and selecting the Run as Administrator option, as shown in the picture below:

NOTE: When the OpenVPN client is launched, a new icon appears in the system tray (two computers with earth).

● Right-click on the icon and choose Connect:

NOTE: The VPN account can be protected by using the Change Password option. By default, no password is
configured.

● Check that the VPN connection is properly established:

○ The icon’s color has to become green and no errors should be present in the logs;
○ In case the logs contain "There are no TAP-Win32 adapters on this system", the required
TAP-Win32 adapter has to be created manually: go to Start -> All Programs -> OpenVPN -> Add
a new TAP-Win32 virtual ethernet adapter and wait for the process to complete;
● When completed, try to establish the VPN connection once again;
● In case of a successful connection, something similar to the picture below is shown:

● In order to verify that the VPN connection is properly established and, respectively, that the required Noction
resources are accessible, a tracert command could be used:
○ Hit Ctrl+R, type cmd and press Enter, or go to Start -> Command Prompt;
○ Do a tracert to salesforce.com and/or any Noction resource to which access is allowed only over the
VPN connection:

NOTE: The address of the first hop (line) in the tracert answer has to be from the 10.210.125.0/24 network, which
means that the requests to the Web resources (salesforce.com) are properly routed over the VPN tunnel.
Android
● Install the OpenVPN Connect utility from Google Play;
● Extract the VPN package zip file, received by mail from Noction engineers, into a separate folder;
● Rename the client.conf file to client.ovpn;
● Copy the folder to your Android device via USB cable, Google Drive or other possible ways (it is also
possible to install a File Manager tool directly on the Android device in order to perform all required activities
on the device itself);
● Start the OpenVPN client;
● From the OpenVPN menu, choose Import -> Import Profile from SD Card and, by navigating to the folder
where the *.ovpn file is stored, choose the configuration profile and click SELECT:

● After the VPN configuration is applied, click the Connect button to establish the VPN connection;
● Once connected, a similar image/connection state is presented:

● In order to verify that the VPN connection is properly established, try to access any Noction resources that
have to be accessible over VPN, like salesforce.com, Confluence, customers’ IRP Front-ends, etc. (The first
hop in the answer should be from the VPN subnet: 10.210.125.0/24).
Mac OS
● Download a stable version of TunnelBlick and install it on the OS X device;
● Extract the VPN package zip file, received by mail from Noction engineers, into a separate folder;
● Comment out the "log-append /var/log/openvpn.log" line in the client.conf configuration file by adding the #
sign before the line, or remove this line completely;
● Double-click the client.conf file in order to open it with the TunnelBlick application, which will automatically
import the configuration into the VPN client;
● Connect the VPN from the TunnelBlick icon in the OS X Taskbar (near the clock). In case the TunnelBlick icon is
not present, the application has to be started from the Launchpad:

● When connected, a pop-up window with green text saying "Connected" appears:

● In order to verify that the VPN connection is properly established, try to access any Noction resources that
have to be accessible over VPN, like salesforce.com, Confluence, customers’ IRP Front-ends, etc. (The first
hop in the answer should be from the VPN subnet: 10.210.125.0/24);

CAUTION: your *.key file must be kept secret and should not be exposed to anyone!


Replace the expired VPN certificate and key files
The VPN bundle is generated for one year and, once expired, the Support Team will generate a new one and
send it via mail. Once the new VPN bundle is received, the new certificate and key have to be installed in place of
the old ones.

Linux (Ubuntu)
● Before replacing the old certificates with the new ones, OpenVPN has to be stopped:
/etc/init.d/openvpn stop
● Copy the *.crt and *.key files newly received by email to the following destination directory: /etc/openvpn/
and overwrite the existing ones;
● The last step is to start OpenVPN and check the connectivity with the new VPN bundle:
/etc/init.d/openvpn start

Windows
● Before replacing the old certificates with the new ones, OpenVPN has to be stopped by
right-clicking on the OpenVPN icon (two computers with earth) in the system tray and choosing the EXIT
option;
● Copy the *.crt and *.key files newly received by email, overwriting the existing ones, to the VPN
application’s directory:
C:/Program Files/OpenVPN/config
or
C:/Program Files (x86)/OpenVPN/config
● The last step is to start OpenVPN and check the connectivity with the new VPN bundle.

Android
The procedure to follow for certificate replacement is:
● Before replacing the old certificates with the new ones, OpenVPN has to be stopped;
● The *.crt and *.key files newly received by email have to be copied to the OpenVPN profile’s directory,
overwriting the existing ones;
● The last step is to start OpenVPN and check the connectivity with the new VPN bundle:
○ In case it’s not possible to find the existing certificate, the easiest way would be to perform the
installation and configuration procedure from the beginning.
Mac OS
Mac OS keeps an application’s configuration in separate folders, and for that reason the easiest way to replace or
update a configuration is to remove the current TunnelBlick configuration and add the new one by following the
Installation and Configuration steps defined in this document.
In order to remove the VPN configuration from the TunnelBlick application, the VPN Details… option has to
be selected by right-clicking the TunnelBlick icon in the OS X Taskbar (near the clock).

NOTE: In case the icon is not there, the TunnelBlick tool has to be started from the Launchpad.

When the VPN Details window is open, the configuration part contains + and - options that allow the
configuration to be removed and added, as shown in the picture below:

After the old configuration is removed and the new one added, the Connect button in the same
window can be used to establish the VPN connection.
Annex 1: Initial OpenVPN Configuration File
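# Client mode over a routed tunnel, TCP to the VPN server
client
dev tun
proto tcp-client
remote dev.noction.com 9932
resolv-retry infinite
persist-key
persist-tun
# Do not cache the password in memory
auth-nocache
# Require the peer certificate to be a server certificate
remote-cert-tls server

# CA certificate, account certificate and private key from the VPN bundle
ca ca.crt
cert account_name.crt
key account_name.key

max-routes 10000

comp-lzo

verb 3
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log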
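
A check for a deployed copy of this configuration, as an added example that is not part of the original guide: it confirms that the server-certificate check, auth-nocache and the ca/cert/key/remote directives are still active (not commented out), and for Mac OS that log-append has been commented out as the Mac OS steps require. The function names and the "macos" argument are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of the original guide.

# has_directive FILE NAME [ARG]: succeed if FILE has an active (not commented
# out) line whose first word is NAME and, if ARG is given, second word is ARG.
has_directive() {
    awk -v name="$2" -v arg="$3" '
        /^[ \t]*[#;]/ { next }
        $1 == name && (arg == "" || $2 == arg) { found = 1 }
        END { exit !found }' "$1"
}

# lint_client_conf FILE [PLATFORM]: print one line per finding and return
# non-zero if there is any. PLATFORM "macos" adds the TunnelBlick check.
lint_client_conf() {
    conf=$1; platform=${2:-linux}; rc=0
    has_directive "$conf" remote-cert-tls server ||
        { echo "missing: remote-cert-tls server"; rc=1; }
    has_directive "$conf" auth-nocache ||
        { echo "missing: auth-nocache"; rc=1; }
    for d in ca cert key remote; do
        has_directive "$conf" "$d" || { echo "missing: $d"; rc=1; }
    done
    if [ "$platform" = macos ] && has_directive "$conf" log-append; then
        echo "active: log-append (comment it out for TunnelBlick)"; rc=1
    fi
    return "$rc"
}

# Typical use: lint_client_conf /etc/openvpn/client.conf
#              lint_client_conf ./client.conf macos
```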
