
HOWTO.md 10/6/2022

General Information
About
The objective is to have all internal assets accessible only via the VPN. If you find any asset which is publicly
available after the migration, please report it to the #OpSec team.

You are hereby instructed to install the OMG VPN and make sure you can connect before internal assets
become only accessible via the OMG VPN.

Note: The transition from public to internal will take a few weeks to complete. This is to ensure that we
don't break any existing external integrations.

FAQ
Q: Is all traffic routed over the VPN?

No. Only a select few internal routes are pushed over the VPN.

Q: Can I still use other VPN services (e.g., ExpressVPN) to hide my public IP while browsing?

Yes. You can use both the OMG VPN and a traditional VPN together.

Q: Do I have to enter the OTP code every time I connect?

Yes. Because you only need to authenticate with Google to download the initial VPN profile, the OTP code
is the only way to verify your identity when you connect to the VPN.

Q: What VPN client do I install?

We recommend using the official Pritunl client, which supports both OpenVPN and WireGuard.
However, the OMG VPN supports all OpenVPN clients.

Q: Will the URLs to internal assets change?

Yes. Every existing URL will be replaced with *something*.corp.omg.inc. Every time a migration is
completed, the affected users will be notified of the new URL. Make sure to update your bookmarks
accordingly.

Q: Why is everything behind *.corp.omg.inc and no longer on *.cdn.live or *.fans.com, etc.?

This is to increase security and prevent external parties from discovering our internal assets. For
example, every SSL certificate issued is published in a global database. In this setup there is only one
wildcard certificate for *.corp.omg.inc. We will use, for example: https://admin-fs.corp.omg.inc,
https://admin-sx.corp.omg.inc, https://admin-api-staging-sx.corp.omg.inc, etc.
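
The effect of the wildcard on what a public certificate log reveals, as an added example that is not part of the original HOWTO. The entries are constructed from the hostnames above, and `disclosed` and `policy_violations` are hypothetical helper names; the second function is the check a defender could run over log search results to spot a per-host certificate issued under the internal zone.

```python
"""Added example: which internal names a set of logged certificates discloses."""

ZONE = "corp.omg.inc"

# Constructed entries shaped like certificate-log search results (id + SANs).
PER_HOST = [  # hypothetical: one certificate per internal site
    {"id": "c1", "sans": ["admin-fs.corp.omg.inc"]},
    {"id": "c2", "sans": ["admin-sx.corp.omg.inc"]},
    {"id": "c3", "sans": ["admin-api-staging-sx.corp.omg.inc"]},
]
WILDCARD = [  # the setup the FAQ describes: a single wildcard certificate
    {"id": "w1", "sans": ["*.corp.omg.inc"]},
]


def disclosed(entries, zone=ZONE):
    """Split the SANs under `zone` into concrete hostnames and wildcards."""
    zone = zone.lower().rstrip(".")
    hosts, wildcards = set(), set()
    for entry in entries:
        for san in entry["sans"]:
            name = san.lower().rstrip(".")
            if name != zone and not name.endswith("." + zone):
                continue  # certificate name outside the internal zone
            (wildcards if name.startswith("*.") else hosts).add(name)
    return hosts, wildcards


def policy_violations(entries, zone=ZONE):
    """Ids of certificates that name a concrete host under `zone`."""
    return sorted(e["id"] for e in entries if disclosed([e], zone)[0])


if __name__ == "__main__":
    for label, entries in (("per-host", PER_HOST), ("wildcard", WILDCARD)):
        hosts, wildcards = disclosed(entries)
        print(label, "hosts:", sorted(hosts), "wildcards:", sorted(wildcards))
        print(label, "violations:", policy_violations(entries))
```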

Q: Can I connect with multiple devices?

Yes. There is no restriction on the number of simultaneous clients or how long they remain connected.


Q: I have a router at home that supports WireGuard, IPSec, or OpenVPN. Can I have a permanent VPN
connection?

No. Not at the moment. However, some routers support OpenVPN with OTP which you can configure
using your personal OpenVPN configuration and OTP seed.

OTP Code and General 2FA


General Security

OMG VPN requires a one-time-password (OTP) to be entered every time you connect to the VPN. You will
need a password manager to manage the OTP.

Admin Portals

The Email Code for internal admin portals will be disabled and 2FA with OTP will be enforced.

SaaS Software

2FA must be enabled on all SaaS software, including, but not limited to, GitHub, Google GSuite, Trello, etc.
Please take this opportunity to enable 2FA everywhere; at some point in the near future, we will enforce 2FA
everywhere.

Note: For developers, please sign your commits with GPG. It is out-of-scope for the OMG VPN, but
good practice to do so.

Recommended Software

Note: Authy is the recommended OTP manager: it is the easiest to use, has online backup and restore
functionality, and is also required for SendGrid.

Google Play

Authy
Google Authenticator
FreeOTP
Microsoft Authenticator

Apple Store

Authy
Google Authenticator
FreeOTP
Microsoft Authenticator

Windows

Authy
OTP Manager


MacOS

Authy
OTP Manager

Linux

Authy

OMG VPN - Express Installation


VPN Client
The official VPN client is Pritunl and can be downloaded here or at
https://client.pritunl.com/#install.

Download and install the VPN client on your operating system.

Note: You may use any OpenVPN client you are accustomed to. However, IT will only provide support
for the official Pritunl client.

VPN Portal
The VPN portal is available at https://access.corp.omg.inc. Please bookmark this URL!

VPN Authentication
When opening the VPN portal, click on the Sign in with Google button and authenticate yourself with your
name@omg.inc account.


VPN OTP
After authenticating, you will be redirected to your VPN Profile which will list your personal OTP code. You
must add this in your password manager.

If you use Authy on your mobile device, you can simply scan the QR code.


VPN Profile URI


Copy the Profile URI Link from the VPN portal to set up your VPN client.


Open the Pritunl client and click on Import. This will open the Import Profile box where you enter the
Profile URI Link.


Connect to the VPN


Click on the OpenVPN button to start the VPN connection. The same procedure applies to reconnect to the
VPN.


Enter your current OTP code and click on Connect.

Confirm VPN Connectivity


After connecting to the OMG VPN you are presented with the VPN connection status. You can close the
application and it will continue running in the background.


Disconnect the VPN


To disconnect the VPN connection, you can simply click the Disconnect button.


Advanced Instructions
All the information below is optional and for advanced users only.

WireGuard
The Pritunl client supports WireGuard, which is significantly faster than OpenVPN. This is recommended for
DevOps and Developers who SSH into servers.

For WireGuard to work, you need to install the official WireGuard libraries available at
https://www.wireguard.com/install/.

After installing the WireGuard libraries, you must reboot or WireGuard will not show up as an option in the
Pritunl client.

Note: Only the Pritunl client supports WireGuard; you cannot use WireGuard natively.

Other Clients
The OMG VPN should work on all OpenVPN clients. The VPN portal (after clicking show more) allows you to
download your personal OpenVPN configuration file.
