HOWTO.md 10/6/2022
General Information
About
The objective is to have all internal assets accessible only via the VPN. If you find any asset which is publicly
available after the migration, please report it to the #OpSec team.
You are hereby instructed to install the OMG VPN and make sure you can connect before internal assets
become accessible only via the OMG VPN.
Note: The transition from public to internal will take a few weeks to complete. This is to ensure that we
don't break any existing external integrations.
FAQ
Q: Is all traffic routed over the VPN?
No. Only a select few internal routes are pushed over the VPN.
Q: Can I still use other VPN services (e.g., ExpressVPN) to hide my public IP while browsing?
Yes. You can use both the OMG VPN and a traditional VPN together.
Yes. As you only need to Google authenticate to download the initial VPN profile, the OTP code is the
only way to ensure your identity upon connecting to the VPN.
We recommend using the official Pritunl client, which supports both OpenVPN and WireGuard.
However, the OMG VPN supports all OpenVPN clients.
Yes. Every existing URL will be replaced with *something*.corp.omg.inc. Every time a migration is
completed, the affected users will be notified of the new URL. Make sure to update your bookmarks
accordingly.
This is to increase security and prevent external parties from discovering our internal assets. For
example, every SSL certificate issued is published in a global database. In this setup there is only one
wildcard certificate for *.corp.omg.inc. We will use, for example: https://admin-fs.corp.omg.inc,
https://admin-sx.corp.omg.inc, https://admin-api-staging-sx.corp.omg.inc, etc.
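The check below is an added example, not part of the original HOWTO: it audits a Certificate Transparency export for internal names that were logged by name instead of being served by the single wildcard certificate. The log entries are constructed sample data, and every hostname except admin-fs, admin-api-staging-sx and the wildcard itself is made up.

```python
"""Audit a Certificate Transparency (CT) export for disclosed internal names."""
INTERNAL_ZONE = "corp.omg.inc"      # zone named in this HOWTO
WILDCARD = "*." + INTERNAL_ZONE     # the single wildcard certificate

# Constructed sample of SAN lists as a CT search export might return them.
# Only the admin-fs name comes from the page; the others are made up.
CT_ENTRIES = [
    {"id": 1, "sans": ["*.corp.omg.inc"]},
    {"id": 2, "sans": ["omg.inc", "www.omg.inc"]},
    {"id": 3, "sans": ["admin-fs.corp.omg.inc"]},
    {"id": 4, "sans": ["*.ops.corp.omg.inc", "grafana.ops.corp.omg.inc"]},
]


def labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def wildcard_covers(pattern, host):
    """'*' stands for exactly one left-most DNS label (RFC 6125 matching)."""
    p, h = labels(pattern), labels(host)
    if p[0] != "*":
        return p == h
    return len(p) == len(h) and h[0] not in ("", "*") and p[1:] == h[1:]


def disclosed_names(entries, zone=INTERNAL_ZONE):
    """Names under the zone, other than the one wildcard, that were logged."""
    suffix, allowed = "." + zone, "*." + zone
    found = set()
    for entry in entries:
        for san in entry["sans"]:
            name = ".".join(labels(san))
            if name != allowed and name.endswith(suffix):
                found.add(name)
    return sorted(found)


def needs_own_certificate(hosts, pattern=WILDCARD):
    """Hosts the wildcard cannot serve; a named certificate would be logged."""
    return [h for h in hosts if not wildcard_covers(pattern, h)]


if __name__ == "__main__":
    print("disclosed:", disclosed_names(CT_ENTRIES))
    print("not covered:", needs_own_certificate(
        ["admin-api-staging-sx.corp.omg.inc", "api.staging.corp.omg.inc"]))
```

A wildcard matches only one label, so flat hyphenated names such as admin-api-staging-sx stay covered, while a dotted name such as api.staging would need its own publicly logged certificate.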
Yes. There is no restriction on the number of simultaneous clients or how long they remain connected.
Q: I have a router at home that supports WireGuard, IPSec, or OpenVPN. Can I have a permanent VPN
connection?
No. Not at the moment. However, some routers support OpenVPN with OTP which you can configure
using your personal OpenVPN configuration and OTP seed.
OMG VPN requires a one-time password (OTP) to be entered every time you connect to the VPN. You will
need a password manager to manage the OTP.
Admin Portals
The Email Code for internal admin portals will be disabled and 2FA with OTP will be enforced.
SaaS Software
2FA must be enabled on all SaaS Software, including, but not limited to, GitHub, Google GSuite, Trello, etc.
Please take this opportunity to enable 2FA everywhere; at some point in the near future, we will enforce 2FA
everywhere.
Note: For developers, please sign your commits with GPG. It is out of scope for the OMG VPN, but
good practice to do so.
Recommended Software
Note: Authy is the recommended OTP manager: it is the easiest to use, has online backup and restore
functionality, and is also required for SendGrid.
Google Play
Authy
Google Authenticator
FreeOTP
Microsoft Authenticator
Apple Store
Authy
Google Authenticator
FreeOTP
Microsoft Authenticator
Windows
Authy
OTP Manager
MacOS
Authy
OTP Manager
Linux
Authy
Note: You may use any OpenVPN client you are accustomed to. However, IT will only provide support
for the official Pritunl client.
VPN Portal
The VPN portal is available at https://access.corp.omg.inc. Please bookmark this URL!
VPN Authentication
When opening the VPN portal, click on the Sign in with Google button and authenticate yourself with your
name@omg.inc account.
VPN OTP
After authenticating, you will be redirected to your VPN Profile, which will list your personal OTP code. You
must add this to your password manager.
If you use Authy on your mobile device, you can simply scan the QR code.
Open the Pritunl client and click on Import. This will open the Import Profile box, where you enter the
Profile URI Link.
Advanced Instructions
All the information below is optional and for advanced users only.
WireGuard
The Pritunl client supports WireGuard, which is significantly faster than OpenVPN. This is recommended for
DevOps and Developers who SSH into servers.
For WireGuard to work, you need to install the official WireGuard libraries available at
https://www.wireguard.com/install/.
After installing the WireGuard libraries, you must reboot or WireGuard will not show up as an option in the
Pritunl client.
Note: Only the Pritunl client supports WireGuard; you cannot use WireGuard natively.
Other Clients
The OMG VPN should work on all OpenVPN clients. The VPN portal (after clicking show more) allows you to
download your personal OpenVPN configuration file.