This shows you the differences between two versions of the page.
| vpnaccess [2018/06/29 15:59] djgalloway | vpnaccess [2026/02/23 14:22] (current) djgalloway [Requesting Access] | ||
|---|---|---|---|
| Line 3: | Line 3: | ||
| To request access to the Sepia lab, | To request access to the Sepia lab, | ||
| - Generate login credentials by following directions under **VPN Client Access** below. | - Generate login credentials by following directions under **VPN Client Access** below. | ||
| - | - [[http://tracker.ceph.com/projects/lab/issues/new?issue[tracker_id]=3|File a ticket]]. Select **Sepia Lab Access Request** for the Issue Template. | + | - [[http://tracker.ceph.com/projects/lab/issues/new?issue[tracker_id]=3|File a ticket]]. |
| + | - Copy and paste the questions below into your ticket | ||
| - | For details on our particular OpenVPN server setup, see [[services:openvpn|OpenVPN]]. | ||
| - | |||
| - | ===== VPN Client Access ===== | ||
| - | Follow the instructions corresponding to your workstation's operating system below. | ||
| - | |||
| - | **NOTE:** You will need VPN credentials for each machine/workstation you intend to connect to the Sepia VPN. **Client credentials can not be used on more than one machine at a time!** | ||
| - | |||
| - | ==== Linux ==== | ||
| <code> | <code> | ||
| - | sudo [apt-get|yum] install openvpn | ||
| - | cd /etc/openvpn | ||
| - | wget http://ceph.com/sage/sepia-vpn-client.tar.gz | ||
| - | sudo tar zxvf sepia-vpn-client.tar.gz | ||
| - | # Generate client credentials | + | 1) Do you just need VPN access or will you also be running teuthology jobs? |
| - | # USER should be your desired username and HOST should describe your workstation | + | |
| - | # e.g., dgalloway@thinkpad | + | |
| - | sudo ./sepia/new-client USER@HOST | + | 2) Desired Username: |
| - | # Submit the command output in your ticket | + | 3) Alternate e-mail address(es) we can reach you at: |
| - | # After you've been notified in your ticket that access has been granted, | + | (Other than the one used to create your tracker/Redmine account. Optional.) |
| - | sudo service openvpn restart | + | 4) If you don't already have an established history of code contributions to Ceph, is there an existing community or core developer you've worked with who has reviewed your work and can vouch for your access request? |
| - | OR | + | |
| - | sudo systemctl restart openvpn@sepia | + | |
| - | # If you have a /etc/openvpn/client/ directory, you may need to: | + | If you answered "No" to # 4, please answer the following (paste directly below the question to keep indentation): |
| - | sudo mv /etc/openvpn/sepia* /etc/openvpn/client/ | + | 4a) Paste a link to a Blueprint or planning doc of yours that was reviewed at a Ceph Developer Monthly. |
| - | # before you can run openvpn-client@sepia.service. | + | 4b) Paste a link to an accepted pull request for a major patch or feature. |
| - | # This is because the OpenVPN systemd unit file looks in /etc/openvpn/client/ for configuration files by default. | + | |
| - | </code> | + | |
| - | === Linux Gotchas === | + | 4c) If applicable, include a link to the current project (planning doc, dev branch, or pull request) that you are looking to test. |
| - | You may need to modify ''user'' and ''group'' in ''/etc/openvpn/sepia/client.conf'' depending on what user the service runs as. This could be ''nobody'', ''nogroup'', or ''openvpn''. | + | |
| - | <code> | + | 5) Paste your SSH public key(s) between the pre tags: <pre></pre> |
| - | - user nobody | + | |
| - | - group nogroup | + | |
| - | + user openvpn | + | |
| - | + group openvpn | + | |
| - | </code> | + | |
| - | If you're using OpenVPN for any other VPN connection (e.g., Red Hat's), you may need to change the ''dev'' name in ''/etc/openvpn/sepia/client.conf''. See below. | + | 6) Paste your Wireguard public key between the pre tags <pre></pre> |
| - | + | ||
| - | <code> | + | |
| - | - dev tun | + | |
| - | + dev sepia0 | + | |
| - | + dev-type tun | + | |
| </code> | </code> | ||
| - | + | ===== VPN Client Access ===== | |
| - | === Troubleshooting === | + | See [[wireguard|Wireguard Access]] |
| - | To troubleshoot your VPN connection, try running the following command to determine where the connection is failing: | + | |
| - | + | ||
| - | <code> | + | |
| - | openvpn --config /etc/openvpn/sepia.conf --cd /etc/openvpn --verb 5 | + | |
| - | </code> | + | |
| - | + | ||
| - | ==== Fedora NetworkManager GUI ==== | + | |
| - | + | ||
| - | - Make sure you've followed all the prerequisite steps [[vpnaccess#linux|here]] | + | |
| - | - Right click the NetworkManager icon | + | |
| - | - **Edit Connections** | + | |
| - | - Click the + symbol | + | |
| - | - Select **Import a saved VPN configuration** from the bottom | + | |
| - | - Click **Create** | + | |
| - | - Browse to ''/etc/openvpn/sepia/client.conf'' | + | |
| - | - Enter your the first line in ''/etc/openvpn/sepia/secret'' (e.g., ''USER@HOST'') under **User name** | + | |
| - | - Enter the second line in your ''/etc/openvpn/sepia/secret'' file for **Password** | + | |
| - | + | ||
| - | + | ||
| - | ==== Mac/OS X ==== | + | |
| - | Tunnelblick and Viscosity are two clients known to work with the Sepia VPN. | + | |
| - | + | ||
| - | === Tunnelblick **UNTESTED** === | + | |
| - | - Download and untar the Sepia VPN client [[http://ceph.com/sage/sepia-vpn-client.tar.gz|tarball]] <code> | + | |
| - | mkdir /etc/openvpn | + | |
| - | cd /etc/openvpn | + | |
| - | wget http://ceph.com/sage/sepia-vpn-client.tar.gz | + | |
| - | sudo tar zxvf sepia-vpn.client.tar.gz | + | |
| - | + | ||
| - | # Generate client credentials | + | |
| - | # USER should be your desired username and HOST should describe your workstation | + | |
| - | # e.g., dgalloway@thinkpad | + | |
| - | + | ||
| - | sudo ./sepia/new-client USER@HOST | + | |
| - | + | ||
| - | # Submit the output of this command in your ticket</code> | + | |
| - | - Replace the line ''auth-user-pass sepia/secret'' with just ''auth-user-pass'' in client.conf | + | |
| - | - Follow [[https://tunnelblick.net/cConfigT.html|Tunnelblick's instructions]] for adding the config | + | |
| - | - When prompted for user/pass, enter username USER@HOST as above, and for password use the secret contents of the file ''/etc/openvpn/sepia/secret''. | + | |
| - | - Save to your keychain if you wish | + | |
| - | + | ||
| - | === Viscosity === | + | |
| - | + | ||
| - | - Download http://ceph.com/sage/Sepia.visz | + | |
| - | - Download http://ceph.com/sage/sepia-vpn-client.tar.gz | + | |
| - | - Import the Sepia.visz config into Viscosity | + | |
| - | - Extract sepia-vpn-client.tar.gz | + | |
| - | - Save ''sepia/ca.crt'' somewhere | + | |
| - | - Run ''sudo ./sepia/new-client USER@HOST'' | + | |
| - | - Replace ''USER@HOST'' with your desired username and machine description. (e.g., dgalloway@laptop) | + | |
| - | - In Viscosity, under the Authentication tab, set: | + | |
| - | - **Authentication:** SSL/TLS Client | + | |
| - | - Check **Use Username/Password authentication** | + | |
| - | - **CA:** to the ca.crt file you saved earlier | + | |
| - | - **Tls-Auth:** ta.key | + | |
| - | - When connecting to the VPN for the first time, | + | |
| - | - Enter your ''USER@HOST'' combination as the username | + | |
| - | - Enter the second line of ''sepia/secret'' as the password | + | |
| - | - Save the credentials to your keychain | + | |
| - | - You can now delete any downloaded and created files (except ca.crt) | + | |
| ===== A Note About DNS ===== | ===== A Note About DNS ===== | ||
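Review bot: the unchanged first step still reads "Generate login credentials by following directions under **VPN Client Access** below", but in the new revision that section is only "See [[wireguard|Wireguard Access]]" and the ticket now asks for a Wireguard public key in question 6, so the step no longer describes what the requester actually has to produce. Suggest rewording it to say that a Wireguard key pair is generated per the linked page and that only the public key is pasted into the ticket. The revision also deletes the note that "Client credentials can not be used on more than one machine at a time!" while question 6 asks for a single "Wireguard public key" (question 5 allows "SSH public key(s)"); if one key per workstation is still expected, say so next to question 6, or confirm the Wireguard page covers it. Two smaller points: question 6 is missing the colon after "pre tags" that question 5 has, and the "File a ticket" link is plain http:// on both sides of the diff; since requesters submit contact details and keys through it, point it at the tracker's https:// URL if the tracker serves one.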