====== VPN Access ======
===== Requesting Access =====
To request access to the Sepia lab,
- Generate login credentials by following directions under **VPN Client Access** below.
- [[http://tracker.ceph.com/projects/lab/issues/new?issue[tracker_id]=3|File a ticket]]. Select **Sepia Lab Access Request** for the Issue Template.
For details on our particular OpenVPN server setup, see [[services:openvpn|OpenVPN]].
===== VPN Client Access =====
Follow the instructions corresponding to your workstation's operating system below.
**NOTE:** You will need VPN credentials for each machine/workstation you intend to connect to the Sepia VPN. **Client credentials can not be used on more than one machine at a time!**
==== Linux ====
<code bash>
sudo [apt-get|yum] install openvpn
sudo mkdir -p /run/openvpn
## Fedora 28 and later
cd /etc/openvpn/client
## All others
cd /etc/openvpn
sudo wget https://filedump.ceph.com/sepia-vpn-client.tar.gz
sudo tar zxvf sepia-vpn-client.tar.gz
# Generate client credentials
# USER should be your desired username and HOST should describe your workstation
# e.g., dgalloway@thinkpad
sudo ./sepia/new-client USER@HOST
# Submit the command output in your ticket
# After you've been notified in your ticket that access has been granted,
sudo service openvpn restart
# OR
sudo systemctl restart openvpn@sepia
# OR
sudo systemctl restart openvpn-client@sepia
# Try all 3. One of them should work.
# Whichever works, enable the systemd service
sudo systemctl enable openvpn@sepia
# OR
sudo systemctl enable openvpn-client@sepia
</code>
=== Linux Gotchas ===
You may need to edit ''user'' and ''group'' in ''/etc/openvpn/sepia/client.conf'' depending on what user the service runs as. This could be ''nobody'', ''nogroup'', or ''openvpn''.
<code bash>
# The config lives under /etc, so the edits need root; the second path is the Fedora 28+ location
sudo sed -i 's/nobody/openvpn/g' /etc/openvpn/sepia/client.conf || sudo sed -i 's/nobody/openvpn/g' /etc/openvpn/client/sepia/client.conf
sudo sed -i 's/nogroup/openvpn/g' /etc/openvpn/sepia/client.conf || sudo sed -i 's/nogroup/openvpn/g' /etc/openvpn/client/sepia/client.conf
</code>
----
If you're using OpenVPN for any other VPN connection (e.g., Red Hat's), you may need to change the ''dev'' name in ''/etc/openvpn/sepia/client.conf''. See below.
<code>
# ERASE
dev tun
# REPLACE WITH
dev sepia0
dev-type tun
</code>
----
If the ''new-client'' script throws an error about ''/usr/bin/python'' not being found, run:
<code bash>
sudo sed -i 's|/usr/bin/python|/usr/bin/python3|g' sepia/new-client
</code>
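As an added example (not from the Sepia wiki or the sepia-vpn-client tarball), a small POSIX shell helper that applies the user/group and ''dev'' edits from the gotchas above to a ''client.conf'' in a single pass, touching only the directive lines and leaving the rest of the file (including the ''auth-user-pass'' line) intact; the function names are my own.

```shell
# Added example: apply the Sepia "Linux Gotchas" edits to an OpenVPN client.conf.
# Usage: sepia_fix_conf <client.conf> <user/group to run as> [<dev name>]
#   sepia_fix_conf /etc/openvpn/sepia/client.conf openvpn          # user/group only
#   sepia_fix_conf /etc/openvpn/sepia/client.conf openvpn sepia0   # also rename the tun device
sepia_fix_conf() {
  conf="$1"
  runas="$2"
  devname="${3:-}"
  [ -f "$conf" ] || { echo "no such config: $conf" >&2; return 1; }
  tmp="$(mktemp)"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "user "*)  printf 'user %s\n' "$runas" ;;     # whatever it was (nobody, nogroup, ...)
      "group "*) printf 'group %s\n' "$runas" ;;
      "dev tun")
        if [ -n "$devname" ]; then
          # a fixed name avoids clashing with another OpenVPN tunnel's tun0
          printf 'dev %s\ndev-type tun\n' "$devname"
        else
          printf '%s\n' "$line"
        fi ;;
      *) printf '%s\n' "$line" ;;                   # every other line passes through unchanged
    esac
  done < "$conf" > "$tmp"
  # write back through the existing file so its owner and mode are preserved
  cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Print the value of one directive, e.g.: sepia_conf_get client.conf dev
sepia_conf_get() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}
```

Run the first call with ''sudo'' when editing the real file under ''/etc/openvpn''.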
=== Troubleshooting ===
Please disable SELinux on RHEL clients.
To troubleshoot your VPN connection, try running the following command to determine where the connection is failing:
<code bash>
# Run as root so openvpn can read the keys and open the tun device
sudo openvpn --config /etc/openvpn/sepia.conf --cd /etc/openvpn --verb 5
# OR
sudo openvpn --config /etc/openvpn/client/sepia.conf --cd /etc/openvpn/client --verb 5
</code>
==== Fedora NetworkManager GUI ====
- Make sure you've followed all the prerequisite steps [[vpnaccess#linux|here]]
- Right click the NetworkManager icon
- **Edit Connections**
- Click the + symbol
- Select **Import a saved VPN configuration** from the bottom
- Click **Create**
- Browse to ''/etc/openvpn/sepia/client.conf''
- Enter the first line of ''/etc/openvpn/sepia/secret'' (e.g., ''USER@HOST'') under **User name**
- Enter the second line of your ''/etc/openvpn/sepia/secret'' file for **Password**
==== Fedora Network Manager GUI -- Fedora 34 ====
This procedure was confirmed to work on Fedora 34 on 14 July 2021.
- Make sure you've followed all the prerequisite steps [[vpnaccess#linux|here]]
- Right click the NetworkManager icon
- Select **Settings** --> **Network**
- Click the **+** symbol under VPN
- Select **Import from file...** from the bottom
- Browse to ''/etc/openvpn/client/sepia.conf''
- Enter the first line of ''/etc/openvpn/client/sepia/secret'' (e.g., ''USER@HOST'') under **User name**
- Enter the second line of your ''/etc/openvpn/client/sepia/secret'' file for **Password**
==== Mac/OS X ====
Tunnelblick and Viscosity are two clients known to work with the Sepia VPN.
=== Tunnelblick **UNTESTED** ===
- Download and untar the Sepia VPN client [[https://filedump.ceph.com/sepia-vpn-client.tar.gz|tarball]]
<code bash>
sudo mkdir -p /etc/openvpn
cd /etc/openvpn
sudo wget https://filedump.ceph.com/sepia-vpn-client.tar.gz
sudo tar zxvf sepia-vpn-client.tar.gz
# Generate client credentials
# USER should be your desired username and HOST should describe your workstation
# e.g., dgalloway@thinkpad
sudo ./sepia/new-client USER@HOST
# Submit the output of this command in your ticket
</code>
- Replace the line ''auth-user-pass sepia/secret'' with just ''auth-user-pass'' in client.conf
- Follow [[https://tunnelblick.net/cConfigT.html|Tunnelblick's instructions]] for adding the config
- When prompted for user/pass, enter username USER@HOST as above, and for password use the secret contents of the file ''/etc/openvpn/sepia/secret''.
- Save to your keychain if you wish
=== Viscosity ===
- Download https://filedump.ceph.com/Sepia.visz
- Download https://filedump.ceph.com/sepia-vpn-client.tar.gz
- Import the Sepia.visz config into Viscosity
- Extract sepia-vpn-client.tar.gz
- Save ''sepia/ca.crt'' somewhere
- Run ''sudo ./sepia/new-client USER@HOST''
- Replace ''USER@HOST'' with your desired username and machine description. (e.g., dgalloway@laptop)
- In Viscosity, under the Authentication tab, set:
  - **Authentication:** SSL/TLS Client
  - Check **Use Username/Password authentication**
  - **CA:** to the ca.crt file you saved earlier
  - **Tls-Auth:** ta.key
- When connecting to the VPN for the first time,
  - Enter your ''USER@HOST'' combination as the username
  - Enter the second line of ''sepia/secret'' as the password
  - Save the credentials to your keychain
- You can now delete any downloaded and created files (except ca.crt)
===== A Note About DNS =====
Due to complexities around adding nameservers to various Linux distro VPN clients, our OpenVPN server does not use the [[https://openvpn.net/index.php/open-source/documentation/howto.html#dhcp|dhcp-option DNS]] option.
Instead, we serve our private DNS records publicly. Your machine should be able to resolve hostnames under the ''sepia.ceph.com'' subdomain automatically.
If you're using dnsmasq, you can add ''server=/sepia.ceph.com/172.21.0.1'' to ''/etc/dnsmasq.conf''.