====== VPN Access ======
===== Requesting Access =====
To request access to the Sepia lab,
  - Generate login credentials by following directions under **VPN Client Access** below.
  - [[http://tracker.ceph.com/projects/lab/issues/new?issue[tracker_id]=3|File a ticket]].  Select **Sepia Lab Access Request** and ***copy those questions and answer them in the ticket.***

<code>

1) Do you just need VPN access or will you also be running teuthology jobs?

2) Desired Username:

3) Alternate e-mail address(es) we can reach you at:

4) If you don't already have an established history of code contributions to Ceph, is there an existing community or core developer you've worked with who has reviewed your work and can vouch for your access request?

If you answered "No" to # 4, please answer the following (paste directly below the question to keep indentation):

4a) Paste a link to a Blueprint or planning doc of yours that was reviewed at a Ceph Developer Monthly.

4b) Paste a link to an accepted pull request for a major patch or feature.

4c) If applicable, include a link to the current project (planning doc, dev branch, or pull request) that you are looking to test.

5) Paste your SSH public key(s) between the pre tags

6) Paste your hashed VPN credentials between the pre tags (Format: user@hostname 22CharacterSalt 65CharacterHashedPassword)

For details on our particular OpenVPN server setup, see [[services:openvpn|OpenVPN]].

</code>
===== VPN Client Access =====
Follow the instructions corresponding to your workstation's operating system below.

==== The 'secret' file ====


The new-client script will generate a secret in a file named 'secret'.  This is your secret VPN password.  Do not share this in any way to anyone.  Do not overwrite it for any reason.  It is precious unrecoverable data, and losing it will lose your access to the VPN.

==== The 'secret.hash' file: ====

new-client will also generate a file named 'secret.hash', which corresponds to, but is not the same as, 'secret'.  new-client also prints out this secret.hash.  This is public information, derived from your secret, but not your secret.  This is what you put in the tracker ticket to be added to the OpenVPN server.

==== The secrets tarball: ====


new-client will also generate a tarball named 'secrets.YYMMDD_HHMMSS.tar.gz' (where YYMMDD_HHMMSS represents the current date and time) containing both secret and secret.hash files.  Since they go together, this will help track problems in their creation and use.

**NOTE:** You will need VPN credentials for each machine/workstation you intend to connect to the Sepia VPN.  **Client credentials can not be used on more than one machine at a time!**


==== Linux ====
<code>
sudo [apt-get|yum] install openvpn

sudo mkdir -p /run/openvpn

## Fedora 28 and later
cd /etc/openvpn/client

## All others
cd /etc/openvpn


sudo wget https://filedump.ceph.com/sepia-vpn-client.tar.gz
sudo tar zxvf sepia-vpn-client.tar.gz


# Generate client credentials
# USER should be your desired username and HOST should describe your workstation
# e.g., dgalloway@thinkpad

sudo ./sepia/new-client USER@HOST

# Submit the command output in your ticket
# After you've been notified in your ticket that access has been granted,

sudo service openvpn restart
OR
sudo systemctl restart openvpn@sepia
OR
sudo systemctl restart openvpn-client@sepia

# Try all 3.  One of them should work.
# Whichever works, enable the systemd service

sudo systemctl enable openvpn@sepia
OR
sudo systemctl enable openvpn-client@sepia
</code>

=== Linux Gotchas ===
You may need to edit ''user'' and ''group'' in ''/etc/openvpn/sepia/client.conf'' depending on what user the service runs as.  This could be ''nobody'', ''nogroup'', or ''openvpn''.

<code>
sed -i 's/nobody/openvpn/g' /etc/openvpn/sepia/client.conf || sed -i 's/nobody/openvpn/g' /etc/openvpn/client/sepia/client.conf
sed -i 's/nogroup/openvpn/g' /etc/openvpn/sepia/client.conf || sed -i 's/nogroup/openvpn/g' /etc/openvpn/client/sepia/client.conf
</code>

----

If you're using OpenVPN for any other VPN connection (e.g., Red Hat's), you may need to change the ''dev'' name in ''/etc/openvpn/sepia/client.conf''.  See below.

<code>
# ERASE
dev tun

# REPLACE WITH
dev sepia0
dev-type tun
</code>

----

If the ''new-client'' script throws an error about ''/usr/bin/python'' not being found, run:

<code>
sudo sed -i 's|/usr/bin/python|/usr/bin/python3|g' sepia/new-client
</code>

=== Troubleshooting ===
Please disable SELinux on rhel clients

To troubleshoot your VPN connection, try running the following command to determine where the connection is failing:

<code>
openvpn --config /etc/openvpn/sepia.conf --cd /etc/openvpn --verb 5
OR
openvpn --config /etc/openvpn/client/sepia.conf --cd /etc/openvpn/client --verb 5
</code>

==== Fedora NetworkManager GUI ====

  - Make sure you've followed all the prerequisite steps [[vpnaccess#linux|here]]
  - Right click the NetworkManager icon
  - **Edit Connections**
  - Click the + symbol
  - Select **Import a saved VPN configuration** from the bottom
  - Click **Create**
  - Browse to ''/etc/openvpn/sepia/client.conf''
  - Enter your the first line in ''/etc/openvpn/sepia/secret'' (e.g., ''USER@HOST'') under **User name**
  - Enter the second line in your ''/etc/openvpn/sepia/secret'' file for **Password**


==== Fedora Network Manager GUI -- Fedora 34 ====

This procedure was confirmed to work on Fedora 34 on 14 July 2021.

   - Make sure you've followed all the prerequisite steps [[vpnaccess#linux|here]]
   - Right click the NetworkManager icon
   - Select **Settings** --> **Network**
   - Click the **+** symbol under VPN
   - Select **Import from file...** from the bottom
   - Browse to ''/etc/openvpn/client/sepia.conf''
   - Enter your the first line in ''/etc/openvpn/client/sepia/secret'' (e.g., ''USER@HOST'') under **User name**
   - Enter the second line in your ''/etc/openvpn/client/sepia/secret'' file for **Password**

==== Mac/OS X ====
Tunnelblick and Viscosity are two clients known to work with the Sepia VPN.

=== Tunnelblick **UNTESTED** ===
  - Download and untar the Sepia VPN client [[https://filedump.ceph.com/sepia-vpn-client.tar.gz|tarball]] <code>
mkdir /etc/openvpn
cd /etc/openvpn
wget https://filedump.ceph.com/sepia-vpn-client.tar.gz
sudo tar zxvf sepia-vpn-client.tar.gz

# Generate client credentials
# USER should be your desired username and HOST should describe your workstation
# e.g., dgalloway@thinkpad

sudo ./sepia/new-client USER@HOST

# Submit the output of this command in your ticket</code>
  - Replace the line ''auth-user-pass sepia/secret'' with just ''auth-user-pass'' in client.conf
  - Follow [[https://tunnelblick.net/cConfigT.html|Tunnelblick's instructions]] for adding the config
  - When prompted for user/pass, enter username USER@HOST as above, and for password use the secret contents of the file ''/etc/openvpn/sepia/secret''.
  - Save to your keychain if you wish

=== Viscosity ===

  - Download https://filedump.ceph.com/Sepia.visz
  - Download https://filedump.ceph.com/sepia-vpn-client.tar.gz
  - Import the Sepia.visz config into Viscosity
  - Extract sepia-vpn-client.tar.gz
  - Save ''sepia/ca.crt'' somewhere
  - Run ''sudo ./sepia/new-client USER@HOST''
    - Replace ''USER@HOST'' with your desired username and machine description.  (e.g., dgalloway@laptop)
  - In Viscosity, under the Authentication tab, set:
    - **Authentication:** SSL/TLS Client
    - Check **Use Username/Password authentication**
    - **CA:** to the ca.crt file you saved earlier
    - **Tls-Auth:** ta.key
  - When connecting to the VPN for the first time,
    - Enter your ''USER@HOST'' combination as the username(the username is the first line in secret file)
    - Enter the second line of ''sepia/secret'' as the password(the password is the second line in secret file)
  - Save the credentials to your keychain
  - You can now delete any downloaded and created files (except ca.crt)

===== A Note About DNS =====
Due to complexities around adding nameservers to various Linux distro VPN clients, our OpenVPN server does not use the [[https://openvpn.net/index.php/open-source/documentation/howto.html#dhcp|dhcp-option DNS]] option.

Instead, we serve our private DNS records publicly.  Your machine should be able to resolve hostnames under the ''sepia.ceph.com'' subdomain automatically.

If you're using dnsmasq, you can add ''server=/sepia.ceph.com/172.21.0.1'' to ''/etc/dnsmasq.conf''.