To request access to the Sepia lab,
For details on our particular OpenVPN server setup, see OpenVPN.
Follow the instructions corresponding to your workstation's operating system below.
NOTE: You will need VPN credentials for each machine/workstation you intend to connect to the Sepia VPN. Client credentials cannot be used on more than one machine at a time!
sudo apt-get install openvpn
# OR
sudo yum install openvpn

sudo mkdir -p /run/openvpn

## Fedora 28 and later
cd /etc/openvpn/client
## All others
cd /etc/openvpn

sudo wget https://filedump.ceph.com/sepia-vpn-client.tar.gz
sudo tar zxvf sepia-vpn-client.tar.gz

# Generate client credentials
# USER should be your desired username and HOST should describe your workstation
# e.g., dgalloway@thinkpad
sudo ./sepia/new-client USER@HOST
# Submit the command output in your ticket

# After you've been notified in your ticket that access has been granted,
sudo service openvpn restart
# OR
sudo systemctl restart openvpn@sepia
# OR
sudo systemctl restart openvpn-client@sepia
# Try all 3. One of them should work.

# Whichever works, enable the systemd service
sudo systemctl enable openvpn@sepia
# OR
sudo systemctl enable openvpn-client@sepia
You may need to edit user and group in /etc/openvpn/sepia/client.conf depending on what user the service runs as. This could be nobody, nogroup, or openvpn.
sed -i 's/nobody/openvpn/g' /etc/openvpn/sepia/client.conf || sed -i 's/nobody/openvpn/g' /etc/openvpn/client/sepia/client.conf
sed -i 's/nogroup/openvpn/g' /etc/openvpn/sepia/client.conf || sed -i 's/nogroup/openvpn/g' /etc/openvpn/client/sepia/client.conf
If you're using OpenVPN for any other VPN connection (e.g., Red Hat's), you may need to change the dev name in /etc/openvpn/sepia/client.conf. See below.
# ERASE
dev tun
# REPLACE WITH
dev sepia0
dev-type tun
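The sed commands above replace every occurrence of nobody and nogroup in the file, including any inside comments or other directives. The following script is an added example, not part of the Sepia documentation: it rewrites only the user, group and dev directives and is safe to run twice. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Sepia docs. Function names are hypothetical.

# Constructed sample config: the comment also contains the word "nobody".
sepia_sample_conf() {
    cat <<'EOF'
client
dev tun
# drop privileges to nobody after startup
user nobody
group nogroup
auth-user-pass sepia/secret
EOF
}

# sepia_patch_conf CONF RUN_USER RUN_GROUP DEV_NAME
# Prints the patched config on stdout; CONF itself is not modified.
sepia_patch_conf() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    awk -v u="$2" -v g="$3" -v d="$4" '
        # Match whole directives only: keyword plus exactly one argument.
        NF == 2 && $1 == "user"  { print "user " u;  next }
        NF == 2 && $1 == "group" { print "group " g; next }
        # A generic tun device gets a fixed name and an explicit type.
        NF == 2 && $1 == "dev" && $2 ~ /^tun[0-9]*$/ {
            print "dev " d
            print "dev-type tun"
            next
        }
        { print }   # comments and every other directive pass through
    ' "$1"
}

# Demo on the constructed sample, using a temporary file.
tmp=$(mktemp)
sepia_sample_conf > "$tmp"
sepia_patch_conf "$tmp" openvpn openvpn sepia0
rm -f "$tmp"
```

Review the printed result before copying it over the real client.conf.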
If the new-client script throws an error about /usr/bin/python not being found, run:
sudo sed -i 's|/usr/bin/python|/usr/bin/python3|g' sepia/new-client
Please disable SELinux on RHEL clients.
To troubleshoot your VPN connection, try running the following command to determine where the connection is failing:
openvpn --config /etc/openvpn/sepia.conf --cd /etc/openvpn --verb 5
# OR
openvpn --config /etc/openvpn/client/sepia.conf --cd /etc/openvpn/client --verb 5
/etc/openvpn/sepia/client.conf
/etc/openvpn/sepia/secret
(e.g., USER@HOST) under User name
/etc/openvpn/sepia/secret file for Password
This procedure was confirmed to work on Fedora 34 on 14 July 2021.
/etc/openvpn/client/sepia.conf
/etc/openvpn/client/sepia/secret
(e.g., USER@HOST) under User name
/etc/openvpn/client/sepia/secret file for Password
Tunnelblick and Viscosity are two clients known to work with the Sepia VPN.
sudo mkdir /etc/openvpn
cd /etc/openvpn
sudo wget https://filedump.ceph.com/sepia-vpn-client.tar.gz
sudo tar zxvf sepia-vpn-client.tar.gz

# Generate client credentials
# USER should be your desired username and HOST should describe your workstation
# e.g., dgalloway@thinkpad
sudo ./sepia/new-client USER@HOST
# Submit the output of this command in your ticket
auth-user-pass sepia/secret with just auth-user-pass in client.conf
/etc/openvpn/sepia/secret.
sepia/ca.crt somewhere
sudo ./sepia/new-client USER@HOST
USER@HOST with your desired username and machine description (e.g., dgalloway@laptop).
USER@HOST combination as the username
sepia/secret as the password
Due to complexities around adding nameservers to various Linux distro VPN clients, our OpenVPN server does not use the dhcp-option DNS option.
Instead, we serve our private DNS records publicly. Your machine should be able to resolve hostnames under the sepia.ceph.com subdomain automatically.
If you're using dnsmasq, you can add server=/sepia.ceph.com/172.21.0.1 to /etc/dnsmasq.conf.