Table of Contents

VPN Access

Requesting Access

To request access to the Sepia lab,

  1. Generate login credentials by following directions under VPN Client Access below.
  2. File a ticket. Select Sepia Lab Access Request and *copy those questions and answer them in the ticket.*
1) Do you just need VPN access or will you also be running teuthology jobs?

2) Desired Username:

3) Alternate e-mail address(es) we can reach you at:

4) If you don't already have an established history of code contributions to Ceph, is there an existing community or core developer you've worked with who has reviewed your work and can vouch for your access request?

If you answered "No" to # 4, please answer the following (paste directly below the question to keep indentation):

4a) Paste a link to a Blueprint or planning doc of yours that was reviewed at a Ceph Developer Monthly.

4b) Paste a link to an accepted pull request for a major patch or feature.

4c) If applicable, include a link to the current project (planning doc, dev branch, or pull request) that you are looking to test.

5) Paste your SSH public key(s) between the pre tags

6) Paste your hashed VPN credentials between the pre tags (Format: user@hostname 22CharacterSalt 65CharacterHashedPassword)

For details on our particular OpenVPN server setup, see [[services:openvpn|OpenVPN]].

VPN Client Access

Follow the instructions corresponding to your workstation's operating system below.

The 'secret' file

The new-client script will generate a secret in a file named 'secret'. This is your secret VPN password. Do not share this in any way to anyone. Do not overwrite it for any reason. It is precious unrecoverable data, and losing it will lose your access to the VPN.

The 'secret.hash' file:

new-client will also generate a file named 'secret.hash', which corresponds to, but is not the same as, 'secret'. new-client also prints out this secret.hash. This is public information, derived from your secret, but not your secret. This is what you put in the tracker ticket to be added to the OpenVPN server.

The secrets tarball:

new-client will also generate a tarball named 'secrets.YYMMDD_HHMMSS.tar.gz' (where YYMMDD_HHMMSS represents the current date and time) containing both secret and secret.hash files. Since they go together, this will help track problems in their creation and use.

NOTE: You will need VPN credentials for each machine/workstation you intend to connect to the Sepia VPN. Client credentials can not be used on more than one machine at a time!

Linux

sudo [apt-get|yum] install openvpn

sudo mkdir -p /run/openvpn

## Fedora 28 and later
cd /etc/openvpn/client

## All others
cd /etc/openvpn


sudo wget https://filedump.ceph.com/sepia-vpn-client.tar.gz
sudo tar zxvf sepia-vpn-client.tar.gz


# Generate client credentials
# USER should be your desired username and HOST should describe your workstation
# e.g., dgalloway@thinkpad

sudo ./sepia/new-client USER@HOST

# Submit the command output in your ticket
# After you've been notified in your ticket that access has been granted,

sudo service openvpn restart
OR
sudo systemctl restart openvpn@sepia
OR
sudo systemctl restart openvpn-client@sepia

# Try all 3.  One of them should work.
# Whichever works, enable the systemd service

sudo systemctl enable openvpn@sepia
OR
sudo systemctl enable openvpn-client@sepia

Linux Gotchas

You may need to edit user and group in /etc/openvpn/sepia/client.conf depending on what user the service runs as. This could be nobody, nogroup, or openvpn. 

sed -i 's/nobody/openvpn/g' /etc/openvpn/sepia/client.conf || sed -i 's/nobody/openvpn/g' /etc/openvpn/client/sepia/client.conf
sed -i 's/nogroup/openvpn/g' /etc/openvpn/sepia/client.conf || sed -i 's/nogroup/openvpn/g' /etc/openvpn/client/sepia/client.conf

If you're using OpenVPN for any other VPN connection (e.g., Red Hat's), you may need to change the dev name in /etc/openvpn/sepia/client.conf. See below. 

# ERASE
dev tun

# REPLACE WITH
dev sepia0
dev-type tun

If the new-client script throws an error about /usr/bin/python not being found, run: 

sudo sed -i 's|/usr/bin/python|/usr/bin/python3|g' sepia/new-client

Troubleshooting

Please disable SELinux on rhel clients

To troubleshoot your VPN connection, try running the following command to determine where the connection is failing: 

openvpn --config /etc/openvpn/sepia.conf --cd /etc/openvpn --verb 5
OR
openvpn --config /etc/openvpn/client/sepia.conf --cd /etc/openvpn/client --verb 5

Fedora NetworkManager GUI

  1. Make sure you've followed all the prerequisite steps here
  2. Right click the NetworkManager icon
  3. Edit Connections
  4. Click the + symbol
  5. Select Import a saved VPN configuration from the bottom
  6. Click Create
  7. Browse to /etc/openvpn/sepia/client.conf
  8. Enter your the first line in /etc/openvpn/sepia/secret (e.g., USER@HOST) under User name
  9. Enter the second line in your /etc/openvpn/sepia/secret file for Password

Fedora Network Manager GUI -- Fedora 34

This procedure was confirmed to work on Fedora 34 on 14 July 2021.

  1. Make sure you've followed all the prerequisite steps here
  2. Right click the NetworkManager icon
  3. Select Settings –> Network
  4. Click the + symbol under VPN
  5. Select Import from file… from the bottom
  6. Browse to /etc/openvpn/client/sepia.conf
  7. Enter your the first line in /etc/openvpn/client/sepia/secret (e.g., USER@HOST) under User name
  8. Enter the second line in your /etc/openvpn/client/sepia/secret file for Password

Mac/OS X

Tunnelblick and Viscosity are two clients known to work with the Sepia VPN.

Tunnelblick **UNTESTED**

  1. Download and untar the Sepia VPN client tarball 
    mkdir /etc/openvpn
cd /etc/openvpn
wget https://filedump.ceph.com/sepia-vpn-client.tar.gz
sudo tar zxvf sepia-vpn-client.tar.gz

# Generate client credentials
# USER should be your desired username and HOST should describe your workstation
# e.g., dgalloway@thinkpad

sudo ./sepia/new-client USER@HOST

# Submit the output of this command in your ticket
  2. Replace the line auth-user-pass sepia/secret with just auth-user-pass in client.conf
  3. Follow Tunnelblick's instructions for adding the config
  4. When prompted for user/pass, enter username USER@HOST as above, and for password use the secret contents of the file /etc/openvpn/sepia/secret.
  5. Save to your keychain if you wish

Viscosity

  1. Download https://filedump.ceph.com/Sepia.visz
  2. Download https://filedump.ceph.com/sepia-vpn-client.tar.gz
  3. Import the Sepia.visz config into Viscosity
  4. Extract sepia-vpn-client.tar.gz
  5. Save sepia/ca.crt somewhere
  6. Run sudo ./sepia/new-client USER@HOST
    1. Replace USER@HOST with your desired username and machine description. (e.g., dgalloway@laptop)
  7. In Viscosity, under the Authentication tab, set:
    1. Authentication: SSL/TLS Client
    2. Check Use Username/Password authentication
    3. CA: to the ca.crt file you saved earlier
    4. Tls-Auth: ta.key
  8. When connecting to the VPN for the first time,
    1. Enter your USER@HOST combination as the username(the username is the first line in secret file)
    2. Enter the second line of sepia/secret as the password(the password is the second line in secret file)
  9. Save the credentials to your keychain
  10. You can now delete any downloaded and created files (except ca.crt)

A Note About DNS

Due to complexities around adding nameservers to various Linux distro VPN clients, our OpenVPN server does not use the dhcp-option DNS option.

Instead, we serve our private DNS records publicly. Your machine should be able to resolve hostnames under the sepia.ceph.com subdomain automatically.

If you're using dnsmasq, you can add server=/sepia.ceph.com/172.21.0.1 to /etc/dnsmasq.conf.