User Tools

Site Tools


VPN Access

Requesting Access

To request access to the Sepia lab,

  1. Generate login credentials by following directions under VPN Client Access below.
  2. File a ticket. Select Sepia Lab Access Request for the Issue Template.

For details on our particular OpenVPN server setup, see OpenVPN.

VPN Client Access

Follow the instructions corresponding to your workstation's operating system below.

NOTE: You will need VPN credentials for each machine/workstation you intend to connect to the Sepia VPN. Client credentials can not be used on more than one machine at a time!


sudo [apt-get|yum] install openvpn

sudo mkdir -p /run/openvpn

## Fedora 28 and later
cd /etc/openvpn/client

## All others
cd /etc/openvpn

sudo tar zxvf sepia-vpn-client.tar.gz

# Ubuntu Bionic and later (or any python3-only distro)
sudo apt-get -y install python2-minimal; sed -i 's|/usr/bin/python|/usr/bin/python2|g' sepia/new-client

# Generate client credentials
# USER should be your desired username and HOST should describe your workstation
# e.g., dgalloway@thinkpad

sudo ./sepia/new-client USER@HOST

# Submit the command output in your ticket
# After you've been notified in your ticket that access has been granted,

sudo service openvpn restart
sudo systemctl restart openvpn@sepia
sudo systemctl restart openvpn-client@sepia

# Try all 3.  One of them should work.
# Whichever works, enable the systemd service

sudo systemctl enable openvpn@sepia
sudo systemctl enable openvpn-client@sepia

Linux Gotchas

You may need to edit user and group in /etc/openvpn/sepia/client.conf depending on what user the service runs as. This could be nobody, nogroup, or openvpn.

sed -i 's/nobody/openvpn/g' /etc/openvpn/sepia/client.conf || sed -i 's/nobody/openvpn/g' /etc/openvpn/client/sepia/client.conf
sed -i 's/nogroup/openvpn/g' /etc/openvpn/sepia/client.conf || sed -i 's/nogroup/openvpn/g' /etc/openvpn/client/sepia/client.conf

If you're using OpenVPN for any other VPN connection (e.g., Red Hat's), you may need to change the dev name in /etc/openvpn/sepia/client.conf. See below.

dev tun

dev sepia0
dev-type tun

If the new-client script throws an error about /usr/bin/python not being found, run:

sudo sed -i 's|/usr/bin/python|/usr/bin/python3|g' sepia/new-client


To troubleshoot your VPN connection, try running the following command to determine where the connection is failing:

openvpn --config /etc/openvpn/sepia.conf --cd /etc/openvpn --verb 5
openvpn --config /etc/openvpn/client/sepia.conf --cd /etc/openvpn/client --verb 5

Fedora NetworkManager GUI

  1. Make sure you've followed all the prerequisite steps here
  2. Right click the NetworkManager icon
  3. Edit Connections
  4. Click the + symbol
  5. Select Import a saved VPN configuration from the bottom
  6. Click Create
  7. Browse to /etc/openvpn/sepia/client.conf
  8. Enter your the first line in /etc/openvpn/sepia/secret (e.g., USER@HOST) under User name
  9. Enter the second line in your /etc/openvpn/sepia/secret file for Password

Mac/OS X

Tunnelblick and Viscosity are two clients known to work with the Sepia VPN.

Tunnelblick **UNTESTED**

  1. Download and untar the Sepia VPN client tarball
    mkdir /etc/openvpn
    cd /etc/openvpn
    sudo tar zxvf sepia-vpn.client.tar.gz
    # Generate client credentials
    # USER should be your desired username and HOST should describe your workstation
    # e.g., dgalloway@thinkpad
    sudo ./sepia/new-client USER@HOST
    # Submit the output of this command in your ticket
  2. Replace the line auth-user-pass sepia/secret with just auth-user-pass in client.conf
  3. Follow Tunnelblick's instructions for adding the config
  4. When prompted for user/pass, enter username USER@HOST as above, and for password use the secret contents of the file /etc/openvpn/sepia/secret.
  5. Save to your keychain if you wish


  1. Import the Sepia.visz config into Viscosity
  2. Extract sepia-vpn-client.tar.gz
  3. Save sepia/ca.crt somewhere
  4. Run sudo ./sepia/new-client USER@HOST
    1. Replace USER@HOST with your desired username and machine description. (e.g., dgalloway@laptop)
  5. In Viscosity, under the Authentication tab, set:
    1. Authentication: SSL/TLS Client
    2. Check Use Username/Password authentication
    3. CA: to the ca.crt file you saved earlier
    4. Tls-Auth: ta.key
  6. When connecting to the VPN for the first time,
    1. Enter your USER@HOST combination as the username
    2. Enter the second line of sepia/secret as the password
  7. Save the credentials to your keychain
  8. You can now delete any downloaded and created files (except ca.crt)

A Note About DNS

Due to complexities around adding nameservers to various Linux distro VPN clients, our OpenVPN server does not use the dhcp-option DNS option.

Instead, we serve our private DNS records publicly. Your machine should be able to resolve hostnames under the subdomain automatically.

If you're using dnsmasq, you can add server=/ to /etc/dnsmasq.conf.

vpnaccess.txt · Last modified: 2020/10/27 18:03 by djgalloway