User Tools

Site Tools


vpnaccess

VPN Access

Requesting Access

To request access to the Sepia lab,

  1. Generate login credentials by following directions under VPN Client Access below.
  2. File a ticket. Select Sepia Lab Access Request for the Issue Template.

For details on our particular OpenVPN server setup, see OpenVPN.

VPN Client Access

Follow the instructions corresponding to your workstation's operating system below.

NOTE: You will need VPN credentials for each machine/workstation you intend to connect to the Sepia VPN. Client credentials can not be used on more than one machine at a time!

Linux

sudo [apt-get|yum] install openvpn
cd /etc/openvpn
wget http://ceph.com/sage/sepia-vpn-client.tar.gz
sudo tar zxvf sepia-vpn-client.tar.gz

# Generate client credentials
# USER should be your desired username and HOST should describe your workstation
# e.g., dgalloway@thinkpad

sudo ./sepia/new-client USER@HOST

# Submit the command output in your ticket
# After you've been notified in your ticket that access has been granted,

sudo service openvpn restart
OR
sudo systemctl restart openvpn@sepia

# If you have a /etc/openvpn/client/ directory, you may need to:

sudo mv /etc/openvpn/sepia* /etc/openvpn/client/

# before you can run openvpn-client@sepia.service.
# This is because the OpenVPN systemd unit file looks in /etc/openvpn/client/ for configuration files by default.

Linux Gotchas

You may need to modify user and group in /etc/openvpn/sepia/client.conf depending on what user the service runs as. This could be nobody, nogroup, or openvpn.

- user nobody
- group nogroup
+ user openvpn
+ group openvpn

If you're using OpenVPN for any other VPN connection (e.g., Red Hat's), you may need to change the dev name in /etc/openvpn/sepia/client.conf. See below.

- dev tun
+ dev sepia0
+ dev-type tun

Troubleshooting

To troubleshoot your VPN connection, try running the following command to determine where the connection is failing:

openvpn --config /etc/openvpn/sepia.conf --cd /etc/openvpn --verb 5

Fedora NetworkManager GUI

  1. Make sure you've followed all the prerequisite steps here
  2. Right click the NetworkManager icon
  3. Edit Connections
  4. Click the + symbol
  5. Select Import a saved VPN configuration from the bottom
  6. Click Create
  7. Browse to /etc/openvpn/sepia/client.conf
  8. Enter your the first line in /etc/openvpn/sepia/secret (e.g., USER@HOST) under User name
  9. Enter the second line in your /etc/openvpn/sepia/secret file for Password

Mac/OS X

Tunnelblick and Viscosity are two clients known to work with the Sepia VPN.

Tunnelblick **UNTESTED**

  1. Download and untar the Sepia VPN client tarball
    mkdir /etc/openvpn
    cd /etc/openvpn
    wget http://ceph.com/sage/sepia-vpn-client.tar.gz
    sudo tar zxvf sepia-vpn.client.tar.gz
    
    # Generate client credentials
    # USER should be your desired username and HOST should describe your workstation
    # e.g., dgalloway@thinkpad
    
    sudo ./sepia/new-client USER@HOST
    
    # Submit the output of this command in your ticket
  2. Replace the line auth-user-pass sepia/secret with just auth-user-pass in client.conf
  3. Follow Tunnelblick's instructions for adding the config
  4. When prompted for user/pass, enter username USER@HOST as above, and for password use the secret contents of the file /etc/openvpn/sepia/secret.
  5. Save to your keychain if you wish

Viscosity

  1. Import the Sepia.visz config into Viscosity
  2. Extract sepia-vpn-client.tar.gz
  3. Save sepia/ca.crt somewhere
  4. Run sudo ./sepia/new-client USER@HOST
    1. Replace USER@HOST with your desired username and machine description. (e.g., dgalloway@laptop)
  5. In Viscosity, under the Authentication tab, set:
    1. Authentication: SSL/TLS Client
    2. Check Use Username/Password authentication
    3. CA: to the ca.crt file you saved earlier
    4. Tls-Auth: ta.key
  6. When connecting to the VPN for the first time,
    1. Enter your USER@HOST combination as the username
    2. Enter the second line of sepia/secret as the password
  7. Save the credentials to your keychain
  8. You can now delete any downloaded and created files (except ca.crt)

A Note About DNS

Due to complexities around adding nameservers to various Linux distro VPN clients, our OpenVPN server does not use the dhcp-option DNS option.

Instead, we serve our private DNS records publicly. Your machine should be able to resolve hostnames under the sepia.ceph.com subdomain automatically.

If you're using dnsmasq, you can add server=/sepia.ceph.com/172.21.0.1 to /etc/dnsmasq.conf.

vpnaccess.txt · Last modified: 2018/06/29 15:59 by djgalloway