vpnaccess [2018/06/29 15:59] djgalloway |
vpnaccess [2024/12/20 01:01] (current) dmick [VPN Client Access] |
Line 3: | Line 3: | ||
To request access to the Sepia lab, | To request access to the Sepia lab, | ||
- Generate login credentials by following directions under **VPN Client Access** below. | - Generate login credentials by following directions under **VPN Client Access** below. | ||
- | - [[http://tracker.ceph.com/projects/lab/issues/new?issue[tracker_id]=3|File a ticket]]. Select **Sepia Lab Access Request** for the Issue Template. | + | - [[http://tracker.ceph.com/projects/lab/issues/new?issue[tracker_id]=3|File a ticket]]. Select **Sepia Lab Access Request** and ***copy those questions and answer them in the ticket.*** |
+ | |||
+ | <code> | ||
+ | |||
+ | 1) Do you just need VPN access or will you also be running teuthology jobs? | ||
+ | |||
+ | 2) Desired Username: | ||
+ | |||
+ | 3) Alternate e-mail address(es) we can reach you at: | ||
+ | |||
+ | 4) If you don't already have an established history of code contributions to Ceph, is there an existing community or core developer you've worked with who has reviewed your work and can vouch for your access request? | ||
+ | |||
+ | If you answered "No" to # 4, please answer the following (paste directly below the question to keep indentation): | ||
+ | |||
+ | 4a) Paste a link to a Blueprint or planning doc of yours that was reviewed at a Ceph Developer Monthly. | ||
+ | |||
+ | 4b) Paste a link to an accepted pull request for a major patch or feature. | ||
+ | |||
+ | 4c) If applicable, include a link to the current project (planning doc, dev branch, or pull request) that you are looking to test. | ||
+ | |||
+ | 5) Paste your SSH public key(s) between the pre tags | ||
+ | |||
+ | 6) Paste your hashed VPN credentials between the pre tags (Format: user@hostname 22CharacterSalt 65CharacterHashedPassword) | ||
For details on our particular OpenVPN server setup, see [[services:openvpn|OpenVPN]]. | For details on our particular OpenVPN server setup, see [[services:openvpn|OpenVPN]]. | ||
+ | </code> | ||
===== VPN Client Access ===== | ===== VPN Client Access ===== | ||
Follow the instructions corresponding to your workstation's operating system below. | Follow the instructions corresponding to your workstation's operating system below. | ||
+ | |||
+ | ==== The 'secret' file ==== | ||
+ | |||
+ | |||
+ | The new-client script will generate a secret in a file named 'secret'. This is your secret VPN password. Do not share this in any way to anyone. Do not overwrite it for any reason. It is precious unrecoverable data, and losing it will lose your access to the VPN. | ||
+ | |||
+ | ==== The 'secret.hash' file: ==== | ||
+ | |||
+ | new-client will also generate a file named 'secret.hash', which corresponds to, but is not the same as, 'secret'. new-client also prints out this secret.hash. This is public information, derived from your secret, but not your secret. This is what you put in the tracker ticket to be added to the OpenVPN server. | ||
+ | |||
+ | ==== The secrets tarball: ==== | ||
+ | |||
+ | |||
+ | new-client will also generate a tarball named 'secrets.YYMMDD_HHMMSS.tar.gz' (where YYMMDD_HHMMSS represents the current date and time) containing both secret and secret.hash files. Since they go together, this will help track problems in their creation and use. | ||
**NOTE:** You will need VPN credentials for each machine/workstation you intend to connect to the Sepia VPN. **Client credentials can not be used on more than one machine at a time!** | **NOTE:** You will need VPN credentials for each machine/workstation you intend to connect to the Sepia VPN. **Client credentials can not be used on more than one machine at a time!** | ||
+ | |||
==== Linux ==== | ==== Linux ==== | ||
<code> | <code> | ||
sudo [apt-get|yum] install openvpn | sudo [apt-get|yum] install openvpn | ||
+ | |||
+ | sudo mkdir -p /run/openvpn | ||
+ | |||
+ | ## Fedora 28 and later | ||
+ | cd /etc/openvpn/client | ||
+ | |||
+ | ## All others | ||
cd /etc/openvpn | cd /etc/openvpn | ||
- | wget http://ceph.com/sage/sepia-vpn-client.tar.gz | + | |
+ | |||
+ | sudo wget https://filedump.ceph.com/sepia-vpn-client.tar.gz | ||
sudo tar zxvf sepia-vpn-client.tar.gz | sudo tar zxvf sepia-vpn-client.tar.gz | ||
+ | |||
# Generate client credentials | # Generate client credentials | ||
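Review bot: the new `</code>` is placed after the unchanged line "For details on our particular OpenVPN server setup, see [[services:openvpn|OpenVPN]]", so that sentence now sits inside the code block opened above question 1 and the wiki link will render as literal text; move `</code>` up to directly after question 6. Two smaller points in the same region: the tarball is fetched with `sudo wget https://filedump.ceph.com/sepia-vpn-client.tar.gz` and unpacked as root with no checksum or signature to compare against, and since it carries the CA certificate and the tls-auth key (a swapped ca.crt would let a third party impersonate the VPN server), publishing a sha256sum next to the download and adding a `sha256sum -c` step would close that gap; and the 'secret.hash' section calls the hash "public information", which overstates it, since it is a salted password hash in the `user@hostname salt hash` format described in question 6, so "safe to paste into the tracker ticket, but still not something to post elsewhere" is the accurate wording.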
Line 31: | Line 79: | ||
OR | OR | ||
sudo systemctl restart openvpn@sepia | sudo systemctl restart openvpn@sepia | ||
+ | OR | ||
+ | sudo systemctl restart openvpn-client@sepia | ||
- | # If you have a /etc/openvpn/client/ directory, you may need to: | + | # Try all 3. One of them should work. |
+ | # Whichever works, enable the systemd service | ||
- | sudo mv /etc/openvpn/sepia* /etc/openvpn/client/ | + | sudo systemctl enable openvpn@sepia |
- | + | OR | |
- | # before you can run openvpn-client@sepia.service. | + | sudo systemctl enable openvpn-client@sepia |
- | # This is because the OpenVPN systemd unit file looks in /etc/openvpn/client/ for configuration files by default. | + | |
</code> | </code> | ||
=== Linux Gotchas === | === Linux Gotchas === | ||
- | You may need to modify ''user'' and ''group'' in ''/etc/openvpn/sepia/client.conf'' depending on what user the service runs as. This could be ''nobody'', ''nogroup'', or ''openvpn''. | + | You may need to edit ''user'' and ''group'' in ''/etc/openvpn/sepia/client.conf'' depending on what user the service runs as. This could be ''nobody'', ''nogroup'', or ''openvpn''. |
<code> | <code> | ||
- | - user nobody | + | sed -i 's/nobody/openvpn/g' /etc/openvpn/sepia/client.conf || sed -i 's/nobody/openvpn/g' /etc/openvpn/client/sepia/client.conf |
- | - group nogroup | + | sed -i 's/nogroup/openvpn/g' /etc/openvpn/sepia/client.conf || sed -i 's/nogroup/openvpn/g' /etc/openvpn/client/sepia/client.conf |
- | + user openvpn | + | |
- | + group openvpn | + | |
</code> | </code> | ||
+ | |||
+ | ---- | ||
If you're using OpenVPN for any other VPN connection (e.g., Red Hat's), you may need to change the ''dev'' name in ''/etc/openvpn/sepia/client.conf''. See below. | If you're using OpenVPN for any other VPN connection (e.g., Red Hat's), you may need to change the ''dev'' name in ''/etc/openvpn/sepia/client.conf''. See below. | ||
<code> | <code> | ||
- | - dev tun | + | # ERASE |
- | + dev sepia0 | + | dev tun |
- | + dev-type tun | + | |
+ | # REPLACE WITH | ||
+ | dev sepia0 | ||
+ | dev-type tun | ||
+ | </code> | ||
+ | |||
+ | ---- | ||
+ | |||
+ | If the ''new-client'' script throws an error about ''/usr/bin/python'' not being found, run: | ||
+ | |||
+ | <code> | ||
+ | sudo sed -i 's|/usr/bin/python|/usr/bin/python3|g' sepia/new-client | ||
</code> | </code> | ||
=== Troubleshooting === | === Troubleshooting === | ||
+ | Please disable SELinux on rhel clients | ||
+ | |||
To troubleshoot your VPN connection, try running the following command to determine where the connection is failing: | To troubleshoot your VPN connection, try running the following command to determine where the connection is failing: | ||
<code> | <code> | ||
openvpn --config /etc/openvpn/sepia.conf --cd /etc/openvpn --verb 5 | openvpn --config /etc/openvpn/sepia.conf --cd /etc/openvpn --verb 5 | ||
+ | OR | ||
+ | openvpn --config /etc/openvpn/client/sepia.conf --cd /etc/openvpn/client --verb 5 | ||
</code> | </code> | ||
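Review bot: "Please disable SELinux on rhel clients" under Troubleshooting turns off a host-wide control to work around what is usually a labelling problem with files copied into /etc/openvpn; suggest replacing it with a diagnostic step (`sudo ausearch -m AVC -ts recent` to confirm OpenVPN is actually being denied, then `sudo restorecon -Rv /etc/openvpn`) and, at most, a temporary `sudo setenforce 0` to test, rather than a permanent disable. In the Linux Gotchas block, the two `sed -i` lines run without `sudo` although every other command in the section uses it, and the unanchored `s/nobody/openvpn/g` rewrites any occurrence of the string in the file; a single anchored edit such as `sudo sed -i 's/^user nobody/user openvpn/; s/^group nogroup/group openvpn/' /etc/openvpn/sepia/client.conf` does the same job, and it is worth saying in the text that the `user`/`group` directives should be kept (they drop root after the tunnel is up), only the account names change. Finally, "Try all 3. One of them should work." replaced the explanation of why `openvpn-client@sepia` exists (the newer unit reads from /etc/openvpn/client/); keeping one sentence on that lets readers pick the right unit instead of guessing.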
Line 77: | Line 142: | ||
- Enter the second line in your ''/etc/openvpn/sepia/secret'' file for **Password** | - Enter the second line in your ''/etc/openvpn/sepia/secret'' file for **Password** | ||
+ | |||
+ | ==== Fedora Network Manager GUI -- Fedora 34 ==== | ||
+ | |||
+ | This procedure was confirmed to work on Fedora 34 on 14 July 2021. | ||
+ | |||
+ | - Make sure you've followed all the prerequisite steps [[vpnaccess#linux|here]] | ||
+ | - Right click the NetworkManager icon | ||
+ | - Select **Settings** --> **Network** | ||
+ | - Click the **+** symbol under VPN | ||
+ | - Select **Import from file...** from the bottom | ||
+ | - Browse to ''/etc/openvpn/client/sepia.conf'' | ||
+ | - Enter your the first line in ''/etc/openvpn/client/sepia/secret'' (e.g., ''USER@HOST'') under **User name** | ||
+ | - Enter the second line in your ''/etc/openvpn/client/sepia/secret'' file for **Password** | ||
==== Mac/OS X ==== | ==== Mac/OS X ==== | ||
Line 82: | Line 160: | ||
=== Tunnelblick **UNTESTED** === | === Tunnelblick **UNTESTED** === | ||
- | - Download and untar the Sepia VPN client [[http://ceph.com/sage/sepia-vpn-client.tar.gz|tarball]] <code> | + | - Download and untar the Sepia VPN client [[https://filedump.ceph.com/sepia-vpn-client.tar.gz|tarball]] <code> |
mkdir /etc/openvpn | mkdir /etc/openvpn | ||
cd /etc/openvpn | cd /etc/openvpn | ||
- | wget http://ceph.com/sage/sepia-vpn-client.tar.gz | + | wget https://filedump.ceph.com/sepia-vpn-client.tar.gz |
- | sudo tar zxvf sepia-vpn.client.tar.gz | + | sudo tar zxvf sepia-vpn-client.tar.gz |
# Generate client credentials | # Generate client credentials | ||
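Review bot: in the Tunnelblick block, `mkdir /etc/openvpn` and `wget` run as the normal user while `tar` runs under `sudo`; /etc is root-owned on macOS, so the `mkdir` fails before the download happens. Either prefix all three with `sudo` or download and unpack in a user-writable directory. The heading is still marked **UNTESTED**, so if the URL update was made without trying the procedure, leaving the marker is correct; otherwise drop it.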
Line 102: | Line 180: | ||
=== Viscosity === | === Viscosity === | ||
- | - Download http://ceph.com/sage/Sepia.visz | + | - Download https://filedump.ceph.com/Sepia.visz |
- | - Download http://ceph.com/sage/sepia-vpn-client.tar.gz | + | - Download https://filedump.ceph.com/sepia-vpn-client.tar.gz |
- Import the Sepia.visz config into Viscosity | - Import the Sepia.visz config into Viscosity | ||
- Extract sepia-vpn-client.tar.gz | - Extract sepia-vpn-client.tar.gz | ||
Line 115: | Line 193: | ||
- **Tls-Auth:** ta.key | - **Tls-Auth:** ta.key | ||
- When connecting to the VPN for the first time, | - When connecting to the VPN for the first time, | ||
- | - Enter your ''USER@HOST'' combination as the username | + | - Enter your ''USER@HOST'' combination as the username(the username is the first line in secret file) |
- | - Enter the second line of ''sepia/secret'' as the password | + | - Enter the second line of ''sepia/secret'' as the password(the password is the second line in secret file) |
- Save the credentials to your keychain | - Save the credentials to your keychain | ||
- You can now delete any downloaded and created files (except ca.crt) | - You can now delete any downloaded and created files (except ca.crt) |
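Review bot: the last step says to delete every downloaded and created file except ca.crt, but the **Tls-Auth:** field above is set to ta.key; unless Viscosity copies ta.key into its own bundle on import, deleting it breaks the tls-auth handshake, so the exception list should read "except ca.crt and ta.key" or state that Viscosity has copied both. A formatting nit on the new username/password lines: add a space before the "(the username is the first line in secret file)" and "(the password is the second line in secret file)" parentheticals.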