CDOT Wiki β

Changes

EHL VPN Client Configuration in Fedora

3,477 bytes added, 18:07, 23 September 2015
Generate OpenVPN certificates for client
[[Category:Enterprise Hyperscale Lab]]
The [[EHL]] has an OpenVPN and a PPTP VPN for remote access.

= OpenVPN method =

== Generate OpenVPN certificates for client ==
1. SSH to EHL and log in as root
ssh ehl.cdot.systems
sudo su -
2. Generate a certificate with easy-rsa (replace <HOSTNAME> with your own hostname)
cd /etc/openvpn/easy-rsa
source ./vars
./build-key <HOSTNAME>
'''NOTE:''' No information needs to be entered except answering the (y/n) prompts.

== Copy certificates to client ==
1. ON YOUR MACHINE: Create ~/.cert on your own machine:
mkdir ~/.cert
2. ON RED: Copy the certificates from red to your machine
scp /etc/openvpn/easy-rsa/keys/{ca.crt,<HOSTNAME>.crt,<HOSTNAME>.key} <user>@<HOSTNAME>:~/.cert
3. ON YOUR MACHINE: Reset SELinux labels
restorecon -R ~/.cert

== Setting up an OpenVPN connection ==
You might need to install the OpenVPN plugin for NetworkManager:
yum install openvpn NetworkManager-openvpn pkcs11-helper openssl

=== via Gnome network settings ===
To set up access to the VPN from a remote Fedora system graphically:
# Access the '''Network''' portion of the '''Settings''' application.
# Click the '''+''' sign to add a new network connection.
# Select '''VPN''' as the connection type.
# Select '''OpenVPN''' as the VPN type.
# Fill in these parameters:
#* Gateway: <code>ehl.internal.cdot.systems</code> (currently: 10.46.52.62)
#* Type: <code>Certificates (TLS)</code>
#* User Certificate: <code>~/.cert/<HOSTNAME>.crt</code>
#* CA Certificate: <code>~/.cert/ca.crt</code>
#* Private Key: <code>~/.cert/<HOSTNAME>.key</code>
# Click on the '''Advanced...''' button at the right corner
#* Check the box marked '''"Use LZO data compression"'''
#* In the '''Security''' tab, choose '''"AES-256-CBC"''' as cipher
#* Click OK to finish advanced settings
# In the '''IPv4''' tab, check the box marked '''"Use this connection only for resources on its network"'''.
# Apply the changes.
# Start the VPN with the control in the Network Settings screen or at the top of the Gnome screen.
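The private key in the steps above is generated on the gateway and pushed over scp, so it is worth confirming what landed in ~/.cert before pointing NetworkManager at it. The script below is an added example, not part of this wiki page or of the EHL tooling: it checks that the key is not readable by other local users, that <HOSTNAME>.crt is actually signed by ca.crt, that the certificate's public key matches the private key, that it is not about to expire, and that its CN is the hostname you passed to build-key. It assumes GNU stat and the openssl CLI; the bundle directory and hostname are arguments, and the throwaway CA in make_test_bundle is constructed test data standing in for /etc/openvpn/easy-rsa/keys/ on red.

```shell
#!/bin/bash
# Added example, not part of the EHL wiki: sanity-check an easy-rsa client bundle
# (ca.crt, <HOSTNAME>.crt, <HOSTNAME>.key) before pointing NetworkManager at it.
# Assumes GNU stat and the openssl CLI; bundle directory and hostname are arguments.
set -u

fail() { echo "FAIL: $*" >&2; return 1; }

check_client_bundle() {
    local dir=$1 host=$2
    local ca="$dir/ca.crt" crt="$dir/$host.crt" key="$dir/$host.key" mode cn

    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { fail "missing or unreadable: $f"; return 1; }
    done

    # The private key was generated on the server and copied over scp; make sure
    # it is not readable by other local users.
    mode=$(stat -c '%a' "$key")
    case "$mode" in 600|400) ;; *) fail "$key has mode $mode, expected 0600"; return 1 ;; esac

    # The certificate must chain to the CA the gateway trusts.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { fail "$crt is not signed by $ca"; return 1; }

    # The public key inside the certificate must match the private key we hold.
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { fail "$crt does not match $key"; return 1; }

    # Refuse a certificate that expires within the next 7 days (604800 s).
    openssl x509 -in "$crt" -noout -checkend 604800 >/dev/null \
        || { fail "$crt expires within 7 days"; return 1; }

    # easy-rsa's build-key puts the hostname in the CN; confirm it is the one we asked for.
    cn=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$host" ] || { fail "certificate CN is '$cn', expected '$host'"; return 1; }

    echo "OK: $host bundle in $dir"
}

# Constructed test data: a throwaway CA and client certificate that stand in for
# what /etc/openvpn/easy-rsa/keys/ on the EHL gateway would produce.
make_test_bundle() {
    local dir=$1 host=$2
    mkdir -p "$dir" && chmod 700 "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=test-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -out "$dir/$host.crt" >/dev/null 2>&1
    chmod 600 "$dir/$host.key"
}

if [ "${1:-}" = "--selftest" ]; then
    tmp=$(mktemp -d)
    make_test_bundle "$tmp" client1
    check_client_bundle "$tmp" client1
    rm -rf "$tmp"
elif [ $# -eq 2 ]; then
    check_client_bundle "$1" "$2"   # e.g. ./check.sh ~/.cert myhost
fi
```

Run it as <code>./check.sh ~/.cert <HOSTNAME></code> after the restorecon step; a CN mismatch usually means the wrong bundle was copied, and a mode failure means scp landed the key with the umask of the account you copied into rather than 0600.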
=== via Command line ===
Add a new basic vpn using nmcli:
nmcli conn add con-name EHL type vpn ifname lo vpn-type openvpn

Edit ''/etc/NetworkManager/system-connections/EHL'' and add the following lines (replace <HOSTNAME> with the name you passed to build-key):
[connection]
...
#interface-name=lo <----- Remove this line
autoconnect=true
[vpn]
...
connection-type=tls
remote=ehl.internal.cdot.systems
cipher=AES-256-CBC
comp-lzo=yes
cert-pass-flags=0
ca=/home/<user>/.cert/ca.crt
key=/home/<user>/.cert/<HOSTNAME>.key
cert=/home/<user>/.cert/<HOSTNAME>.crt
[ipv6]
method=auto
[ipv4]
method=auto
never-default=true

Reload configuration file:
nmcli conn reload

Turn on the VPN connection:
nmcli conn up EHL

= PPTP method (Not recommended) =
== Creating a VPN User ==
# Select '''Point-to-Point Tunneling Protocol (PPTP)''' as the VPN type.
# Fill in these parameters:
#* Gateway: <code>ehl.internal.cdot.systems</code> (currently: 10.46.52.62)
#* User name: ''Your VPN Username''
#* Password: ''Your VPN Password'' (the system will ask you for this when you connect anyway)
#** Address: 172.16.172.0
#** Netmask: 255.255.255.0
#** Gateway: 172.16.172.254(currently: 172.16.172.215)
#** Metric: ''leave blank''
#* Check the box marked "Use this connection only for resources on its network".
Note: If you are unable to connect to the VPN after following the above steps, the firewall may be restricting access. To check whether that is the case, turn off the firewall temporarily with <code>sudo systemctl stop firewalld</code> and attempt to connect to the VPN. Turn the firewall back on afterwards with <code>sudo systemctl start firewalld</code>; the permanent fix is the GRE rule under Firewall Adjustment below.
 
== Setting up VPN via command line ==
Add a new basic vpn using nmcli:
nmcli conn add con-name EHL type vpn ifname ppp0 vpn-type pptp
 
Edit ''/etc/NetworkManager/system-connections/EHL'' and add the following lines:
[connection]
...
autoconnect=true
[vpn]
...
gateway=ehl.internal.cdot.systems
user=<Your VPN Username>
password-flags=0
[vpn-secrets]
password=<Your VPN Password>
[ipv6]
method=auto
[ipv4]
method=auto
route1=172.16.172.0/24,172.16.172.215,0
ignore-auto-dns=true
ignore-auto-routes=true
never-default=true
 
Reload configuration file:
nmcli conn reload
 
Turn on the VPN connection:
nmcli conn up EHL
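Both keyfiles above are hand-edited, and the PPTP one stores the VPN password in cleartext because password-flags=0 tells NetworkManager to keep the secret itself. The script below is an added example, not part of this wiki page: it reads a keyfile from /etc/NetworkManager/system-connections/ and reports the settings a reviewer would flag (file mode other than 0600, a PPTP service type, a cleartext password in [vpn-secrets], comp-lzo=yes, and a missing never-default=true), returning the number of findings. It assumes GNU stat; the sample keyfile written by write_sample_pptp_keyfile is constructed from the PPTP configuration on this page plus the service-type line that nmcli writes and the page elides with "...".

```shell
#!/bin/bash
# Added example, not part of the EHL wiki: audit a NetworkManager keyfile under
# /etc/NetworkManager/system-connections/ for the settings this page asks for and
# for the ones that weaken the client. Assumes GNU stat. Prints one line per
# finding and returns the number of findings (0 = clean).
set -u

# nm_key FILE SECTION KEY: print the value of KEY in [SECTION], empty if absent.
nm_key() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == sec); next }
        insec && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }
    ' "$1"
}

audit_nm_keyfile() {
    local f=$1 n=0 v

    # NetworkManager keyfiles should be root-owned 0600; the PPTP profile on this
    # page stores the VPN password in the file, so anything looser leaks it.
    v=$(stat -c '%a' "$f")
    [ "$v" = "600" ] || { echo "mode: $f is $v, expected 0600"; n=$((n+1)); }

    # The page itself marks PPTP as not recommended (MS-CHAPv2/MPPE).
    case "$(nm_key "$f" vpn service-type)" in
        *pptp*) echo "vpn: PPTP profile, prefer the OpenVPN profile"; n=$((n+1)) ;;
    esac

    # password-flags=0 makes NM keep the secret system-wide, i.e. cleartext here;
    # password-flags=1 keeps it in the user's keyring instead.
    [ -z "$(nm_key "$f" vpn-secrets password)" ] \
        || { echo "secrets: cleartext password in [vpn-secrets]; set password-flags=1"; n=$((n+1)); }

    # Compression inside the tunnel lets an attacker who can inject known plaintext
    # recover secrets from ciphertext sizes (VORACLE); leave it off unless required.
    [ "$(nm_key "$f" vpn comp-lzo)" != "yes" ] \
        || { echo "vpn: comp-lzo=yes, compression over the tunnel is a plaintext-recovery risk"; n=$((n+1)); }

    # Without never-default=true every packet from the laptop goes through the lab gateway.
    [ "$(nm_key "$f" ipv4 never-default)" = "true" ] \
        || { echo "ipv4: never-default missing, all traffic would be routed via the VPN"; n=$((n+1)); }

    return $n
}

# Constructed sample: the PPTP keyfile from this page, with the service-type line
# that nmcli writes and that the page elides with "...". Credentials are dummies.
write_sample_pptp_keyfile() {
    cat > "$1" <<'EOF'
[connection]
id=EHL
type=vpn
autoconnect=true

[vpn]
service-type=org.freedesktop.NetworkManager.pptp
gateway=ehl.internal.cdot.systems
user=vpnuser
password-flags=0

[vpn-secrets]
password=hunter2

[ipv6]
method=auto

[ipv4]
method=auto
route1=172.16.172.0/24,172.16.172.215,0
ignore-auto-dns=true
ignore-auto-routes=true
never-default=true
EOF
    chmod 600 "$1"
}

if [ $# -eq 1 ]; then
    audit_nm_keyfile "$1"   # e.g. sudo ./audit.sh /etc/NetworkManager/system-connections/EHL
fi
```

Run it as root on the EHL profile after editing and before <code>nmcli conn reload</code>; on the page's PPTP keyfile it reports the PPTP service type and the cleartext password, and on the OpenVPN keyfile it reports comp-lzo=yes, which matches the "Use LZO data compression" box in the Gnome steps and should only stay on if the gateway insists on it.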
== Firewall Adjustment ==
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
firewall-cmd --reload
(From [http://tinyurl.com/lyb63co here]).
== Other Configuration ==
For convenient access to the EHL resources:
# Merge <code>/etc/hosts</code> entries from Red (=ehl.internal.cdot.systems, which is the gateway system) into your local <code>/etc/hosts</code> file, commenting out or removing the line for Red/EHL itself.
# Copy <code>/usr/local/bin/{serial,pingbuilders,startkojids,pdu}</code> from Red into your local <code>/usr/local/bin</code> directory.
# Copy your SSH public key to the EHL systems using <code>ssh-copy-id</code>, including the <code>ostep</code> account on <code>serial</code>.
ssh-copy-id ostep@serial
serial x1