Difference between revisions of "EHL VPN Client Configuration in Fedora"
Chris Tyler (talk | contribs) (→Firewall Adjustment) |
Chris Tyler (talk | contribs) (→Generate OpenVPN certificates for client) |
||
(14 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
[[Category:Enterprise Hyperscale Lab]] | [[Category:Enterprise Hyperscale Lab]] | ||
− | The [[EHL]] has | + | The [[EHL]] has OpenVPN and PPTP VPN for remote access. |
+ | |||
+ | = OpenVPN method = | ||
+ | |||
+ | == Generate OpenVPN certificates for client == | ||
+ | |||
+ | 1. SSH to EHL and login as root | ||
+ | ssh ehl.cdot.systems | ||
+ | sudo su - | ||
+ | |||
+ | 2. Generate certificate with easy-rsa (Replace <HOSTNAME> with your own) | ||
+ | cd /etc/openvpn/easy-rsa | ||
+ | source ./vars | ||
+ | ./build-key <HOSTNAME> | ||
+ | '''NOTE:''' No information needed to be inputted except answering (y/n) | ||
+ | |||
+ | == Copy certificates to client == | ||
+ | |||
+ | 1. ON YOUR MACHINE: Create ~/.cert on your own machine: | ||
+ | mkdir ~/.cert | ||
+ | |||
+ | 2. ON RED: Copy certificates from red | ||
+ | scp /etc/openvpn/easy-rsa/keys/{ca.crt,<HOSTNAME>.crt,<HOSTNAME>.key} <user>@<HOSTNAME>:~/.cert | ||
+ | |||
+ | 3. ON YOUR MACHINE: Reset SELinux permissions | ||
+ | restorecon -R ~/.cert | ||
+ | |||
+ | == Setting up a OpenVPN connection == | ||
+ | |||
+ | You might need to install OpenVPN plugin for NetworkManager | ||
+ | yum install openvpn NetworkManager-openvpn pkcs11-helper openssl | ||
+ | |||
+ | === via Gnome network settings === | ||
+ | |||
+ | To set up access to the VPN from a remote Fedora system graphically: | ||
+ | |||
+ | # Access the '''Network''' portion of the '''Setting''' application. | ||
+ | # Click the '''+''' sign to add a new network connection. | ||
+ | # Select '''VPN''' as the connection type. | ||
+ | # Select '''OpenVPN''' as the VPN type. | ||
+ | # Fill in these parameters: | ||
+ | #* Gateway: <code>ehl.internal.cdot.systems</code> (currently: 10.46.52.62) | ||
+ | #* Type: <code>Certificates (TLS)</code> | ||
+ | #* User Certificate: <code>~/.cert/<HOSTNAME>.crt</code> | ||
+ | #* CA Certificate: <code>~/.cert/ca.crt</code> | ||
+ | #* Private Key: <code>~/.cert/<HOSTNAME>.key</code> | ||
+ | # Click on '''Advanced...''' button at the right corner | ||
+ | #* Check the box marked '''"Use LZO data compression"''' | ||
+ | #* In the '''Security''' tab, choose '''"AES-256-CBC"''' as cipher | ||
+ | #* Click OK to finish advanced settings | ||
+ | # In the '''IPv4''' tab, check the box marked '''"Use this connection only for resources on its network"'''. | ||
+ | # Apply the changes. | ||
+ | # Start the VPN with the control in the Network Settings screen or at the top of the Gnome screen. | ||
+ | |||
+ | === via Command line === | ||
+ | |||
+ | Add a new basic vpn using nmcli: | ||
+ | nmcli conn add con-name EHL type vpn ifname lo vpn-type openvpn | ||
+ | |||
+ | Edit ''/etc/NetworkManager/system-connections/EHL'' and add following lines: | ||
+ | [connection] | ||
+ | ... | ||
+ | #interface-name=lo <----- Remove this line | ||
+ | autoconnect=true | ||
+ | |||
+ | [vpn] | ||
+ | ... | ||
+ | connection-type=tls | ||
+ | remote=ehl.internal.cdot.systems | ||
+ | cipher=AES-256-CBC | ||
+ | comp-lzo=yes | ||
+ | cert-pass-flags=0 | ||
+ | ca=/home/<user>/.cert/ca.crt | ||
+ | key=/home/<user>/.cert/newzealand.key | ||
+ | cert=/home/<user>/.cert/newzealand.crt | ||
+ | |||
+ | [ipv6] | ||
+ | method=auto | ||
+ | |||
+ | [ipv4] | ||
+ | method=auto | ||
+ | never-default=true | ||
+ | |||
+ | Reload configuration file: | ||
+ | nmcli conn reload | ||
+ | |||
+ | Turn on the VPN connection: | ||
+ | nmcli conn up EHL | ||
+ | |||
+ | = PPTP method (Not recommended) = | ||
== Creating a VPN User == | == Creating a VPN User == | ||
Line 21: | Line 110: | ||
# Select '''Point-to-Point Tunneling Protocol (PPTP)''' as the VPN type. | # Select '''Point-to-Point Tunneling Protocol (PPTP)''' as the VPN type. | ||
# Fill in these parameters: | # Fill in these parameters: | ||
− | #* Gateway: <code> | + | #* Gateway: <code>ehl.internal.cdot.systems</code> (currently: 10.46.52.62) |
#* User name: ''Your VPN Username'' | #* User name: ''Your VPN Username'' | ||
#* Password: ''Your VPN Password'' (the system will ask you for this when you connect anyway) | #* Password: ''Your VPN Password'' (the system will ask you for this when you connect anyway) | ||
Line 32: | Line 121: | ||
#** Address: 172.16.172.0 | #** Address: 172.16.172.0 | ||
#** Netmask: 255.255.255.0 | #** Netmask: 255.255.255.0 | ||
− | #** Gateway: 172.16.172.254 | + | #** Gateway: 172.16.172.254 (currently: 172.16.172.215) |
#** Metric: ''leave blank'' | #** Metric: ''leave blank'' | ||
#* Check the box marked "Use this connection only for resources on its network". | #* Check the box marked "Use this connection only for resources on its network". | ||
Line 39: | Line 128: | ||
Note: If you are unable to connect to the VPN after following the above steps, it is possibly due to the firewall restricting access. To check if that is the case, turn off the firewall temporarily with <code>sudo systemctl stop firewalld</code> and attempt to the connect to the VPN. Turn the firewall back on afterwards with <code>sudo systemctl start firewalld</code>. | Note: If you are unable to connect to the VPN after following the above steps, it is possibly due to the firewall restricting access. To check if that is the case, turn off the firewall temporarily with <code>sudo systemctl stop firewalld</code> and attempt to the connect to the VPN. Turn the firewall back on afterwards with <code>sudo systemctl start firewalld</code>. | ||
+ | |||
+ | == Setting up VPN via command line == | ||
+ | Add a new basic vpn using nmcli: | ||
+ | nmcli conn add con-name EHL type vpn ifname ppp0 vpn-type pptp | ||
+ | |||
+ | Edit ''/etc/NetworkManager/system-connections/EHL'' and add following lines: | ||
+ | [connection] | ||
+ | ... | ||
+ | autoconnect=true | ||
+ | |||
+ | [vpn] | ||
+ | ... | ||
+ | gateway=ehl.internal.cdot.systems | ||
+ | user=<Your VPN Username> | ||
+ | password-flags=0 | ||
+ | |||
+ | [vpn-secrets] | ||
+ | password=<Your VPN Password> | ||
+ | |||
+ | [ipv6] | ||
+ | method=auto | ||
+ | |||
+ | [ipv4] | ||
+ | method=auto | ||
+ | route1=172.16.172.0/24,172.16.172.215,0 | ||
+ | ignore-auto-dns=true | ||
+ | ignore-auto-routes=true | ||
+ | never-default=true | ||
+ | |||
+ | Reload configuration file: | ||
+ | nmcli conn reload | ||
+ | |||
+ | Turn on the VPN connection: | ||
+ | nmcli conn up EHL | ||
== Firewall Adjustment == | == Firewall Adjustment == | ||
Line 50: | Line 173: | ||
(From [http://tinyurl.com/lyb63co here]). | (From [http://tinyurl.com/lyb63co here]). | ||
− | + | = Other Configuration = | |
For convenient access to the EHL resources: | For convenient access to the EHL resources: | ||
− | # Merge <code>/etc/hosts</code> entries from | + | # Merge <code>/etc/hosts</code> entries from Red (=ehl.internal.cdot.systems, which is the gateway system) into your local <code>/etc/hosts</code> file, commenting out or removing the line for Red/EHL itself. |
− | # Copy <code>/usr/local/bin/{serial,pingbuilders,startkojids,pdu}</code> from | + | # Copy <code>/usr/local/bin/{serial,pingbuilders,startkojids,pdu}</code> from Red into your local <code>/usr/local/bin</code> directory. |
# Copy your SSH public key to the EHL systems using <code>ssh-copy-id</code>, including the <code>ostep</code> account on <code>serial</code>. | # Copy your SSH public key to the EHL systems using <code>ssh-copy-id</code>, including the <code>ostep</code> account on <code>serial</code>. | ||
+ | ssh-copy-id ostep@serial | ||
+ | serial x1 |
Latest revision as of 18:07, 23 September 2015
The EHL has OpenVPN and PPTP VPN for remote access.
OpenVPN method
Generate OpenVPN certificates for client
1. SSH to EHL and login as root
ssh ehl.cdot.systems sudo su -
2. Generate certificate with easy-rsa (Replace <HOSTNAME> with your own)
cd /etc/openvpn/easy-rsa source ./vars ./build-key <HOSTNAME>
NOTE: No information needed to be inputted except answering (y/n)
Copy certificates to client
1. ON YOUR MACHINE: Create ~/.cert on your own machine:
mkdir ~/.cert
2. ON RED: Copy certificates from red
scp /etc/openvpn/easy-rsa/keys/{ca.crt,<HOSTNAME>.crt,<HOSTNAME>.key} <user>@<HOSTNAME>:~/.cert
3. ON YOUR MACHINE: Reset SELinux permissions
restorecon -R ~/.cert
Setting up a OpenVPN connection
You might need to install OpenVPN plugin for NetworkManager
yum install openvpn NetworkManager-openvpn pkcs11-helper openssl
via Gnome network settings
To set up access to the VPN from a remote Fedora system graphically:
- Access the Network portion of the Setting application.
- Click the + sign to add a new network connection.
- Select VPN as the connection type.
- Select OpenVPN as the VPN type.
- Fill in these parameters:
- Gateway:
ehl.internal.cdot.systems
(currently: 10.46.52.62) - Type:
Certificates (TLS)
- User Certificate:
~/.cert/<HOSTNAME>.crt
- CA Certificate:
~/.cert/ca.crt
- Private Key:
~/.cert/<HOSTNAME>.key
- Gateway:
- Click on Advanced... button at the right corner
- Check the box marked "Use LZO data compression"
- In the Security tab, choose "AES-256-CBC" as cipher
- Click OK to finish advanced settings
- In the IPv4 tab, check the box marked "Use this connection only for resources on its network".
- Apply the changes.
- Start the VPN with the control in the Network Settings screen or at the top of the Gnome screen.
via Command line
Add a new basic vpn using nmcli:
nmcli conn add con-name EHL type vpn ifname lo vpn-type openvpn
Edit /etc/NetworkManager/system-connections/EHL and add following lines:
[connection] ... #interface-name=lo <----- Remove this line autoconnect=true [vpn] ... connection-type=tls remote=ehl.internal.cdot.systems cipher=AES-256-CBC comp-lzo=yes cert-pass-flags=0 ca=/home/<user>/.cert/ca.crt key=/home/<user>/.cert/newzealand.key cert=/home/<user>/.cert/newzealand.crt [ipv6] method=auto [ipv4] method=auto never-default=true
Reload configuration file:
nmcli conn reload
Turn on the VPN connection:
nmcli conn up EHL
PPTP method (Not recommended)
Creating a VPN User
1. Add an entry to the /etc/ppp/chap-secrets file on morocco
:
# Secrets for authentication using CHAP # client server secret IP addresses userid pptpd password *
2. Reload the pptpd server: sudo systemctl reload pptpd
Setting up Remote Access Using NetworkManager GUI Setup Tools in Fedora (Gnome)
To set up access to the VPN from a remote Fedora system graphically:
- Access the Network portion of the Setting application.
- Click the + sign to add a new network connection.
- Select VPN as the connection type.
- Select Point-to-Point Tunneling Protocol (PPTP) as the VPN type.
- Fill in these parameters:
- Gateway:
ehl.internal.cdot.systems
(currently: 10.46.52.62) - User name: Your VPN Username
- Password: Your VPN Password (the system will ask you for this when you connect anyway)
- NT Domain: leave blank
- Gateway:
- In the IPv4 tab, fill in these parameters:
- IPv4: On
- Address: DHCP
- DNS: Automatic OFF and all fields blank
- Routes:
- Address: 172.16.172.0
- Netmask: 255.255.255.0
- Gateway: 172.16.172.254 (currently: 172.16.172.215)
- Metric: leave blank
- Check the box marked "Use this connection only for resources on its network".
- Apply the changes.
- Start the VPN with the control in the Network Settings screen or at the top of the Gnome screen.
Note: If you are unable to connect to the VPN after following the above steps, it is possibly due to the firewall restricting access. To check if that is the case, turn off the firewall temporarily with sudo systemctl stop firewalld
and attempt to the connect to the VPN. Turn the firewall back on afterwards with sudo systemctl start firewalld
.
Setting up VPN via command line
Add a new basic vpn using nmcli:
nmcli conn add con-name EHL type vpn ifname ppp0 vpn-type pptp
Edit /etc/NetworkManager/system-connections/EHL and add following lines:
[connection] ... autoconnect=true [vpn] ... gateway=ehl.internal.cdot.systems user=<Your VPN Username> password-flags=0 [vpn-secrets] password=<Your VPN Password> [ipv6] method=auto [ipv4] method=auto route1=172.16.172.0/24,172.16.172.215,0 ignore-auto-dns=true ignore-auto-routes=true never-default=true
Reload configuration file:
nmcli conn reload
Turn on the VPN connection:
nmcli conn up EHL
Firewall Adjustment
To enable this to work through the Fedora firewall, issue these commands:
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT firewall-cmd --reload
(From here).
Other Configuration
For convenient access to the EHL resources:
- Merge
/etc/hosts
entries from Red (=ehl.internal.cdot.systems, which is the gateway system) into your local/etc/hosts
file, commenting out or removing the line for Red/EHL itself. - Copy
/usr/local/bin/{serial,pingbuilders,startkojids,pdu}
from Red into your local/usr/local/bin
directory. - Copy your SSH public key to the EHL systems using
ssh-copy-id
, including theostep
account onserial
.
ssh-copy-id ostep@serial serial x1