Difference between revisions of "EHL VPN Client Configuration in Fedora"

Latest revision as of 18:07, 23 September 2015

The EHL has OpenVPN and PPTP VPN for remote access.

OpenVPN method

Generate OpenVPN certificates for client

1. SSH to the EHL and log in as root:

ssh ehl.cdot.systems
sudo su -

2. Generate a certificate with easy-rsa (replace <HOSTNAME> with the hostname of your own machine):

cd /etc/openvpn/easy-rsa
source ./vars
./build-key <HOSTNAME>

NOTE: No information needs to be entered except answering the (y/n) prompts.

Copy certificates to client

1. ON YOUR MACHINE: Create ~/.cert:

mkdir ~/.cert

2. ON RED: Copy the certificates from Red to your own machine:

scp /etc/openvpn/easy-rsa/keys/{ca.crt,<HOSTNAME>.crt,<HOSTNAME>.key} <user>@<HOSTNAME>:~/.cert

3. ON YOUR MACHINE: Restore the SELinux file contexts on the copied files:

restorecon -R ~/.cert

Setting up an OpenVPN connection

You might need to install the OpenVPN plugin for NetworkManager:

yum install openvpn NetworkManager-openvpn pkcs11-helper openssl

via Gnome network settings

To set up access to the VPN from a remote Fedora system graphically:

  1. Access the Network portion of the Settings application.
  2. Click the + sign to add a new network connection.
  3. Select VPN as the connection type.
  4. Select OpenVPN as the VPN type.
  5. Fill in these parameters:
    • Gateway: ehl.internal.cdot.systems (currently: 10.46.52.62)
    • Type: Certificates (TLS)
    • User Certificate: ~/.cert/<HOSTNAME>.crt
    • CA Certificate: ~/.cert/ca.crt
    • Private Key: ~/.cert/<HOSTNAME>.key
  6. Click the Advanced... button at the right corner
    • Check the box marked "Use LZO data compression"
    • In the Security tab, choose "AES-256-CBC" as cipher
    • Click OK to finish advanced settings
  7. In the IPv4 tab, check the box marked "Use this connection only for resources on its network".
  8. Apply the changes.
  9. Start the VPN with the control in the Network Settings screen or at the top of the Gnome screen.

via Command line

Add a new basic VPN connection using nmcli:

nmcli conn add con-name EHL type vpn ifname lo vpn-type openvpn

Edit /etc/NetworkManager/system-connections/EHL and add the following lines (replace <user> and <HOSTNAME> as before):

[connection]
...
#interface-name=lo <----- Remove this line
autoconnect=true

[vpn]
...
connection-type=tls
remote=ehl.internal.cdot.systems
cipher=AES-256-CBC
comp-lzo=yes
cert-pass-flags=0
ca=/home/<user>/.cert/ca.crt
key=/home/<user>/.cert/<HOSTNAME>.key
cert=/home/<user>/.cert/<HOSTNAME>.crt

[ipv6]
method=auto

[ipv4]
method=auto
never-default=true

Reload the configuration file:

nmcli conn reload

Turn on the VPN connection:

nmcli conn up EHL
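As an added example (not a script from the wiki or the EHL), a POSIX sh helper that renders the keyfile above from <user> and <HOSTNAME>, checks that the three certificate files are present and the private key is not readable by group or others, and installs the keyfile with the root-only permissions NetworkManager requires before it will load it. The function names and the id/type/service-type lines (the ones nmcli conn add fills in for the "...") are assumptions.

```shell
# Constructed example (not the CDOT wiki's own script), for NetworkManager on Fedora.
# Keyfile body for client <HOSTNAME> with certs under /home/<USER>/.cert;
# service-type is what "nmcli conn add" fills in for the "..." on the wiki page.
render_ehl_openvpn_keyfile() {
    user="$1"; host="$2"
    cat <<EOF
[connection]
id=EHL
type=vpn
autoconnect=true

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=tls
remote=ehl.internal.cdot.systems
cipher=AES-256-CBC
comp-lzo=yes
cert-pass-flags=0
ca=/home/$user/.cert/ca.crt
key=/home/$user/.cert/$host.key
cert=/home/$user/.cert/$host.crt

[ipv6]
method=auto

[ipv4]
method=auto
never-default=true
EOF
}

# All three files exist and the key is not group/world readable (GNU stat -c).
check_cert_files() {
    dir="$1"; host="$2"
    for f in ca.crt "$host.crt" "$host.key"; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    case "$(stat -c '%a' "$dir/$host.key")" in
        600|400) ;;
        *) echo "$dir/$host.key must be mode 0600" >&2; return 1 ;;
    esac
}

# Keyfiles must be root-owned and 0600 or NetworkManager ignores them.
install_ehl_openvpn() {
    user="$1"; host="$2"; dest=/etc/NetworkManager/system-connections/EHL
    check_cert_files "/home/$user/.cert" "$host" || return 1
    render_ehl_openvpn_keyfile "$user" "$host" > "$dest" && chmod 0600 "$dest"
    nmcli conn reload && nmcli conn up EHL
}
```

Run install_ehl_openvpn as root, e.g. install_ehl_openvpn alice fedora-box; it stops before touching NetworkManager if any certificate file is missing or the key is too permissive.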

PPTP method (Not recommended)

Creating a VPN User

1. Add an entry to the /etc/ppp/chap-secrets file on morocco:

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
userid          pptpd   password                *

2. Reload the pptpd server: sudo systemctl reload pptpd

Setting up Remote Access Using NetworkManager GUI Setup Tools in Fedora (Gnome)

To set up access to the VPN from a remote Fedora system graphically:

  1. Access the Network portion of the Settings application.
  2. Click the + sign to add a new network connection.
  3. Select VPN as the connection type.
  4. Select Point-to-Point Tunneling Protocol (PPTP) as the VPN type.
  5. Fill in these parameters:
    • Gateway: ehl.internal.cdot.systems (currently: 10.46.52.62)
    • User name: Your VPN Username
    • Password: Your VPN Password (the system will ask you for this when you connect anyway)
    • NT Domain: leave blank
  6. In the IPv4 tab, fill in these parameters:
    • IPv4: On
    • Address: DHCP
    • DNS: Automatic OFF and all fields blank
    • Routes:
      • Address: 172.16.172.0
      • Netmask: 255.255.255.0
      • Gateway: 172.16.172.254 (currently: 172.16.172.215)
      • Metric: leave blank
    • Check the box marked "Use this connection only for resources on its network".
  7. Apply the changes.
  8. Start the VPN with the control in the Network Settings screen or at the top of the Gnome screen.

Note: If you are unable to connect to the VPN after following the above steps, it is possibly due to the firewall restricting access. To check if that is the case, turn off the firewall temporarily with sudo systemctl stop firewalld and attempt to connect to the VPN. Turn the firewall back on afterwards with sudo systemctl start firewalld.

Setting up VPN via command line

Add a new basic VPN connection using nmcli:

nmcli conn add con-name EHL type vpn ifname ppp0 vpn-type pptp

Edit /etc/NetworkManager/system-connections/EHL and add the following lines:

[connection]
...
autoconnect=true

[vpn]
...
gateway=ehl.internal.cdot.systems
user=<Your VPN Username>
password-flags=0

[vpn-secrets]
password=<Your VPN Password>

[ipv6]
method=auto

[ipv4]
method=auto
route1=172.16.172.0/24,172.16.172.215,0
ignore-auto-dns=true
ignore-auto-routes=true
never-default=true

Reload the configuration file:

nmcli conn reload

Turn on the VPN connection:

nmcli conn up EHL

Firewall Adjustment

To enable this to work through the Fedora firewall, issue these commands:

firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
firewall-cmd --reload

(From http://tinyurl.com/lyb63co.)

Other Configuration

For convenient access to the EHL resources:

  1. Merge /etc/hosts entries from Red (=ehl.internal.cdot.systems, which is the gateway system) into your local /etc/hosts file, commenting out or removing the line for Red/EHL itself.
  2. Copy /usr/local/bin/{serial,pingbuilders,startkojids,pdu} from Red into your local /usr/local/bin directory.
  3. Copy your SSH public key to the EHL systems using ssh-copy-id, including the ostep account on serial.
 ssh-copy-id ostep@serial
 serial x1