Difference between revisions of "EHL VPN Client Configuration in Fedora"

From CDOT Wiki
Jump to: navigation, search
(Setting up VPN via command line)
Line 1: Line 1:
 
[[Category:Enterprise Hyperscale Lab]]
 
[[Category:Enterprise Hyperscale Lab]]
The [[EHL]] has a PPTP VPN for remote access.
+
The [[EHL]] has OpenVPN and PPTP VPN for remote access.
  
== Creating a VPN User ==
+
== OpenVPN method ==
 +
 
 +
=== Generate OpenVPN certificates for your machine ===
 +
 
 +
1. SSH to red and login as root
 +
ssh red
 +
sudo su -
 +
 
 +
2. Generate certificate with easy-rsa (Replace <HOSTNAME> with your own)
 +
cd /etc/openvpn/easy-rsa
 +
source ./vars
 +
./build-key <HOSTNAME>
 +
'''NOTE:''' No information needed to be inputted except answering (y/n)
 +
 
 +
=== Copy certificates to your machine ===
 +
 
 +
1. ON YOUR MACHINE: Create ~/.cert on your own machine:
 +
mkdir ~/.cert
 +
 
 +
2. ON RED: Copy certificates from red
 +
scp /etc/openvpn/easy-rsa/keys/{ca.crt,<HOSTNAME>.crt,<HOSTNAME>.key} <HOSTNAME>:~/.cert
 +
 
 +
3. ON YOUR MACHINE: Reset SELinux permissions
 +
restorecon -R ~/.cert
 +
 
 +
=== Setting up a OpenVPN connection in Gnome network settings ===
 +
 
 +
To set up access to the VPN from a remote Fedora system graphically:
 +
 
 +
# Access the '''Network''' portion of the '''Setting''' application.
 +
# Click the '''+''' sign to add a new network connection.
 +
# Select '''VPN''' as the connection type.
 +
# Select '''OpenVPN''' as the VPN type.
 +
# Fill in these parameters:
 +
#* Gateway: <code>ehl.internal.cdot.systems</code> (currently: 10.46.52.62)
 +
#* Type: <code>Certificates (TLS)</code>
 +
#* User Certificate: <code>~/.cert/<HOSTNAME>.crt</code>
 +
#* CA Certificate: <code>~/.cert/ca.crt</code>
 +
#* Private Key: <code>~/.cert/<HOSTNAME>.key</code>
 +
# Click on '''Advanced...''' button at the right corner
 +
#* Check the box marked '''"Use LZO data compression"'''
 +
#* In the '''Security''' tab, choose '''"AES-256-CBC"''' as cipher
 +
#* Click OK to finish advanced settings
 +
# In the '''IPv4''' tab, check the box marked '''"Use this connection only for resources on its network"'''.
 +
# Apply the changes.
 +
# Start the VPN with the control in the Network Settings screen or at the top of the Gnome screen.
 +
 
 +
=== Setting up OpenVPN connection via command line ===
 +
 
 +
Add a new basic vpn using nmcli:
 +
nmcli conn add con-name EHL type vpn ifname lo vpn-type openvpn
 +
 
 +
Edit ''/etc/NetworkManager/system-connections/EHL'' and add following lines:
 +
[connection]
 +
...
 +
#interface-name=lo <----- Remove this line
 +
autoconnect=true
 +
 +
[vpn]
 +
...
 +
connection-type=tls
 +
remote=ehl.internal.cdot.systems
 +
cipher=AES-256-CBC
 +
comp-lzo=yes
 +
cert-pass-flags=0
 +
ca=/home/<user>/.cert/ca.crt
 +
key=/home/<user>/.cert/newzealand.key
 +
cert=/home/<user>/.cert/newzealand.crt
 +
 +
[ipv6]
 +
method=auto
 +
 +
[ipv4]
 +
method=auto
 +
never-default=true
 +
 
 +
Reload configuration file:
 +
nmcli conn reload
 +
 
 +
Turn on the VPN connection:
 +
nmcli conn up EHL
 +
 
 +
== PPTP Method (Not recommended) ==
 +
 
 +
=== Creating a VPN User ===
  
 
1. Add an entry to the /etc/ppp/chap-secrets file on <code>morocco</code>:
 
1. Add an entry to the /etc/ppp/chap-secrets file on <code>morocco</code>:
Line 12: Line 96:
 
2. Reload the pptpd server: <code>sudo systemctl reload pptpd</code>
 
2. Reload the pptpd server: <code>sudo systemctl reload pptpd</code>
  
== Setting up Remote Access Using NetworkManager GUI Setup Tools in Fedora (Gnome) ==
+
=== Setting up Remote Access Using NetworkManager GUI Setup Tools in Fedora (Gnome) ===
  
 
To set up access to the VPN from a remote Fedora system graphically:
 
To set up access to the VPN from a remote Fedora system graphically:
Line 40: Line 124:
 
Note: If you are unable to connect to the VPN after following the above steps, it is possibly due to the firewall restricting access. To check if that is the case, turn off the firewall temporarily with <code>sudo systemctl stop firewalld</code> and attempt to the connect to the VPN. Turn the firewall back on afterwards with <code>sudo systemctl start firewalld</code>.
 
Note: If you are unable to connect to the VPN after following the above steps, it is possibly due to the firewall restricting access. To check if that is the case, turn off the firewall temporarily with <code>sudo systemctl stop firewalld</code> and attempt to the connect to the VPN. Turn the firewall back on afterwards with <code>sudo systemctl start firewalld</code>.
  
== Setting up VPN via command line ==
+
=== Setting up VPN via command line ===
 
Add a new basic vpn using nmcli:
 
Add a new basic vpn using nmcli:
 
  nmcli conn add con-name EHL type vpn ifname ppp0 vpn-type pptp
 
  nmcli conn add con-name EHL type vpn ifname ppp0 vpn-type pptp
Line 52: Line 136:
 
  ...
 
  ...
 
  gateway=ehl.internal.cdot.systems
 
  gateway=ehl.internal.cdot.systems
  user=[Your VPN Username]
+
  user=<Your VPN Username>
 
  password-flags=0
 
  password-flags=0
 
   
 
   
 
  [vpn-secrets]
 
  [vpn-secrets]
  password=[Your VPN Password]
+
  password=<Your VPN Password>
 
   
 
   
 
  [ipv6]
 
  [ipv6]
Line 74: Line 158:
 
  nmcli conn up EHL
 
  nmcli conn up EHL
  
== Firewall Adjustment ==
+
=== Firewall Adjustment ===
  
 
To enable this to work through the Fedora firewall, issue these commands:
 
To enable this to work through the Fedora firewall, issue these commands:

Revision as of 00:09, 27 August 2015

The EHL has OpenVPN and PPTP VPN for remote access.

OpenVPN method

Generate OpenVPN certificates for your machine

1. SSH to red and login as root 

ssh red
sudo su -

2. Generate certificate with easy-rsa (Replace <HOSTNAME> with your own) 

cd /etc/openvpn/easy-rsa
source ./vars
./build-key <HOSTNAME>

NOTE: No information needed to be inputted except answering (y/n)

Copy certificates to your machine

1. ON YOUR MACHINE: Create ~/.cert on your own machine: 

mkdir ~/.cert

2. ON RED: Copy certificates from red 

scp /etc/openvpn/easy-rsa/keys/{ca.crt,<HOSTNAME>.crt,<HOSTNAME>.key} <HOSTNAME>:~/.cert

3. ON YOUR MACHINE: Reset SELinux permissions 

restorecon -R ~/.cert

Setting up a OpenVPN connection in Gnome network settings

To set up access to the VPN from a remote Fedora system graphically:

  1. Access the Network portion of the Setting application.
  2. Click the + sign to add a new network connection.
  3. Select VPN as the connection type.
  4. Select OpenVPN as the VPN type.
  5. Fill in these parameters:
    • Gateway: ehl.internal.cdot.systems (currently: 10.46.52.62)
    • Type: Certificates (TLS)
    • User Certificate: ~/.cert/<HOSTNAME>.crt
    • CA Certificate: ~/.cert/ca.crt
    • Private Key: ~/.cert/<HOSTNAME>.key
  6. Click on Advanced... button at the right corner
    • Check the box marked "Use LZO data compression"
    • In the Security tab, choose "AES-256-CBC" as cipher
    • Click OK to finish advanced settings
  7. In the IPv4 tab, check the box marked "Use this connection only for resources on its network".
  8. Apply the changes.
  9. Start the VPN with the control in the Network Settings screen or at the top of the Gnome screen.

Setting up OpenVPN connection via command line

Add a new basic vpn using nmcli: 

nmcli conn add con-name EHL type vpn ifname lo vpn-type openvpn

Edit /etc/NetworkManager/system-connections/EHL and add following lines: 

[connection]
...
#interface-name=lo <----- Remove this line
autoconnect=true

[vpn]
...
connection-type=tls
remote=ehl.internal.cdot.systems
cipher=AES-256-CBC
comp-lzo=yes
cert-pass-flags=0
ca=/home/<user>/.cert/ca.crt
key=/home/<user>/.cert/newzealand.key
cert=/home/<user>/.cert/newzealand.crt

[ipv6]
method=auto

[ipv4]
method=auto
never-default=true

Reload configuration file: 

nmcli conn reload

Turn on the VPN connection: 

nmcli conn up EHL

PPTP Method (Not recommended)

Creating a VPN User

1. Add an entry to the /etc/ppp/chap-secrets file on morocco: 

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
userid          pptpd   password                *

2. Reload the pptpd server: sudo systemctl reload pptpd

Setting up Remote Access Using NetworkManager GUI Setup Tools in Fedora (Gnome)

To set up access to the VPN from a remote Fedora system graphically:

  1. Access the Network portion of the Setting application.
  2. Click the + sign to add a new network connection.
  3. Select VPN as the connection type.
  4. Select Point-to-Point Tunneling Protocol (PPTP) as the VPN type.
  5. Fill in these parameters:
    • Gateway: ehl.internal.cdot.systems (currently: 10.46.52.62)
    • User name: Your VPN Username
    • Password: Your VPN Password (the system will ask you for this when you connect anyway)
    • NT Domain: leave blank
  6. In the IPv4 tab, fill in these parameters:
    • IPv4: On
    • Address: DHCP
    • DNS: Automatic OFF and all fields blank
    • Routes:
      • Address: 172.16.172.0
      • Netmask: 255.255.255.0
      • Gateway: 172.16.172.254 (currently: 172.16.172.215)
      • Metric: leave blank
    • Check the box marked "Use this connection only for resources on its network".
  7. Apply the changes.
  8. Start the VPN with the control in the Network Settings screen or at the top of the Gnome screen.

Note: If you are unable to connect to the VPN after following the above steps, it is possibly due to the firewall restricting access. To check if that is the case, turn off the firewall temporarily with sudo systemctl stop firewalld and attempt to the connect to the VPN. Turn the firewall back on afterwards with sudo systemctl start firewalld.

Setting up VPN via command line

Add a new basic vpn using nmcli: 

nmcli conn add con-name EHL type vpn ifname ppp0 vpn-type pptp

Edit /etc/NetworkManager/system-connections/EHL and add following lines: 

[connection]
...
autoconnect=true

[vpn]
...
gateway=ehl.internal.cdot.systems
user=<Your VPN Username>
password-flags=0

[vpn-secrets]
password=<Your VPN Password>

[ipv6]
method=auto

[ipv4]
method=auto
route1=172.16.172.0/24,172.16.172.215,0
ignore-auto-dns=true
ignore-auto-routes=true
never-default=true

Reload configuration file: 

nmcli conn reload

Turn on the VPN connection: 

nmcli conn up EHL

Firewall Adjustment

To enable this to work through the Fedora firewall, issue these commands: 

firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
firewall-cmd --reload

(From here).

Other Configuration

For convenient access to the EHL resources:

  1. Merge /etc/hosts entries from Red (=ehl.internal.cdot.systems, which is the gateway system) into your local /etc/hosts file, commenting out or removing the line for Red/EHL itself.
  2. Copy /usr/local/bin/{serial,pingbuilders,startkojids,pdu} from Red into your local /usr/local/bin directory.
  3. Copy your SSH public key to the EHL systems using ssh-copy-id, including the ostep account on serial.
 ssh-copy-id ostep@serial
 serial x1
Retrieved from "https://wiki.cdot.senecapolytechnic.ca/w/index.php?title=EHL_VPN_Client_Configuration_in_Fedora&oldid=112001"