EHL VPN Client Configuration in Fedora

2,622 bytes added, 19:07, 23 September 2015
Generate OpenVPN certificates for client
[[Category:Enterprise Hyperscale Lab]]
The [[EHL]] has an OpenVPN and a PPTP VPN for remote access.

= OpenVPN method =

== Generate OpenVPN certificates for client ==

1. SSH to EHL and log in as root
 ssh ehl.cdot.systems
 sudo su -

2. Generate the certificate with easy-rsa (replace <HOSTNAME> with your own)
 cd /etc/openvpn/easy-rsa
 source ./vars
 ./build-key <HOSTNAME>

'''NOTE:''' No information needs to be entered except answering (y/n)

== Copy certificates to client ==

1. ON YOUR MACHINE: Create ~/.cert on your own machine:
 mkdir ~/.cert

2. ON RED: Copy certificates from red
 scp /etc/openvpn/easy-rsa/keys/{ca.crt,<HOSTNAME>.crt,<HOSTNAME>.key} <user>@<HOSTNAME>:~/.cert

3. ON YOUR MACHINE: Reset SELinux permissions
 restorecon -R ~/.cert

== Setting up an OpenVPN connection ==

You might need to install the OpenVPN plugin for NetworkManager
 yum install openvpn NetworkManager-openvpn pkcs11-helper openssl

=== via Gnome network settings ===

To set up access to the VPN from a remote Fedora system graphically:
# Access the '''Network''' portion of the '''Setting''' application.
# Click the '''+''' sign to add a new network connection.
# Select '''VPN''' as the connection type.
# Select '''OpenVPN''' as the VPN type.
# Fill in these parameters:
#* Gateway: <code>ehl.internal.cdot.systems</code> (currently: 10.46.52.62)
#* Type: <code>Certificates (TLS)</code>
#* User Certificate: <code>~/.cert/<HOSTNAME>.crt</code>
#* CA Certificate: <code>~/.cert/ca.crt</code>
#* Private Key: <code>~/.cert/<HOSTNAME>.key</code>
# Click on the '''Advanced...''' button at the right corner
#* Check the box marked '''"Use LZO data compression"'''
#* In the '''Security''' tab, choose '''"AES-256-CBC"''' as cipher
#* Click OK to finish advanced settings
# In the '''IPv4''' tab, check the box marked '''"Use this connection only for resources on its network"'''.
# Apply the changes.
# Start the VPN with the control in the Network Settings screen or at the top of the Gnome screen.

=== via Command line ===

Add a new basic vpn using nmcli:
 nmcli conn add con-name EHL type vpn ifname lo vpn-type openvpn

Edit ''/etc/NetworkManager/system-connections/EHL'' and add the following lines:
 [connection]
 ...
 #interface-name=lo <----- Remove this line
 autoconnect=true
 
 [vpn]
 ...
 connection-type=tls
 remote=ehl.internal.cdot.systems
 cipher=AES-256-CBC
 comp-lzo=yes
 cert-pass-flags=0
 ca=/home/<user>/.cert/ca.crt
 key=/home/<user>/.cert/newzealand.key
 cert=/home/<user>/.cert/newzealand.crt
 
 [ipv6]
 method=auto
 
 [ipv4]
 method=auto
 never-default=true

Reload configuration file:
 nmcli conn reload

Turn on the VPN connection:
 nmcli conn up EHL

= PPTP method (Not recommended) =
== Creating a VPN User ==
== Setting up VPN via command line ==
Add a new basic vpn using nmcli:
 nmcli conn add con-name EHL type vpn ifname ppp0 vpn-type pptp
Edit ''/etc/NetworkManager/system-connections/EHL'' and add following lines:
 ...
 gateway=ehl.internal.cdot.systems
 user=<Your VPN Username>
 password-flags=0
 [vpn-secrets]
 password=<Your VPN Password>
 [ipv6]
(From [http://tinyurl.com/lyb63co here]).
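A check you can run over the keyfiles produced by either command-line method above, as an added example that is not part of the original wiki page. It assumes the NetworkManager keyfile layout shown on this page; the function names, the <code>make_sample</code> helper and its sample file are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the wiki page): audit a NetworkManager VPN keyfile.
# Prints one finding per line; the return status is the number of findings.

# True when group or other hold any permission bit on the file.
too_open() { [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; }

# First value of "name=" in the keyfile (section headers are ignored).
kf_get() { sed -n "s/^$2=//p" "$1" | head -n 1; }

audit_vpn_keyfile() {
    local kf=$1 n=0 key
    if too_open "$kf"; then
        echo "keyfile accessible to group/other: $kf"; n=$((n+1))
    fi
    key=$(kf_get "$kf" key)
    if [ -n "$key" ] && [ ! -f "$key" ]; then
        echo "private key not found: $key"; n=$((n+1))
    elif [ -n "$key" ] && too_open "$key"; then
        echo "private key accessible to group/other: $key"; n=$((n+1))
    fi
    if grep -q '^password=' "$kf"; then
        echo "VPN password stored in clear text in $kf"; n=$((n+1))
    fi
    if grep -q '^service-type=.*pptp' "$kf"; then
        echo "PPTP connection (this page marks PPTP as not recommended)"; n=$((n+1))
    fi
    return "$n"
}

# Constructed sample: writes a keyfile and key under directory $1 for a dry run.
make_sample() {
    local d=$1
    : > "$d/host.key"; chmod 644 "$d/host.key"     # deliberately too open
    printf '%s\n' '[vpn]' \
        'service-type=org.freedesktop.NetworkManager.openvpn' \
        'connection-type=tls' "key=$d/host.key" > "$d/EHL"
    chmod 600 "$d/EHL"
}

# Usage: script.sh /etc/NetworkManager/system-connections/EHL  (run as root)
if [ $# -gt 0 ]; then audit_vpn_keyfile "$1"; fi
```

A finding for the private key is cleared with <code>chmod 600</code> on the file in <code>~/.cert</code>; the clear-text password finding applies to the PPTP keyfile layout shown above.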
== Other Configuration ==
For convenient access to the EHL resources: