Connecting to the lab VPN - theunissenlab/lab-documentation GitHub Wiki
Connecting to the lab VPN (virtual private network) lets you access the lab network (computers, data on tdrive) from the comfort of your own laptop or home computer.
Setting up VPN access requires a couple of things:
- generating a password-protected RSA key on zebra, which is the gateway of the VPN
- setting up the VPN configuration on your laptop or home PC
The first step requires you to have access to ubuntu@zebra. If you don't have access, ask someone who does (Frederic, Kevin, Bill, Julie) to follow the instructions in the "Generating keys" section. When that is done, you should have an archive named USERNAME_keys.tar.gz and can go on to the section "Setting up vpn configuration".
Generating keys

Connect to zebra as user "ubuntu" (ssh ubuntu@zebra). Once connected, go to the easy-rsa directory and run the makeuser helper script to generate keys for a user:
$ cd easy-rsa
$ ./makeuser USERNAME
The makeuser script generates a password-protected key. It will first ask you to create a passphrase to encrypt the user's private key with; this is the passphrase the user will type every time they connect. The second password prompt unlocks the CA's secret key on zebra so that the new certificate can be signed. That is a separate password (the "secure openvpn password") and the user never needs it.
The newly generated key (as well as previously generated keys) can be found in /home/ubuntu/keys as a file USERNAME_keys.tar.gz. Copy the new keys from zebra to your local computer using scp:
scp ubuntu@zebra:/home/ubuntu/keys/<USERNAME>_keys.tar.gz .
Send these keys to the user, who will use them to set up their VPN access. The archive contains the user's private key, so hand it over on a channel you trust (scp to their machine, or in person) rather than by email, and tell them the passphrase separately.
Setting up vpn configuration

At this point, you should have an archive named USERNAME_keys.tar.gz. First, copy it to the directory you want to keep the files in (I keep them in my ~/.ssh/ directory) and extract it with tar xzf USERNAME_keys.tar.gz. It should contain 5 files:
ca_zebra.fet.berkeley.edu.crt
client_zebra.fet.berkeley.edu.crt
client_zebra.fet.berkeley.edu.key
ta_zebra.fet.berkeley.edu.key
config.ovpn
Keep the four key files in the same directory as config.ovpn, which refers to them by filename. You will need to edit the config.ovpn file if you are going to connect from a mobile device (see the inlining instructions below).
Mac (Tunnelblick)

- Download and install Tunnelblick.
- You should be able to open the config.ovpn file with Tunnelblick. Enter the passphrase you created when prompted.
Ubuntu

- Install the OpenVPN plugin for NetworkManager:
sudo apt-get install network-manager-openvpn-gnome
- In Ubuntu's network menu drop-down (top right corner), select "Edit connections..." and then click the "Add" button.
- From the drop-down, select "Import a saved VPN configuration". If this option is not available, something went wrong with step one.
- Locate the config.ovpn file that was generated along with your keys in the USERNAME_keys directory. If you put it in the .ssh folder, you might need to right-click and "show hidden files". Rename the VPN configuration if you like, then save.
- Connect to the VPN by going to the network menu drop-down, going to "VPN Connections", and selecting your VPN configuration.
- You can activate/deactivate the VPN connection from the command line using
nmcli con [up|down] id VPN_NAME
- Hope that it works.
Windows

- Install OpenVPN GUI.
- The OpenVPN GUI menu item should be accessible from the system tray (the ^ icon in the bottom right corner).
- Open it and import the config.ovpn file.
- Copy/move the rest of the files from the extracted archive (the key files) to
C:\Users\USERNAME\OpenVPN\config\config
so that they sit next to the imported config.ovpn, which refers to them by filename.
- Turn it on by double-clicking the icon and entering your username, password and key passphrase when prompted.
- If it fails, you might need to (re)enable the TAP adapter, the virtual network interface OpenVPN uses to carry the tunnel. Go to
Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings
and enable anything that looks like the TAP-Windows adapter.
Mobile

- Install the OpenVPN app (OpenVPN Connect).
- The config.ovpn file references the other four files by name. This doesn't work on mobile, where the app needs all of that information inside the one config file. Follow the inlining instructions below.
- Finally, transfer the edited config.ovpn file securely to your mobile device. On iOS this can be done by uploading it to iCloud or by using iTunes syncing. The inlined file now carries your private key (protected only by your passphrase) and the shared tls-auth key, so delete it from iCloud or wherever else it passed through once the app has imported it.
- Locate this file on your mobile device and open it with OpenVPN. Enter the username and password as normal, and now you can connect to the VPN!
Inlining the keys into config.ovpn

Open the 5 files in a text editor and go to config.ovpn. You will be replacing the lines
ca ca_zebra.fet.berkeley.edu.crt
cert client_zebra.fet.berkeley.edu.crt
key client_zebra.fet.berkeley.edu.key
tls-auth ta_zebra.fet.berkeley.edu.key 1
with
<ca>
-----BEGIN CERTIFICATE-----
(paste key in ca_zebra.fet.berkeley.edu.crt)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(paste key in client_zebra.fet.berkeley.edu.crt)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
(paste key in client_zebra.fet.berkeley.edu.key)
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(paste key in ta_zebra.fet.berkeley.edu.key)
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
In each of the tags (ca, cert, key, tls-auth), paste the full contents of the corresponding file, including its BEGIN and END lines. Don't miss the key-direction 1 line at the bottom: it carries the trailing 1 of the old tls-auth line, and without it the client uses the static key in the wrong direction and the server rejects the connection. Also make sure you didn't accidentally delete the auth-user-pass line at the end.
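The manual edit above can also be done mechanically. The script below is an added example and is not part of the lab wiki or the lab's own tooling. It reads config.ovpn and the four files it references from the same directory, emits the inlined single-file config, and refuses to proceed if the client private key is not passphrase-protected, since the inlined file is about to be copied to iCloud or a phone. The sample config and PEM contents at the bottom are constructed placeholders; the remote line and port 1194 in them are assumptions, not taken from the lab's real config.ovpn.

```python
"""Inline the certificate and key files referenced by an OpenVPN client config.

Added example, not code from the lab wiki.  It performs mechanically the edit
described above: each `ca`, `cert`, `key` and `tls-auth` directive that names a
file becomes a <tag>...</tag> block holding that file's PEM contents, and the
direction argument of `tls-auth FILE 1` becomes a `key-direction 1` line.
All other lines (e.g. auth-user-pass) are kept verbatim.
"""
from pathlib import Path
from typing import Dict, List

# Directives whose file argument OpenVPN also accepts as an inline block.
INLINE_DIRECTIVES = ("ca", "cert", "key", "tls-auth")


def referenced_files(config_text: str) -> List[str]:
    """Return the filenames named by inlineable directives, in config order."""
    names = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in INLINE_DIRECTIVES:
            names.append(parts[1])
    return names


def key_is_encrypted(pem: str) -> bool:
    """True if the PEM private key is passphrase-protected.

    easy-rsa 3 writes PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY"; older easy-rsa
    wrote "BEGIN RSA PRIVATE KEY" with a "Proc-Type: 4,ENCRYPTED" header line.
    """
    head = "\n".join(pem.strip().splitlines()[:3])
    return "ENCRYPTED" in head


def inline_ovpn(config_text: str, files: Dict[str, str]) -> str:
    """Return config_text with the referenced files embedded inline.

    `files` maps each referenced filename to its contents.  Raises KeyError
    for a missing file and ValueError if the client key is not encrypted:
    the inlined file leaves your machine (iCloud, iTunes), so it must not
    carry a bare private key.
    """
    out = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in INLINE_DIRECTIVES:
            directive, filename = parts[0], parts[1]
            pem = files[filename].strip()
            if directive == "key" and not key_is_encrypted(pem):
                raise ValueError(f"{filename}: private key is not passphrase-protected")
            out.append(f"<{directive}>")
            out.append(pem)
            out.append(f"</{directive}>")
            # `tls-auth FILE 1` -> the direction moves to its own directive.
            if directive == "tls-auth" and len(parts) >= 3:
                out.append(f"key-direction {parts[2]}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def inline_ovpn_file(config_path: str) -> str:
    """Inline a real config.ovpn, reading the referenced files from its directory."""
    cfg = Path(config_path)
    text = cfg.read_text()
    files = {name: (cfg.parent / name).read_text() for name in referenced_files(text)}
    return inline_ovpn(text, files)


# Constructed sample input (placeholders, not real certificates or keys).
# The remote line and port 1194 are assumptions; the lab's real config.ovpn
# may differ.
SAMPLE_CONFIG = """\
client
dev tun
remote zebra.fet.berkeley.edu 1194
ca ca_zebra.fet.berkeley.edu.crt
cert client_zebra.fet.berkeley.edu.crt
key client_zebra.fet.berkeley.edu.key
tls-auth ta_zebra.fet.berkeley.edu.key 1
auth-user-pass
"""

SAMPLE_FILES = {
    "ca_zebra.fet.berkeley.edu.crt":
        "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA\n-----END CERTIFICATE-----\n",
    "client_zebra.fet.berkeley.edu.crt":
        "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CLIENT\n-----END CERTIFICATE-----\n",
    "client_zebra.fet.berkeley.edu.key":
        "-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDER-KEY\n"
        "-----END ENCRYPTED PRIVATE KEY-----\n",
    "ta_zebra.fet.berkeley.edu.key":
        "-----BEGIN OpenVPN Static key V1-----\nPLACEHOLDER-TA\n"
        "-----END OpenVPN Static key V1-----\n",
}

if __name__ == "__main__":
    import sys
    # With a path argument, inline that config; otherwise show the sample.
    if len(sys.argv) > 1:
        sys.stdout.write(inline_ovpn_file(sys.argv[1]))
    else:
        sys.stdout.write(inline_ovpn(SAMPLE_CONFIG, SAMPLE_FILES))
```

Saved as, say, inline_ovpn.py (a name chosen here), run it from the USERNAME_keys directory as python3 inline_ovpn.py config.ovpn > config-inline.ovpn and transfer only config-inline.ovpn to the phone. Because every line other than the four file directives is copied through unchanged, the auth-user-pass line survives by construction, and the key-direction line is derived from the original tls-auth argument rather than typed by hand.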
Using the VPN

Once connected to the VPN, nodes can be accessed by their hostnames (e.g. zebra, goats, strfinator, ...) since the VPN hands out finch as the DNS server. This might not work on Windows 10 (I don't know why) unless you use the fully qualified name of the form hostname.fet.berkeley.edu, for example corvus.fet.berkeley.edu.
Your own computer will be assigned an IP address in the range 10.10.1.x; check for it with ifconfig.
Revoking keys

If a laptop or device used to connect to the VPN is lost or stolen, any VPN keys used on that device should be revoked and new ones generated (see above). The list of issued and revoked certificates lives on zebra in ~/easy-rsa/pki/index.txt (don't edit this yourself unless you know what you're doing).
To revoke a key, connect to zebra as user "ubuntu" (ssh ubuntu@zebra). Once connected, go to the easy-rsa directory and run ./easyrsa revoke KEYNAME, where KEYNAME corresponds to the USERNAME used when generating the keys above. Revoking only updates index.txt; the OpenVPN server keeps accepting the old certificate until the certificate revocation list is regenerated with ./easyrsa gen-crl and the server's configuration points at that CRL with a crl-verify line. Check both after revoking, or the lost device can still connect.