Difference between revisions of "Network/VPN"

Revision as of 01:42, 23 March 2016

Info

• We use the ocserv VPN server.
  • This server implements the Cisco AnyConnect protocol. You can use either the OpenConnect open source client or Cisco's AnyConnect client to connect. Both AnyConnect and OpenConnect are available on many platforms, including GNU/Linux, Windows, Mac OS X, and Android. On Windows, you might want to try this OpenConnect GUI, but I don't know much about it.
• All members have the option to use the VPN. Since we have not enabled LDAP authentication just yet, you will need to set a VPN password first.

Acquiring access

1. Request VPN account from EnabrinTain or hfuller.
   • This will need to be done in person, or in a way that the admin can be certain of your identity.
2. Set your VPN password.

Connecting

1. Start the AnyConnect or OpenConnect client, and supply the address shop.makerslocal.org:876
   • On most platforms, you can do openconnect shop.makerslocal.org:876
2. Enter your VPN username and continue.
3. Enter your VPN password and continue.
4. Accept the terms of use for the VPN.

Now your connection will be brought online and you can access Maker-exclusive network resources. (Your connection may be announced in IRC.)

Script with Pass

If you want to automate some of the connection process without using NetworkManager, then you can try this.

Export the vpn cert to a CA file.

• Open https://shop.makerslocal.org:876/ in a browser. Negate any security warnings (or don't, I'm a wiki not a cop).
• Click on the lock symbol next to the address. Click "More Information". Click to view the certificate. Click the Details tab.
• Export the certificate to a file. In our example we export to '256.makerslocal.org'

You should wind up with a file that looks like this:

$ cat 256.makerslocal.org
-----BEGIN CERTIFICATE-----
MIIGLDCCBRSgAwIBAgIDEaNVMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
[...]
Wz74gerIhC9upZKjo9TnE9+1aJJ7WAzL4I2CJag69Jpnyo7VoOx2IHqAXPUWA6YQ
-----END CERTIFICATE-----

Now we're ready to write a small bash script:

#!/bin/bash
ip addr | grep "vpn0"
IPADDR=$?
echo $IPADDR
if [ !$IPADDR ]; then
	sudo ip tuntap add vpn0 mode tun user berocs
fi
PSWD=$(pass makers/vpn)
echo -e "yes\n${PSWD}\n" | openconnect -b --pid-file=/tmp/openconnect.pid -i vpn0 -s 'sudo -E /etc/vpnc/vpnc-script' --cafile=256.makerslocal.org -u ctag shop.makerslocal.org:876

Note that the "yes\n" being echoed automatically to openconnect is to accept the vpn cert even though it's expired. If we ever renew the cert, this part of the script has to be changed.

Links:

• https://www.passwordstore.org/ -- The password manager used in this script.
• http://www.infradead.org/openconnect/nonroot.html -- Running openconnect as not root.
• https://shop.makerslocal.org:876/ -- doh.
• https://wiki.archlinux.org/index.php/OpenConnect -- Good information on openconnect.

Poor Man's VPN

If you have a VPN account, but you can't run OpenConnect or AnyConnect at the moment, you can use ssh to log into the newvpn box:

ssh hfuller@shop.makerslocal.org

From there, you could ssh to other resources at the shop, or do whatever else you can do from the command line.

You can also use ssh's -L option to forward ports on your local machine to ports on the Makers network, if that's your thing:

ssh -L 2222:cascade:22 tylercrumpton@shop.makerslocal.org

If I were Tyler, this example would expose port 22 on CasCADE as port 2222 on my local computer. See man ssh for more help with this.

Finally, mosh is also available. As you might guess, you can do this:

mosh hfuller@shop.makerslocal.org