(One intermediate revision by one user not shown) |
Line 1: |
Line 1: |
− | == Info ==
| + | We no longer support a traditional VPN. SSH access for those that need it is the way to go. |
− | * We use [http://www.infradead.org/ocserv/ the ocserv VPN server].
| + | |
− | ** This server implements the [http://www.cisco.com/c/en/us/support/security/anyconnect-vpn-client/tsd-products-support-series-home.html Cisco AnyConnect] protocol. You can use either [http://www.infradead.org/openconnect/ the OpenConnect open source client] or Cisco's AnyConnect client to connect. Both AnyConnect and OpenConnect are available on many platforms, including GNU/Linux, Windows, Mac OS X, and Android. On Windows, you might want to try this [https://github.com/openconnect/openconnect-gui/wiki OpenConnect GUI], but I don't know much about it.
| + | |
− | * All members have the option to use the VPN. Since we have not enabled LDAP authentication just yet, you will need to set a VPN password first.
| + | |
− | | + | |
− | == Acquiring access ==
| + | |
− | # Request VPN account from [[User:Enabrintain|EnabrinTain]] or [[User:hfuller|hfuller]].
| + | |
− | #* This will need to be done in person, or in a way that the admin can be certain of your identity.
| + | |
− | # Set your VPN password.
| + | |
− | | + | |
− | == Connecting ==
| + | |
− | # Start the AnyConnect or OpenConnect client, and supply the address shop.makerslocal.org:876
| + | |
− | #* On most platforms, you can do <code>openconnect shop.makerslocal.org:876</code>
| + | |
− | # Enter your VPN username and continue.
| + | |
− | # Enter your VPN password and continue.
| + | |
− | # Accept the terms of use for the VPN.
| + | |
− | | + | |
− | Now your connection will be brought online and you can access Maker-exclusive network resources. (Your connection may be announced in IRC.)
| + | |
− | | + | |
− | == Script with Pass ==
| + | |
− | | + | |
− | If you want to automate some of the connection process without using NetworkManager, then you can try this.
| + | |
− | | + | |
− | Export the vpn cert to a CA file.
| + | |
− | | + | |
− | * Open [https://shop.makerslocal.org:876/ https://shop.makerslocal.org:876/] in a browser. Negate any security warnings (or don't, I'm a wiki not a cop).
| + | |
− | * Click on the lock symbol next to the address. Click "More Information". Click to view the certificate. Click the Details tab.
| + | |
− | * Export the certificate to a file. In our example we export to '256.makerslocal.org'
| + | |
− | | + | |
− | You should wind up with a file that looks like this:
| + | |
− | <pre>
| + | |
− | $ cat 256.makerslocal.org
| + | |
− | -----BEGIN CERTIFICATE-----
| + | |
− | MIIGLDCCBRSgAwIBAgIDEaNVMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
| + | |
− | [...]
| + | |
− | Wz74gerIhC9upZKjo9TnE9+1aJJ7WAzL4I2CJag69Jpnyo7VoOx2IHqAXPUWA6YQ
| + | |
− | -----END CERTIFICATE-----
| + | |
− | </pre>
| + | |
− | | + | |
− | Now we're ready to write a small bash script:
| + | |
− | <pre>
| + | |
− | #!/bin/bash
| + | |
− | | + | |
− | # Check to see if the device already exists
| + | |
− | ip addr | grep "vpn0"
| + | |
− | IPADDR=$?
| + | |
− | if [ !$IPADDR ]; then
| + | |
− | sudo ip tuntap add vpn0 mode tun user berocs # berocs is my system username
| + | |
− | fi
| + | |
− | | + | |
− | PSWD=$(pass makers/vpn) # Or hardcode it if your password manager isn't amazing.
| + | |
− | | + | |
− | echo -e "yes\n${PSWD}\n" | \ # Send "yes" and "$PSWD" to stdin
| + | |
− | openconnect -b --pid-file=/tmp/openconnect.pid -i vpn0 \
| + | |
− | -s 'sudo -E /etc/vpnc/vpnc-script' --cafile=256.makerslocal.org \
| + | |
− | -u ctag shop.makerslocal.org:876 # ctag is my VPN username
| + | |
− | </pre>
| + | |
− | | + | |
− | Note that the "yes\n" being echoed automatically to openconnect is to accept the vpn cert even though it's expired. If we ever renew the cert, this part of the script has to be changed.
| + | |
− | | + | |
− | Links:
| + | |
− | | + | |
− | * [https://www.passwordstore.org/ https://www.passwordstore.org/ -- The password manager used in this script.]
| + | |
− | * [http://www.infradead.org/openconnect/nonroot.html http://www.infradead.org/openconnect/nonroot.html -- Running openconnect as not root.]
| + | |
− | * [https://shop.makerslocal.org:876/ https://shop.makerslocal.org:876/ -- doh.]
| + | |
− | * [https://wiki.archlinux.org/index.php/OpenConnect https://wiki.archlinux.org/index.php/OpenConnect -- Good information on openconnect.]
| + | |
| | | |
| == Poor Man's VPN == | | == Poor Man's VPN == |
− | If you have a VPN account, but you can't run OpenConnect or AnyConnect at the moment, you can use ssh to log into the newvpn box:
| + | You can use ssh to log into the newvpn box: |
| | | |
| <code>ssh hfuller@shop.makerslocal.org</code> | | <code>ssh hfuller@shop.makerslocal.org</code> |
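Review bot: the new opening line says SSH "is the way to go" but does not say how a member obtains SSH access, while the removed Info, Acquiring access and Connecting sections were the only place the page explained how to get an account (request it in person from a named admin); the retained Poor Man's VPN section still assumes a login on shop.makerslocal.org, so the replacement line should state how that login is requested. Dropping the Script with Pass section is the right call rather than something to preserve: its device check `if [ !$IPADDR ]` is always true in bash (it tests the non-empty string `!0` or `!1`, not the negated exit status of grep), and piping `yes` into openconnect to accept an expired server certificate answers any verification failure, not only expiry, so the `--cafile` pin no longer protects the VPN password against a server presenting a different certificate.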
Latest revision as of 11:25, 24 October 2022
We no longer support a traditional VPN. SSH access for those that need it is the way to go.
Poor Man's VPN
You can use ssh to log into the newvpn box:
ssh hfuller@shop.makerslocal.org
From there, you could ssh to other resources at the shop, or do whatever else you can do from the command line.
You can also use ssh's -L option to forward ports on your local machine to ports on the Makers network, if that's your thing:
ssh -L 2222:cascade:22 tylercrumpton@shop.makerslocal.org
If I were Tyler, this example would expose port 22 on CasCADE as port 2222 on my local computer. See man ssh for more help with this.
Finally, mosh is also available. As you might guess, you can do this:
mosh hfuller@shop.makerslocal.org
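The two patterns above (log in to the jump box, then reach other shop hosts or forward a port through it) can be written once into ~/.ssh/config; this is an added example, not from the original wiki page. `yourname` is a placeholder for your account on shop.makerslocal.org, and `cascade` is the internal host the page already names.

```sshconfig
# ~/.ssh/config (added example; `yourname` is a placeholder)

# The only host reachable from outside: the "newvpn" box.
Host shop
    HostName shop.makerslocal.org
    User yourname
    # Bind the forwarded port to loopback only, so port 2222 is not
    # reachable from other machines on your local network.
    LocalForward 127.0.0.1:2222 cascade:22
    # Keep your agent on your own machine; the jump box does not need it.
    ForwardAgent no

# Reach an internal host through the jump box in one step instead of
# logging in there first and running a second ssh by hand. With
# ProxyJump the name "cascade" is resolved on the jump box side.
Host cascade
    HostName cascade
    User yourname
    ProxyJump shop
```

`ssh shop` then sets up the loopback forward described in the text, and `ssh cascade` lands on the internal host directly via the jump box.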