Differences between revisions 16 and 17
Revision 16 as of 2023-12-12 14:24:30
Size: 10619
Editor: bones
Comment:
Revision 17 as of 2023-12-12 14:25:26
Size: 9629
Editor: bones
Comment:
Deletions are marked like this. Additions are marked like this.
Line 7: Line 7:
Line 12: Line 11:

---- /!\ '''Edit conflict - other version:''' ----

= sshuttle =
While attempting to get an OpenVPN cert (and then trying to get IPsec to work), [SEB] found sshuttle, https://github.com/sshuttle/sshuttle, and while this may not work for *everything* you may need, it seems to be a hassle free way of accessing stuff so far. You will need: A linux machine, with ssh access to a UCC server using a pubkey, sudo access on said linux machine you are accessing the server *from*, and patience. This is only a solution for Linux (and possibly Mac?), although windows users can *probably* use IPSec. To use, install sshuttle, either from the [[https://github.com/sshuttle/sshuttle|github]], or check your package manager for it. Once installed, run `sshuttle -r [email protected] -x ssh.ucc.asn.au:22 0.0.0.0/0`. That's it! You *should* now have access! If not - enjoy debugging ;)



---- /!\ '''Edit conflict - your version:''' ----

---- /!\ '''End of edit conflict''' ----

Connecting to the UCC VPN allows you access to internal resources that are normally firewalled off.

There is one currently working (albeit outdated) VPN method - IPsec VPN (This should work fine for windows, although Linux users be warned, you may find this very painful to try and use). OpenVPN is currently, maybe (?) working for people with client configs already set up, although currently we cannot create new client configs. An alternative that [SEB] is currently using is sshuttle. The old PPTP VPN is deprecated.

The IPsec VPN is the easiest to use on Windows and is authenticated using your UCC username and password, however since [FVP] was not able to get it working by following the instructions below, he went and set up OpenVPN as well.

sshuttle

While attempting to get an OpenVPN cert (and then trying to get IPsec to work), [SEB] found sshuttle, https://github.com/sshuttle/sshuttle, and while this may not work for *everything* you may need, it seems to be a hassle free way of accessing stuff so far. You will need: A linux machine, with ssh access to a UCC server using a pubkey, sudo access on said linux machine you are accessing the server *from*, and patience. This is only a solution for Linux (and possibly Mac?), although windows users can *probably* use IPSec. To use, install sshuttle, either from the github, or check your package manager for it. Once installed, run sshuttle -r [email protected] -x ssh.ucc.asn.au:22 0.0.0.0/0. That's it! You *should* now have access! If not - enjoy debugging ;)

OpenVPN

To connect to the UCC OpenVPN server, you will need to ask a wheel member to generate a client configuration with valid certificates.

This can be done by running USER="<username>"; ssh root@murasoi "/etc/openvpn/server/uccvpn/client-gen-conf.sh $USER" > openvpn-config-$USER.conf.

The resulting config file contains all the necessary information to connect to the VPN. Note: client certificates and corresponding private keys are stored in the file. Keep it safe.

Installation

Windows

Download the OpenVPN "Community" installer from the https://openvpn.net/index.php/download/community-downloads.html.

You should be able to find OpenVPN GUI in the start menu somewhere. Run it.

Place any configuration files in C:\Program Files\OpenVPN\config\ or C:\Program Files (x86)\OpenVPN\config\. An submenu should appear in the context menu accessible via the OpenVPN GUI taskbar icon which lets you connect and disconnect from the VPN.

For more information, see the https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide.

Linux (most distros)

Install the package openvpn using your favourite package manager. If you want to use NetworkManager integration, install network-manager-openvpn as well.

Some examples:

Debian: apt-get install openvpn network-manager-openvpn

Arch: pacman -S openvpn networkmanager-openvpn

If you use NetworkManager, you can select the option to import saved VPN configurations when adding a connection in the "Network Connections" interface.

If you want to use systemctl, place the file in /etc/openvpn/client/ and run systemctl start openvpn-client@<config-file-name>.service to connect.

IPsec (strongswan)

Connecting to the VPN

Windows 7

Follow the directions from the strongSwan wiki

  • Use ipsec.ucc.asn.au as the Internet address

  • No need to set any advanced settings (if you do, you want IKEv2 and authentication via EAP-MSCHAPv2) .

Android

Option 1 - preferred:

  • Install the strongSwan VPN client.

  • Start the newly-installed application.
  • Add VPN Profile.
  • Profile name is "UCC".
  • Gateway is ipsec.ucc.asn.au.

  • Type is the default "IKEv2 EAP (Username/password)"
  • Username and password are your UCC credentials.
  • Leave "CA certificate: Select automatically" checked.
  • Save the profile.

When you connect you will get a big warning about using a third-party VPN application; this is expected.

Option 2 - less preferred as there is no mutual authentication (I think) - this means it is much more trivial to MITM the connection.

  • Create a new VPN connection (Settings - More - VPN)
  • Name is "UCC"
  • Type is "IPsec Hybrid RSA"
  • Server address is ipsec.ucc.asn.au

  • IPsec CA certificate - leave as "don't verify" (WTF Android, you have to manually install a CA and you can't use a system one, this is a total pain)
  • IPsec server certificate - leave as "received from server"
  • Save the profile
  • Connect using your UCC username and password.

iPhone / iPad

  • Technically could work with a deployed profile
  • Only problem is that the profile has to contain the user name, thapple.
  • If anyone really cares you can make a script that does it, ask zanchey@ for a sample
  • Might be better in OS 9

OS X

  • Works in Mac OS X System 10.11
  • Go into Sys Prefs -> Network

  • Click +, Interface: VPN, VPN Type: IKEv2, Service Name: UCC or whatever, Click Create
  • Server address: ipsec.ucc.asn.au, Remote ID: ipsec.ucc.asn.au, Local ID: your username or something personal
  • Click Apply.
  • Click Connect and it should work.

Linux

  • There is a strongSwan plugin for NetworkMangler. I haven't been able to get it to work.

Arch

Installation

To get strongSwan working on Arch with networkManager requires building strongSwan from source. The easiest way to do this is by installing the following AUR packages: strongswan, networkmanager-strongswan. For help with installing aur packages check the AUR instructions on the arch wiki.

When installing strongSwan you will need to make some changes to the PKGBUILD of strongswan package as networkManager support is not enabled by default. In the PKGBUILD you will find the "depends" and "makedepends" lined and add 'libnm-glib' to the end of both lines so that it looks like this:

depends=('curl' 'gmp' 'iproute2' 'openssl' 'sqlite' 'libcap' 'libsystemd' 'pam' 'libnm-glib')
makedepends=('curl' 'gmp' 'iproute2' 'openssl' 'sqlite' 'libcap' 'libsystemd' 'systemd' 'pam' 'libnm-glib')

You then need to edit the build() section of the PKGBUILD by appending the --enable-nm option so that the section looks like this:

 build() {
  cd "${srcdir}/${pkgname}-${pkgver}"

  ./configure --prefix=/usr \
        --sbindir=/usr/bin \
        --sysconfdir=/etc \
        --libexecdir=/usr/lib \
        --with-ipsecdir=/usr/lib/strongswan \
        --enable-sqlite \
        --enable-openssl --enable-curl \
        --enable-sql --enable-attr-sql \
        --enable-farp --enable-dhcp \
        --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym \
        --enable-eap-simaka-reauth --enable-eap-identity --enable-eap-md5 \
        --enable-eap-gtc --enable-eap-aka --enable-eap-aka-3gpp2 \
        --enable-eap-mschapv2 --enable-eap-radius --enable-xauth-eap \
        --enable-ha --enable-vici --enable-swanctl --enable-systemd --enable-ext-auth \
        --disable-mysql --disable-ldap --enable-cmd --enable-forecast --enable-connmark \
        --enable-aesni --enable-eap-ttls --enable-radattr --enable-xauth-pam --enable-xauth-noauth \
        --enable-eap-dynamic --enable-eap-peap --enable-eap-tls --enable-chapoly --enable-unity \
        --with-capabilities=libcap --enable-newhope --enable-ntru --enable-mgf1 --enable-sha3 \
        --enable-bliss \
        --enable-nm  # <-- this line added to enable networkManager support
#       --enable-ruby-gems --enable-python-eggs
  make
}

At this point you should be able to continue installing the package as per usual and then install networkmanager-strongswan.

Configuration

  • Use networkManager to create a new "IPsec/IKEv2 (strongswan)" connection
  • Authentication is "EAP"
  • Gateway address is ipsec.ucc.asn.au

  • Certificate - Select "COMODO_RSA_Certification_Authority.pem" (navigate to /etc/ssl/certs)
  • Username and password are your UCC username and password
  • Select the "request an inner IP address" option
  • Save the profile
  • connect to the profile using networkManager

Technical bits

IKE/IPsec setup is done by strongSwan on Murasoi. There are similar setups for IKEv1 (Android, iOS) and IKEv2 (Windows). Most of the difficulty is in getting the certificates right, see http://serverfault.com/questions/536092/strongswan-ikev2-windows-7-agile-vpn-what-is-causing-error-13801

The XAuth/EAP authentication (IKEv1 and v2 respectively) is passed to the RADIUS server, which also handles accounting. select username, sum(acctinputoctets), sum(acctoutputoctets) from radacct where nasporttype='Virtual' group by username; will give you a nice sum of traffic over the VPN.

SSL certificates are from Let's Encrypt and automatically updated by certbot. A catch when setting this up is that the chain.pem file must be present (symlinked) in /etc/ipsec.d/cacerts for strongswan to send the full chain to the clients.

Clients get a IPv4 and IPv6 address from the ranges in Network.