I just got VPN access set up with Macquarie, my new institution, and I thought I'd make a quick post on how to get this set up under Linux and why it can be nice. At both Macquarie and Edinburgh, I had a desktop machine that was more powerful than my laptop, but it was not publicly accessible. One solution is just to only use it when I'm actually in the building at the desk, but then I don't get to feel like a ninja. (well, and I also can't use the machine if I'm not at my desk for whatever reason).
The cooler solution is to use various networking systems to get access when not actually in the office. At Edinburgh, I used a combination of a Virtual Private Network (VPN) and the Andrew File System (AFS). Specifically, with openafs (available in the Arch User Repository), I was able to mount my network share by starting the openafs-client service, authenticating with Kerberos using kinit, and passing the Kerberos ticket to openafs with aklog (I've attached my Kerberos configuration file krb5.conf to this post). I was also able to ssh into Informatics servers without a password by using ssh -K, which authenticates with the Kerberos ticket over GSSAPI (note that -K also delegates your ticket to the server, so only use it with servers you trust). So that let me access my files on the network transparently, and sign into my desktop by first signing into the Informatics server and then signing into my desktop machine from there.
Next, I set up openvpn to sign in to my desktop directly without first ssh'ing into the Informatics ssh server. I've attached my configuration file to this post, named "Informatics-via-Forum.conf", along with the CA certificate file "EdUniRootCA.crt" and the tls-auth key file tls.auth. There is another file pass.txt that should have your username on the first line and password on the second line (Kerberos authentication doesn't seem to work with openvpn); keep that file readable only by you, since it holds your password in the clear. With this set up, I could ssh into my desktop machine by just typing ssh <desktop_IP> directly.
It's also worth noting that Kerberos authentication is safe to use even over a connection you don't trust: your password itself is never sent over the network (only the ticket exchange is), and the ssh session it authenticates is encrypted end to end. When I've visited China and wanted to access the internet securely or bypass the firewall, I'd authenticate with Kerberos, and then set up a SOCKS5 proxy using
ssh -C2qTnN -D 8080 -K <studentid>@student.ssh.inf.ed.ac.uk
(I aliased this command to infproxy in my .bashrc). The flags mean: compress the connection (-C), force protocol version 2 (-2), be quiet (-q), don't allocate a terminal or run a remote command (-T, -N), redirect stdin from /dev/null (-n), open a dynamic SOCKS listener on local port 8080 (-D), and authenticate with the Kerberos ticket (-K). By default ssh binds the -D listener to localhost only, so nobody else on the network can use your proxy; leave it that way rather than binding it to a wildcard address.
While this command is running, I can start up chromium to tunnel everything through the proxy with chromium --proxy-server="socks5://localhost:8080", use FoxyProxy to be fine-grained about what gets tunneled with Firefox, and use proxychains to tunnel arbitrary command line programs through the proxy. (Use this proxy sparingly though, so you don't overload your ssh server!)
Macquarie doesn't seem to have AFS set up, but there is a VPN called OneNet Anywhere. This VPN doesn't use the open source openvpn but Microsoft's PPTP protocol. (Be aware that PPTP with MS-CHAPv2 authentication is considered broken: a captured handshake can be cracked to recover the session key, so don't rely on the tunnel itself for confidentiality; the ssh session you run inside it is what actually protects your traffic.) To set it up, I installed the open-source client pptp, which is available in Arch's core repository, and configured it with the attached options.pptp, Macquarie_OneNet_Anywhere, and chap-secrets files. You should modify Macquarie_OneNet_Anywhere and chap-secrets to contain your MQ id and password, and make chap-secrets readable only by root, since it stores the password in the clear.
Once it's configured, you can start it up with (the initial "#" means run with root permissions):
# pon Macquarie_OneNet_Anywhere
and turn it off with
# poff Macquarie_OneNet_Anywhere
This opens the connection, but you still have to specify what goes through the VPN and what goes through your normal connection. I really only want to access my workstation, so currently I modify my routing table to use the VPN only for packets destined for my workstation's IP address:
# ip route add <workstation_IP> dev ppp0
This uses iproute2 to add a host route (a single-address /32 route) that sends packets out of the ppp0 interface, which is the VPN's interface, if their final destination is my workstation's IP. Everything else, including the default route, stays on the normal interface, which is the point of a split tunnel: the VPN only ever sees traffic for the workstation, and the rest of your traffic is neither slowed down by nor exposed to it. (If you ever do want everything through the VPN, you would replace the default route instead; check the table afterwards either way, because a badly behaved pppd setup can install a default route for you.)
Finally, you can verify with system monitoring programs like gkrellm or conky that packets are being routed as intended. In this screenshot from my laptop, you can see towards the bottom of gkrellm that ppp0, the VPN interface, has a small spike every minute or so because I've ssh'd in but haven't been doing anything, but there's a lot more activity along the wlan0 interface, my usual wireless interface.
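As an added example (not from the original post), here is a small POSIX shell script that wraps the pon / ip route / poff steps above and then checks the routing table itself, so you can confirm from the table rather than from gkrellm that only the workstation's host route uses ppp0 and that the default route has not moved onto the VPN. The peer name Macquarie_OneNet_Anywhere and the interface ppp0 are taken from the post; poff is the standard counterpart of pon shipped with ppp; the WORKSTATION_IP default and the sample routing-table lines in the comments are placeholders I made up.

```shell
#!/bin/sh
# Added example, not part of the original post. Brings the PPTP link up, routes
# only the workstation through it, and verifies the split tunnel from `ip route`.
# Assumptions (not in the post): interface name ppp0 and the WORKSTATION_IP
# placeholder below; set WORKSTATION_IP in your environment to override it.
set -eu

PEER="Macquarie_OneNet_Anywhere"
VPN_IF="ppp0"
WORKSTATION_IP="${WORKSTATION_IP:-10.0.0.5}"   # placeholder address, constructed

# check_split_tunnel TARGET_IP VPN_IF ROUTING_TABLE_TEXT
# Returns 0 when the table (the output of `ip route show`) has a host route for
# TARGET_IP via VPN_IF and the default route does NOT use VPN_IF; otherwise
# prints the reason on stderr and returns 1.
# Constructed sample of a good table:
#   default via 192.168.1.1 dev wlan0 proto dhcp metric 600
#   10.0.0.5 dev ppp0 scope link
check_split_tunnel() {
    target="$1"; vpn_if="$2"; table="$3"
    # escape the dots in the address so they are literal in the regex
    esc=$(printf '%s' "$target" | sed 's/\./\\./g')
    if ! printf '%s\n' "$table" | grep -Eq "^${esc}(/32)? dev ${vpn_if}( |$)"; then
        echo "missing host route for ${target} via ${vpn_if}" >&2
        return 1
    fi
    # a default route on the VPN interface would tunnel everything, not just the workstation
    if printf '%s\n' "$table" | grep -Eq "^default .*dev ${vpn_if}( |$)"; then
        echo "default route leaks through ${vpn_if}" >&2
        return 1
    fi
    return 0
}

# Run as root: dial the VPN, wait for the ppp interface, add the host route, verify.
vpn_up() {
    pon "$PEER"
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        ip link show "$VPN_IF" >/dev/null 2>&1 && break
        sleep 1
    done
    ip route add "$WORKSTATION_IP" dev "$VPN_IF"
    check_split_tunnel "$WORKSTATION_IP" "$VPN_IF" "$(ip route show)" \
        && echo "split tunnel OK: only ${WORKSTATION_IP} goes via ${VPN_IF}"
}

# Run as root: remove the host route (ignore if already gone) and hang up.
vpn_down() {
    ip route del "$WORKSTATION_IP" dev "$VPN_IF" 2>/dev/null || true
    poff "$PEER"
}

case "${1:-}" in
    up)    vpn_up ;;
    down)  vpn_down ;;
    check) check_split_tunnel "$WORKSTATION_IP" "$VPN_IF" "$(ip route show)" \
               && echo "split tunnel OK" ;;
esac
```

Use it as `# WORKSTATION_IP=<workstation_IP> ./vpn.sh up` and `# ./vpn.sh down`; `./vpn.sh check` can be run at any time to re-verify the table. The check is deliberately strict about the default route because that is the failure mode that matters: if pppd (or a later reconfiguration) installs a default route on ppp0, all of your traffic silently starts going through the VPN.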
And now you too can slip in and out of your office invisibly!