Configure CERN VPN on CentOS7

Dear all,

does anyone have an example or tutorial on how to configure a VPN connection on CentOS7?
I am trying to set up a VPN on my machine to work remotely with CERN-licensed software, as described in this TWiki: https://twiki.cern.ch/twiki/bin/viewauth/CS/Public/ItcsVpnHowTo

I can open the connection with the CERN VPN (“ip a show” reports a “tun0” as long as openvpn is running), but honestly I don’t know how to configure this under the network settings.

Thanks in advance!

Cheers,
Luca

Hi,
I myself use sshuttle from my Linux laptop at home. Just run something like:

% sudo sshuttle --dns --python=python -vNHr lcadamur@lxplus.cern.ch -x lxplus.cern.ch 0/0 -vv

…and then you can access anything as if you were at CERN’s intranet.

More info at:
https://github.com/sshuttle/sshuttle

Cheers,
manuel

Hi Manuel, thank you for the advice!

I managed to install sshuttle, but I cannot make it work at the moment: the program continuously prompts messages related to the connections, but I don’t see my public IP changing.
I’ll try to read the documentation and check if there is any option that I need to modify from the example.
Meanwhile, just to confirm, is this connection equivalent to using a “standard” ssh tunnel as a proxy for network connections?

Cheers,
Luca

Hi again,
it looks like I can have sshuttle working if I remove the -NH option and just use:

sudo sshuttle --dns --python=python -r lcadamur@lxplus.cern.ch 0/0

Can you maybe comment on the need for those two extra flags in your experience?
I see that they are related to remote hostnames scans, but I don’t know if/how this can impact the connection to CERN’s network.

Cheers,
Luca

For me it works as well without the -NH option. The man page reads:
-N, --auto-nets
In addition to the subnets provided on the command line, ask the
server which subnets it thinks we should route, and route those
automatically. The suggestions are taken automatically from the
server’s routing table.

and:
-H, --auto-hosts
Scan for remote hostnames and update the local /etc/hosts file with matching entries for as long as the VPN is open. This is nicer than changing your system’s DNS (/etc/resolv.conf) settings, for several reasons. First, hostnames are added without domain names attached, so you can ssh thatserver without worrying if your local domain matches the remote one. Second, if you sshuttle into more than one VPN at a time, it’s impossible to use more than one DNS server at once anyway, but sshuttle correctly merges /etc/hosts entries between all running copies. Third, if you’re only routing a few subnets over the VPN, you probably would prefer to keep using your local DNS server for everything else.

Cheers,
manuel
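The --auto-hosts description above says a tool like sshuttle must add /etc/hosts entries only while the tunnel is open, merge entries between several running copies, and never clobber what the machine already had. The following is an added example written for this thread, not sshuttle's own code: it works on an in-memory hosts text so it runs offline, the "# managed-by-tunnel" marker and the sample hosts content are constructed assumptions, and it shows the properties a defender should check for in any tool that edits /etc/hosts: hand-written lines are never shadowed, the first tunnel's mapping for a name wins on conflict, and closing one tunnel removes only that tunnel's entries.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample /etc/hosts content (not taken from any real machine).
SAMPLE_HOSTS = """127.0.0.1   localhost
::1         localhost ip6-localhost
192.0.2.10  buildbox   # local entry, must never be touched
"""

# Hypothetical marker; sshuttle uses its own tagging scheme.
MARKER = "# managed-by-tunnel"


def _split(hosts_text: str) -> Tuple[List[str], Dict[str, Tuple[str, str]]]:
    """Split hosts text into (untouched lines, managed entries).

    Managed entries map hostname -> (ip, instance) and are recognised only
    by the trailing marker, so hand-written lines are never reinterpreted."""
    untouched: List[str] = []
    managed: Dict[str, Tuple[str, str]] = {}
    pattern = r"^(\S+)\s+(\S+)\s+%s:(\S+)\s*$" % re.escape(MARKER)
    for line in hosts_text.splitlines():
        m = re.match(pattern, line)
        if m:
            ip, name, instance = m.groups()
            managed[name] = (ip, instance)
        else:
            untouched.append(line)
    return untouched, managed


def _system_names(untouched: List[str]) -> set:
    """Hostnames defined by hand in the file (comments stripped)."""
    names = set()
    for line in untouched:
        body = line.split("#", 1)[0].split()
        if len(body) >= 2:
            names.update(body[1:])
    return names


def _render(untouched: List[str], managed: Dict[str, Tuple[str, str]]) -> str:
    """Untouched lines first, then our tagged entries in a stable order."""
    lines = list(untouched)
    for name, (ip, instance) in sorted(managed.items()):
        lines.append(f"{ip}\t{name}\t{MARKER}:{instance}")
    return "\n".join(lines) + "\n"


def add_entries(hosts_text: str, entries: Dict[str, str],
                instance: str) -> Tuple[str, List[str]]:
    """Merge discovered name -> ip entries for one tunnel instance.

    Rules: never shadow a name the file defines by hand; an earlier
    instance's mapping for the same name wins, so two concurrent tunnels
    merge instead of fighting. Returns (new text, names that were skipped)."""
    untouched, managed = _split(hosts_text)
    protected = _system_names(untouched)
    skipped: List[str] = []
    for name, ip in entries.items():
        if name in protected or (name in managed and managed[name][0] != ip):
            skipped.append(name)
            continue
        managed.setdefault(name, (ip, instance))
    return _render(untouched, managed), skipped


def remove_instance(hosts_text: str, instance: str) -> str:
    """Drop only the entries this instance added (its tunnel closed)."""
    untouched, managed = _split(hosts_text)
    managed = {n: v for n, v in managed.items() if v[1] != instance}
    return _render(untouched, managed)


def managed_names(hosts_text: str) -> Dict[str, str]:
    """Hostname -> ip for every tagged entry; handy for auditing the file."""
    return {n: ip for n, (ip, _) in _split(hosts_text)[1].items()}


if __name__ == "__main__":
    text, skipped = add_entries(SAMPLE_HOSTS,
                                {"lxplus": "198.51.100.5"}, "tunA")
    print(text)
    print(remove_instance(text, "tunA") == SAMPLE_HOSTS)
```

Running it against the real file would mean reading /etc/hosts, passing the text through add_entries when the tunnel comes up and through remove_instance when it goes down, and diffing the result against the original afterwards; the skipped list is what you would want logged, since it tells you which remote names were silently unreachable by short name because a local entry already claimed them.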