TalTech VPN: Difference between revisions
Latest revision as of 10:19, 6 February 2024
Uni-ID
Uni-ID is required to use TalTech VPN.
eduVPN
NB!
- As of June 30, 2024, eduVPN will be closed and replaced with FortiClient VPN
- Since July 2021 the old OpenVPN service, used for the library, has been replaced by eduVPN.
More information:
- eduVPN portal in TalTech - OpenVPN settings generation and download
- how to configure (EST, ENG)
- about eduVPN
Usually the generated OpenVPN settings are enough. A separate eduvpn-client can also be used:
- Ubuntu and Debian client installation, configuration (also Fedora, CentOS and manual installation via pip available)
sudo apt install apt-transport-https curl
curl -L https://app.eduvpn.org/linux/deb/eduvpn.key | sudo apt-key add -
echo "deb https://app.eduvpn.org/linux/deb/ stable main" | sudo tee -a /etc/apt/sources.list.d/eduvpn.list
sudo apt update
sudo apt install eduvpn-client
sudo ldconfig && sudo dpkg --configure -a && sudo apt-get clean
For OpenVPN installation, please see here
For smart devices, eduVPN clients are available (Android | iOS) that connect via TAAT authentication.
Forticlient VPN
Packages
- clean client https://www.forticlient.com/downloads
- for MS Windows, TalTech preconfigured software available here, there are also other packages and links for other operating systems
- Debian packages
- FortiClient (deprecated -> use OpenFortiGUI)
- OpenFortiGUI - recommended
- repository https://apt.iteas.at (older: https://styrion.at/apt/)
- https://hadler.me/linux/openfortigui/
Usage
NB! About connecting using OpenFortiGUI:
- please enable the SUDO -E parameter in the OpenFortiGUI settings (File→Settings). It might be necessary (though not usually) to disable it temporarily for certificate retrieval the first time.
- it might also be necessary to turn off the Set DNS parameter (see this report). Choose Edit connection and, under the Options tab, uncheck Options > Advanced > Set DNS so that openfortivpn does not handle DNS or overwrite /etc/resolv.conf. Otherwise Internet connectivity is lost after disconnecting, with the error message Temporary failure in name resolution.
If needed, also uncheck Options > PPPD > PPPD no peerdns so that pppd does handle DNS - and hopefully does the right thing.
- on first connection attempt, the certificate must be accepted
- the next connection attempt can then actually connect via VPN
- at file /etc/sudoers.d/openfortigui there is a line (will be created automatically during OpenFortiGUI setup):
%sudo ALL=NOPASSWD:SETENV: /usr/bin/openfortigui --start-vpn *
This means that all users in the group sudo can run this command with superuser rights without a password; the SETENV tag is what permits the SUDO -E setting above to keep the user's environment. The app itself is still started normally (as a user in the group sudo), without typing an actual sudo command.
- If the log shows the error Peer refused to agree to his IP address, enable ipcp-accept-remote (or possibly ipcp-accept-local; choose one at a time) in /etc/ppp/options. This takes effect immediately on the next connection; no services need to be restarted. More details at this issue
Connecting
- SSL-VPN
- Connection name - cannot be empty, use whatever you want to name the connection
- Description - can be empty, use whatever you want to describe the connection
- Remote gateway (VPN-server): vpn.taltech.ee
- Customize port: 443
- Authentication: Save login
- use your Uni-ID credentials to login (NB! without @taltech.ee)
- accept offered certificate
- Web: https://vpn.taltech.ee:443/
... in IT College:
- use your Uni-ID credentials to login (NB! without @taltech.ee)
- Web: https://portal.itcollege.ee:10443/
- Remote gateway (VPN-server): portal.itcollege.ee
- Customize port: 10443
Then you can use remote access:
- Mesh Central to switch operating systems remotely
- RDP for remote usage <-- suggested, as nothing is then visible on the screen
In IT College there is also the option of an SSH tunnel through the http://enos.itcollege.ee/ server using your Uni-ID credentials. For convenient usage, Sshuttle (article in Estonian) is available. This SSH tunnel is also available to students. MS Windows users can use PuTTY, and macOS users can use an SSH tunnel as well.
OpenVPN
NB! Since July 2021 OpenVPN has been replaced by eduVPN, which in turn will be replaced by Forticlient VPN as of June 30, 2024.
Allows access to the TTU library from outside the university. Additionally, you get a secure VPN connection. A Uni-ID account is required.
Client software
- for MS Windows and macOS clients, please log in at https://toru.ttu.ee/ and download the university-customized version directly from there
- GNU/Linux https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-linux/
- Android https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-android/
- iOS https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-apple-ios/
Installation in Debian/Ubuntu
- open the terminal, e.g. CTRL+ALT+T and copy-paste the following line and press Enter
copy-paste in terminal: SHIFT+CTRL+C, SHIFT+CTRL+V
sudo apt-get update && sudo apt-get install openvpn
sudo ldconfig && sudo dpkg --configure -a && sudo apt-get clean
You may also want to look for the openvpn-blacklist package, but it might be deprecated and no longer available.
- for GUI Network Manager:
sudo apt-get update && sudo apt-get install network-manager-openvpn-gnome
sudo ldconfig && sudo dpkg --configure -a && sudo apt-get clean
You may also want to look for the package openvpn-systemd-resolved and install it to integrate OpenVPN with systemd. [1]
Configuration
- download the preconfigured client.ovpn from https://toru.ttu.ee/
- use your Uni-ID credentials to login and also later to authenticate in OpenVPN
- for GNU/Linux in file client.ovpn after setenv PUSH_PEER_INFO please add the following lines and then save the file:
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
Connecting in Debian/Ubuntu
- use your Uni-ID credentials
- open the terminal, e.g. using CTRL+ALT+T
- navigate to folder where the client.ovpn is saved or provide the full path
- sudo openvpn --config client.ovpn or, more conveniently, use the alias created below
It is usually possible to import *.ovpn files into the graphical network manager[2]. In Ubuntu 16.04 LTS the current file cannot be imported, but in Ubuntu 18.04 LTS it can.
Convenient login in GNU/Linux
- open the terminal, e.g. using CTRL+ALT+T
- create an alias:
- nano ~/.bash_aliases #open CLI text editor
- alias vpn-ttu='sudo openvpn --config /path/client.ovpn' #add appropriate alias and path to client.ovpn, then save the file
- source ~/.bash_aliases (or reopen terminal or relogin)
- add permissions to run OpenVPN without entering a password
- sudo nano /etc/sudoers.d/permissions #the file name permissions can be replaced with any other name you like
- username ALL=(ALL) NOPASSWD: /usr/sbin/openvpn #replace username with your real one and then save the file
- type your new alias vpn-ttu in terminal to start a VPN session
in nano text editor
- save the file:
- CTRL+O and Enter if you agree with the proposed file name (or enter a new one if needed)
- or F3
- quit the file:
- CTRL+X
- or F2
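The two passwordless sudoers rules on this page (the OpenFortiGUI one and the openvpn one) differ in how much they hand to the user: a command listed without arguments can be run as root with any options, and a trailing wildcard or the SETENV tag widens a rule further. The following check is an added example, not part of the original wiki page; the function names and the pinned config path /etc/openvpn/client/ttu.ovpn are assumptions made for illustration.

```shell
# Added example (not from the wiki page). Reads sudoers-style lines on stdin
# and prints "<verdict>|<command spec>" for every NOPASSWD rule.
audit_vpn_sudoers() {
    while IFS= read -r line; do
        case $line in
            '#'*) continue ;;                 # comment
            *NOPASSWD*) ;;                    # rule of interest
            *) continue ;;                    # blank or password-protected rule
        esac
        cmd=${line##*: }                      # text after the last "TAG: "
        findings=
        # A command listed without arguments may be run with ANY arguments.
        case $cmd in *' '*) ;; *) findings="$findings any-args" ;; esac
        # A wildcard in the argument list matches arbitrary extra options.
        case $cmd in *'*'*) findings="$findings wildcard" ;; esac
        # SETENV lets "sudo -E" carry the caller's environment into the root process.
        case $line in *SETENV*) findings="$findings setenv" ;; esac
        if [ -n "$findings" ]; then
            printf 'WEAK(%s)|%s\n' "${findings# }" "$cmd"
        else
            printf 'OK|%s\n' "$cmd"
        fi
    done
}

# Constructed sample: the two rules shown on this page plus a pinned variant.
# The /etc/openvpn/client/ttu.ovpn path is an assumption.
sample_rules() {
    cat <<'EOF'
%sudo ALL=NOPASSWD:SETENV: /usr/bin/openfortigui --start-vpn *
username ALL=(ALL) NOPASSWD: /usr/sbin/openvpn
username ALL=(root) NOPASSWD: /usr/sbin/openvpn --config /etc/openvpn/client/ttu.ovpn
EOF
}

sample_rules | audit_vpn_sudoers
```

Pinning the arguments only helps if the pinned .ovpn file and any up/down scripts it names are owned by root and not writable by the user who is granted the rule.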
More information about...
- sudoers at https://help.ubuntu.com/community/Sudoers
- alias
Benefits of TalTech VPN
- you have a secure tunnel over insecure network, e.g. public WiFi, mobile internet or similar
- OpenVPN can be used for TalTech library and its paid databases outside TalTech:
TalTech helpdesk
- in case of questions, issues - please contact TalTech helpdesk
- https://confluence.ttu.ee/it-info/
- https://it.taltech.ee/ (choose website language if needed)
- self-service: http://helpdesk.taltech.ee/ (to visit self-service you must own Uni-ID account)