Difference between revisions of "TalTech VPN"

From ICO wiki
m (eduVPN)
m
 
(25 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
=Uni-ID=
 
=Uni-ID=
* EST https://confluence.ttu.ee/it-info/varia/uni-id-ehk-digitaalne-identiteet
+
[https://confluence.ttu.ee/it-info/it-arvuti-ja-oppetoeoekoht/kasutajakonto-ja-ligipaeaes/uni-id-ehk-digitaalne-identiteet guidance EST / ENG]
* EST https://wiki.ttu.ee/et/juhendid/it/doc/uni-id
 
* ENG https://wiki.ttu.ee/en/manuals/it/doc/uni-id
 
  
Uni-ID is required to use TTU VPN.
+
Uni-ID is required to use TalTech VPN.
  
 
=eduVPN=
 
=eduVPN=
'''NB! Since July 2021 will replace old [[#OpenVPN|OpenVPN]] service for library.'''
+
'''NB! Since July 2021 has been old [[#OpenVPN|OpenVPN]] service replaced by eduVPN, used for library.'''
  
 
More information:
 
More information:
Line 14: Line 12:
 
* [https://www.eduvpn.org/ about eduVPN]
 
* [https://www.eduvpn.org/ about eduVPN]
  
Usually generated OpenVPN settings are enough. Still there is a separate client possible to use:
+
Usually generated OpenVPN settings are enough. Still there is a separate ''eduvpn-client'' possible to use:
 
* [https://python-eduvpn-client.readthedocs.io/en/master/installation.html#debian-and-ubuntu Ubuntu and Debian client installation, configuration] (also Fedora, CentOS and manual installation via [https://en.wikipedia.org/wiki/Pip_(package_manager) pip] available)
 
* [https://python-eduvpn-client.readthedocs.io/en/master/installation.html#debian-and-ubuntu Ubuntu and Debian client installation, configuration] (also Fedora, CentOS and manual installation via [https://en.wikipedia.org/wiki/Pip_(package_manager) pip] available)
 
  sudo apt install apt-transport-https curl
 
  sudo apt install apt-transport-https curl
Line 24: Line 22:
  
 
For OpenVPN installation, [[#Installation_in_Debian.2FUbuntu|please see here]]
 
For OpenVPN installation, [[#Installation_in_Debian.2FUbuntu|please see here]]
 +
 +
For smart devices, there are an eduVPN clients available:  [https://play.google.com/store/apps/details?id=nl.eduvpn.app Android] | [https://apps.apple.com/us/app/eduvpn-client/id1292557340 iOS], that makes connection via TAAT authentication.
  
 
=Forticlient VPN=
 
=Forticlient VPN=
 
'''FortiClient VPN is for employees only.''' Does not allow to access the TTU library outside university. You will get only a secure VPN connection.
 
'''FortiClient VPN is for employees only.''' Does not allow to access the TTU library outside university. You will get only a secure VPN connection.
  
* EST https://confluence.ttu.ee/it-info/kauguehendus-vpn/kauguehendus-forticlient-vpn
+
* [https://confluence.ttu.ee/it-info/it-arvuti-ja-oppetoeoekoht/kauguehendus-vpn/kauguehendus-forticlient-vpn FortiClient guidance]
* EST https://wiki.ttu.ee/et/juhendid/it/doc/vpn
 
* ENG https://wiki.ttu.ee/en/manuals/it/doc/vpn
 
  
 
==Packages==
 
==Packages==
 
* clean client https://www.forticlient.com/downloads
 
* clean client https://www.forticlient.com/downloads
* for MS Windows, TTU preconfigured http://www.ttu.ee/FortiClient.exe
+
* for MS Windows, TalTech preconfigured [https://confluence.ttu.ee/it-info/it-arvuti-ja-oppetoeoekoht/kauguehendus-vpn/kauguehendus-forticlient-vpn available here]
 
* for MS Windows, [https://portal.itcollege.ee:10443/SslvpnClient.exe IT College client] (requires login beforehand, usually older version than original one from Fortinet)
 
* for MS Windows, [https://portal.itcollege.ee:10443/SslvpnClient.exe IT College client] (requires login beforehand, usually older version than original one from Fortinet)
 
* [https://forticlient.com/downloads original FortiClient software packages (MS Windows, macOS, GNU/Linux, Android, iOS, Windows Phone, Chromebook)]
 
* [https://forticlient.com/downloads original FortiClient software packages (MS Windows, macOS, GNU/Linux, Android, iOS, Windows Phone, Chromebook)]
Line 43: Line 41:
 
*** https://hadler.me/linux/openfortigui/
 
*** https://hadler.me/linux/openfortigui/
  
 
+
==Usage==
 
'''NB! About connecting using OpenFortiGUI''':
 
'''NB! About connecting using OpenFortiGUI''':
* please use SUDO -E parameter in OpenfortiGUI settings! (File→Settings)
+
* please use SUDO -E parameter in OpenfortiGUI settings! (File→Settings). Might be necessary (not usually) to disable temporarily for certificate retrieval in first time.
 +
* also it might be necessary to turn off the ''Set DNS'' parameter (see [https://github.com/theinvisible/openfortigui/issues/41 this report]). Uncheck '''Options > Advanced > Set DNS''' so that openfortivpn does not handle DNS or overwrite ''/etc/resolv.conf''. Otherwise after disconnecting is Internet connectivity lost with error message ''Temporary failure in name resolution''.
 +
Also whenever needed, uncheck '''Options > PPPD > PPPD no peerdns''' so that pppd does handle DNS - and hopefully does the right thing.
 
* on first connection attempt, the certificate must be accepted
 
* on first connection attempt, the certificate must be accepted
 
* next connection attempt can be actually connect via VPN
 
* next connection attempt can be actually connect via VPN
 +
* at file ''/etc/sudoers.d/openfortigui'' there is a line:
 +
  %sudo  ALL=NOPASSWD:SETENV: /usr/bin/openfortigui --start-vpn *
 +
This means, that all users in group sudo can use it without password with superuser rights. Although running the app is regular (as user in group sudo) without actual sudo command.
  
 
==Connecting==
 
==Connecting==
* use your Uni-ID credentials to login (without ''@ttu.ee'')
+
* use your Uni-ID credentials to login ('''NB! without ''@ttu.ee''''')
 
* Web: https://vpn.ttu.ee:443/
 
* Web: https://vpn.ttu.ee:443/
 
* server: '''vpn.ttu.ee'''
 
* server: '''vpn.ttu.ee'''
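Review bot: The explanation added under the sudoers line in the Usage list covers only the NOPASSWD part; the SETENV tag and the trailing * in "/usr/bin/openfortigui --start-vpn *" are left unexplained. SETENV is what allows the caller's environment to be passed through (the SUDO -E setting from the first bullet), and the * accepts any arguments after --start-vpn, so the sentence should say that every member of group sudo can run this command as root, with arbitrary arguments and environment, without a password. Separately, the added "Also whenever needed, uncheck ..." paragraph has no list marker and splits the bullet list in two; making it part of the Set DNS bullet would keep the list intact.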
Line 56: Line 59:
  
 
'''... in IT College:'''
 
'''... in IT College:'''
* use your Uni-ID credentials to login (without ''@ttu.ee'')
+
* use your Uni-ID credentials to login ('''NB! without ''@ttu.ee''''')
 
* Web: https://portal.itcollege.ee:10443/
 
* Web: https://portal.itcollege.ee:10443/
 
* server: '''portal.itcollege.ee'''
 
* server: '''portal.itcollege.ee'''
Line 64: Line 67:
  
 
=OpenVPN=
 
=OpenVPN=
'''NB! Since July 2021 will be replaced by [[#eduVPN|eduVPN]].'''
+
'''NB! Since July 2021 has been replaced by [[#eduVPN|eduVPN]].'''
  
 
Allows to access the TTU library outside university. Additionally you will get a secure VPN connection. [[#Uni-ID|Uni-ID account]] is required.
 
Allows to access the TTU library outside university. Additionally you will get a secure VPN connection. [[#Uni-ID|Uni-ID account]] is required.
  
* EST https://confluence.ttu.ee/it-info/kauguehendus-vpn/kauguehendus-toru
+
* [https://confluence.ttu.ee/it-info/it-arvuti-ja-oppetoeoekoht/kauguehendus-vpn/kauguehendus-toru guidance for old TORU]
* EST https://wiki.ttu.ee/et/juhendid/it/doc/lib_toru
 
* ENG https://wiki.ttu.ee/en/manuals/it/doc/lib_toru
 
  
 
==Client software==
 
==Client software==
Line 152: Line 153:
  
 
[[Category:TalTech]]
 
[[Category:TalTech]]
 +
[[Category:Vaba_Tarkvara_Teadmuskeskus]]

Latest revision as of 15:52, 25 November 2021

Uni-ID

guidance EST / ENG

Uni-ID is required to use TalTech VPN.

eduVPN

NB! Since July 2021 the old OpenVPN service, used for library access, has been replaced by eduVPN.

More information:

Usually the generated OpenVPN settings are enough. A separate eduvpn-client is also available:

sudo apt install apt-transport-https curl
curl -L https://app.eduvpn.org/linux/deb/eduvpn.key | sudo apt-key add -
echo "deb https://app.eduvpn.org/linux/deb/ stable main" | sudo tee -a /etc/apt/sources.list.d/eduvpn.list
sudo apt update
sudo apt install eduvpn-client
sudo ldconfig && sudo dpkg --configure -a && sudo apt-get clean

For OpenVPN installation, see Installation in Debian/Ubuntu below.

For smart devices, eduVPN clients are available (Android | iOS); they connect via TAAT authentication.

Forticlient VPN

FortiClient VPN is for employees only. It does not give access to the TTU library from outside the university; it provides only a secure VPN connection.

Packages

Usage

NB! About connecting using OpenFortiGUI:

  • please use the SUDO -E parameter in the OpenFortiGUI settings (File→Settings). Occasionally (not usually) it may be necessary to disable it temporarily for the first-time certificate retrieval.
  • it might also be necessary to turn off the Set DNS parameter (see this report). Uncheck Options > Advanced > Set DNS so that openfortivpn does not handle DNS or overwrite /etc/resolv.conf. Otherwise Internet connectivity is lost after disconnecting, with the error message Temporary failure in name resolution.

If needed, also uncheck Options > PPPD > PPPD no peerdns so that pppd handles DNS - and hopefully does the right thing.

  • on the first connection attempt, the certificate must be accepted
  • the next connection attempt can then actually connect via VPN
  • at file /etc/sudoers.d/openfortigui there is a line:
 %sudo  ALL=NOPASSWD:SETENV: /usr/bin/openfortigui --start-vpn *

This means that all users in the sudo group can run it with superuser rights without a password, although the app itself is started normally (as a user in the sudo group), without an explicit sudo command.

Connecting

  • use your Uni-ID credentials to log in (NB! without @ttu.ee)
  • Web: https://vpn.ttu.ee:443/
  • server: vpn.ttu.ee
  • port: 443

... in IT College:

In IT College there is an option to use an SSH tunnel through the http://enos.itcollege.ee/ server with your IT College credentials. For convenient usage, Sshuttle (article in Estonian) is available. This SSH tunnel is also available to students. MS Windows users can use PuTTY. macOS users can also use an SSH tunnel.

OpenVPN

NB! Since July 2021 this service has been replaced by eduVPN.

Allows access to the TTU library from outside the university. Additionally, you get a secure VPN connection. A Uni-ID account is required.

Client software

Installation in Debian/Ubuntu

  • open the terminal (e.g. CTRL+ALT+T), copy-paste the following lines and press Enter

copy-paste in terminal: SHIFT+CTRL+C, SHIFT+CTRL+V

sudo apt-get update && sudo apt-get install openvpn
sudo ldconfig && sudo dpkg --configure -a && sudo apt-get clean

You may also want to look for the openvpn-blacklist package, but it may be deprecated and no longer available.

  • for GUI Network Manager:
sudo apt-get update && sudo apt-get install network-manager-openvpn-gnome
sudo ldconfig && sudo dpkg --configure -a && sudo apt-get clean

You may also want to look for the openvpn-systemd-resolved package and install it to integrate OpenVPN with systemd. [1]

Configuration

  • download the preconfigured client.ovpn from https://toru.ttu.ee/
  • use your Uni-ID credentials to log in and also later to authenticate in OpenVPN
  • on GNU/Linux, add the following lines to client.ovpn after the line setenv PUSH_PEER_INFO, then save the file:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
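
The edit described above can be scripted so that it is applied only once, and the resulting profile can be listed for every directive that makes OpenVPN run a program. This is an added example, not part of the original wiki page; the function names and the sample profile contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki page): patch client.ovpn once, then review hooks.

HOOK=/etc/openvpn/update-resolv-conf

# Insert the three lines after "setenv PUSH_PEER_INFO"; safe to run repeatedly.
add_resolv_hooks() {
    conf=$1
    grep -q "^up $HOOK\$" "$conf" && return 0             # already patched
    grep -q '^setenv PUSH_PEER_INFO' "$conf" || return 2  # anchor line missing
    tmp=$(mktemp) || return 1
    awk -v hook="$HOOK" '
        { print }
        /^setenv PUSH_PEER_INFO/ && !done {
            print "script-security 2"
            print "up " hook
            print "down " hook
            done = 1
        }' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Print every directive that makes OpenVPN execute a program, so that a
# downloaded profile can be checked for hooks other than the expected one.
list_script_hooks() {
    awk '$1 ~ /^(up|down|ipchange|route-up|route-pre-down|tls-verify)$/ { print $1, $2 }' "$1"
}

# Constructed sample profile (hypothetical contents, not the real client.ovpn).
demo_patch() {
    f=$(mktemp) || return 1
    printf '%s\n' 'client' 'dev tun' 'setenv PUSH_PEER_INFO' 'auth-user-pass' > "$f"
    add_resolv_hooks "$f" && add_resolv_hooks "$f"   # second run changes nothing
    cat "$f"; echo '--'; list_script_hooks "$f"
    rm -f "$f"
}

demo_patch
```

With script-security 2 the listed scripts run with the privileges of the OpenVPN process, so the hook list of a downloaded profile is worth reading before the first connection.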

Connecting in Debian/Ubuntu

  • use your Uni-ID credentials
  • open the terminal, e.g. using CTRL+ALT+T
  • navigate to folder where the client.ovpn is saved or provide the full path
  • run sudo openvpn --config client.ovpn, or use the more convenient way - the alias created below

Usually it is possible to import *.ovpn files into the graphical network manager [2]. In Ubuntu 16.04 LTS the current file cannot be imported, but in Ubuntu 18.04 LTS it can.

Convenient login in GNU/Linux

  • open the terminal, e.g. using CTRL+ALT+T
  • create an alias:
    • nano ~/.bash_aliases #open CLI text editor
    • alias vpn-ttu='sudo openvpn --config /path/client.ovpn' #add appropriate alias and path to client.ovpn, then save the file
  • source ~/.bash_aliases (or reopen terminal or relogin)
  • add permissions to run OpenVPN without entering a password
    • sudo nano /etc/sudoers.d/permissions #the file name permissions can be replaced with any name you like
    • username ALL=(ALL) NOPASSWD: /usr/sbin/openvpn #replace username with your real one and then save the file
  • type your new alias vpn-ttu in terminal to start a VPN session
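
Both passwordless sudoers rules on this page (the OpenFortiGUI one and the openvpn one above) leave the command's arguments open. The following check reports that for each NOPASSWD rule; it is an added example, not part of the original wiki page, and the third rule and its /etc/openvpn/client/ttu.ovpn path are constructed for comparison.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit NOPASSWD sudoers rules.

# Reads sudoers lines on stdin, prints "principal|command|findings" per rule.
#   setenv        - SETENV tag: caller may pass its environment (sudo -E)
#   any-args      - command listed without arguments: any arguments allowed
#   wildcard-args - "*" in the argument list
audit_nopasswd() {
    awk '
    /^[ \t]*#/ || !/NOPASSWD:/ { next }
    {
        principal = $1
        findings = ($0 ~ /SETENV:/) ? " setenv" : ""
        spec = $0
        sub(/^.*(NOPASSWD|SETENV):[ \t]*/, "", spec)  # keep the command part
        sub(/[ \t]*#.*$/, "", spec)                   # drop a trailing comment
        sub(/[ \t]+$/, "", spec)
        n = split(spec, part, /[ \t]+/)
        if (n == 1)                findings = findings " any-args"
        else if (index(spec, "*")) findings = findings " wildcard-args"
        if (findings == "")        findings = " ok"
        print principal "|" part[1] "|" substr(findings, 2)
    }'
}

# The two rules quoted on the page, plus one constructed, tightened variant
# (the /etc/openvpn/client/ttu.ovpn path is hypothetical).
audit_page_rules() {
    audit_nopasswd <<'EOF'
%sudo  ALL=NOPASSWD:SETENV: /usr/bin/openfortigui --start-vpn *
username ALL=(ALL) NOPASSWD: /usr/sbin/openvpn
username ALL=(root) NOPASSWD: /usr/sbin/openvpn --config /etc/openvpn/client/ttu.ovpn
EOF
}

# A pinned --config is only as strong as the file behind it: it must be owned
# by root and not writable by group or others (GNU stat, as on Debian/Ubuntu).
pinned_config_safe() {
    meta=$(stat -c '%u %a' -- "$1" 2>/dev/null) || return 1
    [ "${meta% *}" = 0 ] || return 1
    case ${meta#* } in *[2367]?|*[2367]) return 1 ;; esac
    return 0
}

audit_page_rules
```

After editing a drop-in under /etc/sudoers.d, validate it with visudo -cf followed by the file name before relying on it.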


in nano text editor

  • save the file:
    • CTRL+O and Enter if you accept the proposed file name (or enter a new one if needed)
    • or F3
  • quit the file:
    • CTRL+X
    • or F2


More information about...

Benefits of TalTech VPN

TalTech helpdesk

References