VPN and SSH via central

From IBERS Bioinformatics and HPC Wiki
Revision as of 19:02, 26 March 2020 by Ibers-admin (talk | contribs) (Local Port Forwarding)

VPN

The VPN (Virtual Private Network) will securely connect your computer to the university network when off-campus. To access bert and most IBERS virtual machines you will need to connect to the VPN first.

The university uses a VPN program called GlobalProtect. Instructions on how to install it can be found on the Information Services FAQ pages.

More detailed notes

Alun Jones in Computer Science support has written some detailed instructions, which you can find on his webpage.

Using the VPN on Linux

There is an official GlobalProtect client for Linux, which is linked to on the Information Services page. However, some users have reported difficulty getting it to work.


OpenConnect on the command line

As an alternative, the open source openconnect client can be used, but it needs to be version 8.0 or newer. If you are running Ubuntu version 16.04 or 18.04, this version is not available from your normal package sources, but it can be installed via this PPA. Linux Mint 19 seems to work without any extra packages. The openconnect client can also be installed from source; you can download it from GitHub.

Use the command below (replace <userid> with your aber user id, WITHOUT @aber.ac.uk):

   sudo openconnect --user=<userid> --protocol=gp pa-vpn.aber.ac.uk

You will need to have set up a Multifactor Authentication token using a phone app such as Google Authenticator or otpclient (for Linux desktop) and by visiting the webpage [mfa.aber.ac.uk] while on campus. If you can't get to campus, see the section below on SOCKS proxies as a workaround for this.

OpenConnect via Network Manager

If you want to connect using a GUI then you can create a

This does NOT work in Ubuntu versions 16.04 or 18.04.

More detailed Linux notes

Alun Jones in Computer Science support has written some detailed instructions, which you can find on his webpage.

SSH via Central

Central is a Linux server run by Information Services which is accessible off campus. You can log in to it using SSH and then log in to other machines (e.g. bert or your office PC) that are on the university network. Access to central is disabled by default unless you are part of the Computer Science department.

Enable access to central

  1. Go to the IS My Account page
  2. Choose "Login to check and edit your account settings"
  3. Enter your university username and password when prompted
  4. Click "Add or remove permissions" in the Account section.
  5. Under the "Service Features on my own account" section ensure that "SSH access on central.aber.ac.uk" says "Remove". If it says "Add" then click on the "Add" button. It will take about 15 minutes to activate.

Connecting to Central

Connect via SSH to central.aber.ac.uk.

In Windows 10, Linux or MacOS open a terminal and type (replacing <userid> with your university user ID):

   ssh <userid>@central.aber.ac.uk   

The first time you connect you'll see a message about the host key.

   The authenticity of host 'central.aber.ac.uk (144.124.16.20)' can't be established.
   ECDSA key fingerprint is SHA256:MAyKXGiivwSsc9ICg1PQdh1Xo92qjTAyDhuub8xMkqA.
   Are you sure you want to continue connecting (yes/no)?

Type "yes" (just pressing y won't work) and then press enter. Then enter your password when prompted. Once logged in, the prompt will change to:

   central:~ $

From here you could connect to Bert by typing:

   ssh bert.ibers.aber.ac.uk
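
The fingerprint in the host key prompt above is the unpadded base64 of the SHA-256 hash of the server's public key blob, so it can be recomputed and compared against a known-good value before answering "yes". The following is an added example, not part of the original wiki page: the pinned value is the fingerprint quoted above, and the sample key line is constructed dummy data (not central's real key), so the comparison is expected to fail.

```python
import base64
import hashlib
import hmac
import struct

# Fingerprint quoted on this page for central.aber.ac.uk.
PINNED = "SHA256:MAyKXGiivwSsc9ICg1PQdh1Xo92qjTAyDhuub8xMkqA"


def fingerprint(known_hosts_line: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of a '<host> <type> <base64>' line."""
    fields = known_hosts_line.split()
    if len(fields) < 3:
        raise ValueError("expected: <host> <keytype> <base64-key>")
    blob = base64.b64decode(fields[2], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # with the text field means the line is truncated or has been altered.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != fields[1]:
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints the raw digest as base64 with the '=' padding removed.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_pinned(known_hosts_line: str, pinned: str = PINNED) -> bool:
    """True only if the offered key hashes to the pinned fingerprint."""
    return hmac.compare_digest(fingerprint(known_hosts_line), pinned)


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


# Constructed sample (NOT central's real key): an ed25519-shaped blob with
# dummy key material, laid out like one line of ssh-keyscan output.
_blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_LINE = "central.aber.ac.uk ssh-ed25519 " + base64.b64encode(_blob).decode()

if __name__ == "__main__":
    print("offered:", fingerprint(SAMPLE_LINE))
    print("pinned: ", PINNED)
    print("match:  ", matches_pinned(SAMPLE_LINE))
```

A mismatch between the offered and pinned fingerprints means the connection should not be accepted until the key has been confirmed through another channel.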


Other Windows SSH clients

If you don't have a recent version of Windows 10 you'll need to install an SSH client. Try either PuTTY or MobaXterm. PuTTY is a small download and very simple; MobaXterm is bigger and has many other features.


SSH Port Forwarding

SSH port forwarding allows you to send data other than what would be on the screen/keyboard over your SSH session. It can be used to get around firewall restrictions to access computers behind a firewall or break out from behind a firewall to other parts of the internet.

For a good visual guide explaining this, see this YouTube video.

Local Port Forwarding

A local port forward allows you to access a single port on another computer that's accessible to the system you're SSH'ed into. For example you might want to SSH to central from outside the university and then have it port forward to Bert. This way you can SSH straight into Bert, using the port forward via central.

Let's forward port 22 on bert (which is the port for SSH) to port 2222 on our local computer via central.aber.ac.uk.

  ssh -L 2222:bert.ibers.aber.ac.uk:22 <userid>@central.aber.ac.uk

We can now connect to bert by running (in a different terminal window):

  ssh -p 2222 <userid>@localhost

This feature is particularly useful for copying files between bert and your home PC, as you can use it with the SCP/SFTP commands or a graphical copying utility like FileZilla.

To copy a file called <localfile> to bert we can do:

  scp -P 2222 <localfile> <userid>@localhost:

Note that scp uses a capital P to specify the port number, but ssh uses a lower case p.

Dynamic Port Forwarding (SOCKS proxy)

SSH has a nice extra feature where data can be forwarded to the remote computer for it to forward on to others. This effectively means any data you send will appear to be from the remote computer. To activate this feature we have to start SSH with an extra option. SSH will create a proxy server using the SOCKS protocol, and any software we want to use this feature will have to be told to send its data to the SOCKS proxy.

To start the proxy, add the "-D" option to SSH followed by a port number between 1024 and 65535. 1080 is the default number for SOCKS, but it doesn't really matter what you use.

   ssh <userid>@central.aber.ac.uk -D 1080


Once we've entered our password there will be a SOCKS proxy server running on our local computer listening on port 1080. Any requests sent to this will be forwarded to central, which will forward them onto their destination.
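
Both the -L forward and the -D proxy shown on this page listen only on the local computer because no bind address is given; adding one (or enabling GatewayPorts in the client configuration) can open the tunnel to other machines on your network. The following added example, which is not part of the original wiki page, parses a forward specification and reports where ssh will listen. The function names are hypothetical, only the TCP forms of the options are handled, and the samples beyond the page's two commands are constructed.

```python
import ipaddress
import re

_TOKEN = re.compile(r"\[([^\]]*)\]|([^:\[\]]*)")

def _split(spec):
    """Split on ':' but keep bracketed IPv6 literals such as [::1] whole."""
    parts, pos = [], 0
    while True:
        m = _TOKEN.match(spec, pos)
        parts.append(m.group(1) if m.group(1) is not None else m.group(2))
        pos = m.end()
        if pos == len(spec):
            return parts
        if spec[pos] != ":":
            raise ValueError(f"malformed forward spec: {spec!r}")
        pos += 1

def _is_loopback(bind):
    if bind == "localhost":
        return True
    try:
        return ipaddress.ip_address(bind).is_loopback
    except ValueError:
        return False  # '*' or a hostname: assume reachable from the network

def listen_address(flag, spec, gateway_ports=False):
    """Return (bind, port, exposed) for -L [bind:]port:host:hostport or -D [bind:]port."""
    parts = _split(spec)
    expected = {"-L": 3, "-D": 1}[flag]
    if len(parts) == expected:
        # No bind address: ssh listens on loopback unless GatewayPorts is enabled.
        bind = "*" if gateway_ports else "localhost"
    elif len(parts) == expected + 1:
        bind = parts.pop(0) or "*"  # an empty bind address means all interfaces
    else:
        raise ValueError(f"unexpected field count in {flag} {spec!r}")
    port = int(parts[0])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return bind, port, not _is_loopback(bind)

# The two forwards used on this page, then constructed variants that widen the listener.
SAMPLES = [("-L", "2222:bert.ibers.aber.ac.uk:22"), ("-D", "1080"),
           ("-L", "0.0.0.0:2222:bert.ibers.aber.ac.uk:22"), ("-D", "*:1080")]

if __name__ == "__main__":
    for flag, spec in SAMPLES:
        bind, port, exposed = listen_address(flag, spec)
        print(flag, spec, "->", f"{bind}:{port}", "EXPOSED" if exposed else "loopback only")
```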

Proxy server settings

To use the SOCKS proxy you'll have to change the proxy server settings in the applications you want to use it with. Any programs whose settings you don't change will continue to access the internet via your own internet provider.

Firefox:

  • Click on the grill menu (3 horizontal lines in the top left)
  • Click on the cog icon (options)
  • Click on the Wizard hat (advanced settings) icon at the bottom of the left hand side
  • Choose the network tab
  • Under the "Connection" section at the top, click "Settings" next to "configure how Firefox connects to the internet"
  • Choose "Manual Proxy configuration"
  • Enter "localhost" in the SOCKS host section and set the port to 1080, choose "SOCKS v5" and press Ok.