VPN and SSH via central

From IBERS Bioinformatics and HPC Wiki

VPN

The VPN (Virtual Private Network) will securely connect your computer to the university network when off-campus. To access bert and most IBERS virtual machines you will need to connect to the VPN first.

The university uses a VPN program called GlobalProtect; instructions on how to install it can be found on the Information Services FAQ pages.

More detailed notes

Alun Jones in Computer Science support has written some detailed instructions on using the VPN; you can find these on his webpage.

Using the VPN on Linux

There is an official GlobalProtect client for Linux, linked to from the Information Services page; however, some users have reported difficulty getting it to work.


OpenConnect on the command line

As an alternative the open source openconnect client can be used, but it needs to be version 8.0 or newer. If you are running Ubuntu 16.04 or 18.04 this version is not available from your normal package sources, but it can be installed via this PPA. Linux Mint 19 seems to work without any extra packages. The openconnect client can also be built from source, which you can download from github.

Use the command below (replace <userid> with your Aber user id, WITHOUT @aber.ac.uk):

   sudo openconnect --user=<userid> --protocol=gp pa-vpn.aber.ac.uk

You will need to have set up a multi-factor authentication token using a phone app such as Google Authenticator or otpclient (for Linux desktop) and by visiting the webpage [mfa.aber.ac.uk] while on campus. If you can't get to campus, see the section below on SOCKS proxies for a workaround.
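The version requirement above is the usual reason the openconnect route fails: an older client simply does not know the --protocol=gp option. The script below is an added example (not from the wiki or the openconnect project) that checks the installed version before running the page's command. It assumes the first line of openconnect --version looks like "OpenConnect version v8.10-1", and the vpn_connect function refuses a user id that still carries @aber.ac.uk, the mistake the page warns about.

```shell
#!/bin/sh
# Added example, not from the wiki: run the page's openconnect command only
# after confirming the client is version 8.0 or newer (needed for --protocol=gp).

# Extract "MAJOR MINOR" from a banner such as "OpenConnect version v8.10-1".
# The banner format is an assumption about openconnect --version output.
oc_version_parts() {
    printf '%s\n' "$1" | sed -n 's/.*v\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Return 0 if the banner describes version 8.0 or newer, 1 otherwise.
# An unparsable banner is treated as "too old" rather than waved through.
oc_version_ok() {
    set -- $(oc_version_parts "$1")
    [ -n "$1" ] || return 1
    [ "$1" -gt 8 ] && return 0
    [ "$1" -eq 8 ] && [ "$2" -ge 0 ] && return 0
    return 1
}

# Connect to the university VPN with the bare Aber user id (no @aber.ac.uk).
vpn_connect() {
    userid=$1
    case "$userid" in
        ''|*@*) echo "usage: vpn_connect <userid>  (bare id, without @aber.ac.uk)" >&2; return 2 ;;
    esac
    command -v openconnect >/dev/null 2>&1 || { echo "openconnect is not installed" >&2; return 2; }
    banner=$(openconnect --version 2>&1 | head -n 1)
    if ! oc_version_ok "$banner"; then
        echo "openconnect too old for --protocol=gp (need 8.0 or newer): $banner" >&2
        return 2
    fi
    # The command from the page; sudo is needed to create the tunnel interface.
    sudo openconnect --user="$userid" --protocol=gp pa-vpn.aber.ac.uk
}

# Usage: vpn_connect abc12
```

When run, vpn_connect prompts for your password and MFA code exactly as the bare openconnect command does; the only difference is that a missing or too-old client is reported in plain words instead of an option-parsing error.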

OpenConnect via Network Manager

If you want to connect using a GUI then you can create a

This does NOT work in Ubuntu versions 16.04 or 18.04.

More detailed Linux notes

Alun Jones in Computer Science support has written some detailed instructions on using the VPN on Linux; you can find these on his webpage.

SSH via Central

Central is a Linux server run by Information Services which is accessible off campus. You can log in to it using SSH and then log in to other machines (e.g. bert or your office PC) that are on the university network. Access to central is disabled by default unless you are part of the Computer Science department.

Enable access to central

  1. Go to the IS My Account page
  2. Choose "Login to check and edit your account settings"
  3. Enter your university username and password when prompted
  4. Click "Add or remove permissions" in the Account section.
  5. Under the "Service Features on my own account" section ensure that "SSH access on central.aber.ac.uk" says "Remove". If it says "Add" then click on the "Add" button. It will take about 15 minutes to activate.

Connecting to Central

Connect via SSH to central.aber.ac.uk. You must be on campus or on the VPN the first time you do this; subsequent access off campus requires an SSH key.

In Windows 10+, Linux or macOS open a terminal and type (replacing <userid> with your university user ID):

   ssh <userid>@central.aber.ac.uk

The first time you connect you'll see a message about the host key. Check that the fingerprint shown is the one you expect before answering; once accepted it is remembered in ~/.ssh/known_hosts and you will only be asked again if it changes.

   The authenticity of host 'central.aber.ac.uk (144.124.16.20)' can't be established.
   ECDSA key fingerprint is SHA256:MAyKXGiivwSsc9ICg1PQdh1Xo92qjTAyDhuub8xMkqA.
   Are you sure you want to continue connecting (yes/no)?

Type "yes" (just pressing y won't work) and then press enter, then enter your password when prompted. Once logged in, the prompt will change to:

   central:~ $

From here you could connect to Bert by typing:

   ssh bert.ibers.aber.ac.uk

Generate an SSH key

This is required for access off campus.

On your computer run the command:

   ssh-keygen

This will give the output:

   Generating public/private rsa key pair.
   Enter file in which to save the key (/home/abc12/.ssh/id_rsa):

Press enter to save it in the default location (/home/abc12/.ssh/id_rsa in this example).

You'll now be asked to enter a passphrase to protect the key. You can leave this blank, but adding a passphrase means that should anybody else copy the key they won't be able to use it without the passphrase.

   Enter passphrase (empty for no passphrase):
   Enter same passphrase again:

Two files will now be saved in your .ssh directory: id_rsa, your private key, which stays on your computer and is never copied anywhere else, and id_rsa.pub, your public key, which you copy to the other computers you want to connect to.

   Your identification has been saved in /home/abc12/.ssh/id_rsa.
   Your public key has been saved in /home/abc12/.ssh/id_rsa.pub.
   The key fingerprint is:
   SHA256:KovOb+BBFX3txNV9IjuFoAMviZ8ByFFtF8kxKnLj9kI abc12@localhost
   The key's randomart image is:
   +---[RSA 3072]----+
   |=.o+++oB+        |
   |o* .=o=+* .      |
   |+.==.=.+ o       |
   | o=+= o          |
   | .oE   .S        |
   |  = .  .         |
   | . +...          |
   | ...oo    -      |
   | .+oo    .       |
   +----[SHA256]-----+

Now to copy the key to a system you want to use you can either paste the id_rsa.pub file into the .ssh/authorized_keys file on the other system or you can use the ssh-copy-id command. This is usually the simpler option, so let's do that and add our key to central by running the command:

   ssh-copy-id abc12@central.aber.ac.uk

This should give a response like the one below, and it will prompt for your password on central (since the key isn't copied yet).

   /bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/abc12/.ssh/id_rsa.pub"
   The authenticity of host 'central.aber.ac.uk (144.124.255.1)' can't be established.
   ECDSA key fingerprint is SHA256:n5CZT+pkmlMlF7N+vqN1ybTxatdrW8Kt4Ko0BLNikc.
   Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
   /bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
   /bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
   abc12@central.aber.ac.uk's password:
   Number of key(s) added: 1
   Now try logging into the machine, with:   "ssh 'abc12@central.aber.ac.uk'"
   and check to make sure that only the key(s) you wanted were added.


Now if you attempt to login to central again it shouldn't prompt for your password. If you set a passphrase on the key then you will be asked for this.

   ssh abc12@central.aber.ac.uk

Connections to central should now be possible off campus/VPN too.
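The section above offers two ways to install the public key on central: ssh-copy-id, or pasting id_rsa.pub into .ssh/authorized_keys by hand. The manual route is where mistakes happen (pasting the private key, a line wrapped by the editor, the same key added twice, or permissions that make sshd ignore the file). The shell functions below are an added example, not code from the wiki, that do the manual step with those checks built in; the key line in the usage comment and in the test is constructed and is not a real key. The optional second argument to add_authorized_key (the .ssh directory) exists only so the functions can be exercised against a temporary directory.

```shell
#!/bin/sh
# Added example, not from the wiki: the manual alternative to ssh-copy-id done
# carefully. A line is appended to authorized_keys only if it looks like one
# OpenSSH public key and is not already there, and the permissions sshd
# requires (700 on .ssh, 600 on authorized_keys) are enforced.

# Return 0 if $1 is a single OpenSSH public-key line (key type, base64 blob
# starting "AAAA", optional comment). A pasted private key ("-----BEGIN ..."),
# a multi-line paste or a wrapped/partial line fails this check.
is_pubkey_line() {
    line=$1
    nl='
'
    case "$line" in
        *"$nl"*) return 1 ;;                  # more than one line pasted
        "ssh-ed25519 AAAA"*|"ssh-rsa AAAA"*|"ecdsa-sha2-nistp256 AAAA"*|"ecdsa-sha2-nistp384 AAAA"*|"ecdsa-sha2-nistp521 AAAA"*) ;;
        *) return 1 ;;                        # private key, wrapped line or junk
    esac
    set -f                                    # no globbing while splitting fields
    set -- $line
    set +f
    [ $# -ge 2 ]                              # at least "type blob"
}

# Append a public key line to $2/authorized_keys ($2 defaults to ~/.ssh).
# Prints "added" or "already present"; returns 1 if the line is not a key.
add_authorized_key() {
    keyline=$1
    sshdir=${2:-$HOME/.ssh}
    is_pubkey_line "$keyline" || { echo "refusing: not a single public key line" >&2; return 1; }
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    authfile=$sshdir/authorized_keys
    touch "$authfile"
    chmod 600 "$authfile"
    if grep -qxF -- "$keyline" "$authfile"; then
        echo "already present"
    else
        printf '%s\n' "$keyline" >> "$authfile"
        echo "added"
    fi
}

# Count the keys now authorised, so you can confirm only the keys you wanted
# were added (the check ssh-copy-id reminds you to make).
count_authorized_keys() {
    grep -c -E '^(ssh-|ecdsa-)' "${1:-$HOME/.ssh}/authorized_keys"
}

# Usage on the target machine, with a CONSTRUCTED key line standing in for
# the contents of your own id_rsa.pub:
#   add_authorized_key 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDexamplekeyNOTrealNOTrealNOTreal abc12@localhost'
#   count_authorized_keys
```

Run add_authorized_key on the machine you are logging in to, passing the single line from id_rsa.pub on your own computer; running it a second time with the same line reports "already present" rather than duplicating the entry.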

Other Windows SSH clients

If you don't have a recent version of Windows 10 you'll need to install an SSH client. Try either PuTTY or MobaXterm. PuTTY is a small download and very simple; MobaXterm is bigger and has many other features.

SSH Port Forwarding

This no longer works with central, these instructions are left here for reference should you want to use this technique elsewhere.

SSH port forwarding allows you to send data other than what would be on the screen/keyboard over your SSH session. It can be used to get around firewall restrictions to access computers behind a firewall or break out from behind a firewall to other parts of the internet.

For a good visual guide explaining this, see this youtube video.

Local Port Forwarding

A local port forward allows you to access a single port on another computer that's accessible to the system you're SSH'ed into. For example you might want to SSH to central from outside the university and then have it port forward to Bert. This way you can SSH straight into Bert, using the port forward via central.

Let's forward port 22 on bert (the port for SSH) to port 2222 on our local computer via central.aber.ac.uk.

   ssh -L 2222:bert.ibers.aber.ac.uk:22 <userid>@central.aber.ac.uk

We can now connect to bert by running (in a different terminal window):

   ssh -p 2222 <userid>@localhost

This feature is particularly useful for copying files between bert and your home PC as you can use it with the SCP/SFTP commands or a graphical copying utility like Filezilla.

To copy a file called <localfile> to bert we can do:

   scp -P 2222 <localfile> <userid>@localhost:

Note that scp uses a capital P to specify the port number, but ssh uses a lower case p.
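The recipe above needs two terminal windows and leaves an interactive session open just to hold the forward. As an added example (not from the wiki), the functions below run the same local forward as a managed background session: ssh is started with a control socket so the forward can be checked and closed cleanly, and the scp goes through it as described. Because the page notes that central no longer allows forwarding, the hosts are placeholders: JUMP stands for a jump host that still permits it and TARGET for the machine behind it; the port-spec validation is the only part that runs without a network.

```shell
#!/bin/sh
# Added example, not from the wiki: the page's local port forward run as a
# background ssh session with a control socket, plus early validation of the
# "localport:host:remoteport" argument so a typo fails before ssh is invoked.

SOCK=${SOCK:-$HOME/.ssh/fwd-ctl.sock}   # control socket path (assumption)

# Validate and print a "localport:host:remoteport" spec for ssh -L.
# Returns 1 for an empty host or a port outside 1..65535.
forward_spec() {
    lport=$1; host=$2; rport=$3
    [ -n "$host" ] || return 1
    for p in "$lport" "$rport"; do
        case "$p" in
            ''|*[!0-9]*) return 1 ;;          # not a plain number
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    printf '%s:%s:%s\n' "$lport" "$host" "$rport"
}

# Start the forward in the background.
#  -f -N                          go to background, run no remote command
#  -M -S "$SOCK"                  be the control master on this socket
#  -o ExitOnForwardFailure=yes    fail instead of silently running without the forward
# $4 is the jump host login, e.g. "$USER@JUMP".
open_forward() {
    spec=$(forward_spec "$1" "$2" "$3") || { echo "bad forward spec: $1 $2 $3" >&2; return 1; }
    mkdir -p "$(dirname "$SOCK")"
    ssh -f -N -M -S "$SOCK" -o ExitOnForwardFailure=yes -L "$spec" "$4"
}

# Ask the control master whether the session is still alive (exit 0 if so).
forward_alive() { ssh -S "$SOCK" -O check "$1" 2>/dev/null; }

# Tell the control master to exit, closing the forward.
close_forward() { ssh -S "$SOCK" -O exit "$1" 2>/dev/null; }

# Usage with placeholder hosts: forward local 2222 to TARGET:22 via JUMP,
# copy a file through it (scp takes a capital -P, as the page notes), then tidy up.
#   open_forward 2222 TARGET 22 "$USER@JUMP" && \
#     scp -P 2222 ./data.tar.gz "$USER@localhost:"
#   close_forward "$USER@JUMP"
```

forward_alive is handy in a script that must not start copying until the tunnel is up, and close_forward means no stray ssh process keeps port 2222 bound after the copy finishes.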

Dynamic Port Forwarding (SOCKS proxy)

SSH has a nice extra feature where data can be forwarded to the remote computer for it to forward onto others. This effectively means any data you send will appear to be from the remote computer. To activate this feature we have to start SSH with an extra option. SSH will create a proxy server using the SOCKS protocol, any software we want to use this feature will have to be told to send its data to the SOCKS proxy.

To start the proxy add the "-D" option to SSH followed by a port number between 1024 and 65535; 1080 is the default number for SOCKS but it doesn't really matter what you use.

   ssh <userid>@central.aber.ac.uk -D 1080


Once we've entered our password there will be a SOCKS proxy server running on our local computer listening on port 1080. Any requests sent to this will be forwarded to central, which will forward them onto their destination.

Proxy server settings

To use the SOCKS proxy you'll have to change the proxy server settings in the applications you want to use it with. Any programs whose settings you don't change will continue to access the internet via your own internet provider.

Firefox:

  • Click on the hamburger menu (3 horizontal lines in the top left)
  • Click on the cog icon (options)
  • Click on the Wizard hat (advanced settings) icon at the bottom of the left hand side
  • Choose the network tab
  • Under the "Connection" section at the top click "Settings" next to the "configure how Firefox connects to the internet"
  • Choose "Manual Proxy configuration"
  • Enter "localhost" in the SOCKS host section and set the port to 1080, choose "SOCKS v5" and press Ok.