====== VPN ======
===== Service description =====
Allows access to the internal network from anywhere trough Internet.
When connected to the VPN you hay an internal IP address that allows secure access to all the CITIUS services. However Internet access is filtered so that only the internal network and a few chosen external sites are accessible. You can check which sites in the [[centro:servizos:vpn:lista de sitios accesibles|VPN white list]]
===== Activation =====
Check in [[https://apps.citius.usc.es/xici/personainternas/edit|Xici permissions]] whether the service //Acceso ext. VPN// is listed. If the service is listed, you don't need to register.
Depending on your user type, it can be possible that you're not allowed to access this page.
If needed, you have to register filling the [[https://citius.usc.es/dashboard/enviar-incidencia| requests and problem reporting form]]. This form is only available to CITIUS users.
The necessary configuration files are located in [[https://nextcloud.citius.usc.es/|the VPN folder in Nextcloud]].
The installation guides tell you when and how to use those files.
===== User guides =====
* [[en:centro:servizos:vpn:windows| Windows 10/11 User Guide]]
* [[en:centro:servizos:vpn:ubuntu| Ubuntu 22.04 User Guide]]
* [[en:centro:servizos:vpn:android| Android User Guide]]
* [[en:centro:servizos:vpn:centos| CentOS 6 User Guide]]
* [[en:centro:servizos:vpn:linux| Generic GNU/Linux (without Network Manager) User Guide]]
* [[en:centro:servizos:vpn:macosx| Mac OS X 10.8/10.9/10.10 User Guide]]
===== Frequent issues =====
==== DNS error when using SSH ====
Specially in Ubuntu, when using SSH to connect to CiTIUS servers it fails with a DNS error : " SSH: Could not resolve hostname ...." . The solution is to use the correspondent IP address to connect instead of the hostname.
==== The VPN isn't working from anywhere (and never did) ====
In the configuration, check that the VPN server address is ''193.144.83.110'' (or ''vpn.citius.usc.es''). When using the name check if it matches the ip address.
To do so, open a terminal window and enter ''ping vpn.citius.usc.es'' and check that the answers are from that ip address. If it is not, then use the address instead of the name in the configuration.
To change the configuration in Windows, right click the systray icon and choose "Edit configuration...". In the text editor, change ''remote vpn.citius.usc.es'' to ''remote 193.144.83.110''. Remove the whole line ''verify-x509-name "vpn.citius.usc.es" name''. Save and close the editor.
==== The VPN worked until recently but not anymore ====
Check that you can open a session in the CiTIUS web with your username and password. If you can, then double check the password in the VPN configuration. Once you are sure the problem is not your username/password if it isn't working yet then it may be an outdated certificate's fault. Get in touch with the admins to make them check it.
==== VPN not working from EDUROAM or other networks ====
After this service was launched the list of ports that an EDUROAM network has to have open has been standardized. We use port ''22 UDP'' for the VPN service and sadly that port was not in the list. The same thing happens when connecting from other networks like the SERGAS, which have that port filtered.
To work around that problem we redirect port ''1194 UDP''(which is open in EDUROAM) to ''22 UDP''. So if you are having trouble change the connection port to 1194 and try again.
To change the configuration in Windows, right click the systray icon and choose "Edit configuration...". In the text editor, change ''22 udp'' to ''1194 udp'' (all lowecase). Save and close the editor.
==== Can't reach any computer using SSH ====
Certain combinations of SSH clients and servers can have traffic between them blocked by Internet providers when negotiating the connection encryption. To check if the problem applies to your case, try to connect with the ''-v'' parameter. You should see messages like these:
$ ssh -v jorge.suarez@172.16.54.31
OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 172.16.54.31 [172.16.54.31] port 22.
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu7
debug1: match: OpenSSH_5.3p1 Debian-3ubuntu7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
and then keeps waiting for one minute until the server closes the connection.
You can avoid this problem forcing the preferred encryption methods in the SSH client configuration file. For example:
$ echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes128-cbc,3des-cbc" > ~/.ssh/config
If this doesn't resolve the issue then you mast configure other encryption methods. Try shortening the list o changing the its order.
==== In Windows: Runs ok but connections fail ====
It is necessary to run //OpenVPN GUI// as **administrator**. If not, everything seems ok but routes are not correctly established an connections fail.
==== Windows installer is a 7z file and I don't know what is that ====
It's a file compressed with [[http://7-zip.org/|7-zip]], that is also protected with password ''citius''. We use to send the configuration files by email in that format to avoid them being rejected by mail servers. Usually mail servers don't allow ''.exe'' files attached.