| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| en:centro:servizos:vpn:start [2023/01/11 10:34] – jorge.suarez | en:centro:servizos:vpn:start [2025/02/20 13:17] (current) – external edit 127.0.0.1 |
|---|
| ====== VPN ====== | ====== VPN ====== |
| ===== Service description ===== | ===== Description of the service ===== |
| Allows access to the internal network from anywhere trough Internet. | Provides access to the internal network from anywhere through the Internet. |
| When connected to the VPN you hay an internal IP address that allows secure access to all the CITIUS services. However Internet access is filtered so that only the internal network and a few chosen external sites are accessible. You can check which sites in the [[centro:servizos:vpn:lista de sitios accesibles|VPN white list]] | |
| |
| ===== Activation ===== | When connected to the VPN, you have an IP in the center from wherever you connect, allowing you to securely access all the services you have access to. |
| Check in [[https://apps.citius.usc.es/xici/personainternas/edit|Xici permissions]] whether the service //Acceso ext. VPN// is listed. If the service is listed, you don't need to register. | |
| |
| You have to register filling the [[https://citius.usc.es/dashboard/enviar-incidencia| requests and problem reporting form]]. This form is only available to CITIUS users. | Internet access is cut off through the VPN. Using the VPN, you can only access the CITIUS network and certain specific services. Check the [[centro:servizos:vpn:lista de sitios accesibles|list of sites accessible through the VPN]]. |
| |
| The necessary configuration files are located in [[https://nextcloud.citius.usc.es/|the VPN folder in Nextcloud]]. | ===== Registration for the service ===== |
| |
| The installation guides tell you when and how to use those files. | First, check in the [[https://apps.citius.usc.es/xici/personainternas/edit|Xici Account and Permissions section]] if the service //External VPN Access// is already listed. If so, the service is already active for your account. |
| |
| ===== User guides ===== | If you need to request registration, it must be done through the [[https://citius.usc.es/dashboard/enviar-incidencia|request and incident form]]. To access the form, you need a CITIUS username and password. If you have trouble remembering your username or password, you can request a reactivation at [[citius.tic@usc.es]]. |
| |
| * [[en:centro:servizos:vpn:windows| Windows 7/8/8.1/10 User Guide]] | The necessary files will be shared in the [[https://nextcloud.citius.usc.es/|VPN Files on Nextcloud]] directory once you have the service active. |
| * [[en:centro:servizos:vpn:ubuntu| Ubuntu 22.04 User Guide]] | |
| * [[en:centro:servizos:vpn:android| Android User Guide]] | |
| * [[en:centro:servizos:vpn:centos| CentOS 6 User Guide]] | |
| * [[en:centro:servizos:vpn:linux| Generic GNU/Linux (without Network Manager) User Guide]] | |
| * [[en:centro:servizos:vpn:macosx| Mac OS X 10.8/10.9/10.10 User Guide]] | |
| |
| | The installation guides themselves will refer to the files you will need. Check these manuals to know what each file belongs to. |
| |
| ===== Frequent issues ===== | ===== User manuals ===== |
| ==== The VPN isn't working from anywhere (and never did) ==== | |
| |
| In the configuration, check that the VPN server address is ''193.144.83.110'' (or ''vpn.citius.usc.es''). When using the name check if it matches the ip address. | * [[:centro:servizos:vpn:windows|Manual for Windows 10/11]] |
| | * [[:centro:servizos:vpn:ubuntu|Manual for Ubuntu 24.04]] |
| | * [[:centro:servizos:vpn:android|Manual for Android]] |
| | * [[:centro:servizos:vpn:linux|Manual for Generic GNU/Linux (without Network Manager)]] |
| | * [[:centro:servizos:vpn:macosx|Manual for Mac OS X 10.8 and above]] |
| | * [[:centro:servizos:vpn:centos|Manual for CentOS 6]] |
| |
| To do so, open a terminal window and enter ''ping vpn.citius.usc.es'' and check that the answers are from that ip address. If it is not, then use the address instead of the name in the configuration. | ===== Frequently asked questions ===== |
| |
| To change the configuration in Windows, right click the systray icon and choose "Edit configuration...". In the text editor, change ''remote vpn.citius.usc.es'' to ''remote 193.144.83.110''. Remove the whole line ''verify-x509-name "vpn.citius.usc.es" name''. Save and close the editor. | ==== The VPN connection was working until recently but has stopped ==== |
| ==== The VPN worked until recently but not anymore ==== | |
| |
| Check that you can open a session in the CiTIUS web with your username and password. If you can, then double check the password in the VPN configuration. Once you are sure the problem is not your username/password if it isn't working yet then it may be an outdated certificate's fault. Get in touch with the admins to make them check it. | Since March 19, 2018, new certificates must be used, which you can find in the [[https://nextcloud.citius.usc.es/|VPN Files on Nextcloud]]. |
| |
| ==== VPN not working from EDUROAM or other networks ==== | If you are using the new files, check that you can log in to the CiTIUS website with your username and password. If you can log in to the website, verify that it is the same password in the VPN configuration. |
| |
| After this service was launched the list of ports that an EDUROAM network has to have open has been standardized. We use port ''22 UDP'' for the VPN service and sadly that port was not in the list. The same thing happens when connecting from other networks like the SERGAS, which have that port filtered. | ==== The VPN connection does not work for me from an EDUROAM network or other work locations ==== |
| |
| To work around that problem we redirect port ''1194 UDP''(which is open in EDUROAM) to ''22 UDP''. So if you are having trouble change the connection port to 1194 and try again. | For the VPN to work, your connection must allow traffic on UDP port 1194. In some workplaces or educational centers, this port may be closed. In that case, your only alternatives are the [[:centro:servizos:pasarela_ssh|SSH Gateway]] or the [[:centro:servizos:webshell|Web Shell]]. |
| |
| To change the configuration in Windows, right click the systray icon and choose "Edit configuration...". In the text editor, change ''22 udp'' to ''1194 udp'' (all lowecase). Save and close the editor. | ==== I receive a DNS error when trying to connect ==== |
| ==== Can't reach any computer using SSH ==== | Especially on Ubuntu, when trying to connect via SSH to CiTIUS servers, a DNS error is received: "SSH: Could not resolve hostname ...." The solution is to use the corresponding IP address to connect instead of the hostname. |
| Certain combinations of SSH clients and servers can have traffic between them blocked by Internet providers when negotiating the connection encryption. To check if the problem applies to your case, try to connect with the ''-v'' parameter. You should see messages like these: | |
| | ==== I cannot connect via SSH to any device on the network ==== |
| | |
| | Some combinations of SSH servers and clients can cause network issues when negotiating the SSH connection encryption. To ensure this is the problem, by connecting with the ''-v'' option you should receive messages like these: |
| |
| <code bash> | <code bash> |
| $ ssh -v jorge.suarez@172.16.54.31 | $ ssh -v jorge.suarez@172.16.243.xx |
| OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012 | OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012 |
| debug1: Reading configuration data /etc/ssh/ssh_config | debug1: Reading configuration data /etc/ssh/ssh_config |
| </code> | </code> |
| |
| and then keeps waiting for one minute until the server closes the connection. | Then the connection stays waiting until the server closes the connection a minute later. |
| You can avoid this problem forcing the preferred encryption methods in the SSH client configuration file. For example: | |
| | You can avoid this problem by setting your own preferred encryption methods in the SSH client configuration. For example, with the following command: |
| <code bash> | <code bash> |
| $ echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes128-cbc,3des-cbc" > ~/.ssh/config | $ echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes128-cbc,3des-cbc" > ~/.ssh/config |
| </code> | </code> |
| |
| If this doesn't resolve the issue then you mast configure other encryption methods. Try shortening the list o changing the its order. | If you still cannot connect with the same symptoms, you must set other encryption methods. Try reducing the list or varying the order of the methods. |
| | |
| ==== In Windows: Runs ok but connections fail ==== | |
| It is necessary to run //OpenVPN GUI// as **administrator**. If not, everything seems ok but routes are not correctly established an connections fail. | |
| |
| ==== Windows installer is a 7z file and I don't know what is that ==== | |
| It's a file compressed with [[http://7-zip.org/|7-zip]], that is also protected with password ''citius''. We use to send the configuration files by email in that format to avoid them being rejected by mail servers. Usually mail servers don't allow ''.exe'' files attached. | |