DEVOPS ProductionVPNaccess 011220 2106

This document provides a comprehensive guide for accessing the production VPN, including access approval, setting up two-factor authentication (2FA), and installing VPN clients on various operating systems. It outlines the steps for installing Google Authenticator, OTP Manager, and WinAuth for 2FA, as well as detailed instructions for setting up VPN clients on macOS and Windows. Additionally, it includes information on changing VPN passwords and accessing internal services once connected.

Production VPN access

Access Approval
Setting up 2FA
Installing Google Authenticator on mobile(Preferred)
Installing OTP Manager on your Macbook
Installing WinAuth on a Windows Laptop
Setting up the VPN on your laptop
Client packages
INSTALLING THE VPN CLIENT OSX
Tunnelblick
Extra Options
INSTALLING THE VPN CLIENT Windows
OpenVPN
ADVANCED (VPN using macos terminal)
Installation on OSX
Openvpn from the command line
Appendix
Changing your vpn password

Access Approval
Production access to our internal cloud requires you to use a VPN.

Access is controlled by DevOps: have Dmitriy/Kevin approve your request, then submit it on the #devops Slack channel.

Your LDAP username is typically your first initial followed by your last name.

Setting up 2FA
You should have received an email from [email protected] containing a QR code and a 16 character secret. Both carry the same secret; you use one of them to configure a token generator (a TOTP app) on your phone or laptop. Follow one (or more) of the options below.

Treat the secret like a password: anyone who has the QR code or the 16 characters can generate your codes, so do not forward the email, and delete it once your generator is set up.

Installing Google Authenticator on mobile (Preferred)

If you choose to set up on your phone, download the "Google Authenticator" app from the Apple App Store or Google Play store:

https://apps.apple.com/us/app/google-authenticator/id388497605

https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_US

After installing, tap the + button in the app and scan the QR code from the email. You should now see a 6 digit code in the app that changes every 30 seconds.
You have set up your 2FA device.

Installing OTP Manager on your Macbook

Install OTP Manager from the Mac App Store:

https://apps.apple.com/us/app/otp-manager/id928941247?mt=12

You should then be able to open the OTP Manager app. Click the 'Add your first account' button.
For Issuer and username you can enter anything, but listing thehive.ai and your VPN username is recommended.

Enter the 16 character secret from your email in the OTP secret field.

Click "Save" and your 2FA generator is set up.

Installing WinAuth on a Windows Laptop

To set up the 2FA generator on Windows, download the zip file from this page: https://winauth.github.io/winauth/download.html

Unzip it and move the application in the folder onto your desktop.

When you run the WinAuth app you should get an option to add Google as an authenticator.

Enter anything for the name, then paste the secret from the email as the Secret Code. Click Verify and then OK.

You have set up your 2FA device.
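All three apps above (Google Authenticator, OTP Manager, WinAuth) implement the same algorithm, RFC 6238 TOTP over the base32 secret from the enrolment email, which is why the 16 character secret and the QR code are interchangeable. The following is an added example, not code from the original document or from any of those apps: it generates the 6 digit code from a base32 secret and shows the check a server does on the other side (a small clock-skew window, constant-time comparison). The secret used is the RFC 4226/6238 reference test key, constructed for the example; a real enrolment mail carries a different 16 character secret.

```python
"""RFC 6238 TOTP generator and verifier, the scheme behind the VPN's
second factor.

Added example, not part of the original document. TEST_SECRET_B32 is the
RFC 4226/6238 reference key ("12345678901234567890" in base32), not a
real enrolment secret.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Reference key from the RFCs, constructed for this example (32 base32
# chars = 20 bytes). The email's 16-char secret decodes to 10 bytes.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

TIME_STEP = 30   # seconds per code, the Google Authenticator default
DIGITS = 6       # the 6-digit codes the VPN prompts for


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret from the enrolment email.

    Tolerates the spaces and lower case some apps display, and restores
    the '=' padding base32 needs when the length is not a multiple of 8
    (a 16-char secret needs none).
    """
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = TIME_STEP,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(decode_secret(secret_b32), at // step, digits)


def verify_totp(secret_b32: str, candidate: str, at: Optional[int] = None,
                window: int = 1, step: int = TIME_STEP) -> bool:
    """Server-side check: accept the code for the current step and
    `window` steps either side (clock skew), comparing in constant time.

    A real server must additionally remember the counter it accepted and
    refuse it a second time, otherwise a captured code can be replayed
    within the window.
    """
    if at is None:
        at = int(time.time())
    key = decode_secret(secret_b32)
    base = at // step
    ok = False
    for delta in range(-window, window + 1):
        # Evaluate every candidate step; do not short-circuit on a match.
        ok |= hmac.compare_digest(hotp(key, base + delta), candidate)
    return ok


if __name__ == "__main__":
    print("current code for the test key:", totp(TEST_SECRET_B32))
```

Paste your own 16 character secret into `totp()` to confirm that your app and this code agree; if they differ by one step, the clock on the phone or laptop is off, which is also the usual reason the VPN rejects a code that looks correct.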

Setting up the VPN on your laptop

Client packages
Download the package for your platform first. Each archive contains the .ovpn configuration and supporting files that point your VPN client at our server; instructions for using them follow below. Keep the archive private, as it is part of your access.

For Mac OS:

https://drive.google.com/file/d/1W8jWK1c-WvHEiSYn8nQ_92HgxFapWuMX/view?usp=sharing

For Windows:

https://drive.google.com/file/d/1fFb8ogMVHK9YQU0yoliNZ3sEvFhyXgrl/view?usp=sharing

RO VPN (for non-engineers that need HTTP only access)

https://drive.google.com/file/d/19tT37mWMr30-GhOiZJRYo5-NAoiL80Wg/view?usp=sharing

Mumbai NAT VPN (for India based QA/DA folks)

https://drive.google.com/file/d/1AQyfsFdBvzDInBbGcXpjCpcCOR5rRYYW/view?usp=sharing
INSTALLING THE VPN CLIENT OSX

Tunnelblick

Step 1: Download and install Tunnelblick. If you already have it installed, upgrade to the latest version first.

Step 2: Extract the .tgz file downloaded above. Open the .ovpn config file in the hive-vpn folder with Tunnelblick.

Step 3: Tunnelblick will ask you for credentials to log in. Enter the credentials that were set up for you. Tunnelblick will next ask for the 6 digit token from the token generator you set up on either your laptop or phone.
Once Tunnelblick reports the connection as established, that's it - you're connected!

NOTE: You can also find Tunnelblick in the menu bar.

Also a small note:

2019-08-27 - The new VPN servers require an OpenVPN 2.4 or newer client with the AES-GCM data-channel ciphers available (ideally with AES-NI hardware acceleration). If in doubt, run openvpn --show-ciphers | grep GCM and check that the AES-*-GCM entries are listed.

If you use Tunnelblick to connect, upgrade to the latest client first; Tunnelblick bundles its own OpenVPN binaries, so an old Tunnelblick means an old OpenVPN.


Extra Options

To keep the tunnel up across sleep, uncheck: VPN Details (menu bar) > Configurations (selected by default) > Settings > Advanced... (lower button) > Disconnect when computer goes to sleep

INSTALLING THE VPN CLIENT Windows

OpenVPN
First go here and get the appropriate installer for your version of Windows:

https://openvpn.net/community-downloads/

Guide to configuring openvpn-gui: https://community.openvpn.net/openvpn/wiki/OpenVPN-GUI

Install the package normally.

Once installed, right click the system tray icon and quit. Then, from either the search menu or the start menu icon, right click OpenVPN GUI and start it with "Run as administrator".

Next, browse to the downloaded (and unpacked) configuration files and move them into the right place. OpenVPN GUI expects per-user configurations in C:\Users\<username>\OpenVPN\config, so copy the files there.

Then right click the tray icon, select the config file and choose "Connect" (start OpenVPN on this config file).

You will be prompted for your VPN credentials and then for the 6 digit OTP code.

That should be it. If you see failures or permission denied errors, you are most likely not running as administrator.

ADVANCED (VPN using macos terminal)


Installation on OSX

First, launch Terminal.app and install Homebrew:

http://brew.sh/

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

(The Ruby-based installer above has since been retired by the Homebrew project; use the current one-line installer shown on brew.sh.)

brew install openvpn

OpenVPN download page is here

That covers the minimum to get going. Note that Homebrew installs the binary at /usr/local/sbin/openvpn on Intel Macs and /opt/homebrew/sbin/openvpn on Apple Silicon; adjust the paths below accordingly. Next, unpack the VPN package somewhere on your filesystem and change to that folder in Terminal. If you downloaded the attachment to Documents/dr22_v0_ldap_vpn.tgz, double click it to extract it there. First confirm that your OpenVPN build offers the GCM ciphers the servers require:
Erics-MacBook-Pro-3:Downloads enelson$ /usr/local/sbin/openvpn --show-ciphers | grep -i GCM
--keysize directive. Using a CBC or GCM mode is recommended.
AES-128-GCM (128 bit key, 128 bit block, TLS client/server mode only)
AES-192-GCM (192 bit key, 128 bit block, TLS client/server mode only)
AES-256-GCM (256 bit key, 128 bit block, TLS client/server mode only)

Erics-MacBook-Pro-3:Downloads enelson$ /usr/local/sbin/openvpn --version
OpenVPN 2.4.7 x86_64-apple-darwin17.7.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Apr 18 2019
library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.10

If the client's cipher or HMAC settings do not match the server's, the tunnel comes up and then immediately fails to authenticate every data packet. The log then looks like this:

Tue Aug 27 18:48:03 2019 /sbin/route add -net 172.29.0.1 172.29.0.9 255.255.255.255
add net 172.29.0.1: gateway 172.29.0.9
Tue Aug 27 18:48:03 2019 Initialization Sequence Completed
Tue Aug 27 18:48:13 2019 Authenticate/Decrypt packet error: packet HMAC authentication failed
Tue Aug 27 18:48:23 2019 Authenticate/Decrypt packet error: packet HMAC authentication failed
Tue Aug 27 18:48:33 2019 Authenticate/Decrypt packet error: packet HMAC authentication failed

"Initialization Sequence Completed" followed by repeated HMAC failures is the signature of this problem: the TLS handshake succeeded, but the data channel is using different parameters on each side. Upgrade the client (see the 2019-08-27 note above) before looking elsewhere.

Openvpn from the command line

The session below was captured in 2016 with OpenVPN 2.3.8 against an earlier server, so the cipher, HMAC and TLS parameters it negotiates are older than what the current servers use; the steps themselves are unchanged.

Erics-MacBook-Pro-2:~ enelson$ cd ~/Downloads/dr22_v0_ldap_vpn

Erics-MacBook-Pro-2:dr22_v0_ldap_vpn enelson$ sudo /usr/local/sbin/openvpn config.ovpn


Mon Oct 31 10:40:20 2016 OpenVPN 2.3.8 x86_64-apple-darwin14.4.0 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built
on Oct 20 2015

Mon Oct 31 10:40:20 2016 library versions: OpenSSL 1.0.2h 3 May 2016, LZO 2.09

Enter Auth Username:enelson <-- Your VPN username goes here

Enter Auth Password: <xxxxx>

Mon Oct 31 10:40:43 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

Mon Oct 31 10:40:43 2016 Socket Buffers: R=[196724->65536] S=[9216->65536]

Mon Oct 31 10:40:43 2016 UDPv4 link local: [undef]

Mon Oct 31 10:40:43 2016 UDPv4 link remote: [AF_INET]4.16.199.125:1194

Mon Oct 31 10:40:43 2016 TLS: Initial packet from [AF_INET]4.16.199.125:1194, sid=1f593355 237cabcb

Mon Oct 31 10:40:43 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache
option to prevent this

Mon Oct 31 10:40:43 2016 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Kiwi.qa, OU=OpenVPN Server, CN=
Kiwi.qa CA, [email protected]

Mon Oct 31 10:40:43 2016 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Kiwi.qa, OU=OpenVPN Server,
CN=server, [email protected]

Mon Oct 31 10:40:43 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

Mon Oct 31 10:40:43 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Mon Oct 31 10:40:43 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

Mon Oct 31 10:40:43 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Mon Oct 31 10:40:43 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA

Mon Oct 31 10:40:43 2016 [server] Peer Connection Initiated with [AF_INET]4.16.199.125:1194

Mon Oct 31 10:41:14 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)

Mon Oct 31 10:41:14 2016 PUSH: Received control message: 'PUSH_REPLY,route 172.17.0.0 255.255.0.0,topology
net30,ping 10,ping-restart 120,ifconfig 172.17.0.22 172.17.0.21'

Mon Oct 31 10:41:14 2016 OPTIONS IMPORT: timers and/or timeouts modified

Mon Oct 31 10:41:14 2016 OPTIONS IMPORT: --ifconfig/up options modified

Mon Oct 31 10:41:14 2016 OPTIONS IMPORT: route options modified

Mon Oct 31 10:41:14 2016 Opened utun device utun0

Mon Oct 31 10:41:14 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0

Mon Oct 31 10:41:14 2016 /sbin/ifconfig utun0 delete

ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address

Mon Oct 31 10:41:14 2016 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure

Mon Oct 31 10:41:14 2016 /sbin/ifconfig utun0 172.17.0.22 172.17.0.21 mtu 60000 netmask 255.255.255.255 up

Mon Oct 31 10:41:14 2016 /sbin/route add -net 192.168.110.0 172.17.0.21 255.255.255.0

add net 192.168.110.0: gateway 172.17.0.21

Mon Oct 31 10:41:14 2016 /sbin/route add -net 172.17.16.0 172.17.0.21 255.255.255.0

add net 172.17.16.0: gateway 172.17.0.21

Mon Oct 31 10:41:14 2016 /sbin/route add -net 172.17.64.0 172.17.0.21 255.255.255.0

add net 172.17.64.0: gateway 172.17.0.21

Mon Oct 31 10:41:14 2016 /sbin/route add -net 172.17.80.0 172.17.0.21 255.255.240.0

add net 172.17.80.0: gateway 172.17.0.21


Mon Oct 31 10:41:14 2016 /sbin/route add -net 172.17.128.0 172.17.0.21 255.255.240.0

add net 172.17.128.0: gateway 172.17.0.21

Mon Oct 31 10:41:14 2016 /sbin/route add -net 172.17.144.0 172.17.0.21 255.255.240.0

add net 172.17.144.0: gateway 172.17.0.21

Mon Oct 31 10:41:14 2016 /sbin/route add -net 10.2.0.0 172.17.0.21 255.255.0.0

add net 10.2.0.0: gateway 172.17.0.21

Mon Oct 31 10:41:14 2016 /sbin/route add -net 10.0.0.0 172.17.0.21 255.255.0.0

add net 10.0.0.0: gateway 172.17.0.21

Mon Oct 31 10:41:14 2016 /sbin/route add -net 172.17.0.0 172.17.0.21 255.255.0.0

add net 172.17.0.0: gateway 172.17.0.21

Mon Oct 31 10:41:14 2016 Initialization Sequence Completed
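Two lines in that session deserve attention before you reuse a profile like it. "WARNING: No server certificate verification method has been enabled" means the client checks only that the server's certificate chains to the CA; because client certificates chain to the same CA, any holder of a client certificate could pose as the server (the #mitm link in the warning describes exactly this), and the fix is remote-cert-tls server plus, ideally, verify-x509-name. "this configuration may cache passwords in memory" means the LDAP password is retained for reconnects unless auth-nocache is set. The session also shows AES-256-CBC with SHA1 and a TLSv1 control channel, which the 2019 servers have since moved past. The script below is an added example, not code from the original document or from the OpenVPN project: it parses a client profile and flags those points, with a constructed weak profile that reproduces the two warnings beside a hardened one. The hostname and the certificate name ("server", matching CN=server in the log) are placeholders, not the real endpoint.

```python
"""Lint an OpenVPN client profile (.ovpn) for the weaknesses visible in
the session log on this page: no server-certificate usage check, password
caching, and legacy CBC/SHA1/TLS settings.

Added example, not part of the original document or the OpenVPN project.
Both profiles are constructed; vpn.example.invalid is a placeholder.
"""
from typing import Dict, List

# Constructed profile that reproduces the two warnings in the 2016 log.
WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
auth-user-pass
cipher AES-256-CBC
auth SHA1
"""

# The same profile with every check below satisfied. Assumes the server
# certificate's CN is "server", as in the log; adjust to your CA.
HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
auth-user-pass
auth-nocache
remote-cert-tls server
verify-x509-name server name
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
"""


def parse_profile(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the list of argument lists it appears with.

    Skips comments and the inline <ca>/<cert>/<key> blocks; a directive
    that repeats (e.g. several `remote` lines) keeps every occurrence.
    """
    directives: Dict[str, List[List[str]]] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def lint_profile(text: str) -> List[str]:
    """Return one finding per weakness; an empty list means the profile
    passes every check in this example."""
    d = parse_profile(text)
    findings: List[str] = []

    # remote-cert-tls server (or the deprecated ns-cert-type) requires the
    # server cert to carry server usage, so a client cert from the same CA
    # can no longer impersonate the server; this is the standard fix for the
    # "No server certificate verification method" warning.
    if "remote-cert-tls" not in d and "ns-cert-type" not in d:
        findings.append("missing 'remote-cert-tls server': client certs from the CA could pose as the server (MITM)")
    if "verify-x509-name" not in d:
        findings.append("missing 'verify-x509-name': server identity not pinned")

    # auth-user-pass without auth-nocache keeps the password in memory for
    # reconnects: the "may cache passwords in memory" warning.
    if "auth-user-pass" in d and "auth-nocache" not in d:
        findings.append("missing 'auth-nocache': password retained in process memory")

    # Legacy data/control-channel settings seen in the 2016 session.
    for args in d.get("cipher", []):
        if args and args[0].upper().endswith("-CBC"):
            findings.append(f"cipher {args[0]}: CBC mode, prefer an AES-GCM cipher")
    for args in d.get("auth", []):
        if args and args[0].upper() == "SHA1":
            findings.append("auth SHA1: prefer SHA256 or stronger for the HMAC")
    if "tls-version-min" not in d:
        findings.append("missing 'tls-version-min 1.2': legacy TLS versions allowed")
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{label}: {lint_profile(profile) or ['ok']}")
```

Run it against the config.ovpn from the package (read the file and pass its contents to `lint_profile`) before connecting from the command line; Tunnelblick and OpenVPN GUI use the same profile, so any finding applies to them as well. On OpenVPN 2.5 and later, data-ciphers is the preferred way to express the GCM preference, but cipher AES-256-GCM is accepted by the 2.4 builds this page targets.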

Appendix

Changing your vpn password

Once you are logged into the VPN you can access our internal services. One of them lets you change your password.

Go to https://password.castle.fm/ and enter your work email. You will receive a password reset email.

This URL can only be accessed while you are on the VPN. (A temporary password may be issued so that you can connect to the VPN for the first time. Change it to a strong, unique password as soon as you are connected; do not keep using the temporary one.)

Please also follow the Changing DNS servers for your laptop page to add our local DNS servers to your Wi-Fi settings. (You will have to do the same for Ethernet connections separately.)