|
| 1 | +# Remote Access |
| 2 | + |
| 3 | +To access the DAQ server remotely we will be using SSH and UCR's VPN. If you |
| 4 | +need to use the user with root permission on the server, please ask the DAQ |
| 5 | +lead for permissions. All programs that you need are already installed, so to |
| 6 | +prevent human errors occurring on the server because of typos or other |
| 7 | +misinputs, we have decided to limit the people getting root access on the |
| 8 | +server. |
| 9 | + |
| 10 | +## Connect to VPN |
| 11 | + |
| 12 | +<div class="warning"> |
| 13 | + Please create an UCR engineer account first. |
| 14 | + |
| 15 | + [Follow this guide](https://docs.google.com/document/d/1oX0ZYzlXolmpZ0fJNAy_cVPW6i22R3PRp1TenrxjHMw/edit?usp=sharing). |
| 16 | +</div> |
| 17 | + |
| 18 | +You can follow the [UCR's VPN |
| 19 | +guide](https://library.ucr.edu/using-the-library/technology-equipment/connect-from-off-campus) |
| 20 | +to connect to the BCOE network--which is where our server's LAN is located. If |
| 21 | +you don't want to read the UCR guide, we have created a TLDR below that you can |
| 22 | +follow. If you are a Linux user or you want an open-source-only option, we have |
| 23 | +provided a guide for that below as well. |
| 24 | + |
| 25 | +<details> |
| 26 | + <summary>TLDR</summary> |
| 27 | + |
| 28 | + 1. Make sure: |
| 29 | + * you can login into UCR's CISCO Anyconnect VPN using [vpn.ucr.edu](https://vpn.ucr.edu) (username and password should be the same as how you log into R'web) |
| 30 | + * you have an [engineer account](https://docs.google.com/document/d/1oX0ZYzlXolmpZ0fJNAy_cVPW6i22R3PRp1TenrxjHMw/edit?usp=sharing). |
| 31 | + 2. Log into [vpn.ucr.edu](https://vpn.ucr.edu), and click on continue. |
| 32 | + 3. You will see instructions telling you how to install CISCO Anyconnect VPN client. |
| 33 | + 4. Download the client and install it. |
| 34 | + 5. Open the client and enter `vpn.ucr.edu` as the VPN endpoint where the client will connect to. |
| 35 | + 6. Click "Connect" and you should be connected to the UCR VPN after a few seconds. |
| 36 | +</details> |
| 37 | + |
| 38 | +<details> |
| 39 | + <summary>Open source option</summary> |
| 40 | + |
| 41 | + 1. First, you need to download the command [`openconnect`](https://www.infradead.org/openconnect/). |
| 42 | + * Arch Linux: `sudo pacman -S openconnect` |
| 43 | + 2. Make sure: |
| 44 | + * `curl` is avaliable in your `PATH` environment variable. |
| 45 | + * you can login into UCR's CISCO Anyconnect VPN using [vpn.ucr.edu](https://vpn.ucr.edu) (username and password should be the same as how you log into R'web) |
| 46 | + * you have an [engineer account](https://docs.google.com/document/d/1oX0ZYzlXolmpZ0fJNAy_cVPW6i22R3PRp1TenrxjHMw/edit?usp=sharing). |
| 47 | + 3. Download [`vpn.sh`](./vpn.sh) and fill out your `USERNAME` and `PASSWORD` inside of the file on line 3 and 4. |
| 48 | + 4. `cd` into where `vpn.sh` is located and make it executable `chmod +x vpn.sh`. |
| 49 | + 5. Run `vpn.sh` with `./vpn.sh` |
| 50 | + 6. This script will ask for you to approve the login attempt on DUO application everytime you run it. |
| 51 | + |
| 52 | + This is the content of [`vpn.sh`](./vpn.sh): |
| 53 | + |
| 54 | + ```sh |
| 55 | + #!/bin/env sh |
| 56 | + |
| 57 | + USERNAME="" |
| 58 | + PASSWORD="" |
| 59 | + DOMAIN="https://vpn.ucr.edu" |
| 60 | + |
| 61 | + #echo -n "Enter DUO Passcode: " |
| 62 | + #read DUO_PASSCODE |
| 63 | + DUO_PASSCODE="1" |
| 64 | + |
| 65 | + echo Getting the \`tg\` cookie |
| 66 | + VAR_tg=$(curl -s -v "${DOMAIN}/+CSCOE+/logon.html?tgroup=FTD_VPN" 2>&1 | grep -i "Set-Cookie:" | grep -oP '(?<=tg=)[^;]+') |
| 67 | + |
| 68 | + echo Getting CSRFtoken cookie |
| 69 | + CSRF_TOKEN=$(curl -s "${DOMAIN}/+CSCOE+/logon.html" | grep CSRFtoken | awk -F'"' '{print $4}') |
| 70 | + |
| 71 | + # Random stuff that are required |
| 72 | + curl -s "${DOMAIN}/+CSCOE+/logon.html" \ |
| 73 | + -H "Cookie: tg=${VAR_tg}" \ |
| 74 | + -H "Referer: ${DOMAIN}/" > /dev/null |
| 75 | + |
| 76 | + curl -s "${DOMAIN}/+CSCOE+/blank.html" \ |
| 77 | + -H "Cookie: tg=${VAR_tg}; webvpnlogin=1; webvpnLang=en; CSRFtoken=${CSRF_TOKEN}" \ |
| 78 | + -H "Referer: ${DOMAIN}/+CSCOE+/logon.html" > /dev/null |
| 79 | + |
| 80 | + echo Login using username and password |
| 81 | + LOGIN_PAGE=$(curl -X POST -s "${DOMAIN}/+webvpn+/index.html" \ |
| 82 | + -H "Content-Type: application/x-www-form-urlencoded" \ |
| 83 | + -H "Cookie: tg=${VAR_tg}; webvpnlogin=1; webvpnLang=en; CSRFtoken=${CSRF_TOKEN}" \ |
| 84 | + -H "Referer: ${DOMAIN}/+CSCOE+/logon.html" \ |
| 85 | + --data "tgroup=" \ |
| 86 | + --data "next=" \ |
| 87 | + --data "tgcookieset=" \ |
| 88 | + --data "csrf_token=${CSRF_TOKEN}" \ |
| 89 | + --data "username=${USERNAME}" \ |
| 90 | + --data "password=${PASSWORD}" \ |
| 91 | + --data "Login=Logon") |
| 92 | + |
| 93 | + AUTH_HANDLE=$(echo $LOGIN_PAGE | sed -n 's/.*&auth_handle=\([^"]*\)".*/\1/p') |
| 94 | + VAR_a1=$(echo $LOGIN_PAGE | sed -n 's/.*&a1=\([^"]*\)".*/\1/p') |
| 95 | + |
| 96 | + # DUO challenge |
| 97 | + HOME_PAGE=$(curl -X POST -v -s "${DOMAIN}/+webvpn+/login/challenge.html" \ |
| 98 | + -H "Content-Type: application/x-www-form-urlencoded" \ |
| 99 | + -H "Referer: ${DOMAIN}/+CSCOE+/logon.html?reason=7&a0=2&a1=${VAR_a1}&a2=&a3=0&next=&auth_handle=${AUTH_HANDLE}&status=2&username=${UESRNAME}&serverType=0&challenge_code=0" \ |
| 100 | + -H "Cookie: tg=${VAR_tg}; webvpnlogin=1; webvpnLang=en; CSRFtoken=${CSRF_TOKEN}" \ |
| 101 | + -v \ |
| 102 | + --data "next=" \ |
| 103 | + --data "auth_handle=${AUTH_HANDLE}" \ |
| 104 | + --data "status=2" \ |
| 105 | + --data "username=${USERNAME}" \ |
| 106 | + --data "challenge_code=0" \ |
| 107 | + --data "csrf_token=${CSRF_TOKEN}" \ |
| 108 | + --data "password=${DUO_PASSCODE}" 2>&1) |
| 109 | + |
| 110 | + if [[ "$HOME_PAGE" != *"doStart"* ]]; then |
| 111 | + # failed to login |
| 112 | + echo failed to login |
| 113 | + exit 1 |
| 114 | + fi |
| 115 | + |
| 116 | + WEBVPN_COOKIE=$(echo $HOME_PAGE | grep "Set-Cookie:" | sed -n 's/.*webvpn=\([^;]*\);.*/\1/p') |
| 117 | + |
| 118 | + echo Sucessfully logged in. Connecting to VPN... |
| 119 | + |
| 120 | + sudo openconnect --protocol=anyconnect -C "webvpn=${WEBVPN_COOKIE}" vpn.ucr.edu |
| 121 | + ``` |
| 122 | + |
| 123 | + The reason why this script is needed is because `sudo openconnect |
| 124 | + --protocol=anyconnect vpn.ucr.edu` by itself is not currently compatible with |
| 125 | + `vpn.ucr.edu`. What this script does is it extra the login session cookie |
| 126 | + from `vpn.ucr.edu` and use it with `openconnect`. |
| 127 | +</details> |
| 128 | + |
| 129 | +## SSH Access |
| 130 | + |
| 131 | +For regular members, you should be using the user without root access. We want |
| 132 | +to reduce the amount of human errors that can happen on the machine. If you |
| 133 | +really need root access, please ask the DAQ lead. |
| 134 | + |
| 135 | +After you are connected to the BCOE network, you can access the server through SSH. |
| 136 | + |
| 137 | +* Server IP: 169.235.18.162 |
| 138 | +* Username: highlander |
| 139 | +* Password: hsp |
| 140 | + |
| 141 | +`ssh highlander@169.235.18.162` |
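Review bot: The SSH Access section (new lines 137-139) publishes the server IP, the shared `highlander` account and its password (`Password: hsp`) in the docs, so anyone who can read this repository and reach the BCOE network has a working login. Remove the password from the page, have the DAQ lead hand out access, and preferably switch the account to per-member SSH keys so access can be revoked per person. In `vpn.sh`, line 99 builds the Referer with `${UESRNAME}`, which is never set and expands to an empty string; it should be `${USERNAME}`. The guide (line 47) tells users to save their UCR password into the script on lines 57-58; prompting for it at run time with terminal echo turned off would keep it out of the file, and sending `username` and `password` with `--data-urlencode` instead of `--data` would keep characters such as `&` or `+` intact. The shebang on line 55 is `#!/bin/env sh`, but the `[[ ... ]]` test on line 110 is a bash construct, so the script should declare `#!/usr/bin/env bash` or use a POSIX `case` test. The session cookie on line 120 is passed with `-C` on the command line, where it is visible in the process list; `openconnect --cookie-on-stdin` avoids that.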