- Information contained in the HLRS Wiki is not legally binding and HLRS is not responsible for any damages that might result from its use -

VPN: Difference between revisions

From HLRS Platforms
(15 intermediate revisions by 2 users not shown)
Line 1: Line 1:
== Access HLRS compute service using VPN ==
== Access HLRS compute service using VPN ==


Access to HLRS compute platforms requiers a registration of the clients IP adress in the firewall. If the IP adress is not static
Access to HLRS compute platforms requieres a registration of the clients IP address in the firewall. If the IP address is not static
a connection via VPN is possible.  
a connection via VPN is recommended.  


To use this featrue, please contact your project supervisor and ask him to add the hww-vpn ressorce in the HLRS user database.  
To use this feature, please contact your project supervisor and ask him to add the vpn-hww resource in the HLRS user database.  
Install the Fortigate software on your laptop. The Software could be downloaded on
Install the Fortigate software on your laptop. The Software could be downloaded on


  https://www.forticlient.com (Windows, Mac)
  https://github.com/adrienverge/openfortivpn (Linux and Mac)


On Fedora, OpenSUSE, and latest Ubuntu openfortivpn is available via packet manager


On Mac OSX openfortivpn can also be installed via Homebrew or Macports


== configuration of Fortinet VPN client ==


== configuration of VPN client ==
[[File:Forticlient windows config.jpg]]


[[File:Forticlient windows config.jpg]]
== using the VPN ==


[[File:Forticlient_windows_usage.jpg]]


Type your login and password to connect. If this works, you are able to login on the frontend servers using ssh e.g.


== using the VPN ==
  ssh -l <your_login> hazelhen.hww.hlrs.de
 
== configuration of openfortivpn ==


type your login and passwort to connect. If this works, you are able to login on the frontend servers using ssh e.g.
# config file for openfortivpn
host = rmgw.hww.hlrs.de
port = 443
username = your username
# trusted-cert = 5338851771baa67d1a29fa8df7d49ddbd83cbbd517c78e032bf5ab305eaba3f8
# ca-file = /usr/share/ca-certificates/mozilla/Deutsche_Telekom_Root_CA_2.crt


  ssh -l <your_login> hazelhen.hww.hlrs.de
A user certificate is '''not''' required. If your Openssl library is configured correctly and your certificate bundles are installed properly it should neither be necessary to explicitly set up the ca certificate. The vpn gateway uses a DFN certificate which is issued below the root ca tree of the German Telekom, one of the CA's trusted by most browsers, the trusted-cert is the digest of the server's certificate which is subject to change every couple of years.
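
Review bot: the commented-out trusted-cert line in the added openfortivpn config hard-codes a digest that the added paragraph itself describes as changing every couple of years. Suggest replacing the literal with a placeholder or stating when it was valid, so that a reader who uncomments it does not end up with a stale pin. On the new side, the intro still reads "requieres" and "clients IP address", the install note says "packet manager", and "The Software could be downloaded on" should read "can be downloaded from".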

Revision as of 15:49, 5 June 2019

Access HLRS compute service using VPN

Access to HLRS compute platforms requires registration of the client's IP address in the firewall. If the IP address is not static, a connection via VPN is recommended.

To use this feature, please contact your project supervisor and ask him to add the vpn-hww resource in the HLRS user database. Install the Fortigate software on your laptop. The software can be downloaded from

 https://www.forticlient.com (Windows, Mac)
 https://github.com/adrienverge/openfortivpn (Linux and Mac)

On Fedora, openSUSE, and the latest Ubuntu, openfortivpn is available via the package manager.

On Mac OS X, openfortivpn can also be installed via Homebrew or MacPorts.

configuration of Fortinet VPN client

Forticlient windows config.jpg

using the VPN

Forticlient windows usage.jpg

Type your login and password to connect. If this works, you can log in to the frontend servers using ssh, e.g.

  ssh -l <your_login> hazelhen.hww.hlrs.de

configuration of openfortivpn

  # config file for openfortivpn
  host = rmgw.hww.hlrs.de
  port = 443
  username = your username
  # trusted-cert = 5338851771baa67d1a29fa8df7d49ddbd83cbbd517c78e032bf5ab305eaba3f8
  # ca-file = /usr/share/ca-certificates/mozilla/Deutsche_Telekom_Root_CA_2.crt

A user certificate is not required. If your OpenSSL library is configured correctly and your certificate bundles are installed properly, it should not be necessary to set up the CA certificate explicitly either. The VPN gateway uses a DFN certificate which is issued below the root CA tree of the German Telekom, one of the CAs trusted by most browsers. The trusted-cert value is the digest of the server's certificate, which is subject to change every couple of years.
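
Because the pinned digest goes stale whenever the gateway certificate is renewed, here is an added example (not part of the HLRS page or of openfortivpn) that reads an openfortivpn config, ignores commented-out trusted-cert lines, and compares any active pin with the SHA-256 digest of the certificate's DER encoding. The function names, the sample certificate bytes and the all-zero digest are constructed for illustration.

```python
import hashlib
import ssl

def cert_digest(pem: str) -> str:
    """SHA-256 of the DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def active_pins(config_text: str) -> list[str]:
    """trusted-cert values from lines that are not commented out."""
    pins = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "trusted-cert":
            pins.append(value.strip().lower())
    return pins

def check_pin(config_text: str, pem: str) -> str:
    """'no-pin': CA validation alone decides; otherwise 'match' or 'stale-pin'."""
    pins = active_pins(config_text)
    if not pins:
        return "no-pin"
    return "match" if cert_digest(pem) in pins else "stale-pin"

def fetch_gateway_pem(host: str, port: int = 443) -> str:
    """Fetch the presented certificate (needs network, performs no validation,
    so confirm the digest out of band before pinning it). Not called here."""
    return ssl.get_server_certificate((host, port))

# Constructed stand-in bytes, not a real certificate; hashing works the same.
SAMPLE_DER = b"constructed sample bytes standing in for a DER certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

BASE = "host = rmgw.hww.hlrs.de\nport = 443\nusername = your username\n"
CONFIG_COMMENTED = BASE + "# trusted-cert = " + "0" * 64 + "\n"  # pin inactive, as on the page
CONFIG_PINNED = BASE + "trusted-cert = " + cert_digest(SAMPLE_PEM) + "\n"
CONFIG_STALE = BASE + "trusted-cert = " + "0" * 64 + "\n"        # constructed old digest

if __name__ == "__main__":
    for name, cfg in [("commented", CONFIG_COMMENTED), ("pinned", CONFIG_PINNED),
                      ("stale", CONFIG_STALE)]:
        print(name, check_pin(cfg, SAMPLE_PEM))
```

A "stale-pin" result after a certificate renewal means the trusted-cert line should be updated from a digest confirmed through a trusted channel, or removed so that normal CA validation applies.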