BACKGROUND:
* If there is a better newsgroup (or other channel) for this question, please let me know.
* Post contains one ASCII-art diagram, also available via link.
* Links in footnotes @ end of post.
* Apologies if this is tl;dr but the problem seems somewhat complex (at least to me)
SUMMARY: I seek to tunnel an F5 SSL VPN (hard requirement) through an OpenVPN server (apparently required) in order to shell into a compute cluster behind a firewall. I can access the required F5 remote-access website (RAW) through the OpenVPN tunnel, but lose DNS once I activate the F5VPN using the RAW's web GUI. I suspect this is due to a problem with my OpenVPN configuration, since direct access using the F5VPN (unfortunately now disallowed) worked for me in the past; specifically I suspect my OpenVPN server is not enabling my F5VPN client to see/use the DNS server(s) inside the firewall.
How to fix? Alternatively,
* what else do I need to learn/discover before a fix can be applied?
* where else should I go for help?
* is there a better way to do what I need?
DETAILS:
This seems pretty complicated (to me, anyway), and I'm hoping to make whatever I discover available for others, so I'm maintaining my code/configs as project=linode_jumpbox_config[1] and documenting @ that project's wiki[2] (which has a glossary[3] which may clarify terms used below).
The details on what I'm trying to do[4] are hopefully summarized by this ASCII art (web-rendered here[4] in case you're not reading this in monospace):
                                             <-MY CONTROL | AGENCY CONTROLLED->
                                                      firewall
+----------+      +-----------+       +---------------+   |   +---------+
| laptop + |      | linode +  |       | remote-access |   |   | cluster |
| F5NAP +  | <--> | OpenVPN + | <---> | website +     | <-|-> | node(s) |
| OpenVPN  |      | security  |       | F5VPN         |   |   |         |
+----------+      +-----------+       +---------------+   |   +---------+
Both laptop and linode are running Debian, and I configure them. I know almost nothing about what agency=='US EPA'[5] runs, and have even less control. The agency requires me to run an F5NAP=='F5 Network Access Plugin'[6] in order to access the agency's F5VPN which enables access to compute clusters on which I need to do research (I'm a student). In the past I could run the F5NAP directly from my laptop to access the F5VPN[7], but this was recently broken by access-policy change[8].
To accommodate the new policies, I'm trying to tunnel through a linode jumpbox[1], such that the linode satisfies all the new requirements (notably, static IP#[8]). Most of the linode's pre-OpenVPN networking is configured by this bash script[9], which (hopefully) automates this manual procedure[10]. (Details on the entire networking+OpenVPN install+configuration starts here[11], and is mostly automated. The automating scripts[12] unfortunately need more structure and commenting, but should be relatively readable. Questions are welcomed; pull requests even more so.)
My implementation of my design works only for the following sequence (details here[13]), after which it fails:
1. I can start an OpenVPN server on my linode[14] (via SSH from my laptop) apparently successfully.
2. On my laptop, if I browse to (e.g.) http://www.whatismyip.com , I see a "normal" (for my ISP) IP#.
3. I can then start an OpenVPN client on my laptop[15] (in a bash shell/terminal), again apparently successfully.
4. On my laptop, if I browse to http://www.whatismyip.com (using my normal, Debian-packaged browser=Firefox), as expected I now see the IP# of my linode. This is essential, since that IP# is on the agency's whitelist.
5. On my laptop, I can start my F5NAP'ed Firefox[6], and with that browse to http://www.whatismyip.com/ , and still see my linode's IP#.
6. Using the F5NAP'ed Firefox (on my laptop), I can browse to the agency's remote-access website and login normally.
7. Using (from the F5NAP'ed Firefox on my laptop) the web GUI provided (post-authentication) by the remote-access website, I can start the F5VPN, and see status==Connected in the F5VPN UI. This is what I expect from "the good old days" when I could run the F5VPN directly from my laptop[16].
At this point, in "the good old days," I could go to any shell/gnome-terminal on my laptop, utter `ssh fqdn.for.a.cluster.login.node.at.epa.gov`, and get to work. But not now :-(
Currently I am broken at this point in the sequence (details here[17]). Specifically, I lose DNS, which
* (immediately) causes SSH to fail, preventing me from running SSH to any cluster login node (which is the whole point of this exercise).
* (eventually) breaks the OpenVPN tunnel, which means the F5VPN no longer sees the registered/whitelisted IP#, causing it to drop my connection.
How to fix or debug? Complications for debugging/support include:
1. F5 (the agency's VPN vendor) is completely proprietary, and barely supports Linux. My attempts to get support from them have been mostly ignored.
2. The agency barely supports Linux internally, for users. (Of course the scientific-research clusters which we seek to use are *all* Linux, but they're supported by separate contractors who only support the clusters themselves, not access *to* the clusters.) The agency barely *tolerates* Linux for remote access, and especially by non-employees like me. (I'm a student.)
Net: I suspect I can get answers to some direct, specific questions from agency support, but I know (from bitter experience) that I cannot get support if I just say to them (as I am to you now) "this isn't working--what should I do?" I know especially that I cannot get help with anything related to a Linux client: agency client-side support is (AFAICS) *strictly* limited to Windows XP (no lie!)
How to fix this problem? (FWIW, I will document the fix @ project wiki[2], and my effusive praise for anyone who provides any assistance will last ... as long as its git repo does :-) Alternatively,
* what else do I need to learn/discover before a fix can be applied?
* where else should I go for help?
* is there a better way to do what I need?
If feasible, please reply to me as well as to the group, and thanks in advance! Tom Roche <Tom_...@pobox.com>
[1]: https://bitbucket.org/tlroche/linode_jumpbox_config
[2]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home
[3]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-glossary
[4]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-intended-solution
[5]: http://www.epa.gov/ , part of the US Federal government.
[6]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5nap
[7]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5vpn-only-access
[8]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-aug-2014-policy-change
[9]: https://bitbucket.org/tlroche/linode_jumpbox_config/raw/HEAD/scripts/OpenVPN_install_server.sh
[10]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-network-configuration
[11]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-id6
[12]: https://bitbucket.org/tlroche/linode_jumpbox_config/src/HEAD/scripts/?at=master
[13]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-dns-problem
[14]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-test-server-startup
[15]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-client-test
[16]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5vpn-only-access
[17]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-dns-breakage
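Added example, not from the post above nor from the linode_jumpbox_config project: a small diagnostic for the "DNS disappears once the second VPN comes up" symptom described in steps 7 and following. It takes the text of /etc/resolv.conf and the output of `ip -4 route show` on the laptop and reports, by longest-prefix match, which interface the kernel would use to reach each nameserver and to reach the OpenVPN server's public address. The interface names (tun0 for the OpenVPN client, ppp0 for the F5 client), every address, and the three sample route tables are constructed assumptions, not captured from the author's machines; the rule that an RFC 1918 resolver should exit via the F5 tunnel is likewise an assumption about where the agency's DNS lives.

```python
"""Resolver/route diagnostic for a laptop running two tunnels (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: Optional[str]
    via: Optional[str]


def parse_routes(route_text: str) -> list:
    """Parse `ip -4 route show` output, one route per line."""
    routes = []
    for line in route_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        # A bare address such as 203.0.113.10 is a host route (/32).
        prefix = ipaddress.ip_network(dst, strict=False)
        dev = via = None
        for i in range(1, len(fields) - 1):
            if fields[i] == "dev":
                dev = fields[i + 1]
            elif fields[i] == "via":
                via = fields[i + 1]
        routes.append(Route(prefix, dev, via))
    return routes


def lookup(routes: list, addr: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel does within one routing table."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in routes:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def nameservers(resolv_conf: str) -> list:
    """Return the nameserver addresses listed in resolv.conf text."""
    found = []
    for line in resolv_conf.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            found.append(fields[1])
    return found


def diagnose(resolv_conf: str, route_text: str, openvpn_server: str,
             f5_dev: str = "ppp0", openvpn_dev: str = "tun0") -> dict:
    """Map each resolver and the OpenVPN endpoint to its egress interface.

    Flags (a) an RFC 1918 resolver, assumed to be the agency's internal DNS,
    that is not routed through the F5 tunnel, so its queries go up the
    OpenVPN tunnel to the linode instead; and (b) the OpenVPN server's own
    address routed into either tunnel, which loops the tunnel's transport
    traffic into itself and eventually breaks the OpenVPN session.
    """
    routes = parse_routes(route_text)
    report = {"nameservers": {}, "openvpn_endpoint_dev": None, "problems": []}
    for ns in nameservers(resolv_conf):
        r = lookup(routes, ns)
        dev = r.dev if r else None
        report["nameservers"][ns] = dev
        if ipaddress.ip_address(ns).is_private and dev != f5_dev:
            report["problems"].append(f"private resolver {ns} routed via {dev}, not via {f5_dev}")
    r = lookup(routes, openvpn_server)
    dev = r.dev if r else None
    report["openvpn_endpoint_dev"] = dev
    if dev in (f5_dev, openvpn_dev):
        report["problems"].append(f"OpenVPN endpoint {openvpn_server} routed via {dev}: tunnel loop")
    elif dev is None:
        report["problems"].append(f"no route to OpenVPN endpoint {openvpn_server}")
    return report


# Constructed sample data (assumptions, not captured from the author's machines).
OPENVPN_SERVER = "203.0.113.10"                # assumed public address of the linode
RESOLV_AFTER_F5 = "nameserver 10.20.30.40\n"   # assumed resolver installed by the F5 client

# OpenVPN client up (redirect-gateway def1 halves via tun0 plus the host route
# that keeps the linode reachable directly); F5 tunnel up but carrying only its
# own gateway /32, so the resolver falls through to the OpenVPN tunnel.
ROUTES_BROKEN = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev wlan0
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
10.99.0.1 dev ppp0 proto kernel scope link src 10.99.0.7
"""
# Same table plus a route that covers the resolver through the F5 tunnel.
ROUTES_FIXED = ROUTES_BROKEN + "10.0.0.0/8 via 10.99.0.1 dev ppp0\n"
# Same as the broken table but with the linode host route missing.
ROUTES_LOOP = ROUTES_BROKEN.replace("203.0.113.10 via 192.168.1.1 dev wlan0\n", "")


if __name__ == "__main__":
    for label, table in (("broken", ROUTES_BROKEN), ("fixed", ROUTES_FIXED), ("loop", ROUTES_LOOP)):
        print(label, diagnose(RESOLV_AFTER_F5, table, OPENVPN_SERVER))
```

To run it against the real laptop, feed `diagnose()` the contents of /etc/resolv.conf and the output of `ip -4 route show`, captured both before and after clicking Connect in the F5 GUI, with the linode's public address as the third argument; comparing the two reports shows whether the F5 client replaced the resolver, whether that resolver is reachable through ppp0 rather than tun0, and whether the host route to the linode survived. The dataclass/longest-prefix code is deliberately plain Python 3 with no third-party dependencies so it can run on the Debian laptop as-is.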