[TriLUG] linode, VPN, SSH

Tom Roche Tom_Roche at pobox.com
Wed Aug 27 16:36:24 EDT 2014


My VPN experience is limited, and my linode experience is zero, so I'd appreciate some bullshit detection on the following proposal, particularly

1. regarding where to run the VPN
2. whether any of the following sounds un-doable on a linode
3. .ssh/config advice (more below)

As previously noted[1], I now need to VPN into a federal research cluster from a static IP#. However I have always needed to VPN in: what's new is the static-IP requirement. (Previously I have VPNed in from anywhere, from whatever IP# the ISP gave me.) Furthermore, I have always been required to use the @#$%^&! F5 SSL VPN, which runs userside as a browser plugin (the NAP or "Network Access Plugin")[2], and which is only supported on linux for 32-bit firefox :-( Basically one installs the F5 NAP once, then (for each session) browses to the agency's magic remote-access URI and authenticates, which starts the VPN.

Once I make the VPN connection, everything else I do is SSH to the linux clusters[3]. So ISTM (but I'm asking) I could meet the static IP requirement with the following plan:

1. Standup a linode jumpbox
1.1. with a static IP# (for the security police) which I believe is default.
1.2. with a minimal distro supporting SSH and multiarch (for 32-bit firefox on a 64-bit host)
1.3. configured to accept incoming HTTP/S and SSH, which I believe is default.
1.4. .ssh/config'ed to support target-side tunneling (more below).

2. Install the F5 NAP on the linode.
2.1. Install a 32-bit firefox. Unfortunately support at linode.com says they do not support 32-bit guests, but I can presumably use this kludge[4] that has worked for me on my home 64-bit boxes.
2.2. Install the F5 NAP on the 32-bit firefox.

3. For each work session:
3.1. SSH from my workstation to the linode, starting firefox if it's not already up on the linode.
3.2. Authenticate to the agency's magic remote-access URI from the linode's firefox, opening a VPN connection from the linode to the target LAN.
3.3. Open an SSH session from the workstation to the target host via the linode.

My first question is: I want to run the VPN on the linode/jumpbox, *not* my workstation, correct? because

* the agency's magic remote-access URI will presumably be configured to only accept connections from the linode's static IP#.
* F5 NAP "does not work with a proxy server"[5], so I couldn't tell it to run from the workstation via the linode.

My second question is: will linode.com likely prevent me from doing any of the above? Is there anything fundamentally undoable?

The final step raises my third question: is a double tunnel substantially different from a single tunnel .ssh/config-wise? (Why I ask: given the F5 NAP's declared proxy-hostility[5], I have always configured access to the target hosts via .ssh/config rather than via SOCKS.) Currently--i.e., minus the jumpbox--SSHing from my DHCP-ing workstation to a target host (happiness.federal.gov below) requires tunneling through a bastion (gateway.federal.gov below). Hence my workstation:.ssh/config currently has many stanzas like

Host happiness.federal.gov happiness h
     ProxyCommand ssh federal-me@gateway.federal.gov "nc %h %p" 2>/dev/null
     HostName happiness.federal.gov
     Port 22
     User federal-me
     ForwardX11 yes
     ForwardX11Trusted yes

(Note that I am id=federal-me on both the target and the gateway.) I'm guessing that, to double-tunnel through both the jumpbox (aka my.linode.com) and the gateway (gateway.federal.gov), I'll need only to

1. Copy SSH keys
1.1. from the workstation to the linode.
1.2. to/from the linode and all the target gateways and hosts to which it must connect.
2. Copy currently-working stanzas like the above from workstation:.ssh/config to my.linode.com:.ssh/config
3. Edit my current workstation stanzas to be like

 Host happiness.federal.gov happiness h
-     ProxyCommand ssh federal-me at gateway.federal.gov "nc %h %p" 2>/dev/null
+     ProxyCommand ssh linode-me at my.linode.com "nc %h %p" 2>/dev/null
      HostName happiness.federal.gov
      Port 22
      User federal-me
      ForwardX11 yes
      ForwardX11Trusted yes
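Review bot: with this ProxyCommand the jumpbox runs `nc happiness.federal.gov 22`, a direct TCP connection from my.linode.com, so the gateway stanza copied to my.linode.com:.ssh/config in step 2 is never consulted and the bastion hop is skipped; since the current stanza shows the target is only reachable through gateway.federal.gov, the new one will fail to connect. Chain the hops instead, e.g. `ProxyCommand ssh linode-me@my.linode.com ssh -W %h:%p federal-me@gateway.federal.gov`, or give the gateway its own stanza with `ProxyCommand ssh -W %h:%p linode-me@my.linode.com` and point this stanza at it; either way the workstation authenticates to every hop itself, which also removes the need in step 1 to copy private keys onto the linode. The `2>/dev/null` hides the inner ssh's errors, which makes exactly this kind of failure hard to diagnose, so drop it at least until the chain works.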

Am I missing something?

your assistance is appreciated, Tom Roche <Tom_Roche at pobox.com>

[1]: Details @ http://www.trilug.org/pipermail/trilug/Week-of-Mon-20140825/072092.html
[2]: http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm_compatibility_matrix_10_2_1.html
[3]: Not *quite* true: very occasionally I have needed to access an intranet-only website, but I haven't had to do that for at least a year.
[4]: https://support.mozilla.org/en-US/questions/931873#answer-352504
[5]: Search for that string in [2].
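The double tunnel asked about above, written out as an added example (not code from the original post or from the TriLUG thread): ssh_config stanzas for workstation -> linode jumpbox -> agency gateway -> target, chained with `ssh -W` so that each hop's TCP stream is relayed by the previous hop's sshd and the workstation authenticates to every hop itself. The host and user names are the post's (my.linode.com / linode-me, gateway.federal.gov and happiness.federal.gov / federal-me); the key file names and the sshd_config lines are assumptions, and the example assumes the jumpbox's VPN is up and routes to the gateway without dropping the workstation's own session to the jumpbox. The `hop_count` helper walks the generated config to confirm the chain, without needing ssh installed.

```shell
#!/bin/sh
# Added example, not from the original post. Hostnames and users follow the
# post; key paths and sshd settings are assumed.

# Stanzas for the workstation's ~/.ssh/config.
workstation_ssh_config() {
    cat <<'EOF'
# Hop 1: the jumpbox with the static address, reached directly.
Host jump my.linode.com
    HostName my.linode.com
    User linode-me
    IdentityFile ~/.ssh/id_ed25519_linode
    IdentitiesOnly yes

# Hop 2: the agency bastion. "ssh -W" asks the jumpbox's sshd to open a plain
# TCP connection to gateway:22 (over the VPN the jumpbox has up) and relay it
# on stdin/stdout; the outer ssh then authenticates to the gateway itself, so
# no private key needs to live on the jumpbox.
Host gateway gateway.federal.gov
    HostName gateway.federal.gov
    User federal-me
    IdentityFile ~/.ssh/id_ed25519_federal
    IdentitiesOnly yes
    ProxyCommand ssh -W %h:%p jump

# Hop 3: the target. Same trick one level up: the gateway relays to the target.
Host happiness h happiness.federal.gov
    HostName happiness.federal.gov
    User federal-me
    IdentityFile ~/.ssh/id_ed25519_federal
    IdentitiesOnly yes
    ProxyCommand ssh -W %h:%p gateway
    ForwardX11 yes
EOF
}

# The jumpbox needs no ~/.ssh/config and no private keys for this chain; its
# sshd only has to allow TCP forwarding (the OpenSSH default). Assumed
# hardening for an internet-facing host with a fixed address.
jumpbox_sshd_requirements() {
    cat <<'EOF'
AllowTcpForwarding yes
PasswordAuthentication no
PermitRootLogin no
EOF
}

# Write the stanzas to $1/config with the 0600/0700 permissions ssh insists on.
# Prints the path written.
install_ssh_config() {
    dir=$1
    ( umask 077; mkdir -p "$dir"; workstation_ssh_config > "$dir/config" )
    echo "$dir/config"
}

# Count the hops a connection to alias $1 traverses by following the
# "ProxyCommand ssh -W %h:%p <next>" lines in the generated config.
# Pure text walk; ssh is not invoked.
hop_count() {
    target=$1
    n=0
    cfg=$(workstation_ssh_config)
    while [ -n "$target" ]; do
        n=$((n + 1))
        target=$(printf '%s\n' "$cfg" | awk -v h="$target" '
            /^Host / { inblk = 0; for (i = 2; i <= NF; i++) if ($i == h) inblk = 1 }
            inblk && $1 == "ProxyCommand" { print $NF; exit }')
    done
    echo "$n"
}

# Demo when run directly: print the stanzas and the chain length to the target.
if [ "${1:-}" = "--show" ]; then
    workstation_ssh_config
    echo "hops to happiness: $(hop_count happiness)"
fi
```

On OpenSSH 7.3 and later the two ProxyCommand lines collapse into `ProxyJump jump,gateway` on the target stanza; the `-W` form is what works on the 2014-era clients the post is about. The example deliberately omits `ForwardX11Trusted yes`: with it, X clients on the target get full access to the workstation's X display, so leave it off unless an application actually needs it.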


More information about the TriLUG mailing list