Remote access to on campus restricted resources

Accessing campus resources with sshuttle

sshuttle is an alternative to using the ROAMS VPN. It requires you to have a valid Robarts account, i.e. a CBS account. The software that makes this possible can only be installed on MacOS and Linux. Windows users will have to use a Docker container (search Docker Hub for one) or set up a VM using Vagrant.

Setup

  1. Check whether your Robarts account and password are valid by signing in to the Robarts Outlook server.

  2. Install sshuttle

Usage

  1. To provide Western ROAMS-like functionality:

    sudo sshuttle --remote my_robarts_username@login.imaging.robarts.ca --exclude=129.100.47.224/27 129.100.0.0/16 
    

    This will forward all connections to IP addresses beginning with 129.100 via login.imaging.robarts.ca. The 129.100.47.224/27 network is the Robarts DMZ; all services on those systems are reachable directly and do not require sshuttle. Some campus resources might have a different IP address, e.g. in the private 172.16.0.0/12 range. If needed, you can add more IP ranges in CIDR notation to the end of the above command.

    The command will run until you quit it with your platform’s termination shortcut, e.g. ctrl-c.

    To avoid having to type a password and verification code, you are strongly encouraged to use an ssh public/private key pair to authenticate. Ensure that you use a strong passphrase when creating the key pair, and use a password manager to automate the passphrase lookup.

  2. If you need to access online resources via Western library’s off-campus proxy, you’ll need to add an exclusion for the library’s login server, login.proxy1.lib.uwo.ca. Otherwise the proxy will decide you’re on campus, because your request arrives via login.imaging.robarts.ca, and will not allow you to use it.

    sudo sshuttle --remote my_robarts_username@login.imaging.robarts.ca --exclude=129.100.58.76 --exclude=129.100.47.224/27 129.100.0.0/16
    

Accessing campus resources with ssh ProxyJump option

This is an alternative to using the ROAMS VPN. It allows you to log in to a campus server via SSH, and/or copy files from [CFMM data shares](Storage and backups) using rsync or scp (secure copy). It requires you to have a valid Robarts account and an SSH client such as OpenSSH. Generally sshuttle is the more convenient solution, but if it is not available these methods provide a subset of its features.

Setup

  1. Check whether your Robarts account and password are valid by signing in to the Robarts Outlook server.

  2. Ensure you have ssh, scp and rsync commands available, and install them if they are absent.

  • MacOS and Linux: all commands should be available out of the box
  • Windows: follow the Windows 10 OpenSSH install instructions.

Usage

If your Western and Robarts accounts/passwords are different, ensure you’re using the appropriate usernames and entering the appropriate passwords when prompted.

  • To log in to a server using ssh:

    ssh -J ROBARTS_user@login.imaging.robarts.ca UWO_user@waltz3.imaging.robarts.ca
    
  • To copy a directory using secure copy scp:

    scp -r -o 'ProxyJump ROBARTS_user@login.imaging.robarts.ca' UWO_user@hubel1.imaging.robarts.ca:/source/directory /path/to/local/destination/directory
    
  • To copy a directory using rsync:

    rsync --progress --recursive -e "ssh -J ROBARTS_user@login.imaging.robarts.ca" UWO_user@hubel1.imaging.robarts.ca:/source/directory /path/to/local/destination/directory
    

Off-campus access on Windows

This allows you to access a firewalled on-campus network device (e.g. a 3D printer) from off-campus, on Windows.

Prerequisites

  • A valid/active Robarts username

Installation

  • Download and install ProxyCap.
    • NOTE: This is not free software. After a 30-day trial period, you’ll need to purchase a licence.

Configuration

  1. Configure proxy (Ruleset -> Proxies, click on “New Proxy Server” button).

    • Display name: Robarts
    • Type: SSH
    • Hostname: ssh.imaging.robarts.ca
    • Port: 22
    • [x] Check ‘Proxy requires authentication’
    • Username/password: Use Robarts credentials (without @robarts.ca)
  2. Configure rule (Ruleset -> Rules, click on ‘Quick Add rule’ button)

    • Rule action: Redirect through proxy
    • Destination port range: Not restricted
    • Proxy: Robarts
    • Destination IP Range: Specify. Enter IP address of network device (e.g. 172.18.1.1) and 32 for mask.
    • Program: Specify, select application/software which is connecting to the device
    • Rule name: e.g. 3D Printer

    Note: This will tunnel connections via SSH only for a particular network device and a particular application. You can use this more generally by not restricting the rule to a specific program, or by choosing a wider IP range, e.g. 129.100.0.0 with a mask of 16.