Basic Linux notes

On Windows, your options are fairly limited, so it’s easy to write a “one size fits all” howto for VPN and remote access. On Linux, there are several ways to do things. So I’m just making notes as to what I’ve tried out.

N.B. I use Debian at home and on my desktop, rather than Mint. Some stuff might be slightly different from what I describe here.

VPN

GlobalProtect

Lots of people have had trouble with the “official” GlobalProtect VPN package for Linux. It makes edits to the central bash “profile” files and, in at least one case I’ve seen, these changes have completely prevented someone from logging into their laptop. As such, I’ve not risked testing it out at home.

OpenConnect

Laurence Tyler mentioned the existence of “openconnect”. This VPN client is present in the standard Debian & Mint repositories. There’s a NetworkManager plugin, but I’ve not tested that (I don’t use NetworkManager at home).

After some feedback from folks, I’ve discovered that the version of openconnect that comes with Linux Mint 19.1 (not tested others) is too old and doesn’t support GlobalProtect. I’ve compiled the version that comes with recent Debian builds, and that seems to work. So…

If your repository contains openconnect 8.0.0 or above, you can just install and use it.

If you’re on Mint 19, install openconnect from the standard repository (to get its dependencies) then download my packages of libopenconnect5 and openconnect. Next, open a terminal and install them. Assuming you’ve downloaded them to your Downloads folder, you can do:

cd ~/Downloads
sudo dpkg --install libopenconnect5_8.02-1+deb10u1_amd64.deb openconnect_8.02-1+deb10u1_amd64.deb

As for actually connecting, here’s what works for me.

sudo openconnect --user=auj --protocol=gp pa-vpn.aber.ac.uk

The client asks for my “one time password” (from Google Authenticator) and, once I’ve entered that, the VPN connection just works. To close the connection down, I just hit Ctrl-C to kill the program.

N.B. The VPN, by default, will become your default route. This means that if you have the VPN running and decide to watch a YouTube video on your home PC, the resulting traffic will go in and out of Aber’s network. Possibly not ideal. If you’re feeling adventurous, you can use openconnect’s --script option to handle routing differently.
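One way to use --script for this, as an added example rather than something from the original notes: a wrapper that sets the CISCO_SPLIT_INC_* variables the stock vpnc-script reads, so only the listed networks are routed through the VPN. The networks are constructed placeholders and the vpnc-script path is the assumed Debian/Mint location.

```shell
#!/bin/sh
# Added example: split-routing wrapper for "openconnect --script".
# SPLIT_NETS holds constructed placeholder networks (RFC 5737 ranges);
# replace them with the campus networks you actually need to reach.
SPLIT_NETS="192.0.2.0/24 198.51.100.0/24"
# Assumed Debian/Mint location of the stock script (package vpnc-scripts).
VPNC_SCRIPT=/usr/share/vpnc-scripts/vpnc-script

# Convert a prefix length (0-32) to a dotted netmask, e.g. 24 -> 255.255.255.0
cidr_to_mask() {
    bits=$1 mask="" k=0
    while [ "$k" -lt 4 ]; do
        if [ "$bits" -ge 8 ]; then
            octet=255; bits=$((bits - 8))
        else
            octet=$(( 256 - (256 >> bits) )); bits=0
        fi
        mask="${mask}${mask:+.}${octet}"
        k=$((k + 1))
    done
    echo "$mask"
}

# Export the CISCO_SPLIT_INC_* variables that vpnc-script reads. When they
# are set it adds only these routes and leaves the default route alone.
set_split_env() {
    n=0
    for net in $SPLIT_NETS; do
        plen=${net#*/}
        export "CISCO_SPLIT_INC_${n}_ADDR=${net%/*}"
        export "CISCO_SPLIT_INC_${n}_MASK=$(cidr_to_mask "$plen")"
        export "CISCO_SPLIT_INC_${n}_MASKLEN=$plen"
        n=$((n + 1))
    done
    export CISCO_SPLIT_INC="$n"
}

# openconnect sets $reason (connect, disconnect, ...) when it calls the script.
if [ -n "${reason:-}" ]; then
    set_split_env
    exec "$VPNC_SCRIPT"
fi
```

Saved somewhere such as /usr/local/sbin/aber-split-route (a hypothetical path) and made executable, it is passed as --script=/usr/local/sbin/aber-split-route on the openconnect command line shown above. DNS settings pushed by the VPN are still applied by vpnc-script.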

Remote access

Remote wake

If your work machine is configured to suspend when not in use, you may need to wake it before you can connect to it. If your machine is on the Computer Science network, you should visit wol.dcs.aber.ac.uk to wake it. If your machine is on an IS network (most Physics/Maths machines) you should visit myaccount.aber.ac.uk/protected/paws to wake it.

SSH access

Our standard Mint desktop build includes an ssh server. If you have a working VPN connection, you should be able to ssh into your machine.

Remote access to a running session

If you are currently logged in on the console and you want to connect to that already-running session from home, I’d recommend that you use VNC.

N.B. When connected to a running session like this, anything you do will be visible on the physical screen that’s attached to your PC in your office. This could represent a security risk, especially in open plan offices.

Remote access to a new session

This takes a bit more setting up, but has the advantage that you do not need to be logged in at work. You can also tailor the remote session resolution to the size of the screen you use at home.

I’ve tried four approaches.

VNC session launched directly from lightdm

This gives you a login screen that you can connect to using vncviewer (as above). When you log in, you get a normal desktop session. When you disconnect, the session gets logged out. To enable this:

On your work machine, apt-get install tigervnc-standalone-server and edit /etc/lightdm/lightdm.conf to include the following lines:

[VNCServer]
enabled=true
port=5900
command=/usr/bin/Xvnc -SecurityTypes None
width=1280
height=1024
depth=24

You can change the “width=” and “height=” lines as you prefer. Restart lightdm: systemctl restart lightdm

You should now be able to connect VNCViewer to display :0 on your work PC (see the section above for more details).

The disadvantage of this approach is that you will be logged out if you disconnect from the session. I imagine most people won’t like that.

VNC session launched from xinetd

This gives you a login screen that you can connect to using vncviewer (as above). When you log in, you get a normal desktop session. When you disconnect, the session persists. N.B. This option should never be exposed directly to the network - since the session persists and is not password protected, if you expose it to the network, anyone can take over your desktop. Tunnelling via SSH should be safe.

On your work machine, apt-get install xinetd tigervnc-standalone-server and edit /etc/lightdm/lightdm.conf to include the following lines:

[XDMCPServer]
enabled=true
port=177
listen-address=localhost

Create /etc/xinetd.d/Xvnc with the following content:

service xvnc_1
{
    type = UNLISTED
    disable = no
    protocol = tcp
    socket_type = stream
    bind = 127.0.0.1
    port = 5900
    wait = yes
    user = root
    server = /usr/bin/Xvnc
    server_args = :1 -inetd -query localhost -geometry 1600x1200 -depth 24 -once -fp /usr/share/fonts/X11/misc -DisconnectClients=0 -NeverShared -SecurityTypes None
}

You can change the “-geometry” option to use a different resolution if you prefer.

Now restart xinetd and lightdm: systemctl restart xinetd lightdm

You should now be able to connect VNCViewer to display :0 on your work PC (see the section above for more details).
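A check for the "never exposed directly to the network" rule above, as an added example that is not part of the original notes: it reads `ss -H -ltun` output and reports any VNC (tcp/5900) or XDMCP (udp/177) socket that is not bound to loopback. The sample socket lines are constructed, and the host in the SSH tunnel comment is a placeholder.

```shell
#!/bin/sh
# Added example: flag VNC (tcp/5900) or XDMCP (udp/177) sockets that listen
# on anything other than loopback. Input is `ss -H -ltun` output on stdin.
exposed_listeners() {
    awk '{
        ep = $5                                  # Local Address:Port column
        port = ep; sub(/.*:/, "", port)
        addr = ep; sub(/:[^:]*$/, "", addr)
        watched = ($1 == "tcp" && port == "5900") || ($1 == "udp" && port == "177")
        loopback = (addr ~ /^127\./ || addr == "[::1]")
        if (watched && !loopback) print $1, ep
    }'
}

# Constructed sample: the xinetd/lightdm settings above (loopback only),
# plus one XDMCP socket left listening on every interface.
SAMPLE_SS='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 5 127.0.0.1:5900 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:177 0.0.0.0:*
udp UNCONN 0 0 *:177 *:*'

printf '%s\n' "$SAMPLE_SS" | exposed_listeners    # prints: udp *:177

# On the work machine:   ss -H -ltun | exposed_listeners
# From home, reach the loopback-only VNC port through SSH (placeholder host):
#   ssh -L 5900:localhost:5900 auj@<work-pc>
#   vncviewer localhost:0
```

No output from the real `ss` pipeline means both services are reachable only from the machine itself, which is what the bind = 127.0.0.1 and listen-address=localhost settings are meant to guarantee.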

Windows remote desktop

This one could be the nicest option:

However, I found it very unreliable at the client side - both rdesktop and xfreerdp randomly crashed when talking to the server. After a bit of testing, I decided it just wasn’t stable enough. Your mileage may vary!

Just install xrdp: apt-get install xrdp

You should then (via VPN) be able to connect to your PC using remote desktop software. The first time you connect, you’ll get a login screen. If you reconnect to a session, it’ll work. The desktop can be resized (or, at least, it will start to match the size of your remote desktop window).

Xpra

Xpra takes a very different approach: tunnelling individual windows.

I’m not going to go into it in detail because, while it does its job very well, I don’t think most people are going to find it particularly useful for home working. This is just a placeholder to point out the option, should anyone be looking for it.

Microsoft Teams

Rudi suggested I point out that Microsoft Teams is available for Linux.

This is a team working tool which, amongst other things, will be the successor to Skype for Business. Unlike Skype, there is a version for Linux.

I’ve done a bit of testing on my work desktop and, in general, things worked. I did have trouble with getting audio from my analogue microphone though (USB mic worked fine). Since I’m not all that enamoured with using computers as phones in any case, I then tried installing the Android app on my phone. That seems to work perfectly - Sandy, Dave and I had a three way video call this morning.

Central filestore

Connecting to network filestore on Linux is a problem. Not in terms of whether it can be done, but in terms of describing how to do it. In the GUI, the method will depend on the distro, desktop and file manager you’re using and, to an extent, even the versions of those. I’m afraid I’m going to cop out and not even try to describe how to connect from the GUI. I’ll give very basic details of the connections, but that’s all.

Personally, I’d recommend using the sshfs method where possible. This probably has the fewest pitfalls and also avoids needing a working VPN connection.

Connecting via sshfs

sshfs is present in the standard repositories on most distros. You’ll need to install it before you can use this method.

sshfs uses the sftp protocol (part of ssh) to mount filestore from a remote server. Since it only relies on ssh, you can use it without needing to bring up the VPN.

You can use sshfs (to shellsrv.dcs.aber.ac.uk) to connect to any filestore that’s mounted on that machine. This includes your personal space provided by IS (M: drive), IMPACS (P: drive) and, if you have any, your DCS filestore.

Obviously the location you choose to mount the filestore is entirely up to you. As an example, I’ll assume you’ve created a folder called “aber” and, inside it, folders named “IS”, “IMPACS” and “DCS”.

Just to show the directory structure I’ve set up at home:

$ pwd
/home/auj/aber
$ ls
DCS  IMPACS  IS

Mounting the filestores - you might not have a “dcs” filestore - just mount the ones you want. Note also the trailing slashes on the paths. This is certainly needed for /aber/auj/, and can do no harm for the others:

$ sshfs auj@shellsrv.dcs.aber.ac.uk:/aber/auj/ IS
$ sshfs auj@shellsrv.dcs.aber.ac.uk:/impacs/auj/ IMPACS
$ sshfs auj@shellsrv.dcs.aber.ac.uk:/dcs/auj/ DCS

Demonstrating it works - I can now see my (somewhat minimal) IS filestore:

$ ls -l IS
total 456
drwxr-xr-x 1 6001 6001   4096 Nov  6  2018 cgi-bin
drwxr-xr-x 1 6001 6001   4096 Jun 12  2019 public_html
-rw------- 1 6001 6001 456448 Mar 24 09:11 redirect.log

To unmount the filestore, you should use the “fusermount” command:

$ fusermount -u IS
$ fusermount -u IMPACS
$ fusermount -u DCS

Connecting via a “cifs” mount

This would be my second-place recommendation. It’s slightly more flexible because you can use it to connect to any network share to which you have access in Aber.

However, it’s a bit more complicated because…

CIFS is present in the standard repositories on most distros. You’ll need to install it before you can use this method.

As with sshfs, I will assume you’ve created a directory named “aber”, into which you’ll create subdirectories for your various mounts, and have changed directory into “aber”. I’ll give example commands for the commonly used shares within IMPACS. You’ll need to substitute in your own username wherever you see “auj” in the commands below.

IS Central filestore (M:)

$ mkdir IS # if it doesn't already exist
$ sudo mount -t cifs -o username=auj,domain=PAU,uid=$USER //smb1.aber.ac.uk/auj IS

IMPACS personal filestore (P:)

$ mkdir IMPACS # if it doesn't already exist
$ sudo mount -t cifs -o username=auj,domain=IMAPS,uid=$USER //homefs.imaps.aber.ac.uk/auj IMPACS

DCS personal filestore

$ mkdir DCS # if it doesn't already exist
$ sudo mount -t cifs -o username=auj,domain=IMAPS,uid=$USER //filesrv3.dcs.aber.ac.uk/auj DCS

HomeFS groupspaces

$ mkdir homefs_groupspaces # if it doesn't already exist
$ sudo mount -t cifs -o username=auj,domain=IMAPS,uid=$USER //homefs.imaps.aber.ac.uk/groupspaces homefs_groupspaces

Disconnecting

To disconnect from a share, you should use e.g.:

$ sudo umount IMPACS

Through a GUI

You need to find the dialogue, in your file manager software, which allows you to connect to Windows (or SMB or Samba) network filestore. Depending on your software, you may be asked to enter connection details in various ways. As above, I’ll use “auj” as the username for these examples. Please change as appropriate!

IS personal filestore (M:)

IMPACS personal filestore (P:)

DCS personal filestore

HomeFS groupspaces