Requests for Client Access to the River System Network

A project to provide VPN access to the River System Raspberry Pis to allow WMT Volunteers and Staff to log in from home. Triggered by the COVID19 lockdown
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Requests for Client Access to the River System Network

Post by TerryJC »

Please place all requests for Client Certs in this Topic (non WMT Staff and Volunteers need not apply :D ). Please include the platform that you wish to use (iOS or Linux) and I will then send you a Cert Pack for installation on your machine. Instructions for installation on Linux may be found here viewtopic.php?p=3590#p3590 and for iOS on the GitHub page at https://github.com/gitbls/pistrong/blob ... stallation.

The instructions for installing a Linux Client Cert Pack will also be in the Installation Spec which I expect to publish shortly. I have no experience of installing an iOS Cert Pack so have simply left the reference to the author's GitLab Repository in the document.
Terry
hamishmb
Posts: 1891
Joined: 16/05/2017, 16:41

Re: Requests for Client Access to the River System Network

Post by hamishmb »

Requesting a Client Cert for Linux :ugeek: :)
Hamish
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Re: Requests for Client Access to the River System Network

Post by TerryJC »

I should have mentioned (I did in the Server Installation Topic) that I can't do this until I know the WAN Address of the WMT Router (and Penri has obtained a DDNS Account).

If all goes well, it will be sometime next week.
Terry
PatrickW
Posts: 146
Joined: 25/11/2019, 13:34

Re: Requests for Client Access to the River System Network

Post by PatrickW »

I suppose I should request a Client Cert for Linux.
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Re: Requests for Client Access to the River System Network

Post by TerryJC »

Patrick,

I've had a few problems creating this. I thought I'd used the exact procedure that I used back in July when I created the User Certs for myself and Hamish, but the Cert Pack doesn't appear in the target directory. Presumably when I documented this I left something out, but it's really weird; if I list users you are there, but I can't find the pack.

I'll be contacting the developer of PiStrong to see if he can shed any light on this and will send you the Cert Pack as soon as I can.

I will then update the documentation. :oops:
Terry
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Re: Requests for Client Access to the River System Network

Post by TerryJC »

OK. Here's a Sitrep on this. The PiStrong developer gave me a specially crafted debug version of PiStrong to try to find out why the Cert Packs weren't being written. As it happened, the results didn't provide any insights, but a Cert Pack was produced, which I duly sent to Patrick.

After some communications issues (I left a key link out of my email), Patrick managed to run the install script. Unfortunately it didn't work and when he investigated he found that there was a file missing from the Cert Pack. I have checked this and can confirm that the Packs that we all used back in early July possess this file so the special script only partially worked. :(

I'm 99% sure that the original generation of the Cert Packs for Penri, Hamish and myself were all done on the VPN hardware before Penri installed it on site. In other words they were created with me logged in to the server with a keyboard and monitor and not logged in over VPN as I've been doing for Patrick's Cert Pack. I suggested that this might be an issue to the PiStrong developer but he said that he didn't think so. However, he is the PiStrong developer not the strongSwan developer so he may be wrong. It would probably not be a good idea to allow the VPN Server to generate Certs for security reasons and it may be that strongSwan prevents it.

If that is the case then I may be a bit stymied. At the moment, I don't have a VPN setup here and it would take me a while to reconfigure it. Even then, I don't know how sensitive strongSwan is likely to be to the hardware it is running on. The Certs generated by my local server, may well be perfectly valid but incompatible with the server on site. It will take me a while to check this out. Before I do that I'll see what the PiStrong developer makes of all this.

I'll report back when I have some progress.
Terry
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Re: Requests for Client Access to the River System Network

Post by TerryJC »

After the developer pointed out my deliberate mistake when typing in the 'pistrong add <user>' command, Patrick now has a working connection. My mistake was caused when I tried to use the updated Installation Spec to copy the command. In that, I'd hidden all the important security sensitive stuff and in so doing introduced a mistake... :cry:

Anyway two good things came out of this whole sorry story; I discovered the mistake in my Spec and the developer of PiStrong discovered a couple of bugs in his error trapping code.

All's well that ends well I suppose.

Special thanks go to Patrick for being instrumental, at least in part, in sorting this out.
Terry
hamishmb
Posts: 1891
Joined: 16/05/2017, 16:41

Re: Requests for Client Access to the River System Network

Post by hamishmb »

Glad you figured it out :) All's well that ends well I guess - more bugs fixed is always good.
Hamish