2.6) Experiment Access Workflow

On Linux:

Use openvpn.  Linux is by far the recommended platform from which to access AERPAW.  In our experience, the VPN connection from Linux is stable.  Most of our testing was with openvpn 2.4.4 running on Ubuntu 18.04 .   The further instructions below assume this combination.

NOTE: openvpn Version 3 will NOT work - it drops support for Layer-3 VPNs.  Please make sure to use openvpn Version 2.

Use sudo apt-get install openvpn if you do not already have it installed.   

Running the software:  Provide the OVPN profile file you have saved above, by running the following at a command prompt (e.g. terminal window):

sudo openvpn --config aerpaw_exp.ovpn

This will create a new logical network interface, likely named tap0 or similar, in your OS.  You can check on this with:

ifconfig -a

The interface is created in a DOWN state, and Linux does not automatically request a Layer-3 address on it.  This requires two further commands to be executed:

sudo ifconfig tap0 up

sudo dhclient tap0 -v

On Mac OS:

Use Tunnelblick.  This free software can be downloaded from https://tunnelblick.net/downloads.html ; we have tested connectivity using the 3.8.6a stable build, on MacOS 10.15.7 .  Generally the connection provided by Tunnelblick appears to consistently work correctly with AERPAW's openvpn servers, and has also been stable in our testing.  Follow the instructions provided in the Tunnelblick documentation to provide Tunnelblick with the aerpaw_exp.ovpn file.  Note: in our testing, we find that after Tunnelblick establishes the connection, and it turns green, there is nevertheless a delay of several seconds before an IP address is assigned to the tap interface, and the interface becomes usable.

Note: The OpenVPN Connect software on MacOS will NOT work - it does not support Layer-2 VPNs.

On Windows:

OpenVPN client for Windows should work fine.  We are aware of different kinds of OpenVPN clients and some of them appear not to work well with the standard Linux OpenVPN server that AERPAW uses. The one that has worked without problems is the community edition at  https://openvpn.net/community-downloads/ .

Download OpenVPN here and install it.  This should create an icon in the system tray for OpenVPN.  The openvpn profile file you received as part of the Manifest can be imported by selecting the menu item "Import -> Import file".  After the file is imported click "connect" and this should create a new logical network interface in your OS with IP address 192.168.108.xxx for the example provided above.  

If OpenVPN does not work, you can also try Windows Subsystem for Linux (WSL), a compatibility layer that enables Linux binary executables to be run on a Windows OS.  You must install WSL 2 (WSL 1 provides a thinner compatibility, which will not suffice).

The instructions for manual install of WSL are located at https://docs.microsoft.com/en-us/windows/wsl/install-manual .  Some of the steps require that you have System Administrator privilege on your Windows system.  Also, at one point your system needs to be rebooted before proceeding.

After you have installed WSL, you need to install Ubuntu Linux on it.  Ubuntu 20.04 has been tested for this purpose and appears stable; Ubuntu 18.04 should also work but has not been tested.  Install by going to the Windows Store app, searching for Ubuntu, selecting the version you want, and then clicking install.  Once installed, launch Ubuntu and you should be asked to setup a username (such as "myapuser") and a corresponding password.  Once you have done so, Ubuntu should be all set up.  You can use this userid to login to the Ubuntu.  When you temporarily need root access, you can use sudo to execute commands as root inside this Ubuntu installation, using the password.

Move the openvpn profile file you received as part of the Manifest inside your Ubuntu file system.  From this point on, you should be able to follow the instructions above for Linux above.

On Linux, MacOS:

Typically, ssh is part of the OS distribution, and needs to be executed on the command line.  The option to use a specific private key is invoked by the option -i, and a userid can be specified before the target host.  For example, assume that on your laptop you have saved your public and private keys in the .ssh directory under your home directory (this is the normal place to save them) with the names my_aerpaw_key.pub and my_aerpaw_key, respectively.  (Of these, you would have uploaded the former, i.e. the public key, as "Credentials" to the AERPAW Portal, in an earlier step.)  Now, to log in to the first AVN provided in the example JSON above, open a command shell (Terminal window, for Mac OS), and type:

ssh -i ~/.ssh/my_aerpaw_key root@192.168.108.1

         (specifies the right key to use)       (specifies user) (and target host - first AVN)

This should log you into the AERPAW Virtual Node without any need of using a password.  Inside the AVN, you should have logged in as the User "root".

In separate command shells (windows), you can login to each of your AVNs, and the OEO Console.

Note: A common pitfall is that most ssh clients require the private key and the directory it is in to have restrictive file permissions, so that they are truly private to the user.  In other words, the .ssh directory, and the my_aerpaw_key file, in the above example, need to have read, write, and (for the directory) scan access only for the user.  To ensure this, if you have ssh problems, with your ssh client complaining about your key being insecure, execute the following commands:

chmod 700 ~/.ssh; chmod 400 ~/.ssh/my_aerpaw_key

Note: When you originally created your ssh key-pair, the key generation program you used may have given you an option to locally encrypt your private key file.  If you took that option, you entered a passphrase to encrypt your private key, and at this point, you will need to supply that passphrase again, so as to be able to use your private key.

More information and background on ssh can be found in the manual pages of your computer's OS, or at various places on the web, such as here.

On Windows:

There are many SSH clients for Windows such as MobaXterm, XShell, which are known to run properly with the Openssh servers that AERPAW uses.  Please refer to the respective documentation or help material for such applications to know how to use them, how to specify the key to use, and how to specify to log in as the user "root".  Make sure you point your SSH client application to 

(i) the right ssh private key for the public key you uploaded on AERPAW portal

(ii) the right destination IP address for your experiment

(iii) make it use the username “root”) 

Alternatively, assuming you are using the Windows Subsystem for Linux (WSL) solution to be able to establish the VPN connection to your experiment in AERPAW, you can also use ssh from inside the WSL environment.  If you do, you should follow the instructions above for Linux, including placing the ssh keys in appropriate locations inside WSL, such as the home directory "~".