DDCVPN Connection

Downloading VPN client and OpenVPN configuration

The following links should allow you to download the OpenVPN config for the DEV or PROD environments.

OpenVPN Config

  • Dev: cvpn-endpoint-DDC-DEV-20220606.ovpn
  • PROD: cvpn-endpoint-DDC-PROD-20220606.ovpn

VPN Client Download

Below we’ve listed three links to download a Windows, Mac OSX and Linux VPN client installer. Select the VPN client that works best for your environment.

  • MacOS AWS VPN Client: AWS_VPN_Client.pkg
  • Windows AWS VPN Client: AWS_VPN_Client.msi
  • Linux (Debian) AWS VPN Client: awsvpnclient_amd64.deb

Installing and Configuring your VPN client

Install your VPN client and then launch the client.

  • Under File, select Manage Profiles.
  • Click the Add Profile button.
  • Enter a name for the VPN connection profile, for example “DDC DEV VPN Connection”.
  • Click the folder icon and browse to the OpenVPN config file you downloaded earlier.
  • Select the file and then click Add Profile.
  • You should now have the VPN connection profile you need to connect to the VPN.

Connecting to the VPN endpoint

Open the VPN client again, select the profile you created previously and click Connect.

  • You will get a Roche SSO login prompt.
  • After a successful SSO login, a new page/tab will open in your default browser.
  • This page confirms that a connection to the VPN is being established.
  • It shows the following text:

Authentication details received, processing details. You may close this window at any time.

After a short time the VPN client will change from the Establishing connection state to the Connected state. You have now successfully logged into the VPN endpoint.

How to add user access to the VPN Endpoint

Access to the VPN is granted through RADA group membership in the DEV and PROD environments:

  • DEV RADA group: GLOFCT_DDC-Dev-VPN-Access
  • PROD RADA group: GLOFCT_DDC-Prod-VPN-Access

If you’re an admin, log into rada.roche.com, go to the Groups tab and search for the groups above to add the users who should have access to the VPN.

  • Under group name, type the RADA group into the text box to search for the group you want.
  • Once you’ve found the group, select the main function group. You should now see the list of members in the group.
  • Click the add users menu option above the list. A text box appears to the right of the members list.
  • Type in the Unix ID of the user you want to add and click search.
  • The user should appear in the search results. Click the << add button to add them to the group.

Verify VPN access to resources

We’ve implemented a simple test to verify VPN access. The instance 10.100.2.207 is connected to a private subnet in the VPC. Any user connected to the VPN with access to the VPC range 10.100.0.0/20 should be able to reach the server. Without a key, sshd rejects the login, but that response already shows the host is reachable over the VPN; with vpn_test.pem the login succeeds.

$ ssh 10.100.2.207
von2@10.100.2.207: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

$ ssh -i vpn_test.pem  ec2-user@10.100.2.207
Last login: Wed Mar 30 23:58:51 2022 from ip-10-100-5-3.eu-west-1.compute.internal

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
[ec2-user@ip-10-100-2-207 ~]$
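As an added example (not part of the original page or of the AWS client), the following Python script automates the same reachability check: it confirms the target lies in the VPC range given above, then opens TCP port 22 and reads the SSH banner, which proves the host is reachable over the VPN even before any login. The host and range are taken from the page; the local fake-banner helper is a constructed stand-in so the check can be exercised without the VPN.

```python
# Added example: connectivity check for the VPN test instance.
# A returned SSH banner means the host answers over the VPN even when the
# login itself is later denied (as in the "Permission denied" attempt above).
import ipaddress
import socket
import threading

VPC_RANGE = ipaddress.ip_network("10.100.0.0/20")   # VPC range from the page
TEST_HOST = "10.100.2.207"                          # test instance from the page


def in_vpc_range(ip: str) -> bool:
    """True if ip lies inside the VPC range the test instance belongs to."""
    return ipaddress.ip_address(ip) in VPC_RANGE


def check_ssh_reachable(host: str, port: int = 22, timeout: float = 3.0):
    """Return (reachable, detail); reachable means an SSH banner was read."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            banner = s.recv(256).decode("ascii", "replace").strip()
    except OSError as exc:  # refused, no route, or timed out: VPN not working
        return False, f"no TCP/SSH response from {host}:{port} ({exc})"
    if not banner.startswith("SSH-"):
        return False, f"port open but not SSH: {banner[:40]!r}"
    return True, f"reachable, server banner {banner!r}"


def serve_fake_banner(banner: bytes = b"SSH-2.0-OpenSSH_7.4\r\n") -> int:
    """Constructed helper: local listener that sends one SSH-style banner."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_local_port() -> int:
    """Constructed helper: a loopback port with nothing listening on it."""
    with socket.socket() as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


if __name__ == "__main__":
    ok, detail = check_ssh_reachable(TEST_HOST)
    print(f"{TEST_HOST} in {VPC_RANGE}: {in_vpc_range(TEST_HOST)}; {detail}")
```

Run it while connected to the VPN; a "no TCP/SSH response" result means routing into the VPC is not working, whereas a banner followed by an SSH key failure means the VPN is fine and only the key is missing.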