Info

AI2 has two VPN options available: Pritunl and Tunnelblick. Pritunl is the preferred option; only use Tunnelblick if something prevents you from using Pritunl.

MacOS:

Connect via the Pritunl Client

Note

The Profile URI Link on the login page only lasts a few minutes, so unless you're really fast, you'll have to log in a second time. The instructions will guide you through that.

  1. Go to pritunl.allenai.org

  2. Select Sign in with Google

  3. Select your @allenai.org GSuite account

  4. Select Download Client, follow the installation instructions

  5. Close the pritunl.allenai.org browser tab (see note above as to why)

  6. Go back to pritunl.allenai.org and log in again

  7. Open the Pritunl application

  8. Copy the Profile URI Link

  9. Start the Pritunl client (if it hasn't already been started)

  10. Select Import Profile URI

  11. Paste the URI and press Import

  12. You can use the “hamburger” menu in the top right corner of each profile to connect to and disconnect from the VPN.

Info

You will see three AI2 VPNs in the Pritunl client:

pritunl.allenai.org - This profile is intended for computers running MacOS. It will only route traffic destined for the corporate network through the VPN. All other traffic will continue to route through your local network.

pritunl.allenai.org-alltraffic - This profile is intended for computers running MacOS. It will route all traffic through the VPN. Some project team members (formerly VPT) may need this to connect to cloud resources. Use this only if you require it.

pritunl.allenai.org-windows - This profile is specifically configured to be used on Windows computers. It will only route traffic destined for the corporate network through the VPN. All other traffic will continue to route through your local network.

Windows Users:

Note

If you are using a Windows laptop, you should be using the built-in VPN protocol to log in. If you have not been set up to log in to your laptop via “Network Sign-in”, please reach out to IT in the #it slack channel.

MacOS (Alternate Setup)

Connect via Tunnelblick (MacOS Only)

  1. Install the Tunnelblick (MacOS) client (you may skip this step if it's already installed)

    1. Skip the config file installation if asked - that comes later

  2. Go to pritunl.allenai.org

  3. Select Sign in with Google

  4. Select your @allenai.org GSuite account

  5. Select Show More

  6. Select Download Profile (pritunl.allenai.org) (the thin, blue option)

  7. Download the .ovpn file and open it

...

Tunnelblick/OpenVPN will guide you through the rest of the installation. If you have issues installing the client or messages appear when connecting, see the Troubleshooting section below.

Windows (Built in VPN solution)

Tip

Please review the Domain Join/VPN steps to set up your laptop to automatically connect to the VPN on Windows. If you have any questions, don’t hesitate to reach out to IT on the #it slack channel.

Troubleshooting

...

If you want to route all traffic over the VPN, make a copy of the configuration as follows:

  1. Click the Tunnelblick icon and select "VPN Details..."

  2. Select "AllenAI", click the gear icon on the bottom of the list and choose "Duplicate Configuration..."

  3. Select the new configuration and press the "Advanced..." button

  4. Press the "While Connected" tab and click the "Route all traffic through the VPN" checkbox

  5. Close the windows and connect

...

If you get one of the following messages:

  • Tunnelblick was not able to load a system extension that is needed to connect to ...

  • System Extension Blocked: A program tried to load new system extension(s) signed by "Jonathan Bullard"

Follow the instructions here to resolve the problem. (H/T Miles)

Tunnelblick Connection Messages

If you get a message that complains about one of the following, you may ignore it:

  • comp-lzo compression deprecation

  • Apparent IP address changing or not changing

...

401: Unauthorized - Make sure you are logging in with your @allenai.org email address, not a personal email address

...

Connecting to Tailscale

  1. Disconnect from and exit any VPNs that might already be running (other than Tailscale)

  2. If you are on an AI2-managed Mac, go to your Applications folder and open Tailscale. Otherwise, download Tailscale from https://tailscale.com/download and launch the app. It will launch to your top menu bar.

  3. Click the Tailscale icon in the menu bar and click Log in…

  4. Choose Sign in with Google and authenticate with Google/Okta

  5. Click the Connect button to add your device to the AI2 Tailscale network

  6. Now that you’ve signed in and added your machine, Tailscale will automatically launch itself on startup and will stay connected unless you manually disconnect.

There are three ways to reach resources through Tailscale:

  • You can access all resources on the AI2 network using the FQDN, e.g. allennlp-cirrascale-01.reviz.ai2.in. This includes hardware and cloud resources on our networks that are not directly running Tailscale. 

  • For a resource running Tailscale directly, you can use its Tailscale name, which is the hostname portion of the FQDN, e.g. allennlp-cirrascale-01. This name resolves to its Tailscale IP address. You can see a list of available resources in the Tailscale app under Network Devices - Tagged Devices.

  • If you click the name of a resource in the Network Devices - Tagged Devices list in the Tailscale app, it will copy the Tailscale IP address of the resource to your clipboard and can be pasted wherever you need.

Troubleshooting

  • If you are unable to connect to resources while on Tailscale, or unable to connect to the internet, exit Tailscale completely from the application icon, then re-launch it. This causes a number of resets and will resolve most connection issues.

  • If you are unable to connect to a resource using its FQDN, try using its Tailscale name, e.g. prior-elanding-75

    • This is particularly helpful if you are connecting from a hotel, university, or other corporate location, as oftentimes their IP address range conflicts with ours. Tailscale names resolve to addresses in a reserved IP range, so you will never encounter conflicts with your local network when using them.

  • If you are unable to access a resource using its Tailscale name, try using its FQDN, e.g. prior-elanding-75.reviz.ai2.in

    • These two methods take different routes, so often if one is not routing properly, the other will work.
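The FQDN-vs-Tailscale-name troubleshooting above comes down to an address-range conflict: when the hotel or campus LAN you are on hands out addresses from the same prefix the VPN routes to the corporate network, the FQDN route is shadowed by the local network, whereas Tailscale addresses come from a range (100.64.0.0/10, the CGNAT space Tailscale uses) that a local LAN should never hand out. The check below is an added example, not part of the original page or of any AI2 or Tailscale tooling. It parses a constructed macOS `ifconfig` line for the local interface and reports which routed prefixes it collides with. The corporate prefixes are placeholders (the real ones are not on the page); substitute the prefixes your VPN profile actually pushes.

```python
import ipaddress

# Tailscale assigns node addresses from the CGNAT range 100.64.0.0/10.
TAILSCALE_RANGE = ipaddress.ip_network("100.64.0.0/10")

# PLACEHOLDER: prefixes the split-tunnel VPN routes to the corporate network.
# The page does not list the real ones; replace with the routes your profile pushes.
CORP_PREFIXES_PLACEHOLDER = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
]

# Constructed sample of the "inet" line from `ifconfig en0` on macOS.
SAMPLE_IFCONFIG_LINE = "\tinet 10.20.30.44 netmask 0xffffff00 broadcast 10.20.30.255"


def parse_ifconfig_inet(line):
    """Turn a macOS ifconfig 'inet ... netmask 0x...' line into the LAN's network.

    macOS prints the netmask as a hex word; convert it to a dotted mask so
    ipaddress can derive the prefix length.
    """
    parts = line.split()
    addr = parts[parts.index("inet") + 1]
    mask = ipaddress.IPv4Address(int(parts[parts.index("netmask") + 1], 16))
    return ipaddress.ip_interface(f"{addr}/{mask}").network


def overlapping_prefixes(local_network, routed_prefixes):
    """Return the routed prefixes that collide with the local LAN network."""
    local = ipaddress.ip_network(local_network, strict=False)
    return [str(p) for p in routed_prefixes if local.overlaps(p)]


def diagnose(local_network, routed_prefixes=CORP_PREFIXES_PLACEHOLDER):
    """Explain why a FQDN might fail while the Tailscale name still works.

    fqdn_route_conflicts: corporate prefixes shadowed by the local LAN (FQDN path
    at risk); tailscale_conflict: whether the LAN also collides with Tailscale's
    reserved range (expected to be False on any sanely configured network).
    """
    local = ipaddress.ip_network(local_network, strict=False)
    return {
        "local_network": str(local),
        "fqdn_route_conflicts": overlapping_prefixes(local, routed_prefixes),
        "tailscale_conflict": local.overlaps(TAILSCALE_RANGE),
    }


if __name__ == "__main__":
    lan = parse_ifconfig_inet(SAMPLE_IFCONFIG_LINE)
    report = diagnose(lan)
    if report["fqdn_route_conflicts"]:
        print(f"LAN {report['local_network']} overlaps VPN routes "
              f"{report['fqdn_route_conflicts']}; prefer the Tailscale name.")
    else:
        print(f"LAN {report['local_network']} does not overlap any VPN route.")
```

On a real machine, feed `ifconfig en0 | grep 'inet '` (or the Wi-Fi interface in use) to `parse_ifconfig_inet`; a non-empty `fqdn_route_conflicts` list is the signature of the hotel/university situation the troubleshooting bullet describes.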