
Please note that all the SIEpedia's articles address specific issues or questions raised by IAC users, so they do not attempt to be rigorous or exhaustive, and may or may not be useful or applicable in different or more general contexts.

This page is now obsolete!
Instructions on how to set up and use the IAC's VPN can be found on the SI's website, at http://goya/sic/index.php?option=com_content&view=article&id=185:conexion-al-servicio-vpn-del-iac&catid=18:guias-uso&Itemid=7

Work At Home (the SSH Tunnel of Love)

The second part of this article can be found here.

Setting up the tunnels

  • To work at home we first need to create an SSH connection with "tunnels" (see Tunneling Explained if you are curious about what we mean by a "tunnel"). In Linux we can create a .ssh/config file in our home directory with the following contents. The file should have permissions set to 600, and the .ssh directory itself should have permissions set to 700. Remember to change the IP address and the user to reflect your machine and your username. In Windows we could use PuTTY and follow the instructions for PuTTY to set the tunnels:
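Host iac-work
     # Replace the placeholder with the IP address of your IAC machine, and the user with your username
     HostName <IP-address-of-your-IAC-machine>
     User angelv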

# Intranet Web servers
     LocalForward 8000 marta:80
     LocalForward 8002 goya:80
     LocalForward 8005 venus:80
     LocalForward 8443 pccau:443

# IDL (new license server since 08-Feb-2011: zuko)
     LocalForward 9000 zuko:1700
     LocalForward 51700 zuko:51700

# Mail (new mail server)
     LocalForward 10000 correo.iac.es:993
     LocalForward 10001 correo.iac.es:25

# Web Proxy (not existing anymore)
     LocalForward 3128 proxy.ll.iac.es:3128

  • We can then connect to our IAC machine in the usual way: first with telnet acceso.ll.iac.es, and then ssh -X -Y iac-work (please note that iac-work is the name provided as Host in the config file, a sort of alias which defines the machine, the username and all the tunnels to set up). If accessing the IAC from an external account is new to you, check the Instructions for External Accounts given by SIC to connect to the IAC from the outside world. Once we are in, all the tunnels should be up.

Accessing the Intranet

  • To test that the tunnels were properly set up just open your favourite browser and point it to the Goya page: http://localhost:8002/. Hopefully you should see our page nicely, but the excitement soon fades... Most links are relative, so you will see them pointing at http://localhost:8002/... , but some aren't, so if you follow that link you will get somewhere, but definitely not to the SIE Forum. In order to solve this we can use the extension capabilities of Firefox (so obviously this assumes you are using Firefox).
    • Go to the Greasemonkey page (http://greasemonkey.mozdev.org/) and follow steps 1 and 2 to get Greasemonkey installed (extremely easy, just click, click, click), and restart Firefox.
    • Save the contents of the following script in a file named iac.user.js (change "iac" if you want, but not the rest). Open it with Firefox and install it via the menu Tools -> Install This User Script. Obviously you see the correspondence between the tunnels created in the .ssh/config file and this script. You are free to modify the ports, but if doing so, make sure you modify them in both places.
// ==UserScript==
// @name IAC SSH Tunneling Link Rewriter
// @description Seeks out links to internal IAC servers, and will rewrite them to point to the local tunnels
// @include *
// ==/UserScript==
// Based on SourceForge Download Link Rewriter (http://userscripts.org/scripts/show/1517)

  // Walk every link on the page; the braces keep all the checks inside the loop
  for (var i = 0; i < document.links.length; i++) {
    var elem = document.links[i];
    // Each rule swaps the internal server name for the matching local tunnel port
    if(elem.href.match(/^http:\/\/marta(.*)/i)) {elem.href="http://localhost:8000"+RegExp.$1;}
    if(elem.href.match(/^http:\/\/goya(.*)/i)) {elem.href="http://localhost:8002"+RegExp.$1;}
    if(elem.href.match(/^http:\/\/pccau(.*)/i)) {elem.href="http://localhost:8003"+RegExp.$1;}
    // Dots are escaped so they match only a literal "."
    if(elem.href.match(/^http:\/\/afrodita\.ll\.iac\.es:8080(.*)/i)) {elem.href="http://localhost:8004"+RegExp.$1;}
    if(elem.href.match(/^http:\/\/diodo(.*)/i)) {elem.href="http://localhost:8006"+RegExp.$1;}
    if(elem.href.match(/^http:\/\/venus(.*)/i)) {elem.href="http://localhost:8005"+RegExp.$1;}
  }

  • Now reload the page http://localhost:8002/ and you will see that links now point to http://localhost:8002/..., so you can surf the intranet transparently.
  • If you want to disable the script, just go to the menu Tools -> Manage User Scripts and click on the "Enabled" box. Easy, right?
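The script and the .ssh/config file must agree on ports, yet the listing above sends pccau to 8003 while the config forwards it on 8443. As an added example (not the page's own script), the sketch below builds the rewrite rules from the LocalForward lines themselves, and goes beyond the original by matching the hostname exactly and checking that the link's scheme is the one the tunnel carries. The function names and the embedded copy of the config are assumptions made for illustration.

```javascript
// Constructed sample: a copy of the LocalForward lines from the config shown above.
const SSH_CONFIG = `
Host iac-work
     User angelv
# Intranet Web servers
     LocalForward 8000 marta:80
     LocalForward 8002 goya:80
     LocalForward 8005 venus:80
     LocalForward 8443 pccau:443
# IDL
     LocalForward 9000 zuko:1700
`;

// Parse "LocalForward <localPort> <host>:<remotePort>" into
// { host: { localPort, remotePort } }. Only web ports (80/443) are kept,
// because only those can appear as browsable links.
function parseForwards(configText) {
  const rules = {};
  for (const line of configText.split("\n")) {
    const m = line.trim().match(/^LocalForward\s+(\d+)\s+([^\s:]+):(\d+)$/i);
    if (!m) continue;                       // comments, Host, User, blank lines
    const remotePort = Number(m[3]);
    if (remotePort !== 80 && remotePort !== 443) continue;
    rules[m[2].toLowerCase()] = { localPort: Number(m[1]), remotePort };
  }
  return rules;
}

// Rewrite one absolute URL. The hostname must equal a tunnelled host
// (a prefix match such as /^http:\/\/goya(.*)/ also catches other names that
// merely start with "goya"), and the port implied by the scheme must be the
// one the tunnel forwards, so http links are never sent down an https tunnel.
function rewriteLink(href, rules) {
  let url;
  try { url = new URL(href); } catch (e) { return href; }  // relative or malformed
  const rule = rules[url.hostname.toLowerCase()];
  if (!rule) return href;
  const defaultPort = url.protocol === "https:" ? 443 : 80;
  const port = url.port ? Number(url.port) : defaultPort;
  if (port !== rule.remotePort) return href;
  url.hostname = "localhost";
  url.port = String(rule.localPort);
  return url.toString();
}
```

Inside a user script the loop body becomes `elem.href = rewriteLink(elem.href, rules)`, so a port changed in the config is the only place it has to change.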

Running IDL locally but with the IAC license

  • If we want to run a local copy of IDL but use the IAC license, then we need to make 2 tunnels. The first port is the one required to contact the license server (from an IAC machine you can see the license file /usr/pkg/rsi/license/license.dat). But to get a local IDL working with the IAC license server we will also need to open another port, used after successfully connecting to port 1700, which (since February 2011) is 51700.
  • Now, before we launch IDL we will need to tell it where to locate the IDL license servers, using the ssh tunnels. The quickest way is to define the following environment variable:
    setenv LM_LICENSE_FILE "9000@localhost"
    This should work in virtually all cases. If not, you may need to install (and modify a bit) the IDL license file; get in touch with us.

Reading mail with a mail client (not through Webmail)

  • Nothing special to do here. We already created the two necessary tunnels to correo.iac.es. So, with this in place, you just have to configure your mail client so that your IMAP server is localhost with port 10000 and your SMTP server is localhost with port 10001. With that all should be fine. If you use this computer sometimes at home and sometimes at the IAC, maybe your mail client lets you create different profiles, so that you don't have to change the server configuration every time, but that's up to you to investigate...

Accessing ApJ and other Journals

Note: as of April 2009, it seems that the proxy below is no longer operative. Please use a VPN connection to get access to Journals.

  • This requires a tunnel to the IAC proxy server, proxy.ll.iac.es on port 3128 (see the example .ssh/config file).
  • After connecting to the IAC by ssh, we need to configure the Web Browser to use the proxy rather than connecting directly to Internet. For instance, in Firefox 1.5 for Linux, open Edit -> Preferences, click on General, then on Connection Settings.
    Activate the Manual Proxy Configuration, put "localhost" in HTTP Proxy, and 3128 in Port. Similar settings can be used for other browsers.
    Save the changes, and access to ApJ etc. should already be enabled. If you still cannot access the contents of the journal you might need to delete the cookies in your browser (open Edit -> Preferences, and then click on Privacy, then Cookies, and lastly Clear Cookies Now).
    A very useful Firefox Extension to manage and switch between multiple proxy configurations easily and quickly is SwitchProxy
  • Of course, when finished we should disable the proxy and change the browser back to Direct Connection to Internet.

Section: Tutorials and Manuals

Page last modified on March 13, 2020, at 12:58 PM