Lucidum has been acquired by Cyderes → [Read the announcement]

Lucidum has been acquired by Cyderes → [Read the announcement]

View Categories

Renewing a Proxy Server

Estimated Reading Time: 5 min read

When to Renew the Tunnel Proxy #

There are two circumstances that require you to renew your existing tunnel proxy:

  • Lucidum releases a new version of the proxy image. Periodically, Lucidum updates the proxy image. The latest image includes the latest OS updates and latest package updates and is therefore most secure. The current tunnel proxy image is v1.1.3.

To determine the latest image version:

    1. Log in to Lucidum.

    2. Go to Settings > Tunnel Proxy Settings.

    3. In the Tunnel Proxy Settings page, click the View Setup Instruction (briefcase) icon.

    4. The last line of code in Step 8 displays the latest image version.

  • VPN certificate expired or is soon to expire. The Lucidum tunnel proxy uses OpenVPN and creates its own self-signed certificate with a 2-year lifetime. When the certificate expires, the tunnel proxy will no longer work. Prior to certificate expiration, follow the steps in this chapter to renew your tunnel proxy.

To determine when your certificate will expire:

    1. Log in to Lucidum

    2. go to Settings > Tunnel Proxy Settings.

    3. In the Tunnel Proxy Settings page, view the Expires On column to determine the expiration date for each tunnel proxy.

Prerequisites #

To perform the steps in this chapter, you must know the root user name and password for the Linux server that serves as the proxy. Note that Lucidum has no way to track or retrieve the root user name and password.

NOTE: If you cannot locate the root user name and password, you can rebuild the Linux server using the steps in the chapter on Configuration a Proxy Server:

  1. Deploy and Prep the Virtual Machine or Server

  2. Validate Network Connectivity

  3. Install and Configure Docker

  4. Copy client.conf to the Server

You can then return to this chapter and perform the steps in this chapter.

Updating the Proxy Image #

  1. Either log in to the console of the proxy server or use SSH to access the server.

  2. On the proxy server, open a shell session.

  3. See if the proxy is is running. To do this, at the shell prompt, type:

    docker ps

  4. Stop the proxy. To do this, at the shell prompt, type:

    docker stop lucidum-tunnel

  5. Remove the proxy. To do this, at the shell prompt, type:

    docker rm lucidum-tunnel

  6. If you are using Red Hat Enterprise Linux, enter the following commands to start the new Docker container and the new proxy image. At the shell prompt, type:

    docker run -d --cap-add=NET_ADMIN \

    --device=/dev/net/tun \

    --restart=unless-stopped \

    --network=bridge \

    --tmpfs /var/run \

    -v /usr/lucidum/tunnel: /data:ro \

    --name=lucidum-tunnel \

    --ulimit nofile=1048576:1048576 \

    public.ecr.aws/lucidum/tunnel-client:v1.1.3

  7. If you are using any version of Linux except Red Hat Enterprise Linux, enter the following commands to start the new Docker container with the new proxy image. At the shell prompt, type:

    docker run -d --cap-add=NET_ADMIN \

    --device=/dev/net/tun \

    --restart=unless-stopped \

    --network=bridge \

    --tmpfs /var/run \

    -v /usr/lucidum/tunnel: /data:ro \

    --name=lucidum-tunnel \

    public.ecr.aws/lucidum/tunnel-client:v1.1.3

  8. After the you enter the last command, Docker will:

    • download the latest image from the Lucidum public repository and create a Docker container from the image

    • read the connection and certificate information from /usr/lucidum/tunnel/client.conf

    • attempt to connect to the server defined in the client.conf file. The server is defined in the line that begins with “remote“, usually line 7 of the file.

Troubleshooting #

The first step in troubleshooting the tunnel proxy is to examine the Docker logs. To do this:

  1. Either log in to the console of the proxy server or use SSH to access the server.

  2. On the proxy server, open a shell session.

  3. View the logs for the tunnel connection. To do this, at the shell prompt, type:

    docker logs lucidum-tunnel

  4. If you see this error in the log:

    Options error: In [CMD-LINE]:1: Error opening configuration file: /data/client.conf

    Docker was unable to read the file /usr/lucidum/tunnel/client.conf file.

Possible reasons for this failure:

Problem Diagnostics and Repair
File does not exist Check that the file exists:
  1. Log in to the console of the proxy server or use SSH to access the server.
  2. Open a shell session
  3. Enter the following at the shell prompt:
    cd /usr/lucidum/tunnel
    ls
  4. Output should include client.conf
File has incorrect permissions Check read permissions for the file
  1. Log in to the console of the proxy server or use SSH to access the server.
  2. Open a shell session
  3. Enter the following at the shell prompt:
    cd /usr/lucidum/tunnel
    ls -l
  4. Note the permissions for client.conf
  5. If client.conf does not include read permissions, enter the following at the shell prompt:

chmod +r client.conf
Path has incorrect permissions Check read permissions for the path
  1. Log in to the console of the proxy server or use SSH to access the server.
  2. Open a shell session
  3. Enter the following at the shell prompt:
    cd /
    ls -l
  4. Note the permissions for /usr
  5. Enter the following at the shell prompt:
    cd /usr
    ls -l
  6. Note the permissions for lucidum
  7. Enter the following at the shell prompt:
    cd /usr/lucidum
    ls -l
  8. Note the permissions for tunnel
  9. The easiest solution is to make the entire path readable to all users. To do this, enter the following at the shell prompt:
    chmod a=r /usr/lucidum/tunnel
The contents of /usr/lucidum/tunnel/client.conf are incorrect View the file:
  1. Log in to the console of the proxy server or use SSH to access the server.
  2. Open a shell session
  3. Enter the following at the shell prompt:
    cd /usr/lucidum/tunnel
    vi client.conf
  4. Ensure that you erased the previous contents
  5. Ensure that you fully copied the contents of the new client.conf file.
Outbound network connection has been filtered by firewall rules View client.conf to find the hostname
  1. Log in to the console of the proxy server or use SSH to access the server.
  2. Open a shell session
  3. Enter the following at the shell prompt:
    cat /usr/lucidum/tunnel/client.conf
  4. Note the value in line 7. It looks like:
    remote tunnel.yourcompany.lcuidum.cloud 1194 tcp
  5. Exit the file.
  6. Use this command to check connectivity:
    nc -zv tunnel.acme.lucidum.cloud 1194
  7. If the connection is healthy, you will see:
    Connection to tunnel.acme.lucidum.cloud (n.n.n.n) 1194 port [tcp/openvpn] succeeded!
  8. If the connection is not healthy, contact your Lucidum account representative for help.
  9. Use this command to check the connectivity again:
    nmap -Pn -p 1194 tunnel.acme.lucidum.cloud
  10. If the connection is healthy, you will see:
    Nmap scan report for tunnel.acme.lucidum.cloud (n.n.n.n)
    Host is up (0.00090s latency).rDNS record for 54.208.148.32: ec2-n-n-n-n.compute-1.amazonaws.com
    PORT     STATE SERVICE
    1194/tcp open  openvpn
    Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
  11. If the connection is not healthy, contact your Lucidum account representative for help.
Your egress IP changed, and Lucidum needs to update the allow-list for your organization. For your protection, Lucidum maintains a strict allow-list of IP addresses that are allowed to attempt connection to your system.When your proxy was initially configured, we added your current egress IP to the list of allowed addresses.

If your egress IP changes, contact your Lucidum account representative. We can update the Lucidum allow-list. Let us know via email or Slack and we will make the change and verify that the proxy connection succeeds.
All other issues: Contact your Lucidum account representative for assistance.

What are your Feelings