Renewing a Proxy Server

When to Renew the Tunnel Proxy #

There are two circumstances that require you to renew your existing tunnel proxy:

• Lucidum releases a new version of the proxy image. Periodically, Lucidum updates the proxy image. The latest image includes the latest OS updates and latest package updates and is therefore most secure. The current tunnel proxy image is v1.1.2.

To determine the latest image version:

• 1. Log in to Lucidum.

  2. Go to Settings > Tunnel Proxy Settings.

  3. In the Tunnel Proxy Settings page, click the View Setup Instruction (briefcase) icon.

  4. The last line of code in Step 8 displays the latest image version.

• VPN certificate expired or is soon to expire. The Lucidum tunnel proxy uses OpenVPN and creates its own self-signed certificate with a 2-year lifetime. When the certificate expires, the tunnel proxy will no longer work. Prior to certificate expiration, follow the steps in this chapter to to renew your tunnel proxy.

To determine when your certificate will expire:

1. 1. Log in to Lucidum

   2. go to Settings > Tunnel Proxy Settings.

   3. In the Tunnel Proxy Settings page, view the Expires On column to determine the expiration date for each tunnel proxy.

Prerequisites #

To perform the steps in this chapter, you must know the root user name and password for the Linux server that serves as the proxy. Note that Lucidum has no way to track or retrieve the root user name and password.

If you cannot locate the root user name and password, you can rebuild the Linux server using these steps in the chapter on Configuration a Proxy Server:

1. Deploy and Prep the Virtual Machine or Server

2. Validate Network Connectivity

3. Install and Configure Docker

You can then return to this chapter and perform the steps in this chapter.

Lucidum: Delete the Current Proxy #

To renew your tunnel proxy, you need to first delete the existing tunnel proxy from Lucidum. To do this:

1. Login to your Lucidum system.

2. Go to Settings > Tunnel Proxy Settings.

3. In the Tunnel Proxy Settings page, find the tunnel proxy you want to renew and click the Delete Tunnel Proxy (trashcan) icon.

   

4. When prompted, click Confirm.

Linux Server: Stop Docker and Remove the Docker Container #

You must delete the existing docker container from the Linux server. To do this:

1. Either log in to the console of the proxy server or use SSH to access the server

2. Open a shell session.

3. View a list of docker containers that are running. To do this, at the shell prompt, type:

   docker ps

4. In the output, you should see a container with NAMES of “lucidum-tunnel“. This is the tunnel proxy for Lucidum.

5. Stop the docker container. To do this, at the shell prompt, type:

   docker stop lucidum-tunnel

6. Delete the docker container. To do this, at the shell prompt, type:

   docker rm lucidum-tunnel

Lucidum: Define the new Tunnel Proxy and Download client.conf #

To create the proxy server, Lucidum supplies a file called client.conf.

1. Login to your Lucidum system.

2. Go to Settings > Tunnel Proxy Settings.

3. In the Tunnel Proxy Settings page, click the Add (plus sign) icon.

   

4. In the Add Tunnel Proxy modal page, supply a name of the proxy and click Save.

   

5. The new tunnel proxy appears in the Tunnel Proxy Settings page.

6. Click the Download Configuration (download) icon for the new tunnel proxy. Lucidum will download a file named client.conf to your local computer.

7. The client.conf file includes:

   • FQDN and port for the tunnel endpoint

   • Keys

   • TLS certs

Linux Server: Update client.conf #

You now must replace the existing file, client.conf, with the new version you downloaded from Lucidum.

The easiest way to do this is by editing the existing file and replacing its contents. To do this:

1. Either log in to the console of the proxy server or use SSH to access the server.

2. Navigate to the directory /usr/lucidum/tunnel. To do this, at the shell prompt, type:

   cd /usr/lucidum/tunnel

3. Using vi (or an editor of your choice) open the file client.conf.

   vi client.confl

4. Delete the contents of client.conf.

5. To do so, first press the [Esc] key. Then press the colon ( : ) key. This enables a command line at the bottom of the file.

6. At the colon command line at the bottom of the page, enter %d

7. Press the [Enter] key.

8. Leave the file open.

9. On your local computer, navigate to the directory where you downloaded the latest version of client.conf. Copy its contents.

10. Back at the shell prompt, in the open file, press the [Esc] key and press the [i] key. This enables insert mode.

11. Paste the copied text with [ctrl] + [v]

12. Press the [Esc] key. Then press the colon ( : ) key. This enables a command line at the bottom of the file.

13. At the colon command line at the bottom of the page, enter wq

14. The client.conf file is saved with the new content.

Linux Server: Start Docker and Run the Docker Image #

Next, you must start docker and run the docker image.

1. Either log in to the console of the proxy server or use SSH to access the server.

2. On the proxy server, open a shell session.

3. See if Docker is running. To do this, at the shell prompt, type:

   docker ps

4. If you see the message “Cannot connect to Docker daemon…”, you must start Docker.

5. Start Docker. To do this, at the shell prompt, type:

   sudo systemctl start docker

6. See if Docker is running. To do this, at the shell prompt, type:

   docker ps

7. If you are using Red Hat Enterprise Linux, enter the following commands to start the new Docker container. At the shell prompt, type:

   docker run -d --cap-add=NET_ADMIN \

   --device=/dev/net/tun \

   --restart=unless-stopped \

   --network=bridge \

   -v /usr/lucidum/tunnel: /data:ro \

   --name=lucidum-tunnel \

   --ulimit nofile=1048576:1048576 \

   public.ecr.aws/lucidum/tunnel-client:v1.1.2

8. If you are using any version of Linux except Red Hat Enterprise Linux, enter the following commands to start the new Docker container. At the shell prompt, type:

   docker run -d --cap-add=NET_ADMIN \

   --device=/dev/net/tun \

   --restart=unless-stopped \

   --network=bridge \

   -v /usr/lucidum/tunnel: /data:ro \

   --name=lucidum-tunnel \

   public.ecr.aws/lucidum/tunnel-client:v1.1.2

9. After the you enter the last command, Docker will:

   • download the latest image from the Lucidum public repository and create a Docker container from the image

   • read the connection and certificate information from /usr/lucidum/tunnel/client.conf

   • attempt to connect to the server defined in the client.conf file. The server is defined in the line that begins with “remote“, usually line 7 of the file.

Lucidum: Verify Connection #

To verify the tunnel proxy connection:

1. Login to your Lucidum system.

2. Go to Settings > Tunnel Proxy Settings.

3. In the Tunnel Proxy Settings page, find the new proxy.

   

4. If the Status column displays a green checkmark, the connection is healthy.

5. If the Status column displays a red box, the connection has errors.

Troubleshooting #

The first step in troubleshooting the tunnel proxy is to examine the Docker logs. To do this:

1. Either log in to the console of the proxy server or use SSH to access the server.

2. On the proxy server, open a shell session.

3. View the logs for the tunnel connection. To do this, at the shell prompt, type:

   docker logs lucidum-tunnel

4. If you see this error in the log:

   Options error: In [CMD-LINE]:1: Error opening configuration file: /data/client.conf

   Docker was unable to read the file /usr/lucidum/tunnel/client.conf file.

Possible reasons for this failure: