Difference between revisions of "VPN"
Jump to navigation
Jump to search
Line 36: | Line 36: | ||
== Obtaining a client certificate == | == Obtaining a client certificate == | ||
− | === | + | === For users === |
Ask an admin ([[Olasd]] or [[Zack]], currently) to produce a pair of client-specific certificate/key for you. | Ask an admin ([[Olasd]] or [[Zack]], currently) to produce a pair of client-specific certificate/key for you. | ||
− | === | + | Please ensure there is a way to send you the certificate and the key securely (e.g., GPG). |
+ | |||
+ | === For admins === | ||
On louvre: | On louvre: |
Revision as of 20:06, 17 July 2015
The Software Heritage server and the VMs running on it are severely firewalled. To get onto their network unrestricted, a VPN based on OpenVPN is available.
The setup is client-server, with per-client certificates.
Openvpn client configuration
Sample configuration file, e.g., /etc/openvpn/softwareheritage.conf:
remote louvre.softwareheritage.org ns-cert-type server comp-lzo nobind dev tun proto udp port 1194 log /var/log/openvpn.log up-restart persist-key persist-tun client ca /etc/openvpn/keys/softwareheritage-ca.crt cert /etc/openvpn/keys/softwareheritage.crt key /etc/openvpn/keys/softwareheritage.key user nobody group nogroup
In addition to the above configuration file, you will need to install the following 3 files under /etc/openvpn/keys:
- softwareheritage-ca.crt: public certificate for the Software Heritage certification authority (CA)
- softwareheritage.crt: public, client-specific certificate (see below)
- softwareheritage.key: private, client-specific key (see below)
Obtaining a client certificate
For users
Ask an admin (Olasd or Zack, currently) to produce a pair of client-specific certificate/key for you.
Please ensure there is a way to send you the certificate and the key securely (e.g., GPG).
For admins
On louvre:
root@louvre:~# cd /etc/openvpn/easy-rsa/ root@louvre:/etc/openvpn/easy-rsa# . vars root@louvre:/etc/openvpn/easy-rsa# ./build-key USERNAME [ accept defaults, they should be OK ]
At the end of the process certificate and key will be in /etc/openvpn/keys/USERNAME.{crt,key}. Send them to USERNAME (securely).
/etc/hosts recommended entries
TODO