Difference between revisions of "VPN"

From Software Heritage Wiki
(Install redirection to the docs page)
Tag: New redirect
 
(23 intermediate revisions by 5 users not shown)
#REDIRECT [[swhdocs:sysadm/user-management/openvpn/openvpn.html]]

The [[Software Heritage]] server and the VMs running on it are severely firewalled. To get onto their network unrestricted, a VPN based on [https://openvpn.net/ OpenVPN] is available.
 
The setup is client-server, with per-client certificates.
 
== Openvpn client configuration ==
 
Sample configuration file, e.g., /etc/openvpn/softwareheritage.conf:
 
<pre>
# Server to connect to
remote louvre.softwareheritage.org
# Only accept a peer certificate marked as a server certificate.
# ns-cert-type is deprecated and was removed in OpenVPN 2.5;
# on newer clients the equivalent option is: remote-cert-tls server
ns-cert-type server
# LZO compression of tunnelled traffic (deprecated since OpenVPN 2.4;
# compression inside the tunnel enables VORACLE-style compression oracles)
comp-lzo
# Do not bind to a fixed local port
nobind
dev tun
proto udp
port 1194
log /var/log/openvpn.log
# Run the up/down scripts on restarts as well as at initial start
up-restart
# Keep the key and tun device across restarts; required once privileges
# have been dropped (see user/group below), or the restart will fail
persist-key
persist-tun
client
# CA used to verify the server, plus the per-client certificate and private key
ca /etc/openvpn/keys/softwareheritage-ca.crt
cert /etc/openvpn/keys/softwareheritage.crt
key /etc/openvpn/keys/softwareheritage.key
# Drop root privileges after initialisation
user nobody
group nogroup
</pre>
 
In addition to the above configuration file, you will need to install the following three files under /etc/openvpn/keys:
 
* '''[[softwareheritage-ca.crt]]''': ''public'' certificate for the Software Heritage certification authority (CA)
* '''softwareheritage.crt''': ''public'', client-specific certificate (see below)
* '''softwareheritage.key''': ''private'', client-specific key (see below)
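As an added example (not part of this wiki page or of the Software Heritage setup), a small Python lint that parses a client configuration like the one above, flags the deprecated ns-cert-type and comp-lzo options, checks that the privilege drop is paired with persist-key/persist-tun, and emits a hardened copy using remote-cert-tls server. The sample configuration embedded in it is a constructed copy of the relevant lines from this page.

```python
"""Lint/harden an OpenVPN client config; added example, not SWH tooling."""

# Constructed sample: the relevant lines of the page's client configuration.
SAMPLE_CONF = """remote louvre.softwareheritage.org
ns-cert-type server
comp-lzo
client
persist-key
persist-tun
ca /etc/openvpn/keys/softwareheritage-ca.crt
cert /etc/openvpn/keys/softwareheritage.crt
key /etc/openvpn/keys/softwareheritage.key
user nobody
group nogroup
"""

def parse_conf(text):
    """Return [(option, args)], skipping blank lines and '#'/';' comment lines."""
    opts = []
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            opts.append((name, args))
    return opts

def lint(opts):
    """Return findings for options that weaken or break server verification."""
    names = {name for name, _ in opts}
    findings = []
    if "ns-cert-type" in names and "remote-cert-tls" not in names:
        findings.append("ns-cert-type is deprecated (removed in OpenVPN 2.5); use 'remote-cert-tls server'")
    if "comp-lzo" in names:
        findings.append("compression enabled; deprecated and exposes tunnelled traffic to compression oracles (VORACLE)")
    # Dropping privileges without persist-* means key/tun cannot be re-opened on restart.
    if {"user", "group"} & names and not {"persist-key", "persist-tun"} <= names:
        findings.append("user/group without persist-key/persist-tun: restarts will fail")
    return findings

def harden(opts):
    """Rewrite the config text: modern server-role check, no compression."""
    out = []
    for name, args in opts:
        if name == "comp-lzo":
            continue  # drop compression entirely
        if name == "ns-cert-type" and args == ["server"]:
            name = "remote-cert-tls"
        out.append(" ".join([name, *args]))
    return "\n".join(out) + "\n"
```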
 
== Obtaining a client certificate ==
 
=== For users ===
 
Ask an admin ([[Olasd]] or [[Zack]], currently) to produce a client-specific certificate/key pair for you.
 
Please ensure there is a way to send you the certificate and the key securely (e.g., GPG).
 
=== For admins ===
 
On louvre:
 
<pre>
root@louvre:~# cd /etc/openvpn/easy-rsa/
root@louvre:/etc/openvpn/easy-rsa# . vars
root@louvre:/etc/openvpn/easy-rsa# ./build-key USERNAME
[ accept defaults, they should be OK ]
</pre>
 
At the end of the process, the certificate and key will be in /etc/openvpn/keys/USERNAME.{crt,key}.
 
Send them to USERNAME (securely).
 
== /etc/hosts entries ==
 
Once the VPN is set up on your machine, you can access Software Heritage hosts via their private IP addresses; see [[Network configuration]].
 
The following lines in your /etc/hosts might make it easier to access the machines via mnemonic names:
 
<pre>
192.168.100.1   louvre    louvre.internal.softwareheritage.org
192.168.100.29  pergamon  pergamon.internal.softwareheritage.org
192.168.100.30  tate      tate.internal.softwareheritage.org
192.168.100.31  moma      moma.internal.softwareheritage.org
192.168.100.100 prado     prado.internal.softwareheritage.org
192.168.100.101 uffizi    uffizi.internal.softwareheritage.org
192.168.100.21  worker01  worker01.internal.softwareheritage.org
192.168.100.22  worker02  worker02.internal.softwareheritage.org
192.168.100.23  worker03  worker03.internal.softwareheritage.org
192.168.100.24  worker04  worker04.internal.softwareheritage.org
192.168.100.25  worker05  worker05.internal.softwareheritage.org
192.168.100.26  worker06  worker06.internal.softwareheritage.org
192.168.100.27  worker07  worker07.internal.softwareheritage.org
192.168.100.28  worker08  worker08.internal.softwareheritage.org
</pre>
 
In the future, we might push a DNS entry via the openvpn server.
 
[[Category:Infrastructure]]
 

Latest revision as of 12:59, 28 October 2021