Difference between revisions of "VPN"

From Software Heritage Wiki
(→‎Revoking a client certificate: Update to easy-rsa 3.x)
(Install redirection to the docs page)
#REDIRECT [[swhdocs:sysadm/user-management/openvpn/openvpn.html]]

The [[Software Heritage]] server and the VMs running on it are severely firewalled. To get onto their network unrestricted, a VPN based on [https://openvpn.net/ OpenVPN] is available.

The setup is client-server, with per-client certificates.

== OpenVPN client configuration ==

=== Raw OpenVPN ===

Sample configuration file, e.g., /etc/openvpn/softwareheritage.conf:

<pre>
remote louvre.softwareheritage.org
# ns-cert-type was removed in OpenVPN 2.5; on current clients use "remote-cert-tls server" instead.
ns-cert-type server
comp-lzo
nobind
dev tun
proto udp
port 1194
log /var/log/openvpn.log
up-restart
persist-key
persist-tun
client
ca /etc/openvpn/keys/softwareheritage-ca.crt
cert /etc/openvpn/keys/softwareheritage.crt
key /etc/openvpn/keys/softwareheritage.key
user nobody
group nogroup

# If you are using resolvconf, add this:
# Make sure you add louvre to /etc/hosts to avoid issues in using the vpn-provided DNS server.
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

# If you want the connection to persist when your network fails, add this:
ping-restart 10
</pre>

In addition to the above configuration file, you will need to install the following 3 files under /etc/openvpn/keys:

* '''[[softwareheritage-ca.crt]]''': ''public'' certificate for the Software Heritage certification authority (CA)
* '''softwareheritage.crt''': ''public'', client-specific certificate (see below)
* '''softwareheritage.key''': ''private'', client-specific key (see below)

=== Network Manager GUI ===

You need network-manager-openvpn and network-manager-openvpn-gnome for the configuration GUI.

[[File:nm_openvpn_base.png]]
[[File:nm_openvpn_routes.png]]
[[File:nm_openvpn_advanced_general.png]]
[[File:nm_openvpn_advanced_security.png]]
[[File:nm_openvpn_advanced_tls_auth.png]]

== Obtaining a client certificate ==

=== For users ===

Ask an admin to produce a client-specific certificate/key pair for you.

Please ensure there is a way to send you the certificate and the key securely (e.g., GPG).

=== For admins ===

On louvre:

<pre>
root@louvre:~# cd /etc/openvpn/keys
root@louvre:/etc/openvpn/keys# ./easyrsa build-client-full USERNAME nopass
</pre>

At the end of the process, the certificate and key will be in /etc/openvpn/keys/pki/issued/USERNAME.crt and /etc/openvpn/keys/pki/private/USERNAME.key.
Send them to USERNAME (securely).

Add the DNS entry for the new host to hiera and do a puppet run on pergamon.

== Revoking a client certificate ==

On louvre:

<pre>
root@louvre:~# cd /etc/openvpn/keys
root@louvre:/etc/openvpn/keys# ./easyrsa revoke USERNAME
[ say yes ]
root@louvre:/etc/openvpn/keys# ./easyrsa gen-crl
</pre>

OpenVPN re-reads the CRL at each connection, so once the cert is revoked, there's nothing more to do. You can restart openvpn to make sure the client is disconnected.
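As an added example (not part of this wiki page or of Software Heritage's tooling), the following script builds a throw-away CA with plain openssl to show what the easyrsa build-client-full, revoke and gen-crl steps in the two admin sections above do underneath, and then checks a client certificate against the CRL the way OpenVPN does on each connection. The work directory, the CA name and the user name testuser are constructed for the demo.

```shell
# Added example, not from the wiki page: a throw-away CA driven with plain openssl
# (easy-rsa is not assumed installed) showing what build-client-full / revoke /
# gen-crl do underneath, and how a client cert is checked against the CRL the way
# OpenVPN's crl-verify does on every connection. Paths and "testuser" are made up.
set -eu
WORK=$(mktemp -d); cd "$WORK"
mkdir newcerts; touch index.txt; echo 1000 > serial; echo 1000 > crlnumber
cat > ca.cnf <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
new_certs_dir = $WORK/newcerts
serial = $WORK/serial
crlnumber = $WORK/crlnumber
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = any_cn
[ any_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
# Self-signed demo CA (stands in for softwareheritage-ca.crt).
openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -subj /CN=demo-ca \
  -days 30 -keyout ca.key -out ca.crt 2>/dev/null

issue_client() {   # like `easyrsa build-client-full NAME nopass`
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl ca -batch -config ca.cnf -notext -in "$1.csr" -out "$1.crt" 2>/dev/null
}
gen_crl() {        # like `easyrsa gen-crl`; this is the file crl-verify points at
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}
revoke_client() {  # like `easyrsa revoke NAME`, plus the CRL refresh it needs
  openssl ca -config ca.cnf -revoke "$1.crt" 2>/dev/null && gen_crl
}
check_client() {   # 0 only if the cert chains to the CA and is not on the CRL
  openssl verify -CAfile ca.crt -CRLfile crl.pem -crl_check "$1.crt" >/dev/null 2>&1
}

issue_client testuser && gen_crl
check_client testuser && echo "testuser: accepted"
revoke_client testuser
check_client testuser || echo "testuser: rejected, serial listed in crl.pem"
```

Until gen_crl has run after a revoke, check_client still accepts the certificate, which is why the revocation procedure above ends with easyrsa gen-crl.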

== /etc/hosts entries ==

Once the VPN is set up on your machine, you can access Software Heritage hosts via their private IP addresses; see [[Network configuration]].

OpenVPN now pushes the address of our DNS server (192.168.100.29, pergamon).

You might want to add louvre.softwareheritage.org to your /etc/hosts to avoid a bootstrap problem if the "on-vpn" DNS server is in your resolv.conf.

[[Category:Infrastructure]]
[[Category:System administration]]

Latest revision as of 12:59, 28 October 2021