Difference between revisions of "VPN"

From Software Heritage Wiki
(Install redirection to the docs page)

This revision replaced the page with a redirect to [[swhdocs:sysadm/user-management/openvpn/openvpn.html]]; the content of the previous revision follows.

The [[Software Heritage]] server and the VMs running on it are severely firewalled.

To get onto their network unrestricted, a VPN based on [https://openvpn.net/ OpenVPN] is available.

The setup is client-server, with per-client certificates.

== OpenVPN client configuration ==

=== Raw OpenVPN ===

Sample configuration file, e.g., /etc/openvpn/swh.conf:

<pre>
remote vpn.softwareheritage.org
# ns-cert-type was deprecated in OpenVPN 2.4 and removed in 2.5; on those versions use "remote-cert-tls server" instead
ns-cert-type server
comp-lzo
nobind
dev tun
proto udp
port 1194
log /var/log/openvpn.log
up-restart
persist-key
persist-tun
client
ca /etc/openvpn/keys/softwareheritage-ca.crt
cert /etc/openvpn/keys/softwareheritage.crt
key /etc/openvpn/keys/softwareheritage.key
# Drop privileges once the tunnel is up (persist-key/persist-tun above keep restarts working without root)
user nobody
group nogroup

# If you are using resolvconf, add this:
# Make sure you add louvre to /etc/hosts to avoid issues in using the vpn-provided DNS server.
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

# If you want the connection to persist when your network fails, add this:
ping-restart 10
</pre>

In addition to the above configuration file, you will need to install the following 3 files under /etc/openvpn/keys (matching the paths within the sample above):

* '''[[softwareheritage-ca.crt]]''': ''public'' certificate for the Software Heritage certification authority (CA)
* '''[https://wiki.softwareheritage.org/index.php?title=VPN#For_admins softwareheritage.crt]''': ''public'', client-specific certificate (signed by an admin, see below)
* '''[https://wiki.softwareheritage.org/wiki/VPN#For_users softwareheritage.key]''': ''private'', client-specific key (generated by the user, see below)


To activate the OpenVPN service, as root run:

  systemctl enable openvpn@swh.service
  systemctl start openvpn@swh.service
  systemctl status openvpn@swh.service

Note: the <tt>swh</tt> instance name in <tt>openvpn@swh.service</tt> must match the configuration file name, /etc/openvpn/swh.conf.

Excerpt of a successful start:

  root@machine:~# systemctl status openvpn@swh.service
  openvpn@swh.service - OpenVPN connection to swh
  Loaded: loaded (/lib/systemd/system/openvpn@.service; indirect; vendor preset: enabled)
  Active: active (running) since Thu 2020-12-17 19:03:29 IST; 22min ago
    Docs: man:openvpn(8)
          https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
          https://community.openvpn.net/openvpn/wiki/HOWTO
  Main PID: 12302 (openvpn)
  Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 4915)
  CGroup: /system.slice/system-openvpn.slice/openvpn@swh.service
          └─12302 /usr/sbin/openvpn --daemon ovpn-swh --status /run/openvpn/swh.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/swh.conf --writepid /run/openvpn/swh.pid
  
  Dec 17 19:03:29 machine systemd[1]: Starting OpenVPN connection to swh...
  Dec 17 19:03:29 machine systemd[1]: Started OpenVPN connection to swh.


=== Network Manager GUI ===

You need network-manager-openvpn and network-manager-openvpn-gnome for the configuration GUI.

[[File:nm_openvpn_base.png]]
[[File:nm_openvpn_routes.png]]
[[File:nm_openvpn_advanced_general.png]]
[[File:nm_openvpn_advanced_security.png]]
[[File:nm_openvpn_advanced_tls_auth.png]]

== Obtaining a client certificate ==

=== For users ===

Generate a keypair (key + certificate signing request) using the following command:

<pre>
openssl req -new -newkey rsa:2048 -nodes -keyout openvpn.key -out openvpn.csr -subj "/CN=<your username>"
</pre>

Please replace <tt>&lt;your username&gt;</tt> with something that uniquely identifies the certificate.

Make sure openvpn.key is stored in a safe place: it is your private key, and anyone who obtains it can connect to the VPN as you.

Provide the CSR file to a sysadmin through a reasonably authenticated medium.

=== For admins ===

* On the firewall (192.168.50.1), go to the [https://192.168.50.1/system_certmanager.php System / Trust / Certificates page]
* click on the add button on the upper right

[[File:Vpn-main-trust-page.png]]

* On the Method list, choose "Sign a Certificate Signing Request"

[[File:Vpn-csr-signing.png]]

Fetch the CSR file provided by the user, for instance with <tt>scp USERNAME.csr louvre:</tt>

* Enter the user name as the descriptive name
* Select "OpenVPN Software Heritage (louvre)" as Certificate Authority
* Enter the duration, usually 10 years
* Paste the CSR
* Validate

* Check the details of the CSR and validate
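The two sides of the exchange above as an added Go example (not code from this wiki or from Software Heritage): NewClientCSR does what the user's openssl command does, and CheckClientCSR is the review an admin should apply to the received CSR before signing it (a PEM that parses, a valid self-signature proving the requester holds the private key, the expected CN, and an RSA key of at least 2048 bits). Function names and the 2048-bit minimum are this example's assumptions; it is an independent check, separate from whatever the firewall GUI verifies.

```go
// Added example, not code from the Software Heritage wiki; names and the 2048-bit floor are assumptions.
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

// NewClientCSR does what the user's openssl command does: fresh RSA key + PEM CSR with CN=username.
func NewClientCSR(username string, bits int) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := x509.CertificateRequest{Subject: pkix.Name{CommonName: username}}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// CheckClientCSR is the admin's review before signing: parse, verify the self-signature
// (proof of possession of the private key), match the CN to the user, require RSA >= 2048.
func CheckClientCSR(csrPEM []byte, expectedUser string) error {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return fmt.Errorf("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("bad CSR signature: %w", err)
	}
	if csr.Subject.CommonName != expectedUser {
		return fmt.Errorf("CN %q does not match user %q", csr.Subject.CommonName, expectedUser)
	}
	if pub, ok := csr.PublicKey.(*rsa.PublicKey); !ok || pub.N.BitLen() < 2048 {
		return fmt.Errorf("key must be RSA of at least 2048 bits")
	}
	return nil
}
```

A CSR that fails any of these checks should be sent back to the user rather than signed.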
 
 
 
== Revoking a client certificate ==

On the firewall (master) [https://192.168.50.1]:
* go to the [https://192.168.50.1/system_crlmanager.php System / Trust / Revocation] page
* edit the "OpenVPN certificate revocation list" CRL

[[File:Vpn-crl-list.png]]

* go to the bottom of the page

[[File:Vpn-csr-certificate.png]]

* select the certificate to revoke
* Add

The revoked-certificate counter for the OpenVPN CRL in the CRL list should increase by one.
 
 
 
== /etc/hosts entries ==

Once the VPN is set up on your machine, you can access Software Heritage hosts via their private IP addresses; see [[Network configuration]].

OpenVPN now pushes the address of our DNS server (192.168.100.29, pergamon).

You might want to add louvre.softwareheritage.org to your /etc/hosts to avoid a bootstrap problem if the "on-vpn" DNS server is in your resolv.conf: that server is only reachable through the tunnel, so before the tunnel is up it cannot resolve the names needed to bring the tunnel up.

[[Category:Infrastructure]]
[[Category:System administration]]
 

Latest revision as of 12:59, 28 October 2021