Difference between revisions of "VPN"

From Software Heritage Wiki
m (minor edit)

Line 81:

  [[Category:Infrastructure]]
+ [[Category:System administration]]

Revision as of 20:31, 17 July 2015

The Software Heritage server and the VMs running on it are severely firewalled. To get onto their network unrestricted, a VPN based on OpenVPN is available.

The setup is client-server, with per-client certificates.

OpenVPN client configuration

Sample configuration file, e.g., /etc/openvpn/softwareheritage.conf:

remote louvre.softwareheritage.org
ns-cert-type server
comp-lzo
nobind
dev tun
proto udp
port 1194
log /var/log/openvpn.log
up-restart
persist-key
persist-tun
client
ca /etc/openvpn/keys/softwareheritage-ca.crt
cert /etc/openvpn/keys/softwareheritage.crt
key /etc/openvpn/keys/softwareheritage.key
user nobody
group nogroup

In addition to the above configuration file, you will need to install the following 3 files under /etc/openvpn/keys:

  • softwareheritage-ca.crt: public certificate for the Software Heritage certification authority (CA)
  • softwareheritage.crt: public, client-specific certificate (see below)
  • softwareheritage.key: private, client-specific key (see below)
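As an added example (not part of the Software Heritage wiki), a small Python linter for client configurations of the form above: it parses the directives and flags the points that matter for a client config, notably the absence of a server-certificate check and the persist-key/persist-tun directives needed once privileges drop to nobody/nogroup. The sample text is the page's own configuration embedded as a string; remote-cert-tls is the OpenVPN directive that superseded ns-cert-type.

```python
# Constructed input: the sample /etc/openvpn/softwareheritage.conf from this page.
SAMPLE_CONF = """\
remote louvre.softwareheritage.org
ns-cert-type server
comp-lzo
nobind
dev tun
proto udp
port 1194
log /var/log/openvpn.log
up-restart
persist-key
persist-tun
client
ca /etc/openvpn/keys/softwareheritage-ca.crt
cert /etc/openvpn/keys/softwareheritage.crt
key /etc/openvpn/keys/softwareheritage.key
user nobody
group nogroup
"""

def parse_openvpn(text):
    """Map each directive to the list of its argument lists; skip blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        conf.setdefault(name, []).append(args)
    return conf

def lint_client_conf(conf):
    """Return a list of findings for a client config; an empty list means all checks passed."""
    findings = []
    for required in ("client", "remote", "ca", "cert", "key"):
        if required not in conf:
            findings.append(f"missing required directive: {required}")
    # Server identity check; without it any cert signed by the same CA passes as the server.
    if "remote-cert-tls" not in conf and "ns-cert-type" not in conf:
        findings.append("no server certificate check; add 'remote-cert-tls server'")
    elif "remote-cert-tls" not in conf:
        findings.append("ns-cert-type is deprecated; prefer 'remote-cert-tls server'")
    # Once privileges drop to nobody/nogroup, the key and tun device cannot be
    # reopened, so reconnects need persist-key and persist-tun.
    if "user" in conf or "group" in conf:
        for directive in ("persist-key", "persist-tun"):
            if directive not in conf:
                findings.append(f"user/group set but {directive} missing")
    return findings
```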

Obtaining a client certificate

For users

Ask an admin (Olasd or Zack, currently) to produce a client-specific certificate/key pair for you.

Please ensure there is a way to send you the certificate and the key securely (e.g., GPG).

For admins

On louvre:

root@louvre:~# cd /etc/openvpn/easy-rsa/
root@louvre:/etc/openvpn/easy-rsa# . vars
root@louvre:/etc/openvpn/easy-rsa# ./build-key USERNAME
[ accept defaults, they should be OK ]

At the end of the process, the certificate and key will be in /etc/openvpn/keys/USERNAME.{crt,key}. Send them to USERNAME (securely).

/etc/hosts entries

Once the VPN is set up on your machine, you can access Software Heritage hosts via their private IP addresses; see Network configuration.

The following lines in your /etc/hosts might make it easier to access the machines via mnemonic names:

192.168.100.1   louvre    louvre.internal.softwareheritage.org
192.168.100.29  pergamon  pergamon.internal.softwareheritage.org
192.168.100.30  tate      tate.internal.softwareheritage.org
192.168.100.31  moma      moma.internal.softwareheritage.org
192.168.100.100 prado     prado.internal.softwareheritage.org
192.168.100.101 uffizi    uffizi.internal.softwareheritage.org
192.168.100.21  worker01  worker01.internal.softwareheritage.org
192.168.100.22  worker02  worker02.internal.softwareheritage.org
192.168.100.23  worker03  worker03.internal.softwareheritage.org
192.168.100.24  worker04  worker04.internal.softwareheritage.org
192.168.100.25  worker05  worker05.internal.softwareheritage.org
192.168.100.26  worker06  worker06.internal.softwareheritage.org
192.168.100.27  worker07  worker07.internal.softwareheritage.org
192.168.100.28  worker08  worker08.internal.softwareheritage.org

In the future, we might push a DNS entry via the OpenVPN server.