Difference between revisions of "VPN"
m (minor edit)
Line 81:
  [[Category:Infrastructure]]
+ [[Category:System administration]]
Revision as of 20:31, 17 July 2015
The Software Heritage server and the VMs running on it are severely firewalled. To get onto their network unrestricted, a VPN based on OpenVPN is available.
The setup is client-server, with per-client certificates.
OpenVPN client configuration
Sample configuration file, e.g., /etc/openvpn/softwareheritage.conf:
# OpenVPN server endpoint
remote louvre.softwareheritage.org
# Only accept a server whose certificate carries the "server" nsCertType extension;
# on OpenVPN 2.4+ the equivalent directive is "remote-cert-tls server" (ns-cert-type was removed in 2.5)
ns-cert-type server
comp-lzo
nobind
dev tun
proto udp
port 1194
log /var/log/openvpn.log
up-restart
persist-key
persist-tun
client
# CA certificate and per-client credentials (see below)
ca /etc/openvpn/keys/softwareheritage-ca.crt
cert /etc/openvpn/keys/softwareheritage.crt
key /etc/openvpn/keys/softwareheritage.key
# Drop privileges once the tunnel is up
user nobody
group nogroup
In addition to the above configuration file, you will need to install the following 3 files under /etc/openvpn/keys:
- softwareheritage-ca.crt: public certificate for the Software Heritage certification authority (CA)
- softwareheritage.crt: public, client-specific certificate (see below)
- softwareheritage.key: private, client-specific key (see below)
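Before bringing the tunnel up it is worth checking that the profile and the three files above are consistent: that every referenced file exists, that the private key is not readable by other users, and that the profile still relies on the deprecated ns-cert-type directive rather than remote-cert-tls. The script below is an added example, not Software Heritage's own tooling: it parses the OpenVPN one-directive-per-line format and runs those checks against a constructed profile in a throw-away directory (the key files it creates are placeholders, not real PEM objects; the private key is deliberately left world-readable). The function names, the base_dir assumption and the placeholder contents are mine.

```python
"""Sanity-check an OpenVPN client profile before bringing the tunnel up.

Added example, not Software Heritage's own tooling. It parses the
one-directive-per-line config format, resolves the ca/cert/key paths and
reports the mistakes that most often ship with a hand-copied profile:
a referenced file that is missing, a private key readable by other users,
and reliance on the deprecated ns-cert-type directive.
"""
import os
import stat
import tempfile


def parse_openvpn_config(text):
    """Return {directive: [args, ...]} with one args list per occurrence.

    Lines are whitespace-separated; '#' or ';' starts a comment. A directive
    may repeat (several 'remote' lines), so each maps to a list of occurrences.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def check_client_config(text, base_dir="/etc/openvpn"):
    """Return a list of findings; an empty list means the profile looks sane."""
    findings = []
    conf = parse_openvpn_config(text)

    if "client" not in conf:
        findings.append("missing 'client' directive (this is not a client profile)")
    if "ns-cert-type" in conf:
        findings.append("'ns-cert-type' is deprecated (removed in OpenVPN 2.5); "
                        "use 'remote-cert-tls server' instead")
    elif "remote-cert-tls" not in conf:
        # Without a role check, any certificate the CA ever issued (including
        # another user's client certificate) would be accepted as the server.
        findings.append("no 'remote-cert-tls server': server identity is not role-checked")

    for directive in ("ca", "cert", "key"):
        occurrences = conf.get(directive, [])
        if not occurrences or not occurrences[-1]:
            findings.append("missing '%s' directive" % directive)
            continue
        path = occurrences[-1][0]  # a later occurrence overrides an earlier one
        if not os.path.isabs(path):
            # Assumption: relative paths are resolved against the config directory.
            path = os.path.join(base_dir, path)
        if not os.path.exists(path):
            findings.append("%s file not found: %s" % (directive, path))
        elif directive == "key":
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append("private key %s is mode %o; it should be 0600" % (path, mode))
    return findings


def demo():
    """Run the check against a constructed profile in a throw-away directory.

    The key files are placeholders, not real certificates. The private key is
    deliberately left world-readable and the profile keeps ns-cert-type, so
    exactly two findings are expected.
    """
    with tempfile.TemporaryDirectory() as tmp:
        keys = os.path.join(tmp, "keys")
        os.mkdir(keys)
        for name in ("softwareheritage-ca.crt", "softwareheritage.crt", "softwareheritage.key"):
            with open(os.path.join(keys, name), "w") as fh:
                fh.write("placeholder, not a real PEM object\n")
        os.chmod(os.path.join(keys, "softwareheritage.key"), 0o644)  # too open on purpose
        profile = """\
remote louvre.softwareheritage.org
ns-cert-type server
comp-lzo
nobind
dev tun
proto udp
port 1194
persist-key
persist-tun
client
ca keys/softwareheritage-ca.crt
cert keys/softwareheritage.crt
key keys/softwareheritage.key
user nobody
group nogroup
"""
        return check_client_config(profile, base_dir=tmp)


if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```

Run it as-is to see the two constructed findings, or call check_client_config() on the real /etc/openvpn/softwareheritage.conf contents with the default base_dir to check an actual installation.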
Obtaining a client certificate
For users
Ask an admin (Olasd or Zack, currently) to produce a client-specific certificate/key pair for you.
Please ensure there is a way to send you the certificate and the key securely (e.g., GPG).
For admins
On louvre:
root@louvre:~# cd /etc/openvpn/easy-rsa/
root@louvre:/etc/openvpn/easy-rsa# . vars
root@louvre:/etc/openvpn/easy-rsa# ./build-key USERNAME
[ accept defaults, they should be OK ]
At the end of the process the certificate and key will be in /etc/openvpn/keys/USERNAME.{crt,key}. Send them to USERNAME (securely).
/etc/hosts entries
Once the VPN is set up on your machine, you can access Software Heritage hosts via their private IP addresses; see Network configuration.
The following lines in your /etc/hosts might make it easier to access the machine via mnemonic names:
192.168.100.1 louvre louvre.internal.softwareheritage.org
192.168.100.29 pergamon pergamon.internal.softwareheritage.org
192.168.100.30 tate tate.internal.softwareheritage.org
192.168.100.31 moma moma.internal.softwareheritage.org
192.168.100.100 prado prado.internal.softwareheritage.org
192.168.100.101 uffizi uffizi.internal.softwareheritage.org
192.168.100.21 worker01 worker01.internal.softwareheritage.org
192.168.100.22 worker02 worker02.internal.softwareheritage.org
192.168.100.23 worker03 worker03.internal.softwareheritage.org
192.168.100.24 worker04 worker04.internal.softwareheritage.org
192.168.100.25 worker05 worker05.internal.softwareheritage.org
192.168.100.26 worker06 worker06.internal.softwareheritage.org
192.168.100.27 worker07 worker07.internal.softwareheritage.org
192.168.100.28 worker08 worker08.internal.softwareheritage.org
In the future, we might push a DNS entry via the openvpn server.
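A hand-maintained /etc/hosts block tends to drift: the resolver takes the first matching line, so a stale entry for a renumbered host silently wins over the new one, and a typo can point a mnemonic name outside the VPN range. The checker below is an added example, not part of the original page: it parses an /etc/hosts block and flags names mapped to more than one address, addresses outside the VPN subnet, and entries missing the short.internal.softwareheritage.org alias used above. The /24 subnet is an assumption drawn from the 192.168.100.x addresses on the page, and the sample input is constructed (the page's first entries plus two deliberate mistakes).

```python
"""Lint a hand-maintained /etc/hosts block for the VPN hosts.

Added example, not part of the original page. /etc/hosts is consulted
first-match, so a stale line for the same name wins over a newer one;
this checker flags duplicate names, addresses outside the VPN subnet and
entries lacking the <short>.internal.softwareheritage.org alias.
"""
import ipaddress

# Assumption: the VPN range is a /24 (the page only shows 192.168.100.x addresses).
VPN_SUBNET = ipaddress.ip_network("192.168.100.0/24")
INTERNAL_DOMAIN = "internal.softwareheritage.org"

# Constructed sample: the page's first entries plus two deliberate mistakes.
SAMPLE_HOSTS = """\
192.168.100.1 louvre louvre.internal.softwareheritage.org
192.168.100.29 pergamon pergamon.internal.softwareheritage.org
192.168.100.30 tate tate.internal.softwareheritage.org
192.168.101.5 moma moma.internal.softwareheritage.org   # wrong subnet (constructed)
192.168.100.99 tate                                      # stale duplicate (constructed)
"""


def parse_hosts(text):
    """Return [(address_string, [names])] for each non-comment /etc/hosts line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue  # blank line, or an address with no names
        entries.append((parts[0], parts[1:]))
    return entries


def check_vpn_hosts(text, subnet=VPN_SUBNET, domain=INTERNAL_DOMAIN):
    """Return a list of findings; an empty list means the block is consistent."""
    findings = []
    seen = {}  # name -> first address that claimed it (first match wins)
    for addr_text, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append("%s is not a valid IP address" % addr_text)
            continue
        if addr not in subnet:
            findings.append("%s (%s) is outside %s" % (names[0], addr, subnet))
        fqdn = "%s.%s" % (names[0], domain)
        if fqdn not in names:
            findings.append("%s lacks the %s alias" % (names[0], fqdn))
        for name in names:
            if name in seen and seen[name] != addr:
                findings.append("%s also mapped to %s earlier; the earlier line wins"
                                % (name, seen[name]))
            seen.setdefault(name, addr)
    return findings


if __name__ == "__main__":
    for finding in check_vpn_hosts(SAMPLE_HOSTS):
        print("-", finding)
```

To check a real machine, pass the contents of /etc/hosts to check_vpn_hosts(); entries for localhost and other non-VPN names will of course be reported as outside the subnet, so restrict the input to the VPN block.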