VPN

From Software Heritage Wiki
Jump to navigation Jump to search

The Software Heritage server and the VMs running on it are severely firewalled. To get onto their network unrestricted, a VPN based on OpenVPN is available.

The setup is client-server, with per-client certificates.

Openvpn client configuration

Sample configuration file, e.g., /etc/openvpn/softwareheritage.conf:

remote louvre.softwareheritage.org
ns-cert-type server 
comp-lzo 
nobind
dev tun
proto udp 
port 1194 
log /var/log/openvpn.log
up-restart 
persist-key 
persist-tun 
client 
ca /etc/openvpn/keys/softwareheritage-ca.crt
cert /etc/openvpn/keys/softwareheritage.crt
key /etc/openvpn/keys/softwareheritage.key
user nobody
group nogroup

In addition to the above configuration file, you will need to install the following 3 files under /etc/openvpn/keys:

  • softwareheritage-ca.crt: public certificate for the Software Heritage certification authority (CA)
  • softwareheritage.crt: public, client-specific certificate (see below)
  • softwareheritage.key: private, client-specific key (see below)

Obtaining a client certificate

For users

Ask an admin (Olasd or Zack, currently) to produce a pair of client-specific certificate/key for you.

Please ensure there is a way to send you the certificate and the key securely (e.g., GPG).

For admins

On louvre:

root@louvre:~# cd /etc/openvpn/easy-rsa/
root@louvre:/etc/openvpn/easy-rsa# . vars 
root@louvre:/etc/openvpn/easy-rsa# ./build-key USERNAME
[ accept defaults, they should be OK ]

At the end of the process certificate and key will be in /etc/openvpn/keys/USERNAME.{crt,key}. Send them to USERNAME (securely).

/etc/hosts recommended entries

TODO