VPN
Revision as of 20:05, 17 July 2015 by StefanoZacchiroli (talk | contribs) (→Obtaining a client certificate)
The Software Heritage server and the VMs running on it are severely firewalled. To get onto their network unrestricted, a VPN based on OpenVPN is available.
The setup is client-server, with per-client certificates.
Openvpn client configuration
Sample configuration file, e.g., /etc/openvpn/softwareheritage.conf:
remote louvre.softwareheritage.org ns-cert-type server comp-lzo nobind dev tun proto udp port 1194 log /var/log/openvpn.log up-restart persist-key persist-tun client ca /etc/openvpn/keys/softwareheritage-ca.crt cert /etc/openvpn/keys/softwareheritage.crt key /etc/openvpn/keys/softwareheritage.key user nobody group nogroup
In addition to the above configuration file, you will need to install the following 3 files under /etc/openvpn/keys:
- softwareheritage-ca.crt: public certificate for the Software Heritage certification authority (CA)
- softwareheritage.crt: public, client-specific certificate (see below)
- softwareheritage.key: private, client-specific key (see below)
Obtaining a client certificate
for users
Ask an admin (Olasd or Zack, currently) to produce a pair of client-specific certificate/key for you.
for admins
On louvre:
root@louvre:~# cd /etc/openvpn/easy-rsa/ root@louvre:/etc/openvpn/easy-rsa# . vars root@louvre:/etc/openvpn/easy-rsa# ./build-key USERNAME [ accept defaults, they should be OK ]
At the end of the process certificate and key will be in /etc/openvpn/keys/USERNAME.{crt,key}. Send them to USERNAME (securely).
/etc/hosts recommended entries
TODO