''The current revision of this page is a redirect to [[swhdocs:sysadm/user-management/openvpn/openvpn.html]] (23 intermediate revisions by 5 users are not shown). The earlier content, which the redirect replaced, is reproduced below.''

The [[Software Heritage]] server and the VMs running on it are severely firewalled. To get onto their network unrestricted, a VPN based on [https://openvpn.net/ OpenVPN] is available.

The setup is client-server, with per-client certificates: each client authenticates with its own X.509 certificate issued by the Software Heritage certification authority, so access is granted per person rather than via a shared secret.

== OpenVPN client configuration ==

Sample configuration file, e.g., /etc/openvpn/softwareheritage.conf:

<pre>
remote louvre.softwareheritage.org
ns-cert-type server
comp-lzo
nobind
dev tun
proto udp
port 1194
log /var/log/openvpn.log
up-restart
persist-key
persist-tun
client
ca /etc/openvpn/keys/softwareheritage-ca.crt
cert /etc/openvpn/keys/softwareheritage.crt
key /etc/openvpn/keys/softwareheritage.key
user nobody
group nogroup
</pre>

Two directives in this file deserve a note. ''ns-cert-type server'' makes the client check that the certificate presented by the server carries the nsCertType=server extension, so that another client certificate signed by the same CA cannot be used to impersonate the server. It is deprecated since OpenVPN 2.4 and was removed in 2.5; the equivalent there is ''remote-cert-tls server'', which checks the serverAuth extended key usage instead, so the server certificate must carry that extension. ''comp-lzo'' enables compression of the tunnelled traffic; compression on a VPN leaks information about the plaintext through packet sizes (the VORACLE class of attacks), and OpenVPN deprecated it in 2.4. It should be removed, on the server as well as in this file, since both ends must agree on it.

In addition to the above configuration file, you will need to install the following 3 files under /etc/openvpn/keys:

* '''[[softwareheritage-ca.crt]]''': ''public'' certificate for the Software Heritage certification authority (CA)
* '''softwareheritage.crt''': ''public'', client-specific certificate (see below)
* '''softwareheritage.key''': ''private'', client-specific key (see below); keep it readable by root only (e.g., mode 0600), since anyone holding it can join the VPN as you

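The ns-cert-type and comp-lzo directives in the sample configuration are both deprecated in current OpenVPN releases, and a client that has no server-certificate check at all will accept any certificate the CA ever signed as the server. The following Python script is an added example, not code from the original page or from Software Heritage's own tooling: it parses an OpenVPN client configuration in the format shown above, flags those directives, and emits a hardened copy. SAMPLE_CONFIG is the configuration from this page; the rule set, and the choice to append ''remote-cert-tls server'' when no server check is present, are this example's own assumptions.

```python
"""Lint an OpenVPN client configuration for deprecated or risky directives.

Added example: not from the original wiki page nor from Software Heritage's
tooling. SAMPLE_CONFIG is the client configuration shown on this page; the
rule set (which directives are flagged and what replaces them) is this
example's own, based on the OpenVPN 2.4/2.5 deprecations.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: the client configuration from this page, verbatim.
SAMPLE_CONFIG = """\
remote louvre.softwareheritage.org
ns-cert-type server
comp-lzo
nobind
dev tun
proto udp
port 1194
log /var/log/openvpn.log
up-restart
persist-key
persist-tun
client
ca /etc/openvpn/keys/softwareheritage-ca.crt
cert /etc/openvpn/keys/softwareheritage.crt
key /etc/openvpn/keys/softwareheritage.key
user nobody
group nogroup
"""


@dataclass(frozen=True)
class Finding:
    line_no: int             # 0 = the whole file (something is missing)
    directive: str
    message: str
    replacement: str | None  # line to emit instead; None = drop the line


def parse(text: str) -> list[tuple[int, str, list[str]]]:
    """Split a config into (line_no, directive, args), skipping blank lines
    and comment lines (OpenVPN comments start with '#' or ';')."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        directive, *args = line.split()
        entries.append((n, directive, args))
    return entries


def lint(text: str) -> list[Finding]:
    """Return the findings for one client configuration, in file order."""
    entries = parse(text)
    present = {d for _, d, _ in entries}
    findings: list[Finding] = []
    for n, d, args in entries:
        if d == "ns-cert-type":
            # Legacy nsCertType check, removed in OpenVPN 2.5; the EKU-based
            # remote-cert-tls directive is the drop-in replacement.
            kind = args[0] if args else "server"
            findings.append(Finding(
                n, d,
                "ns-cert-type is deprecated since OpenVPN 2.4 and removed in 2.5",
                f"remote-cert-tls {kind}"))
        elif d == "comp-lzo" or (
                d == "compress" and args and not args[0].startswith("stub")):
            # Compressing tunnelled traffic leaks plaintext through packet
            # sizes (VORACLE); OpenVPN deprecated comp-lzo in 2.4.
            findings.append(Finding(
                n, d, "VPN compression leaks plaintext length (VORACLE); remove it",
                None))
    server_checks = {"ns-cert-type", "remote-cert-tls",
                     "verify-x509-name", "tls-verify"}
    if "client" in present and not (present & server_checks):
        # Without one of these, any certificate the CA signed (another user's
        # client certificate, for instance) is accepted as the server.
        findings.append(Finding(
            0, "remote-cert-tls",
            "no check that the peer certificate is a server certificate",
            "remote-cert-tls server"))
    return findings


def harden(text: str) -> str:
    """Apply every finding: replace or drop flagged lines, append missing ones."""
    findings = lint(text)
    by_line = {f.line_no: f for f in findings if f.line_no}
    out: list[str] = []
    for n, raw in enumerate(text.splitlines(), 1):
        f = by_line.get(n)
        if f is None:
            out.append(raw)
        elif f.replacement is not None:
            out.append(f.replacement)
        # replacement None: the line is dropped
    for f in findings:
        if f.line_no == 0 and f.replacement is not None:
            out.append(f.replacement)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        where = f"line {f.line_no}" if f.line_no else "file"
        print(f"{where}: {f.directive}: {f.message}")
    print("--- hardened ---")
    print(harden(SAMPLE_CONFIG), end="")
```

Run against the page's configuration it reports the ns-cert-type and comp-lzo lines and writes the same file with ''remote-cert-tls server'' in place of ''ns-cert-type server'' and the compression line removed; a file that has neither directive gets ''remote-cert-tls server'' appended. The hardened output assumes the server certificate carries the serverAuth extended key usage, which easy-rsa's server profile sets.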
== Obtaining a client certificate ==

=== For users ===

Ask an admin ([[Olasd]] or [[Zack]], currently) to produce a client-specific certificate/key pair for you.

Please ensure there is a way to send you the certificate and the key securely (e.g., GPG-encrypted to your key): the private key is the credential that grants VPN access.

=== For admins ===

On louvre:

<pre>
root@louvre:~# cd /etc/openvpn/easy-rsa/
root@louvre:/etc/openvpn/easy-rsa# . vars
root@louvre:/etc/openvpn/easy-rsa# ./build-key USERNAME
[ accept defaults, they should be OK ]
</pre>

At the end of the process the certificate and key will be in /etc/openvpn/keys/USERNAME.{crt,key}. Send them to USERNAME (securely). Note that build-key generates the client's private key on louvre, so a copy exists there until it is deleted; only USERNAME.crt, USERNAME.key and the CA certificate need to leave the machine, never the CA key.

== /etc/hosts entries ==

Once the VPN is set up on your machine, you can access Software Heritage hosts via their private IP addresses; see [[Network configuration]].

The following lines in your /etc/hosts might make it easier to access the machines via mnemonic names:

<pre>
192.168.100.1 louvre louvre.internal.softwareheritage.org
192.168.100.29 pergamon pergamon.internal.softwareheritage.org
192.168.100.30 tate tate.internal.softwareheritage.org
192.168.100.31 moma moma.internal.softwareheritage.org
192.168.100.100 prado prado.internal.softwareheritage.org
192.168.100.101 uffizi uffizi.internal.softwareheritage.org
192.168.100.21 worker01 worker01.internal.softwareheritage.org
192.168.100.22 worker02 worker02.internal.softwareheritage.org
192.168.100.23 worker03 worker03.internal.softwareheritage.org
192.168.100.24 worker04 worker04.internal.softwareheritage.org
192.168.100.25 worker05 worker05.internal.softwareheritage.org
192.168.100.26 worker06 worker06.internal.softwareheritage.org
192.168.100.27 worker07 worker07.internal.softwareheritage.org
192.168.100.28 worker08 worker08.internal.softwareheritage.org
</pre>

In the future, we might push a DNS entry via the OpenVPN server.

[[Category:Infrastructure]]