(19 intermediate revisions by 5 users not shown) |
Line 1: |
Line 1: |
− | The [[Software Heritage]] server and the VMs running on it are severely firewalled.
| + | #REDIRECT [[swhdocs:sysadm/user-management/openvpn/openvpn.html]] |
− | To get onto their network unrestricted, a VPN based on [https://openvpn.net/ OpenVPN] is available.
| |
− | | |
− | The setup is client-server, with per-client certificates.
| |
− | | |
− | == Openvpn client configuration ==
| |
− | | |
− | Sample configuration file, e.g., /etc/openvpn/softwareheritage.conf:
| |
− | | |
− | <pre>
| |
− | remote louvre.softwareheritage.org
| |
− | ns-cert-type server
| |
− | comp-lzo
| |
− | nobind
| |
− | dev tun
| |
− | proto udp
| |
− | port 1194
| |
− | log /var/log/openvpn.log
| |
− | up-restart
| |
− | persist-key
| |
− | persist-tun
| |
− | client
| |
− | ca /etc/openvpn/keys/softwareheritage-ca.crt
| |
− | cert /etc/openvpn/keys/softwareheritage.crt
| |
− | key /etc/openvpn/keys/softwareheritage.key
| |
− | user nobody | |
− | group nogroup
| |
− | </pre>
| |
− | | |
− | In addition to the above configuration file, you will need to install the following 3 files under /etc/openvpn/keys:
| |
− | | |
− | * '''[[softwareheritage-ca.crt]]''': ''public'' certificate for the Software Heritage certification authority (CA)
| |
− | * '''softwareheritage.crt''': ''public'', client-specific certificate (see below)
| |
− | * '''softwareheritage.key''': ''private'', client-specific key (see below)
| |
− | | |
− | == Obtaining a client certificate ==
| |
− | | |
− | === For users ===
| |
− | | |
− | Ask an admin to produce a pair of client-specific certificate/key for you.
| |
− | | |
− | Please ensure there is a way to send you the certificate and the key securely (e.g., GPG).
| |
− | | |
− | === For admins ===
| |
− | | |
− | On louvre:
| |
− | | |
− | <pre>
| |
− | root@louvre:~# cd /etc/openvpn/easy-rsa/
| |
− | root@louvre:/etc/openvpn/easy-rsa# . vars
| |
− | root@louvre:/etc/openvpn/easy-rsa# ./build-key USERNAME
| |
− | [ accept defaults, they should be OK ]
| |
− | </pre>
| |
− | | |
− | At the end of the process certificate and key will be in /etc/openvpn/keys/USERNAME.{crt,key}.
| |
− | Send them to USERNAME (securely).
| |
− | | |
− | Add the DNS entry for the new host to hiera and do a puppet run on pergamon.
| |
− | | |
− | == /etc/hosts entries ==
| |
− | | |
− | Once the Vpn is setup on your machine, you can access Software Heritage hosts via their private IP addresses; see [[Network configuration]].
| |
− | | |
− | OpenVPN now pushes the address of our DNS server (192.168.100.29, pergamon).
| |
− | | |
− | [[Category:Infrastructure]]
| |
− | [[Category:System administration]]
| |
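Review bot: the redirect to swhdocs:sysadm/user-management/openvpn/openvpn.html removes the only on-wiki copy of three operational details, so check that the target page carries them before this replacement lands: the admin issuance procedure (`. vars` then `./build-key USERNAME` in /etc/openvpn/easy-rsa on louvre, with the resulting /etc/openvpn/keys/USERNAME.{crt,key} delivered over a secure channel such as GPG), the follow-up step of adding the DNS entry to hiera and running puppet on pergamon, and the note that the server pushes the DNS resolver 192.168.100.29 (pergamon). While the sample client configuration is being migrated, the new page should also not carry over `ns-cert-type server` and `comp-lzo` as-is: both are deprecated in current OpenVPN releases, and the server-identity check the first one provides is expressed today as `remote-cert-tls server`, which is the line that stops a client from accepting a peer presenting an ordinary client certificate.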