Difference between revisions of "VPN"

From Software Heritage Wiki
Jump to: navigation, search
(Obtaining a client certificate: Improve instructions to avoid key material transfers.)
m (23 revisions imported)
(No difference)

Revision as of 08:44, 17 July 2020

The Software Heritage server and the VMs running on it are severely firewalled. To get onto their network unrestricted, a VPN based on OpenVPN is available.

The setup is client-server, with per-client certificates.

OpenVPN client configuration

Raw OpenVPN

Sample configuration file, e.g., /etc/openvpn/softwareheritage.conf:

remote louvre.softwareheritage.org
ns-cert-type server 
dev tun
proto udp 
port 1194 
log /var/log/openvpn.log
ca /etc/openvpn/keys/softwareheritage-ca.crt
cert /etc/openvpn/keys/softwareheritage.crt
key /etc/openvpn/keys/softwareheritage.key
user nobody
group nogroup

# If you are using resolvconf, add this:
# Make sure you add louvre to /etc/hosts to avoid issues in using the vpn-provided DNS server.
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

# If you want the connection to persist when your network fails, add this:
ping-restart 10

In addition to the above configuration file, you will need to install the following 3 files under /etc/openvpn/keys:

  • softwareheritage-ca.crt: public certificate for the Software Heritage certification authority (CA)
  • softwareheritage.crt: public, client-specific certificate (see below)
  • softwareheritage.key: private, client-specific key (see below)

Network Manager GUI

You need network-manager-openvpn and network-manager-openvpn-gnome for the configuration gui.

Nm openvpn base.png Nm openvpn routes.png Nm openvpn advanced general.png Nm openvpn advanced security.png Nm openvpn advanced tls auth.png

Obtaining a client certificate

For users

Generate a keypair (key + certificate signing request) using the following command:

openssl req -new -newkey rsa:2048 -nodes -keyout openvpn.key -out openvpn.csr -subj "/CN=<your username>"

Please replace <your username> with something that uniquely identifies the certificate.

Make sure openvpn.key is stored in a safe place (it's your private key, which will allow anyone to connect to the VPN).

Provide the CSR file to a sysadmin through a reasonably authenticated medium.

For admins

On louvre:

Fetch the CSR file provided by the user, for instance with scp USERNAME.csr louvre:

Then, as root on louvre:

root@louvre:~# cd /etc/openvpn/keys
root@louvre:/etc/openvpn/keys# ./easyrsa import-req ~ADMIN/USERNAME.csr USERNAME
root@louvre:/etc/openvpn/keys# ./easyrsa sign-req client USERNAME

The first command imports the csr into the EasyRSA PKI. The second command lets you review and sign it.

Send the signed certificate, /etc/openvpn/keys/pki/issued/USERNAME.crt, to the user. That file only contains public key material.

Add the DNS entry for the new host to hiera and do a puppet run on pergamon.

Revoking a client certificate

On louvre:

root@louvre:~# cd /etc/openvpn/keys
root@louvre:/etc/openvpn/keys# ./easyrsa revoke USERNAME
[ say yes ]
root@louvre:/etc/openvpn/keys# ./easyrsa gen-crl; chmod a+r pki/crl.pem

OpenVPN re-reads the CRL at each connection (which is why we need the CRL to be world-readable), so once the cert is revoked, there's nothing more to do. If you want to make sure the client is disconnected, you need to restart OpenVPN (which will make all clients reconnect).

/etc/hosts entries

Once the Vpn is setup on your machine, you can access Software Heritage hosts via their private IP addresses; see Network configuration.

OpenVPN now pushes the address of our DNS server (, pergamon).

You might want to add louvre.softwareheritage.org in your /etc/hosts to avoid a bootstrap problem if the "on-vpn" DNS server is in your resolv.conf.