VPN: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
(minor edits because some of the dialog boxes have changed) |
||
| (49 intermediate revisions by 7 users not shown) | |||
| Line 1: | Line 1: | ||
{{Portal|User}} | |||
{{Portal|Tutorial}} | |||
{{TutorialHeader}} | |||
Grid'5000 Virtual Private Network (VPN) allows to connect your workstation or personal computer to Grid'5000 network, while preserving security. | |||
When connected to Grid'5000 VPN, your computer will be "inside" the Grid'5000 network, thus it won't be required to perform several SSH hops or tunnels to access Grid'5000 nodes, since direct connections are possible. | |||
Grid'5000 VPN is based on [http://openvpn.net OpenVPN]. | |||
= | {{Warning|text=There is no performance guarantee on the VPN infrastructure. It's fine to use the VPN to access and configure your nodes, but avoid running performance-sensitive experiments over the VPN: the results would be unreliable and not reproducible. If you need to access your nodes directly from the Internet, we provide a [[Reconfigurable_Firewall|reconfigurable IPv6 firewall]] service.}} | ||
== | == Getting started == | ||
To start using Grid'5000 VPN, you first need to get a certificate: | |||
* Go to your [https://api.grid5000.fr/ui/account account management page], in the "My account" tab and go to "VPN Certificates" on the left. | |||
* If you do not have a certificate yet, click on "Create new certificate". | |||
** To generate a new certificate click on "Create with Passphrase" (recommended). | |||
** If you already generated a certificate by yourself, click on "Create from public key", paste your public key in the text field and finally "Sign". | |||
* Your certificate appears in the list. Click on "Zip file" to download an archive which includes the certificates and an OpenVPN configuration file. | |||
* Extract the archive content in your workstation. Please choose a secure place to store those files: an attacker could use them to steal your identity in Grid'5000. | |||
== | == Configure your VPN connection == | ||
The Grid'5000 VPN settings are the following: | |||
* '''Gateway:''' vpn.grid5000.fr | |||
* '''Gateway port:''' UDP 1194 or TCP 443 | |||
* '''Device type:''' tun (Layer 3 VPN) | |||
* '''Authentication type:''' Certificate (TLS) | |||
* '''CA certificate:''' cavpn.crt | |||
* '''User certificate:''' <username>.crt | |||
* '''User private key:''' <username>.key | |||
* '''Additional TLS authentication file:''' ta.key (no direction) | |||
* '''Grid'5000 VPN routes:''' 172.16.0.0/16, 10.0.0.0/8 and 172.20.0.0/16 (use Grid'5000 VPN for these networks only) | |||
* '''Grid'5000 VPN DNS:''' 172.20.255.254 | |||
Depending on your operation system or work environement, the configuration and start of the Grid'5000 VPN varies. See below. | |||
=== | === Linux (using network-manager) === | ||
You can connect to the Grid'5000 VPN using "Network Manager", for instance using the Network manager applet in the status bar of a gnome graphical environment (you may require to install a package such as "network-manager-openvpn-gnome"). | |||
To configure the Grid'5000 VPN in Network Manager, go the the "Network Settings" application, add a Network Connection and select "VPN". Choose "OpenVPN" and set the following parameters: | |||
* '''Name:''' as you wish, e.g. ''Grid'5000'' | |||
* '''Gateway:''' choose ''vpn.grid5000.fr'' | |||
* '''Type:''' choose ''Certificates (TLS)'' | |||
* '''User Certificate:''' use your ''<username>.crt'' file | |||
* '''CA Certificate:''' your ''cavpn.crt'' file | |||
* '''Private Key:''' use your ''<username>.key'' file | |||
* '''Private Key Password:''' enter the password needed to unlock your private key | |||
Then, click on the '''Advanced''' button: | |||
* Select '''Configure type of network device''' (also called '''Set virtual device type''') to use '''TUN'''. | |||
* If you prefer to use TCP (recommended if your network is filtered, and UDP does not work), select ''Use TCP'' and under ''Use a specific port'' (also called ''Use custom gateway port''), choose ''443''. | |||
* In the '''TLS Authentication''' tab, enable '''Use additional TLS authentication''' with mode '''TLS-Auth''' and set the ''ta.key'' file as '''Key File'''. | |||
Finally, go to the '''IPv4''' tab: | |||
* Click the '''Routes...''' button | |||
* Check the '''Use this connection only for resources on its network''' | |||
You're done. You can connect to the VPN from Network Manager applet usually present in some corner of your screen. If you need to troubleshoot potential problems, diagnostics can be printed with '''sudo journalctl -fu NetworkManager''' | |||
{{Note|text=Network manager provides an import function which unfortunately does not work well with the configuration we provide in the zip file. Please configure your VPN as described above instead of using that import function.}} | |||
= | === Linux (using command line) === | ||
From the directory where you extracted the ZIP archive, you only have to execute this as root: | |||
{{Term|location=workstation| cmd=<code class="command">sudo openvpn</code> Grid5000_VPN.ovpn}} | |||
Note that the OpenVPN linux client does not support the DNS VPN configuration natively. In most distributions, installing resolvconf package and uncommenting last lines of the ''Grid5000_VPN.ovpn'' file should enable the automatic DNS VPN configuration. | |||
If you prefer to use TCP (recommended if your network is filtered, and UDP does not work), comment the second line and uncomment the fourth. | |||
There is also a bug in the generated config file, you must change "dev tap" by "dev tun". | |||
== | === MAC OS X === | ||
On OS X systems, we recommend downloading and installing [https://tunnelblick.net/ Tunnelblick] as OpenVPN client. | |||
Then, from the folder where you extracted the ZIP archive, double click on the ''Grid5000_VPN.ovpn'' file to install Grid'5000 VPN configuration inside Tunnelblick. | |||
To connect to the VPN, select Grid5000_VPN from Tunnelblick application (top right on the screen). | |||
In case of troubles, check the connection logs inside "VPN details, Grid5000 VPN, Messages" | |||
=== Windows === | |||
If you have not done it yet, [https://openvpn.net/index.php/open-source/downloads.html download and install OpenVPN for Windows] (default installation options should be fine). | If you have not done it yet, [https://openvpn.net/index.php/open-source/downloads.html download and install OpenVPN for Windows] (default installation options should be fine). | ||
Extract the zip file into C:/Users/<your_user>/OpenVPN/config/ and import file "Grid5000_VPN.ovpn" from OpenVPN GUI. | |||
* | * Common errors on Windows : | ||
You | ** The users can't import files into OpenVPN GUI if the directory permissions has changed. | ||
** The last Grid5000_VPN.ovpn lines need to be commented for Windows configuration. | |||
* If the program stays frozen with a message such as <code>... UDPv4 link remote: [AF_INET]194.254.60.14:1194</code>, this means that your local network is probably blocking the UDP conenction to the VPN. | |||
** You need to edit the ''Grid_5000_VPN'' file (with notepad++ or any editor that knows how to handle UNIX text file, the file should show multiple line, not just one). | |||
** Comment the second line (add a #) and uncomment the fourth (remove the #) to switch the connection to TCP instead of UDP. | |||
<syntaxhighlight lang="bash" line="line" highlight="2,4"> | |||
client | |||
#remote vpn.grid5000.fr 1194 udp | |||
# In case of problem with UDP connexion, you can use TCP. | |||
remote vpn.grid5000.fr 443 tcp | |||
dev tun | |||
ca cavpn.crt | |||
cert sdelamare.crt | |||
key sdelamare.key | |||
tls-auth ta.key | |||
# On Linux systems, you can uncomment following lines to automatically use Grid'5000 DNS (openresolv package needed) | |||
#script-security 2 | |||
#up /etc/openvpn/update-resolv-conf | |||
#down /etc/openvpn/update-resolv-conf | |||
</syntaxhighlight> | |||
== Testing your connection == | == Testing your connection == | ||
When your VPN connexion is established, you | When your VPN connexion is established, you should be able to connect directly to any Grid'5000 frontend. Make a try with: | ||
{{Term|location=workstation| cmd=<code class="command">ssh</code> <code class="replace"><your Grid'5000 username></code>@frontend.lyon.grid5000.fr}} | |||
Latest revision as of 17:22, 11 March 2024
|
Note |
|---|---|
This page is actively maintained by the Grid'5000 team. If you encounter problems, please report them (see the Support page). Additionally, as it is a wiki page, you are free to make minor corrections yourself if needed. If you would like to suggest a more fundamental change, please contact the Grid'5000 team. | |
Grid'5000 Virtual Private Network (VPN) allows to connect your workstation or personal computer to Grid'5000 network, while preserving security.
When connected to Grid'5000 VPN, your computer will be "inside" the Grid'5000 network, thus it won't be required to perform several SSH hops or tunnels to access Grid'5000 nodes, since direct connections are possible.
Grid'5000 VPN is based on OpenVPN.
|
Warning |
|---|---|
There is no performance guarantee on the VPN infrastructure. It's fine to use the VPN to access and configure your nodes, but avoid running performance-sensitive experiments over the VPN: the results would be unreliable and not reproducible. If you need to access your nodes directly from the Internet, we provide a reconfigurable IPv6 firewall service. | |
Getting started
To start using Grid'5000 VPN, you first need to get a certificate:
- Go to your account management page, in the "My account" tab and go to "VPN Certificates" on the left.
- If you do not have a certificate yet, click on "Create new certificate".
- To generate a new certificate click on "Create with Passphrase" (recommended).
- If you already generated a certificate by yourself, click on "Create from public key", paste your public key in the text field and finally "Sign".
- Your certificate appears in the list. Click on "Zip file" to download an archive which includes the certificates and an OpenVPN configuration file.
- Extract the archive content in your workstation. Please choose a secure place to store those files: an attacker could use them to steal your identity in Grid'5000.
Configure your VPN connection
The Grid'5000 VPN settings are the following:
- Gateway: vpn.grid5000.fr
- Gateway port: UDP 1194 or TCP 443
- Device type: tun (Layer 3 VPN)
- Authentication type: Certificate (TLS)
- CA certificate: cavpn.crt
- User certificate: <username>.crt
- User private key: <username>.key
- Additional TLS authentication file: ta.key (no direction)
- Grid'5000 VPN routes: 172.16.0.0/16, 10.0.0.0/8 and 172.20.0.0/16 (use Grid'5000 VPN for these networks only)
- Grid'5000 VPN DNS: 172.20.255.254
Depending on your operation system or work environement, the configuration and start of the Grid'5000 VPN varies. See below.
Linux (using network-manager)
You can connect to the Grid'5000 VPN using "Network Manager", for instance using the Network manager applet in the status bar of a gnome graphical environment (you may require to install a package such as "network-manager-openvpn-gnome").
To configure the Grid'5000 VPN in Network Manager, go the the "Network Settings" application, add a Network Connection and select "VPN". Choose "OpenVPN" and set the following parameters:
- Name: as you wish, e.g. Grid'5000
- Gateway: choose vpn.grid5000.fr
- Type: choose Certificates (TLS)
- User Certificate: use your <username>.crt file
- CA Certificate: your cavpn.crt file
- Private Key: use your <username>.key file
- Private Key Password: enter the password needed to unlock your private key
Then, click on the Advanced button:
- Select Configure type of network device (also called Set virtual device type) to use TUN.
- If you prefer to use TCP (recommended if your network is filtered, and UDP does not work), select Use TCP and under Use a specific port (also called Use custom gateway port), choose 443.
- In the TLS Authentication tab, enable Use additional TLS authentication with mode TLS-Auth and set the ta.key file as Key File.
Finally, go to the IPv4 tab:
- Click the Routes... button
- Check the Use this connection only for resources on its network
You're done. You can connect to the VPN from Network Manager applet usually present in some corner of your screen. If you need to troubleshoot potential problems, diagnostics can be printed with sudo journalctl -fu NetworkManager
|
|
Note |
|---|---|
Network manager provides an import function which unfortunately does not work well with the configuration we provide in the zip file. Please configure your VPN as described above instead of using that import function. | |
Linux (using command line)
From the directory where you extracted the ZIP archive, you only have to execute this as root:
|
workstation:
|
sudo openvpn Grid5000_VPN.ovpn |
Note that the OpenVPN linux client does not support the DNS VPN configuration natively. In most distributions, installing resolvconf package and uncommenting last lines of the Grid5000_VPN.ovpn file should enable the automatic DNS VPN configuration.
If you prefer to use TCP (recommended if your network is filtered, and UDP does not work), comment the second line and uncomment the fourth.
There is also a bug in the generated config file, you must change "dev tap" by "dev tun".
MAC OS X
On OS X systems, we recommend downloading and installing Tunnelblick as OpenVPN client.
Then, from the folder where you extracted the ZIP archive, double click on the Grid5000_VPN.ovpn file to install Grid'5000 VPN configuration inside Tunnelblick.
To connect to the VPN, select Grid5000_VPN from Tunnelblick application (top right on the screen).
In case of troubles, check the connection logs inside "VPN details, Grid5000 VPN, Messages"
Windows
If you have not done it yet, download and install OpenVPN for Windows (default installation options should be fine).
Extract the zip file into C:/Users/<your_user>/OpenVPN/config/ and import file "Grid5000_VPN.ovpn" from OpenVPN GUI.
- Common errors on Windows :
- The users can't import files into OpenVPN GUI if the directory permissions has changed.
- The last Grid5000_VPN.ovpn lines need to be commented for Windows configuration.
- If the program stays frozen with a message such as
... UDPv4 link remote: [AF_INET]194.254.60.14:1194, this means that your local network is probably blocking the UDP conenction to the VPN.- You need to edit the Grid_5000_VPN file (with notepad++ or any editor that knows how to handle UNIX text file, the file should show multiple line, not just one).
- Comment the second line (add a #) and uncomment the fourth (remove the #) to switch the connection to TCP instead of UDP.
client
#remote vpn.grid5000.fr 1194 udp
# In case of problem with UDP connexion, you can use TCP.
remote vpn.grid5000.fr 443 tcp
dev tun
ca cavpn.crt
cert sdelamare.crt
key sdelamare.key
tls-auth ta.key
# On Linux systems, you can uncomment following lines to automatically use Grid'5000 DNS (openresolv package needed)
#script-security 2
#up /etc/openvpn/update-resolv-conf
#down /etc/openvpn/update-resolv-conf
Testing your connection
When your VPN connexion is established, you should be able to connect directly to any Grid'5000 frontend. Make a try with:
|
|
workstation:
|
ssh <your Grid'5000 username>@frontend.lyon.grid5000.fr |