VPN: Difference between revisions
Jump to navigation
Jump to search
(→Dom0) |
(→Dom0) |
||
| Line 106: | Line 106: | ||
== Dom0 == | == Dom0 == | ||
sudo vconfig add | |||
sudo brctl addbr | sudo vconfig add eth3 600 | ||
sudo brctl addif | sudo brctl addbr br-vpn | ||
sudo ifconfig | sudo brctl addif br-vpn eth3.600 | ||
sudo ifconfig | sudo ifconfig eth3.600 up | ||
sudo ifconfig br-vpn up | |||
# /etc/xen/vpn.cfg | |||
vif = [ 'ip=192.168.67.14,mac=00:16:3E:94:30:D7,bridge=br-dmz-priv', | |||
'ip=194.254.60.14,mac=00:16:3E:44:4B:FC,bridge=br-dmz-pub', | |||
'mac=00:16:3E:A9:B1:26,bridge=br-vpn' ] | |||
| Line 126: | Line 127: | ||
# eth2 -- dmz pub (666) | # eth2 -- dmz pub (666) | ||
iface eth2 inet manual | iface eth2 inet manual | ||
# eth3 -- dmz priv (667) | # eth3 -- dmz priv (667) & vpn (600) | ||
iface eth3 inet manual | iface eth3 inet manual | ||
| Line 162: | Line 163: | ||
pre-up /sbin/ifup eth3.667 | pre-up /sbin/ifup eth3.667 | ||
post-down /sbin/ifdown eth3.667 | post-down /sbin/ifdown eth3.667 | ||
#=============== | |||
# = VPN bridge = | |||
#=============== | |||
# Interface 7/19 du fastiron (eth3 de srv2) | |||
auto br-vpn | |||
iface br-vpn inet manual | |||
bridge_ports eth3.600 | |||
bridge_stp off | |||
pre-up /sbin/ifup eth3.600 | |||
post-down /sbin/ifdown eth3.600 | |||
== Network Equipment == | == Network Equipment == | ||
Revision as of 09:29, 2 October 2013
Présentation CT
Principe
- Connecter des hôtes/réseaux distants "comme si" ils appartiennent au même réseau local
- Chiffrer / Authentifier tout ce qui passe sur les réseaux publiques
- Intêret pour G5K
- S'affranchir de la passerelle SSH
- Accès au monde extérieur (à un serveur, à un réseau)
Implémentation
- OpenVPN : Interfaces virtuelles, Linux, portage Windows, SSL, flexible
- L2 VPN ou L3 VPN
- Encapsulation de la trame Ethernet (L2) ou paquet IP (L3)
- Fonctionnement des applications non-IP
- Réseau VPN VLAN dédié
- meilleur isolation, pas le VLAN de production
- non lié à un site
- besoin de configuration des routeurs G5K
- Encapsulation dans UDP (+ TCP ?)
Configuration client
- addresse IP dans réseau VPN
- persistence:
- Par nom de certificat / login
- DNS name: vpn1.grid5000.fr, vpn2.grid5000.fr ou <login>.vpn.grid5000.fr
- routes G5K (Golden rules !)
- 172.16.0.0/16
- 10.0.0.0/8 ?
- DNS G5K
- Authentification Client
- Génération certificat Client à la demande
Securité
- Serveur : Idem access nationale
- 1 interface DMZ + 1 interface VLAN VPN
- Fail2ban, etc.
L2 Ethernet Networks
Some additional VLAN is needed :
VPN: Hosts connected to Grid5000 using VPN access use a dedicated VLAN implemented in ?? site.
Vlan number
| VLAN number | Usage | Name |
|---|---|---|
| 600 | VPN network |
VPN
|
L3 IP Networks
Routing policy
The following table gives detail about the routing policy of each L2 VLAN :
| Network | Routed locally | Routed globally |
|---|---|---|
| VPN network |  |
|
Addressing plan
About VPN
| Site | VPN |
|---|---|
| ? | 172.20.0.0/16
|
Configuration
DomU
Network interfaces configuration
# The DMZ private network interface auto eth0 iface eth0 inet static address 192.168.67.14 netmask 255.255.255.0 broadcast 192.168.67.255 post-up ip route add 172.16.0.0/16 via 192.168.67.253 # The DMZ public network interface auto eth1 iface eth1 inet static address 194.254.60.14 netmask 255.255.255.192 gateway 194.254.60.61 # The VPN network interface, bridged auto br-vpn iface br-vpn inet static address 172.20.0.1 netmask 255.255.0.0 bridge-ports eth2 tap0 pre-up ip tuntap add dev tap0 mode tap
OpenVPN configuration
 |
Managed by Puppet |
|---|---|
|
Classes : Files : Note : | |
Dom0
sudo vconfig add eth3 600
sudo brctl addbr br-vpn
sudo brctl addif br-vpn eth3.600
sudo ifconfig eth3.600 up
sudo ifconfig br-vpn up
# /etc/xen/vpn.cfg
vif = [ 'ip=192.168.67.14,mac=00:16:3E:94:30:D7,bridge=br-dmz-priv',
'ip=194.254.60.14,mac=00:16:3E:44:4B:FC,bridge=br-dmz-pub',
'mac=00:16:3E:A9:B1:26,bridge=br-vpn' ]
# /etc/network/interfaces
auto eth1 eth2 eth3
# eth1 -- production (188)
iface eth1 inet manual
# eth2 -- dmz pub (666)
iface eth2 inet manual
# eth3 -- dmz priv (667) & vpn (600)
iface eth3 inet manual
#==================
# = switch-prod =
#==================
auto switch-prod
iface switch-prod inet static
address 172.16.143.2
netmask 255.255.240.0
gateway 172.16.143.254
bridge_ports eth1
bridge_stp off
#=======================
# = dmz public bridge =
#=======================
# Interface 7/18 du fastiron (eth2 de srv2)
auto br-dmz-pub
iface br-dmz-pub inet manual
bridge_ports eth2.666
bridge_stp off
pre-up /sbin/ifup eth2.666
post-down /sbin/ifdown eth2.666
#========================
# = dmz private bridge =
#========================
# Interface 7/19 du fastiron (eth3 de srv2)
auto br-dmz-priv
iface br-dmz-priv inet manual
bridge_ports eth3.667
bridge_stp off
pre-up /sbin/ifup eth3.667
post-down /sbin/ifdown eth3.667
#===============
# = VPN bridge =
#===============
# Interface 7/19 du fastiron (eth3 de srv2)
auto br-vpn
iface br-vpn inet manual
bridge_ports eth3.600
bridge_stp off
pre-up /sbin/ifup eth3.600
post-down /sbin/ifdown eth3.600
Network Equipment
On equipment hosting VPN
create vlan VPN configure vlan "VPN" tag 600 show configuration configure vlan "VPN" ipaddress 172.20.255.254 255.255.0.0 enable ipforwarding vlan "VPN" configure vlan "VPN" add ports 2:32 tagged #Dom0 port
On other sites' routers
route add 172.20.0.0/16 gw 192.168.4.<VPN_site>
VPN Client
OpenVPN's client.conf file:
client remote access.lyon.grid5000.fr 1194 proto udp ca ca.crt cert client1.crt key client1.key #tls-auth ta.key 1 dev tap