VPN: Difference between revisions
Revision as of 11:18, 6 February 2015
VPN main objectives
- Connect remote hosts or networks "as if" they were in Grid'5000 network
- No need for an SSH gateway (easier for Windows users, direct access to a node's web server, ...)
- Interconnection with the outside world (servers, networks, ...)
- Encrypt communication forwarded on public networks
Configuration
Summary
- Software used: OpenVPN
- Layer 2 VPN
- Ethernet frame encapsulation (L2)
- Encapsulation within UDP packets: most efficient
- Fallback encapsulation within TCP packets: most robust for crossing firewalls
- Dedicated VLAN for VPN (600)
- Implemented in south DMZ
- VPN IP network: 172.20.0.0/16
- Every site router needs an additional route towards the VPN network:
ip route 172.20.0.0 255.255.0.0 192.168.4.254 name vpn_viasouth
Network Equipment
On equipment hosting VPN
!
interface GigabitEthernet0/3/4
 description DMZ (to srv2.sophia)
 switchport trunk allowed vlan 1,600,666,1002-1005
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/3/5
 description DMZ (to srv2.sophia)
 switchport trunk allowed vlan 1,600,666,1002-1005
 switchport mode trunk
 no ip address
 shutdown
!
interface GigabitEthernet0/3/6
 description DMZ (to srv2.sophia)
 switchport trunk allowed vlan 1,600,666,1002-1005
 switchport mode trunk
 no ip address
 shutdown
!
interface Vlan600
 description DMZ: gw-south-vpn
 ip address 172.20.255.254 255.255.0.0
!
On other sites' routers
ip route 172.20.0.0 255.255.0.0 192.168.4.12
Dom0
DomU
OpenVPN configuration
Configuration file explained (/etc/openvpn/server_{udp,tcp}.conf on vpn.grid5000.fr)
# Server mode, using SSL/TLS authentication
mode server
tls-server
# (server_tcp.conf is the same file with "port 443" and "proto tcp")
port 1194
proto udp
# VPN clients' traffic comes from the server's tap0 interface
dev tap0
# SSL credentials
## As with clients, the server cert is signed by the CA
ca /etc/openvpn/keys/ca.api.grid5000.fr.crt
cert /etc/openvpn/keys/vpn.grid5000.fr.crt
dh /etc/openvpn/keys/dh2048.pem
key /etc/openvpn/keys/vpn.grid5000.fr.key
## This last file is shared with all G5K users (no key direction on either side). The HMAC it
## provides lets the server drop control packets from outsiders before any TLS work is done,
## which limits DoS attacks on the TLS handshake.
tls-auth /etc/openvpn/keys/ta.key
# The pool of VPN IP addresses assigned to clients
ifconfig-pool 172.20.100.0 172.20.255.253 255.255.0.0
# Route and DNS configuration sent to clients
## The VPN gateway to reach the other G5K networks (it is a gw-south interface)
push "route-gateway 172.20.255.254"
## Clients can reach these networks through the VPN
push "route 172.16.0.0 255.255.0.0"
push "route 10.0.0.0 255.0.0.0"
## DNS configuration to resolve Grid'5000 hostnames
push "dhcp-option DNS 172.16.143.101"
push "dhcp-option DOMAIN grid5000.fr"
# Use a certificate revocation list, for closed accounts or lost certificates
crl-verify /var/local/ca.api.grid5000.fr.crl.pem
# Implement a soft persistence between username and VPN IP address
ifconfig-pool-persist /var/local/openvpn_ipp.txt
# Drop the privileges of the openvpn daemon after startup
## (OpenVPN is normally given persist-key and persist-tun alongside these so that a
## SIGUSR1 restart still works once the keys are no longer readable by "nobody")
user nobody
group nogroup
Network interfaces configuration
Iptables configuration
OpenVPN configuration
Security
OpenVPN SSL Certificates management for UMS
Wishlist
- ensure persistent client IP address
- provide DNS name to client
- Example <login>.vpn.grid5000.fr
- Implement fail2ban rule for OpenVPN
VPN User Documentation
The Grid'5000 Virtual Private Network (VPN) lets you connect to the Grid'5000 network from your personal computer while preserving security by encrypting your communications.
When connected to the Grid'5000 VPN, your computer is "inside" the Grid'5000 network, so you no longer need several SSH hops to reach Grid'5000 nodes and frontends.
The Grid'5000 VPN is based on OpenVPN (http://openvpn.net).
Getting started
To start using the Grid'5000 VPN, you first need to get a certificate:
Go to your account management page, select "My account" and, from the "Actions" drop-down list, select "Generate VPN certificate".
Your certificate will appear at the bottom of the page. Click on "Zip file" to download an archive containing the certificates and the configuration file needed for the VPN connection.
Extract the archive onto your computer. Choose a secure place to store those files: anyone who obtains them can connect to the VPN as you, so keep them readable only by your own user account.
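Before the first connection it is worth checking that the extracted files are consistent with each other and stored safely. The script below is an added example, not part of the Grid'5000 documentation: it uses the file names from the page's parameter list (<username>.crt, <username>.key, cavpn.crt), requires the openssl command-line tool, and prompts for the passphrase if the private key is encrypted. The function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the Grid'5000 page): sanity checks on the files
# extracted from the "Zip file" archive, run from the extraction folder.
# File names follow the page's "Grid'5000 VPN parameters" list; the helper
# names below are this example's own.

# cert_chains_to_ca CERT CA
# The user certificate must be signed by the CA the server trusts, otherwise
# the TLS handshake is rejected. The ": OK" line is what openssl prints on success.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# key_matches_cert KEY CERT
# Compare the public key embedded in the certificate with the one derived from
# the private key (works for RSA and EC keys). A mismatch usually means files
# from two different downloads were mixed up.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# cert_valid_now CERT: fails once the certificate has expired.
cert_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# key_private_enough KEY
# The private key is the credential itself; it must not be readable by other users.
key_private_enough() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# check_bundle USERNAME [DIR]: run every check on DIR/USERNAME.{crt,key} and DIR/cavpn.crt
check_bundle() {
    dir=${2:-.}
    crt="$dir/$1.crt"; key="$dir/$1.key"; ca="$dir/cavpn.crt"
    cert_chains_to_ca "$crt" "$ca" || { echo "$crt is not signed by $ca"; return 1; }
    key_matches_cert "$key" "$crt" || { echo "$key does not match $crt"; return 1; }
    cert_valid_now "$crt"          || { echo "$crt has expired; generate a new VPN certificate"; return 1; }
    key_private_enough "$key"      || { echo "$key is readable by others; run: chmod 600 $key"; return 1; }
    echo "VPN bundle for $1 looks usable"
}

# Usage from the extraction folder:  sh check_bundle.sh <username>
if [ -n "${1:-}" ]; then
    check_bundle "$1"
fi
```

The permission check is deliberately strict (only 0600 or 0400 pass): on a shared workstation a 0644 key is enough for another local user to join the VPN under your identity until the certificate is revoked.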
Launch a connection
The procedure to start a connection to the Grid'5000 VPN depends on your operating system:
- Windows
If you have not done so yet, download and install OpenVPN for Windows (the default installation options should be fine).
Then, from the folder where you extracted the ZIP archive, run "Grid'5000 VPN for Windows" as an administrator (on most Windows systems, right-click on the "Grid'5000 VPN for Windows" file and select "Run as administrator").
- Mac OS X
On OS X systems, we recommend downloading and installing Tunnelblick as the OpenVPN client.
Then, from the folder where you extracted the ZIP archive, double-click on the Grid5000_VPN.ovpn file to install the Grid'5000 VPN configuration into Tunnelblick.
To connect to the VPN, select Grid5000_VPN from the Tunnelblick menu (top right of the screen).
In case of trouble, check the connection logs under "VPN details, Grid5000 VPN, Messages".
- Linux (using NetworkManager)
You can also connect to Grid'5000 as a normal user through the NetworkManager applet (you may need to install packages such as "network-manager-openvpn-gnome").
From the "Network Settings" application, add a network connection and select "VPN". Choose "Import from file..." and select the Grid5000_VPN.ovpn file from the folder where you extracted the ZIP archive. Enter your private key password and validate. The Grid'5000 VPN is now configured.
To connect to the VPN, select "VPN" and click on Connect in the top-right applet.
- Linux (using the command line)
From the folder where you extracted the ZIP archive, you only have to execute this as root:
openvpn <username>_vpnclient.conf
Note that the OpenVPN Linux client does not apply the pushed DNS configuration natively. On most distributions, installing the openresolv package and uncommenting the last lines of the <username>_vpnclient.conf file (the script-security, up and down lines that call update-resolv-conf) enables automatic DNS configuration for the VPN.
- Others
Refer to Grid'5000 VPN parameters to know how to manually configure the VPN.
Testing your connection
When your VPN connection is established, you will be able to connect directly to any Grid'5000 node or frontend. Try it with:
ssh <username>@frontend.lyon.grid5000.fr
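If the ssh test fails, the usual causes are missing pushed routes, a default route that was accidentally sent through the tunnel, or DNS not updated. The script below is an added example, not part of the Grid'5000 documentation, for a Linux client started from the command line: the gateway and pushed networks are those of the server configuration shown on this page, the DNS address is the one from the parameter list (the server configuration above pushes 172.16.143.101 instead; set VPN_DNS to whatever your server actually pushes), and the tap device name and function names are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the Grid'5000 page): checks to run on a Linux client
# once "openvpn <username>_vpnclient.conf" has logged
# "Initialization Sequence Completed". The functions take the text they inspect
# as an argument so they can be exercised offline; vpn_check feeds them live data.

VPN_GATEWAY="172.20.255.254"                 # pushed route-gateway (server config on this page)
VPN_DNS="172.20.255.253"                     # Grid'5000 VPN DNS (parameter list on this page)
VPN_DEV="tap0"                               # assumption: first tap device on a client that had none
PUSHED_PREFIXES="172.16.0.0/16 10.0.0.0/8"   # pushed routes; the VPN must carry only these

# vpn_routes_ok ROUTE_TABLE      (ROUTE_TABLE = output of "ip route show")
# Every pushed prefix must be routed via the VPN gateway.
vpn_routes_ok() {
    for prefix in $PUSHED_PREFIXES; do
        printf '%s\n' "$1" | awk -v p="$prefix" -v g="$VPN_GATEWAY" \
            '$1 == p && $2 == "via" && $3 == g { found = 1 } END { exit !found }' \
            || return 1
    done
    return 0
}

# vpn_no_default_route ROUTE_TABLE
# The page says to use the VPN for the Grid'5000 networks only: a default route
# through the tap device would push all of the machine's traffic into Grid'5000.
vpn_no_default_route() {
    printf '%s\n' "$1" | awk -v d="$VPN_DEV" '
        $1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev" && $(i+1) == d) bad = 1 }
        END { exit bad }'
}

# vpn_dns_ok RESOLV_TEXT         (RESOLV_TEXT = contents of /etc/resolv.conf)
# After the update-resolv-conf hook from the client configuration has run, the
# Grid'5000 resolver must be listed, otherwise node names will not resolve.
vpn_dns_ok() {
    printf '%s\n' "$1" | awk -v n="$VPN_DNS" \
        '$1 == "nameserver" && $2 == n { found = 1 } END { exit !found }'
}

# vpn_check: live run on the connected client
vpn_check() {
    table=$(ip route show)
    resolv=$(cat /etc/resolv.conf)
    vpn_routes_ok "$table"        || { echo "pushed route(s) missing via $VPN_GATEWAY"; return 1; }
    vpn_no_default_route "$table" || { echo "default route goes through $VPN_DEV (not a split tunnel)"; return 1; }
    vpn_dns_ok "$resolv"          || { echo "$VPN_DNS not in /etc/resolv.conf (openresolv hook not active?)"; return 1; }
    echo "VPN routes and DNS look correct; try: ssh <username>@frontend.lyon.grid5000.fr"
}

# Usage:  sh vpn_check.sh --live    (the functions can also be sourced and fed saved output)
if [ "${1:-}" = "--live" ]; then
    vpn_check
fi
```

A default route through the tunnel is the check most worth keeping: the server only pushes specific routes, so if one appears it came from the local configuration (or a modified client file), and from that moment every connection the machine makes, Grid'5000-related or not, transits the VPN gateway.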
Grid'5000 VPN parameters
- Gateway: vpn.grid5000.fr
- Gateway port: 1194 UDP or 443 TCP
- Device type: tap (Ethernet Bridging / Layer 2 VPN)
- Authentication type: Certificate (TLS)
- User certificate: <username>.crt
- CA certificate: cavpn.crt
- User private key: <username>.key
- Additional TLS authentication file: ta.key (no direction)
- Grid'5000 VPN routes: 172.20.0.0/20 and 10.0.0.0/8 (use Grid'5000 VPN for these networks only)
- Grid'5000 VPN DNS: 172.20.255.253
Here is an example configuration file:
client
remote vpn.grid5000.fr 1194 udp
# In case of problems with the UDP connection, use TCP.
#remote vpn.grid5000.fr 443 tcp
dev tap
ca cavpn.crt
cert sdelamare.crt
key sdelamare.key
tls-auth ta.key
# On Linux systems, you can uncomment the following lines to automatically use the Grid'5000 DNS (openresolv package needed)
#script-security 2
#up /etc/openvpn/update-resolv-conf
#down /etc/openvpn/update-resolv-conf
Because every user certificate is signed by the same CA as the server certificate, a client configuration should also pin the server's role, for example with OpenVPN's remote-cert-tls server option (which requires the peer certificate to carry the TLS Web Server Authentication extended key usage), so that another certificate holder cannot pose as vpn.grid5000.fr.