VPN: Difference between revisions
Revision as of 14:18, 8 October 2013
CT presentation
Principle
- Connect remote hosts/networks "as if" they belonged to the same local network
- Encrypt / authenticate everything that crosses public networks
- Interest for G5K
  - Do away with the SSH gateway
  - Access to the outside world (to a server, to a network)
Implementation
- OpenVPN: virtual interfaces, Linux, Windows port, SSL, flexible

- L2 VPN
- Encapsulation of the Ethernet frame (L2) or of the IP packet (L3)
- Non-IP applications keep working
- Dedicated VPN VLAN network
- Encapsulated in:
  - UDP: yes
  - TCP ?: no
Client configuration
- IP address in the VPN network
- persistence:
  - by certificate name / login
  - DNS name: vpn1.grid5000.fr, vpn2.grid5000.fr or <login>.vpn.grid5000.fr
- G5K routes (Golden rules!)
  - 172.16.0.0/16
  - 10.0.0.0/8 ?
- G5K DNS
- Client authentication
  - Client certificate generated on demand
Security
- Server: same as the national access servers
- Interfaces:
  - public DMZ interface (for VPN client connections from the Internet)
  - private DMZ interface (for G5K administration)
  - VPN VLAN interface, without an IP address (for forwarding onto the VPN VLAN)
- Use of the DMZ puppet classes
L2 Ethernet Networks
An additional VLAN is needed:
VPN: Hosts connected to Grid5000 through the VPN access use a dedicated VLAN implemented at the Sophia site.
VLAN number
| VLAN number | Usage | Name |
|---|---|---|
| 600 | VPN network | VPN |
L3 IP Networks
Routing policy
The following table gives details on the routing policy of each L2 VLAN:
| Network | Routed locally | Routed globally |
|---|---|---|
| VPN network | | |
Addressing plan
About VPN
| Site | VPN |
|---|---|
| ? | 172.20.0.0/16 |
Configuration
DomU
Network interfaces configuration
# The DMZ private network interface
auto eth0
iface eth0 inet static
    address 192.168.67.14
    netmask 255.255.255.0
    broadcast 192.168.67.255
    post-up ip route add 172.16.0.0/16 via 192.168.67.253
# The DMZ public network interface
auto eth1
iface eth1 inet static
    address 194.254.60.14
    netmask 255.255.255.192
    gateway 194.254.60.61
# The VPN network interface, bridged
auto br-vpn
iface br-vpn inet static
    address 172.20.0.1
    netmask 255.255.0.0
    bridge-ports eth2 tap0
    pre-up ip tuntap add dev tap0 mode tap
OpenVPN configuration
Dom0
sudo vconfig add eth3 600
sudo brctl addbr br-vpn
sudo brctl addif br-vpn eth3.600
sudo ifconfig eth3.600 up
sudo ifconfig br-vpn up
# /etc/xen/vpn.cfg
vif = [ 'ip=192.168.67.14,mac=00:16:3E:94:30:D7,bridge=br-dmz-priv',
        'ip=194.254.60.14,mac=00:16:3E:44:4B:FC,bridge=br-dmz-pub',
        'mac=00:16:3E:A9:B1:26,bridge=br-vpn' ]
# /etc/network/interfaces
auto eth1 eth2 eth3
# eth1 -- production (188)
iface eth1 inet manual
# eth2 -- dmz pub (666)
iface eth2 inet manual
# eth3 -- dmz priv (667) & vpn (600)
iface eth3 inet manual
#==================
# = switch-prod =
#==================
auto switch-prod
iface switch-prod inet static
    address 172.16.143.2
    netmask 255.255.240.0
    gateway 172.16.143.254
    bridge_ports eth1
    bridge_stp off
#=======================
# = dmz public bridge =
#=======================
# Interface 7/18 of the FastIron (eth2 of srv2)
auto br-dmz-pub
iface br-dmz-pub inet manual
    bridge_ports eth2.666
    bridge_stp off
    pre-up /sbin/ifup eth2.666
    post-down /sbin/ifdown eth2.666
#========================
# = dmz private bridge =
#========================
# Interface 7/19 of the FastIron (eth3 of srv2)
auto br-dmz-priv
iface br-dmz-priv inet manual
    bridge_ports eth3.667
    bridge_stp off
    pre-up /sbin/ifup eth3.667
    post-down /sbin/ifdown eth3.667
#===============
# = VPN bridge =
#===============
# Interface 7/19 of the FastIron (eth3 of srv2)
auto br-vpn
iface br-vpn inet manual
    bridge_ports eth3.600
    bridge_stp off
    pre-up /sbin/ifup eth3.600
    post-down /sbin/ifdown eth3.600
Network Equipment
On the equipment hosting the VPN
vlan 600 name VPN by port
 tagged 7/19
 router-interface ve 60
interface ve 60
 port-name VPN
 ip address 172.20.255.254 255.255.0.0
On other sites' routers
route add 172.20.0.0/16 gw 192.168.4.<VPN_site>
VPN Client
OpenVPN's client.conf file:
client
remote access.lyon.grid5000.fr 1194
proto udp
ca ca.crt
cert client1.crt
key client1.key
#tls-auth ta.key 1
dev tap
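As an added example (not code from the Grid'5000 wiki), a small lint that parses an OpenVPN client.conf and checks it against the design points stated on this page: UDP-only transport, an L2 (tap) device, port 1194 on the remote, and certificate-based client authentication; it also flags the commented-out tls-auth line. The sample configuration is the page's client.conf embedded as a constructed string.

```python
"""Lint an OpenVPN client.conf against the VPN design described on this page.
Added example, not the project's own tooling."""
import shlex

# Constructed sample: the client.conf shown on the page, as one string.
SAMPLE_CONF = """\
client
remote access.lyon.grid5000.fr 1194
proto udp
ca ca.crt
cert client1.crt
key client1.key
#tls-auth ta.key 1
dev tap
"""

def parse_ovpn(text):
    """Return a list of (directive, [args]) pairs; '#' and ';' comments are
    dropped. Inline <ca>...</ca> blocks are not handled (the page uses files)."""
    directives = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        directives.append((parts[0], parts[1:]))
    return directives

def lint_client_conf(text):
    """Return a list of findings; an empty list means the config matches the design."""
    d = dict(parse_ovpn(text))  # last occurrence of a directive wins
    findings = []
    if 'client' not in d:
        findings.append('missing "client": pull server-side settings is not enabled')
    if d.get('proto', ['udp'])[0] != 'udp':
        findings.append('transport must be udp: TCP encapsulation is not supported')
    if d.get('dev', [''])[0] != 'tap':
        findings.append('dev must be tap: the service is an L2 (Ethernet) VPN')
    remote = d.get('remote')
    if not remote or (len(remote) > 1 and remote[1] != '1194'):
        findings.append('remote must point at the VPN server on port 1194')
    for name in ('ca', 'cert', 'key'):
        if name not in d:
            findings.append(f'missing "{name}": client authentication is by certificate')
    if 'tls-auth' not in d:
        findings.append('tls-auth is disabled: control channel is not HMAC-protected')
    return findings
```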