VPN: Difference between revisions
Line 19: | Line 19: | ||
* Encapsulation dans | * Encapsulation dans | ||
** UDP {{Yes}} | ** UDP {{Yes}} | ||
** TCP | ** TCP fallback {{Yes}} | ||
== Configuration client == | == Configuration client == |
Revision as of 10:26, 10 October 2014
Présentation CT
Principe
- Connecter des hôtes/réseaux distants "comme si" ils appartiennent au même réseau local
- Chiffrer / Authentifier tout ce qui passe sur les réseaux publiques
- Intêret pour G5K
- S'affranchir de la passerelle SSH
- Accès au monde extérieur (à un serveur, à un réseau)
Implémentation
- OpenVPN: Interfaces virtuelles, Linux, portage Windows, SSL, flexible
- L2 VPN:
- Encapsulation de la trame Ethernet (L2) ou paquet IP (L3)
- Fonctionnement des applications non-IP
- Réseau VPN VLAN dédié
- Encapsulation dans
Configuration client
- addresse IP dans réseau VPN
- persistence:
- routes G5K (Golden rules !)
- Configuratiuon DNS G5K du client
- Authentification Client
Securité
L2 Ethernet Networks
Some additional VLAN is needed :
Vlan number
VLAN number | Usage | Name |
---|---|---|
600 | VPN network |
VPN
|
L3 IP Networks
Routing policy
The following table gives detail about the routing policy of each L2 VLAN :
Network | Routed locally | Routed globally |
---|---|---|
VPN network |
Addressing plan
About VPN
Site | VPN |
---|---|
Sophia | 172.20.0.0/16
|
Configuration
DomU
Network interfaces configuration
Iptables configuration
OpenVPN configuration
OpenVPN SSL Certificates management
Dom0
Network Equipment
On equipment hosting VPN
vlan 600 name VPN by port tagged 7/19 router-interface ve 60
interface ve 60 port-name VPN ip address 172.20.255.254 255.255.0.0
On other sites' routers
ip route 172.20.0.0 255.255.0.0 192.168.4.12
VPN User Documentation
Grid'5000 Virtual Private Network (VPN) allows to connect to Grid'5000 network from your personal computer, while preserving security by encrypting your communications.
When connected to Grid'5000 VPN, your computer will be "inside" the Grid'5000 network thus you won't require to perform several SSH hops to access Grid'5000 nodes and frontends.
Grid'5000 VPN is based on OpenVPN http://openvpn.net.
Getting started
To start using Grid'5000 VPN, you first need to get a certificate. . You will download a ZIP archive including certificates and configuration file needed for VPN connexion. You must extract the archive content onto your computer. Choose a secure place to store those files, as an attacker could use them to steal your identity in Grid'5000.
Launch a connection
The procedure to start a connection to Grid'5000 VPN depends on your Operating System :
- Windows
- Linux (using command line)
From the folder where you extracted the ZIP archive, you only have to execute this as root:
openvpn <username>_vpnclient.conf
Note that OpenVPN linux client does not support DNS VPN configuration natively (see ??). In most distributions, installing resolvconf package and uncommenting last lines of <username>_vpnclient.conf file should enable automatic DNS VPN configuration.
- Linux (using network-manager)
You can also connect to Grid'5000 as normal user using the "Network Manager" applet (you may require to install packages like "network-manager-openvpn-gnome").
Refer to Grid'5000 VPN parameters to know how to configure it.
- MAC OS
Testing your connection
When your VPN connexion is established, you will be able to connect directly to any Grid'5000 node or frontend. Try it with:
ssh <username>@frontend.lyon.grid5000.fr
Grid'5000 VPN parameters
- Gateway: vpn.grid5000.fr
- Gateway port: 1194 UDP
- Device type: tap (Ethernet Bridging / Layer 2 VPN)
- Authentication type: Certificate (TLS)
- User certificate: <username>.crt
- CA certificate: cavpn.crt
- User private key: <username>.key
- Additional TLS authentication file: ta.key (no direction)
- Grid'5000 VPN routes: 172.20.0.0/20 and 10.0.0.0/8 (use Grid'5000 VPN for these networks only)
- Grid'5000 VPN DNS: 172.16.143.101
Here is an example configuration file :
client remote vpn.grid5000.fr 1194 proto udp dev tap ca cavpn.crt cert sdelamare.crt key sdelamare.key tls-auth ta.key # On Linux systems, you can uncomment following lines to automatically use Grid'5000 DNS (resolvconf binary needed) #script-security 2 #up /etc/openvpn/update-resolv-conf #down /etc/openvpn/update-resolv-conf