VPN: Difference between revisions

From Grid5000
Previous revision (translated from French):

= CT presentation =
== Principle ==
* Connect remote hosts/networks "as if" they belonged to the same local network
* Encrypt / authenticate everything that crosses public networks
* Interest for G5K
** Do away with the SSH gateway
** Access to the outside world (to a server, to a network)

== Implementation ==
* OpenVPN: virtual interfaces, Linux, Windows port, SSL, flexible
* L2 VPN:
** Encapsulation of the Ethernet frame (L2) or of the IP packet (L3)
** Non-IP applications keep working
* Dedicated VLAN for the VPN network
** better isolation, not the production VLAN
** requires configuration of the G5K routers {{Yes}}
* Encapsulation within
** UDP {{Yes}}
** TCP fallback {{Yes}}

== Client configuration ==
* IP address in the VPN network {{Yes}}
* persistence:
** By certificate name / login {{Yes}}
** DNS name:
*** vpn1.grid5000.fr, vpn2.grid5000.fr {{No}}
*** <login>.vpn.grid5000.fr ? {{Inprogress}}: requires dynamic DNS
* G5K routes (golden rules!)
** 172.16.0.0/16 {{Yes}}
** 10.0.0.0/8 ? {{Yes}}
* G5K DNS configuration on the client
** Linux CLI: {{Yes}}
** Linux Network Manager: {{Yes}} (no DOMAIN)
** Windows: {{No}}
** OSX: {{No}}
* Client authentication
** Client certificate generation on demand {{Yes}}
** Certificate revocation and regeneration {{Inprogress}}

== Security ==
* Server: same as national access {{Yes}}
** Interfaces:
*** public DMZ interface (for VPN client connections from the Internet)
*** private DMZ interface (for G5K administration)
*** VPN VLAN interface, without IP address (for forwarding on the VPN VLAN)
** Use of the DMZ puppet classes
*** fail2ban {{No}}

= L2 Ethernet Networks =
Some additional VLAN is needed:
* <code class='host'>VPN</code>: Hosts connected to Grid5000 using VPN access use a dedicated VLAN implemented in sophia site. {{Yes}}

== Vlan number ==
{|class="karafon"
! VLAN number !! Usage !! Name
|-
| 600 || <code class="host">VPN network</code> || <code class="host">VPN</code>
|}

= L3 IP Networks =
== Routing policy ==
The following table gives details about the routing policy of each L2 VLAN:
{|
|- style="background-color: #cccccc; border:1px solid #c9c9c9;"
! Network !! Routed locally !! Routed globally
|-
| VPN network || {{Yes}} || {{Yes}}
|}

== Addressing plan ==
=== About VPN ===
{|
|- style="background-color: #cccccc; border:1px solid #c9c9c9;"
! Site !! VPN
|-
| Sophia || <code class="host">172.20.0.0/16</code>
|}

= Configuration =
== DomU ==
=== Network interfaces configuration ===
{{Managed by Puppet|classes=openvpn,openvpng5k|note=}}
=== OpenVPN SSL Certificates management ===
{{Managed by Puppet|classes=openvpng5k::sll|note=Deployed on ums.grid5000.fr}}

== Dom0 ==
{{Managed by Puppet|classes=networkg5k|note=}}

== Network Equipment ==
=== On equipment hosting VPN {{Yes}} ===
 vlan 600 name VPN by port
   tagged 7/19
   router-interface ve 60

 interface ve 60
   port-name VPN
   ip address 172.20.255.254 255.255.0.0

=== On other sites' routers {{Yes}} ===
 ip route 172.20.0.0 255.255.0.0 192.168.4.12

= VPN User Documentation {{ Inprogress }} =

Revision as of 14:49, 5 December 2014

VPN main objectives

  • Connect remote hosts or networks "as if" they were in the Grid'5000 network
    • No need for an SSH gateway (eases life for Windows users, direct access to node web servers, ...)
    • Interconnection with the outside world (servers, networks, ...)
  • Encrypt communication forwarded on public networks


Configuration

Summary

  • Software used: OpenVPN
  • Layer 2 VPN
    • Ethernet frame encapsulation (L2)
    • Encapsulation within UDP packet: Most efficient
    • Fallback encapsulation within TCP packet: Most robust to cross firewall
  • Dedicated VLAN for VPN (600)
    • Implemented in south DMZ
    • VPN IP network: 172.20.0.0/16
    • Every site's routers need an additional route:
ip route 172.20.0.0 255.255.0.0 192.168.4.254 name vpn_viasouth

Network Equipment

On equipment hosting VPN

!
interface GigabitEthernet0/3/4
 description DMZ (to srv2.sophia)
 switchport trunk allowed vlan 1,600,666,1002-1005
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/3/5
 description DMZ (to srv2.sophia)
 switchport trunk allowed vlan 1,600,666,1002-1005
 switchport mode trunk
 no ip address
 shutdown 
!
interface GigabitEthernet0/3/6
 description DMZ (to srv2.sophia)
 switchport trunk allowed vlan 1,600,666,1002-1005
 switchport mode trunk
 no ip address
 shutdown
!
interface Vlan600
 description DMZ: gw-south-vpn
 ip address 172.20.255.254 255.255.0.0
!


On other sites' routers

ip route 172.20.0.0 255.255.0.0 192.168.4.12


Dom0

Managed by Puppet (classes: networkg5k). Note: current Dom0 is srv2.sophia.

DomU

OpenVPN configuration

Managed by Puppet (classes: openvpn, openvpng5k).

Configuration file explained (/etc/openvpn/server_{udp,tcp}.conf on vpn.grid5000.fr):

# Server mode, using SSL/TLS authentication
mode server
tls-server

port 1194
proto udp
# VPN clients traffic comes from server's tap0 interface
dev tap0

# SSL credentials
## As with clients, the server cert is signed by the CA
ca /etc/openvpn/keys/ca.api.grid5000.fr.crt
cert /etc/openvpn/keys/vpn.grid5000.fr.crt
dh /etc/openvpn/keys/dh2048.pem
key /etc/openvpn/keys/vpn.grid5000.fr.key
## This last file is shared by g5k users. It avoids DoS attacks from outsiders
tls-auth /etc/openvpn/keys/ta.key

# The VPN pool of IP addresses that are assigned to clients
ifconfig-pool 172.20.100.0 172.20.255.253 255.255.0.0

# Route and DNS configuration sent to clients (OpenVPN requires the pushed option in double quotes)
## The VPN gateway to reach other G5K networks (it's a gw-south interface)
push "route-gateway 172.20.255.254"
## Clients can reach these networks through the VPN
push "route 172.16.0.0 255.255.0.0"
push "route 10.0.0.0 255.0.0.0"
## DNS configuration to resolve Grid'5000 hostnames
push "dhcp-option DNS 172.16.143.101"
push "dhcp-option DOMAIN grid5000.fr"

# Use a certificate revocation list, for closed accounts or lost certificates
crl-verify /var/local/ca.api.grid5000.fr.crl.pem
# Implement a soft persistence between username and VPN IP address
ifconfig-pool-persist /var/local/openvpn_ipp.txt

# Drop privileges of the openvpn daemon
user nobody
group nogroup
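As an added example (not code from the Grid'5000 page or its Puppet classes), the following Python script parses a server_{udp,tcp}.conf like the one above and checks the properties its comments rely on: tls-auth, crl-verify and the privilege drop are present, the client pool stays inside 172.20.0.0/16 and never includes the gw-south address 172.20.255.254, and the pushed route-gateway is that address. The embedded sample configuration is constructed from the directives above.

```python
import ipaddress
import shlex

# Constructed sample: the server_udp.conf directives that matter for the
# checks below, with push arguments quoted as OpenVPN requires.
SERVER_CONF = """\
mode server
tls-server
dev tap0
tls-auth /etc/openvpn/keys/ta.key
ifconfig-pool 172.20.100.0 172.20.255.253 255.255.0.0
push "route-gateway 172.20.255.254"
push "route 172.16.0.0 255.255.0.0"
push "route 10.0.0.0 255.0.0.0"
crl-verify /var/local/ca.api.grid5000.fr.crl.pem
user nobody
group nogroup
"""

def parse(text):
    """Return (directive, args) pairs; '#' comments dropped, push payloads re-split."""
    opts = []
    for raw in text.splitlines():
        toks = shlex.split(raw.split("#", 1)[0])
        if toks and toks[0] == "push" and len(toks) == 2:
            toks = ["push"] + toks[1].split()
        if toks:
            opts.append((toks[0], toks[1:]))
    return opts

def audit(text, vpn_net="172.20.0.0/16", gw="172.20.255.254"):
    """List the problems found; an empty list means every check passed."""
    opts = parse(text)
    present = {d for d, _ in opts}
    # tls-auth (HMAC before TLS), CRL checking and the privilege drop must all be there
    findings = [f"missing {d}" for d in ("tls-auth", "crl-verify", "user", "group")
                if d not in present]
    net, gw_ip = ipaddress.ip_network(vpn_net), ipaddress.ip_address(gw)
    for d, a in opts:
        if d == "ifconfig-pool":
            lo, hi = ipaddress.ip_address(a[0]), ipaddress.ip_address(a[1])
            if lo not in net or hi not in net:
                findings.append("client pool leaves the VPN network")
            if lo <= gw_ip <= hi:  # the gw-south address must never be handed to a client
                findings.append("gateway address inside client pool")
        elif d == "push" and a[0] == "route-gateway" and ipaddress.ip_address(a[1]) != gw_ip:
            findings.append("route-gateway is not the VLAN 600 gateway")
    return findings
```

Run `audit(open("/etc/openvpn/server_udp.conf").read())` on the real file to get the same list of findings for the deployed configuration.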

Network interfaces configuration

Managed by Puppet (classes: networkg5k).

Iptables configuration

Managed by Puppet (classes: iptablesg5k).


Security

Managed by Puppet (classes: sanityg5k).

OpenVPN SSL Certificates management for UMS

Managed by Puppet (classes: openvpng5k::sll). Note: deployed on ums.grid5000.fr.


Wishlist

  • ensure persistent client IP address
    • by certificate / login: in progress, not well tested
  • provide a DNS name to the client
    • Example: <login>.vpn.grid5000.fr
  • Implement a fail2ban rule for OpenVPN


VPN User Documentation (in progress)

The Grid'5000 Virtual Private Network (VPN) lets you connect to the Grid'5000 network from your personal computer while preserving security by encrypting your communications.

When connected to the Grid'5000 VPN, your computer is "inside" the Grid'5000 network, so you no longer need several SSH hops to access Grid'5000 nodes and frontends.

The Grid'5000 VPN is based on OpenVPN (http://openvpn.net).


Getting started

To start using the Grid'5000 VPN, you first need to get a certificate (procedure in progress). You will download a ZIP archive including the certificates and the configuration file needed for the VPN connection. Extract the archive content onto your computer and choose a secure place to store those files, as an attacker could use them to steal your identity in Grid'5000.


Launch a connection

The procedure to start a connection to the Grid'5000 VPN depends on your operating system:

  • Windows

If you have not done it yet, download and install OpenVPN for Windows (the default installation options should be fine).

Then, from the folder where you extracted the ZIP archive, execute "Grid'5000 VPN for Windows" as an administrator (on most Windows systems, you need to right-click the "Grid'5000 VPN for Windows" file and select "Run as administrator").


  • Linux (using command line)

From the folder where you extracted the ZIP archive, you only have to execute this as root:

openvpn <username>_vpnclient.conf

Note that the OpenVPN Linux client does not support VPN DNS configuration natively (see ??). In most distributions, installing the resolvconf package and uncommenting the last lines of the <username>_vpnclient.conf file should enable automatic VPN DNS configuration.


  • Linux (using network-manager)

You can also connect to Grid'5000 as a normal user using the "Network Manager" applet (you may need to install packages such as "network-manager-openvpn-gnome").

Refer to the Grid'5000 VPN parameters below to learn how to configure it.


  • Mac OS

Not available yet.

Testing your connection

When your VPN connection is established, you will be able to connect directly to any Grid'5000 node or frontend. Try it with:

ssh <username>@frontend.lyon.grid5000.fr


Grid'5000 VPN parameters

  • Gateway: vpn.grid5000.fr
  • Gateway port: 1194 UDP or 443 TCP
  • Device type: tap (Ethernet Bridging / Layer 2 VPN)
  • Authentication type: Certificate (TLS)
  • User certificate: <username>.crt
  • CA certificate: cavpn.crt
  • User private key: <username>.key
  • Additional TLS authentication file: ta.key (no direction)
  • Grid'5000 VPN routes: 172.20.0.0/20 and 10.0.0.0/8 (use Grid'5000 VPN for these networks only)
  • Grid'5000 VPN DNS: 172.16.143.101


Here is an example configuration file:

client
remote vpn.grid5000.fr 1194 udp
remote vpn.grid5000.fr 443 tcp
dev tap

ca cavpn.crt
cert sdelamare.crt
key sdelamare.key
tls-auth ta.key

# On Linux systems, you can uncomment following lines to automatically use Grid'5000 DNS (openresolv package needed)
#script-security 2
#up /etc/openvpn/update-resolv-conf
#down /etc/openvpn/update-resolv-conf