VPN: Difference between revisions
Revision as of 13:31, 17 June 2015
Grid'5000 Virtual Private Network (VPN) allows you to connect your workstation or personal computer to the Grid'5000 network while preserving security.
When connected to the Grid'5000 VPN, your computer is "inside" the Grid'5000 network: direct connections to Grid'5000 nodes are possible, so you no longer need several SSH hops or tunnels to reach them.
Grid'5000 VPN is based on OpenVPN.
Getting started
To start using Grid'5000 VPN, you first need to get a certificate:
Go to your account management page, select "My account" and, from the "Actions" drop-down list, select "Generate VPN certificate". To generate a new certificate, click on "Generate from Passphrase" (recommended). If you generated your certificate and private key yourself, select "Sign public key".
Your certificate will appear at the bottom of the page. Click on "Download Files" to download an archive which includes the certificates and the configuration file needed to establish the VPN connection.
You must extract the archive content on your workstation. Please choose a secure place to store those files (for example a directory readable only by you, with the private key file readable only by its owner): an attacker who obtains them could use them to steal your identity in Grid'5000.
Launch a connection
The procedure to start a connection to the Grid'5000 VPN depends on your operating system:
- Windows
If you have not done it yet, download and install OpenVPN for Windows (default installation options should be fine).
Then, from the folder where you extracted the ZIP archive, execute Grid'5000 VPN for Windows as an administrator (on most Windows systems, you need to right-click on the Grid'5000 VPN for Windows file and select "Run as administrator").
- MAC OS X
On OS X systems, we recommend downloading and installing Tunnelblick as OpenVPN client.
Then, from the folder where you extracted the ZIP archive, double click on Grid5000_VPN.ovpn file to install Grid'5000 VPN configuration inside Tunnelblick.
To connect to VPN, select Grid5000_VPN from Tunnelblick application (top right on the screen).
In case of trouble, check the connection logs under "VPN details, Grid5000 VPN, Messages".
- Linux (using network-manager)
You can also connect to Grid'5000 as a normal user using the "Network Manager" applet (you may need to install packages such as "network-manager-openvpn-gnome").
From the "Network Settings" application, add a Network Connection and select "VPN". Choose "OpenVPN" and use these parameters:
- Name: Grid'5000
- Gateway: vpn.grid5000.fr
- User Certificate, CA Certificate, Private Key: Select <username>.crt, cavpn.crt and <username>.key files, respectively.
- Private Key Password: Enter the password needed to unlock your private key
Then, click on "Advanced" button and select "TLS Authentication" tab. Enable "Use additional TLS authentication" and select ta.key as "Key File" and OK.
Finally, select the "IPv4" menu on the left side and select "Use this connection only for resources on its network", so that only Grid'5000 traffic goes through the VPN.
You're done. You can connect to the VPN from Network Manager applet usually present in some corner of your screen.
- Linux (using command line)
From the folder where you extracted the ZIP archive, you only have to execute this as root:
sudo openvpn Grid5000_VPN.ovpn
Note that the OpenVPN Linux client does not apply the DNS settings pushed by the VPN natively. In most distributions, installing the openresolv package and uncommenting the last lines of the Grid5000_VPN.ovpn file should enable automatic DNS configuration while the VPN is up.
- Others
Refer to VPN#Grid'5000 VPN parameters to know how to manually configure the VPN.
Testing your connection
When your VPN connection is established, you will be able to connect directly to any Grid'5000 node or frontend. Try it with:
ssh <username>@frontend.lyon.grid5000.fr
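Beyond a successful SSH login, two things are worth checking: that the files you extracted are what you expect (the private key is protected, the certificate is signed by cavpn.crt, has not expired and matches the key) and that, once connected, only the three Grid'5000 networks listed in the parameters below are routed through the tunnel. The following script is an added example and is not part of the Grid'5000 page or tooling. It assumes the file names from the archive (<username>.crt, <username>.key, cavpn.crt), a Linux host with ip route, and an openssl binary; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Grid'5000 page): sanity checks on the
# extracted VPN files before connecting, and on the routing table after.
# The networks are the ones documented in "Grid'5000 VPN parameters".

G5K_NETS="172.16.0.0/16 10.0.0.0/8 172.20.0.0/16"

# check_key_perms FILE: the private key must be readable by its owner only.
# ls -l is used instead of stat so the check behaves the same on Linux and OS X.
check_key_perms() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        -rw-------|-r--------) return 0 ;;
        *) echo "$1 has permissions '$perms'; run: chmod 600 $1" >&2; return 1 ;;
    esac
}

# check_cert CERT KEY CA: the certificate chains to the VPN CA, is not
# expired, and its public key is the one belonging to the private key
# (openssl prompts for the passphrase if the key is encrypted).
check_cert() {
    cert=$1; key=$2; ca=$3
    openssl verify -CAfile "$ca" "$cert" >/dev/null || return 1
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "$cert has expired" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "$key does not match $cert" >&2; return 1; }
    return 0
}

# check_routes "$(ip route)": every Grid'5000 network is routed through a
# tun device and the default route is not, i.e. the VPN is a split tunnel
# ("use Grid'5000 VPN for these networks only").
check_routes() {
    routes=$1
    rc=0
    for net in $G5K_NETS; do
        printf '%s\n' "$routes" | grep -q "^$net .*dev tun" ||
            { echo "no VPN route for $net" >&2; rc=1; }
    done
    if printf '%s\n' "$routes" | grep -q "^default .*dev tun"; then
        echo "default route goes through the VPN; expected a split tunnel" >&2
        rc=1
    fi
    return $rc
}

# Usage, from the folder where the archive was extracted:
#   sh g5k_vpn_check.sh <username>        (run the route check after connecting)
if [ -n "${1:-}" ]; then
    u=$1
    check_key_perms "$u.key"
    check_cert "$u.crt" "$u.key" cavpn.crt
    check_routes "$(ip route)"
fi
```

A missing route usually means the client never received the pushed routes (connection not fully established); a default route through tun means the client is configured as a full tunnel instead of the split tunnel the page expects.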
Grid'5000 VPN parameters
- Gateway: vpn.grid5000.fr
- Gateway port: 1194 UDP or 443 TCP
- Device type: tun (Layer 3 VPN)
- Authentication type: Certificate (TLS)
- User certificate: <username>.crt
- CA certificate: cavpn.crt
- User private key: <username>.key
- Additional TLS authentication file: ta.key (no direction)
- Grid'5000 VPN routes: 172.16.0.0/16, 10.0.0.0/8 and 172.20.0.0/16 (use Grid'5000 VPN for these networks only)
- Grid'5000 VPN DNS: 172.20.255.254
Here is an example configuration file :
client
remote vpn.grid5000.fr 1194 udp
# In case of problem with the UDP connection, use TCP instead.
#remote vpn.grid5000.fr 443 tcp
dev tun
ca cavpn.crt
cert sdelamare.crt
key sdelamare.key
# No key direction is given for ta.key (see the parameters above).
tls-auth ta.key
# On Linux systems, you can uncomment the following lines to automatically use Grid'5000 DNS (openresolv package needed)
#script-security 2
#up /etc/openvpn/update-resolv-conf
#down /etc/openvpn/update-resolv-conf