VPN

From Grid5000

CT presentation

Principle

  • Connect remote hosts/networks "as if" they belonged to the same local network
  • Encrypt / authenticate everything that crosses public networks
  • Benefits for G5K
    • Do away with the SSH gateway
    • Access to the outside world (to a server, to a network)

Implementation

  • OpenVPN: virtual interfaces, Linux, Windows port, SSL, flexible
  • L2 VPN:
    • Encapsulation of the Ethernet frame (L2) or of the IP packet (L3)
    • Non-IP applications keep working
  • Dedicated VPN VLAN network
    • better isolation, not the production VLAN
    • requires configuration of the G5K routers (done)
  • Encapsulation in
    • UDP (done)
    • TCP fallback (done)

Client configuration

  • IP address in the VPN network (done)
  • persistence:
    • By certificate name / login (done)
    • DNS name:
      • vpn1.grid5000.fr, vpn2.grid5000.fr (not done)
      • <login>.vpn.grid5000.fr ? (in progress): requires dynamic DNS
  • G5K routes (Golden rules!)
    • 172.16.0.0/16 (done)
    • 10.0.0.0/8 ? (done)
  • Client-side G5K DNS configuration
    • Linux CLI: (done)
    • Linux Network Manager: (done) (no DOMAIN)
    • Windows: (not done)
    • OSX: (not done)
  • Client authentication
    • On-demand client certificate generation (done)
    • Certificate revocation and regeneration (in progress)

Security

  • Server: same setup as the national access gateway (done)
    • Interfaces:
      • public DMZ interface (for VPN client connections from the Internet)
      • private DMZ interface (for G5K administration)
      • VPN VLAN interface, with no IP address (for forwarding onto the VPN VLAN)
    • Use of the DMZ puppet classes
      • fail2ban (not done)

L2 Ethernet Networks

One additional VLAN is needed:

  • VPN: hosts connected to Grid5000 through the VPN access use a dedicated VLAN implemented at the Sophia site. (done)

VLAN number

VLAN number   Usage         Name
600           VPN network   VPN

L3 IP Networks

Routing policy

The following table details the routing policy of each L2 VLAN:

Network       Routed locally   Routed globally
VPN network   yes              yes

Addressing plan

About VPN

Site     VPN
Sophia   172.20.0.0/16

Configuration

DomU

Network interfaces configuration

Managed by Puppet

Classes : networkg5k

Iptables configuration

Managed by Puppet

Classes : iptablesg5k

OpenVPN configuration

Managed by Puppet

Classes : openvpn,openvpng5k

OpenVPN SSL Certificates management

Managed by Puppet

Classes : openvpng5k::sll

Note : Deployed on ums.grid5000.fr

Dom0

Managed by Puppet

Classes : networkg5k

Network Equipment

On the equipment hosting the VPN (done)

vlan 600 name VPN by port
 tagged 7/19
 router-interface ve 60
interface ve 60
 port-name VPN
 ip address 172.20.255.254 255.255.0.0

On the other sites' routers (done)

 ip route 172.20.0.0 255.255.0.0 192.168.4.12

VPN User Documentation (in progress)

The Grid'5000 Virtual Private Network (VPN) lets you connect to the Grid'5000 network from your personal computer while preserving security by encrypting your communications.

When connected to the Grid'5000 VPN, your computer is "inside" the Grid'5000 network, so you no longer need several SSH hops to reach Grid'5000 nodes and frontends.

The Grid'5000 VPN is based on OpenVPN (http://openvpn.net).


Getting started

To start using the Grid'5000 VPN, you first need to get a certificate (in progress). You will download a ZIP archive containing the certificates and the configuration file needed for the VPN connection. Extract the archive onto your computer. Choose a secure place to store those files, as an attacker who obtains them could impersonate you on Grid'5000.


Launch a connection

The procedure to start a connection to the Grid'5000 VPN depends on your operating system:

  • Windows

(not available)


  • Linux (using command line)

From the folder where you extracted the ZIP archive, run the following as root:

openvpn <username>_vpnclient.conf

Note that the OpenVPN Linux client does not natively apply the DNS configuration pushed by the VPN (see ??). On most distributions, installing the resolvconf package and uncommenting the last lines of the <username>_vpnclient.conf file enables automatic VPN DNS configuration.


  • Linux (using network-manager)

You can also connect to Grid'5000 as a normal user with the "Network Manager" applet (you may need to install packages such as "network-manager-openvpn-gnome").

Refer to the Grid'5000 VPN parameters below to configure it.


  • MAC OS

(not available)


Testing your connection

Once your VPN connection is established, you can connect directly to any Grid'5000 node or frontend. Try it with:

ssh <username>@frontend.lyon.grid5000.fr


Grid'5000 VPN parameters

  • Gateway: vpn.grid5000.fr
  • Gateway port: 1194 UDP or 443 TCP
  • Device type: tap (Ethernet Bridging / Layer 2 VPN)
  • Authentication type: Certificate (TLS)
  • User certificate: <username>.crt
  • CA certificate: cavpn.crt
  • User private key: <username>.key
  • Additional TLS authentication file: ta.key (no direction)
  • Grid'5000 VPN routes: 172.20.0.0/20 and 10.0.0.0/8 (use the Grid'5000 VPN for these networks only)
  • Grid'5000 VPN DNS: 172.16.143.101


Here is an example configuration file:

client
# Gateways are tried in order: UDP 1194 first, then the TCP 443 fallback
remote vpn.grid5000.fr 1194 udp
remote vpn.grid5000.fr 443 tcp
# Layer 2 (Ethernet bridging) tunnel
dev tap

# CA certificate, user certificate and user private key from the downloaded archive
ca cavpn.crt
cert sdelamare.crt
key sdelamare.key
# Extra HMAC on the TLS control channel (no direction parameter)
tls-auth ta.key

# On Linux systems, uncomment the following lines to automatically use the Grid'5000 DNS (resolvconf binary needed)
#script-security 2
#up /etc/openvpn/update-resolv-conf
#down /etc/openvpn/update-resolv-conf
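As an added example (not part of the Grid'5000 documentation), here is a POSIX shell pre-flight check for the extracted client bundle that enforces the points made above before launching openvpn: the private key is not readable by other local accounts, every remote is the published gateway, tls-auth with ta.key is enabled, and the script-security/up/down lines used for DNS only point at hook scripts that actually exist. File names follow the bundle layout described above; the function names are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for an extracted Grid'5000 VPN client bundle.
# Added example, not part of the Grid'5000 documentation. It assumes the
# bundle layout described above: <username>_vpnclient.conf, <username>.crt,
# <username>.key, cavpn.crt and ta.key in one directory.

# check_bundle DIR USERNAME: return 0 if the bundle is safe to use,
# 1 otherwise, printing each problem found on stderr.
check_bundle() {
  dir=$1; user=$2; rc=0
  conf="$dir/${user}_vpnclient.conf"
  for f in "$conf" "$dir/$user.crt" "$dir/$user.key" "$dir/cavpn.crt" "$dir/ta.key"; do
    [ -f "$f" ] || { echo "missing file: $f" >&2; rc=1; }
  done
  [ "$rc" -eq 0 ] || return 1
  # The private key is the user's Grid'5000 identity: refuse a key that
  # other local accounts can read (GNU stat first, BSD stat as fallback).
  mode=$(stat -c %a "$dir/$user.key" 2>/dev/null || stat -f %Lp "$dir/$user.key")
  case "$mode" in
    600|400) ;;
    *) echo "private key mode is $mode, expected 600" >&2; rc=1 ;;
  esac
  # Every 'remote' line must name the published gateway; a modified config
  # could otherwise send the TLS handshake (and the user cert) elsewhere.
  if grep -E '^[[:space:]]*remote[[:space:]]' "$conf" | grep -vq 'vpn\.grid5000\.fr'; then
    echo "config names a remote other than vpn.grid5000.fr" >&2; rc=1
  fi
  # The ta.key HMAC on the control channel must stay enabled.
  grep -Eq '^[[:space:]]*tls-auth[[:space:]]+ta\.key' "$conf" \
    || { echo "tls-auth ta.key is not enabled" >&2; rc=1; }
  # script-security 2 (needed for the DNS up/down hooks) lets the config run
  # external programs: accept it only if each referenced hook is executable.
  if grep -Eq '^[[:space:]]*script-security[[:space:]]+[23]' "$conf"; then
    hooks=$(grep -E '^[[:space:]]*(up|down)[[:space:]]' "$conf" | awk '{print $2}') || true
    for h in $hooks; do
      [ -x "$h" ] || { echo "hook script $h is not executable" >&2; rc=1; }
    done
  fi
  return "$rc"
}

# start_vpn DIR USERNAME: run the checks, then launch openvpn (as root) from
# the bundle directory so the relative file names in the config resolve.
start_vpn() {
  check_bundle "$1" "$2" || return 1
  (cd "$1" && openvpn "${2}_vpnclient.conf")
}
```

Run it as `start_vpn /path/to/bundle <username>` as root; problems are reported on stderr and openvpn is only started when every check passes.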