VPN
Jump to navigation
Jump to search
Présentation CT
Principe
- Connecter des hôtes/réseaux distants "comme si" ils appartiennent au même réseau local
- Chiffrer / Authentifier tout ce qui passe sur les réseaux publiques
- Intêret pour G5K
- S'affranchir de la passerelle SSH
- Accès au monde extérieur (à un serveur, à un réseau)
Implémentation
- OpenVPN : Interfaces virtuelles, Linux, portage Windows, SSL, flexible
- L2 VPN
- Encapsulation de la trame Ethernet (L2) ou paquet IP (L3)
- Fonctionnement des applications non-IP
- Réseau VPN VLAN dédié
- Encapsulation dans
Configuration client
- addresse IP dans réseau VPN
- persistence:
- routes G5K (Golden rules !)
- Configuratiuon DNS G5K du client
- Authentification Client
Securité
- Serveur : Idem access nationale
- Interfaces:
- interface DMZ Publique (pour connexion client VPN depuis Internet)
- interface DMZ Privée (pour administration G5K)
- interface VLAN VPN, sans adresse IP (pour acheminement sur VLAN VPN)
- Utilisation des classes puppet DMZ
- Interfaces:
L2 Ethernet Networks
Some additional VLAN is needed :
Vlan number
VLAN number | Usage | Name |
---|---|---|
600 | VPN network |
VPN
|
L3 IP Networks
Routing policy
The following table gives detail about the routing policy of each L2 VLAN :
Network | Routed locally | Routed globally |
---|---|---|
VPN network |
Addressing plan
About VPN
Site | VPN |
---|---|
? | 172.20.0.0/16
|
Configuration
DomU
Network interfaces configuration
# The DMZ private network interface auto eth0 iface eth0 inet static address 192.168.67.14 netmask 255.255.255.0 broadcast 192.168.67.255 post-up ip route add 172.16.0.0/16 via 192.168.67.253 # The DMZ public network interface auto eth1 iface eth1 inet static address 194.254.60.14 netmask 255.255.255.192 gateway 194.254.60.61 # The VPN network interface, bridged auto br-vpn iface br-vpn inet static address 172.20.0.1 netmask 255.255.0.0 bridge-ports eth2 tap0 pre-up ip tuntap add dev tap0 mode tap
OpenVPN configuration
Dom0
sudo vconfig add eth3 600 sudo brctl addbr br-vpn sudo brctl addif br-vpn eth3.600 sudo ifconfig eth3.600 up sudo ifconfig br-vpn up # /etc/xen/vpn.cfg vif = [ 'ip=192.168.67.14,mac=00:16:3E:94:30:D7,bridge=br-dmz-priv', 'ip=194.254.60.14,mac=00:16:3E:44:4B:FC,bridge=br-dmz-pub', 'mac=00:16:3E:A9:B1:26,bridge=br-vpn' ] # /etc/network/interfaces auto eth1 eth2 eth3 # eth1 -- production (188) iface eth1 inet manual # eth2 -- dmz pub (666) iface eth2 inet manual # eth3 -- dmz priv (667) & vpn (600) iface eth3 inet manual #================== # = switch-prod = #================== auto switch-prod iface switch-prod inet static address 172.16.143.2 netmask 255.255.240.0 gateway 172.16.143.254 bridge_ports eth1 bridge_stp off #======================= # = dmz public bridge = #======================= # Interface 7/18 du fastiron (eth2 de srv2) auto br-dmz-pub iface br-dmz-pub inet manual bridge_ports eth2.666 bridge_stp off pre-up /sbin/ifup eth2.666 post-down /sbin/ifdown eth2.666 #======================== # = dmz private bridge = #======================== # Interface 7/19 du fastiron (eth3 de srv2) auto br-dmz-priv iface br-dmz-priv inet manual bridge_ports eth3.667 bridge_stp off pre-up /sbin/ifup eth3.667 post-down /sbin/ifdown eth3.667 #=============== # = VPN bridge = #=============== # Interface 7/19 du fastiron (eth3 de srv2) auto br-vpn iface br-vpn inet manual bridge_ports eth3.600 bridge_stp off pre-up /sbin/ifup eth3.600 post-down /sbin/ifdown eth3.600
Network Equipment
On equipment hosting VPN
vlan 600 name VPN by port tagged 7/19 router-interface ve 60
interface ve 60 port-name VPN ip address 172.20.255.254 255.255.0.0
On other sites' routers
route add 172.20.0.0/16 gw 192.168.4.<VPN_site>
VPN Client
OpenVPN's client.conf file:
client remote access.lyon.grid5000.fr 1194 proto udp ca ca.crt cert client1.crt key client1.key #tls-auth ta.key 1 dev tap