VPN

From Grid5000
Revision as of 12:40, 13 February 2015 by Pneyron (talk | contribs)
Warning: Work in Progress


Grid'5000 Virtual Private Network (VPN) lets you connect your workstation or personal computer to the Grid'5000 network while preserving security.

When connected to the Grid'5000 VPN, your computer is "inside" the Grid'5000 network, so you no longer need several SSH hops or tunnels to reach Grid'5000 nodes: direct connections are possible.

Grid'5000 VPN is based on OpenVPN.

Getting started

To start using Grid'5000 VPN, you first need to get a certificate:

Go to your account management page, select "My account" and from the "Actions" drop-down list, select "Generate VPN certificate".

Your certificate will appear at the bottom of the page. Click on "Zip file" to download an archive containing the certificates and the configuration file needed for the VPN connection.

You must extract the archive content onto your computer. Choose a secure place to store those files, as an attacker could use them to steal your identity in Grid'5000.


Launch a connection

The procedure to start a connection to Grid'5000 VPN depends on your operating system:

  • Windows

If you have not done it yet, download and install OpenVPN for Windows (default installation options should be fine).

Then, from the folder where you extracted the ZIP archive, execute "Grid'5000 VPN for Windows" as an administrator (on most Windows systems, you need to right-click the "Grid'5000 VPN for Windows" file and select "Run as administrator").


  • Mac OS X

On OS X systems, we recommend downloading and installing Tunnelblick as the OpenVPN client.

Then, from the folder where you extracted the ZIP archive, double-click the Grid5000_VPN.ovpn file to install the Grid'5000 VPN configuration in Tunnelblick.

To connect to the VPN, select Grid5000_VPN from the Tunnelblick application (top right of the screen).

In case of trouble, check the connection logs under "VPN details, Grid5000 VPN, Messages".


  • Linux (using network-manager)

You can also connect to Grid'5000 as a normal user using the "Network Manager" applet (you may need to install packages such as "network-manager-openvpn-gnome").

From the "Network Settings" application, add a Network Connection and select "VPN". Choose "Import from file..." and select the Grid5000_VPN.ovpn file from the folder where you extracted the ZIP archive. Add your private key password and validate. The Grid'5000 VPN is now configured.

To connect to the VPN, select "VPN" and click on Connect from the applet at the top right of the screen.


  • Linux (using command line)

From the folder where you extracted the ZIP archive, you only have to execute this as root:

openvpn <username>_vpnclient.conf

Note that the OpenVPN Linux client does not support DNS VPN configuration natively. In most distributions, installing the openresolv package and uncommenting the last lines of the <username>_vpnclient.conf file should enable automatic DNS VPN configuration.


  • Others

Refer to the "Grid'5000 VPN parameters" section below to know how to manually configure the VPN.


Testing your connection

When your VPN connection is established, you will be able to connect directly to any Grid'5000 node or frontend. Try it with:

ssh <username>@frontend.lyon.grid5000.fr


Grid'5000 VPN parameters

  • Gateway: vpn.grid5000.fr
  • Gateway port: 1194 UDP or 443 TCP
  • Device type: tap (Ethernet Bridging / Layer 2 VPN)
  • Authentication type: Certificate (TLS)
  • User certificate: <username>.crt
  • CA certificate: cavpn.crt
  • User private key: <username>.key
  • Additional TLS authentication file: ta.key (no direction)
  • Grid'5000 VPN routes: 172.20.0.0/20 and 10.0.0.0/8 (use Grid'5000 VPN for these networks only)
  • Grid'5000 VPN DNS: 172.20.255.253


Here is an example configuration file:

client
remote vpn.grid5000.fr 1194 udp
# In case of problems with the UDP connection, use TCP.
#remote vpn.grid5000.fr 443 tcp
dev tap

ca cavpn.crt
cert sdelamare.crt
key sdelamare.key
tls-auth ta.key

# On Linux systems, you can uncomment the following lines to automatically use Grid'5000 DNS (openresolv package needed)
#script-security 2
#up /etc/openvpn/update-resolv-conf
#down /etc/openvpn/update-resolv-conf
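
A check of an extracted client configuration against the parameters listed above and against the advice to store the key files securely. This is an added example, not part of the original page or of Grid'5000's own tooling. The `audit` helper, the placeholder user `jdoe` and the sample configuration are assumptions made for illustration.

```python
import os

# Expected values, from the "Grid'5000 VPN parameters" list on this page.
ALLOWED_REMOTES = {("vpn.grid5000.fr", "1194", "udp"),
                   ("vpn.grid5000.fr", "443", "tcp")}
REQUIRED = ("remote", "ca", "cert", "key", "tls-auth")

# Constructed sample: the page's example config with a placeholder user "jdoe".
SAMPLE_CONF = """client
remote vpn.grid5000.fr 1194 udp
dev tap
ca cavpn.crt
cert jdoe.crt
key jdoe.key
tls-auth ta.key
#script-security 2
"""


def parse_directives(text):
    """Return (name, args) pairs, skipping blank lines and #/; comments."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            name, *args = line.split()
            pairs.append((name, args))
    return pairs


def audit(conf_text, conf_dir="."):
    """Return a list of findings; an empty list means nothing was flagged."""
    pairs = parse_directives(conf_text)
    seen = dict(pairs)
    findings = [f"missing directive: {d}" for d in REQUIRED if d not in seen]
    for name, args in pairs:
        if name == "remote" and tuple(args[:3]) not in ALLOWED_REMOTES:
            findings.append(f"unexpected gateway: {' '.join(args)}")
        elif name == "redirect-gateway":
            findings.append("redirect-gateway routes all traffic via the VPN")
        elif name == "script-security" and args and args[0] == "3":
            findings.append("script-security 3 exposes passwords to scripts")
        elif name in ("key", "tls-auth") and args:
            # Secret files must not be accessible to group or others.
            path = os.path.join(conf_dir, args[0])
            if os.path.exists(path) and os.stat(path).st_mode & 0o077:
                findings.append(f"{args[0]} is not owner-only (chmod 600)")
    if seen.get("dev") != ["tap"]:
        findings.append("dev is not tap")
    return findings
```

Call `audit(open(conf).read(), folder)` on the extracted configuration before the first connection; the permission check only applies on systems with POSIX file modes.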