VPN
CT presentation
Principle
- Connect remote hosts/networks "as if" they belonged to the same local network
- Encrypt / authenticate everything that crosses public networks
- Benefit for G5K
  - Do away with the SSH gateway
  - Access to the outside world (to a server, to a network)
Implementation
- OpenVPN: virtual interfaces, Linux, Windows port, SSL, flexible
- L2 VPN or L3 VPN
- Encapsulation of the Ethernet frame (L2) or of the IP packet (L3)
- Non-IP applications keep working
- Dedicated VPN VLAN network
  - better isolation, not the production VLAN
  - not tied to a site
  - requires configuring the G5K routers
- Encapsulation in UDP (+ TCP?)
Client configuration
- IP address in the VPN network
- persistence:
  - by certificate name / login
  - DNS name: vpn1.grid5000.fr, vpn2.grid5000.fr or <login>.vpn.grid5000.fr
- G5K routes (Golden rules!)
  - 172.16.0.0/16
  - 10.0.0.0/8 ?
- G5K DNS
- Client authentication
- Client certificate generated on demand
Security
- Server: same as national access
- 1 DMZ interface + 1 VPN VLAN interface
- Fail2ban, etc.
L2 Ethernet Networks
Some additional VLAN is needed:
VPN: Hosts connected to Grid5000 using VPN access use a dedicated VLAN implemented in the ?? site.
VLAN number
VLAN number | Usage | Name |
---|---|---|
600 | VPN network | VPN |
L3 IP Networks
Routing policy
The following table gives details about the routing policy of each L2 VLAN:
Network | Routed locally | Routed globally |
---|---|---|
VPN network | | |
Addressing plan
About VPN
Site | VPN |
---|---|
? | 172.20.0.0/16 |
Configuration
DomU
Network interfaces configuration
# The DMZ private network interface
auto eth0
iface eth0 inet static
    address 192.168.67.14
    netmask 255.255.255.0
    broadcast 192.168.67.255
    post-up ip route add 172.16.0.0/16 via 192.168.67.253

# The DMZ public network interface
auto eth1
iface eth1 inet static
    address 194.254.60.14
    netmask 255.255.255.192
    gateway 194.254.60.61

# The VPN network interface, bridged (tap0 is created before the bridge comes up)
auto br-vpn
iface br-vpn inet static
    address 172.20.0.1
    netmask 255.255.0.0
    bridge-ports eth2 tap0
    pre-up ip tuntap add dev tap0 mode tap
OpenVPN configuration
Dom0
# Create the VPN VLAN (600) sub-interface on eth3 and bridge it
sudo vconfig add eth3 600
sudo brctl addbr br-vpn
sudo brctl addif br-vpn eth3.600
sudo ifconfig eth3.600 up
sudo ifconfig br-vpn up

# /etc/xen/vpn.cfg
vif = [ 'ip=192.168.67.14,mac=00:16:3E:94:30:D7,bridge=br-dmz-priv',
        'ip=194.254.60.14,mac=00:16:3E:44:4B:FC,bridge=br-dmz-pub',
        'mac=00:16:3E:A9:B1:26,bridge=br-vpn' ]

# /etc/network/interfaces
auto eth1 eth2 eth3
# eth1 -- production (188)
iface eth1 inet manual
# eth2 -- dmz pub (666)
iface eth2 inet manual
# eth3 -- dmz priv (667) & vpn (600)
iface eth3 inet manual

#==================
# = switch-prod =
#==================
auto switch-prod
iface switch-prod inet static
    address 172.16.143.2
    netmask 255.255.240.0
    gateway 172.16.143.254
    bridge_ports eth1
    bridge_stp off

#=======================
# = dmz public bridge =
#=======================
# Port 7/18 of the fastiron (eth2 of srv2)
auto br-dmz-pub
iface br-dmz-pub inet manual
    bridge_ports eth2.666
    bridge_stp off
    pre-up /sbin/ifup eth2.666
    post-down /sbin/ifdown eth2.666

#========================
# = dmz private bridge =
#========================
# Port 7/19 of the fastiron (eth3 of srv2)
auto br-dmz-priv
iface br-dmz-priv inet manual
    bridge_ports eth3.667
    bridge_stp off
    pre-up /sbin/ifup eth3.667
    post-down /sbin/ifdown eth3.667

#===============
# = VPN bridge =
#===============
# Port 7/19 of the fastiron (eth3 of srv2)
auto br-vpn
iface br-vpn inet manual
    bridge_ports eth3.600
    bridge_stp off
    pre-up /sbin/ifup eth3.600
    post-down /sbin/ifdown eth3.600
Network Equipment
On the equipment hosting the VPN
create vlan VPN
configure vlan "VPN" tag 600
show configuration
configure vlan "VPN" ipaddress 172.20.255.254 255.255.0.0
enable ipforwarding vlan "VPN"
configure vlan "VPN" add ports 2:32 tagged   # Dom0 port
On other sites' routers
route add 172.20.0.0/16 gw 192.168.4.<VPN_site>
VPN Client
OpenVPN's client.conf file:
client
remote access.lyon.grid5000.fr 1194
proto udp
ca ca.crt
cert client1.crt
key client1.key
#tls-auth ta.key 1
dev tap
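For reference, an assumed server-side counterpart to the client.conf above, in bridged (tap) mode on VLAN 600 with certificate authentication and per-certificate persistent addresses; this is an added example, not Grid5000's own server configuration, and the file paths, the address pool, the ccd entry, the ta.key and the DNS placeholder are assumptions.

```conf
# server.conf (assumed example, not the project's configuration)
port 1194
proto udp
dev tap0                      # L2 mode: tap0 is enslaved to br-vpn by the interfaces file
ca   /etc/openvpn/ca.crt      # paths are assumptions
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem
# Bridged mode: server address/netmask on 172.20.0.0/16, then the address pool
# handed to clients (pool range is an assumption)
server-bridge 172.20.0.1 255.255.0.0 172.20.1.1 172.20.1.254
# Persistence "by certificate name": a file named after the client cert CN
# pins its address, e.g. /etc/openvpn/ccd/client1 containing
#   ifconfig-push 172.20.2.10 255.255.0.0
client-config-dir /etc/openvpn/ccd
# Push the G5K "golden rule" route and the G5K resolver (placeholder address)
push "route 172.16.0.0 255.255.0.0"
push "dhcp-option DNS <G5K_DNS>"
# HMAC-protect the TLS control channel; the client must then uncomment its
# "tls-auth ta.key 1" line (key direction 0 here, 1 on the client)
tls-auth /etc/openvpn/ta.key 0
# Only accept peer certificates issued for client use (mirror on the client
# with "remote-cert-tls server" so a stolen client cert cannot pose as the server)
remote-cert-tls client
cipher AES-256-GCM
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
status /var/log/openvpn-status.log
verb 3
```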