diff --git a/sysadm/images/openvpn/nm-openvpn-advanced-general.png b/sysadm/images/openvpn/nm-openvpn-advanced-general.png new file mode 100644 index 0000000000000000000000000000000000000000..0000000000000000000000000000000000000000 GIT binary patch literal 0 Hc$@`_ +server and the VMs running on it are severely firewalled. To get onto their network +unrestricted, a VPN based on `OpenVPN `_ is available. + +The setup is client-server, with per-client certificates. + +.. _openvpn_client_configuration: + +OpenVPN client configuration +---------------------------- + +.. _raw_openvpn: + +Raw OpenVPN +~~~~~~~~~~~ + +Sample configuration file, e.g., /etc/openvpn/swh.conf: + +:: + + remote vpn.softwareheritage.org + ns-cert-type server + comp-lzo + nobind + dev tun + proto udp + port 1194 + log /var/log/openvpn.log + up-restart + persist-key + persist-tun + client + ca /etc/openvpn/keys/softwareheritage-ca.crt + cert /etc/openvpn/keys/softwareheritage.crt + key /etc/openvpn/keys/softwareheritage.key + user nobody + group nogroup + + # If you are using resolvconf, add this: + # Make sure you add louvre to /etc/hosts to avoid issues in using the vpn-provided DNS server. + script-security 2 + up /etc/openvpn/update-resolv-conf + down /etc/openvpn/update-resolv-conf + + # If you want the connection to persist when your network fails, add this: + ping-restart 10 + +In addition to the above configuration file, you will need to install the following 3 +files under /etc/openvpn/keys (matching the paths within the sample above): + +- :ref:`softwareheritage-ca.crt `: *public* certificate for the + Software Heritage certification authority (CA) +- :ref:`softwareheritage.crt `: *public*, client-specific (certificate + signed by the admin, see below) +- :ref:`softwareheritage.key `: *private*, client-specific key (generated + by the user, see below) + +Activate the openvpn server, as root (on your machine), run: + +.. code:: + + NAME=swh # or "work" as you wish + systemctl enable openvpn@$NAME.service + systemctl start openvpn@$NAME.service + systemctl status openvpn@$NAME.service + +Note: Internally, the ``swh`` must match the /etc/openvpn/``swh``.conf filename. You can +name it as you want (e.g ``work``), just be consistent about it. + +Excerpt of a successful start: + +.. code:: + + root@machine:~# systemctl status openvpn@swh.service`` + openvpn@swh.service - OpenVPN connection to swh`` + Loaded: loaded (/lib/systemd/system/openvpn@.service; indirect; vendor preset: enabled)`` + Active: active (running) since Thu 2020-12-17 19:03:29 UTC; 22min ago`` + Docs: man:openvpn(8)`` + ``\ ```https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage`` `_ + ``\ ```https://community.openvpn.net/openvpn/wiki/HOWTO`` `_ + Main PID: 12302 (openvpn)`` + Status: "Initialization Sequence Completed"`` + Tasks: 1 (limit: 4915)`` + CGroup: /system.slice/system-openvpn.slice/openvpn@swh.service`` + └─12302 /usr/sbin/openvpn --daemon ovpn-swh --status /run/openvpn/swh.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/swh.conf --writepid /run/openvpn/swh.pid`` + + Dec 17 19:03:29 machine systemd[1]: Starting OpenVPN connection to swh... + Dec 17 19:03:29 machine systemd[1]: Started OpenVPN connection to swh. + +.. _network_manager_gui: + +Network Manager GUI +~~~~~~~~~~~~~~~~~~~ + +You need network-manager-openvpn and network-manager-openvpn-gnome for the configuration +gui. + +|nm-openvpn-base.png| |nm-openvpn-routes.png| +|nm-openvpn-advanced-general.png| |nm-openvpn-advanced-security.png| +|nm-openvpn-advanced-tls-auth.png| + +.. _obtaining_a_client_certificate: + +Obtaining a client certificate +------------------------------ + +.. _openvpn_for_users: + +For users +~~~~~~~~~ + +Generate a keypair (key + certificate signing request) using the following command: + +.. code:: + + openssl req -new -newkey rsa:2048 -nodes -keyout openvpn.key -out openvpn.csr -subj "/CN=" + +Please replace with something that uniquely identifies the certificate. + +Make sure openvpn.key is stored in a safe place (it's your private key, which will allow +anyone to connect to the VPN). + +Provide the CSR file to a sysadmin through a reasonably authenticated medium. + +.. _openvpn_for_admins: + +For admins +~~~~~~~~~~ + +- On the firewall (192.168.50.1), go to the `System / Trust / Certificates page + `_ +- click on the add button on the upper right + +.. figure:: ../../images/openvpn/vpn-main-trust-page.png + :alt: vpn-main-trust-page.png + +- On the Method list, choose "Sign a certificate Signing Request" + +.. figure:: ../../images/openvpn/vpn-csr-signing.png + :alt: vpn-csr-signing.png + +Fetch the CSR file provided by the user, for instance with ``scp USERNAME.csr louvre:`` + +- Enter the user name on the descriptive name +- Select "OpenVPN Software Heritage (louvre)" as Certificate Authority +- Enter the duration, usually 10 years +- Paste the csr +- Validate + +- check the details of the csr and validate + +.. _revoking_a_client_certificate: + +Revoking a client certificate +----------------------------- + +On the firewall (master) `1 `_: + +- go to the `https://192.168.50.1/system_crlmanager.php System / Trust / Revocation + `_ page +- edit the "OpenVPN certificate revocation list" CRL + +.. figure:: ../../images/openvpn/vpn-ctrl-list.png + :alt: vpn-ctrl-list.png + +- go to the bottom of the page + +.. figure:: ../../images/openvpn/vpn-csr-certificate.png + :alt: vpn-csr-certificate.png + +- select the certificate to revoke +- Add + +The counter of revoked certificate should be increased by one on for the OpenVPN CSR on +the CSR list. + +.. |nm-openvpn-base.png| image:: ../../images/openvpn/nm-openvpn-base.png +.. |nm-openvpn-routes.png| image:: ../../images/openvpn/nm-openvpn-routes.png +.. |nm-openvpn-advanced-general.png| image:: ../../images/openvpn/nm-openvpn-advanced-general.png +.. |nm-openvpn-advanced-security.png| image:: ../../images/openvpn/nm-openvpn-advanced-security.png +.. |nm-openvpn-advanced-tls-auth.png| image:: ../../images/openvpn/nm-openvpn-advanced-tls-auth.png diff --git a/sysadm/user-management/openvpn/softwareheritage-ca-crt.rst b/sysadm/user-management/openvpn/softwareheritage-ca-crt.rst new file mode 100644 --- /dev/null +++ b/sysadm/user-management/openvpn/softwareheritage-ca-crt.rst @@ -0,0 +1,37 @@ +.. _softwareheritage-ca-crt: + +softwareheritage-ca.crt +======================= + +Public certificate for the Software Heritage certification authority (CA) installed on +louvre.softwareheritage.org: + +.. code:: + + -----BEGIN CERTIFICATE----- + MIIEqjCCA5KgAwIBAgIJAJjv4lm3AwjgMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYD + VQQGEwJGUjEOMAwGA1UEBxMFUGFyaXMxGjAYBgNVBAoTEVNvZnR3YXJlIEhlcml0 + YWdlMR0wGwYDVQQDExRTb2Z0d2FyZSBIZXJpdGFnZSBDQTEQMA4GA1UEKRMHRWFz + eVJTQTEoMCYGCSqGSIb3DQEJARYZaW5mb0Bzb2Z0d2FyZWhlcml0YWdlLm9yZzAe + Fw0xNTA3MTcwOTA0MTBaFw0yNTA3MTQwOTA0MTBaMIGUMQswCQYDVQQGEwJGUjEO + MAwGA1UEBxMFUGFyaXMxGjAYBgNVBAoTEVNvZnR3YXJlIEhlcml0YWdlMR0wGwYD + VQQDExRTb2Z0d2FyZSBIZXJpdGFnZSBDQTEQMA4GA1UEKRMHRWFzeVJTQTEoMCYG + CSqGSIb3DQEJARYZaW5mb0Bzb2Z0d2FyZWhlcml0YWdlLm9yZzCCASIwDQYJKoZI + hvcNAQEBBQADggEPADCCAQoCggEBAL9yJKQaRh3kqTXqzwtw6Kiugs1ZQV7UejUI + i9K4lXqLF1seIIq8beJPYMsBcHK6fi3oXJ51ejqCG1sBo4zI6i6hCrk4QOduF5x7 + xK173La8q6K5S+lcevYqROLPRh96MqhMwQvWhy/Y/Q2VeuxfNZxNUs5BB7Y6DWFw + S36v0xntWzEH/0FQQ2phebY3tKMaA9ftPlSSVNkH39b10x1QMrRKE8T+RIuOnbjm + RbYm6WXZetMIDP9TNdBQpJ4VDTHNobFScAFW4qzeCW4q0gB94jK+lyOOKzRuRIn2 + 3oPUXIahhO4HAkmfA8++UzwX8Wigu1+8dGL84y14cy6YE3E38DkCAwEAAaOB/DCB + +TAdBgNVHQ4EFgQUkyOIziKlJuhVuVcu1VNpBaL9+mwwgckGA1UdIwSBwTCBvoAU + kyOIziKlJuhVuVcu1VNpBaL9+myhgZqkgZcwgZQxCzAJBgNVBAYTAkZSMQ4wDAYD + VQQHEwVQYXJpczEaMBgGA1UEChMRU29mdHdhcmUgSGVyaXRhZ2UxHTAbBgNVBAMT + FFNvZnR3YXJlIEhlcml0YWdlIENBMRAwDgYDVQQpEwdFYXN5UlNBMSgwJgYJKoZI + hvcNAQkBFhlpbmZvQHNvZnR3YXJlaGVyaXRhZ2Uub3JnggkAmO/iWbcDCOAwDAYD + VR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAg8bd3vOwqtdJ423ON3CDAnlC + DUm3Lq+iyD8YLyeueXvvI7tvrl2uxLc0KXzOksEi1PvXimAqtFoy9CtpfQGywP7V + DMXc6hom6ddXD08vUknVfgRr6XRL0veDqGC3evTVKXjiDCQhUO2NuFYuaMGufSFx + eCjx1h3huxv7Z4g3n1zkkpBGVIHYO+9r09/8ufTImYMZ9BF5ZQaotstcGvCV6TgV + kLn4o2DOLhGeDpVQUDKNNxRpQCXC0bLBaDVBkP/2pp/QmHHgrJOydpK/TaLGYT2f + eEdfH3QKmPR/AyH2qQTuSxKPPnCzWBYyjLHcKAgjL4023ObDV1YUlSbf08QVcA== + -----END CERTIFICATE-----