Changeset View
Changeset View
Standalone View
Standalone View
sysadm/user-management/openvpn/openvpn.rst
- This file was added.
.. _howto_configure_openvpn: | |||||
How to configure OpenVPN | |||||
======================== | |||||
.. admonition:: Intended audience | |||||
:class: important | |||||
staff members | |||||
The `Software Heritage <https://wiki.softwareheritage.org/wiki/Software_Heritage>`_ | |||||
server and the VMs running on it are severely firewalled. To get onto their network | |||||
unrestricted, a VPN based on `OpenVPN <https://openvpn.net/>`_ is available. | |||||
The setup is client-server, with per-client certificates. | |||||
.. _openvpn_client_configuration: | |||||
OpenVPN client configuration | |||||
---------------------------- | |||||
.. _raw_openvpn: | |||||
Raw OpenVPN | |||||
~~~~~~~~~~~ | |||||
Sample configuration file, e.g., /etc/openvpn/swh.conf: | |||||
:: | |||||
remote vpn.softwareheritage.org | |||||
ns-cert-type server | |||||
comp-lzo | |||||
nobind | |||||
dev tun | |||||
proto udp | |||||
port 1194 | |||||
log /var/log/openvpn.log | |||||
up-restart | |||||
persist-key | |||||
persist-tun | |||||
client | |||||
ca /etc/openvpn/keys/softwareheritage-ca.crt | |||||
cert /etc/openvpn/keys/softwareheritage.crt | |||||
key /etc/openvpn/keys/softwareheritage.key | |||||
user nobody | |||||
group nogroup | |||||
# If you are using resolvconf, add this: | |||||
# Make sure you add louvre to /etc/hosts to avoid issues in using the vpn-provided DNS server. | |||||
script-security 2 | |||||
up /etc/openvpn/update-resolv-conf | |||||
down /etc/openvpn/update-resolv-conf | |||||
# If you want the connection to persist when your network fails, add this: | |||||
ping-restart 10 | |||||
In addition to the above configuration file, you will need to install the following 3 | |||||
files under /etc/openvpn/keys (matching the paths within the sample above): | |||||
- :ref:`softwareheritage-ca.crt <softwareheritage-ca-crt>`: *public* certificate for the | |||||
Software Heritage certification authority (CA) | |||||
- :ref:`softwareheritage.crt <openvpn_for_admins>`: *public*, client-specific (certificate | |||||
signed by the admin, see below) | |||||
- :ref:`softwareheritage.key <openvpn_for_users>`: *private*, client-specific key (generated | |||||
by the user, see below) | |||||
Activate the openvpn server, as root (on your machine), run: | |||||
.. code:: | |||||
NAME=swh # or "work" as you wish | |||||
systemctl enable openvpn@$NAME.service | |||||
systemctl start openvpn@$NAME.service | |||||
systemctl status openvpn@$NAME.service | |||||
Note: Internally, the ``swh`` must match the /etc/openvpn/``swh``.conf filename. You can | |||||
name it as you want (e.g ``work``), just be consistent about it. | |||||
Excerpt of a successful start: | |||||
.. code:: | |||||
root@machine:~# systemctl status openvpn@swh.service`` | |||||
openvpn@swh.service - OpenVPN connection to swh`` | |||||
Loaded: loaded (/lib/systemd/system/openvpn@.service; indirect; vendor preset: enabled)`` | |||||
Active: active (running) since Thu 2020-12-17 19:03:29 UTC; 22min ago`` | |||||
Docs: man:openvpn(8)`` | |||||
``\ ```https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage`` <https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage>`_ | |||||
``\ ```https://community.openvpn.net/openvpn/wiki/HOWTO`` <https://community.openvpn.net/openvpn/wiki/HOWTO>`_ | |||||
Main PID: 12302 (openvpn)`` | |||||
Status: "Initialization Sequence Completed"`` | |||||
Tasks: 1 (limit: 4915)`` | |||||
CGroup: /system.slice/system-openvpn.slice/openvpn@swh.service`` | |||||
└─12302 /usr/sbin/openvpn --daemon ovpn-swh --status /run/openvpn/swh.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/swh.conf --writepid /run/openvpn/swh.pid`` | |||||
Dec 17 19:03:29 machine systemd[1]: Starting OpenVPN connection to swh... | |||||
Dec 17 19:03:29 machine systemd[1]: Started OpenVPN connection to swh. | |||||
.. _network_manager_gui: | |||||
Network Manager GUI | |||||
~~~~~~~~~~~~~~~~~~~ | |||||
You need network-manager-openvpn and network-manager-openvpn-gnome for the configuration | |||||
gui. | |||||
|nm-openvpn-base.png| |nm-openvpn-routes.png| | |||||
|nm-openvpn-advanced-general.png| |nm-openvpn-advanced-security.png| | |||||
|nm-openvpn-advanced-tls-auth.png| | |||||
.. _obtaining_a_client_certificate: | |||||
Obtaining a client certificate | |||||
------------------------------ | |||||
.. _openvpn_for_users: | |||||
For users | |||||
~~~~~~~~~ | |||||
Generate a keypair (key + certificate signing request) using the following command: | |||||
.. code:: | |||||
openssl req -new -newkey rsa:2048 -nodes -keyout openvpn.key -out openvpn.csr -subj "/CN=<your username>" | |||||
Please replace with something that uniquely identifies the certificate. | |||||
Make sure openvpn.key is stored in a safe place (it's your private key, which will allow | |||||
anyone to connect to the VPN). | |||||
Provide the CSR file to a sysadmin through a reasonably authenticated medium. | |||||
.. _openvpn_for_admins: | |||||
For admins | |||||
~~~~~~~~~~ | |||||
- On the firewall (192.168.50.1), go to the `System / Trust / Certificates page | |||||
<https://192.168.50.1/system_certmanager.php>`_ | |||||
- click on the add button on the upper right | |||||
.. figure:: ../../images/openvpn/vpn-main-trust-page.png | |||||
:alt: vpn-main-trust-page.png | |||||
- On the Method list, choose "Sign a certificate Signing Request" | |||||
.. figure:: ../../images/openvpn/vpn-csr-signing.png | |||||
:alt: vpn-csr-signing.png | |||||
Fetch the CSR file provided by the user, for instance with ``scp USERNAME.csr louvre:`` | |||||
- Enter the user name on the descriptive name | |||||
- Select "OpenVPN Software Heritage (louvre)" as Certificate Authority | |||||
- Enter the duration, usually 10 years | |||||
- Paste the csr | |||||
- Validate | |||||
- check the details of the csr and validate | |||||
.. _revoking_a_client_certificate: | |||||
Revoking a client certificate | |||||
----------------------------- | |||||
On the firewall (master) `1 <https://192.168.50.1>`_: | |||||
- go to the `https://192.168.50.1/system_crlmanager.php System / Trust / Revocation | |||||
<https://192.168.50.1/system_crlmanager.php_System_/_Trust_/_Revocation>`_ page | |||||
- edit the "OpenVPN certificate revocation list" CRL | |||||
.. figure:: ../../images/openvpn/vpn-ctrl-list.png | |||||
:alt: vpn-ctrl-list.png | |||||
- go to the bottom of the page | |||||
.. figure:: ../../images/openvpn/vpn-csr-certificate.png | |||||
:alt: vpn-csr-certificate.png | |||||
- select the certificate to revoke | |||||
- Add | |||||
The counter of revoked certificate should be increased by one on for the OpenVPN CSR on | |||||
the CSR list. | |||||
.. |nm-openvpn-base.png| image:: ../../images/openvpn/nm-openvpn-base.png | |||||
.. |nm-openvpn-routes.png| image:: ../../images/openvpn/nm-openvpn-routes.png | |||||
.. |nm-openvpn-advanced-general.png| image:: ../../images/openvpn/nm-openvpn-advanced-general.png | |||||
.. |nm-openvpn-advanced-security.png| image:: ../../images/openvpn/nm-openvpn-advanced-security.png | |||||
.. |nm-openvpn-advanced-tls-auth.png| image:: ../../images/openvpn/nm-openvpn-advanced-tls-auth.png |