====== OpenVPN ======
===== Summary =====
Users access the sepia lab by tunnelling through an [[https://openvpn.net/|OpenVPN]] server run at gw.sepia.ceph.com.  It's a Highly Available VM living in [[services:RHEV]].

Managed by Ansible using the gateway role in [[https://github.com/ceph/ceph-cm-ansible/blob/master/roles/gateway/README.rst|ceph-cm-ansible]].

The process for requesting lab access is documented [[https://ceph.github.io/sepia/adding_users/#requesting-lab-access|here]].

===== Ops Tasks =====
==== Adding Users ====
A ticket should be filed for paper trail purposes.  Put the ticket in the commit messages for the PRs created below.

To grant a new user access to the VPN,
  - Add the user's public key to the [[https://github.com/ceph/keys|keys.git]] repo. ((This step is not required for non-humans or humans that don't need access to schedule runs.))
  - Add their credentials to the [[https://github.com/ceph/ceph-sepia-secrets/blob/master/ansible/inventory/group_vars/all.yml|ceph-sepia-secrets.git repo]].
    - If they **only** need VPN access, add them to ''openvpn_users'' ((This will not create an SSH user account on any lab hosts including teuthology.front.  It only grants VPN access.  An example of this use case would be for accessing the Reference Architecture lab in Sepia.))
    - Otherwise, add their username (''name'') and ''ovpn'' credentials to ''lab_users''
  - Once your PR has been merged, run the [[https://github.com/ceph/ceph-cm-ansible/tree/master/roles/gateway|gateway]] role in [[https://github.com/ceph/ceph-cm-ansible|ceph-cm-ansible]] to push the new user entry to the server. ((WARNING: Running with just the users tag will not restart the OpenVPN service.  Running the rest of the role will.))

<code>ansible-playbook gateway.yml --tags="users"</code>

==== fail2ban ====
fail2ban is configured via the gateway role.  It's configured to work with firewalld.  Run ''ipset list'' to see list of currently banned IPs.

An additional filter is in place in ''/etc/fail2ban/filter.d/sshd.conf'' that needs to be added to the role.

<code>
^%(__prefix_line)sReceived disconnect from <HOST>: 11: (Bye Bye)? \[preauth\]$
</code>

==== Updating sepia-vpn-client.tar.gz ====
This shouldn't need to happen often but was necessary when python3 came out.

  - ''%%ssh www.ceph.com%%''
  - ''sudo -i''
  - ''cd /var/www/ceph.com/sage/''
  - ''mkdir wip && cp sepia-vpn-client.tar.gz wip/ && cd wip && tar xzf sepia-vpn-client.tar.gz''
  - Make your edits in the sepia dir
  - When you're done, ''tar -czvf sepia-vpn-client.tar.gz sepia''
  - ''mv sepia-vpn-client.tar.gz /var/www/ceph.com/sage/''
  - ''chown dgalloway:www-data /var/www/ceph.com/sage/sepia-vpn-client.tar.gz''
  - ''rm -rf /var/www/ceph.com/sage/wip''

===== Troubleshooting =====
==== ValueError: need more than 2 values to unpack ====

**Resolution:** You likely forgot a space in a user's hashed credential.  Check recent commits in ceph-sepia-secrets.git and make sure all users have three values per ''ovpn'' key.

===== To-Do =====
==== DNS ====
In order to stop serving our private DNS records, we're going to need an OS-agnostic script (shipped with the client archive) that will add the internal DNS server to OpenVPN clients' ''/etc/resolv.conf''.  This works natively on Windows and with OS X clients already with the ''push "dhcp-option DNS 172.21.0.1"'' directive.

===== Historical Info =====
Detailed information on our particular setup (how auth works and such) can be found in the old [[https://github.com/ceph/cookbook-gw/tree/master/cookbooks/cephco-openvpn|cookbook-gw.git repo]].