Users access the sepia lab by tunnelling through an OpenVPN server run at gw.sepia.ceph.com. It's a Highly Available VM living in RHEV, managed by Ansible using the gateway role in ceph-cm-ansible.
The process for requesting lab access is documented here.
A ticket should be filed for paper trail purposes. Put the ticket in the commit messages for the PRs created below.
To grant a new user access to the VPN:
1) Add the user to openvpn_users
2) Add their name and ovpn credentials to lab_users
3) Run: ansible-playbook gateway.yml --tags="users"
fail2ban is configured via the gateway role and is set up to work with firewalld. Run "ipset list" to see the list of currently banned IPs.
An additional filter is in place in /etc/fail2ban/filter.d/sshd.conf that needs to be added to the role:
^%(__prefix_line)sReceived disconnect from <HOST>: 11: (Bye Bye)? \[preauth\]$
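Before adding that filter line to the role, it is worth confirming it matches what sshd actually logs. The following Python check is an added example (not part of the Sepia docs or the gateway role): it expands fail2ban's %(__prefix_line)s and <HOST> placeholders with simplified stand-ins for fail2ban's own definitions (an assumption, noted in the code) and runs the pattern over constructed sample log lines.

```python
"""Test the gateway's extra sshd failregex against sample log lines, offline."""
import re

# The failregex line exactly as it appears in /etc/fail2ban/filter.d/sshd.conf.
FAILREGEX = r"^%(__prefix_line)sReceived disconnect from <HOST>: 11: (Bye Bye)? \[preauth\]$"

# Assumption: a simplified stand-in for fail2ban's __prefix_line (common.conf):
# syslog timestamp, hostname, "sshd[pid]: ". The real one accepts more formats.
PREFIX_LINE = (
    r"(?:\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"  # e.g. "Mar  3 10:22:07"
    r"\S+\s+"                                     # hostname
    r"(?:sshd(?:\[\d+\])?:\s+)"                   # "sshd[1234]: "
)
# Assumption: fail2ban's <HOST> also matches hostnames and IPv6; IPv4 is enough here.
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"


def compile_failregex(failregex: str = FAILREGEX) -> re.Pattern:
    """Expand the two fail2ban placeholders and compile the resulting regex."""
    expanded = failregex.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
    return re.compile(expanded)


def matched_hosts(log_lines, failregex: str = FAILREGEX) -> list:
    """Return the <HOST> captured for every line the filter would count as a failure."""
    pattern = compile_failregex(failregex)
    return [m.group("host") for m in map(pattern.match, log_lines) if m]


# Constructed sample sshd log lines (not real gateway logs). Note the second line:
# the "(Bye Bye)?" group is optional, so "11:  [preauth]" with two spaces still matches.
SAMPLE_LOG = [
    "Mar  3 10:22:07 gw sshd[1234]: Received disconnect from 203.0.113.5: 11: Bye Bye [preauth]",
    "Mar  3 10:22:09 gw sshd[1235]: Received disconnect from 203.0.113.5: 11:  [preauth]",
    "Mar  3 10:23:00 gw sshd[1240]: Accepted publickey for dgalloway from 198.51.100.7 port 50122 ssh2",
    "Mar  3 10:23:30 gw sshd[1241]: Received disconnect from 198.51.100.7: 11: disconnected by user",
]

if __name__ == "__main__":
    for host in matched_hosts(SAMPLE_LOG):
        print("filter would count a failure for", host)
```

On the gateway itself, fail2ban-regex run against the real sshd log with the filter file is the authoritative check.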
Updating the sepia-vpn-client archive shouldn't need to happen often but was necessary when python3 came out.
ssh www.ceph.com
sudo -i
cd /var/www/ceph.com/sage/
# unpack the current client archive into a scratch directory
mkdir wip && cp sepia-vpn-client.tar.gz wip/ && cd wip && tar xzf sepia-vpn-client.tar.gz
# make the required changes inside the extracted sepia/ directory, then re-archive it
tar -czvf sepia-vpn-client.tar.gz sepia
# put the new archive in place with the expected ownership and clean up
mv sepia-vpn-client.tar.gz /var/www/ceph.com/sage/
chown dgalloway:www-data /var/www/ceph.com/sage/sepia-vpn-client.tar.gz
rm -rf /var/www/ceph.com/sage/wip
Resolution: You likely forgot a space in a user's hashed credential. Check recent commits in ceph-sepia-secrets.git and make sure all users have three values per ovpn key.
In order to stop serving our private DNS records, we're going to need an OS-agnostic script (shipped with the client archive) that will add the internal DNS server to OpenVPN clients' /etc/resolv.conf. This works natively on Windows and with OS X clients already with the push "dhcp-option DNS 172.21.0.1" directive.
Detailed information on our particular setup (how auth works and such) can be found in the old cookbook-gw.git repo.