User Tools

Site Tools


services:openvpn

OpenVPN

Summary

Users access the sepia lab by tunnelling through an OpenVPN server run at gw.sepia.ceph.com. It's a Highly Available VM living in RHEV.

Managed by Ansible using the gateway role in ceph-cm-ansible.

The process for requesting lab access is documented here.

Adding Users

A ticket should be filed for paper trail purposes. Put the ticket in the commit messages for the PRs created below.

To grant a new user access to the VPN,

  1. Add the user's public key to the keys.git repo. 1)
  2. Add their crededentials to the ceph-sepia-secrets.git repo.
    1. If they only need VPN access, add them to openvpn_users 2)
    2. Otherwise, add their username (name) and ovpn credentials to lab_users
  3. Once your PR has been merged, run the gateway role in ceph-cm-ansible to push the new user entry to the server. 3)
ansible-playbook gateway.yml --tags="users"

fail2ban

fail2ban is configured via the gateway role. It's configured to work with firewalld. Run ipset list to see list of currently banned IPs.

An additional filter is in place in /etc/fail2ban/filter.d/sshd.conf that needs to be added to the role.

^%(__prefix_line)sReceived disconnect from <HOST>: 11: (Bye Bye)? \[preauth\]$

To-Do

DNS

In order to stop serving our private DNS records, we're going to need an OS-agnostic script (shipped with the client archive) that will add the internal DNS server to OpenVPN clients' /etc/resolv.conf. This works natively on Windows and with OS X clients already with the push “dhcp-option DNS 172.21.0.1” directive.

Historical Info

Detailed information on our particular setup (how auth works and such) can be found in the old cookbook-gw.git repo.

1) This step is not required for non-humans or humans that don't need access to schedule runs.
2) This will not create an SSH user account on any lab hosts including teuthology.front. It only grants VPN access. An example of this use case would be for accessing the Reference Architecture lab in Sepia.
3) WARNING: Running with just the users tag will not restart the OpenVPN service. Running the rest of the role will.
services/openvpn.txt · Last modified: 2016/08/30 19:34 by dgalloway