services:openvpn
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Last revision Both sides next revision | ||
|
services:openvpn [2016/03/23 16:45] dgalloway |
services:openvpn [2020/10/27 17:55] djgalloway |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== WIP - OpenVPN ====== | + | ====== OpenVPN ====== |
| ===== Summary ===== | ===== Summary ===== | ||
| - | Users access the sepia lab by tunnelling through an [[https://openvpn.net/|OpenVPN]] server run at gw.sepia.ceph.com. It's currently one of many services running on [[http://wiki.front.sepia.ceph.com/doku.php?id=hardware:infrastructure#gwsepiacephcom|gw]] | + | Users access the sepia lab by tunnelling through an [[https://openvpn.net/|OpenVPN]] server run at gw.sepia.ceph.com. It's a Highly Available VM living in [[services:RHEV]]. |
| + | |||
| + | Managed by Ansible using the gateway role in [[https://github.com/ceph/ceph-cm-ansible/blob/master/roles/gateway/README.rst|ceph-cm-ansible]]. | ||
| The process for requesting lab access is documented [[https://ceph.github.io/sepia/adding_users/#requesting-lab-access|here]]. | The process for requesting lab access is documented [[https://ceph.github.io/sepia/adding_users/#requesting-lab-access|here]]. | ||
| - | ===== Adding Users ===== | + | ===== Ops Tasks ===== |
| + | ==== Adding Users ==== | ||
| + | A ticket should be filed for paper trail purposes. Put the ticket in the commit messages for the PRs created below. | ||
| To grant a new user access to the VPN, | To grant a new user access to the VPN, | ||
| - Add the user's public key to the [[https://github.com/ceph/keys|keys.git]] repo. ((This step is not required for non-humans or humans that don't need access to schedule runs.)) | - Add the user's public key to the [[https://github.com/ceph/keys|keys.git]] repo. ((This step is not required for non-humans or humans that don't need access to schedule runs.)) | ||
| - | - Add their username and hashed password to ''lab_users'' in the [[https://github.com/ceph/ceph-sepia-secrets/blob/master/ansible/inventory/group_vars/all.yml|ceph-sepia-secrets.git repo]]. | + | - Add their credentials to the [[https://github.com/ceph/ceph-sepia-secrets/blob/master/ansible/inventory/group_vars/all.yml|ceph-sepia-secrets.git repo]]. |
| - | - Once your PR has been merged, run the [[https://github.com/ceph/ceph-cm-ansible/tree/master/roles/gateway|gateway]] role in [[https://github.com/ceph/ceph-cm-ansible|ceph-cm-ansible]] to push the new user entry to the server. | + | - If they **only** need VPN access, add them to ''openvpn_users'' ((This will not create an SSH user account on any lab hosts including teuthology.front. It only grants VPN access. An example of this use case would be for accessing the Reference Architecture lab in Sepia.)) |
| + | - Otherwise, add their username (''name'') and ''ovpn'' credentials to ''lab_users'' | ||
| + | - Once your PR has been merged, run the [[https://github.com/ceph/ceph-cm-ansible/tree/master/roles/gateway|gateway]] role in [[https://github.com/ceph/ceph-cm-ansible|ceph-cm-ansible]] to push the new user entry to the server. ((WARNING: Running with just the users tag will not restart the OpenVPN service. Running the rest of the role will.)) | ||
| <code>ansible-playbook gateway.yml --tags="users"</code> | <code>ansible-playbook gateway.yml --tags="users"</code> | ||
| + | |||
| + | ==== fail2ban ==== | ||
| + | fail2ban is configured via the gateway role. It's configured to work with firewalld. Run ''ipset list'' to see list of currently banned IPs. | ||
| + | |||
| + | An additional filter is in place in ''/etc/fail2ban/filter.d/sshd.conf'' that needs to be added to the role. | ||
| + | |||
| + | <code> | ||
| + | ^%(__prefix_line)sReceived disconnect from <HOST>: 11: (Bye Bye)? \[preauth\]$ | ||
| + | </code> | ||
| + | |||
| + | ==== Updating sepia-vpn-client.tar.gz ==== | ||
| + | This shouldn't need to happen often but was necessary when python3 came out. | ||
| + | |||
| + | - ''%%ssh www.ceph.com%%'' | ||
| + | - ''sudo -i'' | ||
| + | - ''cd /var/www/ceph.com/sage/'' | ||
| + | - ''mkdir wip && cp sepia-vpn-client.tar.gz wip/ && cd wip && tar xzf sepia-vpn-client.tar.gz'' | ||
| + | - Make your edits in the sepia dir | ||
| + | - When you're done, ''tar -czvf sepia-vpn-client.tar.gz sepia'' | ||
| + | - ''mv sepia-vpn-client.tar.gz /var/www/ceph.com/sage/'' | ||
| + | - ''chown dgalloway:www-data /var/www/ceph.com/sage/sepia-vpn-client.tar.gz'' | ||
| + | - ''rm -rf /var/www/ceph.com/sage/wip'' | ||
| + | |||
| + | ===== Troubleshooting ===== | ||
| + | ==== TLS Error: local/remote TLS keys are out of sync ==== | ||
| + | You may also see ''ValueError: need more than 2 values to unpack'' in ''/var/log/openvpn/openvpn.log'' | ||
| + | |||
| + | **Resolution:** You likely forgot a space in a user's hashed credential. Check recent commits in ceph-sepia-secrets.git and make sure all users have three values per ''ovpn'' key. | ||
| + | |||
| + | ===== To-Do ===== | ||
| + | ==== DNS ==== | ||
| + | In order to stop serving our private DNS records, we're going to need an OS-agnostic script (shipped with the client archive) that will add the internal DNS server to OpenVPN clients' ''/etc/resolv.conf''. This works natively on Windows and with OS X clients already with the ''push "dhcp-option DNS 172.21.0.1"'' directive. | ||
| ===== Historical Info ===== | ===== Historical Info ===== | ||
| - | Detailed information on our particular setup (how auth works and such) can be found in the old [[https://github.com/ceph/cookbook-gw/commit/73a54b0cb8482558f2ec534a32a83962af935bfa|cookbook-gw.git repo]]. | + | Detailed information on our particular setup (how auth works and such) can be found in the old [[https://github.com/ceph/cookbook-gw/tree/master/cookbooks/cephco-openvpn|cookbook-gw.git repo]]. |
services/openvpn.txt · Last modified: 2020/10/27 19:22 by djgalloway
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
