VPN

From Open Source Ecology
Jump to navigation Jump to search

A VPN is a system that establishes a private network across a public network, such as the Internet

Use in Dev Server

OSE launched a single staging/dev server in Hetzner Cloud in 2019. For security reasons it's imperative that this server is locked-down and sitting *behind* a VPN.

Important Files & Directories

For more information about our vpn configuration, please see the following files & directories on the osedev1 server:

  1. /usr/share/easy-rsa/3/pki/
  2. /etc/openvpn/

How to connect to the VPN

Execute openvpn with sudo, passing it your client config file. 

cd openvpn
sudo openvpn client.conf

You will be prompted for two credentials:

  1. Enter Auth Password: - This is your 2FA 6-digit token that changes every 30 seconds. Get it from your 2FA FLOSS TOTP app-of-choice.
  2. Enter Private Key Password: - This is the passphrase you used to symmetrically encrypt your OpenVPN client RSA certificate when you were first setup with access to the OSE VPN. Check your personal password database.

Developers: How to request access to the dev VPN

This section is intended for the OSE Developer that requires access to the developer VPN and would like to make a request for access to the OSE sysadmin.

Install Prerequisites

In order to connect to our vpn, you should install the following prerequisite software 

sudo apt-get install openvpn openresolv easy-rsa

Now generate a RSA certificate and certificate signing request 

cd $HOME
mkdir openvpn
cd /usr/share/easy-rsa
source vars
KEY_DIR=$HOME/openvpn
KEY_CONFIG=/etc/ssl/openssl.cnf

# inputs
echo -n "Enter your two-digit country code: "; read KEY_COUNTRY
echo -n "Enter your state/province: "; read KEY_PROVINCE
echo -n "Enter your city: "; read KEY_CITY
echo -n "Enter the name of your organization: "; read KEY_ORG
echo -n "Enter your email address: "; read KEY_EMAIL

# generate certificate request
./build-req `whoami`

Sysadmin: How to grant access to the dev VPN

This section is intended for the OSE sysadmin and will describe the process of granting access to the developer VPN for OSE developers.

First, make sure that the user requesting access to the dev VPN has a valid reason to need this access. Iff the request is valid, then proceed:

On the dev node, create a OS-level user on the OSE Development server and add the developer's public ssh key to their authorized_keys file 

user@ose:~$ ssh osedev1
Last login: Tue Dec  3 12:40:51 2019 from 182.74.197.50
[maltfield@osedev1 ~]$ sudo su -
Last login: Mon Dec  2 15:21:42 CET 2019 on pts/17
[root@osedev1 ~]# adduser marcin
[root@osedev1 ~]# mkdir /home/marcin/.ssh/
[root@osedev1 ~]# echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDMiIUel3xYyxuiXAj82PzoJDwRczrEpDgUoRI4W9ceL5FqVcY38Go9q3SF2Nx0FEj+IdCUXc08lyy6ZPUbPcKvscFxWeue4aMM62ikzNxmhGBdjqgT3q3wpJgyjTXmt9AJcglcAm9mcQffSUi3RD9KDlCyc/T923eZdaLAkW/BMhjuOZqY90tjGqs/r/kxN0gf4vI24NMFL/41ct7OMKVnNNsjIpQtceX9fCOCumAx53OdtJEcp46TvzevZk2987Zn0VsONznvVCJ0kmm8B0RJxwIfmiLM73f+reo0pv+sSc2rU7SrpzLfPWLFcM7pkJQc3HtLnktl5form3flp+EkI7fr7348r8A7W+QIifjXk66ohJReDni9H/S4JSX2L1lf8LfJKSHtAqrFRWSPp22MKre5hiH0IybED6XZfz59HT0cgMK2iNcPRj/J+hEbBM0f4zZu62PUad7rr1JI4Vv078/ROaD47fykicxYhauI4R71J1YucSj/vekXf17x3xlO+u8ucSeUhdpMuIAa3Yk16bXsrwo4nIdcApC6rwfNiQDK8Ecx6+M6pV6z+dII4OMHvEYWw92wWJZfIyk7emvAoataqp3DfI0DQagPNBo2ieEZYLvNYny+X9hf6faZ6trsGnR4GfN83PEt3ZfmoEoyTVB2POiBdM8a1GNTlEasQ== marcin@Precision-M6500" >> /home/marcin/.ssh/authorized_keys
[root@osedev1 ~]# chown -R marcin:marcin /home/marcin/.ssh
[root@osedev1 ~]# chmod -R 0600 /home/marcin/.ssh
[root@osedev1 ~]# chmod 0700 /home/marcin/.ssh
[root@osedev1 ~]#

Now have the user ssh into the dev server, generate a 2FA TOTP secret key, and scan it into their 2FA FLOSS app-of-choice. 

marcin@Precision-M6500:~$ ssh -p 32415 marcin@195.201.233.113
[marcin@osedev1 ~]$ google-authenticator --time-based --disallow-reuse --issuer "vpn.opensourceecology.org" --label "`whoami`@osedev1" --emergency-codes=1 --window-size=8 --rate-limit=2 --rate-time=30

Looking Forward

Ideally, OSE would have a single rack of colocated hardware at a datacenter near FeF. As campuses pop-up, we could provision new racks at new datacenters that peer with each-other over time, if needed.

The reality is that we have a dedicated server in Falkenstein, Germany[1]; a cloud instance at a different DC in Falkenstein; a physical office in Missouri, USA that will likely have servers in the future[2]; and developers (some with their own servers) all over the world -- which begs the question: how do you architect a VPN with this hodge-podge of geographically dispersed servers & clients?

Certainly a hub-and-spoke [3] openvpn model is possible, but that introduces a single-point-of-failure.

A better option would be a decentralized mesh-style VPN solution, such as ZeroTier.

See Also

Links

  1. https://wiki.hetzner.de/index.php/Benennung_Rechenzentren/en
  2. https://wiki.opensourceecology.org/wiki/OSE_Internet#Internet_Upgrades_2019
  3. http://www.internet-computer-security.com/VPN-Guide/VPN-Topologies.html
Retrieved from "https://wiki.opensourceecology.org/index.php?title=VPN&oldid=204595"