121 lines
2.6 KiB
Text
121 lines
2.6 KiB
Text
= OpenVPN SOP
|
|
|
|
OpenVPN is our server->server VPN solution. It is deployed in a
|
|
routeless manner and uses ansible managed keys for authentication. All
|
|
hosts should be given static IP's and a _hostname.vpn.fedoraproject.org_
|
|
DNS address.
|
|
|
|
== Contact Information
|
|
|
|
Owner::
|
|
Fedora Infrastructure Team
|
|
Contact::
|
|
#fedora-admin, sysadmin-main
|
|
Servers::
|
|
bastion (vpn.fedoraproject.org)
|
|
Purpose::
|
|
Provides vpn solution for our infrastructure.
|
|
|
|
== Add a new host
|
|
|
|
=== Create/sign the keys
|
|
|
|
See xref:howtos:generate_openvpn_keys.adoc[How to generate private key and certificate for OpenVPN client]
|
|
|
|
=== Create Static IP
|
|
|
|
Giving static IP's out in openvpn is mostly painless. Take a look at
|
|
other examples but each host gets a file and 2 IP's.:
|
|
|
|
....
|
|
git clone https://pagure.io/fedora-infra/ansible.git
|
|
vi ansible/roles/openvpn/server/files/ccd/$FQDN
|
|
....
|
|
|
|
The file format should look like this:
|
|
|
|
....
|
|
ifconfig-push 192.168.1.314 192.168.0.314
|
|
....
|
|
|
|
Basically the first IP is the IP that is contactable over the vpn and
|
|
should always take the format "192.168.1.x" and the PtPIP is the same ip
|
|
on a different network: "192.168.0.x"
|
|
|
|
Commit and install:
|
|
|
|
....
|
|
git add .
|
|
git commit -m "What have you done?"
|
|
git push
|
|
....
|
|
|
|
And then push that out to bastion:
|
|
|
|
....
|
|
sudo -i ansible-playbook $(pwd)/playbooks/groups/bastion.yml -t openvpn
|
|
....
|
|
|
|
=== Create DNS entry
|
|
|
|
After you have your static IP ready, just add the entry to DNS:
|
|
|
|
....
|
|
git clone /srv/git/dns && cd dns
|
|
vi master/168.192.in-addr.arpa
|
|
# pick out an ip that's unused
|
|
vi master/vpn.fedoraproject.org
|
|
git commit -m "What have you done?"
|
|
./do-domains
|
|
git commit -m "done build."
|
|
git push
|
|
....
|
|
|
|
And push that out to the name servers with:
|
|
|
|
....
|
|
sudo -i ansible ns\* -a "/usr/local/bin/update-dns"
|
|
....
|
|
|
|
=== Update resolv.conf on the client
|
|
|
|
To make sure traffic actually goes over the VPN, make sure the search
|
|
line in `/etc/resolv.conf` looks like:
|
|
|
|
....
|
|
search vpn.fedoraproject.org fedoraproject.org
|
|
....
|
|
|
|
for external hosts and:
|
|
|
|
....
|
|
search iad2.fedoraproject.org vpn.fedoraproject.org fedoraproject.org
|
|
....
|
|
|
|
for IAD2 hosts.
|
|
|
|
== Remove a host
|
|
|
|
....
|
|
# This is to ensure that the clone is not world-readable at any point.
|
|
RESTORE_UMASK=$(umask -p)
|
|
umask 0077
|
|
git clone /srv/git/ansible-private
|
|
$RESTORE_UMASK
|
|
cd ansible-private/files/vpn
|
|
....
|
|
|
|
Next, use the `easyrsa` command to revoke the certificate:
|
|
|
|
....
|
|
/usr/share/easy-rsa/3.0/easyrsa revoke $FQDN
|
|
git add .
|
|
git commit -a
|
|
git push
|
|
....
|
|
|
|
== TODO
|
|
|
|
Deploy an additional VPN server outside of IAD2. OpenVPN does support
|
|
failover automatically so if configured properly, when the primary VPN
|
|
server goes down all hosts should connect to the next host in the list.
|