OpenVPN is our server→server VPN solution. It is deployed in a routeless manner and uses ansible managed keys for authentication. All hosts should be given static IP’s and a hostname.vpn.fedoraproject.org DNS address.
Fedora Infrastructure Team
Provides vpn solution for our infrastructure.
Giving static IP’s out in openvpn is mostly painless. Take a look at other examples but each host gets a file and 2 IP’s.:
git clone https://pagure.io/fedora-infra/ansible.git vi ansible/roles/openvpn/server/files/ccd/$FQDN
The file format should look like this:
ifconfig-push 192.168.1.314 192.168.0.314
Basically the first IP is the IP that is contactable over the vpn and should always take the format "192.168.1.x" and the PtPIP is the same ip on a different network: "192.168.0.x"
Commit and install:
git add . git commit -m "What have you done?" git push
And then push that out to bastion:
sudo -i ansible-playbook $(pwd)/playbooks/groups/bastion.yml -t openvpn
After you have your static IP ready, just add the entry to DNS:
git clone /srv/git/dns && cd dns vi master/168.192.in-addr.arpa # pick out an ip that's unused vi master/vpn.fedoraproject.org git commit -m "What have you done?" ./do-domains git commit -m "done build." git push
And push that out to the name servers with:
sudo -i ansible ns\* -a "/usr/local/bin/update-dns"
# This is to ensure that the clone is not world-readable at any point. RESTORE_UMASK=$(umask -p) umask 0077 git clone /srv/git/ansible-private $RESTORE_UMASK cd ansible-private/files/vpn
Next, use the
easyrsa command to revoke the certificate:
/usr/share/easy-rsa/3.0/easyrsa revoke $FQDN git add . git commit -a git push
Deploy an additional VPN server outside of IAD2. OpenVPN does support failover automatically so if configured properly, when the primary VPN server goes down all hosts should connect to the next host in the list.
Want to help? Learn how to contribute to Fedora Docs ›