OpenVPN SOP

OpenVPN is our server→server VPN solution. It is deployed in a routeless manner and uses ansible managed keys for authentication. All hosts should be given static IP’s and a hostname.vpn.fedoraproject.org DNS address.

Contact Information

Owner

Fedora Infrastructure Team

Contact

#fedora-admin, sysadmin-main

Servers

bastion (vpn.fedoraproject.org)

Purpose

Provides vpn solution for our infrastructure.

Add a new host

Create Static IP

Giving static IP’s out in openvpn is mostly painless. Take a look at other examples but each host gets a file and 2 IP’s.:

git clone https://pagure.io/fedora-infra/ansible.git
vi ansible/roles/openvpn/server/files/ccd/$FQDN

The file format should look like this:

ifconfig-push 192.168.1.314 192.168.0.314

Basically the first IP is the IP that is contactable over the vpn and should always take the format "192.168.1.x" and the PtPIP is the same ip on a different network: "192.168.0.x"

Commit and install:

git add .
git commit -m "What have you done?"
git push

And then push that out to bastion:

sudo -i ansible-playbook $(pwd)/playbooks/groups/bastion.yml -t openvpn

Create DNS entry

After you have your static IP ready, just add the entry to DNS:

git clone /srv/git/dns && cd dns
vi master/168.192.in-addr.arpa
# pick out an ip that's unused
vi master/vpn.fedoraproject.org
git commit -m "What have you done?"
./do-domains
git commit -m "done build."
git push

And push that out to the name servers with:

sudo -i ansible ns\* -a "/usr/local/bin/update-dns"

Update resolv.conf on the client

To make sure traffic actually goes over the VPN, make sure the search line in /etc/resolv.conf looks like:

search vpn.fedoraproject.org fedoraproject.org

for external hosts and:

search iad2.fedoraproject.org vpn.fedoraproject.org fedoraproject.org

for IAD2 hosts.

Remove a host

# This is to ensure that the clone is not world-readable at any point.
RESTORE_UMASK=$(umask -p)
umask 0077
git clone /srv/git/ansible-private
$RESTORE_UMASK
cd ansible-private/files/vpn

Next, use the easyrsa command to revoke the certificate:

/usr/share/easy-rsa/3.0/easyrsa revoke $FQDN
git add .
git commit -a
git push

TODO

Deploy an additional VPN server outside of IAD2. OpenVPN does support failover automatically so if configured properly, when the primary VPN server goes down all hosts should connect to the next host in the list.