KaVLAN VPN

From Grid5000
[Image: G5K kavlanvpn.png]

This feature lets users build a Virtual Private Network (VPN) between a KaVLAN network and the outside world. It therefore makes it possible to interconnect Grid'5000 nodes with any external network (from the user's laptop to the Internet), bypassing Grid'5000's network isolation. Keep in mind that this deliberately punches a hole in that isolation: once the tunnel is up, the user's gateway is a member of the kavlan's Ethernet segment, so whatever that gateway forwards into the tunnel can reach the nodes, and vice versa.


Warning: This is an advanced feature. It requires a good understanding of KaVLAN, VPNs and networking in Linux.


Some information:

  • This service currently uses an SSH VPN at layer 2 (Ethernet level). Because the tunnel is carried over a TCP connection, you should not expect high network performance: throughput degrades quickly with latency and packet loss, and TCP flows running inside the tunnel suffer from the retransmissions of the outer TCP session as well as their own.
  • The VPN requires two endpoints (gateways) to be interconnected. On the Grid'5000 side, VPN gateways are installed on the kavlan-{1,2,3}.<site>.grid5000.fr servers.
  • On the user's side (outside Grid'5000), a GNU/Linux system with root privileges is required to act as the user's gateway.
  • On Grid'5000, the user must reserve a non-routed local kavlan network (the VPN only works with this kind of kavlan). Grid'5000 nodes must be switched into that kavlan to be reachable through the VPN.


The VPN is initiated from the user's gateway machine with an SSH connection to the appropriate kavlan-X server (which one depends on the kavlan network previously reserved). To enable the VPN, the SSH "-w" option must be used to attach a local tap device to the remote tap0 on the kavlan-X server, with the tunnel configured in Ethernet mode ("-o Tunnel=ethernet"). See the ssh and ssh_config manpages for more information about these options.


Example with KaVLAN network "1" at lyon:

  • As root, create a virtual tap device that will be connected to your kavlan through the SSH VPN. Handing the device to your own user (replace $USERNAME with your user name) lets the unprivileged ssh process attach to it afterwards.
 laptop: sudo ip tuntap add dev tap0 mode tap user $USERNAME
  • Assign an IP address to this interface and bring it up.
 laptop: sudo ip addr add 192.168.207.253/20 dev tap0
 laptop: sudo ip link set tap0 up
Warning: The IP address you choose must be inside the kavlan network, which depends on the kavlan number you are using (see Grid5000:Network#KaVLAN_networks). Pick an address that none of the Grid'5000 nodes switched into that kavlan is using, since your gateway will share their Ethernet segment and a duplicate address would break connectivity for both.

  • Start the SSH VPN
 laptop: ssh -o Tunnel=ethernet -w 0:0 -N kavlan-1.lyon.g5k

If the command runs correctly, it should not output anything; it stays in the foreground and the tunnel lives exactly as long as this SSH session does.

  • Options description:
    • -o Tunnel=ethernet: Use an ethernet (layer 2) VPN
    • -w 0:0: Use interface tap0 on client side (first 0) and tap0 on server side (second 0, mandatory)
    • -N  : Do not execute a remote command
    • kavlan-1.lyon.g5k: Connect to the lyon kavlan-1 gateway. The trailing .g5k assumes that you have configured your ssh_config to reach Grid'5000 machines through the .g5k suffix (typically a Host *.g5k entry with a ProxyCommand through the Grid'5000 access machine).
  • The client's tap0 interface is now connected to the kavlan network. You should be able to ping other nodes inside this network, provided they have already been switched into that kavlan.
 laptop: ping 192.168.192.83
 PING 192.168.192.83 (192.168.192.83) 56(84) bytes of data.
 64 bytes from 192.168.192.83: icmp_req=1 ttl=64 time=82.7 ms
 64 bytes from 192.168.192.83: icmp_req=2 ttl=64 time=39.9 ms
 ...
Warning: DNS hostname resolution cannot be used here: the DNS servers are inside the Grid'5000 network, while this command is executed from your local workstation. Address nodes by their kavlan IP address instead.
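The whole procedure above (tap device, address, SSH tunnel, connectivity check by IP address) gathered into one script, added here as an example; it is not part of the Grid'5000 wiki or of the kavlan tools. It assumes the lyon kavlan-1 case used above with the 192.168.192.0/20 range, an ssh_config that resolves *.g5k, and the hypothetical variables GATEWAY, SUBNET, LOCAL_ADDR and TAP. Beyond the wiki steps it refuses to configure the interface when the chosen address lies outside the kavlan range (the mistake the warning above describes), and it passes ServerAliveInterval to ssh so that a dead tunnel is noticed instead of leaving a silent tap0.

```shell
#!/bin/sh
# kavlan-vpn.sh: bring up (and tear down) an SSH layer-2 tunnel from a Linux
# laptop into a Grid'5000 kavlan. Added example, not a Grid'5000 tool.
# Assumptions (hypothetical, change them for your own reservation):
#   GATEWAY    kavlan-X server of the site where the kavlan was reserved
#   SUBNET     that kavlan's range; lyon kavlan-1 is taken as 192.168.192.0/20
#              (check Grid5000:Network#KaVLAN_networks for your own number)
#   ~/.ssh/config already resolves *.g5k through the Grid'5000 access machine
GATEWAY=${GATEWAY:-kavlan-1.lyon.g5k}
SUBNET=${SUBNET:-192.168.192.0/20}
LOCAL_ADDR=${LOCAL_ADDR:-192.168.207.253}   # must lie inside SUBNET
TAP=${TAP:-tap0}                            # local side of "-w N:0"

# ip2int A.B.C.D -> 32-bit integer, so prefix checks are plain arithmetic
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET/PLEN -> exit status 0 when ADDR is inside NET/PLEN
in_subnet() {
    net=${2%/*}; plen=${2#*/}
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

vpn_up() {
    # Refuse to touch any interface if the address is not in the kavlan:
    # an outside address on the tap would never reach a single node.
    if ! in_subnet "$LOCAL_ADDR" "$SUBNET"; then
        echo "refusing: $LOCAL_ADDR is not inside kavlan range $SUBNET" >&2
        return 2
    fi
    # The tap is created by root but owned by the user, so the unprivileged
    # ssh process can attach to it afterwards.
    sudo ip tuntap add dev "$TAP" mode tap user "$(id -un)"
    sudo ip addr add "$LOCAL_ADDR/${SUBNET#*/}" dev "$TAP"
    sudo ip link set "$TAP" up
    # -o Tunnel=ethernet: layer-2 tunnel; -w N:0: local tapN to remote tap0
    # (remote index must be 0); -N: carry the tunnel only, no remote command.
    # ServerAliveInterval is an addition so a dead tunnel is noticed quickly.
    ssh -o Tunnel=ethernet -o ServerAliveInterval=15 \
        -w "${TAP#tap}:0" -N "$GATEWAY" &
    echo $! > "/tmp/kavlan-vpn-$TAP.pid"
    sleep 3
    if ! kill -0 "$(cat "/tmp/kavlan-vpn-$TAP.pid")" 2>/dev/null; then
        echo "ssh tunnel to $GATEWAY exited; check ssh_config and reservation" >&2
        return 1
    fi
    # Grid'5000 DNS is unreachable from the laptop: test by IP address only.
    echo "tunnel up on $TAP ($LOCAL_ADDR); ping nodes by IP, e.g. ping -c 3 <node-ip>"
}

vpn_down() {
    pidfile="/tmp/kavlan-vpn-$TAP.pid"
    [ -f "$pidfile" ] && kill "$(cat "$pidfile")" 2>/dev/null
    rm -f "$pidfile"
    sudo ip tuntap del dev "$TAP" mode tap 2>/dev/null
}

# Only act when invoked with up/down; sourcing the file just defines helpers.
case "${1:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Run it as `sh kavlan-vpn.sh up` and `sh kavlan-vpn.sh down`; the address check runs before any sudo command, so a wrong LOCAL_ADDR fails without leaving a half-configured tap behind.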