VPN

From Grid5000


The Grid'5000 Virtual Private Network (VPN) allows you to connect your workstation or personal computer to the Grid'5000 network while preserving security.

When connected to the Grid'5000 VPN, your computer is "inside" the Grid'5000 network, so you no longer need several SSH hops or tunnels to reach Grid'5000 nodes: direct connections are possible.

Grid'5000 VPN is based on OpenVPN.

Getting started

To start using Grid'5000 VPN, you first need to get a certificate:

Go to your account management page, select "My account" and the "VPN" tab on the left, then click "Create new certificate". To generate a new certificate, click on "Generate from Passphrase" (recommended). If you generated your certificate and private key yourself, select "Sign public key".

Your certificate will appear on the "VPN" tab. Click on "Zip file" to download an archive which includes the certificates and the configuration file needed to establish the VPN connection.

You must extract the archive contents on your workstation. Please choose a secure place to store those files: an attacker who obtains them could impersonate you on Grid'5000.

Launch a connection

The procedure to start a connection to the Grid'5000 VPN depends on your operating system:

Windows

If you have not done it yet, download and install OpenVPN for Windows (default installation options should be fine).

Then, from the folder where you extracted the ZIP archive, execute Grid'5000 VPN for Windows as an administrator (on most Windows systems, you need to right-click the Grid'5000 VPN for Windows file and select "Run as administrator"). This should start a command shell in which the program requests your certificate password. The three common problems are:

  • The shell closes immediately. You might have mistyped your certificate password: retry, or retry from a PowerShell to diagnose the problem (see next item).
  • If the shell closes after entering your password, you are probably experiencing a local firewall issue. You'll need to start from a PowerShell as admin ("invite de commande (admin)" in the French UI):
    • right-click the Start menu and run the shell (as admin). Type cd (notice the trailing space)
    • open the Windows file explorer in the folder where you extracted the ZIP archive, right-click the folder icon at the left of the location bar, and copy the location
    • go back to the shell, right-click to paste the location you just copied, and press Enter
    • Type dir: this should list the files extracted from the archive
    • Type "Grid'5000_VPN_for_Windows.bat". This should ask for your certificate password, and then trigger alerts if your firewall needs to be configured to allow that program to access the internet.
  • If the program stays frozen on Tue Oct 13 10:02:37 2015 UDPv4 link remote: [AF_INET]194.254.60.14:1194, your local site is probably blocking UDP access to the VPN. You'll need to edit a file (with Notepad++ or another editor that shows more than one line when opening the file for editing):
    • Grid_5000_VPN. Here, you should comment out the second line (add a #) and uncomment the fourth (remove the #)


Mac OS X

On OS X systems, we recommend downloading and installing Tunnelblick as the OpenVPN client.

Then, from the folder where you extracted the ZIP archive, double-click the Grid5000_VPN.ovpn file to install the Grid'5000 VPN configuration inside Tunnelblick.

To connect to the VPN, select Grid5000_VPN from the Tunnelblick application (top right of the screen).

In case of trouble, check the connection logs under "VPN details, Grid5000 VPN, Messages".


Linux (using network-manager)

You can also connect to Grid'5000 using the "Network Manager" applet (you may need to install packages such as "network-manager-openvpn-gnome").

From the "Network Settings" application, add a Network Connection and select "VPN". Choose "OpenVPN" and use these parameters:

  • Name: as you wish, e.g. Grid'5000
  • Gateway: choose vpn.grid5000.fr
  • Type: choose Certificates (TLS)
  • User Certificate: use your <username>.crt file
  • CA Certificate: your cavpn.crt file
  • Private Key: use your <username>.key file
  • Private Key Password: enter the password needed to unlock your private key

Then, click the "Advanced" button and select "Configure type of network device" to use "TUN". If you prefer to use TCP (recommended if your network is filtered and UDP does not work), select "Use TCP" and, under "Use a specific port", choose 443. Then, on the "TLS Authentication" tab, enable "Use additional TLS authentication", use the ta.key file as "Key File", and click OK.

Finally, go to the "IPv4" tab, click the "Routes..." button and select "Use this connection only for resources on its network".

You're done. You can connect to the VPN from the Network Manager applet, usually present in a corner of your screen.

Linux (using command line)

From the folder where you extracted the ZIP archive, you only have to execute this as root:

sudo openvpn Grid5000_VPN.ovpn

Note that the OpenVPN Linux client does not natively apply the DNS configuration pushed by the VPN. In most distributions, installing the resolvconf package and uncommenting the last lines of the Grid5000_VPN.ovpn file should enable automatic DNS configuration for the VPN.

If you prefer to use TCP (recommended if your network is filtered and UDP does not work), comment out the second line of the file and uncomment the fourth.

There is also a bug in the generated config file: you must change "dev tap" to "dev tun".

Others

Refer to VPN#Grid'5000 VPN parameters to configure the VPN manually.

Testing your connection

When your VPN connection is established, you will be able to connect directly to any Grid'5000 node or frontend. Try it with:

ssh <username>@frontend.lyon.grid5000.fr


Grid'5000 VPN parameters

  • Gateway: vpn.grid5000.fr
  • Gateway port: 1194 UDP or 443 TCP
  • Device type: tun (Layer 3 VPN)
  • Authentication type: Certificate (TLS)
  • User certificate: <username>.crt
  • CA certificate: cavpn.crt
  • User private key: <username>.key
  • Additional TLS authentication file: ta.key (no direction)
  • Grid'5000 VPN routes: 172.16.0.0/16, 10.0.0.0/8 and 172.20.0.0/16 (use Grid'5000 VPN for these networks only)
  • Grid'5000 VPN DNS: 172.20.255.254


Here is an example configuration file:

client
remote vpn.grid5000.fr 1194 udp
# In case of problem with the UDP connection, use TCP: comment the line above and uncomment the line below.
#remote vpn.grid5000.fr 443 tcp
dev tun

# Files from the ZIP archive: the CA certificate, your certificate and your private key
ca cavpn.crt
cert sdelamare.crt
key sdelamare.key
# Additional TLS authentication (no key direction)
tls-auth ta.key

# On Linux systems, you can uncomment the following lines to automatically use the Grid'5000 DNS (resolvconf package needed)
#script-security 2
#up /etc/openvpn/update-resolv-conf
#down /etc/openvpn/update-resolv-conf
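As an added example (not part of the Grid'5000 wiki or its tooling), the following POSIX shell functions carry out the checks a practitioner would want before the "Linux (using command line)" step: refusing a private key that other users can read, verifying the .ovpn file against the parameters listed above (dev tun, cavpn.crt, ta.key without direction, an active remote), and applying the two documented edits (the "dev tap" bug and the UDP-to-TCP switch) to a copy of the file. It assumes the file names used on this page; "jdoe" is a constructed placeholder username and the sample archive is constructed.

```shell
#!/bin/sh
# Added example, not from the Grid'5000 wiki: pre-flight checks on the files
# extracted from the VPN ZIP archive before running "sudo openvpn Grid5000_VPN.ovpn".
# Assumes the file names used on this page (Grid5000_VPN.ovpn, cavpn.crt, ta.key,
# <username>.crt/.key); "jdoe" is a constructed placeholder username.

# The private key is your identity in Grid'5000: refuse it if group/others can read it.
check_key_perms() {
    key="$1"
    [ -f "$key" ] || { echo "missing key: $key" >&2; return 1; }
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$key is mode $mode; run: chmod 600 $key" >&2; return 1 ;;
    esac
}

# Check the .ovpn against the documented parameters: "dev tun" (the generated file may
# wrongly say "dev tap"), the CA file, tls-auth with no direction, and an active remote.
check_config() {
    cfg="$1"
    grep -qx 'dev tun' "$cfg"                   || { echo "$cfg: expected 'dev tun'" >&2; return 1; }
    grep -qx 'ca cavpn.crt' "$cfg"              || { echo "$cfg: missing 'ca cavpn.crt'" >&2; return 1; }
    grep -qx 'tls-auth ta.key' "$cfg"           || { echo "$cfg: missing 'tls-auth ta.key'" >&2; return 1; }
    grep -q '^remote vpn\.grid5000\.fr ' "$cfg" || { echo "$cfg: no active remote line" >&2; return 1; }
}

# Apply the edits this page describes, writing a new file so the original is kept:
# "dev tap" -> "dev tun", and optionally switch from UDP 1194 to TCP 443 (filtered sites).
fix_config() {
    src="$1"; dst="$2"; use_tcp="${3:-no}"
    if [ "$use_tcp" = yes ]; then
        sed -e 's/^dev tap$/dev tun/' \
            -e 's/^remote vpn\.grid5000\.fr 1194 udp$/#&/' \
            -e 's/^#\(remote vpn\.grid5000\.fr 443 tcp\)$/\1/' "$src" > "$dst"
    else
        sed -e 's/^dev tap$/dev tun/' "$src" > "$dst"
    fi
}

# Constructed sample of a generated archive showing both problems (world-readable key, dev tap).
make_sample() {
    mkdir -p "$1"
    printf '%s\n' client 'remote vpn.grid5000.fr 1194 udp' \
        '# In case of problem with UDP connection, use TCP.' '#remote vpn.grid5000.fr 443 tcp' \
        'dev tap' 'ca cavpn.crt' 'cert jdoe.crt' 'key jdoe.key' 'tls-auth ta.key' > "$1/Grid5000_VPN.ovpn"
    printf 'constructed placeholder, not a real key\n' > "$1/jdoe.key"
    chmod 644 "$1/jdoe.key"
}
```

Source the file, then run check_key_perms and check_config on your real extracted files; fix_config with a third argument of yes produces the TCP 443 variant for sites that filter UDP.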