OpenVPN
From DHVLab
Installing required dependencies
yum install openvpn easy-rsa
Continue with the process on the primary cluster node, i.e. the node on which the /sync DRBD resource is currently mounted; everything below is written to /sync so that it is available on whichever node later runs the OpenVPN resource.
Generate Keys and Certificates
As OpenVPN runs as a cluster resource, the certificates, keys and configuration files need to be on a DRBD resource (/sync) so that they are accessible from every cluster node. Private material (server.key, ta.key) on that shared volume must stay readable by root only; OpenVPN reads it before dropping privileges to nobody.
#create directory and copy the easy-rsa 2.0 scripts onto the shared volume
mkdir -p /sync/openvpn/easy-rsa/keys
cp -rf /usr/share/easy-rsa/2.0/* /sync/openvpn/easy-rsa
#adapt variables (KEY_SIZE, KEY_COUNTRY, ...) to your environment; the copy under /sync is the one that is used
nano -w /sync/openvpn/easy-rsa/vars
cp /sync/openvpn/easy-rsa/openssl-1.0.0.cnf /sync/openvpn/easy-rsa/openssl.cnf
cd /sync/openvpn/easy-rsa
source ./vars
#clean-all wipes the keys directory, run it only once on a fresh setup
./clean-all
#create the CA, the server certificate (build-key-server adds the server extension) and the DH parameters
./build-ca
./build-key-server server
./build-dh
#static TLS-auth key; the server uses direction 0, every client direction 1
openvpn --genkey --secret /sync/openvpn/ta.key
cd /sync/openvpn/easy-rsa/keys
#dh2048.pem is the file name produced with KEY_SIZE=2048 in vars
cp dh2048.pem ca.crt server.crt server.key /sync/openvpn
#private material on the shared volume stays readable by root only
chmod 600 /sync/openvpn/server.key /sync/openvpn/ta.key
Configure OpenVPN server
/sync/openvpn/server.conf
; the openvpn@server unit starts OpenVPN with --cd /etc/openvpn, so relative file names would be
; looked up there and not in /sync/openvpn; every file is therefore given with an absolute path
; PUBLIC_CLUSTER_IP is the floating cluster IP, OpenVPN has to run on the node that currently holds it
local PUBLIC_CLUSTER_IP
port 1194
proto udp
dev tun
ca /sync/openvpn/ca.crt
cert /sync/openvpn/server.crt
key /sync/openvpn/server.key
dh /sync/openvpn/dh2048.pem
; address range handed out to clients: network address and netmask
server VPN_NETWORK VPN_SUBNET
ifconfig-pool-persist /sync/openvpn/ipp.txt
; the server directive above already pushes the route for the VPN network itself, this line is redundant but harmless
push "route VPN_NETWORK VPN_SUBNET"
; enable vpn clients to access the mgmt network and to access ovirt engine
push "route CLUSTER_MGMT_NETWORK CLUSTER_MGMT_SUBNET"
keepalive 10 120
; direction 0 on the server, 1 in every client configuration
tls-auth /sync/openvpn/ta.key 0
; compression is deprecated (compression oracle attacks on VPN traffic) and must be set identically
; on server and client; drop it here and in client.conf if it is not needed
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status /sync/openvpn/openvpn-status.log
; log-append keeps the log across restarts, a separate log line would only truncate it
log-append /sync/openvpn/openvpn.log
verb 3
Create client
#create client certificate (vars has to be sourced again in a new shell)
cd /sync/openvpn/easy-rsa
source ./vars
./build-key CLIENT_NAME
#provide your client with ca.crt, CLIENT_NAME.key, CLIENT_NAME.crt, ta.key and the following configuration
client.conf
client
remote PUBLIC_CLUSTER_IP 1194
ca "ca.crt"
cert "CLIENT_NAME.crt"
key "CLIENT_NAME.key"
; the server requires tls-auth; without this line the TLS handshake never completes
tls-auth "ta.key" 1
; only accept a server certificate that was created with build-key-server,
; a stolen client certificate can then not be used to impersonate the server
remote-cert-tls server
; must match the server setting
comp-lzo yes
dev tun
proto udp
nobind
auth-nocache
; only needed if up/down scripts are added to this configuration
script-security 2
persist-key
persist-tun
; privilege drop, Linux clients only
user nobody
group nobody
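A client that is missing a single line such as tls-auth fails with nothing more than a TLS handshake timeout, and the server logs the problem only at higher verbosity. The following is an added example, not part of this page or of OpenVPN: a small Python check that parses a server.conf/client.conf pair and reports the mismatches that break this setup (tls-auth missing or with the same key direction on both sides, comp-lzo set on one side only, proto or port differing), plus any file the server config references by a relative path that does not exist under the directory OpenVPN is started in (/etc/openvpn for the openvpn@server unit). The function names and the sample configs are this example's own; the sample configs are constructed with the placeholders used above.

```python
"""Consistency check for an OpenVPN server.conf / client.conf pair (added example)."""
import os
import shlex

# directives on this page whose first argument is a file name
FILE_DIRECTIVES = ("ca", "cert", "key", "dh", "tls-auth")


def parse_openvpn_conf(text):
    """Return [(directive, [args]), ...]; lines starting with '#' or ';' are comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # handles quoted values such as ca "ca.crt"
        directives.append((parts[0], parts[1:]))
    return directives


def first(directives, name):
    """Arguments of the first occurrence of a directive, or None if absent."""
    for directive, args in directives:
        if directive == name:
            return args
    return None


def missing_files(directives, cwd):
    """Referenced files that do not exist; relative paths are resolved against cwd."""
    missing = []
    for directive, args in directives:
        if directive in FILE_DIRECTIVES and args:
            full = args[0] if os.path.isabs(args[0]) else os.path.join(cwd, args[0])
            if not os.path.isfile(full):
                missing.append((directive, full))
    return missing


def check_pair(server_text, client_text, server_cwd=None):
    """Return a list of problems; an empty list means the pair is consistent."""
    server = parse_openvpn_conf(server_text)
    client = parse_openvpn_conf(client_text)
    problems = []

    # tls-auth: the server uses direction 0, so every client needs the key with direction 1
    s_ta, c_ta = first(server, "tls-auth"), first(client, "tls-auth")
    if s_ta is not None and c_ta is None:
        problems.append("server requires tls-auth but client.conf has no tls-auth line")
    elif s_ta is not None and c_ta is not None:
        s_dir = s_ta[1] if len(s_ta) > 1 else None
        c_dir = c_ta[1] if len(c_ta) > 1 else None
        if s_dir is not None and s_dir == c_dir:
            problems.append("tls-auth key direction must differ (server 0, client 1)")

    # compression has to be configured on both ends or on neither
    if (first(server, "comp-lzo") is None) != (first(client, "comp-lzo") is None):
        problems.append("comp-lzo is set on one side only")

    # proto and port: the client's "remote host [port]" must match the server
    s_port = (first(server, "port") or ["1194"])[0]
    remote = first(client, "remote") or []
    c_port = remote[1] if len(remote) > 1 else "1194"
    if s_port != c_port:
        problems.append(f"server listens on port {s_port}, client connects to {c_port}")
    s_proto = (first(server, "proto") or ["udp"])[0].rstrip("46")
    c_proto = (first(client, "proto") or ["udp"])[0].rstrip("46")
    if s_proto != c_proto:
        problems.append(f"proto mismatch: server {s_proto}, client {c_proto}")

    # files the server refers to, resolved the way the systemd unit resolves them
    if server_cwd is not None:
        for directive, full in missing_files(server, server_cwd):
            problems.append(f"{directive}: {full} does not exist")
    return problems


# constructed sample: a server with relative paths and tls-auth direction 0 ...
SERVER_CONF = """\
local PUBLIC_CLUSTER_IP
port 1194
proto udp
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
comp-lzo
"""
# ... a client that forgot tls-auth ...
CLIENT_CONF_BROKEN = """\
client
remote PUBLIC_CLUSTER_IP 1194
ca "ca.crt"
cert "CLIENT_NAME.crt"
key "CLIENT_NAME.key"
comp-lzo yes
proto udp
"""
# ... and the same client with the matching tls-auth line
CLIENT_CONF_FIXED = CLIENT_CONF_BROKEN + 'tls-auth "ta.key" 1\n'

if __name__ == "__main__":
    for name, client in (("broken", CLIENT_CONF_BROKEN), ("fixed", CLIENT_CONF_FIXED)):
        print(name, check_pair(SERVER_CONF, client) or ["ok"])
```

Passing `server_cwd="/etc/openvpn"` reproduces what the openvpn@server unit sees: with the relative file names of the sample server config every certificate and key is reported as missing, which is exactly why the server configuration above uses absolute /sync/openvpn paths.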
Enable OpenVPN server
The openvpn@server unit reads /etc/openvpn/server.conf, so on every cluster node /etc/openvpn/server.conf has to point at the shared file. Start the service once by hand on the node where /sync is mounted to verify the configuration, then stop it again. Do not leave the unit enabled: a systemd service that is managed by Pacemaker must not be started by systemd at boot, otherwise a node can bring up OpenVPN on its own without the floating IP and without /sync being mounted.
ln -s /sync/openvpn/server.conf /etc/openvpn/server.conf
systemctl start openvpn@server.service
systemctl stop openvpn@server.service
systemctl disable openvpn@server.service
Add OpenVPN as cluster resource
pcs resource create openvpn-server systemd:openvpn@server \
op monitor interval=30s --force
#OpenVPN binds to the cluster IP and reads its files from /sync, so it has to run together with, and after,
#those resources; replace CLUSTER_IP_RESOURCE and SYNC_FS_RESOURCE with the resource names used in your cluster
pcs constraint colocation add openvpn-server with CLUSTER_IP_RESOURCE INFINITY
pcs constraint colocation add openvpn-server with SYNC_FS_RESOURCE INFINITY
pcs constraint order SYNC_FS_RESOURCE then openvpn-server
pcs constraint order CLUSTER_IP_RESOURCE then openvpn-server