Difference between revisions of "OpenVPN"

From DHVLab

Revision as of 15:47, 8 September 2016

Installing required dependencies

yum install openvpn easy-rsa

Continue with the process on the primary cluster node, where the /sync resource is mounted.

Generate Keys and Certificates

Because OpenVPN runs as a cluster resource, the certificates and configuration files need to live on a DRBD resource that is accessible from all cluster nodes.

#create the working directory on the shared resource and copy the easy-rsa 2.0 scripts into it
mkdir -p /sync/openvpn/easy-rsa/keys
cp -rf /usr/share/easy-rsa/2.0/* /sync/openvpn/easy-rsa

#adapt variables (KEY_SIZE, KEY_COUNTRY, ...) to your environment; the copied vars file lives under /sync, not /etc
nano -w /sync/openvpn/easy-rsa/vars
cp /sync/openvpn/easy-rsa/openssl-1.0.0.cnf /sync/openvpn/easy-rsa/openssl.cnf
cd /sync/openvpn/easy-rsa
source ./vars
./clean-all

#create the CA, the server certificate, the DH parameters and the tls-auth key
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret /sync/openvpn/ta.key
#dh2048.pem assumes KEY_SIZE=2048 in vars
cd /sync/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /sync/openvpn

Configure OpenVPN server

/sync/openvpn/server.conf

local PUBLIC_CLUSTER_IP
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server VPN_IP VPN_SUBNET
ifconfig-pool-persist ipp.txt
push "route VPN_NETWORK VPN_SUBNET"
; enable vpn clients to access the mgmt network and to access ovirt engine
push "route CLUSTER_MGMT_NETWORK CLUSTER_MGMT_SUBNET"
keepalive 10 120
tls-auth ta.key 0
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
log-append  openvpn.log
verb 3

Create client

#create client certificate
cd /sync/openvpn/easy-rsa
./build-key CLIENT_NAME

#provide your client with ca.crt, CLIENT.key, CLIENT.crt, ta.key and the following configuration

client.conf

client
remote PUBLIC_CLUSTER_IP 1194
ca "ca.crt"
cert "CLIENT.crt"
key "CLIENT.key"
; the server uses tls-auth with key-direction 0, so the client must use direction 1
tls-auth "ta.key" 1
comp-lzo yes
dev tun
proto udp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nobody
group nobody
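Added check, not part of the original page: a small Python script that parses OpenVPN configs in the format used above and reports the client/server mismatches that break the handshake, in particular a server `tls-auth ta.key 0` with no matching `tls-auth ta.key 1` on the client. The two embedded configs are constructed excerpts of this page's server.conf and client.conf with its placeholders kept.

```python
import shlex

# Constructed excerpts of the page's server.conf and client.conf (placeholders kept as on the page).
SERVER_CONF = """\
port 1194
proto udp
tls-auth ta.key 0
; enable vpn clients to access the mgmt network
push "route CLUSTER_MGMT_NETWORK CLUSTER_MGMT_SUBNET"
comp-lzo
"""
CLIENT_CONF = """\
client
remote PUBLIC_CLUSTER_IP 1194
comp-lzo yes
proto udp
"""

def parse_ovpn(text):
    """Map directive -> list of argument lists (a directive such as push may repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith(';'):      # '#' and ';' both start comments
            continue
        parts = shlex.split(line)                 # drops the quotes around "route ..."
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf

def first(conf, key, default=None):
    return conf[key][0] if key in conf else default

def check_client_against_server(server_txt, client_txt):
    """Return the list of mismatches; an empty list means the pair is consistent."""
    s, c = parse_ovpn(server_txt), parse_ovpn(client_txt)
    problems = []
    if 'tls-auth' in s:                           # server direction 0 => client needs 1
        ta = first(c, 'tls-auth')
        if ta is None:
            problems.append('server requires tls-auth but client has none')
        elif ta[1:] != ['1']:
            problems.append('client tls-auth key-direction must be 1')
    if first(s, 'proto') != first(c, 'proto'):
        problems.append('proto mismatch')
    remote = first(c, 'remote', [])
    if len(remote) > 1 and remote[1] != first(s, 'port', ['1194'])[0]:
        problems.append('client remote port %s differs from server port' % remote[1])
    if ('comp-lzo' in s) != ('comp-lzo' in c):    # compression must match on both ends
        problems.append('comp-lzo enabled on only one side')
    return problems
```

Run against the page's original client.conf the check reports the missing tls-auth line; with `tls-auth ta.key 1` added it returns an empty list.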

Enable OpenVPN server

systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service

Add OpenVPN as cluster resource

pcs resource create openvpn-server systemd:openvpn@server \
                    op monitor interval=30s --force