OpenVPN

From DHVLab

Revision as of 15:47, 8 September 2016 by Wiki admin (talk | contribs)

Installing required dependencies

yum install openvpn easy-rsa

Continue with the process on the primary cluster node, i.e. the node where the /sync resource is currently mounted.

Generate Keys and Certificates

As OpenVPN runs as a cluster resource, the certificates and configuration files need to be on a drbd resource and accessible by all cluster nodes.

#create the key directory on the shared /sync resource and copy the easy-rsa 2.0 scripts there
mkdir -p /sync/openvpn/easy-rsa/keys
cp -rf /usr/share/easy-rsa/2.0/* /sync/openvpn/easy-rsa

#adapt variables (KEY_SIZE, KEY_COUNTRY, KEY_ORG, ...) to your environment
#note: the vars file lives in the copied tree under /sync, not under /etc/openvpn
nano -w /sync/openvpn/easy-rsa/vars
cp /sync/openvpn/easy-rsa/openssl-1.0.0.cnf /sync/openvpn/easy-rsa/openssl.cnf
cd /sync/openvpn/easy-rsa
source ./vars
#clean-all wipes the keys directory, so run it only once, before the CA exists
./clean-all

#create the CA, the server certificate/key, the DH parameters and the tls-auth key
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret /sync/openvpn/ta.key
cd /sync/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /sync/openvpn

Configure OpenVPN server

/sync/openvpn/server.conf

local PUBLIC_CLUSTER_IP
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server VPN_IP VPN_SUBNET
ifconfig-pool-persist ipp.txt
push "route VPN_NETWORK VPN_SUBNET"
; enable vpn clients to access the mgmt network and to access ovirt engine
push "route CLUSTER_MGMT_NETWORK CLUSTER_MGMT_SUBNET"
keepalive 10 120
tls-auth ta.key 0
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
log-append  openvpn.log
verb 3

Create client

#create client certificate (the vars file must be sourced in this shell)
cd /sync/openvpn/easy-rsa
./build-key CLIENT_NAME

#provide your client with ca.crt, CLIENT.key, CLIENT.crt, ta.key and the following configuration

client.conf

client
remote PUBLIC_CLUSTER_IP 1194
ca "ca.crt"
cert "CLIENT.crt"
key "CLIENT.key"
; the server uses "tls-auth ta.key 0", so the client needs the same key with direction 1
tls-auth "ta.key" 1
comp-lzo yes
dev tun
proto udp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nobody
group nobody
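Before handing a client.conf to a user, it is worth checking that it actually agrees with server.conf on the settings a tunnel cannot come up without: transport (proto, dev), port, tls-auth presence and key direction, and compression. The following Python script is an added example, not part of this wiki page or of OpenVPN itself; it contains a small parser for OpenVPN's line-oriented config format and cross-checks a constructed server/client pair modelled on the two configurations above (the VPN_IP/VPN_SUBNET placeholders are replaced by a constructed 10.8.0.0/24 value so the sample parses; PUBLIC_CLUSTER_IP is kept as-is).

```python
"""Cross-check an OpenVPN server.conf against a client.conf for the
settings that must agree before a tunnel can be established.
Added example; the sample configs below are constructed, not real."""
from __future__ import annotations

import shlex

# Constructed sample modelled on the server.conf of the page.
SERVER_CONF = """\
local PUBLIC_CLUSTER_IP
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 10.8.0.0 255.255.255.0"
; tls-auth with key direction 0 on the server side
tls-auth ta.key 0
keepalive 10 120
comp-lzo
verb 3
"""

# Constructed sample modelled on the client.conf of the page.
CLIENT_CONF = """\
client
remote PUBLIC_CLUSTER_IP 1194
ca "ca.crt"
cert "CLIENT.crt"
key "CLIENT.key"
tls-auth "ta.key" 1
comp-lzo yes
dev tun
proto udp
nobind
"""


def parse_openvpn_conf(text: str) -> dict[str, list[list[str]]]:
    """Parse OpenVPN's config format into {option: [[arg, ...], ...]}.
    Lines starting with '#' or ';' are comments, arguments may be
    double-quoted, and an option may occur several times (e.g. `push`),
    hence a list of argument lists per option."""
    options: dict[str, list[list[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line)  # honours the quoted arguments used in client.conf
        options.setdefault(tokens[0], []).append(tokens[1:])
    return options


def _first(opts: dict[str, list[list[str]]], key: str, default=None):
    """Arguments of the first occurrence of `key`, or `default` if absent."""
    return opts[key][0] if key in opts else default


def check_pair(server: dict[str, list[list[str]]],
               client: dict[str, list[list[str]]]) -> list[str]:
    """Return a list of mismatch descriptions; an empty list means the
    client config is compatible with the server config on the checked points."""
    problems: list[str] = []

    # proto (default udp) and dev must be identical on both ends
    for key, default in (("proto", ["udp"]), ("dev", None)):
        s, c = _first(server, key, default), _first(client, key, default)
        if s != c:
            problems.append(f"{key}: server {s} vs client {c}")

    # the client's remote must name the port the server listens on (default 1194)
    server_port = _first(server, "port", ["1194"])[0]
    remote = _first(client, "remote")
    if remote is None:
        problems.append("client has no 'remote' line")
    else:
        client_port = remote[1] if len(remote) > 1 else "1194"
        if client_port != server_port:
            problems.append(f"port: server {server_port} vs client remote {client_port}")

    # tls-auth: either both sides use it, with complementary key directions, or neither does
    s_ta, c_ta = _first(server, "tls-auth"), _first(client, "tls-auth")
    if (s_ta is None) != (c_ta is None):
        problems.append("tls-auth configured on only one side")
    elif s_ta is not None:
        s_dir = s_ta[1] if len(s_ta) > 1 else None
        c_dir = c_ta[1] if len(c_ta) > 1 else None
        if {s_dir, c_dir} != {"0", "1"}:
            problems.append(f"tls-auth key-direction: server {s_dir} vs client {c_dir}")

    # comp-lzo on one side only breaks the data channel
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        problems.append("comp-lzo configured on only one side")

    return problems


if __name__ == "__main__":
    issues = check_pair(parse_openvpn_conf(SERVER_CONF), parse_openvpn_conf(CLIENT_CONF))
    print("compatible" if not issues else "\n".join(issues))
```

To use it on real files, read server.conf and client.conf from disk and pass their contents to `parse_openvpn_conf` instead of the embedded samples; a client config that omits the `tls-auth` line, or carries direction 0 like the server, is reported as a mismatch.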

Enable OpenVPN server

systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service

Add OpenVPN as cluster resource

pcs resource create openvpn-server systemd:openvpn@server \
                    op monitor interval=30s --force