The oVirt datacenter in Phoenix has several internal networks used for various purposes. Since they are not accessible from the outside, the easiest way to reach them is via VPN. An OpenVPN service is available, served by gw02.phx.ovirt.org.
OpenVPN uses TLS to authenticate users and encrypt traffic. It runs over TCP on port 443, which is permitted by most network firewalls and proxies.
Add a new user
To allow a new user access to the VPN, it is necessary to generate a certificate and have it signed by the OpenVPN CA. The CSR file can be provided by the user, but in this example we generate a certificate and sign it immediately.
First, log in to the machine that holds the oVirt OpenVPN CA. At the time of writing the CA is on the PHX gateway. Root access to this machine and the CA password are required to perform signing tasks.
$ ssh gw02.phx.ovirt.org
$ sudo su -
# cd /etc/openvpn/ssl/ca
The CA uses a wrapper around openssl called easyrsa that is suited specifically for use with OpenVPN.
To generate a certificate and private key with no password for user testuser run:
./easyrsa build-client-full testuser nopass
The script will ask for the CA password and generate files in the following locations:
pki/private/testuser.key - private key
pki/issued/testuser.crt - signed certificate
The client also needs the CA certificate, which is located here:
OpenVPN config template
Ensure the client system has OpenVPN installed; it is provided by the "openvpn" package on all major distributions.
The above data can be inserted into this template and saved as /etc/openvpn/client/ovirt.conf on the client system.
client
dev tun4
proto tcp
remote gw02.phx.ovirt.org 443
remote 220.127.116.11 443
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-128-CBC
verb 3
<ca>
-----BEGIN CERTIFICATE-----
...CA certificate goes here...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...Client certificate goes here...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...Private key goes here...
-----END PRIVATE KEY-----
</key>
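Filling the template by hand is error-prone, so here is an added helper script (not part of the oVirt docs or of easyrsa) that assembles the inline config from the files easyrsa leaves under its pki/ directory; it assumes the CA certificate is at <pki-dir>/ca.crt and strips the human-readable text dump that easyrsa prepends to issued certificates.

```shell
#!/bin/sh
# Added example (not part of the oVirt docs): assemble the inline client
# config shown above from the files easyrsa leaves in its pki/ directory.
# Usage: build_ovirt_client_config <user> <pki-dir>   (config goes to stdout)
# Assumption: the CA certificate lives at <pki-dir>/ca.crt.
set -eu

pem_block() {
    # Keep only the PEM-armored block. easyrsa's pki/issued/*.crt files start
    # with a human-readable dump of the certificate, which should not be inlined.
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

build_ovirt_client_config() {
    user="$1"
    pki="$2"
    ca="$pki/ca.crt"
    cert="$pki/issued/$user.crt"
    key="$pki/private/$user.key"
    # Refuse to emit a half-built config if any of the three inputs is missing.
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun4
proto tcp
remote gw02.phx.ovirt.org 443
remote 220.127.116.11 443
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-128-CBC
verb 3
<ca>
$(pem_block "$ca")
</ca>
<cert>
$(pem_block "$cert")
</cert>
<key>
$(pem_block "$key")
</key>
EOF
}
```

On the gateway this would be run as `build_ovirt_client_config testuser /etc/openvpn/ssl/ca/pki > ovirt.conf`; the output embeds the user's private key, so copy it to the client's /etc/openvpn/client/ovirt.conf readable by root only.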
After it is saved, enable and start the service so that it runs permanently:
systemctl enable openvpn-client@ovirt
systemctl start openvpn-client@ovirt
Alternatively, import the config file via NetworkManager to connect through the applet when needed. In this case the certificates and keys need to be saved in a location readable by NetworkManager.
Delete a user
To ensure an existing user can no longer connect, the certificate needs to be revoked by the CA. For that, go into the CA directory as described in the user creation step and run:
./easyrsa revoke testuser
After performing revocation, generate a new CRL file so that OpenVPN knows about the change:
OpenVPN re-reads this file each time a client connects to it, so no restart is necessary.