MetaVPN Usage
MetaVPN is a tool that, as part of a testbed, provides management of OpenVPN-run Virtual Networks.
Terminology
- MetaVPN - Software written at CMU to wrap, configure, and manage OpenVPN instances
- OpenVPN - Open-source software that manages Layer2 and Layer3 virtual networks. One OpenVPN instance exists per OpenVPN virtual network.
- VPN Key - OpenSSL keys used by a node to authenticate with an OpenVPN instance
Usage model
- MetaVPN is used to configure an OpenVPN server instance, assigning it a port, a network type (Layer2 or Layer3), and a name. It then brings this server instance up
- MetaVPN is used to register nodes to that server instance, generating SSL keys allowing them to authenticate to the server instance
- MetaVPN helper scripts store those keys in a database (optional)
- Helper scripts are used to distribute the keys as well as a configuration file to the VPN clients
- Helper scripts running on the client install those keys and configuration files, and then launch OpenVPN client software on that client, bringing them onto the network
- Clients get a new virtual network interface, provided by OpenVPN, representing a virtual Ethernet (layer2/tap) or virtual IP network (layer3/tun) shared by all the specified nodes. Each client then configures that interface
Step 1
./metavpn add port=2048 exp=mytest expnwk=fnord type=tap
./metavpn show
./metavpn up 1
This configures an OpenVPN server instance, running on port 2048 with the "tap" (layer2) type. The "./metavpn show" command is used to get its vpnid (this document assumes that will be 1) for further commands. The VPN is then brought up.
Step 2
./metavpn nodeadd 1 mynode1
./metavpn nodeadd 1 mynode2
This registers two nodes into VPN 1, one named mynode1, the other named mynode2.
Step 3
./metv_import_openvpn_keys mynode1 1
./metv_import_openvpn_keys mynode2 1
OR
./metv_direct_keygen 1 mynode1 VPN_SERVER
./metv_direct_keygen 1 mynode2 VPN_SERVER
- In the first instance, the VPN keys are imported into the emulab database running on the server, so clients can retrieve a configuration through wget (this is the emulab-integrated model)
- In the second instance, the VPN keys are immediately packed into a tarball along with a configuration file so the user can distribute the tarball manually (this is the non-emulab-integrated model)
Step 4
Clients do:
wget 'http://boss/serve_openvpn_keys.cgi?keytype=mv_openvpn&conid=1&nodeid=mynode1&port=2048&dev=tap' -O S1-mynode1.tar
(the URL is quoted so the shell does not treat the "&" characters as job separators)
OR
On the VPN server:
scp /usr/local/opt/openvpn/databases/client-tarballs/S1-mynode1.tar mynode1:/~
- In the first instance, the client retrieves the VPN key from the server using a CGI running on the Emulab webserver. The CGI builds a tarball on-the-fly, which the client receives. (emulab-integrated)
- In the second instance, the user copies the tarball to the particular node (non-emulab-integrated)
Step 5
Given the tarball, helper scripts (or the user, manually) untar it into /etc/openvpn.
Inside the tarball is an openvpn.conf; the command "openvpn --config /etc/openvpn/openvpn.conf" will bring up the VPN on the client.
Step 6
A tapX device is registered. Now it is time to configure it. The specific details for layer 2 network device configuration depend both on the operating system and the protocol that is to be layered on top. For this example, we assume that TCP/IP is to be layered on top of the Virtual Ethernet network that Layer 2 provides.
ifconfig tap0 192.168.1.1
and so on for other nodes with their own IPs
Different parameters might be used for inet6, ipx, or other network types.
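The client-side helper described in Steps 5 and 6, as an added example (not MetaVPN's own scripts): it checks the tarball for unsafe entries and the required openvpn.conf before extracting, restricts the key files to root, then launches OpenVPN and configures the tap interface. The "*.key" file-name pattern and the use of tap0 are assumptions.

```shell
#!/bin/sh
# Added example; not part of MetaVPN. Validates and installs a client tarball.

# Return 1 if any entry is an absolute path or contains "..", or if
# openvpn.conf is missing; the tarball is untouched until these checks pass.
check_client_tarball() {
  tarball=$1
  entries=$(tar -tf "$tarball") || return 1
  for e in $entries; do
    case "$e" in
      /*|..|../*|*/../*|*/..)
        echo "unsafe path in tarball: $e" >&2; return 1 ;;
    esac
  done
  echo "$entries" | grep -qE '(^|/)openvpn\.conf$' || {
    echo "openvpn.conf missing from $tarball" >&2; return 1; }
  return 0
}

# Extract into $2 (default /etc/openvpn) and make private keys root-only.
# Key file names are an assumption ("*.key"); adjust to the tarball's layout.
install_client_tarball() {
  tarball=$1; dest=${2:-/etc/openvpn}
  check_client_tarball "$tarball" || return 1
  mkdir -p "$dest" && tar -xf "$tarball" -C "$dest" || return 1
  find "$dest" -name '*.key' -exec chmod 600 {} +
  return 0
}

# Step 5/6 on the client: start OpenVPN in the background, then give the
# tap interface its address (requires root; interface name is an assumption).
bring_up_client() {
  dest=${1:-/etc/openvpn}; ip=$2; dev=${3:-tap0}
  openvpn --daemon --config "$dest/openvpn.conf" || return 1
  ifconfig "$dev" "$ip"
}

# Usage: install_client_tarball S1-mynode1.tar && bring_up_client /etc/openvpn 192.168.1.1
```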
