| 1 |
This documentation is of low quality -- I'll replace it with something better when I get time. Sorry -- Pat |
|---|
| 2 |
|
|---|
| 3 |
Summary |
|---|
| 4 |
--------------------- |
|---|
| 5 |
|
|---|
| 6 |
MetaVPN is a tool that wraps the configuration details of using |
|---|
| 7 |
OpenVPN so people with only a conceptual understanding of VPNs |
|---|
| 8 |
can use it. The details of setting up an OpenVPN instance are |
|---|
| 9 |
wrapped, and people can easily create and manage multiple VPNs at |
|---|
| 10 |
the same time. The details of getting a configuration/SSLkey pairing |
|---|
| 11 |
for the user are also handled. |
|---|
| 12 |
|
|---|
| 13 |
State of the code |
|---|
| 14 |
---------------------- |
|---|
| 15 |
|
|---|
| 16 |
Beta. Users should be willing to tweak some simple configuration |
|---|
| 17 |
parameters at the head of the relevant scripts as appropriate for |
|---|
| 18 |
their network. This is still easier than learning OpenVPN. |
|---|
| 19 |
|
|---|
| 20 |
Prerequisites |
|---|
| 21 |
---------------------- |
|---|
| 22 |
Perl 5.8 or higher |
|---|
| 23 |
Nonstandard perl modules: SDBM_File, MLDBM, File::Copy, File::Path, Archive::Tar, CGI, DBI |
|---|
| 24 |
Some of these modules may not be needed depending on which utilities |
|---|
| 25 |
you intend to use |
|---|
| 26 |
You do not need Emulab to use MetaVPN (using the "loosely managed" key management) |
|---|
| 27 |
|
|---|
| 28 |
Files |
|---|
| 29 |
---------------------- |
|---|
| 30 |
docs/ - Development documentation, unlikely to be of interest. |
|---|
| 31 |
ezpurge - Script to completely remove the configuration |
|---|
| 32 |
database and files for all VPNs |
|---|
| 33 |
metavpn - Primary script, creates, configures, and manages VPNs |
|---|
| 34 |
metv_import_openvpn_keys - For those going with a |
|---|
| 35 |
tightly-managed VPN, this imports the node keys into |
|---|
| 36 |
the emulab database |
|---|
| 37 |
metv_direct_keygen - For those going with a loosely-managed VPN, |
|---|
| 38 |
this generates a configuration tarball for a given client |
|---|
| 39 |
serve_openvpn_keys.cgi - For those going with a tightly-managed |
|---|
| 40 |
VPN, this serves the node keys to clients using a CGI |
|---|
| 41 |
interface |
|---|
| 42 |
openvpn-clients.cfg - Template openvpn config for clients, used |
|---|
| 43 |
by both serve_openvpn_keys and metv_direct_keygen |
|---|
| 44 |
|
|---|
| 45 |
Details |
|---|
| 46 |
----------------------- |
|---|
| 47 |
MetaVPN is a wrapper for the OpenVPN software. OpenVPN is a popular |
|---|
| 48 |
VPN server. It is a powerful package with a steep learning curve |
|---|
| 49 |
and a lack of tools to automate common tasks. MetaVPN attempts to |
|---|
| 50 |
lessen the learning curve down to understanding VPN basics, as well |
|---|
| 51 |
as reduce the labour needed to configure each VPN. OpenVPN clients must |
|---|
| 52 |
each have a unique key permitting them access (and identifying them), |
|---|
| 53 |
as well as a configfile with settings that approriately match that on |
|---|
| 54 |
the server. |
|---|
| 55 |
|
|---|
| 56 |
MetaVPN can function in two environments, tightly integrated and loosely |
|---|
| 57 |
integrated. In the first, MetaVPN has a single shared instance that |
|---|
| 58 |
manages VPNs from potentially a number of people, typically on ops. |
|---|
| 59 |
OpenVPN client keys are stored inside the database on boss, and clients |
|---|
| 60 |
can use a simple wget-wrapping client to request a configuration tarball |
|---|
| 61 |
needed to |
|---|
| 62 |
allow them to join the VPN. In the second, MetaVPN can be run on an |
|---|
| 63 |
experimental node (or even a non-testbed system outside the Emulab |
|---|
| 64 |
environment). In this instance, the person managing that VPN will use |
|---|
| 65 |
metv_direct_keygen to directly make tarballs for all clients. |
|---|
| 66 |
|
|---|
| 67 |
In either environment, the user can use metavpn to see the state of all |
|---|
| 68 |
configured VPNs, bring them up or down, add new client keys, create new |
|---|
| 69 |
VPNs, or archive/delete VPNs. |
|---|
| 70 |
|
|---|
| 71 |
Getting Started |
|---|
| 72 |
----------------------------- |
|---|
| 73 |
After unpacking the software, look at the head of each script that |
|---|
| 74 |
you intend to use, changing any paths or other configuration details |
|---|
| 75 |
to your liking. In each script, any configuration you may need to |
|---|
| 76 |
change exists before the call to main(). Look at the "test1" script |
|---|
| 77 |
for simple commands that you might run to setup a VPN. MetaVPN will |
|---|
| 78 |
need to be run as root if it is to actually bring VPNs up or down - |
|---|
| 79 |
otherwise it will only be able to create configurations and manage |
|---|
| 80 |
nodekeys. |
|---|
| 81 |
|
|---|
| 82 |
Future Development/Bugs |
|---|
| 83 |
----------------------------- |
|---|
| 84 |
Right now, tap VPNs (Layer 2) are the only kind configurable with this tool. |
|---|
| 85 |
tun VPNs (Layer 3) will be supported in a future version provided a sensible |
|---|
| 86 |
way to manage bridging, avoid IP collisions, etc. can be found. Some |
|---|
| 87 |
configuration variables that are presently hardcoded in the head of |
|---|
| 88 |
several scripts will be used into the databases MetaVPN uses so the |
|---|
| 89 |
scripts themselves will not need to change so much on a per-site basis. |
|---|
| 90 |
Documentation will be improved, and a tutorial covering a simple usage |
|---|
| 91 |
will be written. |
|---|
