1 | This documentation is of low quality -- I'll replace it with something better when I get time. Sorry -- Pat |
---|
2 | |
---|
3 | Summary |
---|
4 | --------------------- |
---|
5 | |
---|
6 | MetaVPN is a tool that wraps the configuration details of using |
---|
7 | OpenVPN so people with only a conceptual understanding of VPNs |
---|
8 | can use it. The details of setting up an OpenVPN instance are |
---|
9 | wrapped, and people can easily create and manage multiple VPNs at |
---|
10 | the same time. The details of getting a configuration/SSLkey pairing |
---|
11 | for the user are also handled. |
---|
12 | |
---|
13 | State of the code |
---|
14 | ---------------------- |
---|
15 | |
---|
16 | Beta. Users should be willing to tweak some simple configuration |
---|
17 | parameters at the head of the relevant scripts as appropriate for |
---|
18 | their network. This is still easier than learning OpenVPN. |
---|
19 | |
---|
20 | Prerequisites |
---|
21 | ---------------------- |
---|
22 | Perl 5.8 or higher |
---|
23 | Nonstandard perl modules: SDBM_File, MLDBM, File::Copy, File::Path, Archive::Tar, CGI, DBI |
---|
24 | Some of these modules may not be needed depending on which utilities |
---|
25 | you intend to use |
---|
26 | You do not need Emulab to use MetaVPN (using the "loosely managed" key management) |
---|
27 | |
---|
28 | Files |
---|
29 | ---------------------- |
---|
30 | docs/ - Development documentation, unlikely to be of interest. |
---|
31 | ezpurge - Script to completely remove the configuration |
---|
32 | database and files for all VPNs |
---|
33 | metavpn - Primary script, creates, configures, and manages VPNs |
---|
34 | metv_import_openvpn_keys - For those going with a |
---|
35 | tightly-managed VPN, this imports the node keys into |
---|
36 | the emulab database |
---|
37 | metv_direct_keygen - For those going with a loosely-managed VPN, |
---|
38 | this generates a configuration tarball for a given client |
---|
39 | serve_openvpn_keys.cgi - For those going with a tightly-managed |
---|
40 | VPN, this serves the node keys to clients using a CGI |
---|
41 | interface |
---|
42 | openvpn-clients.cfg - Template openvpn config for clients, used |
---|
43 | by both serve_openvpn_keys and metv_direct_keygen |
---|
44 | |
---|
45 | Details |
---|
46 | ----------------------- |
---|
47 | MetaVPN is a wrapper for the OpenVPN software. OpenVPN is a popular |
---|
48 | VPN server. It is a powerful package with a steep learning curve |
---|
49 | and a lack of tools to automate common tasks. MetaVPN attempts to |
---|
50 | lessen the learning curve down to understanding VPN basics, as well |
---|
51 | as reduce the labour needed to configure each VPN. OpenVPN clients must |
---|
52 | each have a unique key permitting them access (and identifying them), |
---|
53 | as well as a configfile with settings that approriately match that on |
---|
54 | the server. |
---|
55 | |
---|
56 | MetaVPN can function in two environments, tightly integrated and loosely |
---|
57 | integrated. In the first, MetaVPN has a single shared instance that |
---|
58 | manages VPNs from potentially a number of people, typically on ops. |
---|
59 | OpenVPN client keys are stored inside the database on boss, and clients |
---|
60 | can use a simple wget-wrapping client to request a configuration tarball |
---|
61 | needed to |
---|
62 | allow them to join the VPN. In the second, MetaVPN can be run on an |
---|
63 | experimental node (or even a non-testbed system outside the Emulab |
---|
64 | environment). In this instance, the person managing that VPN will use |
---|
65 | metv_direct_keygen to directly make tarballs for all clients. |
---|
66 | |
---|
67 | In either environment, the user can use metavpn to see the state of all |
---|
68 | configured VPNs, bring them up or down, add new client keys, create new |
---|
69 | VPNs, or archive/delete VPNs. |
---|
70 | |
---|
71 | Getting Started |
---|
72 | ----------------------------- |
---|
73 | After unpacking the software, look at the head of each script that |
---|
74 | you intend to use, changing any paths or other configuration details |
---|
75 | to your liking. In each script, any configuration you may need to |
---|
76 | change exists before the call to main(). Look at the "test1" script |
---|
77 | for simple commands that you might run to setup a VPN. MetaVPN will |
---|
78 | need to be run as root if it is to actually bring VPNs up or down - |
---|
79 | otherwise it will only be able to create configurations and manage |
---|
80 | nodekeys. |
---|
81 | |
---|
82 | Future Development/Bugs |
---|
83 | ----------------------------- |
---|
84 | Right now, tap VPNs (Layer 2) are the only kind configurable with this tool. |
---|
85 | tun VPNs (Layer 3) will be supported in a future version provided a sensible |
---|
86 | way to manage bridging, avoid IP collisions, etc. can be found. Some |
---|
87 | configuration variables that are presently hardcoded in the head of |
---|
88 | several scripts will be used into the databases MetaVPN uses so the |
---|
89 | scripts themselves will not need to change so much on a per-site basis. |
---|
90 | Documentation will be improved, and a tutorial covering a simple usage |
---|
91 | will be written. |
---|