
Labs VPN proposal: Difference between revisions

imported>Tom29739
(Create page.)
 
imported>Tom29739
(Changes)
 
Line 3: Line 3:


== What would be built ==
== What would be built ==
A VPN service for Labs users to access Labs instances as if the user was inside the Labs network. Users would authenticate with the VPN service LDAP server to access the VPN. The VPN LDAP accounts could be created with Striker (tools-admin.wikimedia.org), created manually by ops or with a special interface.
A VPN service for Labs users to access Labs instances as if the user was inside the Labs network. Users would authenticate with the central LDAP server to access the VPN.


== Instances ==
== Instances ==
* OpenVPN server
=== OpenVPN server ===
** with openvpn-auth-ldap
* with openvpn-auth-ldap
** tunnel interface firewalled so users can only access inside Labs
* tunnel interface firewalled so users can only access inside Labs
* LDAP server
** completely separate to the production LDAP server
** only for the VPN service
** users authenticate with this LDAP server


== Who the service would help ==
== Who the service would help ==
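Review bot: the rewritten "What would be built" line moves authentication from a dedicated VPN LDAP server to the central LDAP server, and the Instances part of this hunk deletes all three "LDAP server" bullets, including "completely separate to the production LDAP server", yet the revision gives no reason for dropping the separation and no replacement control; suggest keeping a bullet under Instances that names the LDAP server the OpenVPN host binds to and the group or attribute that gates VPN access, so the isolation argument the old text made is either kept or explicitly replaced.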
Line 25: Line 21:
* Users could access the internet through the VPN - the VPN tunnel would be firewalled so that only internal networks can be accessed.
* Users could access the internet through the VPN - the VPN tunnel would be firewalled so that only internal networks can be accessed.
* Hackers could spy on other users’ traffic - OpenVPN is secure, the tunnel would use 256-bit AES.
* Hackers could spy on other users’ traffic - OpenVPN is secure, the tunnel would use 256-bit AES.
* Users could access the LDAP server used for VPN authentication - this server would be firewalled and protected so that only authorised users can access it.
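Review bot: this hunk removes the risk "Users could access the LDAP server used for VPN authentication" together with its firewalling mitigation, but the design still depends on an LDAP server (now the central one, per the first hunk), so that exposure is larger, not gone; suggest restoring the bullet reworded for the central LDAP server. The unchanged spying bullet also covers only eavesdropping on the wire: "256-bit AES" says nothing about one VPN user reaching another user's tunnel address, which the "tunnel interface firewalled" bullet under Instances should be extended to cover (no client-to-client forwarding).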

Latest revision as of 21:58, 10 September 2016

Straw-dog proposal for a Labs VPN service

What would be built

A VPN service for Labs users to access Labs instances as if the user was inside the Labs network. Users would authenticate with the central LDAP server to access the VPN.

Instances

OpenVPN server

  • with openvpn-auth-ldap
  • tunnel interface firewalled so users can only access inside Labs

Who the service would help

  • Windows users - it is hard to do ProxyCommand
  • It is easier to develop locally, for example against the database replicas: rather than setting up SSH tunnels and connecting to localhost:<some port>, the user would connect to enwiki.labsdb and other hosts directly
  • Some users (especially Windows users) cannot make SSH tunnels easily
  • With SSH tunnels, every port that is needed has to be forwarded individually; there is no way to simply “tunnel all ports on all instances”.

Risks

  • Users could access instances that they should not be accessing - they could do this with SSH tunnels anyway and the Labs network is insecure, so all instances should be locked down.
  • Users could saturate the connection - those users could be denied access or their connections throttled.
  • Users could access the internet through the VPN - the VPN tunnel would be firewalled so that only internal networks can be accessed.
  • Hackers could spy on other users’ traffic - OpenVPN is secure, the tunnel would use 256-bit AES.
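As an added example (not the proposal's own configuration), an OpenVPN server.conf fragment for the design above: password authentication through openvpn-auth-ldap, only the Labs internal range pushed to clients, and the two settings that would turn the tunnel into an internet exit or let clients reach each other left disabled. The address ranges, certificate paths and file names are placeholders.

```conf
# /etc/openvpn/labs-vpn.conf  (added example; paths and networks are placeholders)
port 1194
proto udp
dev tun0
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem

# VPN client address pool (placeholder range; must not overlap Labs).
server 10.99.0.0 255.255.255.0

# Password auth against LDAP via openvpn-auth-ldap. The plugin's own
# config file names the LDAP URL, the bind account and the group a user
# must belong to (RequireGroup), so an LDAP account alone is not enough.
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf
# Identify the session by the authenticated LDAP username.
username-as-common-name

# Push only the Labs internal network (placeholder range). Do NOT push
# "redirect-gateway def1": that would route clients' internet traffic
# through the VPN, the "access the internet" risk in the proposal.
push "route 10.68.0.0 255.255.0.0"

# Leave "client-to-client" out. With it, OpenVPN switches packets between
# clients inside the daemon, bypassing the host firewall on tun0, so one
# user could reach another user's VPN address directly.
# client-to-client

# 256-bit AES on the data channel, as in the proposal.
cipher AES-256-CBC
auth SHA256
tls-auth /etc/openvpn/ta.key 0

# Drop privileges after start; the host firewall on tun0 (not shown here)
# must still restrict forwarding to the Labs range only.
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
verb 3
```

The routes pushed here are advisory only (a client can add its own), so the firewall on tun0 that the proposal mentions is what actually enforces "inside Labs only", and it should also drop tun0-to-tun0 forwarding.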