
Labs VPN proposal

From Wikitech-static
Revision as of 21:58, 10 September 2016 by imported>Tom29739 (Changes)

Straw-dog proposal for a Labs VPN service

What would be built

A VPN service that lets Labs users reach Labs instances as if they were inside the Labs network. Users would authenticate against the central LDAP server to connect to the VPN.

Instances

OpenVPN server

  • with the openvpn-auth-ldap plugin, so that VPN logins are checked against LDAP
  • tunnel interface firewalled so that users can only reach addresses inside Labs

Who the service would help

  • Windows users - setting up an SSH ProxyCommand is hard on Windows
  • Local development is easier, for example against the database replicas - instead of setting up SSH tunnels and connecting to localhost:<some port>, the user would connect to enwiki.labsdb and other hosts directly
  • Some users (especially Windows users) cannot create SSH tunnels easily
  • With SSH tunnels, every port that needs to be reached has to be tunnelled individually; there is no way to just “tunnel all ports on all instances”.

Risks

  • Users could access instances that they should not be accessing - they could already do this with SSH tunnels, and the Labs network is insecure, so all instances should be locked down regardless of the VPN.
  • Users could saturate the connection - such users could be denied access or have their connections throttled.
  • Users could route internet traffic through the VPN - the tunnel interface would be firewalled so that only internal networks can be reached.
  • Hackers could spy on other users’ traffic - OpenVPN is secure; the tunnel between the client and the VPN server would be encrypted with 256-bit AES. This protects the path to the VPN server only: traffic inside the Labs network itself is as exposed as it is today.
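The two controls the proposal relies on, LDAP authentication on the OpenVPN server and a default-deny firewall on the tunnel interface, can be modelled in a few lines. The following is an added example written for this page, not configuration from the Labs project: it generates an OpenVPN server configuration that loads the openvpn-auth-ldap plugin and pushes routes only for Labs ranges, renders the iptables rules for the tunnel interface, and evaluates those rules first-match, the way netfilter walks a chain, so the "internet through the VPN" and "reach other users" cases can be checked. All addresses (the 10.68.x.x Labs ranges, the 10.200.0.0/24 tunnel pool), the interface name tun0 and the plugin and config file paths are assumptions; substitute the real values when deploying.

```python
"""Model of the Labs VPN access policy: LDAP-backed OpenVPN server plus a
default-deny forward policy on the tunnel interface (example, not Labs code)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

TUN_IF = "tun0"  # assumed tunnel interface name
# Assumed placeholder ranges: substitute the real Labs instance networks
# and the address pool handed to VPN clients.
LABS_NETWORKS = [ip_network("10.68.16.0/21"), ip_network("10.68.0.0/24")]
VPN_POOL = ip_network("10.200.0.0/24")


@dataclass(frozen=True)
class Rule:
    in_iface: str
    dst: Optional[IPv4Network]  # None matches any destination
    target: str                 # "ACCEPT" or "DROP"


def tunnel_policy() -> List[Rule]:
    """Packets arriving from the tunnel may only be forwarded to Labs
    instance ranges; everything else (public internet, other VPN clients
    in the pool) hits the final DROP."""
    rules = [Rule(TUN_IF, net, "ACCEPT") for net in LABS_NETWORKS]
    rules.append(Rule(TUN_IF, None, "DROP"))
    return rules


def render_iptables(rules: List[Rule]) -> List[str]:
    """Render the policy as iptables commands (printed, not executed)."""
    lines = []
    for r in rules:
        dst = f" -d {r.dst}" if r.dst is not None else ""
        lines.append(f"iptables -A FORWARD -i {r.in_iface}{dst} -j {r.target}")
    # Allow reply traffic for connections the VPN clients opened themselves.
    lines.append(
        f"iptables -A FORWARD -o {TUN_IF} -m conntrack "
        "--ctstate ESTABLISHED,RELATED -j ACCEPT"
    )
    return lines


def forwarded(dst_ip: str, in_iface: str = TUN_IF) -> bool:
    """First-match evaluation of the forward policy for one destination."""
    addr = ip_address(dst_ip)
    for r in tunnel_policy():
        if r.in_iface != in_iface:
            continue
        if r.dst is None or addr in r.dst:
            return r.target == "ACCEPT"
    return False  # chain policy DROP if nothing matched


def openvpn_server_conf() -> str:
    """Server config: LDAP password auth via openvpn-auth-ldap, AES-256
    tunnel, routes pushed only for Labs ranges (no redirect-gateway, so the
    client's internet traffic never enters the tunnel). Paths are assumed
    Debian defaults."""
    lines = [
        "dev tun",
        f"server {VPN_POOL.network_address} {VPN_POOL.netmask}",
        "# authenticate usernames/passwords against the central LDAP server",
        "plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf",
        "# password-only clients (OpenVPN 2.3 syntax; 2.4+: verify-client-cert none)",
        "client-cert-not-required",
        "username-as-common-name",
        "cipher AES-256-CBC",
        "auth SHA256",
        "# clients must not reach each other through the server",
        "# (no client-to-client directive)",
    ]
    for net in LABS_NETWORKS:
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(openvpn_server_conf())
    print("\n".join(render_iptables(tunnel_policy())))
    for ip in ("10.68.17.5", "8.8.8.8", "10.200.0.7"):
        print(ip, "forwarded" if forwarded(ip) else "dropped")
```

The policy is rendered and simulated from the same rule list, so what the check reports is what the firewall would do; the simulation is where to add a case whenever a new Labs range or exception is introduced.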