Labs VPN proposal
Straw-dog proposal for a Labs VPN service
What would be built
A VPN service for Labs users to access Labs instances as if the user were inside the Labs network. Users would authenticate with the VPN service's own LDAP server to access the VPN. The VPN LDAP accounts could be created with Striker (tools-admin.wikimedia.org), created manually by ops, or created with a special interface.
- OpenVPN server
  - with openvpn-auth-ldap
  - tunnel interface firewalled so users can only access hosts inside Labs
- LDAP server
  - completely separate from the production LDAP server
  - only for the VPN service
  - users authenticate with this LDAP server
Who the service would help
- Windows users - it is hard to use SSH ProxyCommand
- It is easier to develop locally when using the replicas, for example - rather than having to set up SSH tunnels and connect to localhost:<some port>, the user would connect to enwiki.labsdb and other hosts directly
- Some users (especially Windows users) cannot make SSH tunnels easily
- Also, with SSH tunnels every port that needs to be tunneled has to be tunneled specifically. There is no way to simply "tunnel all ports on all instances".
Risks and mitigations
- Users could access instances that they should not be accessing - they could already do this with SSH tunnels, and the Labs network is insecure, so all instances should be locked down anyway.
- Users could saturate the connection - those users could be denied access or have their connections throttled.
- Users could access the internet through the VPN - the VPN tunnel interface would be firewalled so that only internal networks can be reached.
- Hackers could spy on other users' traffic - OpenVPN is secure; the tunnel would be encrypted with 256-bit AES.
- Users could access the LDAP server used for VPN authentication - this server would be firewalled and protected so that only authorised users and hosts can reach it.
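The two firewall points above (the tunnel interface restricted to internal networks, and the authentication LDAP server unreachable from VPN users) can be expressed as one small iptables ruleset. The script below is an added example and is not part of the original proposal or of any Wikimedia configuration: it emits an iptables-restore file for the filter table that forwards tunnel traffic only to an allow-list of internal CIDRs, rejects any tunnel traffic aimed at the LDAP server's 389/636 ports even though that host sits inside an allowed range, and drops (with rate-limited logging) everything else, including the public internet. The interface name `tun0`, the ranges `10.0.0.0/8` and `192.168.0.0/16`, and the LDAP address `192.168.1.10` are placeholders; the page does not give the real Labs ranges.

```shell
#!/bin/sh
# Added example, not from the Wikitech proposal: generate an iptables-restore
# ruleset that confines VPN clients on the tunnel interface to Labs-internal
# networks, blocks the public internet, and keeps clients away from the
# authentication LDAP server. Interface, CIDRs and LDAP address are placeholders.

# labs_vpn_fw_rules TUN_IF LDAP_HOST NET...
# Prints a complete filter-table ruleset on stdout; nothing is loaded here.
labs_vpn_fw_rules() {
    tun="$1"
    ldap="$2"
    shift 2

    printf '%s\n' '*filter'
    # INPUT/OUTPUT policies are left at ACCEPT so applying this ruleset can
    # never lock an admin out of the VPN host itself.
    printf '%s\n' ':INPUT ACCEPT [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':LABS_VPN - [0:0]'

    # Every packet entering from the tunnel is judged by the LABS_VPN chain.
    printf '%s\n' "-A FORWARD -i $tun -j LABS_VPN"
    # Replies to clients are allowed back through the tunnel.
    printf '%s\n' "-A FORWARD -o $tun -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # VPN users must never reach the LDAP server that authenticates them,
    # so this REJECT is placed before the per-network ACCEPT rules.
    printf '%s\n' "-A LABS_VPN -d $ldap -p tcp -m multiport --dports 389,636 -j REJECT"

    # Allow-list the internal networks, one rule per CIDR.
    for net in "$@"; do
        printf '%s\n' "-A LABS_VPN -d $net -j ACCEPT"
    done

    # Anything else (the public internet included) is logged, rate-limited, and dropped.
    printf '%s\n' '-A LABS_VPN -m limit --limit 5/min -j LOG --log-prefix "labs-vpn-drop: "'
    printf '%s\n' '-A LABS_VPN -j DROP'
    printf '%s\n' 'COMMIT'
}

# Usage: ./labs-vpn-fw.sh --print > /etc/iptables/labs-vpn.rules
#        iptables-restore < /etc/iptables/labs-vpn.rules
if [ "${1:-}" = "--print" ]; then
    labs_vpn_fw_rules tun0 192.168.1.10 10.0.0.0/8 192.168.0.0/16
fi
```

Rule order matters: the LDAP REJECT sits ahead of the ACCEPT for the range that contains the LDAP host, otherwise the broader allow would win. Note also that this ruleset covers reachability only; the 256-bit AES mentioned above protects the client-to-server leg, and traffic between the VPN host and Labs instances is as exposed as it was before.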