Labs VPN proposal
Straw-dog proposal for a Labs VPN service
What would be built
A VPN service that lets Labs users reach Labs instances as if they were inside the Labs network. Users would authenticate against the central LDAP server to connect to the VPN.
- authentication via the openvpn-auth-ldap plugin
- the tunnel interface firewalled so that users can only reach hosts inside Labs
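A sketch of the tunnel-interface firewall described above, added here as an example (it is not code from the proposal or from Labs): it prints the iptables FORWARD rules that let clients on the tunnel reach only the listed internal networks and drop everything else, plus a helper that predicts what those rules do for a given destination. The interface name and the address ranges are placeholders, not Labs' real values.

```shell
#!/bin/sh
# Added example, not from the Wikitech page. The interface name and the
# network ranges below are placeholders, not Labs' real allocation.

# Usage: labs_vpn_forward_rules <tun-interface> <allowed-cidr>...
# Prints one iptables command per line; pipe through sh as root to apply.
labs_vpn_forward_rules() {
    tun="$1"; shift
    [ $# -gt 0 ] || { echo "no allowed networks given" >&2; return 1; }
    # Replies to connections a client opened are allowed back into the tunnel.
    echo "iptables -A FORWARD -o $tun -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # New traffic from clients may only be forwarded towards the listed networks.
    for cidr in "$@"; do
        echo "iptables -A FORWARD -i $tun -d $cidr -j ACCEPT"
    done
    # Anything else (public internet, other tunnel clients) is rate-limited logged, then dropped.
    echo "iptables -A FORWARD -i $tun -m limit --limit 5/min -j LOG --log-prefix 'labs-vpn-drop: '"
    echo "iptables -A FORWARD -i $tun -j DROP"
}

# Dotted-quad IPv4 address to a 32-bit integer (inputs are trusted, no validation).
ip_to_int() {
    rest="$1"
    a="${rest%%.*}"; rest="${rest#*.}"
    b="${rest%%.*}"; rest="${rest#*.}"
    c="${rest%%.*}"; d="${rest#*.}"
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr <ip> <network/prefix>: succeeds when the address lies inside the network.
in_cidr() {
    net="${2%/*}"; prefix="${2#*/}"
    [ "$prefix" -gt 0 ] || return 0   # a /0 matches everything
    [ $(( $(ip_to_int "$1") >> (32 - prefix) )) -eq $(( $(ip_to_int "$net") >> (32 - prefix) )) ]
}

# labs_vpn_decision <destination-ip> <allowed-cidr>...: ACCEPT or DROP, mirroring the rules above.
labs_vpn_decision() {
    dst="$1"; shift
    for cidr in "$@"; do
        in_cidr "$dst" "$cidr" && { echo ACCEPT; return 0; }
    done
    echo DROP
}

# Example run with constructed placeholder ranges:
labs_vpn_forward_rules tun0 10.68.16.0/21 10.64.0.0/16
labs_vpn_decision 10.68.17.5 10.68.16.0/21 10.64.0.0/16       # ACCEPT
labs_vpn_decision 93.184.216.34 10.68.16.0/21 10.64.0.0/16    # DROP
```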
Who the service would help
- Windows users, for whom an SSH ProxyCommand is hard to set up
- Developing locally against the replicas, for example, becomes easier: instead of setting up SSH tunnels and connecting to localhost:<some port>, the user would connect directly to enwiki.labsdb and other hosts
- Some users (especially Windows users) cannot create SSH tunnels easily
- With SSH tunnels, every port that is needed has to be tunneled individually; there is no way to say "tunnel all ports on all instances"
Risks and mitigations
- Users could access instances that they should not be accessing - they could already do this with SSH tunnels, and the Labs network is insecure anyway, so all instances should be locked down.
- Users could saturate the connection - those users could be denied access or have their connections throttled.
- Users could access the internet through the VPN - the tunnel interface would be firewalled so that only internal networks are reachable.
- Hackers could spy on other users' traffic - OpenVPN is secure; the tunnel would be encrypted with 256-bit AES.