README
This project contents everything related to Jenkins infrastructure VPN. It includes the following elements:
- Build an Openvpn docker image integrated with openldap.
- Manage client configuration and certificate
CONNECTION
To connect to this VPN, your VPN client must be configured with your Jenkins account username/password and certificate authentication. Certificate authentication requires the following files:
- The ca.crt
- username.key cfr HowTo Get client access !! Your private key must remain secret,
- username.crt is located in cert/pki/issued, once an administrator signs your request and publish it.
client
remote vpn.jenkins.io 443
ca "~/.cert/jenkins/ca.crt"
cert "~/.cert/jenkins/username.crt"
key "~/.cert/jenkins/username.key"
auth-user-pass
dev tun
proto tcp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nobody
group nobody
With network manager client, you must enable the option :
Use this connection only for resources on its network
DNS Problems
If you are having issues connecting to resources behind the VPN, but the VPN appears to be working correctly, check your DNS settings. Some providers seem to filter out requests to the zone. To test, try dig release.ci.jenkins.io
.
To enable a different DNS provider only when connected to the VPN you can add the following to you OpenVPN config file
dhcp-option DNS 8.8.8.8
Windows only
If you want to use multiple VPN connections at the same time with OpenVPN, you have to install a new TAP adapter. This can be very easily by running as Admin the C:\Program Files\TAP-Windows\bin\addtap.bat
. The TAP-Windows tool is installed in parallel with OpenVPN.
CERTIFICATES
This project holds VPN keys for connecting on Jenkins infrastructure VPN.
If you think that you should have access to this network, feel free to read HowTo Get client access.
Client
HowTo get client access
To access the Jenkins infrastructure private network, you need a certificate containing your Jenkins username as CN. Then this certificate must be signed by an administrator who also assigns you a static IP configuration.
Feel free to follow the next action points:
- Fork this repository on your own Github account: fork a repo
- Build EASYVPN binary by running one of the following commands depending on your
make init_osx
make init_linux
make init_windows
then copy utils/easyvpn/easyvpn.exe at the root of this repository
- Generate your private key and certificate request:
./easyvpn request <your username>
Your private key will be generated incert/pki/private
, this key must remain secret. - Create a new Pull Request on jenkinsinfra/openvpn, staging branch: How to Create a pull request
- Open an INFRA ticket on JIRA referencing your PR
- Grab a cup of coffee and wait patiently for an administrator to sign your certificate request.
- Once an admin notify you that everything is right, you can then retrieve your certificate from
./cert/pki/issued/<your_username>.crt
HowTo show request information
- Enter in the VPN network directory:
cd cert
- Run
make show-req name=<username>
HowTo show certificate information
- Enter in the VPN network directory:
cd cert
- Run
make show-cert name=<username>
Howto validate your vpn access
You can test if your private key matches your certificate and certificate request by running following commands:
openssl pkey -in <your_private_key> -pubout -outform pem | sha256sum
==
openssl x509 -in <your_certificate> -pubkey -noout -outform pem | sha256sum
==
openssl req -in <your_certificate_request> -pubkey -noout -outform pem | sha256sum
Administrator
HowTo become an administrator
To add/revoke certificates, you must be allowed to decrypt cert/pki/private/ca.key.enc
.
This file is encrypted with sops and you are public gpg key must be added to .sops.yaml by an existing administrator to be allowed to run make decrypt
.
This repository relies on easy-rsa.
HowTo approve client access?
To validate and sign a client certificate, you are going to execute the following actions
- Build EASYVPN binary by running one of the following commands depending on your
make init_osx
make init_linux
make init_windows
then copy utils/easyvpn/easyvpn.exe at the root of this repository- Git checkout on the right branch "staging"
- Sign certificate request:
./easyvpn sign <CN_to_sign>
- Update Docker image tag in the puppet configuration.
HowTo revoke client access?
- Build EASYVPN binary by running one of the following commands depending on your
make init_osx
make init_linux
make init_windows
and copy utils/easyvpn/easyvpn.exe at the root of this repository- Revoke certificate:
./easyvpn revoke <CN_to_sign>
- Update Docker image tag in the puppet configuration.
HowTo review certificate revocation list
If the certificate revocation list expired, then the openvpn logs will contains errors like 'VERIFY ERROR: depth=0, error=CRL has expired:...'
We can run openssl crl -in cert/pki/crl.pem -noout -text
to validate that the crl expired and that we need to generate a new one.
To generate a new one:
- Decrypt ca.key
sops -d cert/pki/private/ca.key.enc > cert/pki/private/ca.key
- Generate a new crl.pem -
cd cert ; ./easyrsa gen-crl
- Publish the new crl.pem -
git add cert/pki/crl.pem && git commit cert/pki/crl.pem -s -m 'Renew revocation list certificate'
- Delete local ca.key -
rm cert/pki/private/ca.key
DOCKER
CONFIGURATION
This image can be configured at runtime with different environment variables.
AUTH_LDAP_BINDDN
Define user dn used to query the ldap databaseAUTH_LDAP_URL
Define ldap endpoint urlAUTH_LDAP_PASSWORD
Define user dn passwordAUTH_LDAP_GROUPS_MEMBER
Define required group member to authenticate
Some examples can be found inside docker-compose.yaml
TESTING
To test this image, you need a "mock" ldap and SSL certificates.
Then go in directory docker
and run one of the following commands
! Certificates must be readable by UID 101
make start
- Start the ldap and vpn service
INFRASTRUCTURE
This project is designed to work with the following requirements:
CONTRIBUTING
Feel free to contribute to this image by:
- Fork this project into your account
- Make your changes in your local fork
- Submit a pull request with a description and a link to a Jira ticket
- Ask for a review
ISSUE
Please report any issue on the Jenkins infrastructure project