Link Search Menu Expand Document


  • To generate a request to join, you’ll need a system with GNU Make (gmake), openssl, git, and bash. You can generate a registration request from any system that has these tools - it does not need to be the system used in testing.

  • The system joining the testing network needs to be able to run OpenVPN version 2.5 or later, and have ipv6 capability. The VPN network is ipv6-only, though the connection to our VPN concentrator is an ipv4 connection. You do not need to have real-world ipv6 connectivity.

Request to add your host to nfs-vpn

Step 1 - Get the required software on your testing system

You’ll need either wireguard or OpenVPN 2.5 or later. You can build from the source tarball if you don’t want to hack around with autotools.

Some known distro packages for OpenVPN are:

dnf install
dnf copr enable dsommers/openvpn-beta
dnf install openvpn

Step 2 - Clone the nfs-vpn git repo on a system that has GNU Make, openssl, git, and bash.

git clone git://

Step 3 - Generate a vpn host request:

There’s a helper to generate this request (you can run ‘make request’). This provides the folks registering your system on the network with some necessary information, such as:

  • your email address
  • a public key
  • what your system’s hostname should be (choose any name of the form <host>
  • what your system’s ip address should be (choose any address in fd51:5f56:d79b:a64e::/64)

Please provide sane values for these fields. Hostnames should be the hostname of the system that will participate in NFS testing, and have the “” domain.

Here’s an example run of the helper:

$ make request
What email address is a good point-of-contact for this host? [ ]:Benjamin Coddington <>
What public_key file should be used?  Found: [ ]:
What hostname should this system have on the test network? [ ]:
What IP address would you like to register? (generated: ) [ fd51:5f56:d79b:a64e:3c6a:5da7:604a:101b/64 ]:

Send an email to <> with a body like the following:

Hello, please add a VPN client with these parameters:

# This is the a host config file auto generated
# by scripts/vpn_host_request

CLIENT[owner]=Benjamin Coddington <>
-----END PUBLIC KEY-----

Optional: At this point you should have a private key in your ./private_keys/ directory. You may want to copy it somewhere safe. You may want to re-use it if you rebuild or rename your system.

Step 4 - Send the output of the helper to

Ben will use this information to issue certificates and a VPN configuration, and then encrypt it in the nfs-vpn git repo. Once this is done, he’ll respond to your mail and you can proceed to:

Step 5 - Pull certificates into your local repo:

git fetch && git reset --hard origin/master

Step 6 - Build the client’s VPN config file with the needed certs.


Step 7 - Start the vpn client using the config file:

openvpn --config vpn_config/<short name>.conf

Step 8 - Do some testing!

Your system should now have TUN adapter and the ipv6 address specified in your host.conf file. At the very least, you should be able to ping the vpn concentrator, fd51:5f56:d79b:a64e::1

[root@fs-i24c-02 ~]# ping6 fd51:5f56:d79b:a64e::1
PING fd51:5f56:d79b:a64e::1(fd51:5f56:d79b:a64e::1) 56 data bytes
64 bytes from fd51:5f56:d79b:a64e::1: icmp_seq=1 ttl=64 time=34.8 ms
64 bytes from fd51:5f56:d79b:a64e::1: icmp_seq=2 ttl=64 time=34.9 ms
64 bytes from fd51:5f56:d79b:a64e::1: icmp_seq=3 ttl=64 time=34.8 ms
64 bytes from fd51:5f56:d79b:a64e::1: icmp_seq=4 ttl=64 time=34.8 ms
--- fd51:5f56:d79b:a64e::1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 34.783/34.831/34.920/0.052 ms

Next steps:

If you’re able to ping the vpn concentrator (fd51:5f56:d79b:a64e::1), congratulations! You’ve got basic connectivity working. From here, you can further improve your system by doing some/all of:

  • configure your system’s DNS
  • configure your system’s ldap/kerberos ( you should have a keytab in /keytabs )
  • configure your OpenVPN client to start automatically
  • ping some other hosts (try ./scripts/getall hostnames)