To generate a request to join, you’ll need a system with GNU Make (gmake), openssl, git, and bash. You can generate a registration request from any system that has these tools - it does not need to be the system used in testing.
The system joining the testing network needs to be able to run OpenVPN version 2.5 or later and must be IPv6-capable. The VPN network is IPv6-only, though the connection to our VPN concentrator is an IPv4 connection. You do not need real-world IPv6 connectivity.
You’ll need either wireguard or OpenVPN 2.5 or later. You can build from the source tarball if you don’t want to hack around with autotools.
- Fedora 34 RPM: https://src.fedoraproject.org/rpms/openvpn
- CentOS-8: There’s a 2.5-beta build by Dave Sommerseth, but you’ll need the pkcs11-helper package from EPEL too:
    dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
    dnf copr enable dsommers/openvpn-beta
    dnf install openvpn
- OS X: You can build a working version directly from https://swupdate.openvpn.org/community/releases/openvpn-2.5_beta1.tar.xz using a local build of openssl.
git clone git://vpn.nfsv4.dev/nfs-vpn
There’s a helper to generate this request (you can run ‘make request’). This provides the folks registering your system on the network with some necessary information, such as:
- your email address
- a public key
- what your system’s hostname should be (choose any name of the form <host>.nfsv4.dev)
- what your system’s ip address should be (choose any address in fd51:5f56:d79b:a64e::/64)
Please provide sane values for these fields. Hostnames should be the hostname of the system that will participate in NFS testing, and have the “.nfsv4.dev” domain.
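
A pre-submission check for the two fields you choose yourself, the hostname and the address, written as an added example that is not part of the nfs-vpn scripts. The function names, the single-label rule for `<host>`, and treating the concentrator's name and address (vpn.nfsv4.dev, fd51:5f56:d79b:a64e::1) as reserved are assumptions.

```shell
# Added example, not part of nfs-vpn; function names are hypothetical.
NET_PREFIX="fd51:5f56:d79b:a64e"        # testing network /64 (from the page)
CONCENTRATOR="fd51:5f56:d79b:a64e::1"   # vpn.nfsv4.dev (from the page)

# Print an IPv6 address as 8 zero-padded lowercase groups; fail if malformed.
# Runs in a subshell so the IFS change and "set --" stay local.
expand6() (
    a=${1%%/*}                          # drop an optional /prefix-length
    case $a in ''|*[!0-9A-Fa-f:]*|*:::*|*::*::*|:[!:]*|*[!:]:) exit 1 ;; esac
    IFS=:
    case $a in *::*)                    # expand the single "::" into zero groups
        set -- ${a%%::*}; nh=$#
        set -- ${a#*::}; nt=$#
        pad=$((8 - nh - nt)); [ "$pad" -ge 1 ] || exit 1
        z=; while [ "$pad" -gt 0 ]; do z="$z:0"; pad=$((pad - 1)); done
        a="${a%%::*}$z:${a#*::}"; a=${a#:}; a=${a%:} ;;
    esac
    set -- $a
    [ $# -eq 8 ] || exit 1
    out=
    for g in "$@"; do
        case $g in ''|?????*) exit 1 ;; esac
        out="$out:$(printf '%04x' "0x$g")"
    done
    printf '%s\n' "${out#:}"
)

# Print every problem found; succeed only if both request fields look sane.
check_request() {
    host=$1; addr=$2; rc=0; label=${host%.nfsv4.dev}
    case $host in
        vpn.nfsv4.dev) echo "hostname: vpn.nfsv4.dev is the concentrator"; rc=1 ;;
        *.nfsv4.dev)   # assumption: <host> is a single DNS label
            case $label in ''|*[!A-Za-z0-9-]*|-*|*-)
                echo "hostname: '$label' is not a single DNS label"; rc=1 ;;
            esac ;;
        *) echo "hostname: must be <host>.nfsv4.dev"; rc=1 ;;
    esac
    full=$(expand6 "$addr") || { echo "address: not valid IPv6"; return 1; }
    case $full in
        "$(expand6 "$CONCENTRATOR")") echo "address: used by the concentrator"; rc=1 ;;
        "$NET_PREFIX":*) ;;
        *) echo "address: outside $NET_PREFIX::/64"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample requests; the first uses the values from the example run.
check_request porthole.nfsv4.dev fd51:5f56:d79b:a64e:3c6a:5da7:604a:101b/64 && echo ok
check_request porthole.example.org fd51:5f56:d79b:a64e::1 || echo rejected
```
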
Here’s an example run of the helper:
    $ make request
    ./scripts/vpn_host_request
    What email address is a good point-of-contact for this host?
    [ firstname.lastname@example.org ]:Benjamin Coddington <email@example.com>
    What public_key file should be used? Found:
    [ firstname.lastname@example.org ]:
    What hostname should this system have on the test network?
    [ porthole.nfsv4.dev ]:
    What IP address would you like to register? (generated: )
    [ fd51:5f56:d79b:a64e:3c6a:5da7:604a:101b/64 ]:
    /email@example.com
    Send an email to <firstname.lastname@example.org> with a body like the following:
    8<---------------------------------------------------
    Hello, please add a VPN client with these parameters:
    # This is the a host config file auto generated
    # by scripts/vpn_host_request
    CLIENT[owner]=Benjamin Coddington <email@example.com>
    CLIENT[owner_key]=firstname.lastname@example.org
    CLIENT[owner_key_hash=6e367441cd3764891fa54f47d1bb83ed5c4576f6
    CLIENT[hostname]=vpn.nfsv4.dev
    CLIENT[ip6_addr]=fd51:5f56:d79b:a64e:3c6a:5da7:604a:101b/64
    -----BEGIN PUBLIC KEY-----
    MIICJDCCARcGCSqGSIb3DQEDATCCAQgCggEBAJa+9mNDdtfbv7FlKhgj3v6pXkvS
    /wjRswK1oBbgALeCW5eUC9CiXwymZ3EshhlVSAOgfgNeoG760VUKalCkwjce/y84
    TuRtnD8BKx04CqPlvp/baBJWdYfQGo9SpFD+sqz+y4FTo1B2c3BrtX3wWM1uLODM
    K3dVNLRDLpcaNneK/HVRWxgoB5vTeZhGLE/iPm3km5GFq76mDG1HLRsJITJxP55T
    k/NZYeO5h3RG4aZjdXHFFYRT529LaXhhizHmxrPjaUHmHO6iLi6bUYgZRMqS888Y
    MUAxEHKZZzPeggJ4vxNcG3RoE2SVSgxJU1DLQVMZPQNnJ5KplI7vWTEwMjsCAQID
    ggEFAAKCAQADjmEmuuSAwLTDxWc1BnxrkNK/Rm0OITtdm2/aGo/Q5bhBjjJpY4dL
    SJ09wRNwCJSTvxibmyxLN5cQ13r5gfsTXO6R6ZtQtsoHxoqeax/+oCdcG3eOBTTi
    OBkys6buawI+KpA77GZ27OICEuFdW6mxLJhLrjuFMw0K+frndh5eUxiA2ncyuMaE
    gymHEckRgSVjTGLjMIJpeOLmtjHW2Umn8I1YBUSnBskDKDQlU62BLfzCAXCd64mi
    i6FLqRVXhVkoE9R66Gsetv/suP7z4NvNYCJ5NDMn2P7RyCj39yzm98NzwlI/4gV0
    G8G5owzvlvWKWPRO0IvNhHkEeMW7h8bo
    -----END PUBLIC KEY-----
Optional: At this point you should have a private key in your ./private_keys/ directory. You may want to copy it somewhere safe. You may want to re-use it if you rebuild or rename your system.
Ben will use this information to issue certificates and a VPN configuration, and then encrypt it in the nfs-vpn git repo. Once this is done, he’ll respond to your mail and you can proceed to:
git fetch && git reset --hard origin/master
openvpn --config vpn_config/<short name>.conf
Your system should now have a TUN adapter and the IPv6 address specified in your host.conf file. At the very least, you should be able to ping the VPN concentrator, vpn.nfsv4.dev: fd51:5f56:d79b:a64e::1
    [root@fs-i24c-02 ~]# ping6 fd51:5f56:d79b:a64e::1
    PING fd51:5f56:d79b:a64e::1(fd51:5f56:d79b:a64e::1) 56 data bytes
    64 bytes from fd51:5f56:d79b:a64e::1: icmp_seq=1 ttl=64 time=34.8 ms
    64 bytes from fd51:5f56:d79b:a64e::1: icmp_seq=2 ttl=64 time=34.9 ms
    64 bytes from fd51:5f56:d79b:a64e::1: icmp_seq=3 ttl=64 time=34.8 ms
    64 bytes from fd51:5f56:d79b:a64e::1: icmp_seq=4 ttl=64 time=34.8 ms
    --- fd51:5f56:d79b:a64e::1 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3005ms
    rtt min/avg/max/mdev = 34.783/34.831/34.920/0.052 ms
If you’re able to ping the vpn concentrator (fd51:5f56:d79b:a64e::1), congratulations! You’ve got basic connectivity working. From here, you can further improve your system by doing some/all of: