
Requirements

  • To generate a request to join, you’ll need a system with GNU Make (gmake), openssl, git, and bash. You can generate a registration request from any system that has these tools - it does not need to be the system used in testing.

  • The system joining the testing network needs to be able to run OpenVPN version 2.5 or later, and have ipv6 capability. The VPN network is ipv6-only, though the connection to our VPN concentrator is an ipv4 connection. You do not need to have real-world ipv6 connectivity.

Request to add your host to nfs-vpn

Step 1 - Get the required software on your testing system

You’ll need either WireGuard or OpenVPN 2.5 or later. You can build from the source tarball if you don’t want to hack around with autotools.

Some known distro packages for OpenVPN are:

dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
dnf copr enable dsommers/openvpn-beta
dnf install openvpn

Step 2 - Clone the nfs-vpn git repo on a system that has GNU Make, openssl, git, and bash.

git clone git://vpn.nfsv4.dev/nfs-vpn

Step 3 - Generate a vpn host request:

There’s a helper to generate this request (you can run ‘make request’). This provides the folks registering your system on the network with some necessary information, such as:

  • your email address
  • a public key
  • what your system’s hostname should be (choose any name of the form <host>.nfsv4.dev)
  • what your system’s ip address should be (choose any address in fd51:5f56:d79b:a64e::/64)

Please provide sane values for these fields. Hostnames should be the hostname of the system that will participate in NFS testing, and have the “.nfsv4.dev” domain.

Here’s an example run of the helper:

$ make request
./scripts/vpn_host_request
What email address is a good point-of-contact for this host? [ bcodding@vpn.nfsv4.dev ]:Benjamin Coddington <bcodding@example.com>
What public_key file should be used?  Found: [ bcodding@porthole.nfsv4.dev.pem ]:
What hostname should this system have on the test network? [ porthole.nfsv4.dev ]:
What IP address would you like to register? (generated: ) [ fd51:5f56:d79b:a64e:3c6a:5da7:604a:101b/64 ]:
/home/bcodding/nfs-vpn/public_keys/bcodding@porthole.nfsv4.dev.pem

Send an email to <bcodding@redhat.com> with a body like the following:
8<---------------------------------------------------

Hello, please add a VPN client with these parameters:

# This is the a host config file auto generated
# by scripts/vpn_host_request

CLIENT[owner]=Benjamin Coddington <bcodding@example.com>
CLIENT[owner_key]=bcodding@porthole.nfsv4.dev.pem
CLIENT[owner_key_hash=6e367441cd3764891fa54f47d1bb83ed5c4576f6
CLIENT[hostname]=vpn.nfsv4.dev
CLIENT[ip6_addr]=fd51:5f56:d79b:a64e:3c6a:5da7:604a:101b/64
-----BEGIN PUBLIC KEY-----
[public key body omitted]
-----END PUBLIC KEY-----

Optional: At this point you should have a private key in your ./private_keys/ directory. You may want to copy it somewhere safe. You may want to re-use it if you rebuild or rename your system.

Step 4 - Send the output of the helper to bcodding@redhat.com.

Ben will use this information to issue certificates and a VPN configuration, and then encrypt it in the nfs-vpn git repo. Once this is done, he’ll respond to your mail and you can proceed to:

Step 5 - Pull certificates into your local repo:

git fetch && git reset --hard origin/master

Step 6 - Build the client’s VPN config file with the needed certs.

make

Step 7 - Start the vpn client using the config file:

openvpn --config vpn_config/<short name>.conf

Step 8 - Do some testing!

Your system should now have a TUN adapter and the ipv6 address specified in your host.conf file. At the very least, you should be able to ping the vpn concentrator, vpn.nfsv4.dev, at fd51:5f56:d79b:a64e::1:

[root@fs-i24c-02 ~]# ping6 fd51:5f56:d79b:a64e::1
PING fd51:5f56:d79b:a64e::1(fd51:5f56:d79b:a64e::1) 56 data bytes
64 bytes from fd51:5f56:d79b:a64e::1: icmp_seq=1 ttl=64 time=34.8 ms
64 bytes from fd51:5f56:d79b:a64e::1: icmp_seq=2 ttl=64 time=34.9 ms
64 bytes from fd51:5f56:d79b:a64e::1: icmp_seq=3 ttl=64 time=34.8 ms
64 bytes from fd51:5f56:d79b:a64e::1: icmp_seq=4 ttl=64 time=34.8 ms
--- fd51:5f56:d79b:a64e::1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 34.783/34.831/34.920/0.052 ms
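A pre-flight check for the request you mail in Step 4, added here as an example that is not part of the nfs-vpn repository or its scripts. The CLIENT[...] field names, the .nfsv4.dev domain, the fd51:5f56:d79b:a64e::/64 prefix and the concentrator's ::1 address come from the steps above; the `check_request` and `sample_request` helpers and the sample values are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the nfs-vpn repo): sanity-check the output of
# `make request` before mailing it. Field names, the .nfsv4.dev domain, the
# fd51:5f56:d79b:a64e::/64 prefix and the ::1 concentrator address are from
# the page; every sample value below is constructed for this example.

field() {  # field <file> <key>: value of CLIENT[<key>]=..., empty if absent
    sed -n "s/^CLIENT\[$2]=//p" "$1" | head -n 1
}
matches() {  # matches <value> <ERE>, case-insensitive
    printf '%s\n' "$1" | grep -Eiq "$2"
}

check_request() {  # check_request <file>: print problems, return 1 if any
    f=$1; rc=0
    matches "$(field "$f" owner)" '<?[^<> ]+@[^<> ]+\.[^<> ]+>?$' \
        || { echo "owner: needs an e-mail address"; rc=1; }
    matches "$(field "$f" owner_key)" '^[^ ]+\.pem$' \
        || { echo "owner_key: expected a .pem file name"; rc=1; }
    matches "$(field "$f" owner_key_hash)" '^[0-9a-f]{40}$' \
        || { echo "owner_key_hash: expected 40 hex digits"; rc=1; }
    matches "$(field "$f" hostname)" '^[a-z0-9-]+\.nfsv4\.dev$' \
        || { echo "hostname: must look like <host>.nfsv4.dev"; rc=1; }
    addr=$(field "$f" ip6_addr)
    # Full four-group interface id, or a ::-compressed one, then /64.
    matches "$addr" '^fd51:5f56:d79b:a64e:(([0-9a-f]{1,4}:){3}[0-9a-f]{1,4}|:([0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})/64$' \
        || { echo "ip6_addr: must be inside fd51:5f56:d79b:a64e::/64 and end in /64"; rc=1; }
    case $addr in
        fd51:5f56:d79b:a64e::1/64|fd51:5f56:d79b:a64e:0:0:0:1/64)
            echo "ip6_addr: ::1 is the VPN concentrator (vpn.nfsv4.dev)"; rc=1 ;;
    esac
    # PEM block present, with at least one body line between the markers.
    [ "$(sed -n '/^-----BEGIN PUBLIC KEY-----$/,/^-----END PUBLIC KEY-----$/p' "$f" | grep -c .)" -gt 2 ] \
        || { echo "public key: missing or empty PEM block"; rc=1; }
    return $rc
}

# Constructed sample request; the key body is a stand-in, not a real key.
sample_request() {  # sample_request <hostname> <ip6_addr>, writes to stdout
    cat <<EOF
CLIENT[owner]=Jane Tester <jane@example.com>
CLIENT[owner_key]=jane@$1.pem
CLIENT[owner_key_hash]=0123456789abcdef0123456789abcdef01234567
CLIENT[hostname]=$1
CLIENT[ip6_addr]=$2
-----BEGIN PUBLIC KEY-----
CONSTRUCTEDSTANDINNOTAREALKEYBODY
-----END PUBLIC KEY-----
EOF
}
tmp=$(mktemp); sample_request porthole.nfsv4.dev fd51:5f56:d79b:a64e:3c6a:5da7:604a:101b/64 > "$tmp"
check_request "$tmp" && echo "request looks sane"; rm -f "$tmp"
```

Run it against the body of the mail you are about to send; any field the helper printed with a mangled name (for example a missing `]`) shows up as a missing field.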

Next steps:

If you’re able to ping the vpn concentrator (fd51:5f56:d79b:a64e::1), congratulations! You’ve got basic connectivity working. From here, you can further improve your system by doing some/all of:

  • configure your system’s DNS
  • configure your system’s ldap/kerberos (you should have a keytab in /keytabs)
  • configure your OpenVPN client to start automatically
  • ping some other hosts (try ./scripts/getall hostnames)