VPN concentrator for control network
This is about setting up a physical machine, probably in MEB or the DDC, to act as an openvpn server to the various POWDER aggregates; configuring its openvpn software; and setting up appropriate routing/firewalling to the mothership (et al). (The aggregate (client) side of this issue is being discussed in #439 (closed)).
Subtasks:
-
@hibler is going to obtain a new /22 from campus and have them route it to the MEB firewall -
@hibler or @kwebb configure the firewall with the routes for the concentrated /29s to point to a gateway address on the VPN outside all those /29s -
@johnsond will setup a physical VPN concentrator box, probably running Ubuntu 18.04. -
@mike or @kwebb will setup a path from the firewall to the concentrator, and from the concentrator to the mothership control net. -
@johnsond is going to write a profile that is a mockup of (most of) the software, including the failover stuff (wired to start, then wireless using a nuc), to validate the design (this is happening in https://gitlab.flux.utah.edu/johnsond/powder-vpn) -
@johnsond needs to turn the scripts from https://gitlab.flux.utah.edu/johnsond/powder-vpn into a single script on the concentrator; this is trivial.
- [ ] @johnsond needs to tweak the concentrator's configuration to move to the "scalable", one openvpn server process per client (aggregate) -- and adapt his profile's scripts to add configuration for each new aggregate. (Given that UConnect bandwidth is what it is, we decided that there is currently no need to move to the scalable design.)
Edited by David Johnson