====== Setting up VPN ======

===== Obtaining VPN credentials =====

Once access is approved, send the following information to [[opnfv-helpdesk@rt.linuxfoundation.org]] along with the approval email as an attachment:

  - Your name and email address
  - A copy of your PGP public key, as an attachment
  - If you do not have a PGP key, please generate one [[https://fedoraproject.org/wiki/Creating_GPG_Keys#Creating_GPG_Keys_Using_the_Command_Line|following this guide]]
  - Export your public key using ''gpg %%--%%export -a [your@email.addr] > pgp-key.asc'' and attach pgp-key.asc to the request

It is important to send the request to [[opnfv-helpdesk@rt.linuxfoundation.org]] rather than to any individual administrator, as we require the ticket number for the necessary paper trail.

===== Setting up OpenVPN =====

Prerequisites: make sure that openvpn is installed on your system (e.g. ''apt-get install openvpn'' on a Debian system). Also make sure that a user and a group ''openvpn'' are configured (e.g. ''addgroup openvpn'', ''adduser openvpn openvpn'').

Note: in case you are behind a firewall (e.g. a corporate firewall), UDP port 1203 needs to be open; otherwise the VPN connection will not work.

You should have received an encrypted tarball with your credentials.
This tarball includes the following files:

  - opnfv.ovpn : configuration file for the command-line client
  - opnfv-ca.crt : CA certificate for the VPN
  - opnfv-ta.key : TLS authentication key
  - //your@email.addr//.crt : your VPN certificate
  - //your@email.addr//.key : your VPN private key
  - admin-credentials.txt : admin credentials to access the UCS manager

===== Command-line client =====

To use the command-line client, copy these files into /etc/openvpn/ and run:

  sudo openvpn --config /etc/openvpn/opnfv.ovpn

===== Graphical client (Network Manager) =====

  - Click on Add->VPN->OpenVPN
  - Name: opnfv VPN
  - Firewall Zone: default
  - Gateway: vpn.opnfv.org
  - Type: Certificates (TLS)
  - User Certificate: choose //your@email.addr//.crt from the bundle
  - CA Certificate: choose opnfv-ca.crt from the bundle
  - Private key: choose //your@email.addr//.key from the bundle
  - Private key password: leave blank
  - Click the "Advanced" button
    - General tab:
      - Use custom gateway port: 1203
      - Use LZO data compression: yes
      - Set virtual device type: choose TUN, name: tun
      - Use custom UDP fragment size: 1400
    - TLS Authentication tab:
      - Use additional TLS authentication: yes
      - Key file: choose opnfv-ta.key from the bundle
      - Key direction: 1

===== Checking connectivity =====

Once you establish the VPN connection, you should be able to access these private subnets:

  - 172.30.8.0/24 : lights-out management subnet
  - 172.30.9.0/24 : POD1 subnet
  - 172.30.10.0/24 : POD2 subnet
  - 172.30.11.0/24 : POD3 subnet
  - 172.30.12.0/24 : POD4 subnet
  - 172.30.13.0/24 : POD5 subnet

You can test your connectivity by pinging 172.30.[8-13].1 for each range.

NOTE: Traffic between 172.30.8.0/24 and 172.30.9-13.0/24 is filtered. If you need specific ports to be open, contact opnfv-helpdesk@rt.linuxfoundation.org with details.
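The command-line client reads the same settings from opnfv.ovpn that the Network Manager walkthrough above enters by hand, and a profile that silently lacks one of them (most often the TLS authentication key, its direction, or the non-default port 1203 that the firewall note refers to) fails in ways that are tedious to debug. The Python script below is an added example, not the opnfv.ovpn shipped in the credential bundle: it parses a client profile and reports every deviation from the settings documented on this page. ''SAMPLE_OVPN'' is a constructed profile built from those settings (the real file's layout is not shown here), and ''key_mode_ok'' is a small helper for checking that the extracted private key is not group- or world-readable.

```python
"""Check an OpenVPN client profile against the connection settings this page
documents for the Network Manager client (gateway vpn.opnfv.org, UDP port
1203, TUN device, LZO compression, fragment 1400, TLS auth key direction 1).

Added example, not the opnfv.ovpn from the credential bundle: SAMPLE_OVPN
is constructed from those settings and only stands in for the real file."""
import stat

# Constructed sample profile (assumption: the real opnfv.ovpn expresses the
# same settings; its exact layout is not shown on the page).
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.opnfv.org 1203
ca opnfv-ca.crt
cert your@email.addr.crt
key your@email.addr.key
tls-auth opnfv-ta.key 1
comp-lzo
fragment 1400
"""

# Settings transcribed from the "Graphical client (Network Manager)" list.
EXPECTED = {"gateway": "vpn.opnfv.org", "port": "1203", "proto": "udp",
            "dev": "tun", "fragment": "1400", "tls_auth_key": "opnfv-ta.key",
            "key_direction": "1"}


def parse_ovpn(text):
    """Return {directive: [argument list, ...]}; repeated directives are all
    kept, and lines starting with '#' or ';' are treated as comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def check_profile(text, expected=EXPECTED):
    """Return a list of findings; an empty list means the profile matches the
    documented settings. Each finding starts with the directive concerned."""
    d = parse_ovpn(text)
    findings = []

    remotes = d.get("remote", [])
    if not remotes:
        findings.append("remote: no gateway configured")
    else:
        args = remotes[0]
        host = args[0] if args else ""
        port = args[1] if len(args) > 1 else "1194"   # OpenVPN's default port
        if host != expected["gateway"]:
            findings.append(f"remote: gateway is {host!r}, expected {expected['gateway']}")
        if port != expected["port"]:
            findings.append(f"remote: port is {port}, expected {expected['port']} "
                            "(the firewall note above is about UDP 1203)")
    # The protocol may sit on the 'remote' line or on a separate 'proto' line.
    proto = (remotes[0][2] if remotes and len(remotes[0]) > 2
             else d.get("proto", [["udp"]])[0][0])
    if proto != expected["proto"]:
        findings.append(f"proto: {proto}, expected {expected['proto']}")

    dev = d.get("dev", [[]])[0]
    if not dev or dev[0] != expected["dev"]:
        findings.append(f"dev: expected {expected['dev']}")
    if "comp-lzo" not in d:
        findings.append("comp-lzo: LZO compression not enabled")
    frag = d.get("fragment", [[]])[0]
    if not frag or frag[0] != expected["fragment"]:
        findings.append(f"fragment: expected {expected['fragment']}")

    for name in ("ca", "cert", "key"):
        if name not in d:
            findings.append(f"{name}: missing")

    tls = d.get("tls-auth")
    if not tls or not tls[0] or tls[0][0] != expected["tls_auth_key"]:
        findings.append(f"tls-auth: expected {expected['tls_auth_key']}")
    else:
        # Direction is either the 2nd tls-auth argument or a key-direction line.
        kd = d.get("key-direction", [[]])[0]
        direction = tls[0][1] if len(tls[0]) > 1 else (kd[0] if kd else None)
        if direction != expected["key_direction"]:
            findings.append(f"tls-auth: key direction is {direction}, "
                            f"expected {expected['key_direction']}")
    return findings


def key_mode_ok(mode):
    """True when a private-key file mode grants nothing to group or other
    (e.g. 0o600); 'mode' is the st_mode value returned by os.stat()."""
    return not (mode & (stat.S_IRWXG | stat.S_IRWXO))


if __name__ == "__main__":
    for line in check_profile(SAMPLE_OVPN) or ["profile matches the documented settings"]:
        print(line)
```

To check the real file, read /etc/openvpn/opnfv.ovpn into ''check_profile'' and pass ''os.stat(path).st_mode'' of //your@email.addr//.key to ''key_mode_ok''; any finding printed names the directive to compare against the Network Manager list above.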
===== Accessing the UCS manager =====

To access the UCS infrastructure, connect to the following addresses:

  - https://172.30.8.21/ : UCS Manager (make sure that you have a JRE installed on your machine; pick Oracle's Java)
  - 172.30.8.11:22 : SSH access for fiber interconnect A
  - 172.30.8.12:22 : SSH access for fiber interconnect B

The credentials have been shared with you as part of the encrypted bundle.

  * POD1 jump host: opnfv@172.30.9.66
  * POD2 jump host: opnfv@172.30.10.72

====== Hardware setup ======

  * {{:get_started:opnfv_lf_lab_wiring_and_topology.pdf|OPNFV Linux Foundation Lab wiring}}
  * {{:get_started:pdx-opnfv-pod-1.pdf|POD1 hardware setup}}
  * {{:get_started:pdx-opnfv-pod-2.pdf|POD2 hardware setup}}

IP rules for the class-C networks (UCSM, CIMC usage):

  * 172.30.8.1-63 : reserved for LF use
  * 172.30.8.64-255 : project use

Similar rules apply to the 172.30.9-13.0/24 subnets (POD1-POD5 subnets):

  * 172.30.x.1-63 : reserved for LF use
  * 172.30.x.64-255 : project use

====== Traffic filtering ======

There are three main firewall zones:

^ Zone name ^ VLAN ^ IP range ^ Description ^
| nfvad | - | 172.30.15.0/24 | Admin P2P VPN access |
| nfvlo | 410 | 172.30.8.0/24 | Lights-out management |
| nfvp1-5 | 411-415 | 172.30.9-13.0/24 | POD1-5 subnets |
| ext | - | - | Public internet |

The following traffic is allowed:

^ From ^ To ^ Proto ^ Ports ^ Description ^
| nfvad | nfvp1,nfvp2 | all | all | |
| nfvad | nfvlo | all | all | |
| nfvp1-5 | ext | tcp | 80, 443 | Web |
| nfvp1-5 | ext | udp | 123 | NTP |
| nfvp1-5 | ext:8.8.8.8, ext:8.8.4.4 | udp | 53 | DNS |
| nfvlo | ext | tcp | 80, 443 | Web |
| nfvlo | ext | udp | 123 | NTP |
| nfvlo | ext:8.8.8.8, ext:8.8.4.4 | udp | 53 | DNS |
| nfvp1-5 | nfvlo | udp | 623 | IPMI |

-----

====== POD1 ======

Same topology as POD2

Jumpserver public IP: **//172.30.9.66 (opnfv/octopus)//**

^ Slot ^ Role ^ PXE MAC 1st interface ^ Private MAC 2nd interface ^ IPMI IP ^ IPMI MAC ^ IPMI usr/pass ^
| | | ''subnet 192.168.1.0/24'' | ''subnet 192.168.0.0/24'' | | | |
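Before filing a helpdesk ticket for a port, it helps to be able to answer "would the filter pass this flow at all?" from the two tables above, and to know whether an address you are about to use sits in the LF-reserved or the project part of its /24. The Python module below is an added example, not a copy of the lab's firewall configuration: the zone and rule data are transcribed from the tables on this page (including the detail that the table lists only nfvp1 and nfvp2 as reachable from nfvad), and the lookup functions ''zone_of'', ''matching_rule'', ''is_allowed'' and ''address_use'' are mine. It models only the listed permit rules; return traffic and flows inside a single zone are outside the table and therefore outside the model.

```python
"""Answer "does the lab firewall pass this flow?" from the 'Traffic filtering'
tables above, and apply the 'IP rules' split (.1-.63 LF, .64-.255 project).

Added example: zones and rules are transcribed from the page; the lookup
logic is not the lab's own firewall configuration."""
import ipaddress

ANY = "all"
PODS = [f"nfvp{i}" for i in range(1, 6)]

# Zone table: nfvad and nfvlo, plus nfvp1..nfvp5 = 172.30.9.0/24 .. 172.30.13.0/24.
ZONES = {"nfvad": ipaddress.ip_network("172.30.15.0/24"),
         "nfvlo": ipaddress.ip_network("172.30.8.0/24")}
ZONES.update({f"nfvp{i}": ipaddress.ip_network(f"172.30.{8 + i}.0/24")
              for i in range(1, 6)})

# Allowed-traffic table, one tuple per row:
# (from zones, to zones, destination hosts or None, proto, ports, description)
RULES = [
    (["nfvad"], ["nfvp1", "nfvp2"], None, ANY, ANY, ""),
    (["nfvad"], ["nfvlo"], None, ANY, ANY, ""),
    (PODS, ["ext"], None, "tcp", {80, 443}, "Web"),
    (PODS, ["ext"], None, "udp", {123}, "NTP"),
    (PODS, ["ext"], {"8.8.8.8", "8.8.4.4"}, "udp", {53}, "DNS"),
    (["nfvlo"], ["ext"], None, "tcp", {80, 443}, "Web"),
    (["nfvlo"], ["ext"], None, "udp", {123}, "NTP"),
    (["nfvlo"], ["ext"], {"8.8.8.8", "8.8.4.4"}, "udp", {53}, "DNS"),
    (PODS, ["nfvlo"], None, "udp", {623}, "IPMI"),
]


def zone_of(ip):
    """Map an address to its zone; anything outside the lab /24s is 'ext'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "ext"


def matching_rule(src_ip, dst_ip, proto, port):
    """Return a description of the first rule that passes the flow, or None
    when no row of the allowed-traffic table covers it."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for froms, tos, hosts, rproto, rports, desc in RULES:
        if src not in froms or dst not in tos:
            continue
        if hosts is not None and dst_ip not in hosts:
            continue
        if rproto != ANY and rproto != proto.lower():
            continue
        if rports != ANY and port not in rports:
            continue
        return desc or f"{src} -> {dst} {rproto}/{rports}"
    return None


def is_allowed(src_ip, dst_ip, proto, port):
    return matching_rule(src_ip, dst_ip, proto, port) is not None


def address_use(ip):
    """Apply the 'IP rules' to an address in 172.30.8-13.0/24: .1-.63 are
    reserved for LF use, .64-.255 are for project use. None elsewhere."""
    if zone_of(ip) in ("ext", "nfvad"):
        return None
    last = int(ip.rsplit(".", 1)[1])
    return "reserved LF use" if last <= 63 else "project use"


if __name__ == "__main__":
    # POD1 jumpserver talking to its own IPMI controller (allowed) and trying
    # SSH into the lights-out subnet (not listed, so a helpdesk ticket is needed).
    for flow in [("172.30.9.66", "172.30.8.79", "udp", 623),
                 ("172.30.9.66", "172.30.8.79", "tcp", 22)]:
        verdict = matching_rule(*flow)
        print(flow, "allowed by rule:" if verdict else "not in the table; ask the helpdesk", verdict or "")
    print("172.30.8.21 is", address_use("172.30.8.21"))
```

Unknown protocols and ports simply fail to match, which is the conservative reading of a permit-list table; if a flow you rely on returns None here, that is the detail (source, destination, protocol, port) to include in the helpdesk request.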
| 1 | Jumpserver | 00:25:B5:cc:00:4e | | 172.30.8.79 | a8:9d:21:c9:82:7c | admin/octopus |
| 2 | node1 | 00:25:B5:cc:00:1e | | 172.30.8.69 | a8:9d:21:c9:84:ee | admin/octopus |
| 3 | node2 | 00:25:B5:cc:00:5d | | 172.30.8.78 | a8:9d:21:7d:e1:ce | admin/octopus |
| 4 | node3 | 00:25:B5:cc:00:1d | | 172.30.8.80 | 4e:aa:5d:ee:09:7e | admin/octopus |
| 5 | node4 | 00:25:B5:cc:00:3c | | 172.30.8.76 | A8:9D:21:c9:60:da | admin/octopus |
| 6 | node5 | 00:25:B5:A0:00:5b | | 172.30.8.71 | A8:9D:21:c9:67:28 | admin/octopus |

-----

====== POD2 ======

Jumpserver public IP: **//172.30.10.72 (opnfv/octopus)//**

^ Slot ^ Role ^ PXE MAC 1st interface ^ Private MAC 2nd interface ^ IPMI IP ^ IPMI MAC ^ IPMI usr/pass ^
| | | ''subnet 192.168.1.0/24'' | ''subnet 192.168.0.0/24'' | | | |
| 1 | Jumpserver | 00:25:B5:A0:00:1A | 00:25:B5:A0:00:1B | 172.30.8.66 | a8:9d:21:c9:c4:9e | admin/octopus |
| 2 | node1 | 00:25:B5:A0:00:2A | 00:25:B5:A0:00:2B | 172.30.8.75 | a8:9d:21:c9:8b:56 | admin/octopus |
| 3 | node2 | 00:25:B5:A0:00:3A | 00:25:B5:A0:00:3B | 172.30.8.65 | a8:9d:21:c9:4d:26 | admin/octopus |
| 4 | node3 | 00:25:B5:A0:00:4A | 00:25:B5:A0:00:4B | 172.30.8.74 | a8:9d:21:c9:3a:92 | admin/octopus |
| 5 | node4 | 00:25:B5:A0:00:5A | 00:25:B5:A0:00:5B | 172.30.8.73 | 74:a2:e6:a4:14:9c | admin/octopus |
| 6 | node5 | 00:25:B5:A0:00:6A | 00:25:B5:A0:00:6B | 172.30.8.72 | a8:9d:21:a0:15:9c | admin/octopus |

=== POD2 Topology ===

(The ASCII topology diagram did not survive extraction; the information it carried is summarised here.)

  * Networks: CIMC/lights-out management (vlan 300, 172.30.8.64/26), Admin/PXE (192.168.1.0/24), Private (192.168.0.0/24), Public (172.30.10.0/24), Storage
  * Jumpserver (CentOS 7, user/pass opnfv/octopus) interfaces: enp6 192.168.1.66 (Admin/PXE), enp7 192.168.0.66 (Private), enp8 172.30.10.72 (Public), enp9 (Storage)
  * Nodes in slots 1-5 ("nodes for deploying opnfv") are connected to the same set of networks

====== POD3 ======

This pod is used for virtual deployments. Each server is connected to a separate public subnet (if connected).

^ Slot ^ Public IP ^ SSH usr/pass ^ Operating system ^ IPMI IP ^ IPMI MAC ^ IPMI usr/pass ^ Current use ^
| 1 | N/A | opnfv/octopus | N/A | | a8:9d:21: | admin/octopus | Blade failing |
| 2 | 172.30.11.66 | opnfv/octopus | N/A | | a8:9d:21: | admin/octopus | Reinstalling system |
| 3 | 172.30.12.66 | opnfv/octopus | Ubuntu 14.04.3 | | a8:9d:21: | admin/octopus | joid virtual |
| 4 | 172.30.13.66 | opnfv/octopus | Ubuntu 14.04.3 | | a8:9d:21: | admin/octopus | Not in use |

Note: IPMI IPs can also be used for console connection. Use a web browser to access them through https (Java is required).