This is an old revision of the document!
Table of Contents
Setting up VPN
Requesting a VPN account
Please send the following info to opnfv-helpdesk@rt.linuxfoundation.org
- Your name and email address
- The reason you require admin access to the LF Lab
- Add a copy of your PGP public key, as attachment
- If you do not have a PGP key, please generate it following this guide
- Export your public key using "
gpg --export -a [your@email.addr] > pgp-key.asc" and attach pgp-key.asc to the request
It is important to send the request to opnfv-helpdesk@rt.linuxfoundation.org as opposed to any individual administrator, as we require the ticket number for the necessary papertrail.
Setting up OpenVPN
Prerequisites: Make sure that you have openvpn installed (e.g. "apt-get install openvpn" on a Debian system) on your system. Also make sure that you have a user and a group "openvpn" configured (e.g. "addgroup openvpn", "adduser openvpn openvpn").
Note: In case you're behind a firewall (e.g. a corporate firewall), udp port 1203 needs to be open - or you experience issues (i.e it won't work).
You should have received an encrypted tarball with your credentials. This tarball includes the following files:
- opnfv.ovpn : configuration file for the command-line client
- opnfv-ca.crt : CA certificate for the VPN
- opnfv-ta.key : TLS Authentication key
- your@email.addr.crt : Your VPN certificate
- your@email.addr.key : Your VPN private key
- admin-credentials.txt : admin credentials to access the UCS manager
Command-line client
To use the command-line client, just copy these files into /etc/openvpn/ and run:
sudo openvpn --config /etc/openvpn/opnfv.ovpn
Graphical client (Network Manager)
- Click on Add→VPN→OpenVPN
- Name: opnfv VPN
- Firewall Zone: default
- Gateway: vpn.opnfv.org
- Type: Certificates (TLS)
- User Certificate: Choose your@email.addr.crt from the bundle
- CA Certificate: Choose opnfv-ca.crt from the bundle
- Private key: Choose your@email.addr.key from the bundle
- Private key password: leave blank
- Click the "Advanced" button
- General Tab:
- Use custom gateway port: 1203
- Use LZO data compression: yes
- Set virtual device type: Choose TUN, name: tun
- Use custom UDP fragment size: 1400
- TLS Authentication tab:
- Use additional TLS authentication: yes
- Key file: Choose opnfv-ta.key from the bundle
- Key direction: 1
Checking connectivity
Once you establish the VPN connection, you should be able to access two private subnets:
- 172.30.8.0/24 : lights-out management subnet
- 172.30.9.0/24 : POD1 subnet
- 172.30.10.0/24 : POD2 subnet
- 172.30.11.0/24 : POD3 subnet
- 172.30.12.0/24 : POD4 subnet
- 172.30.13.0/24 : POD5 subnet
You can test your connectivity by pinging 172.30.[8-13].1 for each range.
NOTE: Traffic between 172.30.8.0/24 and 172.30.9-13.0/24 is filtered. If you need specific ports to be open, contact opnfv-helpdesk@rt.linuxfoundation.org with details.
Accessing the UCS manager
To access UCS infrastructure, please connect to the following addresses:
- https://172.30.8.21/ : UCS Manager (make sure that you have JRE (pick Oracle's Java) installed on your machine)
- 172.30.8.11:22 : SSH access for fiber interconnect A
- 172.30.8.12:22 : SSH access for fiber interconnect B
The credentials have been shared with you as part of the encrypted bundle.
POD1 jump host opnfv@172.30.9.66 POD2 jump host opnfv@172.30.10.72
Hardware setup
IP rules for the class-C networks: (UCSM, CIMC usage)
- 172.30.8.1-63 : reserved LF use
- 172.30.8.64-255 : project use
similar rules for 172.30.9-13.0/24 subnet: (POD1-POD5 subnets)
- 172.30.x.1-63 : reserved LF use
- 172.30.x.64-255 : project use
Traffic filtering
There are three main firewall zones:
| Zone name | VLAN | IP range | Description |
|---|---|---|---|
| nfvad | - | 172.30.15.0/24 | Admin P2P VPN access |
| nfvlo | 410 | 172.30.8.0/24 | Lights-out Management |
| nfvp1-5 | 411-415 | 172.30.9-13/0/24 | POD1-5 subnets |
| ext | - | - | Public internet |
The following traffic is allowed:
| From | To | Proto | Ports | Description |
|---|---|---|---|---|
| nfvad | nfvp1,nfvp2 | all | all | |
| nfvad | nfvlo | all | all | |
| nfvp1-5 | ext | tcp | 80, 443 | Web |
| nfvp1-5 | ext | udp | 123 | NTP |
| nfvp1-5 | ext:8.8.8.8, ext:8.8.4.4 | udp | 53 | DNS |
| nfvlo | ext | tcp | 80, 443 | Web |
| nfvlo | ext | udp | 123 | NTP |
| nfvlo | ext:8.8.8.8, ext:8.8.4.4 | udp | 53 | DNS |
| nfvp1-5 | nfvlo | udp | 623 | IPMI |
POD1
Public IP to Jumpserver (ssh available):
172.30.9.66 opnfv/octopus
CIMC IPs, same for IPMI:
- Jumpserver 172.30.8.79 MAC a8:9d:21:c9:82:7c
- node1 172.30.8.69 MAC a8:9d:21:c9:84:ee
- node2 172.30.8.78 MAC a8:9d:21:7d:e1:ce
- node3 172.30.8.68 MAC a8:9d:21:c9:8b:1c
- node4 172.30.8.77 MAC A8:9D:21:C9:60:DA
- node5 172.30.8.67 MAC A8:9D:21:C9:67:28
IPMI configured for these IPs. user/pass → admin/octopus
These IPs can be also used for console connection. Use web browser to access them through https (java is required)
POD1 has been decomposed for virtual deploys. Four servers are connected to four different public networks. SSH access:
- centos1 172.30.9.66 opnfv/octopus
- ubuntu1 172.30.11.66 opnfv/octopus
- centos2 172.30.12.66 opnfv/octopus
- ubuntu2 172.30.13.66 opnfv/octopus
POD2
CIMC/Lights+out management Admin Private Public Storage
PXE
vlan 300
172.30.8.64/26 192.168.1.0/24 +
+ + 192.168.0.0/24| |
| | + + |
| | | 172.30.10.0/24 |
| +-----------------+ | | + |
| | | enp6 | | | |
+--------+ Jumpserver | 192.168.1.66 | | | |
| | CentOS 7 +-----------------------------+ | | |
| | | | | | |
| | | enp7 | | | |
| | | 192.168.0.66 | | | |
| | user/pass +---------------------------------------+ | |
| | opnfv/octopus | | | | |
| | | enp8 | | | |
| | | 172.30.10.72 | | | |
| | +-------------------------------------------------+ |
| | | | | | |
| | | enp9 | | | |
| | | | | | |
| | +----------------------------------------------------------+
| | | | | | |
| +-----------------+ | | | |
| | | | |
| | | | |
| | | | |
| +----------------+ | | | |
| | 1 | | | | |
+-------+ +--------------+-+ | | | |
| | | 2 | | | | |
| | | +--------------+-+ | | | |
| | | | 3 | | | | |
| | | | +--------------+-+ | | | |
| | | | | 4 | | | | |
| +-+ | | +--------------+-+ | | | |
| | | | | 5 +-----------------------+ | | |
| +-+ | | nodes for | | | | |
| | | | deploying +---------------------------------+ | |
| +-+ | opnfv | | | | |
| | | +-------------------------------------------+ |
| +-+ | | | | |
| | +----------------------------------------------------+
| +----------------+ | | | |
| | | | |
| | | | |
| + + + +
CIMC IPs:
- Jumpserver 172.30.8.66 a8:9d:21:c9:c4:9e
- node1 172.30.8.75 MAC a8:9d:21:c9:8b:56
- node2 172.30.8.65 MAC a8:9d:21:c9:4d:26
- node3 172.30.8.74 MAC a8:9d:21:c9:3a:92
- node4 172.30.8.73 MAC 74:a2:e6:a4:14:9c
- node5 172.30.8.72 MAC a8:9d:21:a0:15:9c
IPMI configured for these IPs. user/pass → admin/octopus
Jumpserver public IP: 172.30.10.72 (opnfv/octopus)
MACs of PXE boot interfaces (first interface):
- Jumphost 00:25:B5:A0:00:1A
- node1 00:25:B5:A0:00:2A
- node2 00:25:B5:A0:00:3A
- node3 00:25:B5:A0:00:4A
- node4 00:25:B5:A0:00:5A
- node5 00:25:B5:A0:00:6A
MACs of Private interfaces (2nd interface):
- Jumphost 00:25:B5:A0:00:1B
- node1 00:25:B5:A0:00:2B
- node2 00:25:B5:A0:00:3B
- node3 00:25:B5:A0:00:4B
- node4 00:25:B5:A0:00:5B
- node5 00:25:B5:A0:00:6B
