Deployment on private network

Introduction

Users who do not have, or do not want to obtain, the system administrator nomination but would still like to deploy services in a personal virtual machine can do so by using a private network. Working on a private network means that the VM will not be directly accessible from the internet, thus greatly reducing security risks. The only difference is that, to connect to the instance, the user must first connect to a VPN and then connect to the VM using the assigned private IP address.

Important

Access to a deployment on a private network is allowed only to its owner. It is not possible to share access to deployments on a private network with other users.

Important

To be authorized to use this feature, your IAM account needs to join one of the priv-admins/* IAM groups. The priv-admins/catchall group allows you to instantiate a maximum of 2 VMs. Read our guide on how to join a new group.

Besides this, the deployment procedures for the services remain unchanged from those described in the specific sections of this documentation. Therefore, this guide shows only the few additional steps required to gain access to the deployment.

Deploy a service on a private network

First, connect to the INFN Cloud Dashboard as usual by going to the following URL: https://my.cloud.infn.it/

Figure 1. INFN Cloud Dashboard

Then log in using your INFN Cloud credentials.

Figure 2. INFN Cloud IAM Login page

Once logged in, select the priv-admins/catchall group from the menu in the bottom left corner of the page, just under your name.

Figure 3. Select priv-admins group

You can then proceed with the deployment of the service from the Dashboard as usual. For this, read the specific guide in this documentation for the service you are interested in.

Obtain the private IP address and VPN config file

Once the service is deployed (you will receive a notification via email), go back to the dashboard and, in the menu bar at the top, click on Deployments and then on List.

Figure 4. Open the deployments list

You will see a list of all your deployments inside the priv-admins group. Click on the one you just deployed.

Figure 5. List of deployments

You will see the usual page with the details of the deployment. Click now on the OUTPUT VALUES tab (Fig. 6, box 1): this time the private IP address of the VM will be reported as node_ip (Fig. 6, box 2) alongside a link to download the VPN configuration file (Fig. 6, box 3).

Figure 6. Deployment details

Take note of the private IP address, which you will need to connect to this instance, and download the VPN configuration file, which you will use in the following section.

Connect to the VPN

To connect to the VPN, download the configuration file from the link in the deployment details page (Fig. 6, box 3) and import it into your VPN client of choice. This guide shows some examples for the main desktop operating systems (Windows, macOS and Linux), but you can use any client you prefer on your OS of choice, as long as it is compatible with the .ovpn file format. In that case, we suggest reading the official documentation of the client you want to use.

Windows and macOS (OpenVPN connect)

Important

The client used here (v3) is compatible with Windows versions above 7 and macOS versions above 10.13. For older OS versions you can use the older release (v2.7) of the client, also available on the official website linked below.

Figure 7. OpenVPN connect import window
  • Drop the .ovpn file you downloaded from the deployment details page into this window or, alternatively, click on browse, select the same file and click on “Open”.
Figure 8. OpenVPN connect upload file window
  • To complete the import process, the client will ask you to fill in the “Username” field. Enter a valid email address here; it will be used to send you the authentication link. If you want, you can give a custom Profile name or use the default one. Then click on the “Connect” button.
Figure 9. OpenVPN connect profile
  • The import process should now be complete, and in the main window you should see the profile you just imported. Click on the toggle on the left of the profile to connect to the VPN.
Figure 10. OpenVPN connect main window connected
  • The client will now ask you for a password. Leave it empty or write a random string (it will not be used) and click on “OK”.
Figure 11. OpenVPN connect password prompt
  • You will receive an email with the subject ‘VPN Authentication Request’ and the authentication link as its message. Click on the provided link and log in with your INFN AAI credentials if requested.
Figure 12. OpenVPN connect email
  • Your browser will be redirected to an authorization page, similar to the one shown in the figure below. Click on “Authorize” to complete the authentication process.
Figure 13. IAM VPN authorization page
  • You should now be connected to the VPN and the client should show a window like the one below. In this window you can also disconnect from the VPN (Fig. 14, box 1) or add a new profile (Fig. 14, box 2).
Figure 14. OpenVPN connected

Important

If you receive a connection timeout from the VPN, please be sure to promptly click on the link in the email you received and authorize the VPN connection. If you don’t receive the email, please check your spam folder.

Linux

Linux users can use either the OpenVPN command-line client or the integrated NetworkManager via the settings page provided in most desktop environments. For the latter, this guide uses the GNOME Desktop Environment, since it is the default in most distributions; the steps are similar for other DEs.

GNOME Settings

  • Open the Settings app, e.g. by clicking on the upper right corner of the screen and then on the “Settings” button.
Figure 15. Open GNOME Settings
  • In the Settings app, click on the “Network” tab on the left side (Fig. 15, box 1). Then click on the “+” button on the right side of the VPN section (Fig. 15, box 2).
Figure 16. GNOME Network Settings
  • A pop-up window will appear. Select “Import from file…” and choose the .ovpn file you downloaded from the deployment details page, then click on “Open”.
Figure 17. Import OpenVPN file
  • You should now see the imported VPN profile. Click on username and insert a valid email address; it will be used to send you the authentication link. Then click on “Add” in the upper right corner to complete the process.
Figure 18. GNOME VPN profile settings
  • To connect to the VPN, click on the toggle on the right of the profile you just created. A password prompt will appear; in this case you will have to write a random string (it will not be used) and click on “OK”.
Figure 18. GNOME VPN profile settings
  • You will receive an email with the subject ‘VPN Authentication Request’ and the authentication link as its message. Click on the provided link and log in with your INFN AAI credentials if requested.
Figure 19. OpenVPN connect email
  • Your browser will be redirected to an authorization page, similar to the one shown in the figure below. Click on “Authorize” to complete the authentication process.
Figure 20. IAM VPN authorization page
  • You should now be connected to the VPN and in the Settings app you should see something similar to the figure below. In this window you can also disconnect by simply turning the toggle off.
Figure 21. GNOME VPN profile settings

OpenVPN command-line client

  • On most Linux distributions the OpenVPN client should already be installed; otherwise you can install it from the official repositories of your distribution.
  • Open a terminal and run the following command:
$ sudo openvpn --config <path_to_ovpn_file>
  • The client will then ask you to:

    • Enter Auth Username: insert a valid email address; it will be used to send you the authentication link.
    • Enter Auth Password: leave it empty and press enter.
  • You will receive an email with the subject ‘VPN Authentication Request’ and the authentication link as its message. Click on the provided link and log in with your INFN AAI credentials if requested.

Figure 12. OpenVPN connect email
  • Your browser will be redirected to an authorization page, similar to the one shown in the figure below. Click on “Authorize” to complete the authentication process.
Figure 13. IAM VPN authorization page
  • You should now be connected to the VPN and the terminal output should look like the one shown below.
Figure 14. OpenVPN connected
  • To disconnect from the VPN, press CTRL+C in the terminal to kill the process.

Important

If you receive a connection timeout from the VPN, please be sure to promptly click on the link in the email you received and authorize the VPN connection. If you don’t receive the email, please check your spam folder.

Connect to the VM

Once you are connected to the VPN, you can connect to the VM using the private IP address you found in the deployment details page (Fig. 6, box 2). You can now follow the specific guide for the service you deployed, using the private IP address in place of the public one.
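
A check for the Linux command-line case, added here as an example (it is not part of the INFN Cloud documentation): before connecting to the VM, confirm that the route to node_ip leaves through the VPN tunnel interface rather than a local one, which can happen when your local network uses an overlapping private range. It assumes the iproute2 `ip` command and the tunN/tapN interface names OpenVPN usually creates on Linux; the function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that traffic to the VM's private IP (node_ip)
# would be sent through the VPN tunnel and not a local interface.
# Live use (assumed invocation): NODE_IP=<node_ip> sh check_route.sh

# route_dev: print the outgoing interface named in `ip route get` output.
# $1 = first line printed by `ip route get <addr>`
route_dev() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "dev") { print $(i + 1); exit }
    }'
}

# is_tunnel_dev: succeed for tunN/tapN, the names OpenVPN normally
# gives its interface on Linux (assumption: no custom --dev name).
is_tunnel_dev() {
    case "$1" in
        tun[0-9]*|tap[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_route: classify a route line as vpn:<dev>, direct:<dev> or no-route.
check_route() {
    dev=$(route_dev "$1")
    if [ -z "$dev" ]; then
        echo "no-route"
    elif is_tunnel_dev "$dev"; then
        echo "vpn:$dev"
    else
        echo "direct:$dev"
    fi
}

# Constructed sample lines in the format printed by `ip route get`.
SAMPLE_VPN='10.0.0.15 dev tun0 src 10.8.0.6 uid 1000'
SAMPLE_LAN='10.0.0.15 via 192.168.1.1 dev wlp3s0 src 192.168.1.20 uid 1000'

# When NODE_IP is set, classify the real route on this machine.
if [ -n "${NODE_IP:-}" ]; then
    check_route "$(ip route get "$NODE_IP" 2>/dev/null | head -n 1)"
fi
```

A result of `direct:<dev>` or `no-route` means the connection to the VM would not go through the VPN, so check that the VPN session is still authorized and connected before retrying.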