Deployment on private network
Introduction
Users who do not have, or do not want to obtain, the system administrator nomination but would still like to deploy services in a personal virtual machine can do so by using a private network. Working on a private network means that the VM will not be accessible directly from the internet, thus greatly reducing security risks. The only difference is that, to connect to the instance, the user must first connect to a VPN and then connect to the VM using the assigned private IP address.
Important
Access to a deployment on private network is allowed only to its owner. It is not possible to share access to deployments on private network with other users.
Important
To be authorized to use this feature, your IAM account needs to join one of the priv-admins/* IAM groups. The priv-admins/catchall group allows you to instantiate a maximum of 2 VMs. Read our guide on how to join a new group.
Apart from this, the deployment procedures of the services remain unchanged from those described in the specific sections of this documentation. This guide therefore shows only the few additional steps required to gain access to the deployment.
Deploy a service on a private network
First, connect to the INFN Cloud Dashboard as usual at https://my.cloud.infn.it/ and log in using your INFN Cloud credentials.
Once logged in, select the priv-admins/catchall group from the menu in the bottom left corner of the page, just under your name.
You can then proceed with the deployment of the service from the Dashboard as usual; for this, read the guide in this documentation for the service you are interested in.
Obtain the private IP address and VPN config file
Once the service is deployed (you will receive a notification via email), go back to the dashboard and, in the menu bar at the top, click Deployments and then List.
You will see a list of all your deployments inside the priv-admins group. Click on the one you just deployed.
You will see the usual page with the details of the deployment. Click now on the OUTPUT VALUES tab (Fig. 6, box 1): this time the private IP address of the VM will be reported as node_ip (Fig. 6, box 2) alongside a link to download the VPN configuration file (Fig. 6, box 3).
Take note of the private IP address, which you will need to connect to this instance, and download the VPN configuration file, which you will use in the following section.
Connect to the VPN
To connect to the VPN, download the configuration file from the link in the deployment details page (Fig. 6, box 3) and import it into your VPN client of choice. This guide shows some examples for the main desktop operating systems (Windows, macOS and Linux), but you can use any client you prefer on your OS of choice, as long as it is compatible with the .ovpn file format. In that case we suggest you read the official documentation of the client you want to use.
Windows and macOS (OpenVPN connect)
Important
The client used here (v3) is compatible with Windows versions above 7 and macOS versions above 10.13. For older OS versions you can use the older release (v2.7) of the client, also available on the official website linked below.
- Download the OpenVPN connect client from the official website:
- Install and open the client
- It will ask you to import a VPN Profile. To do so, click on “Upload file” in the upper right corner of the window.
- Drop the .ovpn file you downloaded from the deployment details page into this window or, alternatively, click on browse, select the same file and click on “Open”.
- To complete the import process, the client will ask you to fill in the “Username” field. Enter a valid email address here; it will be used to send you the authentication link. If you want, you can give a custom Profile name or use the default one. Then click on the “Connect” button.
- The import process should now be complete, and in the main window you should see the profile you just imported. Click on the toggle on the left of the profile to connect to the VPN.
- It will now ask you to insert a password. Leave it empty or write a random string (it will not be used) and click on “OK”.
- You will receive an email with the subject ‘VPN Authentication Request’ and the authentication link as the message. Click on the provided link and log in with your INFN AAI credentials if requested.
- Your browser will be redirected to an authorization page, similar to the one shown in the figure below. Click on “Authorize” to complete the authentication process.
- You should now be connected to the VPN and the client should show a window like the one below. In this window you can also disconnect from the VPN (Fig. 14, box 1) or add a new profile (Fig. 14, box 2).
Important
If you receive a connection timeout from the VPN, make sure you promptly click on the link in the email you received and authorize the VPN connection. If you don’t receive the email, please check your spam folder.
Linux
Linux users can use either the OpenVPN command-line client or the integrated NetworkManager via the settings page provided in most desktop environments. For the latter, this guide uses the GNOME Desktop Environment since it is the default one in most distributions; however, the steps are similar for other DEs.
GNOME Settings
- Open the Settings app, e.g. by clicking on the upper right corner of the screen and then on the “Settings” button.
- In the Settings app, click on the “Network” tab on the left side (Fig. 15, box 1). Then click on the “+” button on the right side of the VPN section (Fig. 15, box 2).
- A pop-up window will appear. Select “Import from file…” and choose the .ovpn file you downloaded from the deployment details page, then click on “Open”.
- You should now see the imported VPN profile. Click on username and insert a valid email address; it will be used to send you the authentication link. Then click on “Add” in the upper right corner to complete the process.
- To connect to the VPN, click on the toggle on the right of the profile you just created. A password prompt will appear; in this case you will have to write a random string (it will not be used) and click on “OK”.
- You will receive an email with the subject ‘VPN Authentication Request’ and the authentication link as the message. Click on the provided link and log in with your INFN AAI credentials if requested.
- Your browser will be redirected to an authorization page, similar to the one shown in the figure below. Click on “Authorize” to complete the authentication process.
- You should now be connected to the VPN and in the Settings app you should see something similar to the figure below. In this window you can also disconnect by simply turning the toggle off.
OpenVPN command-line client
- On most Linux distributions the OpenVPN client should already be installed; otherwise you can install it from the official repositories of your distribution.
- Open a terminal and run the following command:
  $ sudo openvpn --config <path_to_ovpn_file>
- The client will then ask you to:
  - Enter Auth Username: insert a valid email address; it will be used to send you the authentication link.
  - Enter Auth Password: leave it empty and press enter.
- You will receive an email with the subject ‘VPN Authentication Request’ and the authentication link as the message. Click on the provided link and log in with your INFN AAI credentials if requested.
- Your browser will be redirected to an authorization page, similar to the one shown in the figure below. Click on “Authorize” to complete the authentication process.
- You should now be connected to the VPN and the terminal output should look like the one shown below.
- To disconnect from the VPN, press CTRL+C in the terminal to kill the process.
Important
If you receive a connection timeout from the VPN, make sure you promptly click on the link in the email you received and authorize the VPN connection. If you don’t receive the email, please check your spam folder.
Connect to the VM
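Because the command-line client is started with sudo, it is useful to see which lines of a downloaded profile would make OpenVPN run external programs or load plugins. The script below is an added example, not part of the INFN Cloud documentation; the sample profile, its host name and the script path are constructed placeholders.

```shell
#!/bin/sh
# Added example: report the directives in an .ovpn profile that make the
# OpenVPN client run external programs or load plugins.

# Client-side directives that take a command or a module to load.
EXEC_DIRECTIVES='up down route-up route-pre-down ipchange tls-verify plugin'

# audit_ovpn FILE: prints "line N: <directive>" for every finding and
# returns 1 when something needs review, 0 when nothing was found.
audit_ovpn() {
    awk -v list="$EXEC_DIRECTIVES" '
        BEGIN { n = split(list, d, " "); for (i = 1; i <= n; i++) risky[d[i]] = 1 }
        /^[ \t]*<\//       { inblk = 0; next }    # end of an inline <ca>...</ca> block
        /^[ \t]*</         { inblk = 1; next }    # start of an inline block
        inblk              { next }               # certificate or key material
        /^[ \t]*([#;]|$)/  { next }               # comments and blank lines
        {
            key = $1
            sub(/^--/, "", key)                   # a leading "--" is optional in config files
            # script-security 2 or 3 allows user-defined scripts to run
            if ((key in risky) || (key == "script-security" && $2 + 0 >= 2)) {
                printf "line %d: %s\n", NR, $0
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample profile; host name and script path are placeholders.
sample_profile() {
    cat <<'EOF'
client
dev tun
remote vpn.example.org 1194
auth-user-pass
script-security 2
up /tmp/example-hook.sh
<ca>
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
</ca>
EOF
}

# Demo run on the constructed sample.
tmp=$(mktemp) && sample_profile > "$tmp"
audit_ovpn "$tmp" || echo "review the lines above before importing the profile"
rm -f "$tmp"
```

To check a real profile, call audit_ovpn <path_to_ovpn_file>; an exit status of 1 means at least one line was reported.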
Once you are connected to the VPN you can connect to the VM using the private IP address you found in the deployment details page (Fig. 6, box 2). You can now follow the specific guide for the service you deployed, using the private IP address in place of the public one.