Deployment on private network

Introduction

For users who do not have, or are not willing to obtain, the system administrator nomination but would still like to deploy services in a personal virtual machine, it is possible to do so by using a deployment on a private network. Working on a private network means that the VM will not be accessible directly from the internet, thus greatly reducing security risks. The relevant difference is that, to connect to the instance, the user must first connect to a VPN and then connect to the VM using the assigned private IP address.

Important

Access to a deployment on a private network is allowed only to its owner. It is not possible to share access to deployments on a private network with other users.

Important

To be authorized to use this feature, your IAM account needs to join one of the priv-admins/* IAM groups. The priv-admins/catchall group allows you to instantiate a maximum of 2 VMs. Read our guide on how to join a new group.

Apart from this, the deployment procedures of the services remain unchanged from those described in the specific sections of this documentation. Therefore, in this guide we will show you only the few additional steps required to gain access to the deployment.

Deploy a service on a private network

First you must connect to the INFN Cloud Dashboard as usual, by going to the following URL: https://my.cloud.infn.it/

/users_guides/img/new_dashb.png
Figure 1: PaaS dashboard home page - Click on the "Please login, or register" button to continue

and log in using your INFN AAI credentials

/users_guides/img/new_iam.png
Figure 2: IAM login page

Once logged in, select the priv-admins/catchall group from the menu in the bottom left corner of the page, just under your name.

/users_guides/img/priv_admins/select_priv_admins_group.png
Figure 3: Select a priv-admins/* group

You can then proceed with the deployment of the service from the Dashboard as usual; for this, refer to the guide in this documentation for the service you are interested in.

Obtain the private IP address and VPN config file

Once the service is deployed (you will receive a notification via email), go back to the dashboard and, in the menu bar at the top, click on Deployments and then List.

/users_guides/img/priv_admins/deployment_list0.png
Figure 4: Select one of the priv-admins/* groups you have access to

You will see a list of all your deployments inside the priv-admins group. Click on the one you just deployed.

/users_guides/img/priv_admins/deployment_list1.png
Figure 6: List of personal deployments

You will see the usual page with the details of the deployment. Click now on the OUTPUT VALUES tab (Fig. 6, box 1): this time the private IP address of the VM will be reported as node_ip (Fig. 6, box 2) alongside a link to download the VPN configuration file (Fig. 6, box 3).

/users_guides/img/priv_admins/deployment_details.png
Figure 7: Details for the specific deployment

Please take note of the private IP address, which you will need to connect to this instance, and download the VPN configuration file, which you will use in the following section.

Connect to the VPN

To connect to the VPN you will need to download the configuration file from the link in the deployment details page (Fig. 6, box 3) and import it into your VPN client of choice. In this guide we will show some examples for the main desktop OS (Windows, macOS and Linux), but you can use any client you prefer on your OS of choice, as long as it is compatible with the .ovpn file format. In that case we suggest that you read the official documentation of the client you want to use.

Windows and macOS (OpenVPN connect)

Important

The client used here (v3) is compatible with Windows versions above 7 and macOS versions above 10.13. For older OS versions you can use the older release (v2.7) of the client, also available on the official website linked below.

/users_guides/img/priv_admins/openvpn_import.png
Figure 8: OpenVPN Connect interface
  • Drop the .ovpn file you downloaded from the deployment details page into this window or, alternatively, click on browse, select the same file and click on "Open".
/users_guides/img/priv_admins/openvpn_from_file.png
Figure 9: OpenVPN file import interface
  • To complete the import process, the client will ask you to fill in the "Username" field. Enter a valid email address here; it will be used to send you the authentication link. If you want, you can give a custom Profile name or use the default one. Then click on the "Connect" button.
/users_guides/img/priv_admins/openvpn_login.png
Figure 10: OpenVPN profile details interface
  • The import process should now be complete and in the main window you should see the profile you just imported. Click on the toggle on the left of the profile to connect to the VPN.
/users_guides/img/priv_admins/openvpn_main.png
Figure 11: OpenVPN profile interface
  • It will now ask you to enter a password. Leave it empty or write a random string (it will not be used) and click on "OK".
/users_guides/img/priv_admins/openvpn_pass.png
Figure 12: OpenVPN login interface
  • You will receive an email with the 'VPN Authentication Request' subject and the authentication link as the message. Click on the provided link and log in with your INFN AAI credentials if requested.
/users_guides/img/priv_admins/vpn_email.png
Figure 13: Authorization link received via e-mail
  • Your browser will be redirected to an authorization page, similar to the one shown in the figure below. Click on "Authorize" to complete the authentication process.
/users_guides/img/priv_admins/vpn_auth_req.png
Figure 14: IAM authorization page
  • You should now be connected to the VPN and the client should show a window like the one below. In this window you can also disconnect from the VPN (Fig. 14, box 1) or add a new profile (Fig. 14, box 2).
/users_guides/img/priv_admins/openvpn_connected.png
Figure 15: OpenVPN status and control interface

Important

If you receive a connection timeout from the VPN please be sure to promptly click on the link in the email you received and authorize the VPN connection. If you don't receive the email please check your spam folder.

Linux

Linux users can use either the OpenVPN command-line client or the integrated NetworkManager via the settings page provided in most Desktop Environments. For the latter, in this guide we will use the GNOME Desktop Environment since it is the default one in most distributions; however, the steps are similar for other DEs.

GNOME Settings

  • Open the Settings app, e.g. by clicking on the upper right corner of the screen and then on the "Settings" button.
/users_guides/img/priv_admins/gnome_open_settings.png
Figure 16: GNOME Desktop - your Linux environment may differ
  • In the Settings app, click on the "Network" tab on the left side (Fig. 15, box 1). Then click on the "+" button on the right side of the VPN section (Fig. 15, box 2).
/users_guides/img/priv_admins/gnome_settings_network.png
Figure 17: GNOME network settings interface
  • A pop-up window will appear, select "Import from file..." and choose the .ovpn file you downloaded from the deployment details page, then click on "Open".
/users_guides/img/priv_admins/gnome_settings_network_importfile.png
Figure 18: GNOME VPN setup interface
  • You should now see the imported VPN profile. Click on username and enter a valid email address; it will be used to send you the authentication link. Then click on "Add" in the upper right corner to complete the process.
/users_guides/img/priv_admins/gnome_settings_network_vpnprofile.png
Figure 19: GNOME VPN profile settings interface
  • To connect to the VPN, click on the toggle on the right of the profile you just created. A password prompt will appear; in this case you will have to write a random string (it will not be used) and click on "OK".
/users_guides/img/priv_admins/gnome_settings_network_imported.png
Figure 20: GNOME VPN toggle
  • You will receive an email with the 'VPN Authentication Request' subject and the authentication link as the message. Click on the provided link and log in with your INFN AAI credentials if requested.
/users_guides/img/priv_admins/vpn_email.png
Figure 21: Authorization link received via e-mail
  • Your browser will be redirected to an authorization page, similar to the one shown in the figure below. Click on "Authorize" to complete the authentication process.
/users_guides/img/priv_admins/vpn_auth_req.png
Figure 22: IAM authorization page
  • You should now be connected to the VPN and in the Settings app you should see something similar to the figure below. In this window you can also disconnect by simply turning the toggle off.
/users_guides/img/priv_admins/gnome_settings_network_connected.png
Figure 23: GNOME VPN toggle on

OpenVPN command-line client

  • For most Linux distributions the OpenVPN client should already be installed; otherwise you can install it from the official repositories of your distribution.
  • Open a terminal and run the following command:
$ sudo openvpn --config <path_to_ovpn_file>
  • The client will then ask you to:

    • Enter Auth Username: enter a valid email address; it will be used to send you the authentication link.
    • Enter Auth Password: leave it empty and press enter.
  • You will receive an email with the 'VPN Authentication Request' subject and the authentication link as the message. Click on the provided link and log in with your INFN AAI credentials if requested.

/users_guides/img/priv_admins/vpn_email.png
Figure 24: Authorization link received via e-mail
  • Your browser will be redirected to an authorization page, similar to the one shown in the figure below. Click on "Authorize" to complete the authentication process.
/users_guides/img/priv_admins/vpn_auth_req.png
Figure 25: IAM authorization page
  • You should now be connected to the VPN and the terminal output should look like the one shown below.
/users_guides/img/priv_admins/openvpn_cli_connected.png
Figure 26: A terminal running the OpenVPN cli
  • To disconnect from the VPN, press CTRL+C in the terminal to kill the process.

Important

If you receive a connection timeout from the VPN please be sure to promptly click on the link in the email you received and authorize the VPN connection. If you don't receive the email please check your spam folder.
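
Because `sudo openvpn --config` runs the downloaded profile with root privileges, it is worth inspecting the file before the first connection. The script below is an added example, not part of the INFN Cloud documentation or tooling: it lists the servers a profile connects to and flags directives that make OpenVPN run external programs. The function names, the `vpn.example.org` host and both sample profiles are constructed for illustration.

```shell
#!/bin/sh
# Added example, not INFN Cloud code: audit an .ovpn profile before `sudo openvpn`.

# OpenVPN directives that execute external programs or load plugins.
HOOKS='up|down|route-up|route-pre-down|ipchange|tls-verify|plugin|script-security'

# audit_ovpn FILE: print a summary. Returns 0 if no such directive is
# present, 1 if at least one is, 2 if the file cannot be read.
audit_ovpn() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    # Keep directives only: drop comments and inline <ca>/<cert>/<key> bodies.
    _dirs=$(awk '
        { sub(/\r$/, "") }                      # tolerate CRLF files
        /^[ \t]*<\/?connection>/ { next }       # keep <connection> contents
        /^[ \t]*<\/[a-z-]+>/     { skip = 0; next }
        /^[ \t]*<[a-z-]+>/       { skip = 1; next }
        skip                     { next }
        /^[ \t]*([#;]|$)/        { next }       # comments and blank lines
        { sub(/^[ \t]+/, ""); print }' "$1")
    echo "Servers:"
    printf '%s\n' "$_dirs" | awk '$1 == "remote" { print "  " $2, $3, $4 }'
    printf '%s\n' "$_dirs" | grep -Eq '^auth-user-pass([[:space:]]|$)' &&
        echo "Prompts for username/password (auth-user-pass)"
    _risky=$(printf '%s\n' "$_dirs" | grep -E "^($HOOKS)([[:space:]]|$)" || true)
    [ -z "$_risky" ] && return 0
    echo "Directives that run external code:"
    printf '%s\n' "$_risky" | sed 's/^/  /'
    return 1
}

# write_samples DIR: create two CONSTRUCTED profiles (not real INFN files).
write_samples() {
    cat > "$1/clean.ovpn" <<'EOF'
client
remote vpn.example.org 1194 udp
auth-user-pass
<ca>
(constructed placeholder, not a real certificate)
</ca>
EOF
    cat > "$1/hooked.ovpn" <<'EOF'
remote vpn.example.org 1194 udp
script-security 2
up /tmp/constructed-hook.sh
EOF
}

# Demo on the constructed profiles.
tmp=$(mktemp -d); write_samples "$tmp"
audit_ovpn "$tmp/clean.ovpn"; audit_ovpn "$tmp/hooked.ovpn" || echo "=> review before running as root"
```

Run `audit_ovpn <path_to_ovpn_file>` on the file downloaded from the deployment details page; a non-zero return means the profile should be reviewed by hand before it is passed to `sudo openvpn --config`.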

Connect to the VM

Once you are connected to the VPN you can connect to the VM using the private IP address you found in the deployment details page (Fig. 6, box 2). You can now follow the specific guide for the service you deployed, using the private IP address in place of the public one.