1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
|
@title = 'Examples'
@summary = 'Example provider setups using the LEAP platform.'
A minimal three node OpenVPN provider
=======================================
Our goal
------------------
We are going to create a minimal LEAP provider offering OpenVPN service. This basic setup can be expanded by adding more OpenVPN nodes to increase capacity, or more webapp and couchdb nodes to increase availability (performance wise, a single couchdb and a single webapp are more than enough for most usage, since they are only lightly used, but you might want redundancy).
Our goal is something like this:
leap list
NODES SERVICES TAGS
clam couchdb
elephant webapp
snail openvpn
NOTE: You won't be able to run those `leap list` commands yet, not until we actually create the node configurations.
Create configuration files
--------------------------------
Create the provider directory:
leap new bitmask --domain bitmask.net --name bitmask --contacts root@bitmask.net
Add you ssh key:
leap add-user --self
Add some nodes:
leap node add clam ip_address:176.53.69.22 services:couchdb
leap node add elephant ip_address:176.53.69.13 services:webapp
leap node add snail ip_address:176.53.69.14 \
openvpn.gateway_address:176.53.69.15 services:openvpn
NOTE: openvpn gateways must be assigned two IP addresses, one for the host itself and one for the openvpn gateway. We do this to prevent incoming and outgoing VPN traffic on the same IP. Without this, the client might send some traffic to other VPN users in the clear, bypassing the VPN.
Now that you have the nodes configured, you should create the DNS entries for these nodes.
Set up your DNS with these hostnames:
leap list --print ip_address,domain.full,dns.aliases
clam 176.53.69.22, clam.bitmask.net, null
elephant 176.53.69.13, elephant.bitmask.net, api.bitmask.net
snail 176.53.69.14, snail.bitmask.net, null
Alternately, you can adapt this zone file snippet:
leap compile zone
Create certificates
------------------------------------
Create two certificate authorities, one for server certs and one for client certs:
leap cert ca
Create a temporary cert for your main domain (you should replace with a real commercial cert at some point)
leap cert csr
Create the Diffie-Hellman parameters file, needed for forward secret OpenVPN ciphers:
leap cert dh
Create server certificates for all the nodes you have added:
leap cert update
NOTE: the file `files/ca/ca.key` is extremely sensitive and must be carefully protected. The other key files are much less sensitive and can simply be regenerated if needed.
Deploy to nodes
------------------------
Initialize all nodes (only needs to be done once for each node):
leap node init
Deploy to all nodes:
leap deploy
Those two commands create pretty busy output, so it may be more clear to initial and deploy each node one by one:
leap node init clam
leap deploy clam
leap node init elephant
leap deploy elephant
leap node init snail
leap deploy snail
Testing
--------------------------
Automated testing is in the works, but for now you manually test to see if the OpenVPN gateways and the webapp are working like so.
OpenVPN:
leap test init
sudo openvpn test/openvpn/unlimited.ovpn
Webapp:
* run `leap list --print ip_address webapp` to remind yourself the ip address(es) of the webapp.
* edit your local `/etc/hosts` to add entries like `176.53.69.13 example.org`, for whatever domain is appropriate in your case.
* open your browser to `https://example.org`
|