

Background and Introduction

A core use case for many scientists is being able to access their systems and data when they are off-site. With today's ever-present security threats, providing remote access in a way that is secure, simple, inexpensive and easy to administer is a key element of scientific systems design. A common approach is a commercial VPN appliance authenticating to an existing directory service (most frequently Microsoft's Active Directory), but licensing for these products can be expensive and may not meet customization requirements, and updates and upgrades can be contingent on costly capital expenditure in the form of new firewall hardware.

"Stand up a free remote access VPN authenticating to AD (or another LDAP server) with OTP two-factor authentication" seems to me like a fairly common use case; it's deployed in a paid iteration at plenty of businesses, government agencies and other organizations. Here at the BioTeam Convergence Lab, we needed a remote access solution for as little cost as possible that still leveraged reliable, secure technologies and would be fairly easy to administer. Yet, after having Googled around for a while looking for a comprehensive guide to how to do this, I came up only with pieces of a solution, not the whole enchilada. So, here it is, fresh out of the oven.

The general workflow is as follows. You have an existing user directory service, such as FreeIPA or Active Directory, and a network infrastructure in which you can either expose firewalled machines directly to the Internet or forward ports through a router performing NAT or PAT to a machine inside your network. You want to stand up a remote access VPN that lets users on the Internet connect to this infrastructure, authenticated with a combination of their directory credentials and a TOTP app such as Google Authenticator (or FreeOTP, or any of the other mobile apps that implement the OATH TOTP standard, RFC 6238).
To accomplish this, you'll set up a single server on your network that both serves OpenVPN connection requests and performs authentication, checking the user's password against the directory (e.g. Active Directory) and the one-time code against the Google Authenticator PAM module. This one machine combines SSSD (which binds a Linux machine to a directory service), PAM (which manages authentication and logins), the Google Authenticator PAM module and OpenVPN, and the best part of this arrangement is that no RADIUS server is necessary: OpenVPN's PAM plugin hands the username and password straight to the PAM stack, and PAM does the rest. The setup is fairly modular. You could leave out SSSD and authenticate the VPN against the local password database (pam_unix) of the OpenVPN host rather than an Active Directory or FreeIPA server. You could leave out Google Authenticator, especially if you're only going to have one user, and depend on password authentication plus the client certificate to secure logins. Bear in mind, though, that the certificate only counts as a per-user "something you have" if each user holds their own; where everyone shares one client profile, the TOTP code is what makes the login two-factor.
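As an added example (not taken from the original post or from the OpenVPN or google-authenticator projects), here is the skeleton of the glue just described: the server-side OpenVPN directives that hand authentication to PAM, and a PAM service file that verifies the TOTP code first and forwards the remaining password to SSSD. The plugin path and the secret directory are assumptions; the plugin lives under /usr/lib/openvpn/plugins on Debian-derived systems and /usr/lib64/openvpn/plugins on RHEL-derived ones.

```conf
# /etc/openvpn/server/server.conf (excerpt; added example, paths are assumptions)

# Hand the username/password from the client's auth-user-pass prompt to the
# PAM service named "openvpn", i.e. /etc/pam.d/openvpn below.
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

# Keep requiring a valid client certificate in addition to PAM. Drop this line
# only if you deliberately want password+OTP alone to admit a client.
verify-client-cert require

# Name the session after the PAM username rather than the certificate CN, so
# per-user ccd/ entries and logs reflect the directory account even when a
# single client profile is shared.
username-as-common-name

# TLS renegotiation (default every 3600 s) re-authenticates the user, and a
# cached OTP is stale by then. OpenVPN 2.4+ can instead issue a server-side
# token that the client presents on renegotiation (validated by OpenVPN itself,
# without calling PAM again). On older servers, use "reneg-sec 0".
auth-gen-token 43200

# Client side: add "auth-user-pass" to the .ovpn profile so the client prompts
# for the username and the password+code string.


# /etc/pam.d/openvpn (added example)

# The client sends ONE password field. With forward_pass, the Google
# Authenticator module verifies the trailing 6-digit TOTP code (or an 8-digit
# scratch code), strips it, and passes the remaining characters down the stack
# as the password. Users therefore type "<directory password><TOTP code>".
# Secrets are read as root from /var/lib/google-authenticator/<user> so that
# directory users with no local home directory still work (directory is an
# assumption: create it mode 0700 with one file per user, written by the
# google-authenticator CLI).
auth     required  pam_google_authenticator.so forward_pass user=root secret=/var/lib/google-authenticator/${USER}

# Check the forwarded password against the directory via SSSD without prompting again.
auth     required  pam_sss.so use_first_pass

# Enforce directory account validity (expired or disabled accounts, access control).
account  required  pam_sss.so
```

Both modules are "required" rather than "requisite", so a wrong code does not short-circuit the stack and leak which factor failed. To authenticate against the host's local accounts instead of a directory, swap the two pam_sss.so lines for pam_unix.so with the same options.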

Some Notes on Use Cases

The caveat here, of course, is that this won't scale terribly well. You might get reasonably good performance out of a sufficiently well-equipped machine up to about 50 simultaneous users, but things will begin to degrade after that. This is okay! This is not a commercial VPN solution and shouldn't be treated like one. It is, however, a great option for small networks, including out-of-control homelabs like mine. The envisioned environment for a setup like this is "users who are technical enough to SSH into a machine and run a script, and admins who would rather let their users do this than go through the pain of generating and managing individual client configurations and keys for every user." If that looks like your lab, office or other small network, then these instructions are for you. So, let's break down how to set this up. Note: I've linked all the source documents I've glued together to make this at the bottom of this article; I highly recommend checking those out as well for additional details!
