
Background and Introduction

A core use case for many scientists is being able to access their systems and data when they are off-site. With today's ever-present security threats, providing this remote access in a way that is secure, simple, inexpensive and easy to administer is a key element of scientific systems design. A common way to do this is via a commercial VPN solution authenticating to an existing directory service (most frequently Microsoft's Active Directory), but the licensing costs for these solutions can be high, and they may not meet customization requirements. Additionally, updates and upgrades can be contingent on costly capital expenditure in the form of new firewall hardware.

"Stand up a free remote access VPN authenticating to AD (or another LDAP server) with OTP two-factor authentication" seems to me like a fairly common use case; it's deployed in a paid iteration at plenty of businesses, government agencies and in other organizational infrastructure. Here at the BioTeam Convergence Lab, we needed a remote access solution for as little cost as possible that still leveraged reliable, secure technologies and would be fairly easy to administer. Yet, after having Googled around for a while looking for a comprehensive guide to how to do this, I came up only with pieces of a solution, but not the whole enchilada. So, here it is, fresh out of the oven.

The general workflow is as follows: you have an existing user directory service, such as FreeIPA or Active Directory, and a network infrastructure such that you can either expose firewalled machines directly to the Internet or forward ports through a router performing NAT or PAT to a machine inside your network. You want to stand up a remote access VPN that allows users on the Internet to connect remotely to this infrastructure and be authenticated with a combination of your user directory and a TOTP app like Google Authenticator (or FreeOTP, or any number of other mobile apps that implement the OATH spec).

To accomplish this, you'll set up a server on your network that will both serve OpenVPN connection requests and perform authentication, both against a directory service such as Active Directory and, in this case, against the Google Authenticator PAM module. This one machine combines SSSD (software that binds a Linux machine to a directory service), PAM (the framework that manages authentication, logins, etc.), Google Authenticator, and OpenVPN to accomplish everything, and the best part of this arrangement is that no RADIUS server is necessary! The setup is fairly modular. You could leave out SSSD and authenticate your VPN against a given computer's local PAM database rather than an Active Directory or FreeIPA server. You could leave out Google Authenticator, especially if you're only going to have one user, and depend on password authentication plus your client certificate to secure logins.
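The wiring between the pieces just described is mostly two short files: the OpenVPN server hands every username/password to PAM through its auth-pam plugin, and the PAM service stack for that plugin chains the Google Authenticator module in front of the SSSD module. The excerpt below is an added illustration of that chain, not configuration from this post or from the OpenVPN, SSSD or Google Authenticator projects. The plugin path, the `gauth` account and the `/etc/openvpn/google-authenticator/` secret directory are assumptions; plugin locations in particular differ between distributions and packages.

```conf
# --- /etc/openvpn/server.conf (excerpt) ---------------------------------
# Hand the username/password from each connecting client to the PAM service
# named "openvpn" (the second argument). Plugin path is an assumption.
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
# Keep the client certificate as a factor alongside password + TOTP.
verify-client-cert require
# TOTP codes expire within seconds; OpenVPN's periodic TLS renegotiation
# would re-prompt with a stale code, so disable it (set on both ends,
# since the lower of the two values wins).
reneg-sec 0

# --- /etc/pam.d/openvpn --------------------------------------------------
# Order matters. pam_google_authenticator runs first with forward_pass: the
# user types <directory password><6-digit code> in the password field, the
# module checks and strips the code, and forwards the remaining password to
# the next module, which pam_sss consumes via use_first_pass.
# user= and secret= are assumptions: OpenVPN drops privileges after start,
# so per-user secrets live under a dedicated account instead of in each
# user's home directory, and the module reads them as that account.
auth     required  pam_google_authenticator.so  forward_pass  user=gauth  secret=/etc/openvpn/google-authenticator/${USER}
auth     required  pam_sss.so                   use_first_pass
account  required  pam_sss.so
```

If either module returns a failure the stack fails as a whole, so a correct directory password with a wrong or missing code is rejected exactly like a wrong password. Swapping `pam_sss.so` for `pam_unix.so` gives the local-PAM-only variant mentioned above; dropping the `pam_google_authenticator.so` line gives the password-plus-certificate variant.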

Some Notes on Use Cases

The caveat here, of course, is that this won't scale terribly well. You might be able to extract some reasonably good performance out of a sufficiently well-equipped machine up to about 50 simultaneous users, but things will begin to degrade after that. This is okay! This is not a commercial VPN solution and shouldn't be treated like one. It is, however, a great option for small networks, including out-of-control homelabs like mine. The envisioned environment for a setup like this is "users who are technical enough to SSH into a machine and run a script, and admins who would rather let their users do this than go through the pain of generating and managing individual client configurations and keys for every user." If that looks like your lab, office, or other small network, then these instructions are for you. So, let's break down how to set this up.

Note: I've linked all the source documents I've glued together to make this at the bottom of this article; I highly recommend checking those out as well for additional details!
