GroupVPN

From Grid-Appliance Wiki

Jump to: navigation, search

Contents

Introduction

GroupVPN allows users to create a group secured VPN using IPOP (IP Over P2P). Configuration files required for group formation can be generated using our shared web user interface or WebUI. The features available on the web user interface are explained below. If you desire to host your own user/group database, you may use this VMware appliance which contains the required Web UI and the Joomla backend. Video tutorials on GroupVPN are available in our youtube channel.

GroupVPN Web User Interface

The web interface allows you to create individual accounts, create new groups, request to join an existing group, and manage what users are allowed to join groups you have created. To access the GroupVPN Web UI, you should be a registered user of www.grid-appliance.org. Click here to register for a new account. To access the GroupVPN user interface, sign-in and click on GroupVPN under User Menu.

Creating a new Group

  1. Sign-in and navigate to GroupVPN UI
  2. Under the User Menu, select GroupVPN
  3. Select 'Create New Group'
  4. Input values for all input. Besides the name and description for the group, the most important values to configure are:
    1. Which P2P pool to use: From the "Use a Managed P2PPool:" pull-down, select the P2PPool: real_ufl_test0
    2. IP namespace: Select a unique name for your IPOP pool - you can use a long string, e.g. a concatenation of a meaningful human-readable string and a random string
    3. Base IP address and network mask: define the region of virtual IP addresses allowed
    4. End-to-end security: check this to enable GroupVPN's security stack. If you plan to run IPsec on top of IPOP, you should not enable security.
  5. This will create the group with you as the Administrator of the group.
  6. The administrator and all authorized members of the group can all then download configuration files for IPOP nodes through the Web interface

Joining a Group

  1. Sign-in and navigate to GroupVPN UI
  2. Select a Group to join
  3. Wait for an e-mail from the system notifying you of your acceptance or denial
  4. Upon acceptance, return to the web site and enter the Group's page. You will now have Member privileges in this group.

User Privileges

WebUI registered users

  • View group members of a group
  • Create group - They will then become the administrator of the group and obtain the associated roles
  • Join group - Requests membership into a group

Administrator (admin)

  • Accept - Allows a user to join a group
  • Deny - Ignores a users request to join a group
  • Auto - (Default) Allows the WebUI to automatically sign certificates (enabled per user or the whole group)
  • Sign - (Unimplemented) signs a users certificate
  • Revoke - Removes a user from a group and adds them to the revocation list
  • Promote - Allows a user to become an administrator for the group
  • Demote - Pemoves a user from the administrators group
  • Delete - Permanently erases the group

Member

  • Obtain credentials (Download Config files) - Provides configuration files that allow the user to automatically request and obtain a signed certificate
  • Leave group - Removes the user from the group

Installation

Debian / Ubuntu

Follow the instructions in the Debian hands-on tutorial.

Other versions of Linux

  1. Download the IPOP files link, execute one of the installer scripts, prepare your system to have a proper directory structure, or prepare for ambiguity.
  2. As root, execute groupvpn_prepare.sh on the groupvpn config
    groupvpn_prepare.sh config.zip
  3. As root, start groupvpn
    /etc/init.d/groupvpn.sh
    or
    /etc/rc.d/groupvpn.sh

Windows

  1. Download the IPOP files link
  2. Extract the zip file
  3. If this your first time installing, you'll need an IpopTap
    1. Move into ipop\drivers\windows_tap
    2. Double-click install_tap.vbs, which will ask for Admin permissions if necessary
  4. Install ipop
    1. Move into the ipop folder
    2. Double-click install_windows(.bat)
    3. GroupVPN service will be available as a service
  5. Add a GroupVPN config
    1. Move into the ipop\bin folder
    2. Download and place the groupvpn config file into this directory
    3. Execute groupvpn_prepare(.vbs), which will prepare the groupvpn configuration files
  6. One time start -- start button -> run -> net start GroupVPN
  7. Through services:
    1. Click the start button, select run, type services.msc, navigate to GroupVPN, double click, click start
    2. (Optionally) if you'd like GroupVPN to autostart, click the select bar that says manual and move it to auto and click okay
  8. After starting, wait for an non APIPA (169.x.y.z) address to appear on the tap device
  9. Our goal is to have a cleaner installation in the long term, if this is something that interests you, consider looking into NSIS, a popular and light weight mechanism for installing applications onto Windows.

Security Model

The security architecture is based on the Archer security framework. As such each user obtains a CA signed certificate, that is maintained at the web interface.

Certificates are requested and signed by:

  • When a user obtains their credentials and links GroupVPN to them,
  • The GroupVPN sends a request with the credentials via HTTPS to the WebInterface
  • The WebInterface verifies the credentials and...
  • Case 1) automatically signs a new certificate for the user
  • (Unimplemented) Case 2) waits for review from an administrator

Revocation is done via three mechanisms

  • A message is sent to all members of the pool via the overlay (instanteous) -- (Unimplemented)
  • The revocation is stored on the DHT (checked hourly) -- (Unimplemented)
  • The revocation is stored on the website (checked daily)
Personal tools