~fkooman/vpn-documentation

ref: HEAD vpn-documentation/GUEST_USAGE.md -rw-r--r-- 3.4 KiB
89d06477François Kooman update TODO 5 days ago

#title: Guest Usage description: Setup and Enable Guest Usage (VPN Federation) category: advanced

NOTE: "Guest Usage" is only relevant is you are part of the eduVPN community, i.e. an NREN.

The VPN server software implements "Guest Usage". This means that users of one VPN server deployment, e.g operated by organization A, can use another deployment, say operated by organization B, and vice versa.

The trust created between the VPN servers is based on signatures over OAuth 2.0 access tokens. Each server can configure public keys of other VPN servers it trusts, thus allowing users of those lists servers to access its VPN service as well.

This "Guest Usage" scenario is OPTIONAL and DISABLED by default.

#Configuration

In the file /etc/vpn-user-portal/config.php you need to enable remoteAccess:

// ...

'Api' => [
    'remoteAccess' => true,
],

// ...

#Registration

If you want to register your server for eduVPN, please contact eduvpn-support@lists.geant.org and provide the following information:

The following information needs to be provided in order to be added:

  • A generic contact email address to be contacted for general inquiries, to be listed on the Participants page;
  • An abuse contact email address to be contacted in case of abuse (preferably a role-based mail address);
  • A technical contact email address to be contacted in case of technical problems (preferably a role-based mail address);
  • End-user support contact(s), at least one of: mail, URL, phone number. NOTE these will become public;
  • A web site we can refer end-users to for this particular Secure Internet server (Optional);
  • The SAML metadata URL that contains all the organizations that have access to your server which will be used to populate the eduVPN applications;
  • The full hostname (FQDN) of your VPN server;
  • Make sure TLS is configured properly! Use e.g. SSL Server Test;
  • The name of the country / region your VPN server is located in (English);
  • Full information on any filtering/blocking of traffic by your VPN server or upstream network(s), either because of legal reasons or local policy;
  • The public key of your server (sudo vpn-user-portal-show-oauth-key);
  • A signed copy of the policy document by a person authorized to do so at your organization;
  • Send your request to eduvpn-support@lists.geant.org, use "Add [${FQDN}] to Secure Internet eduVPN" as title.

#Template

Use the following example template in your mail to eduvpn-support@lists.geant.org, please update all values for your situation:

Subject: Add [vpn.example.org] to Secure Internet eduVPN

Body:

Generic Contact: admin@example.org
Abuse Contact: abuse@example.org
Technical Contact: eduvpn@example.org
End-user Support Contact: 
  - support@example.org
  - +1234567890
  - https://support.example.org/
Information Website: https://www.example.org/services/eduvpn
SAML Metadata: https://federation.example.org/metadata.xml
FQDN: vpn.example.org
Country / Region: The Netherlands
Restrictions: 
  - in/outbound tcp/25 blocked
Public Key: O53DTgB956magGaWpVCKtdKIMYqywS3FMAC5fHXdFNg

Do NOT forget to attach the signed copy of the policy document!