
Flamenco and OpenVPN

Goal: To have client workstations connect and access Flamenco Shared Storage (e.g. NFS) and the Flamenco Manager via the Add-on and Console.

This guide focuses on installing the open-source OpenVPN Server Community Edition and creating secure OpenVPN client configurations. None of it is specific to Flamenco; it is a useful way of connecting remote workstations for any purpose.

The network operates at Layer 3 (IP routing) of the OSI stack and above: with dev tun only routed IP traffic crosses the VPN, so broadcast and other Layer 2 services (link-local discovery such as mDNS, for example) will not work across it. Applications that use ordinary TCP or UDP connections (HTTP, WebSockets, NFS and so on) communicate over a Layer 3 network without trouble.

Note: There is also the commercial OpenVPN Access Server, which greatly simplifies setup and configuration. It is not covered here.

If you have remote workstations (such as Flamenco Workers or Blender Workstations), use OpenVPN to connect them securely into the Home or Cluster network.

OpenVPN Server

This is hosted on the Home or Cluster Gateway. It is assumed that the OpenVPN port is forwarded from the Internet to the Cluster Gateway, or to wherever the server is running (e.g. the router). Because the configuration below uses proto tcp, the forwarded port must be a TCP port.

This example is a full-tunnel VPN connection, which means all traffic and all DNS lookups made by the workstations are routed through the VPN. A split-tunnel configuration is also possible but is not covered here.

port YOUR-PORT
proto tcp            # the client must use the same protocol; TCP is firewall-friendly but slower than UDP
dev tun              # Layer 3 tunnel: IP only, no broadcast or Layer 2 traffic
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0   # server takes 10.8.0.1, clients are assigned from the rest of the pool
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"   # full tunnel: the client's default route goes via the VPN
push "dhcp-option DOMAIN cluster.home"     # search domain of the Home/Cluster network
push "dhcp-option DNS 192.168.1.125"       # resolver on the Home/Cluster network
client-to-client     # VPN clients may reach each other directly; remove if remote machines should only reach the cluster
keepalive 10 120
tls-auth ta.key 0    # HMAC-authenticates control-channel packets; the client side uses key-direction 1
cipher AES-256-CBC   # fallback only; OpenVPN 2.4+ negotiates the data-channel cipher, see the note below
auth SHA256
user nobody          # drop root privileges once the tunnel is up
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 0   # only meaningful with proto udp; 0 disables it

Two of these settings deserve a note. cipher AES-256-CBC is only a fallback for old clients: OpenVPN 2.4 and later negotiate the data-channel cipher, and the client log in the Troubleshooting section shows AES-256-GCM being chosen over this setting. On 2.5 and later, pin the accepted list with the data-ciphers directive rather than relying on the default. tls-auth ta.key 0 means a host without ta.key cannot even start a TLS handshake with the server; tls-crypt (2.4+) takes the same key file, additionally encrypts the control channel, and needs no direction argument on either side.

VPN Subnet

The server directive puts the OpenVPN host on 10.8.0.1 and hands clients addresses from 10.8.0.0/24. Traffic from those clients arrives on the host's tun interface; for it to go anywhere else the host must forward it onto the Home/Cluster network, and the replies must find their way back to 10.8.0.0/24 (either through a return route on the LAN gateway or hosts that points at the OpenVPN host, or through NAT on the host).

Example routing table (route -n) on the OpenVPN Server machine. The 10.8.0.2 gateway on tun1 is the far end of the server's own point-to-point pair, which is what the topology net30 entry in the client's PUSH_REPLY (Troubleshooting section) refers to.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 enp0s3
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun1
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun1
192.168.1.0     0.0.0.0         255.255.255.0   U     202    0        0 enp0s3
192.168.1.1     0.0.0.0         255.255.255.255 UH    100    0        0 enp0s3

Forwarding must be enabled on the OpenVPN host (net.ipv4.ip_forward=1) and the firewall must allow traffic between enp0s3 and tun1; otherwise clients on the VPN subnet can reach the server itself but nothing behind it.

Routing between Cluster and VPN Subnets

When the OpenVPN host sits on the cluster subnet (192.168.1.0/24 here) nothing more needs to be pushed: the server directive already pushes route 10.8.0.0 255.255.255.0 (visible in the client log in Troubleshooting) and the full-tunnel redirect-gateway covers everything else. Additional routes can be pushed if the cluster spans several subnets. Either way the Home/Cluster network must know how to reach 10.8.0.0/24: add a route for it on the router (or on each LAN host) pointing at the OpenVPN host's LAN address, or have the host masquerade VPN traffic behind that address.
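The host-side plumbing described above, as an added example that is not part of the Flamenco documentation or the OpenVPN project. It assumes a Linux OpenVPN host with iptables and the conntrack match, and takes the interface names (enp0s3, tun1) from the routing table shown earlier; the LAN_IF/TUN_IF/VPN_NET variables and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Flamenco docs: forwarding and NAT on the OpenVPN
# host so 10.8.0.0/24 clients can reach the 192.168.1.0/24 LAN (and, for the
# full tunnel, the Internet via the LAN gateway). Interface names come from the
# routing table above; iptables with conntrack is an assumption.
LAN_IF="${LAN_IF:-enp0s3}"
TUN_IF="${TUN_IF:-tun1}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"

# Print the rules rather than applying them, so they can be reviewed first.
vpn_forward_rules() {
    cat <<EOF
# 1. The kernel must forward between interfaces (persist this in /etc/sysctl.d/).
sysctl -w net.ipv4.ip_forward=1
# 2. Only traffic sourced from the VPN pool may leave the tunnel for the LAN;
#    a client that spoofs another source address hits the DROP in step 4.
iptables -A FORWARD -i $TUN_IF -o $LAN_IF -s $VPN_NET -j ACCEPT
# 3. LAN -> client only for flows the client opened. LAN hosts cannot start
#    connections to VPN clients; relax this if a remote Worker must be reachable.
iptables -A FORWARD -i $LAN_IF -o $TUN_IF -d $VPN_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 4. Anything else between the two interfaces is dropped.
iptables -A FORWARD -i $TUN_IF -o $LAN_IF -j DROP
iptables -A FORWARD -i $LAN_IF -o $TUN_IF -j DROP
# 5. Masquerade behind the server's LAN address so neither the router nor any
#    LAN host needs a return route for $VPN_NET.
iptables -t nat -A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE
EOF
}

# Alternative to step 5: a return route on the LAN gateway or on each LAN host.
# Prints the Linux command; the OpenVPN host's LAN IP is passed as the argument.
vpn_return_route() {
    printf 'ip route add %s via %s\n' "$VPN_NET" "${1:?usage: vpn_return_route SERVER_LAN_IP}"
}

# "./vpn-forward.sh" prints the rules; "./vpn-forward.sh apply" runs them as root.
case "${1:-print}" in
    apply) vpn_forward_rules | sh -e ;;
    *)     vpn_forward_rules ;;
esac
```

With MASQUERADE every VPN client appears to the Flamenco Manager and to shared storage as the OpenVPN host's LAN address. If per-client addresses matter (Worker logs, NFS exports restricted by client IP, or reaching a Worker from the LAN), skip step 5 and install the return route from vpn_return_route on the router instead, keeping the FORWARD rules as they are.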

DNS Push

DNS is provided by a DNS server on the Home/Cluster network (192.168.1.125) using push "dhcp-option DNS 192.168.1.125".

In addition, a search domain can be pushed with push "dhcp-option DOMAIN cluster.home". This is useful if you want your remotely connected workstations and users to reach the Flamenco Manager by a well-known name like flamenco.cluster.home. Note that a pushed DNS server is only a suggestion to the client: a client that ignores it keeps using its local resolver, cluster.home names will not resolve, and in a full tunnel those lookups leak outside the VPN. The Linux tweak later on this page exists for exactly that reason.

OpenVPN Client

Example Client Config

Example base config. The data-channel cipher is set to AES-256-CBC to match the server, and remote-cert-tls server makes the client accept only a server certificate carrying the TLS Web Server Authentication extended key usage (the connection log in Troubleshooting shows this check being applied), so a stolen client certificate cannot be used to impersonate the server.

client
dev tun
proto tcp                   # must match the server
remote YOUR-SERVER YOUR-PORT
resolv-retry infinite
nobind
user nobody                 # drop privileges once the tunnel is up
group nogroup
persist-key
persist-tun
remote-cert-tls server      # reject a server cert that lacks the TLS Web Server Authentication EKU
cipher AES-256-CBC          # fallback only; a 2.4+ client negotiates AES-256-GCM with this server
auth SHA256
verb 3
key-direction 1             # client side of the server's "tls-auth ta.key 0"

The CA certificate, client certificate, client key and ta.key can either be shipped as separate files (ca, cert, key and tls-auth ta.key 1 directives) or embedded in the client configuration as <ca>, <cert>, <key> and <tls-auth> inline blocks, depending on how you wish to deploy OpenVPN. With the inline form the key-direction 1 line above is what tells OpenVPN which half of ta.key the client uses. Whichever form you pick, the file containing the client key is a credential: generate it with restrictive permissions and deliver it to the workstation over a channel you trust.
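Assembling a single-file client configuration from the base config above and the PKI files, as an added example that is not part of the Flamenco documentation or the OpenVPN project. The Easy-RSA style file names and the pki/ layout are assumptions; the build_ovpn function is this example's own.

```shell
#!/bin/sh
# Added example, not from the Flamenco docs: bundle the base client config with
# the CA cert, client cert, client key and ta.key into one .ovpn using inline
# <ca>/<cert>/<key>/<tls-auth> blocks. File names and paths are assumptions.
umask 077   # the bundle holds the client's private key: create it owner-only

# build_ovpn BASE_CONF CA_CRT CLIENT_CRT CLIENT_KEY TA_KEY  -> bundle on stdout
build_ovpn() {
    base="$1"; ca="$2"; cert="$3"; key="$4"; ta="$5"
    for f in "$base" "$ca" "$cert" "$key" "$ta"; do
        [ -r "$f" ] || { echo "build_ovpn: cannot read $f" >&2; return 1; }
    done
    # Refuse to embed secret material that other users on this machine can
    # already read: a world-readable client.key should be re-issued, not shipped.
    for f in "$key" "$ta"; do
        if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
            echo "build_ovpn: $f is world-readable, refusing" >&2; return 1
        fi
    done
    # Keep every directive except file-based ca/cert/key/tls-auth, which the
    # inline blocks replace. key-direction 1 survives: it applies to <tls-auth>.
    grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$base"
    for pair in "ca=$ca" "cert=$cert" "key=$key" "tls-auth=$ta"; do
        tag="${pair%%=*}"; file="${pair#*=}"
        printf '<%s>\n' "$tag"
        awk '{ print }' "$file"   # awk guarantees a trailing newline before the closing tag
        printf '</%s>\n' "$tag"
    done
}

# Example usage (paths are assumptions; the redirect inherits the 077 umask):
# build_ovpn client-base.conf pki/ca.crt pki/issued/ws01.crt pki/private/ws01.key ta.key > ws01.ovpn
```

Because the output inherits the umask, ws01.ovpn is created mode 600. Copy it to the workstation as a whole; if a different client later needs access, issue it its own certificate rather than reusing this bundle, so a single lost laptop can be revoked on the CA without touching the others.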

Tweaks

iOS

TBD

FAQ regarding OpenVPN Connect iOS

MacOS

None required, just use the base config.

Windows

TBD

Linux (Ubuntu)

Install the openvpn-systemd-resolved helper on the client (the steps below follow beamtic.com):

sudo apt install openvpn-systemd-resolved

Add the following lines to the OpenVPN client base config so that the DNS server and search domain pushed by the OpenVPN server are applied to systemd-resolved. script-security 2 allows OpenVPN to execute the scripts named in the config, so point up and down only at the packaged hook.

script-security 2                        # allow the up/down scripts below to run
up /etc/openvpn/update-systemd-resolved
up-restart                               # run the up script again after a reconnect
down /etc/openvpn/update-systemd-resolved
down-pre                                 # run the down script before the tun device is closed
dhcp-option DOMAIN-ROUTE .               # send all DNS queries to the pushed resolver, not only cluster.home ones

Troubleshooting

Example Linux Client Connection Log

Full-Tunnel connection.

2023-05-27 08:40:45 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022
2023-05-27 08:40:45 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2023-05-27 08:40:45 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-05-27 08:40:45 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-05-27 08:40:45 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-05-27 08:40:45 TCP/UDP: Preserving recently used remote address: [AF_INET]123.456.789.100:80
2023-05-27 08:40:45 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-05-27 08:40:45 Attempting to establish TCP connection with [AF_INET]123.456.789.100:80 [nonblock]
2023-05-27 08:40:45 TCP connection established with [AF_INET]123.456.789.100:80
2023-05-27 08:40:45 TCP_CLIENT link local: (not bound)
2023-05-27 08:40:45 TCP_CLIENT link remote: [AF_INET]123.456.789.100:80
2023-05-27 08:40:45 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2023-05-27 08:40:45 TLS: Initial packet from [AF_INET]123.456.789.100:80, sid=3c7c00bc 07fde623
2023-05-27 08:40:46 VERIFY OK: depth=1, CN=Easy-RSA CA
2023-05-27 08:40:46 VERIFY KU OK
2023-05-27 08:40:46 Validating certificate extended key usage
2023-05-27 08:40:46 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-05-27 08:40:46 VERIFY EKU OK
2023-05-27 08:40:46 VERIFY OK: depth=0, CN=server
2023-05-27 08:40:46 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-05-27 08:40:46 [server] Peer Connection Initiated with [AF_INET]123.456.789.100:80
2023-05-27 08:40:47 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2023-05-27 08:40:47 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DOMAIN cluster.home,dhcp-option DNS 192.168.1.125,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
2023-05-27 08:40:47 OPTIONS IMPORT: timers and/or timeouts modified
2023-05-27 08:40:47 OPTIONS IMPORT: --ifconfig/up options modified
2023-05-27 08:40:47 OPTIONS IMPORT: route options modified
2023-05-27 08:40:47 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-05-27 08:40:47 OPTIONS IMPORT: peer-id set
2023-05-27 08:40:47 OPTIONS IMPORT: adjusting link_mtu to 1626
2023-05-27 08:40:47 OPTIONS IMPORT: data channel crypto options modified
2023-05-27 08:40:47 Data Channel: using negotiated cipher 'AES-256-GCM'
2023-05-27 08:40:47 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-05-27 08:40:47 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-05-27 08:40:47 net_route_v4_best_gw query: dst 0.0.0.0
2023-05-27 08:40:47 net_route_v4_best_gw result: via 192.168.2.10 dev wlp4s0
2023-05-27 08:40:47 ROUTE_GATEWAY 192.168.2.10/255.255.255.0 IFACE=wlp4s0 HWADDR=44:85:00:83:7d:27
2023-05-27 08:40:47 TUN/TAP device tun0 opened
2023-05-27 08:40:47 net_iface_mtu_set: mtu 1500 for tun0
2023-05-27 08:40:47 net_iface_up: set tun0 up
2023-05-27 08:40:47 net_addr_ptp_v4_add: 10.8.0.6 peer 10.8.0.5 dev tun0
2023-05-27 08:40:47 /etc/openvpn/update-systemd-resolved tun0 1500 1554 10.8.0.6 10.8.0.5 init
<14>May 27 08:40:47 update-systemd-resolved: Link 'tun0' coming up
<14>May 27 08:40:47 update-systemd-resolved: Adding DNS Routed Domain .
<14>May 27 08:40:47 update-systemd-resolved: Adding DNS Domain cluster.home
<14>May 27 08:40:47 update-systemd-resolved: Adding IPv4 DNS Server 192.168.1.125
<14>May 27 08:40:47 update-systemd-resolved: SetLinkDNS(21 1 2 4 192 168 1 125)
<14>May 27 08:40:47 update-systemd-resolved: SetLinkDomains(21 2 cluster.home false . true)
2023-05-27 08:40:47 net_route_v4_add: 123.456.789.100/32 via 192.168.2.10 dev [NULL] table 0 metric -1
2023-05-27 08:40:47 net_route_v4_add: 0.0.0.0/1 via 10.8.0.5 dev [NULL] table 0 metric -1
2023-05-27 08:40:47 net_route_v4_add: 128.0.0.0/1 via 10.8.0.5 dev [NULL] table 0 metric -1
2023-05-27 08:40:47 net_route_v4_add: 10.8.0.0/24 via 10.8.0.5 dev [NULL] table 0 metric -1
2023-05-27 08:40:47 GID set to nogroup
2023-05-27 08:40:47 UID set to nobody
2023-05-27 08:40:47 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-05-27 08:40:47 Initialization Sequence Completed

Once connected, the client resolves cluster.home names such as flamenco.cluster.home through the DNS server 192.168.1.125 on the Home network; the SetLinkDNS and SetLinkDomains lines above show systemd-resolved accepting the pushed settings for tun0, and resolvectl status tun0 shows the same information afterwards.

The Linux /etc/resolv.conf contents will look something like this (127.0.0.53 is the systemd-resolved stub listener, which forwards tun0 queries to 192.168.1.125):

nameserver 127.0.0.53
options edns0 trust-ad
search cluster.home lan

A query for a cluster.home name goes through the stub and returns the Home network address:

dig flamenco.cluster.home
; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> flamenco.cluster.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;flamenco.cluster.home.     IN  A

;; ANSWER SECTION:
flamenco.cluster.home.  0   IN  A   192.168.1.234

;; Query time: 56 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Sat May 27 08:40:53 EDT 2023
;; MSG SIZE  rcvd: 66