# Manually Creating & Removing OpenVPN access for users

## Prerequisites

In order to manually create/remove OpenVPN access for users, there are pre-requisites
steps which should be fulfilled.

* Access to below Nordix OpenVPN/Jump and CA servers with sudo access to infra user
  from your local machine,
  +----------------+---------------+--------------------------------------+
  | Nordix OpenVPN |  IP ADDRESS   |              SSH ACCESS              |
  +================+===============+======================================+
  | ONAP-CityCloud |  77.81.6.42   | ssh <USER_ID>@77.81.6.42 -p 52413    |
  +----------------+---------------+--------------------------------------+
  | ONAP-Xerces    | 129.192.70.24 | ssh <USER_ID>@129.192.70.24 -p 52413 |
  +----------------+---------------+--------------------------------------+
  | Acumos         | 91.106.193.58 | ssh <USER_ID>@91.106.193.58 -p 52413 |
  +----------------+---------------+--------------------------------------+
  | CCD            | 188.212.109.53| ssh <USER_ID>@188.212.109.53 -p 52413|
  +----------------+---------------+--------------------------------------+
  | CA Server      |  77.81.6.250  | ssh <USER_ID>@77.81.6.250 -p 52413   |
  +----------------+---------------+--------------------------------------+

* Install virtualenv, python3-minimal, python3-dev, and python3-pip
```
sudo apt update
sudo apt install -y virtualenv python3-minimal python3-dev python3-pip
```
* Create and set virtualenv
```
virtualenv -p python3 .venv
source ~/.venv/bin/activate
```
* Install Ansible 2.9.6
```
pip install ansible==2.9.6
```

## Generate User ovpn file

* Clone infra/tools repository from Nordix Gerrit

```
git clone "https://gerrit.nordix.org/infra/tools"
```
You are now ready to create ovpn files for users in project specific OpenVPN server,

* Change directory in your computer where the repo cloned,
```
cd tools/infra/openvpn_automation
```

* Export the `user_name` and `vpn_server_public_ip` as environment variable
```
export user_name=<Client_name>
export vpn_server_public_ip=<PUBLIC_IP_OF_REQUIRED_OPENVPNSERVER>
```
NOTE:
* OpenVPN server public IP's can be taken from the table in the top of this file
* Client user ID should be user's username (first character of user firstname + lastname)
* {{ client_name }} should be given as per specific OpenvVPN servers listed below,
  +----------------+---------------+---------------------------+
  | Nordix OpenVPN |     CIDR      |    Client_name            |
  +================+===============+===========================+
  | ONAP-CityCloud | 10.1.0.0/24   | client_userid.onap        |
  |                | 10.2.0.0/24   |                           |
  +----------------+---------------+---------------------------+
  | ONAP-Xerces    | 10.10.10.0/24 | client_userid.xerces.onap |
  |                | 172.16.0.0/16 |                           |
  +----------------+---------------+---------------------------+
  | Acumos         | 10.1.0.0/24   | client_userid.acumos      |
  +----------------+---------------+---------------------------+
  | CCD            | 10.4.0.0/24   | client_userid.ccd         |
  +----------------+---------------+---------------------------+

* Update the invetory file to proceed, 
```
cat >> inventory/inventory.ini <<EOF
[jumphost]
# Nordix OpenVPN server
jumphost ansible_connection=ssh ansible_host=$vpn_server_public_ip ansible_user=infra ansible_port=52413 ansible_python_interpreter=/usr/bin/python3
EOF
```

* Created user OpenVPN file by running the script,
```
./generate_openvpn_client.sh
```

* Once user specific ovpn file is generated, this file should be shared with user's email with below instructions,

  * Please install the openvpn on your laptop. Assuming you using Ubuntu:
    $ sudo apt install openvpn
  * Then you need to open the VPN connection using the .ovpn file which contain all the required certificates:
    $ sudo openvpn --config {{ client_name }}.ovpn
  * Now, you should have access to all the VMs directly from your laptop
    $ nmap -n -sP <CIDR>/24
  * In case you use Windows 10 OS, please use the community version of OpenVPN client:
    https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.8-I602-Win10.exe


## Revoke User ovpn file

* Clone infra/tools repository from Nordix Gerrit

```
git clone "ssh://<USERNAME>@gerrit.nordix.org:29418/infra/tools && scp -p -P 29418 <USERNAME>@gerrit.nordix.org:hooks/commit-msg "tools/.git/hooks/"
```
You are now ready to revoke Openvpn access for users in project specific OpenVPN server,

* Change directory in your computer where the repo cloned,
```
cd tools/infra/openvpn_automation
```

* Export the `user_name` and `vpn_server_public_ip` as environment variable
```
export user_name=<Client_name>
export vpn_server_public_ip=<PUBLIC_IP_OF_REQUIRED_OPENVPNSERVER>
```
NOTE:
* OpenVPN server public IP's can be taken from the table in the top of this file
* Client user ID should be user's username (first character of user firstname + lastname)
* {{ client_name }} should be given as per specific OpenvVPN servers listed below,
  +----------------+---------------+---------------------------+
  | Nordix OpenVPN |     CIDR      |    Client_name            |
  +================+===============+===========================+
  | ONAP-CityCloud | 10.1.0.0/24   | client_userid.onap        |
  |                | 10.2.0.0/24   |                           |
  +----------------+---------------+---------------------------+
  | ONAP-Xerces    | 10.10.10.0/24 | client_userid.xerces.onap |
  |                | 172.16.0.0/16 |                           |
  +----------------+---------------+---------------------------+
  | Acumos         | 10.1.0.0/24   | client_userid.acumos      |
  +----------------+---------------+---------------------------+
  | CCD            | 10.4.0.0/24   | client_userid.ccd         |
  +----------------+---------------+---------------------------+

* Update the invetory file to proceed, 
```
cat >> inventory/inventory.ini <<EOF
[jumphost]
# Nordix OpenVPN server
jumphost ansible_connection=ssh ansible_host=$vpn_server_public_ip ansible_user=infra ansible_port=52413 ansible_python_interpreter=/usr/bin/python3
EOF
```

* Delete user entries from OpenVPN server & Nordix CA servers by running the script,
```
./delete_openvpn_client.sh
```

You are done!