+# Creating OpenVPN files for users
+
+## Prerequisites
+
+In order to follow the steps documented here, few things must be prepared
+in advance.
+
+* Access to required below Nordix OpenVPN/Jump servers with sudo access to infra user,
+ +----------------+---------------+--------------------------------------+
+ | Nordix OpenVPN | IP ADDRESS | SSH ACCESS |
+ +================+===============+======================================+
+ | ONAP-CityCloud | 77.81.6.42 | ssh <USER_ID>@77.81.6.42 -p 52413 |
+ +----------------+---------------+--------------------------------------+
+ | ONAP-Xerces | 129.192.70.24 | ssh <USER_ID>@129.192.70.24 -p 52413 |
+ +----------------+---------------+--------------------------------------+
+ | Acumos | 91.106.193.58 | ssh <USER_ID>@91.106.193.58 -p 52413 |
+ +----------------+---------------+--------------------------------------+
+
+* Ensure SSH key based authentication enabled between Openvpn server and CA
+
+* Login to required Nordix OpenVPN/Jump server from your machine
+
+* Install virtualenv, python3-minimal, python3-dev, and python3-pip
+```bash
+sudo apt update
+sudo apt install -y virtualenv python3-minimal python3-dev python3-pip
+```
+* Create and set virtualenv
+```bash
+virtualenv -p python3 .venv
+source .venv/bin/activate
+```
+* Install Ansible 2.9.6
+```
+pip install ansible==2.9.6
+```
+
+## Generate User ovpn file
+
+* Login to OpenVPN/Jump server with your credentials
+
+* Clone infra/tools repository from Nordix Gerrit
+
+```bash
+git clone "ssh://<USERNAME>@gerrit.nordix.org:29418/infra/tools" && scp -p -P 29418 <USERNAME>@gerrit.nordix.org:hooks/commit-msg "tools/.git/hooks/"
+```
+You are now ready to create ovpn files for users in project specific OpenVPN server,
+
+* Switch to infra user in OpenVPN/Jump server
+
+* Change directory to you home directory from where repo cloned
+```bash
+cd <YOUR_HOME_DIR>/tools/infra/openvpn_automation
+source <YOUR_HOME_DIR>/.venv/bin/activate
+ansible-playbook -i inventory/inventory.ini openvpn_user_setup.yaml -e "client_name=<USERNAME_TO_CREATE_OVPN_CERT>"
+```
+
+NOTE:
+* Client user ID should be user's username (first character of user firstname + lastname)
+* {{ client_name }} should be given as per specific OpenvVPN servers listed below,
+ +----------------+---------------+---------------------------+
+ | Nordix OpenVPN | CIDR | Client_name |
+ +================+===============+===========================+
+ | ONAP-CityCloud | 10.1.0.0/24 | client_userid.onap |
+ | | 10.2.0.0/24 | |
+ +----------------+---------------+---------------------------+
+ | ONAP-Xerces | 10.10.10.0/24 | client_userid.xerces.onap |
+ | | 172.16.0.0/16 | |
+ +----------------+---------------+---------------------------+
+ | Acumos | 10.1.0.0/24 | client_userid.acumos |
+ +----------------+---------------+---------------------------+
+
+* Once user specific ovpn file is generated, this file should be shared with user's email with below instructions,
+
+ * Please install the openvpn on your laptop. Assuming you using Ubuntu:
+ $ sudo apt install openvpn
+ * Then you need to open the VPN connection using the .ovpn file which contain all the required certificates:
+ $ sudo openvpn --config {{ client_name }}.ovpn
+ * Now, you should have access to all the VMs directly from your laptop
+ $ nmap -n -sP <CIDR>/24
+ * In case you use Windows 10 OS, please use the community version of OpenVPN client:
+ https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.8-I602-Win10.exe
+
+
+## Revoke User ovpn file
+
+* Login to required Nordix OpenVPN/Jump server from your machine
+
+* Clone infra/tools repository from Nordix Gerrit
+
+```bash
+git clone "ssh://<USERNAME>@gerrit.nordix.org:29418/infra/tools && scp -p -P 29418 <USERNAME>@gerrit.nordix.org:hooks/commit-msg "tools/.git/hooks/"
+```
+You are now ready to revoke Openvpn access for users in project specific OpenVPN server,
+
+* Switch to infra user in OpenVPN/Jump server
+
+* Change directory to you home directory from where repo cloned
+```bash
+cd <YOUR_HOME_DIR>/tools/infra/openvpn_automation
+source <YOUR_HOME_DIR>/.venv/bin/activate
+ansible-playbook -i inventory/inventory.ini openvpn_user_revoke.yaml -e "client_name=<USERNAME_TO_REVOKE_ACCESS>"
+```
+NOTE:
+* Client user ID should be user's username (first character of user firstname + lastname)
+* {{ client_name }} should be given as per specific OpenvVPN servers listed below,
+ +----------------+---------------+---------------------------+
+ | Nordix OpenVPN | CIDR | Client_name |
+ +================+===============+===========================+
+ | ONAP-CityCloud | 10.1.0.0/24 | client_userid.onap |
+ | | 10.2.0.0/24 | |
+ +----------------+---------------+---------------------------+
+ | ONAP-Xerces | 10.10.10.0/24 | client_userid.xerces.onap |
+ | | 172.16.0.0/16 | |
+ +----------------+---------------+---------------------------+
+ | Acumos | 10.1.0.0/24 | client_userid.acumos |
+ +----------------+---------------+---------------------------+
+
+You are done!
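Review bot: The `git clone` line in the "Revoke User ovpn file" section has an unbalanced double quote: `"ssh://<USERNAME>@gerrit.nordix.org:29418/infra/tools` is never closed before `&& scp`, which leaves three quotes on the line, so the shell takes `&& scp ...` as part of the clone URL and then waits for a closing quote. Close the quote after `infra/tools`, as the same command in the "Generate User ovpn file" section does. Further points in the same file: the bullet that says the generated file "should be shared with user's email" sends over mail a file the following bullet describes as containing all the required certificates, so the README should name a delivery channel with access control, or at least say how the file is to be protected in transit. The `nmap -n -sP <CIDR>/24` example doubles the prefix length, because the CIDR column already carries `/24` or `/16` (and ONAP-Xerces lists a `/16`); use `<CIDR>` alone. The playbook examples pass `client_name=<USERNAME_TO_CREATE_OVPN_CERT>` and `client_name=<USERNAME_TO_REVOKE_ACCESS>`, while the NOTE tables expect values of the form `client_userid.onap`; make the placeholder show the suffixed form so a wrong name is not issued or revoked. Minor: "OpenvVPN" in both NOTE blocks, "Change directory to you home directory" in both sections, the `pip install ansible==2.9.6` fence has no `bash` tag unlike the others, and the Client_name table is repeated verbatim and could be stated once.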