
OpenVPN OKTA Server

Imported from Confluence. Content may be outdated; verify before following any procedures. Last updated: November 2023

Chef Cookbook - fyber_openvpn-okta (Github)

Policyfile - Policyfile.rb (Github)

How to add a route

  1. Open the policyfile for gw-rnd-1.production.fyber.com (RND OpenVPN Server Policyfile).

  2. Add the routes to the default['openvpn']['config']['routes'] attribute.
     For example, to add the load balancer for rtb consul so that it is routed through the RND OpenVPN server, add the following hashes to the list:

       cd /Users/username/repos/fyber/aws-infrastructure-code/chef-ng/policyfiles/production/eu-west-1/openvpn_rnd_1/main/
       vim Policyfile.rb
       ...
       { 'target' => '54.171.15.145',  'mask' => '255.255.255.255', 'comment' => 'rtb consul ui' },
       { 'target' => '54.246.194.132', 'mask' => '255.255.255.255', 'comment' => 'rtb consul ui' },

  3. Update the Chef policy lock and push it to the server into the production policy group:

       chef update
       CHEFSERVER=aws chef push production_eu-west-1 Policyfile.lock.json

If chef update doesn't work, remove the Policyfile.lock.json file and then run chef install.

Don't forget to add the IP of the OpenVPN server (3.248.93.214) to the security group of the resource for which you added the route; otherwise the route exists but the traffic is still dropped at the resource.
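Because the routes attribute above is plain Ruby data and the Policyfile is Ruby, a pre-push sanity check fits naturally in the same language. The block below is an added example, not code from the fyber_openvpn-okta cookbook or the Policyfile: it takes a routes list in the same shape as default['openvpn']['config']['routes'] (the two hashes from this page, embedded as constructed sample data), rejects missing keys, malformed targets and non-contiguous netmasks, and renders the list as OpenVPN directives. The rendering assumes, without confirmation from this page, that the cookbook pushes each entry to clients as `push "route <target> <mask>"`; the function names are the example's own.

```ruby
require 'ipaddr'

# Constructed sample data in the same shape as the Policyfile attribute
# default['openvpn']['config']['routes']; the two hashes are the ones shown on this page.
ROUTES = [
  { 'target' => '54.171.15.145',  'mask' => '255.255.255.255', 'comment' => 'rtb consul ui' },
  { 'target' => '54.246.194.132', 'mask' => '255.255.255.255', 'comment' => 'rtb consul ui' }
].freeze

DOTTED_QUAD = /\A\d{1,3}(\.\d{1,3}){3}\z/

# True for a well-formed IPv4 address in dotted-quad form (each octet 0..255).
def valid_ipv4?(str)
  return false unless str.is_a?(String) && str =~ DOTTED_QUAD
  IPAddr.new(str).ipv4?
rescue IPAddr::InvalidAddressError
  false
end

# True only for a dotted-quad netmask whose bits are contiguous ones followed by zeros
# (255.255.255.0 is fine, 255.0.255.0 is not). OpenVPN passes the mask string through
# as given, so a bad mask would otherwise be pushed to every client unchanged.
def valid_netmask?(mask)
  return false unless valid_ipv4?(mask)
  bits = IPAddr.new(mask).to_i
  inverted = (~bits) & 0xFFFFFFFF
  (inverted & (inverted + 1)).zero?
end

# Check every route hash: required keys, well-formed target, contiguous mask.
# Returns an array of error strings; an empty array means the list is safe to push.
def route_errors(routes)
  routes.each_with_index.flat_map do |route, i|
    errs = []
    errs << "route #{i}: missing 'target'" unless route.key?('target')
    errs << "route #{i}: missing 'mask'"   unless route.key?('mask')
    if route.key?('target') && !valid_ipv4?(route['target'])
      errs << "route #{i}: bad target #{route['target'].inspect}"
    end
    if route.key?('mask') && !valid_netmask?(route['mask'])
      errs << "route #{i}: bad mask #{route['mask'].inspect}"
    end
    errs
  end
end

# Render the list as OpenVPN server directives. Assumption (not confirmed by the page):
# the cookbook pushes each entry to clients as `push "route <target> <mask>"`, and the
# 'comment' value is emitted as a '#' line above it for readability.
def render_push_routes(routes)
  errors = route_errors(routes)
  raise ArgumentError, errors.join('; ') unless errors.empty?

  routes.map do |r|
    header = r['comment'] ? "# #{r['comment']}\n" : ''
    "#{header}push \"route #{r['target']} #{r['mask']}\""
  end.join("\n")
end

puts render_push_routes(ROUTES) if __FILE__ == $PROGRAM_NAME
```

Running the file prints the two `push "route ..."` lines; a typo in a mask or target raises ArgumentError before anything reaches `chef push`. Keeping the routes as /32 hosts, as the page does, is the least-privilege choice: clients only learn the exact endpoints they need, not the whole subnet behind the load balancer.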

Access to services in inneractive production account

Motivation

  • we couldn't get approval to expose services in the AWS Inneractive PRD account to the OpenVPN server in the ofw account over VPC peering, for security reasons
  • we want more control over the OpenVPN setup so that we can help our developers faster
  • security groups cannot be used as sources in firewall rules across peered VPCs in different regions, which makes the approval and execution procedures even harder
  • users should have one OpenVPN endpoint that reaches all needed services in both accounts

Solution

Create another OpenVPN server as a gateway in the inn PRD account, in the FairBid subnets. Create tunnels between the OpenVPN servers in the ofw and inn accounts, then configure routes and iptables rules on the ofw server so that traffic for the inn subnets is forwarded to the OpenVPN gateway in the FairBid account.
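The forwarding step in the solution above is where a permissive ruleset would quietly turn the ofw gateway into a general router between the two accounts, so it is worth generating the rules from explicit data rather than typing them ad hoc. The block below is an added example in Ruby (matching the Chef tooling used on this page), not code from the cookbook or from either gateway: it builds the `ip route` and `iptables` commands for the ofw server from a small config hash. Every value in the config is a constructed placeholder, since the page names no subnets or interfaces, and the function names are the example's own. The policy it encodes is default-deny on the FORWARD chain, conntrack for replies, and one allow per inn subnet limited to the VPN client pool on the client-facing interface.

```ruby
require 'ipaddr'

# Constructed placeholder values: the page names no subnets or interfaces, so these are
# illustrative only and must be replaced with the real ones.
FORWARDING = {
  'client_net'   => '10.8.0.0/24',                    # placeholder: OpenVPN client pool on the ofw gateway
  'client_iface' => 'tun0',                           # placeholder: interface facing VPN clients
  'tunnel_iface' => 'tun1',                           # placeholder: site-to-site tunnel to the inn gateway
  'inn_subnets'  => ['10.50.0.0/16', '10.51.0.0/16']  # placeholder: FairBid subnets in the inn PRD account
}.freeze

# True for a well-formed IPv4 CIDR such as 10.50.0.0/16 (prefix length 0..32).
def valid_cidr?(cidr)
  return false unless cidr.is_a?(String) && cidr =~ %r{\A\d{1,3}(\.\d{1,3}){3}/\d{1,2}\z}
  IPAddr.new(cidr)
  true
rescue IPAddr::InvalidAddressError, IPAddr::InvalidPrefixError
  false
end

# Build the route and iptables commands for the ofw gateway. Policy: FORWARD defaults to
# DROP, replies are matched by conntrack, and only new connections from the VPN client
# pool to the listed inn subnets may cross from the client interface into the tunnel.
def forwarding_rules(cfg)
  raise ArgumentError, 'no inn subnets given' if cfg['inn_subnets'].empty?
  cidrs = [cfg['client_net'], *cfg['inn_subnets']]
  bad = cidrs.reject { |c| valid_cidr?(c) }
  raise ArgumentError, "invalid CIDR(s): #{bad.join(', ')}" unless bad.empty?

  rules = cfg['inn_subnets'].map { |s| "ip route add #{s} dev #{cfg['tunnel_iface']}" }
  rules << 'iptables -P FORWARD DROP'
  rules << 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  cfg['inn_subnets'].each do |s|
    rules << "iptables -A FORWARD -i #{cfg['client_iface']} -o #{cfg['tunnel_iface']} " \
             "-s #{cfg['client_net']} -d #{s} -m conntrack --ctstate NEW -j ACCEPT"
  end
  rules
end

# Count the rules that open new flows, so a reviewer can confirm the ruleset contains
# exactly one allow per inn subnet and nothing broader.
def new_flow_accepts(rules)
  rules.count { |r| r.include?('--ctstate NEW') }
end

puts forwarding_rules(FORWARDING) if __FILE__ == $PROGRAM_NAME
```

Two points the generator makes visible: there is no rule allowing traffic that originates on the tunnel side, so the inn account cannot reach the ofw clients or anything behind the ofw gateway, and there is no blanket `-o tun1 -j ACCEPT`, so adding a subnet means adding a line to the config rather than widening an existing rule. The inn-side gateway still needs a return route for the client pool (or the ofw side must SNAT onto the tunnel), which is a separate decision this example does not make for you.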