I am using DRBD for disaster recovery from a remote location, and I'd
like to encrypt the DRBD network traffic. Additional IP addresses are
unavailable for a VPN on both nodes. It seems stunnel was the best
solution. It took me a while to conceptualize the configuration, but
I've got it working and wanted to share what I did.

An stunnel client and server need to be running on both nodes. If we
consider the example configuration [1]: first, generate some certificates
on each of the nodes:

alice:/etc/stunnel# openssl req -new -nodes -x509 -out drbd-alice-pub.pem -keyout drbd-alice-private.pem
alice:/etc/stunnel# chmod 400 drbd-alice-pub.pem drbd-alice-private.pem
bob:/etc/stunnel# openssl req -new -nodes -x509 -out drbd-bob-pub.pem -keyout drbd-bob-private.pem
bob:/etc/stunnel# chmod 400 drbd-bob-pub.pem drbd-bob-private.pem

Then copy the public keys to the other server, using scp for example:

alice:/etc/stunnel# scp drbd-alice-pub.pem 10.1.1.32:/etc/stunnel
bob:/etc/stunnel# scp drbd-bob-pub.pem 10.1.1.31:/etc/stunnel

Now set up the stunnel configurations:

alice:/etc/stunnel# cat drbd-client.conf
[drbd to bob]
client = yes
accept = 127.0.0.1:7790
connect = 10.1.1.32:5000
verify = 2
CAfile = /etc/stunnel/drbd-bob-pub.pem

alice:/etc/stunnel# cat drbd-server.conf
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
pid = /stunnel.pid
cert = /etc/stunnel/drbd-alice-pub.pem
key = /etc/stunnel/drbd-alice-private.pem
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; These options provide additional security at some performance degradation
options = SINGLE_ECDH_USE
options = SINGLE_DH_USE
[drbd from bob]
accept = 5000
connect = 127.0.0.1:7789

bob:/etc/stunnel# cat drbd-client.conf
[drbd to alice]
client = yes
accept = 127.0.0.1:7789
connect = 10.1.1.31:5000
verify = 2
CAfile = /etc/stunnel/drbd-alice-pub.pem

bob:/etc/stunnel# cat drbd-server.conf
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
pid = /stunnel.pid
cert = /etc/stunnel/drbd-bob-pub.pem
key = /etc/stunnel/drbd-bob-private.pem
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; These options provide additional security at some performance degradation
options = SINGLE_ECDH_USE
options = SINGLE_DH_USE
[drbd from alice]
accept = 5000
connect = 127.0.0.1:7790

(Make sure the chroot /usr/local/var/lib/stunnel/ is owned by
nobody.nogroup.)

Now, modify the DRBD resource configuration: update the address for
alice to be 127.0.0.1:7789 and bob to be 127.0.0.1:7790.

Start stunnel on both nodes and make sure there are no errors, then
bring up the DRBD resource on both nodes. Verify (with netstat, for
example) that the only inter-node network connections are happening on
port 5000, the encrypted stunnel.

Summary:

For the DRBD traffic from alice to bob: alice connects to bob using
bob's defined address 127.0.0.1:7790 (from /etc/drbd.d/r0.res), which is
a stunnel client daemon that encrypts the traffic and sends it to bob at
10.1.1.32:5000 (alice:/etc/stunnel/drbd-client.conf), which is a stunnel
server daemon that receives the encrypted data, decrypts it and forwards
it to 127.0.0.1:7790 (bob:/etc/stunnel/drbd-server.conf).

For the DRBD traffic from bob to alice: bob connects to alice using the
defined address of 127.0.0.1:7789 (from /etc/drbd.d/r0.res), which is a
stunnel client daemon that encrypts the traffic and connects to alice at
10.1.1.31:5000 (bob:/etc/stunnel/drbd-client.conf), which is a stunnel
server daemon that receives the encrypted data, decrypts it and forwards
it to 127.0.0.1:7789 (alice:/etc/stunnel/drbd-server.conf).

Please comment if you feel I've overlooked anything.
Thanks
1. http://www.drbd.org/en/doc/users-guide-84/s-configure-resource
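As an added check (example code, not part of the post above), the following Python script embeds the four stunnel configs and the two DRBD addresses from the post as constructed strings and verifies that each node's stunnel client and server line up with the peer's stunnel port, the DRBD resource addresses and the certificate copied from the peer. The helper names load and check are assumptions of this example; it also flags a server section with no verify directive, since stunnel then accepts any TLS client on port 5000 and forwards it to the DRBD listener.

```python
import configparser

# Constructed from the post: each node's IP, DRBD address (r0.res), the certificate it
# presents, and its stunnel configs trimmed to the directives the tunnel topology needs.
ALICE = {"name": "alice", "ip": "10.1.1.31", "drbd": "127.0.0.1:7789",
         "cert": "/etc/stunnel/drbd-alice-pub.pem",
         "client": "[drbd to bob]\nclient = yes\naccept = 127.0.0.1:7790\nconnect = 10.1.1.32:5000\n"
                   "verify = 2\nCAfile = /etc/stunnel/drbd-bob-pub.pem\n",
         "server": "cert = /etc/stunnel/drbd-alice-pub.pem\nkey = /etc/stunnel/drbd-alice-private.pem\n"
                   "[drbd from bob]\naccept = 5000\nconnect = 127.0.0.1:7789\n"}
BOB = {"name": "bob", "ip": "10.1.1.32", "drbd": "127.0.0.1:7790",
       "cert": "/etc/stunnel/drbd-bob-pub.pem",
       "client": "[drbd to alice]\nclient = yes\naccept = 127.0.0.1:7789\nconnect = 10.1.1.31:5000\n"
                 "verify = 2\nCAfile = /etc/stunnel/drbd-alice-pub.pem\n",
       "server": "cert = /etc/stunnel/drbd-bob-pub.pem\nkey = /etc/stunnel/drbd-bob-private.pem\n"
                 "[drbd from alice]\naccept = 5000\nconnect = 127.0.0.1:7790\n"}


def load(text):
    # stunnel files put global directives before the first [service]; strict=False
    # tolerates the repeated 'options =' lines. Option names come back lowercased.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string("[global]\n" + text)
    service = [s for s in cp.sections() if s != "global"][0]
    return cp["global"], cp[service]


def check(local, peer):
    """Return the problems found in local's stunnel client/server pair relative to peer."""
    problems = []
    _, cli = load(local["client"])
    glob, srv = load(local["server"])
    _, peer_srv = load(peer["server"])
    # DRBD dials the peer's r0.res address, so the local stunnel client must listen there
    # and hand the TLS session to the port the peer's stunnel server accepts on.
    if cli.get("accept") != peer["drbd"]:
        problems.append(f"client accept {cli.get('accept')} != peer DRBD address {peer['drbd']}")
    if cli.get("connect") != f"{peer['ip']}:{peer_srv.get('accept')}":
        problems.append("client connect does not reach the peer's stunnel server port")
    if cli.get("verify") != "2" or cli.get("cafile") != peer["cert"]:
        problems.append("client does not pin the peer's certificate (verify = 2 + CAfile)")
    # Decrypted traffic must land on the local DRBD listener, which must stay on loopback.
    if srv.get("connect") != local["drbd"]:
        problems.append(f"server connect {srv.get('connect')} != local DRBD address {local['drbd']}")
    if not local["drbd"].startswith("127."):
        problems.append("DRBD listener is not on loopback: plaintext reachable from the network")
    if glob.get("cert") != local["cert"]:
        problems.append("server cert is not the one copied to the peer as its CAfile")
    if "verify" not in glob and "verify" not in srv:
        problems.append("server has no verify directive: any TLS client can reach DRBD")
    return problems
```

Run check(ALICE, BOB) and check(BOB, ALICE); with the configs from the post, the only finding on each node is the missing server-side verify.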
_______________________________________________
drbd-user mailing list
http://lists.linbit.com/mailman/listinfo/drbd-user