Why These VPNs Suit Rocks Cluster Distribution
Rocks Cluster Distribution is tailored for high-performance computing (HPC) environments, built atop CentOS/RHEL’s RPM and yum (or dnf) package manager. Administrators typically interact via SSH on a command-line-only “head” node, rolling out compute nodes with automated Rolls and Kickstart profiles. GUI desktops (GNOME, Xfce) are optional Rolls, and most security tooling must integrate without a desktop. The ideal VPN solution must therefore:
- Install cleanly via yum/dnf or RPM
- Offer CLI-centric management and service control
- Load as a kernel module (for performance) or run efficiently in user space
- Be stable on CentOS 7/8-based kernels used by Rocks
Based on these criteria, the top candidates are WireGuard, OpenVPN, and SoftEther VPN. Below is a feature comparison customized for the Rocks ecosystem.
Comparison of VPN Solutions on Rocks Cluster Distribution
| Solution | Protocol Type | Kernel Module | CLI Management | Notes |
|---|---|---|---|---|
| WireGuard | WireGuard | Yes (kmod-wireguard) | wg, wg-quick | Exceptional throughput, minimal config |
| OpenVPN | SSL/TLS | No (user space) | openvpn | Proven, flexible, supports many auth modes |
| SoftEther VPN | EtherIP/L2TP/IPsec/SSL | No (user space) | vpncmd, vpnserver | Multi-protocol, Windows-compatible bridges |
Detailed Installation and Configuration
1. WireGuard
WireGuard integrates directly into the Linux kernel on CentOS/RHEL via ELRepo or EPEL for CentOS 7/8. It’s ideal for head-node-to-node encryption in HPC networks.
```bash
# Enable EPEL (CentOS 7/8) and ELRepo for kernel module
yum install -y epel-release
yum install -y https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm

# Install WireGuard tools and kernel module
yum install -y kmod-wireguard wireguard-tools

# Generate keys (umask 077 keeps the private key and config unreadable by other users)
mkdir -p /etc/wireguard
cd /etc/wireguard
umask 077
wg genkey | tee privatekey | wg pubkey > publickey

# Sample wg0.conf (the unquoted heredoc expands $(cat privatekey) when the file is written)
cat > /etc/wireguard/wg0.conf <<EOF
[Interface]
PrivateKey = $(cat privatekey)
Address = 10.0.0.1/24
ListenPort = 51820
# Peer definitions go here
# [Peer]
# PublicKey =
# AllowedIPs = 10.0.0.2/32
EOF

# Enable and start service
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0

# Verify status
wg show
```
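As an added example (not part of the original page or of wireguard-tools), the function below audits a wg-quick config for three mistakes the steps above can leave behind: a file readable by other users, a `PrivateKey` line that is not a real key, and `AllowedIPs` entries that are wider than one host or repeated across peers. The name `audit_wg_conf`, the finding tags and the sample config are assumptions made for illustration; it also assumes GNU `stat` and one host address per peer, as in the sample `wg0.conf`.

```bash
# Added example: audit_wg_conf is a hypothetical helper, not part of wireguard-tools.
# Prints one finding per line; prints nothing for a clean file. Assumes GNU stat.
audit_wg_conf() {
    local conf=$1 mode
    mode=$(stat -c '%a' "$conf") || return 2
    # wg-quick configs embed the private key, so group and other need no access.
    case $mode in
        *00) ;;
        *) echo "PERMS: mode $mode, expected 600" ;;
    esac
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*#/  { next }                        # ignore commented-out lines
        /^[ \t]*\[/ { section = trim($0); next }
        {
            eq = index($0, "="); if (!eq) next
            key = trim(substr($0, 1, eq - 1)); val = trim(substr($0, eq + 1))
        }
        section == "[Interface]" && key == "PrivateKey" {
            # A key is 32 bytes: 43 base64 characters followed by one "=".
            if (length(val) != 44 || val !~ "^[A-Za-z0-9+/]+=$")
                print "KEY: PrivateKey is not a base64 key (unexpanded substitution?)"
        }
        section == "[Peer]" && key == "AllowedIPs" {
            n = split(val, nets, ",")
            for (i = 1; i <= n; i++) {
                net = trim(nets[i])
                host = (net ~ /:/) ? (net ~ /\/128$/) : (net ~ /\/32$/)
                if (!host)       print "WIDE: " net " covers more than one host"
                if (seen[net]++) print "DUP: " net " is listed for more than one peer"
            }
        }
    ' "$conf"
}

# Constructed sample: readable by everyone, a literal $(...) where the key
# should be, and a second peer that repeats an address and adds a whole subnet.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Interface]
PrivateKey = $(cat privatekey)
[Peer]
AllowedIPs = 10.0.0.2/32
[Peer]
AllowedIPs = 10.0.0.2/32, 10.0.0.0/24
EOF
chmod 644 "$sample"
audit_wg_conf "$sample"
rm -f "$sample"
```

Run it against `/etc/wireguard/wg0.conf` on the head node after editing peers; an empty result means none of the three conditions was found.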
2. OpenVPN
OpenVPN runs in user space and leverages easy-rsa for certificate management. It’s robust for multi-site HPC head nodes and remote management PCs.
```bash
# Enable EPEL
yum install -y epel-release

# Install OpenVPN and Easy-RSA
yum install -y openvpn easy-rsa

# Prepare PKI directory
# (make-cadir is provided by the Debian/Ubuntu easy-rsa package; where it is missing,
#  copy the Easy-RSA scripts from /usr/share/easy-rsa/ into this directory instead)
make-cadir /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa

# Initialize and build CA (nopass leaves the CA private key unencrypted on disk)
./easyrsa init-pki
./easyrsa build-ca nopass

# Generate server certificate/key
./easyrsa gen-req server nopass
./easyrsa sign-req server server

# Diffie-Hellman parameters
./easyrsa gen-dh

# Copy artifacts and sample server.conf
# (dh.pem is the gen-dh output; point the dh directive in server.conf at it)
cp pki/ca.crt pki/private/server.key pki/issued/server.crt pki/dh.pem /etc/openvpn/
gunzip -c /usr/share/doc/openvpn/sample/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

# Adjust server.conf as needed, then:
systemctl enable openvpn@server
systemctl start openvpn@server
```
3. SoftEther VPN
SoftEther is a user-space, multi-protocol VPN supporting L2 bridging over SSL/TLS. Good for environments needing Windows-compatible clients or L2 segments.
```bash
# Install build dependencies
yum install -y epel-release
yum install -y gcc make readline-devel openssl-devel

# Download and compile SoftEther
cd /usr/local/src
wget https://github.com/SoftEtherVPN/SoftEtherVPN_Stable/archive/v4.34-9745.tar.gz
tar xzf v4.34-9745.tar.gz
cd SoftEtherVPN_Stable-4.34-9745
./configure
make
make install

# Start the VPN server service
/usr/local/vpnserver/vpnserver start

# Secure the admin interface (interactive via vpncmd)
# /usr/local/vpnserver/vpncmd
```
Each of these VPN solutions integrates smoothly with Rocks Cluster Distribution’s package and roll systems, allowing automated deployment to compute nodes and secure tunneling between head nodes and remote management stations.