Inclusion of a P2S VPN #2345
Comments
I think this is a good idea, and would be a common use case. I believe @helendduncan and @craddm have set up a TRE (in an ad-hoc way) to be accessible from an institutional VPN. That sounds a bit different to what you are suggesting @mattwestby, as in it is accessing the TRE only from an existing VPN rather than the TRE having its own VPN. @helendduncan, @craddm any input/advice?
Azure VPN Gateway can be quite expensive. We also never got the OpenVPN P2S connection to work reliably, although this may have improved recently. @mattwestby: Is there an advantage in using the Azure VPN (which would use your Entra credentials to authenticate) as a step in front of the Guacamole dashboard (which already uses Entra to authenticate) over simply allow-listing all IP addresses?
We do say that Tier 2 allows access from only specific IP addresses ("connections to the in-browser remote desktop can only be made from an agreed set of IP addresses"), so if that isn't quite true it's not quite the full Tier 2. Like James, I'm not sure there's much advantage to provisioning an Azure VPN alongside the SRE when it'll use the same credentials anyway, particularly if the intent is for the VPN to allow connections from anywhere without allowlisting specific IP addresses. It'd make the SRE comply with the letter of Tier 2, but I'm not sure it adds much in practice. The only advantage is that people who don't have access to the VPN can't see the Guacamole dashboard at all. But in practice it mostly just means they'd have to log in the same way twice, which just seems redundant. If the VPN is accessible with a different set of credentials (e.g. it's an institutional VPN) that's a different matter, but that would be outside our remit and not something we should be setting up as part of the SRE.
Hi,
My thoughts with this came from some brief experience with the University of Derby, who are using an SRE we've set up: it took time to discover the source IP address to be whitelisted, and we thought that if we had a VPN then the range of VPN addresses could be whitelisted, which would potentially make it easier for the user. And yes, to authenticate to the VPN using the creds from Entra.
Thanks
Matt
🍓 Suggested change
To include the ability to use a VPN to connect to the TRE. This was a feature in V4 to manage the VMs, but this request would be for a researcher to connect to the TRE via a VPN client, which would make the security requirement of knowing your IP address redundant as the VPN would provide the security.
🚂 How could this be done?
Include a VPN gateway in the deployed infrastructure. I did a PoC with this but couldn't get the DNS to work correctly, so that when you entered the URL of the TRE it still resolved publicly.
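The following is an added example sketch, not code from this project or from anyone in the thread, of what "include a VPN gateway in the deployed infrastructure" would look like in Terraform for an Azure point-to-site gateway authenticated with Entra ID, together with the two pieces the PoC above ran into: a private DNS zone for the TRE name, and the fact that P2S clients only resolve that zone if the VNet hands them a resolver that lives inside the VNet. All variable names, the client address pool, the resource names and the assumption that Guacamole sits behind an NSG on a private IP are illustrative; the Azure VPN Client application ID is the public-cloud value from Microsoft's documentation.

```hcl
# Added example (not Data Safe Haven code). Assumes an existing VNet with a
# subnet literally named "GatewaySubnet", an NSG on the Guacamole subnet, and
# a Guacamole front end on a private IP. Variable names are assumptions.

variable "location"             { type = string }
variable "resource_group_name"  { type = string }
variable "tenant_id"            { type = string } # Entra tenant GUID
variable "tre_fqdn"             { type = string } # the name users type, e.g. sre.example.org (assumed)
variable "gateway_subnet_id"    { type = string } # must be the "GatewaySubnet" subnet
variable "vnet_id"              { type = string }
variable "guacamole_subnet_nsg" { type = string }
variable "guacamole_private_ip" { type = string }

locals {
  # Address pool handed to VPN clients. This single range is what a Tier 2
  # allow-list names instead of every user's home or office egress IP.
  vpn_client_pool = "172.16.201.0/24"
  # Azure VPN Client enterprise application (Azure public cloud); required
  # as the token audience when vpn_auth_types = ["AAD"].
  azure_vpn_client_app_id = "41b23e61-6c1e-4545-b367-cd054e0ed4b4"
}

resource "azurerm_public_ip" "vpn" {
  name                = "pip-vpn-gateway"
  location            = var.location
  resource_group_name = var.resource_group_name
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_virtual_network_gateway" "p2s" {
  name                = "vgw-p2s"
  location            = var.location
  resource_group_name = var.resource_group_name
  type                = "Vpn"
  vpn_type            = "RouteBased"
  sku                 = "VpnGw1" # OpenVPN + Entra auth needs a non-Basic SKU; this is where the cost comes from

  ip_configuration {
    name                 = "vgw-ipconfig"
    public_ip_address_id = azurerm_public_ip.vpn.id
    subnet_id            = var.gateway_subnet_id
  }

  vpn_client_configuration {
    address_space        = [local.vpn_client_pool]
    vpn_client_protocols = ["OpenVPN"]
    vpn_auth_types       = ["AAD"]
    aad_tenant           = "https://login.microsoftonline.com/${var.tenant_id}/"
    aad_audience         = local.azure_vpn_client_app_id
    aad_issuer           = "https://sts.windows.net/${var.tenant_id}/"
  }
}

# 1. Private DNS for the TRE name. Without a private zone linked to the VNet
#    the public record wins and the browser goes around the tunnel.
resource "azurerm_private_dns_zone" "tre" {
  name                = var.tre_fqdn
  resource_group_name = var.resource_group_name
}

resource "azurerm_private_dns_zone_virtual_network_link" "tre" {
  name                  = "link-tre"
  resource_group_name   = var.resource_group_name
  private_dns_zone_name = azurerm_private_dns_zone.tre.name
  virtual_network_id    = var.vnet_id
}

resource "azurerm_private_dns_a_record" "guacamole" {
  name                = "@"
  zone_name           = azurerm_private_dns_zone.tre.name
  resource_group_name = var.resource_group_name
  ttl                 = 300
  records             = [var.guacamole_private_ip]
}

# 2. P2S clients do not use Azure's 168.63.129.16 resolver; they receive the
#    VNet's custom dns_servers when they connect. So the VNet must list a
#    resolver inside the VNet (for example a DNS Private Resolver inbound
#    endpoint) as its dns_servers, and clients must reconnect after that
#    change. Leaving the VNet on Azure-provided DNS is the usual reason the
#    TRE URL still resolves publicly from a VPN client.

# Only VPN clients reach the Guacamole front end: allow-list the client pool.
resource "azurerm_network_security_rule" "guacamole_from_vpn" {
  name                        = "AllowHttpsFromVpnClients"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "443"
  source_address_prefix       = local.vpn_client_pool
  destination_address_prefix  = var.guacamole_private_ip
  resource_group_name         = var.resource_group_name
  network_security_group_name = var.guacamole_subnet_nsg
}
```

The NSG rule is what turns the VPN into something more than a second Entra login: with the Guacamole front end reachable only from the client pool, the "agreed set of IP addresses" in the Tier 2 wording becomes one stable range owned by the SRE rather than a list of user egress addresses that each institution has to discover.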