Reconsider VPN requirement for login nodes (or at least explain rationale?)

Hello CARC team,

My colleagues and I were disappointed to see your announcement yesterday that all login and transfer nodes will require VPN from off campus. From a user/outside layperson perspective, this will add a lot of hassle and seems unnecessary for already well-locked-down systems with 2FA requirements. Is Duo no longer deemed sufficient for protected systems? Are all university services that are already Duo-protected going to also go behind VPN, or was this a choice made just for this system?

Explaining the rationale for taking such a step could go a long way to making this easier to swallow. Especially in the context of why this requirement is needed for CARC, when other computing centers that operate on larger scales do not have this requirement (e.g., TACC), including more sensitive DOE machines (e.g., ORNL).

As a user who primarily works off campus, the new barriers imposed by this change include:

  • I need to do two Duo sign-ins in order to first connect. I can of course live with this one; it’s just another annoyance.
  • I must now install and manage VPN connections on every device that I ever use to log in and check job status, read logs, and resubmit jobs, or choose to no longer do any work when away from my primary workstation. A workaround for this would be for you to provide a publicly accessible proxy host into which we could SSH, and then SSH into the login nodes, for situations where VPN is unavailable (an annoyance, but at least it would still be possible).
  • Outside users at other institutions with guest accounts will now need to VPN in from their institution to USC, breaking connections with any local resources. This may also be either blocked or prohibited by other institutions.
  • Hopefully VPN performance is better now, but when I last used it regularly, performance issues were common.

Thank you for your consideration,

Hi Kevin,

Thanks for your comments. There are two main reasons for, and benefits of, the changes we are making to the cluster’s network connections. The first is that by requiring users to either be on campus or use a VPN, we can eliminate the need for Duo 2FA to connect to the cluster.

The second reason is that these changes will also allow compute nodes access to the internet (with advance approval).

I spoke with some of my colleagues about the performance of VPN and lately it seems like we haven’t had any noticeable issues, if that is any reassurance. If there is an issue though, it will have to be resolved by ITS as they manage it.

As for the rest of your comments, unfortunately, there is not much we can do. However, we believe that the new capabilities this network change will provide to Discovery and Endeavor, as well as new services we are planning on bringing online, will outweigh the inconveniences.

Let me know if you have any further questions.

Cesar Sul

Hi Cesar,

Thanks for your detailed reply. We’re currently checking with some of our outside users at the U.S. Geological Survey who connect to the cluster via iVIP accounts to see if their IT people even allow outside VPN connections on government machines (they are very heavy handed with what they block). If not, things could get quite tricky with this proposed policy change.

I do love the idea of fewer Duo auths to connect to and move files between my workstation and CARC.

Your announcement specifically mentions hpc-transfer2 as moving behind the firewall, but will hpc-transfer1 still be public facing? And if so, could one SSH into hpc-transfer1 (with Duo) and then SSH into the login nodes? If so, having that (or a similar system) stay available as a well-locked-down proxy host for outside connections would take care of most of my concerns.
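The proxy-host workaround raised in both of Kevin's posts (a public, 2FA-protected host that one SSHes into first, then on to the login nodes) is exactly what OpenSSH's ProxyJump does on the client side. The following is an added example, not CARC's configuration or anything from the thread: a small shell function that writes such a client config. All hostnames and the username are placeholders; CARC has not said which host, if any, will remain public. The config keeps the bastion as the only host that sees the Duo prompt, reuses that one authenticated connection for later sessions (fewer Duo prompts), and never forwards the user's agent or key to the intermediate host.

```shell
#!/bin/sh
# Added example (not CARC's own configuration): an OpenSSH client config that
# routes every connection to a login node through a public-facing, 2FA-protected
# bastion, so the user only ever types the name of the final host.
# Placeholders: bastion.example.edu (the public proxy host), login.example.edu
# (the login node behind the firewall) and the username "kevin".
# Inline comments are not allowed in ssh_config, so every comment is on its own line.

write_jump_config() {
  # $1 = path of the config file to write (in practice ~/.ssh/config)
  cat > "$1" <<'EOF'
# The public proxy host: this is the only hop that prompts for Duo.
Host bastion
    HostName bastion.example.edu
    User kevin
    # Reuse one authenticated connection for later sessions, so each new
    # terminal or scp does not trigger another 2FA prompt for ten minutes.
    ControlMaster auto
    ControlPath ~/.ssh/cm-%C
    ControlPersist 10m

# The login node behind the firewall, reached through the bastion.
Host discovery
    HostName login.example.edu
    User kevin
    # Equivalent to: ssh -J bastion login.example.edu
    ProxyJump bastion
    # ProxyJump tunnels TCP only; the private key and agent never touch the
    # bastion, so there is no reason to forward the agent to it.
    ForwardAgent no
EOF
  # Client config files must not be group- or world-readable.
  chmod 600 "$1"
}

# Resolves the ProxyJump target for a host name in a given config file.
# Used only to confirm the written config says what we expect.
jump_host_for() {
  # $1 = config file, $2 = Host alias
  awk -v want="$2" '
    $1 == "Host"      { current = $2 }
    $1 == "ProxyJump" && current == want { print $2 }
  ' "$1"
}
```

With the config written to `~/.ssh/config`, `ssh discovery` (or `scp file discovery:`) first opens the bastion connection, answers Duo once, and then connects onward; the same thing can be done without a config file as `ssh -J bastion.example.edu login.example.edu`. Whether this workaround is actually available depends on CARC keeping a public SSH host such as hpc-transfer1, which the thread leaves open.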