vpn-cubed 2.x datacenter connect lite edition · launch openvpn start openvpn. on windows xp and...

Copyright 2011 - CohesiveFT

VPN-Cubed 2.x Datacenter ConnectLite Edition

v201107

1

Monday, October 10, 2011

cfffff


Requirements

You have an Amazon AWS account that CohesiveFT can use for enabling your access to the VPN-Cubed Manager AMIs.

Ability to configure a client (whether desktop based or cloud based) to use OpenVPN client software.

Ability to use the Amazon EC2 Command Line tools is preferred.

You have a compliant IPsec firewall/router networking device:-Preferred: Cisco ASA

-Validated: Cisco 1800, Cisco PIX, Juniper JunOS Models, Fortigate (3 years old or less), Watchguard Firebox (3 years old or less)

-Best Effort: Any IPsec device that supports: IKE1 or IKE2, AES256 or AES 128 or 3DES, SHA1 or MD5, AND NAT-Traversal

-Will Not Work: Checkpoint

2


cfffff


Getting Help with VPN-Cubed

3

This guide uses Cisco’s Adaptive Security Device Manager UI. Setting up your IPsec Extranet device may have a different user experience than what is shown here. All the information entered in this guide will be same regardless of your UI or cmd line setup.

Please send all support inquiries to:

[email protected]


mailto:[email protected]



Your Configuration Begins Here!

4


cfffff


Firewall Considerations

VPN-Cubed Manager instance uses the following TCP and UDP ports.- UDP 1194

For client VPN connections; must be accessible from all servers that will join VPN-Cubed topology as clients.

- TCP 8000 HTTPS admin interface; must be accessible from hosts where you will want to obtain runtime status or configure peering, also needs to be open to and from the managers at least for the peering process, and needs to be accessible when downloading credentials for installation on overlay network clients.

- UDP 500 and 4500These ports are used for IPsec NAT-TRAVERSAL and need to be configured in your IPsec device. If you would like the EC2 IPsec Gateway to be able to initiate a connection (for example in the event of a broken connection) then you need to allow the public IP address of the gateway to connect to your IPsec device over these ports. If you want your IPsec device to initiate the connection, then these ports need to be opened to the public address of your IPsec device in the EC2 Security Group your gateway AMI was launched in.

5


cfffff


Remote Support

6

Note that TCP 22 (ssh) is not required for normal operations.

Each VPN-Cubed Manager is running a restricted SSH daemon, with access limited only to CohesiveFT for debugging purposes controlled by the user via the Remote Support toggle and key exchange generation.

In the event CohesiveFT needs to observe runtime state of a VPN-Cubed Manager in response to a tech support request, we will ask you to open Security Group access to SSH from our support IP range and Enable Remote Support via the Web UI.

CohesiveFT will send you an encrypted passphrase to generate a private key used by CohesiveFT Support staff to access your Manager. Access to the restricted SSH daemon is completely controlled by the user. Once the support ticket has been closed you can disable remote support access.


cfffff


Sizing Considerations

VPN-Cubed Lite Managers are available as 32bit images. The Enterprise Edition provides 64bit images on request. Contact us at [email protected] for AMI information.

VPN Cubed Managers currently generate 1024 bit keys for connecting the clients to the overlay network via the “clientpacks”. Smaller or larger encryption keys can be provided upon request (from 64 bit to 2048 bit).

7


mailto:[email protected]?subject=64bit%20VPN-Cubed%20Manager%20AMIs

mailto:[email protected]?subject=64bit%20VPN-Cubed%20Manager%20AMIs

cfffff


Setting up the Amazon Security Groups Option 1:Use the Amazon EC2 command line tools

Download the latest Amazon API tools from:http://aws.amazon.com/developertools/368?_encoding=UTF8&jiveRedirect=1

At a system command line (Mac examples shown here, see the API Doc for Windows):export JAVA_HOME=/usr (Set Java Home directory)

export LAUNCH_HOME=/Users/me/Desktop/BYO/ec2 (Set the path to the directory where you unzipped the export)

export EC2_HOME=$LAUNCH_HOME/ec2apitools

export PATH=$PATH:$EC2_HOME/bin

export EC2_PRIVATE_KEY=$LAUNCH_HOME/myexcellentkey.pem (point to where you have your EC2 private key stored)

export EC2_CERT=$LAUNCH_HOME/myexcellentcert.pem (point to where you have your EC2 cert stored)

8


http://aws.amazon.com/developertools/368?_encoding=UTF8&jiveRedirect=1

http://aws.amazon.com/developertools/368?_encoding=UTF8&jiveRedirect=1

http://docs.amazonwebservices.com/AmazonEC2/gsg/2006-06-26/

http://docs.amazonwebservices.com/AmazonEC2/gsg/2006-06-26/

cfffff


Setting up the Amazon Security Groups Option 1:Command Examples

For US-East VPN-Cubed Manager:export EC2_URL=https://ec2.us-east-1.amazonaws.comec2-add-group vpncubed-mgr -d "vpncubed managers"ec2-add-group vpncubed-client -d "vpncubed clients"ec2auth vpncubed-mgr -P udp -p 1194 -o vpncubed-client -u AWS_ACCOUNTec2auth vpncubed-mgr -P udp -p 1195-1197 -o vpncubed-mgr -u AWS_ACCOUNTec2auth vpncubed-mgr -P tcp -p 8000 -o vpncubed-mgr -u AWS_ACCOUNTec2auth vpncubed-mgr -P tcp -p 8000 -s ip_address_of_your_firewall/32ec2auth vpncubed-mgr -P udp -p 500 -s ip_address_of_your_firewall/32ec2auth vpncubed-mgr -P udp -p 4500 -s ip_address_of_your_firewall/32

For US-West VPN-Cubed Manager:export EC2_URL=https://ec2.us-west-1.amazonaws.com<ec2 commands from above>

For EU-West VPN-Cubed Manager:export EC2_URL=https://ec2.eu-west-1.amazonaws.com<ec2 commands from above>

For APAC-Southeast VPN-Cubed Manager:export EC2_URL=https://ec2.ap-southeast-1.amazonaws.com<ec2 commands from above>

9


https://us-east-1.ec2.amazonaws.com


https://eu-west-1.ec2.amazonaws.com






cfffff


Setting up the Amazon Security Groups Option 2:Use the AWS Console

Select your desired region.

Click Security Groups in the left column menu.

Click Create Security Group in the Security Group window pane menu bar.

Create a vpncubed-mgr group (for the VPN-Cubed Managers) and a vpncubed-client group (for the VPN-Cubed Overlay Connected Devices).

Note the Security Group ID for the Client Group (sg-xxxxxxxx).

10


cfffff


Setting up the Amazon Security Groups Option 2:Add Exceptions to the vpncubed-mgr Group

Configure the vpncubed-mgr group with the following exceptions. Add exceptions to your vpncubed-client group as needed based on your topology.

UDP Exceptions:Custom UDP rule: ports 1194-1197 from Source vpncubed-client Security Group ID (sg-xxxxxxxx)Custom UDP rule: port 500 from the IP address of your Firewall/IPsec DeviceCustom UDP rule: port 4500 from the IP address of your Firewall/IPsec Device

TCP Exceptions:Custom TCP rule: port 8000 from Source vpncubed-client Security Group ID (sg-xxxxxxxx)Custom TCP rule: port 8000 from the IP address of your current location (http://whatismyip.com) to allow you to connect to the VPN-Cubed Manager UI

Click Apply Rule Changes.

11


http://whatismyip.com

http://whatismyip.com

cfffff


Launching VPN-Cubed Managers Option 1: From the CMD Line

Use the AMI IDs provided by CohesiveFT. Below are some examples of the launch command.

Launch your VPN-Cubed Manager in US region, in vpncubed-mgr security group:ec2run -U https://us-east-1.ec2.amazonaws.com AMI_ID_US -n 1 -g vpncubed-mgr

OR

Launch VPN-Cubed Manager in EU region:ec2run -U https://eu-west-1.ec2.amazonaws.com AMI_ID_EU -n 1 -g vpncubed-mgr

IMPORTANT: VPN-Cubed 2.0 AMIs do not need to be launched with a different kernel or ramdisk parameter as with previous VPN-Cubed AMI versions.

12






cfffff


Launching VPN-Cubed Managers Option 2 : Via ElasticFox

13

vpncubed-mgr


cfffff


Running VPN-Cubed Manager Instance Details

14

Once the Instance is running copy the Instance ID and Public IP Address to your worksheet.

Double Click the Running Instance in ElasticFox for Details

-or-

Enter the following command:

ec2-describe-instances instance_id

Note: the instance_id would have been displayed after launching via the command line


cfffff


Logging in and Configuring the Manager

15

Login to the VPN-Cubed Web UI - https://<Manager IP>:8000

In order to have an encrypted connection to the VPN-Cubed Manager, the web UI uses HTTPS with a self-signed certificate generated on each manager individually on boot. You may need to add a security exception in your browser.

Log in with a username of “vpncubed”, password is the instance id of this EC2 instance (i-XXXXXXX). You can obtain instance id with ec2-describe-instances command line, ElasticFox or AWS Console.

Three Configuration Options:- License Parameters (choose this when launching the first

Manager of a Customer Cloudlet) - Launch a new Manager using the default subnet or use a custom subnet.

- Upload runtime snapshot (choose this when recovering from a Manager failure) - Launch a copy of an old manager using a locally stored snapshot to retain old client packs.

- Fetch remote configuration (choose this when launching a second Manager of a Customer Cloudlet) - Launch a copy of an existing manager by grabbing configuration live.


cfffff


Logging in and Configuring the Manager Option 1:License Parameters

16

The resulting screen allows you to choose between the subnet range that comes preconfigured with the license or a customer subnet defined by your specific topo needs.

Click the “Custom” Radio button to specify a custom subnet range.

In addition to selecting a custom subnet range you can specify linear addressing for your Overlay Connected Devices (OLNDs).

In this example we use 172.31.10.0/24 for our custom subnet range. The Manager IP is 172.31.10.1 and the Overlay Connected Device IPs are 172.31.10.2-12. Your specific license might allow for more or less OLNDs.

Once you complete this step, the manager instance will reboot itself and will come up with your specified topology enabled and running.

Click Submit and reboot. Skip to Generate Keys on VPN-Cubed Manager.


cfffff


Logging in and Configuring the Manager Option 2:Upload runtime snapshot

17

If this manager is a replacement for another manager in an existing topology and you have a recent runtime snapshot from the old manager, you can instantiate the manager by uploading the snapshot. Uploading a snapshot will configure the new Manager the same as the old including using the same Client Packs for the connected Overlay Network Devices.

Once you have selected a locally stored snapshot, click Submit and reboot. Skip to Generate Keys on VPN-Cubed Manager.


cfffff


Logging in and Configuring the Manager Option 3:Fetch remote configuration

18

Fetching remote configurations can speed the configuration of Managers you wish to Peer to an existing topology.

Specify the IP address of the Manager from where you would like to fetch configuration. The security token is used for negotiation between Manager peers and must be the same for all Managers you intend to Peer with one another.

Click Submit and reboot. Skip to Generate Keys on VPN-Cubed Manager.


cfffff


Generate Keys on VPN-Cubed Manager

The Manager is now configured to the License specs (how many managers it can peer with, how many clientpacks are available, and how many ipsec links are available).

Click Generate New under SSL Certs and Keys in the left column.

During key generation you can specify a Topology name to be displayed in the Manager UI for a given set of peered Managers. This can be changed at anytime by clicking on the Topology Name left column menu item.

You will also be prompted for a security token. This can be anything you choose or left blank. The security token is used during keyset generation in order to make your topologyʼs keys as unique as possible.

Click Generate keys button. Key generator will be started in the background, and you can refresh screen to observe progress.

This process will generate the client credentials that will be loaded onto the devices you wish to connect to the VPN-Cubed overlay network.

NOTE: The Client Packs generated will depend on your license and if you selected to a custom subnet.

19


cfffff


Peering the Managers:Peering Manager 1

Click Setup Manager Peering.

Managers connect to each other in a process called Peering. Peered Managers create a redundant, highly available and secure overlay network and share traffic load from the overlay network connected servers.

The Peering Setup Page will display the number of Managers allowed to peer together in your topology as defined by the license file used to configure the Manager.

For Manager #1 select "this instance" from drop down, instead of specifying its IP. To be valid, your form must have "this instance" value in one and only one drop-down.

If your topology has unused Managers, leave the extra fields set to "not set”.

When done select Save Changes.

You should then get a status page showing that this manager was able to reach the other launched manager instance.

20


cfffff


VPN-Cubed Manager Status

21

The VPN-Cubed Manager is ready to setup an IPsec Tunnel.

You should see all your peered Managers listed under the “Links to Other Managers” section on each Manager Runtime Status Page.

Click IPsec under Peering left menu heading.

On the resulting IPsec page note the Configuration Settings needed for configuration. Click Define new remote endpoint.


cfffff


VPN-Cubed Manager Setup: Define a New Remote Endpoint

22

Enter descriptive name for the Endpoint configuration, this can be anything.

Occasionally there is another router between the IPsec firewall and the Internet. Enter the public facing IP address of either the IPsec device or router between EC2 and the IPsec device (see picture below).

Enter a Pre-shared Key and keep a record of that key to be entered into the IPsec device. In this example we use “VPNCubedRocks” for obvious reasons.

If your IPsec device is behind a router, enter the external IP interface of the IPsec device (see picture below).

Click Create. One the resulting page click New subnet.

Exta Config Parameters:We recommend connecting to the Manager with tunnels using AES256 encryption and SHA authentication for both IKE and ESP. Add the lines shown to the right - ike=aes256-sha1 and esp=aes256-sha1.

Extra Parameters can be found on the following page. Please contact [email protected] for assistance.




cfffff


IPsec Configuration: Extra Parameters

23

VPN-Cubed's IPSec subsystem is good at autodiscovery on IKE and ESP choices with a wide range of boxes. We recommend being as specific as possible when entering tunnel parameters. Match the algorithm, hash and DiffieH group for your gateway settings by specifying them in the "Extra Params" text field. We support combinations algorithms 3DES, AES128, or AES256; hashes SHA1 or MD5; and DH groups 2 or 5 (which are represented by the software we use as "modp1024" and "modp1536" respectively).

Example entries for IKE (Phase 1) and ESP (Phase 2) in the extra params box: ike=aes128-sha1ike=aes256-sha1ike=3des-md5-modp1024ike=aes256-sha1-modp1536phase2alg=aes256-sha1phase2alg=3des-sha1; modp1536(the "modpxxxx" value can only be added to phase2alg={value of esp} with a semi-colon as show above.)

PFS GroupExtra params entry for PFS Group is technically required only when it must be diff from pfs group in phase1. If that is the case, then use phase2alg={value of esp};modpXXXX

IKE and ESP Lifetimesikelifetime=3600s (default setting on VPN-Cubed)salifetime=28800s (default setting on VPN-Cubed)

Dead Peer Detection - Disabled by default, to enable DPD to attempt to re-connect during periods of no response use the following:dpdaction=restartdpddelay=30dpdtimeout=90


cfffff


VPN-Cubed Manager Setup: Setup a Subnet

24

Enter the subnet this is or will be configured behind the datacenter IPsec Extranet Device. In this example we used 192.168.3.0/24.

Provide a name for the Subnet to allow for easy identification in more complex topologies.

External Ping is a new optional feature for 2.0. It provides a pinging functionality over the IPsec tunnel that can be used in addition to IPsec DPD and Keep Alive settings to ensure the tunnel remains up during low traffic periods

Enter an IP address of a pingable server located on the Subnet specified.

Set the time interval (in seconds) for the ping.

Click Create.

Your VPN-Cubed Manager IPsec setup is complete. The next steps will detail setting the IPsec connection from your extranet device. Once the IPsec connection is live, this guide will detail how to add clients to the created overlay network.

Note the “Configuration Settings” values, you will need these to correctly configure your extranet device.


cfffff


Configuring the IPsec Extranet Device: Adding Network Objects

25

Note: As mentioned earlier these screenshots are from a Cisco ASA extranet device. Your setup user experience may differ slightly.

The first step in configuring any IPsec extranet device is to add the appropriate Network Objects. The screenshot to the right shows all the objects that need to be added. Their details are below:

- ec2_inside: inside NAT of your AWS subnet- inside-network: inside interface network of extranet device- inside_network_test_client: initial inside test IP for IPsec

connectivity- outside_network: outside interface network of extranet device- outsideinterface: address of outside interface of extranet device- vpncubed_mgr: public IP address of the VPN-Cubed Manager- vpncubed_mgr_inside: inside tunnel test for use before

connecting clients (VPN-Cubed IPsec to EC2 Test Gateway)


cfffff


Configuring the IPsec Extranet Device: VPN Wizard

26

Create a new VPN Tunnel.

The Cisco ASA used in this guide does this through a VPN Wizard. If you are using another facility to create your IPsec Tunnel, make sure to enter the same information we enter in the following slides.

Choose a Site-to-Site Tunnel Type.

Click Next

Tunnel Configuration ConsiderationsIf you want the tunnel to be perpetual and as close to "always on" as IPSec can do, then:- Your gateway should be using its "keepalive" feature, VPN-Cubed

has this enabled by default- Your gateway should be using Dead Peer Detection (DPD) with a

"restart" parameter in the event it believes tunnel is dropped- Your VPN-Cubed manager has DPD disabled by default, enable it

by adding "dpdaction=restart" “dpddelay=30” and “dpdtimeout=90” in the extra parameters box (no quotes needed).

- Your gateway should allow the VPN-Cubed manager to make a connection "inbound to it", by default the VPN-Cubed manager allows inbound connections and attempts outbound


cfffff



27

Enter the VPN-Cubed Managerʼs IP address in the “Peer IP Address” field.

Enter the same “Pre-Shared Key” entered from page 22 (our example used “VPNCubedRocks”).

Click Next


cfffff



28

Choose your Key Exchange Policy (IKE). Make sure it is the same as the one used in the VPN-Cubed Manager setup. On page 22 we used “AES-256.”

Click Next


cfffff



29

Select the ecryption and authentication algos for the Encapsulating Security Payload (ESP). Make sure it is the same as the one used in the VPN-Cubed Manager setup. Again our recommended setup uses “AES-256” from page 22.

Click Next


cfffff



30

Setting up Hosts and Networks.

The following information will setup a test tunnel to your VPN-Cubed Manager. After the tunnel is up and running you can return to this step and change the Source and Destination information to open up more traffic between your IPsec extranet device and the cloud.

Setup a test connection using “inside_network_test_client” as the Source and “vpncubed_mgr_inside” as the Destination.

The screenshot to the right shows how to open up your network to the overlay network at AWS, select the “inside-network” in the Source section and select “ec2_inside” in the Destination section.

Click Next


cfffff



31

Double check that all the information is entered correctly.

Click Finish


cfffff


IPsec Extranet Device: Session Details

32

Make sure the IPsec VPN session is up and running.

Goto Monitoring > VPN Statistics > Sessions

You should be able to see the session under LAN-to-LAN Click Details


cfffff


IPsec Extranet Device: Session Details

33

The Session Details will give you expanded information about your Key Exchange and IPsec status.


cfffff


VPN-Cubed Manager: Check the IPsec Status

34

To check the status of your IPsec connection from the VPN-Cubed Manager click on “Runtime Status.”

Each Subnet will be displayed as a connected tunnel. Click the Remote Subnet for tunnel parameters and to access the IPsec log for that specific connection.

If you do not see your IPsec Tunnel listed, it is not correctly configured. Double check that you have entered all the information correctly in both the VPN-Cubed Manager and your IPsec device. If you are having difficulties please email [email protected].

Repeat the steps on pages 22-33 to setup a second IPsec VPN tunnel to your overlay network.

NOTE: If you have 2 tunnels servicing the same datacenter subnet, these tunnels should not be up both at the same time.

If you have questions about setting up a second tunnel please contact us at [email protected].

Now that the IPsec Tunnel is up and running, clients in EC2 can be added to the secure Overlay Network extension of your Datacenter.




mailto:[email protected]?subject=VPN-Cubed%20IPsec%20to%20EC2%20Lite%20Edition:%20Tunnel%20Setup%20Question

mailto:[email protected]?subject=VPN-Cubed%20IPsec%20to%20EC2%20Lite%20Edition:%20Tunnel%20Setup%20Question

cfffff


IPsec Connection Trouble Shooting: Verbose Logging

35

VPN-Cubed allows users to enable Verbose Logging to help with IPsec connection troubleshooting.

To enable Verbose Logging click IPsec in the left column menu.

Click Logging on the IPsec Page.

Click the radio button next to verbose logging.

Click Submit.

NOTE: Verbose Logging is disabled by default and should remain disabled during normal operations. Leaving Verbose Logging enabled over a extended period of time can fill the Manager instances virtual disk drive. This causes the Manager to become inaccessible via the UI and requires our intervention to free up disk space.


cfffff


Client Configuration:Install Client Credentials

In the context of VPN-Cubed, “client” means devices which will be configured as members of the overlay network. These network members will usually be servers running in EC2. In more advanced editions of VPN-Cubed this includes desktop based client machines. Note the “Client Download” username and password on Status screen on every manager (username is “clientpack”).

On any Manager go to Client Packs and pick a client pack. A client pack can run on a single client at a time. If you shut down or disconnect client from the topology, you can reuse its client pack. The number of client packs provided in your license depends on your purchased parameters.

36


cfffff


Client Configuration:Security Group Exceptions

Depending on what OS your cloud-based clients are running you will need to add access to the vpncubed-client security group via RDP Port 3389 (Windows) or SSH Port 22 (Linux) in order to add the clientpacks. Additionally Port 8000 access will need to be opened between the vpncubed-mgr and vpncubed-client security groups.

For Linux Clients Configuration follow the steps on pages 38-42

For Windows Clients Configuration follow the steps on page 43-49

37


cfffff


Linux Client Configuration:Add SSH Client Access

In order to SSH into your cloud-based Linux client servers SSH access must be granted from your IP to TCP Port 22 in the vpncubed-client security group.

Using the EC2 command line:ec2auth vpncubed-client -P tcp -p 22 -s your_physical_machine_IP/32

Once you have successfully downloaded the client key credentials from the manager to the client machines you can revoke this authorization. ec2revoke vpncubed-client -P tcp -p 22 -s your_physical_machine_IP/32

38


cfffff


Linux Client Configuration:Add Port 8000 Access from Client to Manager Group

To allow clients launched in the vpncubed-client security group to download their credentials via their command line, you need to MOMENTARILY enable port 8000 access between the vpncubed-mgr and the vpncubed-client groups. Or you download credentials from the VPN-Cubed Manager to an admin machine and then SCP them up to the client - where you would only need the SSH exception described on the previous page.

Using the EC2 command line:ec2auth vpncubed-mgr -P tcp -p 8000 -o vpncubed-client -u AWS_ACCOUNT

Once you have successfully downloaded the client key credentials from the manager to the client machines you can revoke this authorization. ec2revoke vpncubed-mgr -P tcp -p 8000 -o vpncubed-client -u AWS_ACCOUNT

39


cfffff


Linux Client Configuration:Install Client Credentials

TWO PHILOSOPHIES FOR INSTALLATIONa) SSH Port 22 Exception Only - Have ssh access into a client server (if only for the duration of installation). Download credentials to your trusted admin machine via the VPN-Cubed Manager “Client Packs” link. SCP them into the client machines, and then SSH into the client machines to complete the configuration.

b) Port 22 and Port 8000 Exception - Allow port 8000 and port 22 access as described on the previous pages to a Manager. SSH into the client machine and download the credentials from its command line using the following URL:

wget --no-check-certificate https://clientpack:**PASSWORD**@{Manager_IP}:8000/credentials/{name_of_clientpack}.tar.gz

Something like: wget --no-check-certificate https://clientpack:[email protected]:8000/credentials/172_31_1_53.tar.gz

NOTE: The clientpack:password combination is on the status screen of each of the VPN-Cubed Managers.

40


https://clientpack:9c50eb1a78cabfa77663d0429bdd2930c4a3de12@ec2-174-129-124-113.compute-1.amazonaws.com:8000/credentials/172_31_1_53.tar.gz




cfffff


Linux Client Configuration:Install OpenVPN

You can either install OpenVPN 2.1 on physical servers or virtual servers you already possess to connect those devices to the VPN-Cubed overlay network. For a quick test you might want to use the Elastic Server factory at http://elasticserver.com. You can quickly assemble a representative application stack for testing in the overlay network and easily deploy to the your Amazon account. Use the “OpenVPN for VPN-Cubed 2.1” bundle in your servers for a ready-made VPN-Cubed client. You will still have to install a client pack on that device once launched locally or in the EC2 cloud, and configure the file /etc/openvpn/vpncubed.conf.

Extract clientpack contents to /etc/openvpn directory (consult OpenVPN documentation for your OS if not found).

Edit the vpncubed.conf add the managers you want this client to connect to in priority at the bottom of the file:remote MANAGER_DNS_ADDRESS 1194

Use the public DNS URL of the Manager for the remote entry. In multiple Manager topologies the order of remote commands matters - client will try to connect to the first remote endpoint, if not successful - to the second, and so on. You may want to evenly distributed clients among managers by varying the order of "remote" commands on each client.

41


http://openvpn.net/index.php/open-source/downloads.html


http://elasticserver.com

http://elasticserver.com

cfffff


Linux Client Configuration:Launch OpenVPN

Start openvpn. On Linux OSs this is done using the /etc/init.d/openvpn start command.

Your client will get a virtual IP address that corresponds to the clientpack it received.WARNING: If you accidentally give the same client credentials to 2 different devices you will notice the two clients popping off and on the overlay network inside the VPN-Cubed manager Status screen. Only one device can have a set of credentials in the same topology at a time.

Adjust local firewall on the client if necessary (on Linux, your tunnel device name will be tun0).

Verify connectivity by pinging 172.31.10.1, 172.31.10.2 (the IPs we setup for our Managers on page 15) for manager MGR1 and MGR2, respectively. Usually, the manager whose "remote" line appears first in /etc/openvpn/vpncubed.conf will be pingable first, other managers will become pingable once they learn about new client.

42


cfffff


Windows Client Configuration:Add RDP Client Access

In order to RDP into your cloud-based Windows client servers RDP access must be granted from your IP to TCP Port 3389 in the vpncubed-client security group.

Using the EC2 command line:ec2auth vpncubed-client -P tcp -p 3389 -s your_physical_machine_IP/32

Once you have successfully downloaded the client key credentials from the manager to the client machines you can revoke this authorization. ec2revoke vpncubed-client -P tcp -p 3389 -s your_physical_machine_IP/32

43


cfffff


Windows Client Configuration:Add Port 8000 Access from Client to Manager Group

To allow clients launched in the vpncubed-client security group to download their credentials via IE, you need to enable port 8000 access between the vpncubed-mgr and the vpncubed-client groups.

Using the EC2 command line:ec2auth vpncubed-mgr -P tcp -p 8000 -o vpncubed-client -u AWS_ACCOUNT

Once you have successfully downloaded the client key credentials from the manager to the client machines you can revoke this authorization. ec2revoke vpncubed-mgr -P tcp -p 8000 -o vpncubed-client -u AWS_ACCOUNT

44


cfffff


Windows Client Configuration:Install Client Credentials

RDP into the Windows Machine using the Administrator credentials specified when launching the server.

Navigate to https://<Public Manager IP>:8000 in IE.

Login using the default vpncubed for the password and username or the password you changed on your first login.

Click Client Packs on the left menu.

Download the appropriate client pack zip file to the Windows machine.

45


cfffff


Windows Client Configuration:Install OpenVPN

Install OpenVPN 2.1 on physical servers or virtual servers you already possess to connect those devices to the VPN-Cubed overlay network.

On Vista you will need to have admin privileges to install the software. You will have to install a client pack on the Windows desktop machine and put the client pack files in \Program Files\OpenVpn\config\RENAME vpncubed.conf to vpncubed.ovpn !!!!

Edit the vpncubed.ovpn and add the managers you want this client to connect to in priority at the bottom of the file: remote MANAGER_DNS_ADDRESS 1194

Use the public DNS URL of the Manager for the remote entry. In multiple Manager topologies the order of remote commands matters - client will try to connect to the first remote endpoint, if not successful - to the second, and so on. You may want to evenly distributed clients among managers by varying the order of "remote" commands on each client.

46




cfffff


Windows Client Configuration:Launch OpenVPN

Start openvpn. On Windows XP and Vista this can be done through the Services tool or via the command line “openvpn vpncubed.ovpn”.

On Vista if you run it from the command line you will need to know how to start a command line with administrative privileges. Details here: http://www.howtogeek.com/howto/windows-vista/run-a-command-as-administrator-from-the-windows-vista-run-box/

Alternatively, start the OpenVPN service from the Services tool. On Vista and Win2k servers OpenVPN also has a graphical tool - OpenVPN GUI.

Your client will get a virtual IP address that corresponds to the clientpack it received. WARNING: If you accidentally give the same client credentials to 2 different devices you will notice the two clients popping off and on the overlay network inside the VPN-Cubed manager Status screen. Only one device can have a set of credentials in the same topology at a time.

Adjust local firewall on the client if necessary.

Verify connectivity by pinging 172.31.10.1 or 172.31.10.2 (the IPs we setup for our Managers on page 16) for manager ID1, ID2,respectively. Usually, the manager whose "remote" line appears first in /etc/openvpn/vpncubed.conf will be pingable first, other managers will become pingable once they learn about new client.

47


http://www.howtogeek.com/howto/windows-vista/run-a-command-as-administrator-from-the-windows-vista-run-box/






cfffff


Windows Client Configuration:Launch OpenVPN

48


cfffff


Windows Client Configuration:Windows 2008 RegEdit Consideration

49

When setting up OpenVPN as a Service on Windows2008 there can be an issue with the machine resolving IPv6 instead of IPv4. Follow the steps below to fix the problem.

1. Go to "regedit"

2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters

3. Double-click the ArpRetryCount value, type 0, and then click OK. If it does not exist create a new REG_DWORD, rename to ArpRetryCount, and set the value to 0.

4. Reboot the machine


cfffff


Client Configuration: Clients in the overlay network

50

The key elements of the display to look for are the connections to that managerʼs peer, both showing the local processes are running and the link as up. You should see the clients listed in the client table at the bottom, connected to the appropriate manager.

If this is not the case please check the items listed on the “Troubleshooting” page of this document.



VPN-Cubed Firewall Tool

51


cfffff


VPN-Cubed Firewall

52

VPN-Cubed Firewall is controlled using IPTables syntax. For more information - http://linux.die.net/man/8/iptables. Look for PARAMETERS section and below.

In general, you write a specification of a packet to match and what to do with this packet. Customer rules are applied in the middle of overall rules on the manager.

If customer rules don't reject a packet, it will be allowed.

Order of rules matters - rules are applied from top to bottom up to the first match. If not match is found, packet is allowed.

"-j ACCEPT" allows a packet. "-j DROP" drops a packet. "-j REJECT" sends an appropriate notification to sender saying such and such packet was rejected (depends on protocol).

Basic examples:

* Drop all packets from 1.1.1.1 to 2.2.2.2 -s 1.1.1.1 -d 2.2.2.2 -j DROP

* Drop all traffic from 192.168.3.0/24 (entire subnet) except 192.168.3.11: -s 192.168.3.11 -j ACCEPT -s 192.168.3.0/24 -j DROP


http://linux.die.net/man/8/iptables

http://linux.die.net/man/8/iptables


Change Username and Password

53


cfffff


Change Username and Password

54

Username and Password can be changed via the Left Column Menu Items.



Save Manager Configuration with Runtime Snapshots

55


cfffff


Runtime Snapshots save the Manager Configuration

56

Once your VPN-Cubed Managers and Clients are configured and running, save the configuration with Runtime Snapshots. Snapshots can be used to reconfigure a new Manager with the same SSL Certificates and Keyset with just one file upload.

Click the “Runtime Snapshots” link to take a new snapshot or view/download available snapshots.

Download the snapshot to your local network. In the event of a Manager failure or re-provisioning event, you can upload the snapshot file to a new VPN-Cubed Manager. The new Manager will retain all the configuration settings as your saved snapshot.

If you are utilizing Elastic IPs, once the Elastic IP is transferred to the new Manager, your overlay network devices will automatically connect back with the Managers. Save time on both Manager and client configuration.


cfffff


Save and Download a Snapshot

57

Click the “Take New Snapshot Now” button to generate a new Snapshot.

The resulting screen will have the snapshot download link. Download the Snapshot and save locally.


cfffff


Upload a Snapshot

58

To use a Snapshot to configure a Manager click the “Import Runtime Snapshot” link.

Browse for your saved Snapshot and upload. The Manager will reboot with the updated configuration. The same client packs will be used to redistribution of the credentials to each Overlay Network Device (OLNDs) is not necessary.

A slight configuration change on each OLND is necessary if you have not assigned Elastic IPs to your Manager. The OpenVPN configuration file (vpncubed.ovpn) on each OLND needs the new IP of the new Manager referenced in the remote commands section.

To automate this step, you can assign an Elastic IP (see AWS billing for rates) to the Manager and reference the Elastic IP in each OLNDʼs OpenVPN configuration file.



Troubleshooting

59


cfffff


Troubleshooting and FAQ for theEC2 Managers

Client appears to be “hopping” on and off the network. This is usually the result of the same client keys being installed on two client machines in the network. Only one client machine can use a set of credentials at a given time.

Fetch Keyset appears to hang or not work. Check to see if the Amazon security group is correct for port 8000 between the manager you are getting the keyset from and the manager you are do the fetch from. If they are separated across Amazon USA and Amazon EU you will need to have thier security group reference the public IP addresses. When you do the “Fetch Keyset” command use the managers public IP address.

Manager IDs seem correct, EC2 security groups seem correct, but managers, especially ones launched via separate launch commands will not “peer”. Review your worksheet and your launch commands. Ensure that the managers were all launched with the same security token.

60



End

61


vpn-cubed 2.x datacenter connect lite edition · launch openvpn start openvpn. on windows xp and...

Documents