Blueprint: Using OpenVPN for remote access to the cloud
UKC-GEN-135
UKCloud Ltd 2
OVERVIEW
Secure remote access to the cloud is essential to cloud adoption and use. UKCloud Compute-as-a-Service comes with a dedicated vShield Edge Gateway — a simple, easy-to-use solution that supports IPSEC site-to-site VPNs and a limited number of remote access client VPNs designed for occasional use.
Customers who require a more flexible and scalable solution can deploy their own choice of virtual appliances (either open source solutions such as OpenVPN or commercial solutions from a supplier such as Cisco, F5 or Palo Alto) instead of using the limited VPN service provided with the vShield Edge Gateway appliance.
This Blueprint describes how to install and configure the OpenVPN virtual appliance on our cloud platform to support client access VPNs. OpenVPN is a licensed product: without a license key, you're limited to two concurrent VPN connections only. If you require additional concurrent connections, you'll need to obtain and install a license key.
IN THIS BLUEPRINT
Preparing your virtual data centre 3
Obtaining and deploying the OpenVPN appliance 4
Performing initial and admin configuration 6
Logging in and connecting 9
Securing the appliance 10
For more help 12
About UKCloud 13
Blueprint: Using OpenVPN for remote access to the cloud 3
PREPARING YOUR VIRTUAL DATA CENTRE
The first step is to prepare your virtual data centre (VDC). To secure your environment, we recommend you deploy the OpenVPN appliance onto a new, routed organisation VDC (Org VDC) network to which, ideally, no other virtual machines (VMs) will connect. This will enable you to tightly control access from VPN clients to the VMs in your environment using firewall rules on the vShield Edge Gateway. However, if you are approaching the network interface limit of your vShield Edge Gateway, it is possible to deploy the OpenVPN appliance into an existing Org VDC network.
Create a new Org VDC network
1. In vCloud Director, click the Administration button.
2. Select your VDC, then click the Org VDC Networks tab.
3. Click the green plus icon to add a new network.
4. Choose the option to create a routed network, and provide the network addressing information.
Configure your Edge Gateway
Click the Edge Gateways tab, then right-click your gateway and select Edge Gateway Services.
You'll need to create the following:
- Source NAT rule to give the OpenVPN appliance outbound access to the internet
- Destination NAT rule to allow inbound access from the internet to the OpenVPN appliance
- Firewall rule to allow inbound access from the internet on port 443
- Firewall rule(s) to allow users connected to the OpenVPN appliance to access VMs on other networks for administration purposes — VPN users will be NATed to the IP address of the OpenVPN appliance
- Firewall rule(s) to allow access from trusted environment(s) to the OpenVPN appliance on the admin port — port 943 by default, but this can be changed
OBTAINING AND DEPLOYING THE OPENVPN APPLIANCE
To ensure you're running the latest release of OpenVPN, we suggest you first download the latest version of the appliance from the OpenVPN website. To do this:
1. Go to https://openvpn.net/index.php/access-server/download-openvpn-as-vm.html
2. Select the Virtual Appliance for VMware ESXi.
3. Download the OVA template.
To deploy the OpenVPN appliance:
1. Log on to the UKCloud portal.
2. Access vCloud Director.
3. Click the My Cloud button and select vApps.
4. Click the button Add vApp from OVF.
5. Select the OVA you downloaded. The appliance will be deployed as a single VM inside a vApp.
6. Give the vApp a name, then select the appropriate VDC and click Next.
7. Select the appropriate storage policy and click Next.
8. Give the VM a name, then click the Advanced Networking checkbox.
You'll now be able to select the appropriate network and change the IP assignment method. We suggest you deploy the VPN appliance to its own network segment (as described in the section 'Preparing your virtual data centre') and use the Static — IP Pool method of IP assignment.
Then continue through the wizard to the end. You don't need to make any other changes unless you wish to customise settings to suit your environment.
Once the vApp has deployed and powered on, you will need to reset (reboot) the VM before logging in for the first time. This will force the networking changes made during your VMware guest customisations to take effect before you start configuring OpenVPN.
PERFORMING INITIAL AND ADMIN CONFIGURATION
Initial configuration
To perform the initial configuration, you'll need to connect to the VM console. To do this, log on to the VM with the username root and password openvpnas.
Once you've logged on, you'll need to answer the following questions:
Question and suggested answer
- Licence agreement: Select Yes to accept.
- Will this be the primary Access Server node? Select Yes.
- Network: If the guest customisations were applied correctly, this will default to eth0, which should be configured with an IP address on the network you selected during deployment.
- Admin web UI: Accept the default 943 or choose your desired port number. A separate port for administration is recommended but not strictly needed.
- TCP port for OpenVPN daemon: We recommend you use the default of 443 if possible — using a non-standard port may cause problems when connecting from corporate networks.
- Should client traffic be routed by default through VPN? Selecting Yes will prevent client devices from accessing any other networks (eg your corporate network) while the VPN is connected. (This is sometimes referred to as split tunnelling.) For ease of use, we suggest you answer No to this question, but you should refer to your security policy.
- Should client DNS traffic be routed by default through VPN? If you answered Yes to the previous question, all traffic will be routed through the VPN anyway, so your answer here will not matter. If you answered No to the previous question, you will probably want to answer No to this question as well, so that your DNS queries are answered by the usual servers.
- Use local auth via internal DB: Select Yes, unless you want to authenticate users from an existing directory service (Active Directory/LDAP).
- Should private subnets be accessible to clients by default? Select Yes to be able to access your cloud networks via the VPN.
- Do you wish to log in to the admin UI as openvpn? Select Yes to create a local user account named openvpn. If you answer No, you'll need to set up a different username and password.
- License key: Leave blank unless you've purchased a license, in which case enter the license key.
If you opted to use the default openvpn account, you will need to set its password:
# passwd openvpn
While you're connected to the console, you can carry out a few additional system configurations, described below.
Check the DNS resolver configuration is in place
During tests we discovered that this is not added by the VMware guest customisations.
# pico /etc/network/interfaces
Use the arrow keys to scroll down. Below the line specifying the default gateway, add the following:
dns-nameservers 8.8.8.8
Press ^O to save the file, then ^X to exit the text editor.
For the change to take effect, you'll need to restart the networking service:
# service networking restart
Configure the keyboard
The default configuration is for a US keyboard. To reconfigure for the UK:
# dpkg-reconfigure keyboard-configuration
Step through the wizard. There is no need to restart anything once you've finished.
Apply updates
It is a good idea to apply the latest upgrades to the system:
# apt-get update && apt-get upgrade
You'll be prompted to approve the installation of updates.
Install NTP
This is good practice, and is required if you intend to use two-factor authentication via Google Authenticator.
# apt-get install ntp
Once the NTP installation is complete, you'll need to update the configuration file to point to UKCloud’s NTP servers.
# pico /etc/ntp.conf
Use the arrow keys to scroll down until you reach the lines beginning with ‘server.’
Change the first two lines to reflect the UKCloud servers, and comment out the remaining two lines:
server 37.26.90.192
server 37.26.94.232
You can now press ^D to log off the console.
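The console edits from the steps above, performed non-interactively, as an added example that is not part of the blueprint. It assumes the file paths the document names and that the ntp package's init script is called ntp; with no argument it only defines the functions, so they can be tried on copies of the files first.

```shell
# Added example (not part of the UKCloud blueprint): performs the console edits
# from the steps above non-interactively instead of in pico. File paths are
# those the document names; the ntp init script name is an assumption.

# Insert a dns-nameservers line directly below the 'gateway' line of an
# interfaces file, keeping its indentation; no-op if one is already present.
add_dns_nameserver() {
    file="$1"; ns="$2"
    if grep -q '^[[:space:]]*dns-nameservers' "$file"; then
        return 0
    fi
    awk -v ns="$ns" '
        { print }
        /^[[:space:]]*gateway[[:space:]]/ {
            match($0, /^[[:space:]]*/)
            print substr($0, 1, RLENGTH) "dns-nameservers " ns
        }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    grep -q '^[[:space:]]*dns-nameservers' "$file"   # fails if no gateway line was found
}

# Rewrite the 'server' lines of an ntp.conf: the first two become the given
# servers and any further ones are commented out, as the text describes.
set_ntp_servers() {
    file="$1"; s1="$2"; s2="$3"
    awk -v s1="$s1" -v s2="$s2" '
        /^server[[:space:]]/ {
            n++
            if (n == 1) { print "server " s1; next }
            if (n == 2) { print "server " s2; next }
            print "#" $0; next
        }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Number of active (uncommented) server lines, as a sanity check.
active_ntp_servers() {
    grep -c '^server[[:space:]]' "$1" || true
}

# Run as 'sh script.sh apply' on the appliance console; with no argument it
# only defines the functions.
if [ "${1:-}" = "apply" ]; then
    add_dns_nameserver /etc/network/interfaces 8.8.8.8
    service networking restart
    apt-get update && apt-get -y upgrade
    apt-get install -y ntp
    set_ntp_servers /etc/ntp.conf 37.26.90.192 37.26.94.232
    service ntp restart   # assumed init script name for the ntp package
fi
```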
Configure admin options
To configure admin options, log on to the admin interface at https://<ip_addr>/admin
Once you've logged on, you'll need to set the host name. To do this:
1. Select Server Network Settings.
2. Set the host name to either a public IP address or a fully qualified domain name (FQDN) that your client will be able to resolve.
3. Save settings on this page before moving on.
4. Under the Routing section, select the VPN settings tab.
5. Add any additional subnets that your VPN users should have access to. These will usually be the IP subnets configured on all of your Org VDC networks.
This is the minimum configuration required in order to be able to establish a VPN connection.
Add Users
Under User Management select User Permissions to create new local user accounts. To set the password for each account, click the Show link in the More Settings column. Use complex passwords.
LOGGING IN AND CONNECTING
You can download the VPN client software and connection profiles directly from the appliance. To do this, browse to https://<ip_addr>/ and log in with a valid username and password.
When the client software and/or profile is downloaded, a client certificate is included which is required for authentication.
Once the client software and/or profile have been installed, connections can be initiated directly from the client.
SECURING THE APPLIANCE
We strongly suggest that you further secure the appliance. The following changes are recommended.
Change default passwords
If you have not already done so, change the root password to something more secure.
To do this, log on to the console as root with password openvpnas.
To change the password:
# passwd
Lock down unused ports with iptables
The openvpn config utility adds the required ALLOW entries to iptables automatically, so you just need to deny all other traffic:
# iptables -A INPUT -j DROP
Enable two-factor authentication via Google Authenticator
You can do this using the OpenVPN Admin interface.
1. Browse to https://<ip_addr>/admin and log on with the default account.
2. Select the Client Settings menu under Configuration.
3. Click the checkbox to enable Google Authenticator support.
To enter/scan the Google Authenticator secret, users will need to:
1. Log in to the client portal at https://<ip_addr>/ and select Login.
2. Configure the secret.
3. Click the 'I scanned the QR code' button to enforce two-factor authentication.
Disable root SSH login
If you're connecting via SSH, best practice is to connect using a non-privileged account, then sudo to root if needed. This prevents an attacker from brute-forcing the root password.
# pico /etc/ssh/sshd_config
Use the arrow keys to scroll down the file, and change the PermitRootLogin line to no.
Disable the default account
During the initial setup, you will have created a username and password to log in to the Admin web interface. This account, whose default name is openvpn, is configured to be always active, disregarding its status in the User Permissions area. In addition, if you configured two-factor authentication via Google Authenticator, this is not enforced for the default account.
To disable the default account:
# pico /usr/local/openvpn_as/etc/as.conf
Use the arrow keys to scroll down the file until you see entries starting with boot_pam_users. Comment out the entry that matches the username you chose for the default account. This is usually the boot_pam_users.0= entry.
For this change to take effect, you'll need to restart the OpenVPN service:
# service openvpnas restart
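The hardening steps of this section applied non-interactively, with a check for each edit, as an added example that is not part of the blueprint. It assumes the file paths named above and that the sshd init script is called ssh; run it from the VM console rather than over SSH, because the iptables catch-all takes effect as soon as it is added.

```shell
# Added example (not part of the UKCloud blueprint): applies and verifies the
# hardening edits above non-interactively. File paths are those the document
# names; the ssh service name and the 'apply' wrapper are assumptions.

# Set PermitRootLogin to no, replacing an existing (possibly commented-out)
# directive or appending one if the file has none.
disable_root_ssh() {
    file="$1"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]' "$file"; then
        sed -E 's/^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'PermitRootLogin no\n' >> "$file"
    fi
}

# sshd honours the first occurrence of a keyword, so that is the one checked.
root_ssh_disabled() {
    val=$(grep -E '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" | head -n 1 | awk '{print $2}')
    [ "$val" = "no" ]
}

# Comment out the boot_pam_users.N= entry naming the default admin account
# (openvpn unless another name was chosen during initial configuration).
disable_default_account() {
    file="$1"; user="$2"
    sed -E "s/^(boot_pam_users\.[0-9]+=$user)\$/#\1/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# True when no active boot_pam_users entry still names the account.
default_account_disabled() {
    ! grep -Eq "^boot_pam_users\.[0-9]+=$2\$" "$1"
}

# Run as 'sh script.sh apply' on the appliance; with no argument it only
# defines the functions so they can be checked first.
if [ "${1:-}" = "apply" ]; then
    disable_root_ssh /etc/ssh/sshd_config
    service ssh restart              # assumed service name for sshd
    disable_default_account /usr/local/openvpn_as/etc/as.conf openvpn
    service openvpnas restart
    iptables -A INPUT -j DROP        # catch-all after the ALLOW rules OpenVPN AS adds; not persisted across reboots
fi
```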
FOR MORE HELP
Unfortunately, UKCloud Support cannot help you with troubleshooting or modifying any of the scripts provided in this document.
Please refer to online documentation for OpenVPN: https://openvpn.net/howto.html.
If you need further advice or guidance regarding your Secure Remote Access options, contact your Account Director. UKCloud has a talented team of cloud architects and a large number of partners who may be able to assist you.
ABOUT UKCLOUD
UKCloud has developed a range of cloud services designed specifically for the UK public sector, to help increase efficiencies, reduce costs, significantly improve procurement times and increase transparency. Our services are easy to adopt, easy to use and easy to leave to ensure that our customers remain in complete control, with minimum risk, reassured by the fact UKCloud's services are Pan Government Accredited (PGA) up to IL3 and so suitable for all data at OFFICIAL (including OFFICIAL-SENSITIVE).
UKCloud’s full offering consists of IaaS, PaaS and SaaS products:
1. IaaS – seven offerings around Compute and Storage on demand
2. SaaS – offerings around messaging and secure file synchronisation
3. PaaS – based upon open-source Digital Application Platform and Hadoop
All of UKCloud’s UK sovereign cloud computing services are hosted in one (or both) of our highly resilient tier 3 UK data centres in Farnborough and Corsham. UKCloud services are delivered with leading technologies from UKCloud Alliance Partners: QinetiQ, VMware, Cisco, EMC and Ark Data Centres. The Cloud Alliance also provides a collaborative resource which drives innovation and technical product development, helping to continually improve UKCloud’s offering to meet the needs of the UK public sector.
UKCloud is focused on providing cloud services in a more agile, secure and cost-effective manner. We strive to deliver solutions that harness technology as a way to facilitate the changes that are needed to streamline processes and reduce costs to support the UK public sector and, ultimately, UK citizens and taxpayers.
MORE INFORMATION
For further information about UKCloud and how we can help you, please send an email to
UKCloud Ltd
A8 Cody Technology Park
Ively Road
Farnborough
Hampshire
GU14 0LX
+44 (0)1252 303300
www.ukcloud.com
Reasonable efforts have been made to ensure the accuracy of the information contained in this document. No advice given or statements or recommendations made shall in any circumstances constitute or be deemed to constitute a warranty by UKCloud Ltd as to the accuracy of such advice, statements or recommendations. UKCloud Ltd shall not be liable for any loss, expense, damage or claim howsoever arising out of the advice given or not given or statements made or omitted to be made in connection with this document.
No part of this document may be copied, reproduced, adapted or redistributed in any form or by any means without the express prior written consent of UKCloud Ltd.
© UKCloud Ltd 2016 All Rights Reserved.
UKC-GEN-135 • 07/16