Using a SSL VPN to secure administrative access to your Enterprise in the Claranet VDC

Introduction

This post assumes the following:

  • You are using the pfSense firewall.
  • You are familiar with the Claranet VDC Platform.

Let’s imagine that you have been using the VDC platform for a while and have multiple virtual machines running in your account.

To gain access to your virtual machine you will either have:

  • Setup a jump box to proxy access

To access the virtual machines, you will first need to logon to the jump virtual machine (AKA a bastion host), and then logon to the destination virtual machine, this can be achieved for Windows by a terminal server session or for Linux using SSH. Configuration for this on the firewall is a single firewall rule for either SSH (Port 22) or MS RDP (port 3389) from outside to the jump virtual machine.

  • Setup multiple port forwarding rules on the firewall

To access virtual machines you will need to setup specific rules for each server to forward ports to backend servers. For example if we had 5 Linux machines that needed SSH access from the public internet and you only had 1 public IP address, you could setup port forwarding rules as follows to allow this:

  • WAN Address Port 8022 forwards to port 22 on virtual machine 1
  • WAN Address Port 8023 forwards to port 22 on virtual machine 2
  • WAN Address Port 8024 forwards to port 22 on virtual machine 3
  • WAN Address Port 8025 forwards to port 22 on virtual machine 4
  • WAN Address Port 8026 forwards to port 22 on virtual machine 5

The disadvantages of this, is that you will need to remember which port maps to which server.

  • Utilize multiple public IP addresses from the Shared Internet Access (SIA) range, and implement 1:1 NAT on each interface.

To access the virtual machines, you can configure multiple public SIA addresses on the pfSense firewall (instructions can be found at http://cloudhelp.claranet.com/content/getting-started-pfsense-firewall-image).

Each pfSense firewall can only have 8 interfaces, so if you have two VLANs in the private range where you deploy your virtual machines, then you are limited to 6 public IP addresses, 6 1:1 NAT rules, and 6 virtual machines that are directly accessible.

  • Use a routed DIA range

Using this method you can have a range of IP addresses allocated to you that can be mapped as a Virtual IP (VIP) address on your firewall and then 1:1 NAT can be achieved for as many public IP addresses you have purchased.

Unless there is no other way of achieving your business goal, this should not be used, this is due to the exhaustion of the IPV4 network range, see http://www.ripe.net/internet-coordination/ipv4-exhaustion/business-and-enterprise for information.

  • Use a MPLS connection with Claranet’s industry leading 3G network

Claranet have an industry leading wireless service that connects a 3G Dongle or 3G Router device directly into a secure private MPLS network (no traffic traverses the internet), see http://www.claranet.co.uk/networks/wireless-services.html for details.

This means that you can access virtual machines directly and securely from your PC or laptop.

  • Use an SSL VPN.

It’s a simple process to configure the pfSense firewall image to create a secure private tunnel directly into your VDC infrastructure. This can scale to many users and the users can directly access the virtual machines in your VDC account. This can be used in conjunction with many of the above methods to add flexibility, for example you could use a MPLS connection for users in static locations and use a SSL VPN connection for roaming users.

By far the easiest and most cost effective solution for a low number of users is to use an SSL VPN. This document describes the process of setting up a simple low cost SSL VPN (costs apply for resources used on the VDC platform for the pfSense firewall, which it is assumed you are already running to provide security for your cloud application).

Installing the pfSense Firewall VPN Edition

There is a special edition that includes the SSL VPN Client Export functionality that needs to be installed. This can be obtained from the following location http://www.sittingonthe.net/vdc/pfsense-vpn.vmdk , this will need to be imported into your VDC account.

Obtain the image at the above location, and using an FTP client upload to importer-uk-gsl2.cloud.claranet.com using your VDC account details as logon credentials.

After a few seconds the import process will complete and the image will appear in your application library, you may need to click on the refresh button highlighted in red below:

clip_image002

You will need to deploy the pfSense SSL VPN edition using the standard methods, making sure that the WAN interface is the first interface configured in the network section of the configuration.

The image has the following defaults:

  • 1 vCPU, 1024MB Memory, 8GB Disk Space.
  • Administrator Accounts:
    • Admin username – admin
    • Admin password – v1rtu4LDC
    • Superuser user name – superuser
    • Superuser password – v1rtu4LDC
    • Management interface accessible on WAN interface via HTTPS on port 9443
    • https://<WAN IP>:9443
    • Replace <WAN IP> with your WAN IP Address.

 

Configuring the pfSense Firewall

Logon to the firewall on the management interface (listed above) using an administrator’s account.

clip_image004

Select OpenVPN from the VPN dropdown menu.

clip_image006

The following web page will appear:

clip_image008

Click on the + icon on the right to add an OpenVPN Server.

Select the “Wizards” tab, and the following page will appear.

clip_image010

Keep the Type of Server set at Local User Access, and select the “next” button.

The following web page will be displayed:

clip_image012

As in the example above, enter details for the following:

  • Descriptive Name: This is to identify the CA Cert
  • Keep the Key Length at 2048 bits
  • Leave the Life Time at approximately 10 Years
  • Insert your country code, state or province, city, organization and e-mail address.

Click the “Add new CA” button.

The following page will appear:

clip_image014

On this page you set up the server’s certificate, so you need to enter the fully qualified domain name, for this test I am using www2.sittingonthe.net, and as per the previous screen enter the remaining details.

Click the “Create new Certificate” button to create a self signed certificate.

On the next page we will configure the OpenVPN Server service:

clip_image016

In the top section of the page “General OpenVPN Server Information” make sure you select TCP as this is more reliable and doesn’t get screen by ISPs, and give the Service a name, in this case I chose “SSL VPN”.

In the next section “Cryptographic Settings” leave at the default settings:

clip_image018

In the next section you can configure “Tunnel Settings”.

clip_image020

In this section, the tunnel network is a spare network range that isn’t been used anywhere else in either your VDC or in any of the networks used to connect into the VDC. In this case I have chosen 10.0.10.0/24.

The local network is a route you can push to the OpenVPN client so that traffic for it is routed down the VPN Tunnel we are creating. If you have more than one range you want to route to, you will need to check the “Redirect Gateway” check box, if this is selected all traffic will be sent down the VPN tunnel and you will lose access to resources on the local network.

If you want to use compression check the “Compression” check box.

The remaining item in the “Client Settings” can be left blank or filled in as appropriate.

clip_image022

Click “Next”

On the next screen:

clip_image024

Make sure that the “Firewall Rule” and “OpenVPN Rule” check boxes are selected and then click the “Next” button

On the next screen:

clip_image026

Click the “Finish” button.

Configure Client Certificates

When you get back to the main screen:

clip_image028

Select System-> User Manager.

The following screen will appear:

clip_image030

Click the + icon as shown at the bottom right of the graphic above.

The following screen will appear:

clip_image032

Fill in relevant details, as shown below:

Make sure you select the “Certificate” check box and another section will appear on the screen:

clip_image034

A filled in screen will look like the following:

clip_image036

Click “Save”

Downloading the client software.

Click on the VPN->OpenVPN

clip_image038

Select the Client Export Tab

clip_image040

Make sure the “Quote Server CN” checkbox is selected.

At the bottom of the screen is a list of users with SSL Keys. Next to the user you want to export click on the 2.2 under the “Windows Installers:” section and save the file.

This file needs to be distributed to the end user.

Installing the client and connecting

When the end user has received the installation bundle, they will need to install it, this needs administration privileges.

clip_image042

Click “Next”

clip_image044

Click “I Agree” if you agree to the terms and conditions.

clip_image046

Click “Next”

clip_image048

Click “Install”

clip_image050

When the first part of the installation is complete click “Next”

clip_image052

Click “Finish”

Next the Clients configuration and keys are installed.

clip_image054

Click “Close”

In the Readme File that was opened during the install, it states that Windows 7 and Windows Vista users, and it is assumed that Windows 8 also needs this setting, needs to be run with administrative privileges.

To achieve this, right click on the “OpenVPN GUI” icon on your desktop:

clip_image056

And select “Properties” and select the “Compatibility” Tab.

clip_image058

Make sure that the “Run this program as an administrator” check box is selected, and then click the “Change Settings for all users”

clip_image060

Make sure the “Run this program as an administrator” is also selected on this window.

Click “Apply” and then “OK”.

Select the “Shortcut” Tab and then the “Advanced” button.

clip_image062

Make sure the “Run this program as an administrator” is also selected on this window.

Click on “OK” then click “Apply” and then “OK” again.

Now double click the “OpenVPN GUI” icon and select yes for the warning.

An icon will appear in the bottom right of your screen (Windows 7) clip_image064Right click it and select “Connect”

The following window will appear:

clip_image066

Enter your VPN username and password.

You should now be connected.

To confirm this, if you open a “Command Prompt” and type “netstat –nr”, it should show a route for the LAN range via the VPN network (10.0.10.5 in my case).

clip_image068

By Jay Fearn Google

If your interested in using the Claranet VDC product please fill in your contact details below:
[recaptcha_form]

2 thoughts on “Using a SSL VPN to secure administrative access to your Enterprise in the Claranet VDC

Leave a Reply