VPN-Cubed 2.x Cloud Only Lite Edition


VPN-Cubed 2.x Cloud Only Lite Edition v201107 1

Requirements
- You have an Amazon AWS account that CohesiveFT can use for enabling your access to the VPN-Cubed Manager AMIs.
- Ability to configure a client (whether desktop based or cloud based) to use OpenVPN client software.
- Ability to use the Amazon EC2 Command Line tools is preferred. 2

Getting Help with VPN-Cubed
Take a look at our Support Terms and Conditions. Please send all support inquiries to: support@cohesiveft.com 3

Your Configuration Begins Here! 4

Firewall Considerations
The VPN-Cubed Manager instance uses the following TCP and UDP ports.
- UDP 1194: For client VPN connections; must be accessible from all servers that will join the VPN-Cubed topology as clients.
- UDP 1195-1197: For tunnels between manager peers; must be accessible from all peers in a given topology.
- TCP 8000: HTTPS admin interface; must be accessible from hosts where you will want to obtain runtime status or configure peering. It also needs to be open to and from the managers, at least for the peering process, and needs to be accessible when downloading credentials for installation on overlay network clients. 5

Remote Support
Note that TCP 22 (ssh) is not required for normal operations. Each VPN-Cubed Manager runs a restricted SSH daemon, with access limited to CohesiveFT for debugging purposes and controlled by the user via the Remote Support toggle and key exchange generation. In the event CohesiveFT needs to observe the runtime state of a VPN-Cubed Manager in response to a tech support request, we will ask you to open Security Group access to SSH from our support IP range and to Enable Remote Support via the Web UI. CohesiveFT will send you an encrypted passphrase to generate a private key used by CohesiveFT Support staff to access your Manager. Access to the restricted SSH daemon is completely controlled by the user. Once the support ticket has been closed you can disable remote support access. 6

Sizing Considerations
VPN-Cubed Lite Edition Managers are available as 32-bit images. The Enterprise Edition provides 64-bit images on request. Contact us at sales@cohesiveft.com for AMI information. VPN-Cubed Managers currently generate 1024-bit keys for connecting the clients to the overlay network via the clientpacks. Smaller or larger encryption keys can be provided upon request (from 64-bit to 2048-bit). 7

Make a helpful worksheet!
You will use this information to set up your VPN-Cubed managers.
Your Amazon Account ID: (ex. 111122223333)
Security Token Used during Manager Configuration:
MGR1
  EC2 Private IP: (ex. 10.10.23.140)
  EC2 Public DNS: (ex. ec2-67-11-22-33.compute-1.amazonaws.com)
  EC2 InstanceID: (ex. i-bb30x21c)
MGR2
  EC2 Private IP: (ex. 10.10.23.140)
  EC2 Public DNS: (ex. ec2-67-11-22-33.compute-1.amazonaws.com)
  EC2 InstanceID: (ex. i-bb30x21c) 8

Setting up the Amazon Security Groups
Option 1: Use the Amazon EC2 command line tools
Download the latest Amazon API tools from: http://aws.amazon.com/developertools/368?_encoding=utf8&jiveredirect=1
At a system command line (Mac examples shown here, see the API Doc for Windows):
export JAVA_HOME=/usr                                    (Set Java Home directory)
export LAUNCH_HOME=/Users/me/Desktop/BYO/ec2             (Set the path to the directory where you unzipped the export)
export EC2_HOME=$LAUNCH_HOME/ec2apitools
export PATH=$PATH:$EC2_HOME/bin
export EC2_PRIVATE_KEY=$LAUNCH_HOME/myexcellentkey.pem   (point to where you have your EC2 private key stored)
export EC2_CERT=$LAUNCH_HOME/myexcellentcert.pem         (point to where you have your EC2 cert stored) 9

Setting up the Amazon Security Groups
Option 1: Command Examples
For US-East VPN-Cubed Manager:
export EC2_URL=https://ec2.us-east-1.amazonaws.com
ec2-add-group vpncubed-mgr -d "vpncubed managers"
ec2-add-group vpncubed-client -d "vpncubed clients"
ec2auth vpncubed-mgr -P udp -p 1194 -o vpncubed-client -u AWS_ACCOUNT
ec2auth vpncubed-mgr -P udp -p 1195-1197 -o vpncubed-mgr -u AWS_ACCOUNT
ec2auth vpncubed-mgr -P tcp -p 8000 -o vpncubed-mgr -u AWS_ACCOUNT
ec2auth vpncubed-mgr -P tcp -p 8000 -s ip_address_of_your_firewall/32
For US-West VPN-Cubed Manager:
export EC2_URL=https://ec2.us-west-1.amazonaws.com
<ec2 commands from above>
For EU-West VPN-Cubed Manager:
export EC2_URL=https://ec2.eu-west-1.amazonaws.com
<ec2 commands from above>
For APAC-Southeast VPN-Cubed Manager:
export EC2_URL=https://ec2.ap-southeast-1.amazonaws.com
<ec2 commands from above> 10

Setting up the Amazon Security Groups
Option 2: Use the AWS Console
Select your desired region. Click Security Groups in the left column menu. Click Create Security Group in the Security Group window pane menu bar. Create a vpncubed-mgr group (for the VPN-Cubed Managers) and a vpncubed-client group (for the VPN-Cubed Overlay Connected Devices). Note the Security Group ID for the Client Group (sg-xxxxxxxx). 11

Setting up the Amazon Security Groups
Option 2: Add Exceptions to the vpncubed-mgr Group
Configure the vpncubed-mgr group with the following exceptions. Add exceptions to your vpncubed-client group as needed based on your topology.
UDP Exceptions:
- Custom UDP rule: ports 1194-1197 from Source vpncubed-client Security Group ID (sg-xxxxxxxx)
TCP Exceptions:
- Custom TCP rule: port 8000 from Source vpncubed-client Security Group ID (sg-xxxxxxxx)
- Custom TCP rule: port 8000 from the IP address of your current location (http://whatismyip.com) to allow you to connect to the VPN-Cubed Manager UI
Click Apply Rule Changes. 12

Launching VPN-Cubed Managers
Option 1: From the CMD Line
Use the AMI IDs provided by CohesiveFT. Below are some examples of the launch command.
Launch your VPN-Cubed Manager in the US region, in the vpncubed-mgr security group:
ec2run -U https://us-east-1.ec2.amazonaws.com AMI_ID_US -n 1 -g vpncubed-mgr
OR launch the VPN-Cubed Manager in the EU region:
ec2run -U https://eu-west-1.ec2.amazonaws.com AMI_ID_EU -n 1 -g vpncubed-mgr 13

Launching VPN-Cubed Managers
Option 2: Via ElasticFox (screenshot: launch the Manager AMI into the vpncubed-mgr security group) 14

Running VPN-Cubed Manager Instance Details
Once the Instance is running, copy the Instance ID and Public IP Address to your worksheet. Double-click the Running Instance in ElasticFox for Details, or enter the following command:
ec2-describe-instances instance_id
Note: the instance_id would have been displayed after launching via the command line. 15

Logging in and Configuring the Manager
Log in to the VPN-Cubed Web UI at https://<manager IP>:8000. In order to have an encrypted connection to the VPN-Cubed Manager, the web UI uses HTTPS with a self-signed certificate generated on each manager individually on boot. You may need to add a security exception in your browser. Log in with a username of vpncubed; the password is the instance id of this EC2 instance (i-xxxxxxx). You can obtain the instance id with the ec2-describe-instances command line, ElasticFox or the AWS Console.
Three Configuration Options:
- Upload License (choose this when launching the first Manager of a Customer Cloudlet): launch a new Manager using the default subnet or a custom subnet.
- Upload runtime snapshot (choose this when recovering from a Manager failure): launch a copy of an old manager using a locally stored snapshot to retain old client packs.
- Fetch remote configuration (choose this when launching a second Manager of a Customer Cloudlet): launch a copy of an existing manager by grabbing its configuration live. 16

Logging in and Configuring the Manager
Option 1: Upload License
Paste the encrypted VPN-Cubed license received from CohesiveFT in the first field. This license will configure the generic Manager. Enter a security token in the second field. This can be anything but must be the same for all Managers in the same topology. Click Submit and Reboot.
The resulting screen allows you to choose between the subnet range that comes preconfigured with the license or a custom subnet defined by your specific topology needs. Click the Custom radio button to specify a custom subnet range. In addition to selecting a custom subnet range you can specify linear addressing for your Overlay Connected Devices (OLNDs). In this example we use 172.31.10.0/24 for our custom subnet range. The Manager IPs are 172.31.10.1-3 and the Overlay Connected Device IPs are 172.31.10.4-53. Your specific license might allow for more or fewer OLNDs. Once you complete this step, the manager instance will reboot itself and will come up with your specified topology enabled and running. Click Submit and reboot.
Skip to Generate Keys on VPN-Cubed Manager. 17

Logging in and Configuring the Manager
Option 2: Upload runtime snapshot
If this manager is a replacement for another manager in an existing topology and you have a recent runtime snapshot from the old manager, you can instantiate the manager by uploading the snapshot. Uploading a snapshot will configure the new Manager the same as the old, including using the same Client Packs for the connected Overlay Network Devices. Once you have selected a locally stored snapshot, click Submit and reboot.
Skip to Generate Keys on VPN-Cubed Manager. 18

Logging in and Configuring the Manager
Option 3: Fetch remote configuration
Fetching remote configurations can speed the configuration of Managers you wish to Peer to an existing topology. Specify the IP address of the Manager from where you would like to fetch configuration. The security token is used for negotiation between Manager peers and must be the same for all Managers you intend to Peer with one another. Click Submit and reboot.
Skip to Generate Keys on VPN-Cubed Manager. 19

Generate Keys on VPN-Cubed Manager
The Manager is now configured to the License specs (how many managers it can peer with, how many clientpacks are available, and how many ipsec links are available). Click Generate New under SSL Certs and Keys in the left column. During key generation you can specify a Topology name to be displayed in the Manager UI for a given set of peered Managers. This can be changed at any time by clicking on the Topology Name left column menu item. Click the Generate keys link. The key generator will be started in the background, and you can refresh the screen to observe progress. This process will generate the client credentials that will be loaded onto the devices you wish to connect to the VPN-Cubed overlay network.
NOTE: The Client Packs generated will depend on your license and on whether you selected a custom subnet. 20

Peering the Managers: Peering Manager 1
Click Setup Manager Peering. Managers connect to each other in a process called Peering. Peered Managers create a redundant, highly available and secure overlay network and share the traffic load from the overlay network connected servers. The Peering Setup Page will display the number of Managers allowed to peer together in your topology as defined by the license file used to configure the Manager.
For Manager #1 select "this instance" from the drop-down, instead of specifying its IP. To be valid, your form must have the "this instance" value in one and only one drop-down. If your topology has unused Managers, leave the extra fields set to "not set". Enter the Public DNS address of the second Manager for Manager #2. Repeat this for each additional Manager in your topology. When done select Save Changes. You should then get a status page showing that this manager was able to reach the other launched manager instance. 21

Peering the Managers: Peering Manager 2, fetch the keyset from Manager 1 (do NOT regenerate)
Log in to the VPN-Cubed Manager UI on the second manager. Click Fetch Keyset. (Remember that keys must be generated only once per topology!) Type in the private IP address of Manager1 (where keys were generated) and the keys will be copied from Manager1 and set up locally. 22

Peering the Managers: Peering Manager 2
For Manager #1 enter the IP address of MGR1. For Manager #2 select "this instance" from the drop-down, instead of specifying its IP. To be valid, your form must have the "this instance" value in one and only one drop-down. When done select Save Changes. You should then get a status page showing that this manager was able to reach the other launched manager instances. Verify that the topology checksum on Manager1 corresponds to that of Manager2. 23

VPN-Cubed Manager Status
The VPN-Cubed Manager is ready to set up an IPsec Tunnel. You should see all your peered Managers listed under the Links to Other Managers section on each Manager Runtime Status Page. Click IPsec under the Peering left menu heading. On the resulting IPsec page note the Configuration Settings needed for configuration. Click Define new remote endpoint. 24

Client Configuration: Install Client Credentials
In the context of VPN-Cubed, client means devices which will be configured as members of the overlay network. These network members will usually be servers running in EC2. In more advanced editions of VPN-Cubed this includes desktop based client machines. Note the Client Download username and password on the Status screen of every manager (the username is clientpack). On any Manager go to Client Packs and pick a client pack. A client pack can run on a single client at a time. If you shut down or disconnect a client from the topology, you can reuse its client pack. The number of client packs provided in your license depends on your purchased parameters. 25

Client Configuration: Security Group Exceptions
Depending on what OS your cloud-based clients are running you will need to add access to the vpncubed-client security group via RDP Port 3389 (Windows) or SSH Port 22 (Linux) in order to add the clientpacks. Additionally, Port 8000 access will need to be opened between the vpncubed-mgr and vpncubed-client security groups.
For Linux client configuration follow the steps on pages 27-31.
For Windows client configuration follow the steps on pages 32-51. 26

Linux Client Configuration: Add SSH Client Access
In order to SSH into your cloud-based Linux client servers, SSH access must be granted from your IP to TCP Port 22 in the vpncubed-client security group. Using the EC2 command line:
ec2auth vpncubed-client -P tcp -p 22 -s your_physical_machine_ip/32
Once you have successfully downloaded the client key credentials from the manager to the client machines you can revoke this authorization:
ec2revoke vpncubed-client -P tcp -p 22 -s your_physical_machine_ip/32 27

Linux Client Configuration: Add Port 8000 Access from Client to Manager Group
To allow clients launched in the vpncubed-client security group to download their credentials via their command line, you need to MOMENTARILY enable port 8000 access between the vpncubed-mgr and the vpncubed-client groups. Alternatively, download the credentials from the VPN-Cubed Manager to an admin machine and then SCP them up to the client, where you would only need the SSH exception described on the previous page. Using the EC2 command line:
ec2auth vpncubed-mgr -P tcp -p 8000 -o vpncubed-client -u AWS_ACCOUNT
Once you have successfully downloaded the client key credentials from the manager to the client machines you can revoke this authorization:
ec2revoke vpncubed-mgr -P tcp -p 8000 -o vpncubed-client -u AWS_ACCOUNT 28

Linux Client Configuration: Install Client Credentials
TWO PHILOSOPHIES FOR INSTALLATION
a) SSH Port 22 Exception Only - Have ssh access into a client server (if only for the duration of installation). Download credentials to your trusted admin machine via the VPN-Cubed Manager Client Packs link. SCP them into the client machines, and then SSH into the client machines to complete the configuration.
b) Port 22 and Port 8000 Exception - Allow port 8000 and port 22 access as described on the previous pages to a Manager. SSH into the client machine and download the credentials from its command line using the following URL:
wget --no-check-certificate https://clientpack:**password**@{manager_ip}:8000/credentials/{name_of_clientpack}.tar.gz
Something like:
wget --no-check-certificate https://clientpack:9c50eb1a78cabfa77663d0429bdd2930c4a3de12@204.51.99.6:8000/credentials/172_31_1_53.tar.gz
NOTE: The clientpack:password combination is on the status screen of each of the VPN-Cubed Managers. 29

Linux Client Configuration: Install OpenVPN
You can either install OpenVPN 2.1 on physical servers or virtual servers you already possess to connect those devices to the VPN-Cubed overlay network. For a quick test you might want to use the Elastic Server factory at http://elasticserver.com. You can quickly assemble a representative application stack for testing in the overlay network and easily deploy it to your Amazon account. Use the OpenVPN for VPN-Cubed 2.1 bundle in your servers for a ready-made VPN-Cubed client. You will still have to install a client pack on that device once launched locally or in the EC2 cloud, and configure the file /etc/openvpn/vpncubed.conf.
Extract the clientpack contents to the /etc/openvpn directory (consult the OpenVPN documentation for your OS if not found). Edit vpncubed.conf and add the managers you want this client to connect to, in priority order, at the bottom of the file:
remote MANAGER_DNS_ADDRESS 1194
Use the public DNS URL of the Manager for the remote entry. In multiple Manager topologies the order of remote commands matters: the client will try to connect to the first remote endpoint and, if not successful, to the second, and so on. You may want to evenly distribute clients among managers by varying the order of "remote" commands on each client. 30

Linux Client Configuration: Launch OpenVPN
Start openvpn. On Linux OSs this is done using the /etc/init.d/openvpn start command. Your client will get a virtual IP address that corresponds to the clientpack it received.
WARNING: If you accidentally give the same client credentials to 2 different devices you will notice the two clients popping off and on the overlay network inside the VPN-Cubed manager Status screen. Only one device can have a set of credentials in the same topology at a time.
Adjust the local firewall on the client if necessary (on Linux, your tunnel device name will be tun0). Verify connectivity by pinging 172.31.10.1 and 172.31.10.2 (the IPs we set up for our Managers on page 15) for manager MGR1 and MGR2, respectively. Usually, the manager whose "remote" line appears first in /etc/openvpn/vpncubed.conf will be pingable first; other managers will become pingable once they learn about the new client. 31

Windows Client Configuration: Add RDP Client Access
In order to RDP into your cloud-based Windows client servers, RDP access must be granted from your IP to TCP Port 3389 in the vpncubed-client security group. Using the EC2 command line:
ec2auth vpncubed-client -P tcp -p 3389 -s your_physical_machine_ip/32
Once you have successfully downloaded the client key credentials from the manager to the client machines you can revoke this authorization:
ec2revoke vpncubed-client -P tcp -p 3389 -s your_physical_machine_ip/32 32

Windows Client Configuration: Add Port 8000 Access from Client to Manager Group
To allow clients launched in the vpncubed-client security group to download their credentials via IE, you need to enable port 8000 access between the vpncubed-mgr and the vpncubed-client groups. Using the EC2 command line:
ec2auth vpncubed-mgr -P tcp -p 8000 -o vpncubed-client -u AWS_ACCOUNT
Once you have successfully downloaded the client key credentials from the manager to the client machines you can revoke this authorization:
ec2revoke vpncubed-mgr -P tcp -p 8000 -o vpncubed-client -u AWS_ACCOUNT 33

Windows Client Configuration: Install Client Credentials
RDP into the Windows Machine using the Administrator credentials specified when launching the server. Navigate to https://<public Manager IP>:8000 in IE. Log in using the default vpncubed for the password and username, or the password you changed on your first login. Click Client Packs on the left menu. Download the appropriate client pack zip file to the Windows machine. 34

Windows Client Configuration: Install OpenVPN
Install OpenVPN 2.1 on physical servers or virtual servers you already possess to connect those devices to the VPN-Cubed overlay network. On Vista you will need to have admin privileges to install the software. You will have to install a client pack on the Windows desktop machine and put the client pack files in \Program Files\OpenVpn\config\
RENAME vpncubed.conf to vpncubed.ovpn!!!!
Edit vpncubed.ovpn and add the managers you want this client to connect to, in priority order, at the bottom of the file:
remote MANAGER_DNS_ADDRESS 1194
Use the public DNS URL of the Manager for the remote entry. In multiple Manager topologies the order of remote commands matters: the client will try to connect to the first remote endpoint and, if not successful, to the second, and so on. You may want to evenly distribute clients among managers by varying the order of "remote" commands on each client. 35
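The remote-ordering advice on the Linux and Windows Install OpenVPN pages above, as an added example that is not part of the original guide: it rewrites the trailing remote lines of a client pack's vpncubed.conf (vpncubed.ovpn on Windows) so that consecutive clients prefer different managers while every manager stays listed for failover. The manager host names are constructed placeholders.

```python
# Added example, not CohesiveFT code. Rotates the manager list per client so that
# clients spread their first-choice "remote" manager evenly, as the guide suggests,
# while still listing every manager so failover to the next "remote" keeps working.
# The manager host names used in the demo are constructed placeholders.

CLIENT_PORT = 1194  # UDP port the managers listen on for client VPN connections


def remote_lines(managers, client_index, port=CLIENT_PORT):
    """Return the ordered 'remote <dns> <port>' lines for the client with this index.

    The list is rotated by client_index, so client 0 tries MGR1 first, client 1
    tries MGR2 first, and so on; every manager is still present for failover.
    """
    if not managers:
        raise ValueError("at least one manager is required")
    shift = client_index % len(managers)
    rotated = managers[shift:] + managers[:shift]
    return ["remote %s %d" % (host, port) for host in rotated]


def set_remotes(conf_text, managers, client_index):
    """Replace any existing 'remote' lines in a vpncubed.conf/.ovpn with the rotated set.

    Other directives in the client pack config are kept; the new remote lines go at
    the bottom, where the guide says to put them. The function is idempotent, so it
    can be re-run when a manager's public DNS name changes (e.g. after a snapshot
    restore without an Elastic IP).
    """
    kept = [line for line in conf_text.splitlines()
            if not line.strip().lower().startswith("remote ")]
    while kept and not kept[-1].strip():  # drop trailing blank lines before appending
        kept.pop()
    return "\n".join(kept + remote_lines(managers, client_index)) + "\n"


def primary_manager_counts(managers, client_count):
    """How many clients would try each manager first under this scheme."""
    counts = {host: 0 for host in managers}
    for i in range(client_count):
        first = remote_lines(managers, i)[0].split()[1]
        counts[first] += 1
    return counts


if __name__ == "__main__":
    managers = ["mgr1.example.invalid", "mgr2.example.invalid"]  # placeholders
    base = "client\ndev tun\nproto udp\n"  # abbreviated stand-in for the pack's config
    for idx in range(2):
        print("--- client %d ---" % idx)
        print(set_remotes(base, managers, idx))
    print(primary_manager_counts(managers, 5))
```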

Windows Client Configuration: Launch OpenVPN
Start openvpn. On Windows XP and Vista this can be done through the Services tool or via the command line: openvpn vpncubed.ovpn. On Vista, if you run it from the command line you will need to know how to start a command line with administrative privileges. Details here: http://www.howtogeek.com/howto/windows-vista/run-a-command-as-administratorfrom-the-windows-vista-run-box/ Alternatively, start the OpenVPN service from the Services tool. On Vista and Win2k servers OpenVPN also has a graphical tool, OpenVPN GUI. Your client will get a virtual IP address that corresponds to the clientpack it received.
WARNING: If you accidentally give the same client credentials to 2 different devices you will notice the two clients popping off and on the overlay network inside the VPN-Cubed manager Status screen. Only one device can have a set of credentials in the same topology at a time.
Adjust the local firewall on the client if necessary. Verify connectivity by pinging 172.31.10.1 or 172.31.10.2 (the IPs we set up for our Managers on page 16) for manager ID1 and ID2, respectively. Usually, the manager whose "remote" line appears first in /etc/openvpn/vpncubed.conf will be pingable first; other managers will become pingable once they learn about the new client. 36

Windows Client Configuration: Launch OpenVPN 37

Windows Client Configuration: Windows 2008 RegEdit Consideration
When setting up OpenVPN as a Service on Windows 2008 there can be an issue with the machine resolving IPv6 instead of IPv4. Follow the steps below to fix the problem.
1. Go to "regedit"
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip\parameters
3. Double-click the ArpRetryCount value, type 0, and then click OK. If it does not exist, create a new REG_DWORD, rename it to ArpRetryCount, and set the value to 0.
4. Reboot the machine 38

Client Configuration: Clients in the overlay network
The key elements of the display to look for are the connections to that manager's peer, both showing the local processes are running and the link as up. You should see the clients listed in the client table at the bottom, connected to the appropriate manager. If this is not the case please check the items listed on the Troubleshooting page of this document. 39

VPN-Cubed Firewall Tool 40

VPN-Cubed Firewall
The VPN-Cubed Firewall is controlled using IPTables syntax. For more information see http://linux.die.net/man/8/iptables; look for the PARAMETERS section and below. In general, you write a specification of a packet to match and what to do with that packet. Customer rules are applied in the middle of the overall rules on the manager. If customer rules don't reject a packet, it will be allowed. Order of rules matters: rules are applied from top to bottom up to the first match. If no match is found, the packet is allowed.
"-j ACCEPT" allows a packet. "-j DROP" drops a packet. "-j REJECT" sends an appropriate notification to the sender saying such and such packet was rejected (depends on protocol).
Basic examples:
* Drop all packets from 1.1.1.1 to 2.2.2.2:
-s 1.1.1.1 -d 2.2.2.2 -j DROP
* Drop all traffic from 192.168.3.0/24 (entire subnet) except 192.168.3.11:
-s 192.168.3.11 -j ACCEPT
-s 192.168.3.0/24 -j DROP 41
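To make the first-match, default-allow semantics concrete, here is an added example (not CohesiveFT code) that evaluates rules written in the subset of the syntax shown above (-s, -d, -p, --dport, -j) and flags rules that an earlier, broader rule shadows, which is exactly how the subnet example above stops working if its two lines are swapped.

```python
# Added example, not CohesiveFT code: a small evaluator for the subset of iptables
# rule syntax used on this page (-s, -d, -p, --dport, -j). It reproduces the
# semantics the guide describes: rules are tried top to bottom, the first match
# wins, and a packet matching no customer rule is allowed by the manager.
import ipaddress
import shlex

TARGETS = ("ACCEPT", "DROP", "REJECT")


def parse_rule(text):
    """Parse one rule line such as '-s 192.168.3.0/24 -j DROP' into a dict."""
    tokens = shlex.split(text)
    if len(tokens) % 2:
        raise ValueError("option without value in rule: %r" % text)
    rule = {"src": None, "dst": None, "proto": None, "dport": None, "target": None}
    for opt, val in zip(tokens[::2], tokens[1::2]):
        if opt == "-s":
            rule["src"] = ipaddress.ip_network(val, strict=False)  # bare IP -> /32
        elif opt == "-d":
            rule["dst"] = ipaddress.ip_network(val, strict=False)
        elif opt == "-p":
            rule["proto"] = val.lower()
        elif opt == "--dport":
            rule["dport"] = int(val)
        elif opt == "-j":
            rule["target"] = val.upper()
        else:
            raise ValueError("unsupported option %r in rule: %r" % (opt, text))
    if rule["target"] not in TARGETS:
        raise ValueError("rule needs -j ACCEPT|DROP|REJECT: %r" % text)
    return rule


def matches(rule, pkt):
    """True if every field the rule specifies agrees with the packet."""
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    return True


def evaluate(rule_lines, src, dst, proto=None, dport=None):
    """Return (verdict, 1-based index of the deciding rule); index None means
    no customer rule matched and the default ACCEPT applied."""
    pkt = {"src": src, "dst": dst, "proto": proto, "dport": dport}
    for idx, rule in enumerate(map(parse_rule, rule_lines), start=1):
        if matches(rule, pkt):
            return rule["target"], idx
    return "ACCEPT", None


def _covers(general, specific):
    """True if an earlier rule's field matches everything a later rule's field does."""
    if general is None:
        return True
    if specific is None:
        return False
    if isinstance(general, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return general.version == specific.version and specific.subnet_of(general)
    return general == specific


def shadowed_rules(rule_lines):
    """1-based indices of rules that can never fire because an earlier rule already
    matches every packet they would match. Putting the /24 DROP above the /32 ACCEPT
    in the guide's subnet example is the classic ordering mistake this catches."""
    rules = [parse_rule(line) for line in rule_lines]
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if all(_covers(earlier[f], later[f]) for f in ("src", "dst", "proto", "dport")):
                out.append(j + 1)
                break
    return out


if __name__ == "__main__":
    rules = ["-s 192.168.3.11 -j ACCEPT", "-s 192.168.3.0/24 -j DROP"]
    for src in ("192.168.3.11", "192.168.3.20", "10.0.0.5"):
        print(src, "->", evaluate(rules, src, "172.31.10.1"))
    print("shadowed rules when the two lines are swapped:", shadowed_rules(rules[::-1]))
```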

Change Username and Password 42

Change Username and Password
Username and Password can be changed via the Left Column Menu Items. 43

Save Manager Configuration with Runtime Snapshots 44

Runtime Snapshots save the Manager Configuration
Once your VPN-Cubed Managers and Clients are configured and running, save the configuration with Runtime Snapshots. Snapshots can be used to reconfigure a new Manager with the same SSL Certificates and Keyset with just one file upload. Click the Runtime Snapshots link to take a new snapshot or view/download available snapshots. Download the snapshot to your local network. In the event of a Manager failure or re-provisioning event, you can upload the snapshot file to a new VPN-Cubed Manager. The new Manager will retain all the configuration settings of your saved snapshot. If you are utilizing Elastic IPs, once the Elastic IP is transferred to the new Manager, your overlay network devices will automatically connect back to the Managers. Save time on both Manager and client configuration. 45

Save and Download a Snapshot
Click the Take New Snapshot Now button to generate a new Snapshot. The resulting screen will have the snapshot download link. Download the Snapshot and save it locally. 46

Upload a Snapshot
To use a Snapshot to configure a Manager click the Import Runtime Snapshot link. Browse for your saved Snapshot and upload it. The Manager will reboot with the updated configuration. The same client packs will be used, so redistribution of the credentials to each Overlay Network Device (OLND) is not necessary. A slight configuration change on each OLND is necessary if you have not assigned Elastic IPs to your Manager: the OpenVPN configuration file (vpncubed.ovpn) on each OLND needs the new IP of the new Manager referenced in the remote commands section. To automate this step, you can assign an Elastic IP (see AWS billing for rates) to the Manager and reference the Elastic IP in each OLND's OpenVPN configuration file. 47

Troubleshooting 48

Troubleshooting and FAQ for the EC2 Managers
Client appears to be hopping on and off the network. This is usually the result of the same client keys being installed on two client machines in the network. Only one client machine can use a set of credentials at a given time.
Fetch Keyset appears to hang or not work. Check to see if the Amazon security group is correct for port 8000 between the manager you are getting the keyset from and the manager you are doing the fetch from. If they are separated across Amazon USA and Amazon EU you will need to have their security groups reference the public IP addresses. When you do the Fetch Keyset command use the manager's public IP address.
Manager IDs seem correct, EC2 security groups seem correct, but managers, especially ones launched via separate launch commands, will not peer. Review your worksheet and your launch commands. Ensure that the managers were all launched with the same security token. 49

End 50