Open VPN

Cisco IPSEC VPN gives you access to vCloud Director so that you can manage your virtual machines; however, when you need to connect directly to your virtual machines from your own network, deploying an OpenVPN appliance is probably the best way to do it.

Below are the steps on how you can do this in about 5-10 minutes. Note: until you set up the firewall, you can only reach the OpenVPN web interfaces from another virtual machine in your cloud, on the same VLAN (or on a VLAN that can talk to it).

Deploy an OpenVPN vApp from the Public Catalog

- log into vCloud Director
- click on the Catalogs tab
- click on Public Catalogs in the left menu
- click on vApp Templates tab
- right click on OpenVPN App and choose Add to My Cloud
- give the vApp a name (say: OpenVPN vApp), choose the vDC and click OK to deploy
- once the vApp is deployed, right click on it, go to Properties, and under Hardware tab set the IP address of this VM to one that was allocated to you
- power on the VM

In the VM console (via vCloud Director), enter the Configure Network menu

- answer no to using a DHCP server
- set the IP address (_internalVmIP_), netmask, gateway, and DNS of your VM
- answer no to using a proxy
- confirm

Login

- Username: root
- Password: openvpnas

Change the passwords for all three users: root, openvpn and openvpn_as

- passwd root
- passwd openvpn
- passwd openvpn_as

Add a new client user (for connecting via OpenVPN)

- adduser _clientUsername_ (set password and other details)

Appliance Admin Interface

→ lets you manage the basic network setup (the same as the main console screen; nothing much to see here)

URL: https://_internalVmIP_:5480
Username: openvpn or openvpn_as
Password: _passwordYouSet_

OpenVPN Admin Interface (via another VM's browser)

→ lets you manage the OpenVPN settings, etc.

URL: https://_internalVmIP_:943/admin
Username: openvpn
Password: _passwordYouSet_
→ on first login you must accept the terms of service
→ simply click Start the Server as soon as you log in to start the OpenVPN server

Configuring the OpenVPN (via OpenVPN Admin Interface)

1) Go to "Server Network Settings"

- Make sure that Hostname / IP Address is set to the public IP you will use to let clients connect (this IP will have to be static-NATed on the firewall to the _internalVmIP_ of this VM)
- All other settings you should leave as they are
- Save Settings at the bottom of the page

2) Go to "VPN Settings"

- Set the network that clients will be given addresses from when they connect (5.5.5.0 or 10.10.10.0 works fine here, as long as it does not overlap any of your current subnets)
- Under Routing on the same page, set “Yes, using NAT”, and in the field specify the subnets you would like OpenVPN clients to see (for example 192.168.123.0/24)
- The next two settings are up to you: whether to route Internet traffic through the VPN (No is fine), and whether to allow connected clients access to network services on the VPN gateway IP address (Yes is probably a good choice)
- For DNS you can set what you want, but leaving it at “Have clients use same DNS servers as the Access Server host” is probably a good setting
- Save Settings at the bottom of the page
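The subnet choice in this step is the one that silently breaks routing if you get it wrong, so here is an added pre-flight check (example code, not from the original page) using Python's standard ipaddress module. Given the candidate client network and the subnets that must stay reachable (the VM's own network plus whatever you list under Routing), it reports any overlap, checks that the Routing list does not overlap itself, and flags a candidate that is not RFC 1918 private space (5.5.5.0 from the text is publicly routed address space that happens to work; a private range avoids hiding real Internet hosts from connected clients). The sample subnets in the main block are constructed.

```python
"""Pre-flight check for the OpenVPN client subnet (added example, not from the page)."""
import ipaddress


def check_vpn_subnet(vpn_cidr, routed_cidrs):
    """Validate a candidate client network against the subnets it must not collide with.

    vpn_cidr     -- network the Access Server hands addresses out of, e.g. "10.10.10.0/24"
    routed_cidrs -- subnets clients must reach through the tunnel plus the VM's own
                    network, e.g. ["192.168.123.0/24"]
    Returns a report dict; 'ok' is True only if nothing overlaps and the range is private.
    """
    vpn = ipaddress.ip_network(vpn_cidr, strict=False)
    routed = [ipaddress.ip_network(c, strict=False) for c in routed_cidrs]
    overlaps = [str(n) for n in routed if vpn.overlaps(n)]
    # Also catch a Routing list that overlaps itself, which makes the NAT targets ambiguous.
    duplicate_targets = sorted(
        {str(a) for i, a in enumerate(routed) for b in routed[i + 1:] if a.overlaps(b)}
    )
    return {
        "vpn": str(vpn),
        "overlaps": overlaps,
        "private": vpn.is_private,
        "duplicate_targets": duplicate_targets,
        "ok": not overlaps and not duplicate_targets and vpn.is_private,
    }


def explain(report):
    """Human-readable one-line summary of a report."""
    if report["ok"]:
        return f"{report['vpn']}: OK"
    problems = []
    if report["overlaps"]:
        problems.append("overlaps " + ", ".join(report["overlaps"]))
    if report["duplicate_targets"]:
        problems.append(
            "routed subnets overlap each other: " + ", ".join(report["duplicate_targets"])
        )
    if not report["private"]:
        problems.append("not an RFC 1918 private range")
    return f"{report['vpn']}: " + "; ".join(problems)


if __name__ == "__main__":
    # Constructed sample: the VM lives on 192.168.123.0/24 and clients should also reach 10.20.0.0/16.
    routed = ["192.168.123.0/24", "10.20.0.0/16"]
    for candidate in ("10.10.10.0/24", "192.168.123.0/24", "5.5.5.0/24"):
        print(explain(check_vpn_subnet(candidate, routed)))
```

Run it with the real Routing list before clicking Save Settings; a report whose ok flag is False tells you exactly which subnet collides, which is far easier than debugging unreachable hosts after clients connect.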

3) Go to "Advanced VPN"

- It's probably nice to allow clients to communicate with each other on the VPN IP network, so you may want to change that setting here

4) Create a client account

- In one of the first steps above, you created a Linux account _clientUsername_
- Go to “User Permissions” and create a client here too with the same username
- The main thing is not to tick the Admin checkbox; you can enable the “Auto Login” option

Users in OpenVPN are PAM-backed, so any user you have a Linux account for can be “provisioned” here as well if you want them to have access to the OpenVPN.

Under the “Authentication” setting you can change this (to LDAP, etc.), but I'd stick with PAM.

5) Jump to the "Status Overview" page and make sure the server is started

At this point you just need to configure the firewall for inbound access from outside

You need to create a static NAT statement that forwards traffic on specific ports from one of your external IPs to your OpenVPN VM.
Please check out Managing Your Firewall: Cisco Firewall Service Module | Vyatta for more info on how to do this.

You need to open:

- 943 for administration
- 443 for web login interface (via https)
- and 1194 for OpenVPN traffic
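Once the static NAT and port openings are in place, it is worth confirming from a host outside the cloud that exactly the intended ports answer on the public IP and that nothing else leaked through. The following is an added example (my code, not from the page): it probes the two TCP ports listed above, and also checks that the VM's management ports used internally earlier on this page (5480 for the appliance interface, plus SSH on 22) are not reachable through the NAT. Only TCP ports are probed; in Access Server's default configuration the tunnel on 1194 is UDP, so that one is confirmed by an actual client connection rather than by this script. The public IP is a placeholder, and the injectable probe function exists so the logic can be exercised offline.

```python
"""External exposure check for the OpenVPN Access Server VM (added example, not from the page)."""
import socket
import sys

# TCP ports the page says to forward (1194 is UDP by default and is not probed here).
EXPECTED_TCP = {443: "client web login / HTTPS", 943: "admin interface"}
# Ports the VM listens on for local management; they must not be reachable via the public IP.
MUST_BE_CLOSED = {22: "SSH", 5480: "appliance admin interface"}


def tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(host, ports, timeout=2.0, probe_fn=tcp_open):
    """Probe each port; probe_fn is injectable so the logic can be tested without a network."""
    return {port: probe_fn(host, port, timeout) for port in ports}


def audit(observed):
    """Compare observed reachability with the intended firewall policy.

    observed -- dict port -> bool as returned by probe()
    Returns 'missing' (expected but closed), 'exposed' (must be closed but open) and 'ok'.
    """
    missing = sorted(p for p in EXPECTED_TCP if not observed.get(p, False))
    exposed = sorted(p for p in MUST_BE_CLOSED if observed.get(p, False))
    return {"missing": missing, "exposed": exposed, "ok": not missing and not exposed}


def report(public_ip, probe_fn=tcp_open):
    """Probe every port of interest on public_ip, print a table and return the audit result."""
    observed = probe(public_ip, sorted(EXPECTED_TCP | MUST_BE_CLOSED), probe_fn=probe_fn)
    result = audit(observed)
    for port in sorted(observed):
        label = EXPECTED_TCP.get(port) or MUST_BE_CLOSED.get(port)
        print(f"{port:>5} {label:<30} {'open' if observed[port] else 'closed'}")
    if result["missing"]:
        print("NOT forwarded (clients will fail):", result["missing"])
    if result["exposed"]:
        print("EXPOSED management ports (fix the firewall):", result["exposed"])
    return result


if __name__ == "__main__":
    # Usage: python check_exposure.py _yourPublicVmIP_   (run from outside the cloud)
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"  # documentation-range placeholder
    sys.exit(0 if report(target)["ok"] else 1)
```

The exit status makes it usable as a recurring check: a non-zero result after a firewall change means either clients lost a port they need or a management interface became reachable from the Internet.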

For users to log in, they just have to hit the public IP of your OpenVPN VM via https://_yourPublicVmIP_ and follow the instructions.
Connecting is a breeze and not much different from Cisco's AnyConnect. The user will be asked to log in, and once logged in a package for the OpenVPN connection will be downloaded and the user will be connected to the cloud.

openvpn.txt · Last modified: 2011/09/08 14:16 by peconi
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported