Pure commitment.
Using OpenVPN for remote access to the cloud
UKC-GEN-135
OVERVIEW
Secure remote access to the cloud is essential to cloud adoption and use. UKCloud Compute-as-a-Service comes with a dedicated vShield Edge Gateway — a simple, easy-to-use solution that supports IPSEC site-to-site VPNs and a limited number of remote access client VPNs designed for occasional use. Customers who require a more flexible and scalable solution can deploy their own choice of virtual appliances (either open source solutions such as OpenVPN or commercial solutions from a supplier such as Cisco, F5 or Palo Alto) instead of using the limited VPN service provided with the vShield Edge Gateway appliance.
IN THIS BLUEPRINT
Preparing your virtual data centre (page 3)
Obtaining and deploying the OpenVPN appliance (page 4)
Performing initial and admin configuration (page 6)
Logging in and connecting (page 9)
Securing the appliance (page 10)
For more help (page 12)
About UKCloud (page 13)
This Blueprint describes how to install and configure the OpenVPN virtual appliance on our cloud platform to support client access VPNs. OpenVPN is a licensed product: without a license key, you're limited to two concurrent VPN connections only. If you require additional concurrent connections, you'll need to obtain and install a license key.
UKCloud Ltd
PREPARING YOUR VIRTUAL DATA CENTRE
The first step is to prepare your virtual data centre (VDC). To secure your environment, we recommend you deploy the OpenVPN appliance onto a new, routed organisation VDC (Org VDC) network to which, ideally, no other virtual machines (VMs) will connect. This will enable you to tightly control access from VPN clients to the VMs in your environment using firewall rules on the vShield Edge Gateway. However, if you are approaching the network interface limit of your vShield Edge Gateway, it is possible to deploy the OpenVPN appliance into an existing Org VDC network.
Create a new Org VDC network
1. In vCloud Director, click the Administration button.
2. Select your VDC, then click the Org VDC Networks tab.
3. Click the green plus icon to add a new network.
4. Choose the option to create a routed network, and provide the network addressing information.

Configure your Edge Gateway
Click the Edge Gateways tab, then right-click your gateway and select Edge Gateway Services. You'll need to create the following:
- Source NAT rule to give the OpenVPN appliance outbound access to the internet
- Destination NAT rule to allow inbound access from the internet to the OpenVPN appliance
- Firewall rule to allow inbound access from the internet on port 443
- Firewall rule(s) to allow users connected to the OpenVPN appliance to access VMs on other networks for administration purposes — VPN users will be NATed to the IP address of the OpenVPN appliance
- Firewall rule(s) to allow access from trusted environment(s) to the OpenVPN appliance on the admin port — port 943 by default, but this can be changed
Blueprint: Using OpenVPN for remote access to the cloud
OBTAINING AND DEPLOYING THE OPENVPN APPLIANCE
To ensure you're running the latest release of OpenVPN, we suggest you first download the latest version of the appliance from the OpenVPN website. To do this:
1. Go to https://openvpn.net/index.php/access-server/download-openvpn-as-vm.html
2. Select the Virtual Appliance for VMware ESXi.
3. Download the OVA template.

To deploy the OpenVPN appliance:
1. Log on to the UKCloud portal.
2. Access vCloud Director.
3. Click the My Cloud button and select vApps.
4. Click the Add vApp from OVF button.
5. Select the OVA you downloaded. The appliance will be deployed as a single VM inside a vApp.
6. Give the vApp a name, then select the appropriate VDC and click Next.
7. Select the appropriate storage policy and click Next.
8. Give the VM a name, then click the Advanced Networking checkbox.
You'll now be able to select the appropriate network and change the IP assignment method. We suggest you deploy the VPN appliance to its own network segment (as described in the section 'Preparing your virtual data centre') and use the Static — IP Pool method of IP assignment.
Then continue through the wizard to the end. You don't need to make any other changes unless you wish to customise settings to suit your environment. Once the vApp has deployed and powered on, you will need to reset (reboot) the VM before logging in for the first time. This will force the networking changes made during your VMware guest customisations to take effect before you start configuring OpenVPN.
PERFORMING INITIAL AND ADMIN CONFIGURATION
Initial configuration
To perform the initial configuration, you'll need to connect to the VM console. To do this, log on to the VM with the username root and password openvpnas. Once you've logged on, you'll need to answer the following questions:

Question: Licence agreement
Suggested answer: Select Yes to accept.

Question: Will this be the primary Access Server node?
Suggested answer: Select Yes.

Question: Network
Suggested answer: If the guest customisations were applied correctly, this will default to eth0, which should be configured with an IP address on the network you selected during deployment.

Question: Admin web UI
Suggested answer: Accept the default 943 or choose your desired port number. A separate port for administration is recommended but not strictly needed.

Question: TCP port for OpenVPN daemon
Suggested answer: We recommend you use the default of 443 if possible; using a non-standard port may cause problems when connecting from corporate networks.

Question: Should client traffic be routed by default through VPN?
Suggested answer: Selecting Yes will prevent client devices from accessing any other networks (e.g. your corporate network) while the VPN is connected. (Leaving those other networks reachable while the VPN is connected is sometimes referred to as split tunnelling.) For ease of use, we suggest you answer No to this question, but you should refer to your security policy.

Question: Should client DNS traffic be routed by default through VPN?
Suggested answer: If you answered Yes to the previous question, all traffic will be routed through the VPN anyway, so your answer here will not matter. If you answered No to the previous question, you will probably want to answer No to this question as well, so that your DNS queries are answered by the usual servers.

Question: Use local auth via internal DB?
Suggested answer: Select Yes, unless you want to authenticate users from an existing directory service (Active Directory/LDAP).

Question: Should private subnets be accessible to clients by default?
Suggested answer: Select Yes to be able to access your cloud networks via the VPN.

Question: Do you wish to log in to the admin UI as openvpn?
Suggested answer: Select Yes to create a local user account named openvpn. If you answer No, you'll need to set up a different username and password.

Question: License key
Suggested answer: Leave blank unless you've purchased a license, in which case enter the license key.
If you opted to use the default openvpn account, you will need to set its password:
# passwd openvpn
While you're connected to the console, you can carry out a few additional system configurations, described below.

Configure the keyboard
The default configuration is for a US keyboard. To reconfigure for the UK:
# dpkg-reconfigure keyboard-configuration
Step through the wizard. There is no need to restart anything once you've finished.

Check the DNS resolver configuration is in place
During tests we discovered that this is not added by the VMware guest customisations.
# pico /etc/network/interfaces
Use the arrow keys to scroll down. Below the line specifying the default gateway, add the following:
dns-nameservers 8.8.8.8
Press ^O to save the file, then ^X to exit the text editor. For the change to take effect, you'll need to restart the networking service:
# service networking restart

Apply updates
It is a good idea to apply the latest upgrades to the system:
# apt-get update && apt-get upgrade
You'll be prompted to approve the installation of updates.

Install NTP
This is good practice, and is required if you intend to use two-factor authentication via Google Authenticator.
# apt-get install ntp
Once the NTP installation is complete, you'll need to update the configuration file to point to UKCloud's NTP servers.
# pico /etc/ntp.conf
Use the arrow keys to scroll down until you reach the lines beginning with 'server'. Change the first two lines to reflect the UKCloud servers, and comment out the remaining two lines:
server 37.26.90.192
server 37.26.94.232
You can now press ^D to log off the console.

Configure admin options
To configure admin options, log on to the admin interface at https://<appliance-address>/admin. Once you've logged on, you'll need to set the host name. To do this:
1. Select Server Network Settings.
2. Set the host name to either a public IP address or a fully qualified domain name (FQDN) that your client will be able to resolve.
3. Save settings on this page before moving on.
4. Under the Routing section, select the VPN Settings tab.
5. Add any additional subnets that your VPN users should have access to. These will usually be the IP subnets configured on all of your Org VDC networks.
This is the minimum configuration required in order to be able to establish a VPN connection.

Add users
Under User Management, select User Permissions to create new local user accounts. To set the password for each account, click the Show link in the More Settings column. Use complex passwords.
LOGGING IN AND CONNECTING
You can download the VPN client software and connection profiles directly from the appliance. To do this, browse to https://<appliance-address>/ and log in with a valid username and password. When the client software and/or profile is downloaded, a client certificate is included, which is required for authentication. Once the client software and/or profile have been installed, connections can be initiated directly from the client.
SECURING THE APPLIANCE
We strongly suggest that you further secure the appliance. The following changes are recommended.
Change default passwords
If you have not already done so, change the root password to something more secure. To do this, log on to the console as root with password openvpnas. To change the password:
# passwd

Enable two-factor authentication via Google Authenticator
You can do this using the OpenVPN Admin interface.
1. Browse to https://<appliance-address>/admin and log on with the default account.
2. Select the Client Settings menu under Configuration.
3. Click the checkbox to enable Google Authenticator support.
To enter/scan the Google Authenticator secret, users will need to:
1. Log in to the client portal at https://<appliance-address>/ and select Login.
2. Configure the secret.
3. Click the 'I scanned the QR code' button to enforce two-factor authentication.

Lock down unused ports with iptables
The openvpn config utility adds the required ALLOW entries to iptables automatically, so you just need to deny all other traffic:
# iptables -A INPUT -j DROP
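The single DROP rule above is the blueprint's own. The script below is an added example, not part of the blueprint or of OpenVPN Access Server, that builds the INPUT chain so the trailing DROP cannot also discard replies to the appliance's own outbound connections (apt-get, NTP) or the SSH session you are typing in, and that mirrors at host level the Edge Gateway rules from 'Preparing your virtual data centre' (443 from anywhere, the admin port only from a trusted network). The admin network, the 10.10.0.0/24 demo value and the DRY_RUN/FIREWALL_DEMO switches are assumptions for the example; 443 and 943 are the blueprint's defaults.

```shell
#!/bin/sh
# Added example (not from the blueprint or the OpenVPN project): build the
# appliance's INPUT chain so that the final "iptables -A INPUT -j DROP" does
# not also drop return traffic for the appliance's own outbound connections
# (apt-get, NTP) or the SSH session you are typing in. ADMIN_NET and the
# admin port are placeholders you must set for your environment.
# With DRY_RUN=1 (the default) the rules are printed rather than applied.

DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vpn_firewall_rules ADMIN_NET [ADMIN_PORT]
# Rules are appended in order and the first match wins, so DROP must be last.
vpn_firewall_rules() {
    admin_net="$1"
    admin_port="${2:-943}"   # 943 is the blueprint's default admin web UI port
    if [ -z "$admin_net" ]; then
        echo "usage: vpn_firewall_rules ADMIN_NET [ADMIN_PORT]" >&2
        return 2
    fi

    # Loopback, and replies to connections the appliance itself opened.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # VPN clients reach the OpenVPN daemon on TCP 443 (the blueprint default).
    run iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    # Admin web UI and SSH only from the trusted environment, mirroring the
    # Edge Gateway rule in 'Preparing your virtual data centre'.
    run iptables -A INPUT -p tcp -s "$admin_net" --dport "$admin_port" -j ACCEPT
    run iptables -A INPUT -p tcp -s "$admin_net" --dport 22 -j ACCEPT
    # Everything else is denied, as in the blueprint.
    run iptables -A INPUT -j DROP
}

# Demo with a constructed admin network (prints the rules; set FIREWALL_DEMO=1).
if [ "${FIREWALL_DEMO:-0}" = "1" ]; then
    vpn_firewall_rules 10.10.0.0/24 943
fi
```

Run it once with DRY_RUN=1 to review the rules, then with DRY_RUN=0 as root to apply them. Rules added with iptables live only in the kernel and are lost on reboot unless saved (the iptables-persistent package does this on Debian/Ubuntu), and Access Server re-adds its own rules when its service starts, so confirm with `iptables -L INPUT -n --line-numbers` that the DROP is still the last rule after a restart.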
Disable root SSH login
If you're connecting via SSH, best practice is to connect using a non-privileged account, then sudo to root if needed. This prevents an attacker from brute-forcing the root password.
# pico /etc/ssh/sshd_config
Use the arrow keys to scroll down the file, and change the PermitRootLogin line to no
Disable the default account During the initial setup, you will have created a username and password to log in to the Admin web interface. This account, whose default name is openvpn, is configured to be always active, disregarding its status in the User Permissions area. In addition, if you configured two-factor authentication via Google Authenticator, this is not enforced for the default account.
To disable the default account:
# pico /usr/local/openvpn_as/etc/as.conf
Use the arrow keys to scroll down the file until you see entries starting with boot_pam_users. Comment out the entry that matches the username you chose for the default account. This is usually the boot_pam_users.0= entry. For this change to take effect, you'll need to restart the OpenVPN service:
# service openvpnas restart
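The following audit script is an added example, not part of the blueprint or of OpenVPN Access Server. It checks the three console-side hardening edits covered in this section and in 'Performing initial and admin configuration' (PermitRootLogin in sshd_config, the commented-out boot_pam_users entry in as.conf, and the two UKCloud server lines in ntp.conf) against whichever copies of those files you point it at. The file paths, the sample file contents written by write_sample_configs and the AUDIT_DEMO switch are constructed for the example; the "before" sample deliberately contains a commented "#PermitRootLogin no" above an active "PermitRootLogin yes" to show that only uncommented directives count.

```shell
#!/bin/sh
# Added example (not from the blueprint or the OpenVPN project): audit the
# console-side hardening steps against copies of the configuration files.
# Every check takes file paths as arguments and returns 0 on pass, so it can
# be run against the real files on the appliance or the samples below.

# sshd uses the first uncommented PermitRootLogin directive; it must be "no".
check_root_login() {
    value="$(grep -iE '^[[:space:]]*PermitRootLogin[[:space:]]+' "$1" \
             | head -n 1 | awk '{print tolower($2)}')"
    [ "$value" = "no" ]
}

# The default admin account remains active while an uncommented
# boot_pam_users.N=<name> line for it exists in as.conf.
check_default_account_disabled() {
    ! grep -qE "^[[:space:]]*boot_pam_users\.[0-9]+=$2[[:space:]]*$" "$1"
}

# Only the two UKCloud NTP servers from the blueprint should be active.
check_ntp_servers() {
    active="$(grep -E '^[[:space:]]*server[[:space:]]+' "$1" \
              | awk '{print $2}' | sort | tr '\n' ' ')"
    [ "$active" = "37.26.90.192 37.26.94.232 " ]
}

# audit_appliance SSHD_CONFIG AS_CONF NTP_CONF DEFAULT_USER
# Prints PASS/FAIL per check and returns the number of failed checks.
audit_appliance() {
    fails=0
    report() {
        if "$@" >/dev/null 2>&1; then
            echo "PASS $1"
        else
            echo "FAIL $1"
            fails=$((fails + 1))
        fi
    }
    report check_root_login "$1"
    report check_default_account_disabled "$2" "$4"
    report check_ntp_servers "$3"
    return "$fails"
}

# write_sample_configs DIR STATE: constructed sample files for an appliance
# before ("before") and after ("after") the hardening steps were applied.
write_sample_configs() {
    dir="$1"
    if [ "$2" = "after" ]; then
        printf 'Port 22\nPermitRootLogin no\n' > "$dir/sshd_config"
        printf '# default account disabled\n#boot_pam_users.0=openvpn\n' > "$dir/as.conf"
        printf 'server 37.26.90.192\nserver 37.26.94.232\n#server 0.ubuntu.pool.ntp.org\n' > "$dir/ntp.conf"
    else
        printf 'Port 22\n#PermitRootLogin no\nPermitRootLogin yes\n' > "$dir/sshd_config"
        printf 'boot_pam_users.0=openvpn\n' > "$dir/as.conf"
        printf 'server 0.ubuntu.pool.ntp.org\nserver 1.ubuntu.pool.ntp.org\n' > "$dir/ntp.conf"
    fi
}

# Demo against the constructed "before" samples (set AUDIT_DEMO=1 to run).
if [ "${AUDIT_DEMO:-0}" = "1" ]; then
    demo_dir="$(mktemp -d)"
    write_sample_configs "$demo_dir" before
    audit_appliance "$demo_dir/sshd_config" "$demo_dir/as.conf" "$demo_dir/ntp.conf" openvpn
    rm -rf "$demo_dir"
fi
```

On the appliance itself, call audit_appliance with /etc/ssh/sshd_config, /usr/local/openvpn_as/etc/as.conf, /etc/ntp.conf and the default account name you chose. A passing sshd_config check only tells you the file is right: sshd reads it at start-up, so the PermitRootLogin change is not in force until the SSH service has been restarted, just as the as.conf change needs the openvpnas service restart above.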
FOR MORE HELP
Unfortunately, UKCloud Support cannot help you with troubleshooting or modifying any of the scripts provided in this document. Please refer to online documentation for OpenVPN: https://openvpn.net/howto.html. If you need further advice or guidance regarding your Secure Remote Access options, contact your Account Director. UKCloud has a talented team of cloud architects and a large number of partners who may be able to assist you.
ABOUT UKCLOUD
UKCloud has developed a range of cloud services designed specifically for the UK public sector, to help increase efficiencies, reduce costs, significantly improve procurement times and increase transparency. Our services are easy to adopt, easy to use and easy to leave to ensure that our customers remain in complete control, with minimum risk, reassured by the fact UKCloud's services are Pan Government Accredited (PGA) up to IL3 and so suitable for all data at OFFICIAL (including OFFICIAL-SENSITIVE).
All of UKCloud’s UK sovereign cloud computing services are hosted in one (or both) of our highly resilient tier 3 UK data centres in Farnborough and Corsham. UKCloud services are delivered with leading technologies from UKCloud Alliance Partners: QinetiQ, VMware, Cisco, EMC and Ark Data Centres. The Cloud Alliance also provides a collaborative resource which drives innovation and technical product development, helping to continually improve UKCloud’s offering to meet the needs of the UK public sector.
UKCloud’s full offering consists of IaaS, PaaS and SaaS products:
1. IaaS – seven offerings around Compute and Storage on demand
2. SaaS – offerings around messaging and secure file synchronisation
3. PaaS – based upon open-source Digital Application Platform and Hadoop

UKCloud is focused on providing cloud services in a more agile, secure and cost-effective manner. We strive to deliver solutions that harness technology as a way to facilitate the changes that are needed to streamline processes and reduce costs to support the UK public sector and, ultimately, UK citizens and taxpayers.
MORE INFORMATION
For further information about UKCloud and how we can help you, please send an email to [email protected]
UKCloud Ltd A8 Cody Technology Park Ively Road Farnborough Hampshire GU14 0LX +44 (0)1252 303300
[email protected] www.ukcloud.com Reasonable efforts have been made to ensure the accuracy of the information contained in this document. No advice given or statements or recommendations made shall in any circumstances constitute or be deemed to constitute a warranty by UKCloud Ltd as to the accuracy of such advice, statements or recommendations. UKCloud Ltd shall not be liable for any loss, expense, damage or claim howsoever arising out of the advice given or not given or statements made or omitted to be made in connection with this document. No part of this document may be copied, reproduced, adapted or redistributed in any form or by any means without the express prior written consent of UKCloud Ltd. © UKCloud Ltd 2016 All Rights Reserved. UKC-GEN-135 • 07/16