VPN Service for Zadara Edge Clouds

The VPN Service for Zadara Edge Clouds enables remote access to a VPC.

The implementation uses OpenVPN technology for securing private connections between remote clients and Zadara Edge Cloud resources.

Introduction

Virtual Private Cloud (VPC)

A virtual private cloud (VPC) is a virtual network dedicated to your Zadara Edge Cloud account. It is logically isolated from other virtual networks. You can launch virtual machines running computing workloads into your VPC.

zCompute VPN Service for VPC

A VPN service for VPC enables secure access from remote clients to resources running on a VPC associated with Zadara Edge accounts. Zadara Edge Cloud uses the existing infrastructure of a VPC to create a VPC access GW, providing authentication and authorization services based on OpenVPN technology.

Leveraging zCompute capabilities, Zadara offers a self-managed VPN Service for VPC, based on the open-source pfSense software.

vpn-service-architecture

The VPN Service is based on the VPC GW image available in zCompute’s Marketplace, for deployment on instances allocated in the VPC. The VPC GW implements Firewall (FW) functions between the internal VPC subnet and the external public WAN. The VPC GW is attached to the internal VPC subnet and external WAN subnet. It has capabilities for managing access and pass-through rules over FW. The WAN interface of the VPC GW is associated with an Elastic IP (EIP) and used for OpenVPN deployment, and provides highly secured private access from clients to VPC resources.

The VPC GW image comes with a built-in easy installation for clients, to be applied on remote machines supporting various OSes.

VPC GW Deployment

The deployment workflow for the VPN Service is based on pfSense software.

Deployment Requirements

  • x86-64 instance

  • 1 vCPU

  • 2 GB RAM

  • 8 GB disk drive

  • 2 NICs (WAN and LAN)

  • EIP on WAN interface

  • A zCompute VPC configured with Public and Private Subnets.

    See Creating a VPC with the UI Wizard.

Deployment Workflow

Note

The initial deployment flow is identical for both VPC Peering for multiple Zadara Edge Clouds and for VPN Service for Zadara Edge Clouds.

The following workflow must be run on a VPC GW instance that is configured with:

  • Public and Private Subnets

  • A Security Group preconfigured for this deployment. See the section on Security Hardening at the end of this page.

A preloaded image is available in the zCompute Marketplace, and provides an easy to use pfSense OpenVPN deployment option.

Download the pfSense image from Marketplace

  1. In the zCompute UI, go to Machine Images > Marketplace and select the pfSense-CE (VPC Peering GW) image.

  2. Set the Scope to Project or Account, and download the image.

Create an instance based on the pfSense image

  1. In Machine Images > Images, select the VPC Peering GW (pfSense-CE) image.

    pfsense-image-launch

  2. Click Launch to create an instance with 2 subnets.

    One subnet is for the internal VPC LAN. The other subnet will be used for the public-facing WAN interface.

    pfsense-vm-instance-create

  3. In the Storage tab, accept the default settings. Click Next.

  4. In the Networking tab, configure the public subnet.

    On completion of the public subnet configuration, click Add to configure the private subnet.

    pfsense-vm-instance-networking

    Note

    Configure the public subnet first and the private subnet second so that the public subnet is associated with eth0 and the private subnet with eth1.

Networking configuration for the pfSense instance

  1. Go to Compute > Instances and select the instance.

    1. In the instance’s lower pane, click the Networks tab.

    2. Attach an Elastic IP to the public subnet:

      1. Click the row of the public subnet.

      2. In the lower menu, select More > Attach Elastic IP. Attach an Elastic IP to the NIC attached to the WAN/public subnet, for example eth0.

        The Elastic IP will be used for the WAN interface on the VPC GW.

    3. For each of the eth0 and eth1 interfaces (both the public and private subnets), disable the Src/Dst Check:

      1. In the instance’s Networks tab in the lower pane, click the network interface row.

      2. Click Security Groups. In the Security Groups modal that opens, uncheck the Source/Destination checkbox, and save the configuration.

        pfsense-sg-src-dst

Networking setup on the pfSense VM

  1. Connect to the VM VNC to set up the networking configuration.

    Go to Compute > Instances > [VM instance name] > Connect.

    The VNC window opens, and the pfSense menu displays:

    vnc-pfsense-menu

  2. From the menu, select option 1: Assign interfaces:

    Note

    There is no need to set up VLANs.

    vnc-pfsense-assign-interfaces

    1. Set up vtnet0 for WAN (mapped to eth0 on the VM instance).

    2. Set up vtnet1 for LAN (mapped to eth1 on the VM instance).

    After assignment of the network interfaces, the pfSense menu reappears.

  3. From the menu, select option 2: Set interface(s) IP address.

    1. Set up the WAN interface with a static IPv4 address.

      For example:

      vnc-pfsense-wan-ip

    2. Set up the LAN interface with IPv4 DHCP.

      For example:

      vnc-pfsense-lan-ip

    On completion of the IP setup, the updated WAN and LAN IP assignments display, followed by the pfSense menu.

    Note

    The deployment flow up to this step is identical for both VPC Peering for multiple Zadara Edge Clouds and for VPN Service for Zadara Edge Clouds.

    Sign on to the pfSense web client to continue the specific deployment implementation.

  4. In a browser window, launch the pfSense web client using the Elastic IP assigned earlier to the public subnet. For example, https://10.41.31.5.

    The pfSense web client’s default credentials:

    • username: admin

    • password: pfsense

    Note

    The recommended best practice is to change the pfSense admin password at the first sign-on to the pfSense web client.

Certificate Authority setup

  1. In the pfSense web client, navigate to System > Certificates.

    pfsense-certificate-authority-list

  2. Under the Certificate Authorities list, click Add.

    In the Certificate Authorities input form, configure the following:

    pfsense-certificate-authority

    1. Descriptive name: Enter a meaningful name for the Certificate Authority.

    2. Method: Select Create an internal Certificate Authority.

    3. Accept the other defaults and click Save.

      The new configuration is added to the Certificate Authorities list.

OpenVPN Access Server setup

  1. In the pfSense web client, navigate to System > Certificates. Click Certificates tab.

    pfsense-certificates

  2. Under the Certificates list, click Add to create a server certificate.

    In the Certificate input form, configure the following:

    pfsense-server-certificate

    1. Method: Select Create an internal Certificate.

    2. Descriptive name: Enter a meaningful name for the certificate.

    3. Common Name: Enter a meaningful name, for example, OpenVPN-Server.

    4. Certificate Type: Select Server Certificate.

    5. Accept the other defaults and click Save.

      The new certificate is added to the Certificates list.

  3. In the pfSense web client, navigate to VPN > OpenVPN, and click the Wizards tab.

    In the OpenVPN Remote Access Server Setup wizard, accept the default settings, with the following exceptions:

    1. In step 7 of the wizard, select the server certificate created previously in Certificate Authority setup.

      pfsense-vpn-server-certificate

    2. In step 9 of the wizard, in the Tunnel Settings section:

      1. IPv4 Tunnel Network: Enter a unique CIDR.

      2. IPv4 Local Network: Enter the CIDR of the private subnet allocated for the instance.

        pfsense-vpn-tunnels

      The configured OpenVPN server will be added to the list of OpenVPN Servers.

      pfsense-openvpn-servers

Note

For more detailed information, the pfSense user guide provides a comprehensive step by step OpenVPN Remote Access Configuration Example.

OpenVPN Client setup

This workflow uses local user authentication. The following steps provide an example for adding a user for accessing the cloud from a remote client machine:

  1. In the pfSense web client, navigate to System > User Manager.

    1. Add a user for remote access.

    2. Click Save, and edit again to generate a user certificate with the certificate authority defined previously in Certificate Authority setup.

      pfsense-user-create

    3. In the pfSense web client navigate to VPN > OpenVPN > Client Export.

      At the bottom of the Client Export page, select the user, and the OS that will host the OpenVPN client.

      openvpn-client-export

      For example, click Windows 64-bit to download the OpenVPN installation package for that OS to the local client machine. The installation package includes the configuration and certificate required for the user to connect to the VPN from the specified OS.

      Important

      To export a user and OS configuration for a new VPN to a client machine that already has an OpenVPN client and configuration for an existing VPN:

      • Select the user’s Bundled Configurations > Archive.

      The same procedure applies for configuring a new user who will access an existing VPN on the client machine.

  2. On the remote client machine:

    1. Install the OpenVPN client:

      • For a client machine that does not yet have an OpenVPN client installation:

        Install the OpenVPN client on the remote client machine, using the OpenVPN installation package downloaded in the previous step.

      • For a client machine that already has an OpenVPN client and configuration for an existing VPN:

        On the local client machine, extract the zipped package into the OpenVPN configuration folder, for example, C:\Program Files\OpenVPN\config.

    2. Configure the VPN:

      Edit the user’s OpenVPN client configuration file, for example, C:\Program Files\OpenVPN\config\<name>-<username>-config. For example:

      vpn-client-user-config

      In the user’s OpenVPN client configuration file, in the remote <private IP address> line, replace the private IP address with the Elastic IP address.

      Note

      This step applies to all scenarios for the client machine, whether it’s a first-time OpenVPN installation, or the addition of a new VPN, or the addition of a new user on an existing VPN configuration.

    3. Connect to the VPN:

      1. On the remote client machine, launch the OpenVPN client GUI.

        openvpn-gui-launch

        On the first launch of the OpenVPN client GUI, the OpenVPN icon is added to the system tray:

        openvpn-gui-system-tray

      2. Right-click the OpenVPN icon in the system tray.

        The OpenVPN client menu opens.

        • If a single VPN is configured on the client machine, click Connect.

        • If there are multiple VPNs configured on the client machine, select the desired VPN and click Connect.

          openvpn-gui-multivpn

      3. Sign on using the user credentials that were defined earlier in the pfSense web client’s System > User Manager configurations.

        openvpn-gui-sign-on
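The edit described in Configure the VPN above (replacing the private IP in the remote line with the Elastic IP) is easy to get wrong by hand when the export contains several profiles. The following script is an added example, not Zadara's or pfSense's own tooling; it assumes the Client Export package holds an inline-config .ovpn file whose remote line still names the VPC GW's private WAN address, and the sample profile, addresses and placeholder CA body are constructed.

```python
"""Point an exported pfSense OpenVPN client profile at the Elastic IP.
Added example, not Zadara's or pfSense's own tooling. Assumes an
inline-config .ovpn whose 'remote' line still names the VPC GW's private
WAN address (constructed sample below)."""
import ipaddress
import re

# 'remote <host> [port] [proto]'; the mandatory whitespace after 'remote'
# keeps 'remote-cert-tls server' from matching.
REMOTE_RE = re.compile(r"^(\s*remote\s+)(\S+)(\s+\d+)?(\s+\S+)?\s*$")

# Constructed sample; the <ca> body is a placeholder, not a real certificate.
SAMPLE_PROFILE = """\
client
remote 172.16.10.20 1194 udp4
remote-cert-tls server
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""

def remote_endpoints(profile_text):
    """Return [(host, port, proto), ...] for every 'remote' directive."""
    found = []
    for line in profile_text.splitlines():
        m = REMOTE_RE.match(line)
        if m:
            port = (m.group(3) or "").strip() or None
            proto = (m.group(4) or "").strip() or None
            found.append((m.group(2), port, proto))
    return found

def rewrite_remote(profile_text, elastic_ip):
    """Replace the host of every 'remote' line with elastic_ip, keeping port
    and protocol. Raises ValueError on a bad IPv4 address or a profile with
    no 'remote' line, so a malformed export is never silently passed on."""
    ipaddress.IPv4Address(elastic_ip)  # AddressValueError is a ValueError
    out, hits = [], 0
    for line in profile_text.splitlines(keepends=True):
        m = REMOTE_RE.match(line)
        if m:
            end = line[len(line.rstrip("\r\n")):]  # keep CRLF/LF as exported
            line = f"{m.group(1)}{elastic_ip}{m.group(3) or ''}{m.group(4) or ''}{end}"
            hits += 1
        out.append(line)
    if hits == 0:
        raise ValueError("no 'remote' directive in profile")
    return "".join(out)
```

Read the exported file, pass its contents and the Elastic IP to rewrite_remote, and write the result back; everything else in the profile, including the inline certificate blocks, is left untouched.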

Security hardening configuration

  1. Change default passwords to non-default ones.

  2. Update the VPC Security Group to block non-essential ports.

    The OpenVPN Service requires the following port for normal operations:

    • UDP port 1194 for OpenVPN access

      vpc-openvpn-sg-rule

    Additional ports might be needed for applications running on VPC VM instances.
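A quick way to check step 2 of the hardening list is to audit the VPC GW's security group ingress rules against the one required port. The following is an added example and not Zadara's own tooling; the rule records are constructed to carry the fields a security group rule has (protocol, port range, source CIDR), and app_ports is a hypothetical allow-list for ports an operator deliberately opened for applications on VPC VMs.

```python
"""Audit a VPC GW security group's ingress rules: only UDP 1194 (OpenVPN) is
required on the WAN side. Added example, not Zadara's own tooling; the rule
records below are constructed."""

REQUIRED = {("udp", 1194)}  # the one port the OpenVPN service needs

# Constructed sample rules, as an operator might export them from the UI/API.
SAMPLE_RULES = [
    {"protocol": "udp", "from_port": 1194, "to_port": 1194, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 8000, "to_port": 8100, "cidr": "0.0.0.0/0"},
    {"protocol": "all", "from_port": None, "to_port": None, "cidr": "10.0.0.0/8"},
]

def audit_ingress(rules, app_ports=frozenset()):
    """Return a list of findings. app_ports is the (hypothetical) set of
    (proto, port) pairs deliberately opened for applications on VPC VMs;
    any other open port is reported, as is a missing UDP 1194 rule."""
    allowed = REQUIRED | set(app_ports)
    findings, seen = [], set()
    for r in rules:
        proto = r["protocol"].lower()
        # "all" / "-1" are common encodings for an any-protocol rule.
        if proto in ("all", "-1") or r["from_port"] is None:
            findings.append(f"all traffic allowed from {r['cidr']}")
            continue
        ports = range(r["from_port"], r["to_port"] + 1)
        seen.update((proto, p) for p in ports)
        if any((proto, p) not in allowed for p in ports):
            span = str(ports[0]) if len(ports) == 1 else f"{ports[0]}-{ports[-1]}"
            findings.append(f"non-essential {proto}/{span} open from {r['cidr']}")
    for proto, port in sorted(REQUIRED - seen):
        findings.append(f"required {proto}/{port} is not allowed")
    return findings
```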