VPN Services#

For VPN services you will deploy OpenVPN and configure it for access to your VDC. We recommend you use the OpenVPN appliance you can find on the OpenVPN website: https://openvpn.net/downloads/openvpn-as-latest-vmware.ova.

How to install and Configure OpenVPN#

OpenVPN Remote Access uses the provided OVA that can be found in your content library. You will deploy this VM per the steps below and configure access for your client connections through the UI. For an OpenVPN Site-to-Site connection you will need to deploy a Linux VM first and then install the binaries for OpenVPN and configure.

Before you begin#

Before you begin, ensure that:

Best practice guidelines for configuring your VDC for OpenVPN#

  • Create a new routed VDC network dedicated for OpenVPN.

  • Configure the Edge Gateway:

    • Add a Source NAT to allow outbound access to the internet for the OpenVPN appliance.

    • Add a Destination NAT to allow inbound access from the internet to the OpenVPN appliance.

    • Add a firewall rule to allow inbound 443 traffic from the internet to the OpenVPN appliance.

    • Add firewall rules to allow NATed IPs from the network created for the OpenVPN appliance to access VMs on your desired networks.

    • Add firewall rules to allow access from your target networks to the network created for OpenVPN.

How to deploy OpenVPN#

  1. Log in to the Rackspace Services for VMware Cloud portal.

  2. Select the VDC from which you want to deploy the OpenVPN appliance.

  3. Click Data Centers > Virtual Data Center.

  4. Click Compute > vApps > New > Add vApp from OVF.

  5. Choose the OpenVPN OVA and click Next.

  6. Review the details and click Next.

  7. Choose a vApp name and description if desired and click Next.

  8. Name the OpenVPN VM and choose the storage policy. Capacity is tier 2 storage and Standard is tier 1 storage. Select a storage policy and click Next.

  9. Configure the networking by checking the box next to Advanced Networking Workflow.

  10. Choose the OpenVPN network you created earlier and choose the IP Assignment Manual IP. Type the chosen IP address and click Next.

  11. On the Custom Properties page click Next.

  12. Choose vCPU, cores per socket and memory and click Next.

  13. Review your settings and click Finish. The OpenVPN VM and vApp will deploy.

How to Configure OpenVPN#

Complete the following tasks to configure OpenVPN.

Obtain the Password#

After the OpenVPN vApp is deployed you will need the generated password.

  1. Click Details on the OpenVPN vApp tile.

  2. Click General > Virtual Machines and then click on the OpenVPN VM.

  3. Click Guest OS Customization > Edit. The password will be shown in the Specify Password field.

Open a Console to the OpenVPN VM#

  1. Click Details on the OpenVPN vApp tile.

  2. Click General > Virtual Machines and then click on the OpenVPN VM.

  3. Verify the VM is powered on. If not, power on the VM.

  4. To open a console to the VM click All Actions > VM Console > Launch Web Console.

  5. Login with root for username and use the password you obtained in the steps above.

Configure OpenVPN#

  1. Once logged in the configuration process will start automatically.

  2. Type Yes to accept the License Agreement.

  3. Type Yes to accept this OpenVPN VM to be the primary access server.

  4. Type the number next to the correct network interface.

  5. Press Enter to accept the default port 943 for the Admin Web UI.

  6. Press Enter to accept the default port 443 for the OpenVPN daemon.

  7. “Should client traffic be routed by default through the VPN?”: choosing Yes will not allow VPN clients to access any networks other than the OpenVPN network. It is advised to type No so users can access the other networks you permit.

  8. Since No was used above, you should also type No for “Should client DNS traffic be routed by default through the VPN?”.

  9. Type Yes to use local authentication.

  10. Type Yes to allow private subnets to be accessible to clients by default.

  11. Type Yes to create a local user account “openvpn”. Type No to change the username and password.

  12. Type your Activation key if you have obtained one already or leave blank to specify one later.

  13. Now the setup wizard will complete.

    When it is complete you can choose a password for the openvpn user by typing: # passwd openvpn

    Next you create local user accounts for all your VPN users and add their passwords.

Configure Admin Options#

This is where you change settings for the OpenVPN appliance and add user accounts.

  1. Login to the appliance administrator console: https://<ip_address>:943/admin.

  2. To set the Hostname, click Configuration > Network Settings. From there you can set the Hostname and IP address, or change it to a fully qualified domain name or public IP address.

  3. To set additional subnets your VPN user can access click Configuration > VPN Settings > Routing.

  4. To create new user accounts click User Management > User Permissions.

  5. To enable two-factor authentication click Authentication > General > Enable Google Authenticator.

Download the OpenVPN Client#

  1. To download the OpenVPN client navigate to the OpenVPN appliance https://<OpenVPN_Appliance_IP>/.

  2. The client software includes a certificate that is required for authentication.

  3. After installing the OpenVPN client you start the VPN connection from the client program.

To get more detailed information for advanced configurations of OpenVPN visit their website: https://openvpn.net.

OpenVPN Site-to-Site Configuration#

Before you begin#

Before you begin, we assume the following:

  • You have an OpenVPN Access Server installation working.

  • That it is installed in your private network behind a router with Internet access and has a private IP address.

  • That it has port forwarding set up so that it can be reached from the outside, and with appropriate settings so that it is reachable with an OpenVPN client program from the outside.

In other words, that you have an OpenVPN Access Server installation that works and lets OpenVPN clients connect.

Best practice guidelines for configuring your VDC for OpenVPN#

  • Create a new routed VDC network dedicated for OpenVPN.

  • Configure the Edge Gateway:

    • Add a Source NAT to allow outbound access to the internet for the OpenVPN Client Gateway VM.

    • Add a Destination NAT to allow inbound access from the internet to the OpenVPN Client Gateway VM appliance.

    • Add a firewall rule to allow outbound internet traffic from the OpenVPN Client Gateway VM.

    • Add static routes to the destination networks you will be accessing on the NSX Edge (T1) via the OpenVPN Client Gateway VM. (Ticket required for this step)

Configure the OpenVPN Access Server for Site-to-Site#

In this task you change settings for the OpenVPN appliance and add user accounts.

  1. Login to the appliance administrator console: https://<ip_address>:943/admin.

  2. Click Configuration > VPN Settings > Routing.

  3. In ‘Should VPN clients have access to private subnets (non-public networks on the server side)?’ set the selection to Yes, using routing (advanced).

  4. In ‘Specify the private subnets to which all clients should be given access (one per line):’ provide the OpenVPN Access Server subnet, and all source subnets that should be routed.

  5. Create a new site-to-site user.

  6. Click User Management.

  7. In User Permissions, create a new user and password.

  8. Click Advanced User Settings.

  9. Set VPN Gateway to Yes.

  10. In ‘Allow client to act as VPN gateway for these client-side subnets’, provide all client-side subnets, including the OpenVPN Client Gateway VM subnet.

  11. Click Save Settings and Update the running server.

How to deploy OpenVPN Linux Gateway client#

  1. Choose Compute > vApps > NEW VAPP.

  2. Choose a vApp name and description.

  3. Select Power On, and then choose ADD VIRTUAL MACHINE.

  4. Name the OpenVPN Client VM and description, if desired.

  5. Select Type as Template, and then select the Ubuntu Template.

  6. Select the storage policy. Capacity is tier 2 storage and Standard is tier 1 storage. Choose storage policy and click Next.

  7. Configure the NICs and select VMXNET3 as the Network Adapter Type.

  8. Choose the OpenVPN network you created earlier, choose the IP Assignment “Static - IP Pool”, and then click OK.

  9. Click Create, and the OpenVPN Client Gateway VM and vApp will deploy.

How to Setup the OpenVPN Linux Gateway client VM#

Open a Console to the OpenVPN Client Gateway VM#

  1. Click Details on the OpenVPN vApp tile.

  2. Click General > Virtual Machines and then click on the OpenVPN Client Gateway VM.

  3. Verify the VM is powered on. If not, power on the VM.

  4. To open a console to the VM click All Actions > VM Console > Launch Web Console.

  5. Login with “root” for username and use the password you obtained in the steps above.

Install and configure OpenVPN on the Client Gateway VM#

  1. On Ubuntu, run apt-get install openvpn. With the client program installed, at system startup it checks for any *.conf files in the /etc/openvpn/ directory, tries to connect using each of them, and keeps those connections up.

  2. Enable IP forwarding on the OpenVPN Client Gateway VM.

  3. Open /etc/sysctl.conf with a text editor like nano, and uncomment the line #net.ipv4.ip_forward=1. Uncommenting means you remove the # character. Then exit and save the file.

  4. Reboot the OpenVPN Client Gateway VM operating system.

  5. Go to the OpenVPN Access Server’s client UI using a web browser. Enter the user name and password of the user account you created for site-to-site connectivity and click go. You will be presented with a list of files available for this user account. Locate the auto-login profile and download it. It will be called client.ovpn.

  6. Transfer this client.ovpn file to the OpenVPN Client Gateway VM (with SCP or WinSCP, or by copying and pasting the contents of the file into a text editor such as nano) and place it in the /etc/openvpn/ directory. Rename the file to something like headquarters.conf. The filename itself is not important, but the extension must be .conf for the OpenVPN daemon to pick it up.

  7. Reboot the OpenVPN Client Gateway VM operating system.

  8. The OpenVPN Client Gateway VM should now automatically connect and you should be able to see this connection appear on the OpenVPN Access Server’s Current Users overview.
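The steps above as a script, added here as an example rather than Rackspace's or OpenVPN's own tooling. It assumes an Ubuntu gateway VM, the page's paths (/etc/sysctl.conf, /etc/openvpn/), the profile name headquarters, and that the downloaded auto-login profile sits at /root/client.ovpn; every path is a parameter so the checks can be run against copies first.

```shell
#!/bin/sh
# Added example (not the page's own code): prepare an Ubuntu OpenVPN Client
# Gateway VM for site-to-site use. Paths are parameters so the checks can be
# exercised on copies; the defaults are the paths the page uses.
set -eu
# Uncomment (or append) net.ipv4.ip_forward=1 in a sysctl.conf file, idempotently.
enable_ip_forward() {
    conf="${1:-/etc/sysctl.conf}"
    if grep -q '^net.ipv4.ip_forward=1' "$conf"; then
        return 0
    elif grep -q '^#net.ipv4.ip_forward=1' "$conf"; then
        sed -i 's/^#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' "$conf"
    else
        printf 'net.ipv4.ip_forward=1\n' >> "$conf"
    fi
}

# Succeed only if the file carries an uncommented net.ipv4.ip_forward=1 line.
ip_forward_enabled() {
    grep -q '^net.ipv4.ip_forward=1' "${1:-/etc/sysctl.conf}"
}

# An auto-login profile must embed the CA, client cert and private key (so no
# username/password prompt at boot) and must name the remote Access Server.
profile_is_autologin() {
    for tag in '<ca>' '<cert>' '<key>'; do
        grep -q "^$tag" "$1" || return 1
    done
    grep -q '^remote ' "$1"
}

# Install the profile as <dir>/<name>.conf with owner-only permissions: the
# embedded private key is all anyone needs to bring up this tunnel.
install_profile() {
    src="$1"; name="$2"; dir="${3:-/etc/openvpn}"
    profile_is_autologin "$src" || { echo "incomplete auto-login profile: $src" >&2; return 1; }
    mkdir -p "$dir"
    install -m 0600 "$src" "$dir/$name.conf"
    echo "$dir/$name.conf"
}

# Full run on the gateway itself (root required). /root/client.ovpn is assumed
# to be the profile downloaded from the Access Server client UI.
main() {
    apt-get install -y openvpn
    enable_ip_forward /etc/sysctl.conf && sysctl -p
    install_profile /root/client.ovpn headquarters
    systemctl enable --now openvpn@headquarters
}
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it with --apply on the gateway VM; without that flag it only defines the functions, so you can source it and try enable_ip_forward or install_profile against a scratch copy before touching the real files.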

Static routes will be required on the T1 Edge, which must be applied by the RSVC Infrastructure Team, in order to route the client networks via the OpenVPN Access Server and/or Client Gateway.

All destination networks must be identified, and the OpenVPN Access Server (AS) or OpenVPN Client Gateway (CG) IP address must be provided in order to create these static routes. For configuring the OpenVPN Access Server for site-to-site connectivity, see: https://openvpn.net/vpn-server-resources/site-to-site-routing-explained-in-detail

To get more detailed information for advanced configurations of OpenVPN visit their website: https://openvpn.net