Remote-access Guide

cloudstack setup remote access vpn

by Ronaldo Altenwerth Published 2 years ago Updated 2 years ago
image

To set up VPN for the cloud:

  • Log in to the CloudStack UI as an administrator or end user.
  • In the left navigation, click Global Settings.
  • Set the following global configuration parameters.
    • remote.access.vpn.client.ip.range - The range of IP addresses to be allocated to remote access VPN clients. The first IP in the range is used by the ...
    • remote.access.vpn.psk.length - Length of the IPSec key.
    • remote.access.vpn.user.limit - Maximum number of VPN users per account.

Configuring Remote Access VPN in VPC
  1. Log in as a user or administrator to the CloudStack UI.
  2. In the left navigation, click Network.
  3. In the Select view, select VPC. ...
  4. Click the Configure button of the VPC. ...
  5. In the Router node, select Public IP Addresses. ...
  6. Click Source NAT IP address.
  7. Click the Enable VPN button.

Full Answer

How do I set up a VPC in CloudStack?

Log in to the CloudStack UI as an administrator or end user. In the left navigation, choose Network. In the Select view, select VPC. Click Add VPC. The Add VPC page is displayed as follows: Name: A short name for the VPC that you are creating.

How do I set up a VPN connection on vpc1?

Navigate to VPC1, click “configure”, then click on the “Site to site VPN” pane. From the “select view” pulldown menu select “VPN connections” and click the “Create VPN connection” button. Next select the remote Customer VPN gateway – and do not tick the “active” tick box.

How do I grant remote access to a VPN Server?

Select the Grant access. Grant access if the connection request matches this policy option. c. Under Type of network access server, select Remote Access Server (VPN-Dial up) from the drop-down. In the Routing and Remote Access MMC, right-click Ports, and then select Properties.

How do I deploy a VPN on a Windows Server?

Select Deploy VPN only. The Routing and Remote Access Microsoft Management Console (MMC) opens. Right-click the VPN server, then select Configure and Enable Routing and Remote Access. The Routing and Remote Access Server Setup Wizard opens. In the Welcome to the Routing and Remote Access Server Setup Wizard, select Next.

image

What is VPN user database?

The VPN user database is shared across all the VPNs created by the account owner. All VPN users get access to all VPNs created by the account owner.

Does VPN go through all traffic?

Make sure that not all traffic goes through the VPN. That is, the route installed by the VPN should be only for the guest network and not for all traffic.

Can a VPN client be present outside the VPC?

On enabling Remote Access VPN on a VPC, any VPN client present outside the VPC can access VMs present in the VPC by using the Remote VPN connection. The VPN client can be present anywhere except inside the VPC on which the user enabled the Remote Access VPN service.

Introduction

Configuring connectivity between CloudStack hosted VPCs can be done by either using private gateways – which has to be configured by CloudStack root administrators to use dedicated network segments – or by using VPC-to-VPC connections, which can be configured by the CloudStack end user without admin input.

Networking overview

To be able to route traffic from a VM in one VPC to a VM in another VPC the IP ranges used in the two VPCs must be unique and can not overlap. If the same IP ranges were used the traffic from one side of the VPN tunnel to the other would not route over the tunnel itself, hence connectivity could not be established.

Terms used

The VPN gateway is the term used for the local VPN endpoint. This is simply enabled on the source-NAT IP address of the VPC virtual router – and it allows the local VR to accept incoming VPN connections.

Configuring the VPN tunnels

First of all configure the VPC networks at either end with the required VPC ACL lists.

Operation and troubleshooting

If the VPC-to-VPC connection doesn’t work as expected check the following:

Conclusion

We hope this article will clarify the terms used and the configuration steps required to configure a VPC-to-VPC VPN connection. As always we’re happy to receive feedback , so please get in touch with any comments, questions or suggestions.

About The Author

Dag Sonstebo is a Cloud Architect at ShapeBlue, The Cloud Specialists. Dag spends most of his time designing, implementing and automating IaaS solutions based on on Apache CloudStack.

What is CloudStack Virtual Private Cloud?

A VPC can have its own virtual network topology that resembles a traditional physical network. You can launch VMs in the virtual network that can have private addresses in the range of your choice, for example: 10.0.0.0/16. You can define network tiers within your VPC network range, which in turn enables you to group similar kinds of instances based on IP address range.

What is an ACL in a VPC router?

Define Network Access Control List (ACL) on the VPC virtual router to control incoming (ingress) and outgoing (egress) traffic between the VPC tiers, and the tiers and Internet. By default, all incoming and outgoing traffic to the guest networks is blocked. To open the ports, you must create a new network ACL. The network ACLs can be created for the tiers only if the NetworkACL service is supported.

What is a tier in a VPC?

Tiers are distinct locations within a VPC that act as isolated networks, which do not have access to other tiers by default. Tiers are set up on different VLANs that can communicate with each other by using a virtual router. Tiers provide inexpensive, low latency network connectivity to other tiers within the VPC.

What is static NAT?

A static NAT rule maps a public IP address to the private IP address of a VM in a VPC to allow Internet traffic to it. This section tells how to enable or disable static NAT for a particular IP address in a VPC.

How to install Remote Access Role in VPN?

On the VPN server, in Server Manager, select Manage and select Add Roles and Features. The Add Roles and Features Wizard opens. On the Before you begin page, select Next.

How to start remote access?

Select Start service to start Remote Access. In the Remote Access MMC, right-click the VPN server, then select Properties. In Properties, select the Security tab and do: a. Select Authentication provider and select RADIUS Authentication.

How to select a server from the server pool?

On the Select destination server page, select the Select a server from the server pool option. Under Server Pool, select the local computer and select Next. On the Select server roles page, in Roles, select Remote Access, then Next. On the Select features page, select Next. On the Remote Access page, select Next.

How many Ethernet adapters are needed for VPN?

Install two Ethernet network adapters in the physical server. If you are installing the VPN server on a VM, you must create two External virtual switches, one for each physical network adapter; and then create two virtual network adapters for the VM, with each network adapter connected to one virtual switch.

What is NAS in a network?

A NAS is a device that provides some level of access to a larger network. A NAS using a RADIUS infrastructure is also a RADIUS client, sending connection requests and accounting messages to a RADIUS server for authentication, authorization, and accounting. Review the setting for Accounting provider: Table 1.

Can you assign a VPN to a pool?

Additionally, configure the server to assign addresses to VPN clients from a static address pool. You can feasibly assign addresses from either a pool or a DHCP server; however, using a DHCP server adds complexity to the design and delivers minimal benefits.

Is RRAS a router or a server?

RRAS is designed to perform well as both a router and a remote access server because it supports a wide array of features. For the purposes of this deployment, you require only a small subset of these features: support for IKEv2 VPN connections and LAN routing.

Introduction

Configuring connectivity between CloudStack hosted VPCs can be done by either using private gateways – which has to be configured by CloudStack root administrators to use dedicated network segments – or by using VPC-to-VPC connections, which can be configured by the CloudStack end user without admin input.

Networking overview

To be able to route traffic from a VM in one VPC to a VM in another VPC the IP ranges used in the two VPCs must be unique and can not overlap. If the same IP ranges were used the traffic from one side of the VPN tunnel to the other would not route over the tunnel itself, hence connectivity could not be established.

Terms used

The VPN gateway is the term used for the local VPN endpoint. This is simply enabled on the source-NAT IP address of the VPC virtual router – and it allows the local VR to accept incoming VPN connections.

Configuring the VPN tunnels

First of all configure the VPC networks at either end with the required VPC ACL lists.

Operation and troubleshooting

If the VPC-to-VPC connection doesn’t work as expected check the following:

Conclusion

We hope this article will clarify the terms used and the configuration steps required to configure a VPC-to-VPC VPN connection. As always we’re happy to receive feedback , so please get in touch with any comments, questions or suggestions.

About The Author

Dag Sonstebo is a Cloud Architect at ShapeBlue, The Cloud Specialists. Dag spends most of his time designing, implementing and automating IaaS solutions based on on Apache CloudStack.

image

Introduction

Networking Overview

  • To be able to route traffic from a VM in one VPC to a VM in another VPC the IP ranges used in the two VPCs must be unique and can not overlap. If the same IP ranges were used the traffic from one side of the VPN tunnel to the other would not route over the tunnel itself, hence connectivity could not be established. As an example the two VPC networks could be configured as follows: …
See more on shapeblue.com

Terms Used

  • VPN gateway
    The VPN gateway is the term used for the local VPN endpoint. This is simply enabled on the source-NAT IP address of the VPC virtual router – and it allows the local VR to accept incoming VPN connections.
  • VPN customer gateway
    The VPN customer gateway is the remote endpoint we target when we configure the VPN connection. When we configure these we need to specify all the details for this VPN connection: 1. Name: user friendly name for the gateway 2. Gateway: the public facing IP address of the rem…
See more on shapeblue.com

Configuring The Vpn Tunnels

  • Create and configure the VPC networks
    First of all configure the VPC networks at either end with the required VPC ACL lists.
  • Create customer gateways
    Navigate to “Network” and select “VPN customer gateway” on the pulldown menu, the click the “Add VPN customer gateway” button. In this example we assume that VMs on both VPC1 tier 1 and 2 will consume resources on VPC2. Please note in this case we only configure the name, pu…
See more on shapeblue.com

Operation and Troubleshooting

  • If the VPC-to-VPC connection doesn’t work as expected check the following: 1. ACL lists: all VPC-to-VPC connections still adhere to the Access Control Lists set for each VPC tier, i.e. if a tier is configured to use e.g. “default_deny” then neither traffic on a different tier locally or traffic from remote VPCs will reach the VMs in question. 2. To check the VPN tunnels on the VPC virtual rout…
See more on shapeblue.com

Conclusion

  • We hope this article will clarify the terms used and the configuration steps required to configure a VPC-to-VPC VPN connection. As always we’re happy to receive feedback , so please get in touch with any comments, questions or suggestions.
See more on shapeblue.com

About The Author

  • Dag Sonstebo is a Cloud Architect at ShapeBlue, The Cloud Specialists. Dag spends most of his time designing, implementing and automating IaaS solutions based on on Apache CloudStack.
See more on shapeblue.com

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9