Configuring a VPN Appliance for Site to Site Connections

VPN Appliance Powered by OPNsense

The eApps VPN Appliance is powered by OPNsense, a leading open source network security platform based on FreeBSD. See https://www.opnsense.org. This powerful security platform will allow you to easily create a site to site VPN tunnel between one or more of your eApps Virtual Servers and an external end point that supports the IPsec protocol. The configuration of the VPN Appliance is done using the OPNsense user interface. Some configuration settings on your eApps Virtual Servers must be performed via the command line. This guide explains how to set up your site to site VPN. If you would like to have eApps perform the setup and configuration for you, contact sales@eapps.com.

Prerequisites

In order to configure a site to site VPN, you will need to have the following:
  • A Virtual Server built using the VPN Appliance (OPNsense) template
  • One or more eApps hosted Virtual Servers that will connect to the VPN tunnel
  • Additional private IP address for the OPNsense VPN Virtual Server (Purchased in Upgrade/Downgrade after the VS is built).
  • Additional private IP address for each Virtual Server (Purchased in Upgrade/Downgrade after the VS is built).

You will also need the following:
  • The public IP address, gateway, and CIDR netmask for the Virtual Server
  • The private IP address that you purchased for your OPNsense VPN VS along with the gateway and CIDR netmask
  • The private IP address that you purchased for the Virtual Server(s) that are connecting to the OPNsense VPN VS, along with the gateway and CIDR netmask
  • The public IP address of the remote router that your OPNsense VPN will be connecting to. You will need to contact the owners/admins of the remote site for this information.
  • The private IP addresses and CIDR netmask of the remote services that your applications will be connecting to. You will need to contact the owners/admins of the remote site for this information.
  • The "shared-secret" password that both ends of the connection have to use for authentication. Either you will create this and provide it to the owners/admins of the remote site, or they will create it and provide it to you.
  • The values for ike-group and esp-group. You will need to contact the owners/admins of the remote site for this information.
  • Because of how the eApps network is laid out, static routes and GRE tunnels are required for communication between your OPNsense VPN Appliance and your backend eApps hosted Virtual Servers.

Create Static Routes

Add a static route from each Virtual Server to the OPNsense VPN Appliance

You will need to use the Private IP you obtained for your OPNsense VPN Appliance in CIDR notation.

For Linux:
# ip route add OPNSENSE_PRIVATE_IP/CIDR via OPNSENSE_PRIVATE_IP_GATEWAY dev eth1

Next, you will need to restart the network. This depends on the OS you are using.

For CentOS 6 and 7:
# service network restart

For Debian 7, Ubuntu 14 and Ubuntu 16:
# service networking restart

For Windows Server, please see https://technet.microsoft.com/en-us/library/ff961510(v=ws.11).aspx

Add a static route from the OPNsense VPN Appliance to each Virtual Server

Log in to your OPNsense VPN Appliance's dashboard and navigate to System > Routes > All > Add Route and use the following settings:
Destination network: VIRTUAL_SERVER_PRIVATE_IP/CIDR
Gateway: Select GW_LAN from the dropdown
Description: Route to VIRTUAL_SERVER_HOSTNAME
Click Apply Changes

Create the IPSec VPN Tunnel

Create Phase 1 IPSec Tunnel in OPNsense VPN Appliance

In your OPNsense VPN Appliance dashboard, navigate to VPN > IPsec > Tunnel Settings. Click the + icon to add a new Phase 1 entry. Your settings may vary depending on what was agreed with the remote end. For this example, we will use the following settings:
===General information===
Connection method: default
Key Exchange version: V2
Internet Protocol: IPv4
Interface: WAN
Remote Gateway: REMOTE_PEER_PUBLIC_IP
Description: VPN to REMOTE_PEER

===Phase 1 proposal (Authentication)===
Authentication method: Mutual PSK
Negotiation mode: Main
My identifier: My IP Address
Peer Identifier: Peer IP Address
Pre-Shared Key: PRE_SHARED_KEY

===Phase 1 proposal (Algorithms)===
Encryption algorithm: 3DES
Hash algorithm: SHA256
DH key group: 5 (1536 bit)
Lifetime: 28800

===Advanced Options===
Disable Rekey: Unchecked
Disable Reauth: Unchecked
NAT Traversal: Enable
Dead Peer Detection: Unchecked

Create Phase 2 IPSec Tunnel in OPNsense VPN Appliance

In your OPNsense VPN Appliance dashboard, navigate to VPN > IPsec > Tunnel Settings. Click on Show 0 Phase-2 entries, then click the + icon to add a new Phase 2 entry. Your settings may vary depending on what was agreed with the remote end. For this example, we will use the following settings:
===General information===
Mode: Tunnel IPv4
Description: Tunnel to REMOTE_PEER

===Local Network===
Type: Network
Address: VIRTUAL_SERVER_PUBLIC_IP/CIDR

===NAT/BINAT===
LEAVE DEFAULT

===Remote Network===
Type: Network
Address: REMOTE_PEER_ENDPOINT/CIDR

===Phase 2 proposal (SA/Key Exchange)===
Protocol: ESP
Encryption algorithms: AES 256
Hash algorithms: SHA256
PFS key group: off
Lifetime: 3600 seconds

===Advanced Options===
LEAVE DEFAULT

Click Apply Changes
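The same tunnel as seen from the remote end, written as a strongSwan swanctl.conf. This is an added example, not eApps or OPNsense material, and it assumes the remote router runs strongSwan with swanctl (the guide only says it supports IPsec); OPNSENSE_PUBLIC_IP is a placeholder for the appliance's WAN address, the other CAPS names are the guide's own placeholders. The proposals must match the Phase 1 and Phase 2 settings above exactly, which is where most failed negotiations originate; 3DES with DH group 5 appears only because the example above uses it, and both ends should prefer the AES and larger DH group options OPNsense also offers for Phase 1 when the remote side supports them.

```conf
# swanctl.conf on the remote peer (added example, placeholders in CAPS)
connections {
    eapps-site {
        version = 2                          # Key Exchange version: V2
        local_addrs  = REMOTE_PEER_PUBLIC_IP
        remote_addrs = OPNSENSE_PUBLIC_IP    # WAN address of the OPNsense appliance
        local {
            auth = psk                       # Mutual PSK
            id = REMOTE_PEER_PUBLIC_IP       # Peer Identifier: Peer IP Address
        }
        remote {
            auth = psk
            id = OPNSENSE_PUBLIC_IP          # My identifier: My IP Address
        }
        # Phase 1: 3DES / SHA256 / DH group 5 (1536 bit), lifetime 28800 s
        proposals = 3des-sha256-modp1536
        rekey_time = 28800s
        # Dead Peer Detection is unchecked above, so no dpd_delay is set;
        # NAT traversal needs no setting in strongSwan IKEv2.
        children {
            eapps-net {
                # Mirror image of the OPNsense Phase 2 selectors
                local_ts  = REMOTE_PEER_ENDPOINT/CIDR
                remote_ts = VIRTUAL_SERVER_PUBLIC_IP/CIDR
                # Phase 2: ESP, AES 256 / SHA256, lifetime 3600 s.
                # No DH group in the ESP proposal = PFS key group off.
                esp_proposals = aes256-sha256
                rekey_time = 3600s
                start_action = start
            }
        }
    }
}
secrets {
    ike-eapps {
        id-1 = OPNSENSE_PUBLIC_IP
        id-2 = REMOTE_PEER_PUBLIC_IP
        secret = "PRE_SHARED_KEY"
    }
}
```

Load it with `swanctl --load-all` and compare `swanctl --list-sas` on the remote end with the IPsec status page in OPNsense; a proposal mismatch shows up there as NO_PROPOSAL_CHOSEN before any traffic flows.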

Create GRE Tunnels

A Generic Routing Encapsulation (GRE) tunnel is necessary in order for the Virtual Servers behind your OPNsense appliance to be able to communicate with the network behind the VPN device at the remote end.

Create GRE Tunnel Default Gateway on VPN Appliance

In your OPNsense VPN Appliance dashboard, navigate to System > Gateways > All > +Add gateway and use the following settings:
Disabled: Unchecked
Interface: LAN
Address Family: IPv4
Name: GRE_GW
Gateway: You may select any private class B network. We use 172.31.1.2 for this example
Default Gateway: Unchecked
Far Gateway: Checked
Disable Gateway Monitoring: Checked
Monitor IP: Leave blank
Mark Gateway as Down: Unchecked
Advanced: Leave default
Description: Interface GRE Gateway
Click Save

Create GRE Tunnel on OPNsense VPN Appliance

In your OPNsense VPN Appliance dashboard, navigate to Interface > Other types > GRE > click Add and use the following settings:
Parent interface: LAN 
GRE remote address: VIRTUAL_SERVER_PRIVATE_IP
GRE tunnel local address: 172.31.1.1 (depends on the gateway you chose in the step above)
GRE tunnel remote address: 172.31.1.2/24 (depends on the gateway you chose in the step above)
Mobile tunnel: Unchecked
Route search type: Unchecked
WCCP version: Unchecked
Description: GRE tunnel to VIRTUAL_SERVER_HOSTNAME

Create GRE tunnel on each Virtual Server behind the OPNsense VPN Appliance

Create /etc/sysconfig/network-scripts/ifcfg-tun0 with the following contents:
DEVICE=tun0
BOOTPROTO=none
ONBOOT=yes
TYPE=GRE
PEER_OUTER_IPADDR=OPNSENSE_PRIVATE_IP
PEER_INNER_IPADDR=172.31.1.1
MY_INNER_IPADDR=172.31.1.2
MY_OUTER_IPADDR=VIRTUAL_SERVER_PRIVATE_IP
Note that MY_INNER_IPADDR is the same as the GRE tunnel remote address in OPNsense, and PEER_INNER_IPADDR is the same as the GRE tunnel local address in OPNsense. For each additional Virtual Server you configure with a GRE tunnel, you will have to increase MY_INNER_IPADDR by one. For example, on your second Virtual Server, MY_INNER_IPADDR would be 172.31.1.3.

Configure Servers to Use GRE Tunnels

Configure static route on Virtual Server to use GRE Tunnel

On each endpoint Virtual Server, create /etc/sysconfig/network-scripts/route-tun0 with the following contents:
REMOTE_PEER_PUBLIC_IP/CIDR via 172.31.1.1 dev tun0 src VIRTUAL_SERVER_PUBLIC_IP onlink
Bring the tunnel up:
# ifup tun0

Configure static route on OPNsense VPN Appliance to use the GRE Tunnel

In your OPNsense VPN Appliance dashboard, navigate to System > Routes > All > Add route and use the following settings:
Destination network: VIRTUAL_SERVER_PUBLIC_IP/CIDR
Gateway: Select GRE_GW (the gateway created above) from the dropdown
Disabled: Unchecked
Description: Static route to VIRTUAL_SERVER_HOSTNAME
Click Apply Changes

Test VPN Tunnel

To test that the site to site VPN tunnel is working properly, try to reach a server located on the remote end from one of your eApps Virtual Servers behind your OPNsense VPN Appliance.
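The Virtual Server side of the GRE tunnel and route (the ifcfg-tun0 and route-tun0 steps above) and the reachability test, done with iproute2 so it also covers the Debian and Ubuntu servers listed in the prerequisites, which have no /etc/sysconfig/network-scripts files. This is an added example, not part of the eApps guide; the CAPS names are the guide's placeholders, and the server index (1 for the first Virtual Server, 2 for the second) is an assumption used to derive MY_INNER_IPADDR the way the guide describes.

```shell
#!/bin/sh
# Added example, not from the eApps guide: GRE tunnel, route and check on a
# Virtual Server using iproute2. CAPS names are the guide's placeholders.
set -eu

# Inner address of the Nth Virtual Server behind the appliance: the OPNsense
# end keeps 172.31.1.1, server 1 gets 172.31.1.2, server 2 gets 172.31.1.3, ...
gre_inner_addr() {
    echo "172.31.1.$(( $1 + 1 ))"
}

# With DRY_RUN=1 the commands are printed instead of executed, so the plan can
# be reviewed without root or a live network.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# gre_tunnel_up INDEX VIRTUAL_SERVER_PRIVATE_IP OPNSENSE_PRIVATE_IP DEST_NET VIRTUAL_SERVER_PUBLIC_IP
# DEST_NET is the destination that the guide's route-tun0 sends via 172.31.1.1.
gre_tunnel_up() {
    inner=$(gre_inner_addr "$1")
    # Same as ifcfg-tun0: the outer addresses are the private IPs on each side.
    run ip tunnel add tun0 mode gre local "$2" remote "$3" ttl 255
    # Same as MY_INNER_IPADDR / PEER_INNER_IPADDR: a point-to-point inner pair.
    run ip addr add "$inner" peer 172.31.1.1 dev tun0
    run ip link set tun0 up
    # Same as route-tun0: reach the remote side through the tunnel, sourced from
    # this server's public IP so the traffic matches the Phase 2 local network.
    run ip route add "$4" via 172.31.1.1 dev tun0 src "$5" onlink
}

# vpn_check REMOTE_HOST VIRTUAL_SERVER_PUBLIC_IP: the test from the last
# section. "ip route get" must answer "via 172.31.1.1 dev tun0" before the
# ping is worth trying; if it names eth0/eth1 instead, the route is missing.
vpn_check() {
    run ip route get "$1"
    run ping -c 3 -I "$2" "$1"
}

# Live usage, as root:
#   gre_tunnel_up 1 VIRTUAL_SERVER_PRIVATE_IP OPNSENSE_PRIVATE_IP DEST_NET/CIDR VIRTUAL_SERVER_PUBLIC_IP
# Preview first with DRY_RUN=1 in front of the same command.
```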
