Posts Tagged 'VPN'

August 29, 2016

Setting Up OpenVPN on a SoftLayer Vyatta Device

The following is a step-by-step guide on how to utilize your SoftLayer Vyatta gateway device as your own personal VPN to access any server behind the Vyatta device with even more freedom than the SoftLayer VPN. In the following example, we will be using the built-in OpenVPN daemon that comes installed with Vyatta. This means you can upload large files to your servers that are behind the Vyatta device using the speed of your public interface, rather than trying to depend on the SoftLayer VPN’s speeds—which are throttled for management, not file transfer. You will also have more control over how your VPN behaves, which subnets your users can access, how you manage your VMware environment, and more.

What we will review in the following guide, however, are just the basics. This will give you a basic VPN working in client/server mode and using certificates and keys for authentication rather than passwords.

What you will need for this guide

  • 1 Vyatta gateway device
  • 1 Windows 7/8/10 computer or 1 Apple device running OS X 10.10+
  • 1 portable private/28 subnet that is on a VLAN already associated and routed to your Vyatta (the smallest you can order is 16 portable private IPs from the portal)
  • A little patience

OpenVPN Client/Server Implementation

The first thing you’ll need to do is to copy the easy-rsa folder to your /config/.

cp -r /usr/share/easy-rsa/ /config/easy-rsa

Then you’ll need to edit the vars file to personalize your certificates.

nano -w /config/easy-rsa/vars

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=2048

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

export KEY_CITY="Houston"
export KEY_ORG="IBMCloud "
export KEY_EMAIL=""

Now you’ll need to load your variables from the vars file you just modified.

cd /config/easy-rsa

source ./vars

You'll want to run ./clean-all to start fresh in case there is something old lingering around in the directory.

./clean-all

Now build the certificate authority files. (Just press Enter to everything.)

./build-ca

Now build the Diffie-Hellman parameters file (this produces dh2048.pem for the key size set above).

./build-dh

Now build the key file for the server. (Enter to everything again, enter a password if asked, and Y to both questions.)

./build-key-server my-server

Next, you’ll need to copy the certificates and keys into the /config/auth/ folder.

sudo cp /config/easy-rsa/keys/ca.crt /config/auth/

sudo cp /config/easy-rsa/keys/dh2048.pem /config/auth/

sudo cp /config/easy-rsa/keys/my-server.key /config/auth/

sudo cp /config/easy-rsa/keys/my-server.crt /config/auth/

Now you can build the key for the client and distribute it to them. Use the ./build-key to generate a certificate that will connect to the VPN without a password, using an SSL key instead.

./build-key myname

Answer all questions accordingly and be sure to answer YES to sign the certificate and when it asks you to commit.

Now copy the keys and certificates and create a configuration for the client. First, you’ll need to make the directory for the client, though, for easier tracking.

cd /config/easy-rsa/keys

mkdir myname

cp myname* myname/

cp ca.crt myname/

Next, you'll need to create a client config that you will be using on your local machine later. The client directive tells OpenVPN to act as a TLS client and pull the routes and DNS settings the server pushes, and remote-cert-tls server makes the client refuse any server that does not present a certificate issued for server use (so another client certificate from the same CA cannot pose as the server).

nano -w myname/myvpnserver.ovpn

client
proto tcp
remote-cert-tls server
verb 2
dev tun0
cert myname.crt
key myname.key
ca ca.crt
remote 11994


From your local computer, you can download the config directory directly from your Vyatta.

scp -r vyatta@ .

This copies the client directory to the current directory on your local machine, so make sure you are in the directory you want to store the keys in.

Setting up the OpenVPN Server

The server subnet needs to be a different subnet from your LAN; for this example, we are using a portable private /28 (16 IPs on the 10.x.x.x network), because the server assigns an IP from that subnet to each client as they log in, giving them access to everything behind your Vyatta. You will also notice we are setting the resolvers to the SoftLayer DNS resolvers, as well as a Google DNS resolver. This ensures that your VPN-connected users still have full Internet access, as well as internal access.

You will also see that there is a push-route added for the other private subnets behind the Vyatta device. For this example, we wanted to give the users logged-in access to more than just the subnet from which it is assigning IPs. You will need to adjust the push-route lines to fit your environment, though. 

We will also be assigning a non-standard port of 11994, due to many ISPs blocking port 1194, and changing the protocol to TCP because UDP is also blocked in many places.

set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet
set interfaces openvpn vtun0 server name-server
set interfaces openvpn vtun0 server push-route
set interfaces openvpn vtun0 server push-route
set service dns forwarding listen-on vtun0
set interfaces openvpn vtun0 tls cert-file /config/auth/my-server.crt
set interfaces openvpn vtun0 tls key-file /config/auth/my-server.key
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
set interfaces openvpn vtun0 tls dh-file /config/auth/dh2048.pem
set interfaces openvpn vtun0 local-port 11994
set interfaces openvpn vtun0 protocol tcp-passive

Now that the interface is set, we just need to open the firewall for it. The rule has to accept the same non-standard port we set as local-port above (the service name openvpn would resolve to 1194, which nothing is listening on). Note: you will need to adjust for the firewall name that you use so that it applies correctly.

set firewall name wan-local rule 40 action accept
set firewall name wan-local rule 40 destination port 11994
set firewall name wan-local rule 40 protocol tcp



That's it! Your OpenVPN server is set up on the Vyatta device. Now it's time to install OpenVPN GUI on Windows or Tunnelblick on OS X.

Install either program as directed by the installer, then simply open the .ovpn file you downloaded earlier via scp with that program and it will connect. If you are on OS X, the default firewall will block ping requests from your Vyatta and a few other things. For my personal use, I used Murus Lite and loaded the Murus Predefined Configuration to make it work correctly. Windows may need the Windows firewall adjusted to allow traffic to pass on TCP 11994 as well.

Congratulations! You now have a working OpenVPN setup connecting you to your SoftLayer environment. You can test it by pinging one of the servers behind your Vyatta on the private network.

If you need to create more than one client key, simply follow these steps.

cd /config/easy-rsa
source ./vars
./build-key newclient
cd /config/easy-rsa/keys
mkdir newclient
cp newclient* newclient/
cp ca.crt newclient/

Then run the same scp command from earlier (but fix the path to the newclient) and you're set!
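The pieces above have to agree with each other: the client's remote port and proto must match the server's local-port and protocol, the profile must carry remote-cert-tls server, and the firewall rule must open the numeric port rather than the service name openvpn (which means 1194). The following checker, added for this guide and not part of the original post or of Vyatta, parses a client .ovpn and the Vyatta set commands and reports those mismatches; the sample texts are constructed and vyatta.example.net is a placeholder host.

```python
# Added example for the Vyatta OpenVPN guide (not from the original post or from Vyatta).
SERVICE_PORTS = {"openvpn": 1194}  # a firewall rule may name the port via /etc/services

def parse_ovpn(text):
    """Map each .ovpn directive to its argument list (blank and comment lines skipped)."""
    words = [l.split() for l in text.splitlines() if l.split() and l.lstrip()[0] not in "#;"]
    return {w[0]: w[1:] for w in words}

def parse_vyatta(text):
    """'set interfaces openvpn <if> <path..> <val>' -> {path: [vals]}; firewall rules -> {rule: {key: val}}."""
    ovpn, rules = {}, {}
    for words in (l.split() for l in text.splitlines()):
        if words[:3] == ["set", "interfaces", "openvpn"] and len(words) > 5:
            ovpn.setdefault(" ".join(words[4:-1]), []).append(words[-1])
        elif words[:2] == ["set", "firewall"] and "rule" in words:
            i = words.index("rule")   # 'set firewall name wan-local rule 40 destination port X'
            rules.setdefault(" ".join(words[2:i + 2]), {})[words[-2]] = words[-1]
    return ovpn, rules

def check(ovpn_text, vyatta_text):
    """Return findings that would stop the client connecting or verifying the server."""
    client, (server, rules) = parse_ovpn(ovpn_text), parse_vyatta(vyatta_text)
    port, local_port = int(client["remote"][1]), int(server.get("local-port", ["1194"])[0])
    findings = []
    if port != local_port:
        findings.append(f"client connects to port {port}, server listens on {local_port}")
    proto = client.get("proto", ["udp"])[0].split("-")[0]       # tcp-client -> tcp
    sproto = server.get("protocol", ["udp"])[0].split("-")[0]   # tcp-passive -> tcp
    if proto != sproto:
        findings.append(f"client proto {proto} does not match server protocol {sproto}")
    if client.get("remote-cert-tls") != ["server"]:
        findings.append("missing 'remote-cert-tls server': any certificate signed by the "
                        "CA, including another client's, would be accepted as the server")
    opened = set()   # (port, protocol) pairs the firewall accepts; service names resolved
    for rule in rules.values():
        port_name = str(SERVICE_PORTS.get(rule.get("port"), rule.get("port")))
        if rule.get("action") == "accept" and port_name.isdigit():
            opened.add((int(port_name), rule.get("protocol", "any")))
    if (local_port, sproto) not in opened:
        findings.append(f"no firewall rule accepts {sproto}/{local_port}; opened: {sorted(opened)}")
    return findings

# Constructed samples modelled on the guide; vyatta.example.net is a placeholder host.
CLIENT_OVPN = ("client\nproto tcp\nremote-cert-tls server\ndev tun0\ncert myname.crt\n"
               "key myname.key\nca ca.crt\nremote vyatta.example.net 11994\n")
VYATTA_CONF = """set interfaces openvpn vtun0 local-port 11994
set interfaces openvpn vtun0 protocol tcp-passive
set firewall name wan-local rule 40 action accept
set firewall name wan-local rule 40 destination port openvpn
set firewall name wan-local rule 40 protocol tcp
"""
FIXED_CONF = VYATTA_CONF.replace("destination port openvpn", "destination port 11994")

if __name__ == "__main__":
    print(check(CLIENT_OVPN, VYATTA_CONF))  # reports that the rule opened 1194, not 11994
```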


August 30, 2011

Global Expansion: PoP into Asia - Japan

By the end of the year, SoftLayer's global network will include points of presence (PoPs) and data centers throughout Europe and Asia. As George explained in Globalization and Hosting: The World Wide Web is Flat, the goal is to bring SoftLayer's network within 40ms of everyone on the planet. One of the first steps in reaching that goal is to cross both of the "ponds" between our US facilities and our soon-to-open international facilities.

Global Network

The location and relative size of Europe and Asia on that map may not make them viable resources when planning travel (Seattle actually isn't geographically closer to Tokyo than it is to San Jose), but they illustrate the connections we'll make to extend our network advantages to Singapore and Amsterdam.

Since I'm currently on-site in Singapore, I can give you an inside look at our expansion into Asia. The data center is coming along very nicely, but before I share any of the activity from that construction process, I wanted to share a little about a stopover I had on my trip from Dallas to Singapore: Tokyo!

Last week, we began the process of installing and lighting our first Asian point of presence in Tokyo, Japan, and after a few long days of work, it's all racked and stacked. If you're familiar with SoftLayer, you're probably aware that we build our data centers in a pod concept for a number of reasons, and our network points of presence are no different ... One funny aspect of being so familiar with the infrastructure in all of our other locations is that when we walk out the door of the data center facility, we get inundated with culture shock all over again.

SoftLayer VP of Network Operations and Engineering Will Charnock just finished the process of building the network PoP in Hong Kong, and you might see a few (similar looking) pictures from Tokyo and Hong Kong in the near future when we're ready to open those new PoPs to customer traffic. And don't worry ... I'll be sure to sneak a few shots of the Singapore DC progress for you too.



February 15, 2011

Five Ways to Use Your VPN

One of the many perks of being a SoftLayer customer is having access to your own private network. Perhaps you started out with a server in Dallas, later expanded to Seattle, and are now considering a new box in Washington, D.C. for complete geographic diversity. No matter the distance or how many servers you have, the private network bridges the gaps between you, your servers, and SoftLayer's internal services by bringing all of these components together into a secure, integrated environment that can be accessed as conveniently as if you were sitting right in the data center.

As if our cutting-edge management portal and API weren't enough, SoftLayer offers complimentary VPN access to the private network. This often-underestimated feature allows you to integrate your SoftLayer private network into your personal or corporate LAN, making it possible to access your servers with the same security and flexibility that a local network can offer.

Let's look at a few of the many ways you can take advantage of your VPN connection:

1. Unmetered Bandwidth

Unlike the public network that connects your servers to the outside world, the traffic on your private network is unlimited. This allows you to transfer as much data as you wish from one server to another, as well as between your servers and SoftLayer's backup and network storage devices – all for free.

When you use the VPN service to tap into the private network from your home or office, you can download and upload as much data as you want without having to worry about incurring additional charges.

2. Secure Data Transfer

Because your VPN connection is encrypted, all traffic between you and your private network is automatically secure — even when transferring data over unencrypted protocols like FTP.

3. Protect Sensitive Services

Even with strong passwords, leaving your databases and remote access services exposed to the outside world is asking for trouble. With SoftLayer, you don't have to take these risks. Simply configure sensitive services to only listen for connections from your private network, and use your secure VPN to access them.

If you run Linux or BSD, securing your SSH daemon is as easy as adding the line ListenAddress a.b.c.d to your /etc/ssh/sshd_config file (replace a.b.c.d with the IP address assigned to your private network interface).

4. Lock Down Your Server in Case of Emergency

In the unfortunate event of a security breach or major software bug, SoftLayer allows you to virtually "pull the plug" on your server, effectively cutting off all communication with the outside world.

The difference with the competition? Because you have a private network, you can still access your server over the VPN to work on the problem – all with the peace of mind that your server is completely off-limits until you're ready to bring it back online.

5. Remote Management

SoftLayer's dedicated servers sport a neat IP management interface (IPMI) which takes remote management to a whole new level. From reboots to power supply control to serial console and keyboard-video-mouse (KVM) access, you can do anything yourself.

Using tools like SuperMicro's IPMIView, you can connect to your server's management interface over the VPN to perform a multitude of low-level management tasks, even when your server is otherwise unreachable. Has your server shut itself off? You can power it back on. Frozen system? Reboot from anywhere in the world. Major crash? Feeling adventurous? Mount a CD-ROM image and use the KVM interface to install a new operating system yourself.

This list is just the beginning. Once you've gotten a taste of the infinite possibilities that come with having out-of-band access to your hosted environment, you'll never want to go back.

Now, go have some fun!


December 9, 2009

SoftLayer - Unbelievable Control, Capabilities and Innovation

I have been working at SoftLayer for 2+ years now as a CSA and it has been quite the experience! Imagine working at a place where you get to put your hands on the latest technologies, where customers can manage servers as if they were in their own datacenter, and where innovation is a daily norm. Welcome to my job at SoftLayer. I have seen this company grow at an amazing rate, and to whom do we owe the credit? YOU – The customer! Everything that we do, offer and build is a testament to the customers that use our services. This helps make us a forerunner in the industry and allows the customers that use our services to grow and achieve anything that their business requires. I am going to list just a few of my favorite capabilities we offer below:

VPN – The ability to control your server through a private, secure connection and to use our backend services without incurring usage against bandwidth.

IPMI – Having the power of a local console attached and, with some cards, a virtual DVD-ROM to install any operating system of your choice.

OS Reloads – We offer several types of operating systems to choose from and keep up to date with the latest versions.

Secondary DNS – You can host your own DNS and allow zone transfers into the SoftLayer Portal and use our resolvers as secondary failovers.

Content Delivery Network – This feature is awesome as you can deliver your site or video from the closest point to an end user geographically to ensure a great viewing experience.

Support – 24x7 support that truly cares about the customer’s needs. We love what we do and this attitude shows in everything we do.

This is just the tip of the iceberg and barely touches on what we offer our customers. If you are not yet a customer I would strongly encourage you to speak with one of our Sales representatives as they are here and ready to help and will guide you in building the platform you need to get the job done.

October 2, 2009

Is That a Real Computer?

Some mornings after work when the weather is nice I'll go to a local coffee shop on the way home to read or study for the CCNA exams. Sometimes I'll just end up pulling out the netbook and browsing around online. There are times during these outings when I'll get asked the title question of this blog: is that a real computer? I guess it's the size that throws people, but the answer is yes.

For those who are not familiar with the netbook class of systems here are the specs for mine:

  • 10.2 inch screen
  • 1 GB RAM
  • 1.6GHz Intel Atom processor
  • 160GB SATA hard drive
  • 3 USB ports
  • Card reader
  • Built-in Wifi
  • Built-in webcam
  • Windows XP (I've got plans for Windows 7)
  • 5 hour battery life
  • Light weight (I've got books that weigh more)

Netbooks are great for when you're just knocking around town and might want to do some light web work. This morning while at Starbucks I've checked e-mail several times, caught up on the daily news, and reviewed the game statistics from the Cowboys game I missed last night. Other mornings I've fired up a VPN connection into the office and been able to remotely help with tickets, work on documentation for our SSL product and tinker around with a NetScaler VPX Express virtual machine (an interesting bit of tech for a later article).

So how does this tie into server hosting?

You've probably had a time when your monitoring has indicated a service ceasing to respond on a server. If all you have is a cell phone the options are somewhat limited. With a fancy enough phone you might have an SSH or RDP client but do you really want to do anything on a PDA sized screen? I didn't think so. You can put in a ticket from your phone and our support can help out but the person best able to fix a service failure is still going to be you, the server administrator who knows where all the bodies are buried and how the bits tie together.

A small netbook can be a lightweight (and inexpensive) administration terminal for your servers hosted with us. Just find an Internet connection, connect up to the SoftLayer VPN and now you have complete access to work on your servers via a secure connection.

Through the wonders of the IPMI KVM this access even includes the console which opens up the possibility of doing a custom kernel build and install safely, while sitting under the stars, drinking a hot chocolate and watching the local nightlife.

Sounds like a pretty nice reality to me.
