The following is a step-by-step guide to using your SoftLayer Vyatta gateway device as your own VPN endpoint, giving you access to any server behind the Vyatta with more freedom than the SoftLayer VPN offers. The example uses the OpenVPN daemon that ships with Vyatta. This lets you upload large files to servers behind the Vyatta at the speed of your public interface instead of relying on the SoftLayer VPN, which is sized for management traffic rather than bulk file transfer. You also get more control over how the VPN behaves: which subnets your users can reach, how you manage your VMware environment, and more.
This guide covers only the basics: a working client/server VPN in which clients authenticate with a certificate and private key issued by your own certificate authority (TLS client certificates) rather than with passwords.
What you will need for this guide
- 1 Vyatta gateway device
- 1 Windows 7/8/10 computer or 1 Apple device running OS X 10.10+
- 1 portable private/28 subnet that is on a VLAN already associated and routed to your Vyatta (the smallest you can order is 16 portable private IPs from the portal)
- A little patience
OpenVPN Client/Server Implementation
The first thing you’ll need to do is to copy the easy-rsa folder to your /config/.
cp -r /usr/share/easy-rsa/ /config/easy-rsa
Then you'll need to edit the vars file to personalize your certificates. The settings that matter are KEY_SIZE, which must be 2048 (the dh2048.pem file copied later in this guide is what easy-rsa produces at that size, and 1024-bit RSA keys are no longer acceptable), CA_EXPIRE and KEY_EXPIRE, which set the CA and certificate lifetimes in days, and the KEY_* identity fields such as KEY_ORG.
nano -w /config/easy-rsa/vars
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=2048
# In how many days should the root CA key expire?
# In how many days should certificates expire?
export KEY_ORG="IBMCloud"
Now change into the easy-rsa directory and load the variables from the vars file you just modified. The vars file derives its paths from the current directory, so run it from /config/easy-rsa.
cd /config/easy-rsa
source ./vars
Run ./clean-all to start fresh; it empties the keys directory in case something old is lingering there.
./clean-all
Now build the certificate authority files. (Just press Enter to everything.)
./build-ca
Now build the Diffie-Hellman parameters. (This takes a while at 2048 bits.)
./build-dh
Now build the key and certificate for the server; the name you give here (my-server below) becomes the file name. (Enter to everything again, enter a password if asked, and Y to both questions.)
./build-key-server my-server
Next, copy the server certificate, the server key, the CA certificate and the DH parameters into the /config/auth/ folder. Copy only ca.crt, never ca.key: the CA private key stays in /config/easy-rsa/keys, where it is needed only to issue and revoke certificates, and anyone who obtains it can mint a client certificate your server will accept.
sudo cp /config/easy-rsa/keys/ca.crt /config/auth/
sudo cp /config/easy-rsa/keys/dh2048.pem /config/auth/
sudo cp /config/easy-rsa/keys/my-server.key /config/auth/
sudo cp /config/easy-rsa/keys/my-server.crt /config/auth/
Now you can build the key for the client and hand it to them. ./build-key generates a certificate and an unencrypted private key, so the client connects with the key file alone and is never prompted for a password; treat that .key file as the credential it is. The name you give (myname below) becomes the file name.
./build-key myname
Answer all questions accordingly and be sure to answer YES to sign the certificate and when it asks you to commit.
Now copy the keys and certificates and create a configuration for the client. First make a directory for the client inside /config/easy-rsa/keys, for easier tracking. The client needs only its own certificate and key plus the CA certificate (the .csr is not needed).
cd /config/easy-rsa/keys
mkdir myname
cp myname.crt myname.key myname/
cp ca.crt myname/
Next, create the client config that you will use on your local machine later. The server configured below listens on TCP port 11994, so the profile needs client mode, a tun device, proto tcp, the remote line, and ca, cert and key directives pointing at the three files in the client directory:
nano -w myname/myvpnserver.ovpn
client
dev tun
proto tcp
remote 184.108.40.206 11994
ca ca.crt
cert myname.crt
key myname.key
It is also worth adding remote-cert-tls server to the profile: the client then refuses any peer whose certificate lacks the server role that build-key-server sets, so a stolen client certificate cannot be used to impersonate your server.
From your local computer, download the client directory straight from your Vyatta with scp (substitute your login name and the Vyatta's public address):
scp -r <user>@<vyatta-public-ip>:/config/easy-rsa/keys/myname .
This copies the client directory into the current directory on your local machine, so make sure you are in the directory where you want to store the keys. Keep that directory readable only by you, since myname.key is the credential for the VPN.
Setting up the OpenVPN Server
The server subnet must be different from your LAN subnets; in this example we use a portable private /28 (16 IPs on the 10.x.x.x network), because OpenVPN assigns each client an address from that subnet when it logs in, giving it access to everything behind your Vyatta. Note that with OpenVPN's default net30 topology each client consumes a /30, so a /28 serves only three concurrent clients; if you need more, order a larger block or, where your Vyatta release offers it, set server topology subnet. The name-server line points clients at the SoftLayer DNS resolvers and a Google DNS resolver (repeat the line once per resolver), so VPN-connected users keep full Internet access as well as internal access.
There is also a push-route for the other private subnets behind the Vyatta device, because we wanted logged-in users to reach more than just the subnet from which addresses are assigned. Adjust the push-route lines to fit your environment. Remember that a pushed route only tells the client what to send over the tunnel; if you want to restrict what a client can actually reach, apply a firewall rule set to vtun0 as well.
We also use a non-standard port of 11994, because many ISPs block port 1194, and switch the protocol to TCP because UDP is also blocked in many places. TCP has a cost: tunnelling TCP inside TCP performs badly on lossy links, so prefer UDP wherever your users' networks allow it. On the server side Vyatta's protocol option is tcp-passive (listen), and the client profile must use proto tcp to match.
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet 10.134.247.0/28
set interfaces openvpn vtun0 server name-server 220.127.116.11
set interfaces openvpn vtun0 server push-route 10.135.8.0/26
set interfaces openvpn vtun0 server push-route 10.134.198.80/28
set service dns forwarding listen-on vtun0
set interfaces openvpn vtun0 tls cert-file /config/auth/my-server.crt
set interfaces openvpn vtun0 tls key-file /config/auth/my-server.key
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
set interfaces openvpn vtun0 tls dh-file /config/auth/dh2048.pem
set interfaces openvpn vtun0 local-port 11994
set interfaces openvpn vtun0 protocol tcp-passive
Now that the interface is set, we just need to open the firewall for it (note: adjust wan-local to the name of the rule set you apply to the public interface's local direction). Give the port as the number 11994: a rule written as destination port openvpn matches the service name openvpn from /etc/services, which is 1194, and would leave the port the daemon actually listens on closed.
set firewall name wan-local rule 40 action accept
set firewall name wan-local rule 40 destination port 11994
set firewall name wan-local rule 40 protocol tcp
Then commit and save the configuration.
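The firewall rule is where a listener on a non-standard port most often goes wrong: Vyatta resolves a service name such as openvpn through /etc/services to 1194, so a rule written with the name does not open 11994. As an added example (Python, not code from the article or from Vyatta), the script below parses the server lines from this guide together with a constructed minimal client profile and reports any port or protocol disagreement; SERVER_AS_PUBLISHED carries the rule with the service name, SERVER_FIXED the numeric port. SERVICE_PORTS is an assumed subset of /etc/services, and the parser covers only the set paths used on this page.

```python
"""Cross-check a Vyatta OpenVPN listener, its firewall rule and the client
profile for port/protocol agreement.  Added example, not code from the article
or from Vyatta: it parses only the 'set' paths used on this page, and
SERVICE_PORTS is an assumed subset of /etc/services."""

# Names used in 'destination port' resolve through /etc/services.
SERVICE_PORTS = {"openvpn": 1194, "https": 443, "ssh": 22}

# Listener and firewall lines from the article, rule as first published:
# 'destination port openvpn' is 1194, not the 11994 given as local-port.
SERVER_AS_PUBLISHED = """
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 local-port 11994
set interfaces openvpn vtun0 protocol tcp-passive
set firewall name wan-local rule 40 action accept
set firewall name wan-local rule 40 destination port openvpn
set firewall name wan-local rule 40 protocol tcp
"""
SERVER_FIXED = SERVER_AS_PUBLISHED.replace("port openvpn", "port 11994")
# Constructed minimal client profile around the article's remote line.
CLIENT = "client\ndev tun\nproto tcp\nremote 184.108.40.206 11994\n"


def parse_set(text):
    """Each 'set a b c' line becomes its path tokens ['a', 'b', 'c']."""
    return [ln.split()[1:] for ln in text.splitlines() if ln.strip().startswith("set ")]


def l4(proto):
    """Collapse tcp/tcp-passive/tcp-client spellings to tcp or udp."""
    return "tcp" if proto.startswith("tcp") else "udp"


def server_listener(cmds, iface="vtun0"):
    """Port and transport the daemon binds; OpenVPN defaults are 1194/udp."""
    port, proto = 1194, "udp"
    for c in cmds:
        if c[:3] != ["interfaces", "openvpn", iface] or len(c) < 5:
            continue
        if c[3] == "local-port":
            port = int(c[4])
        elif c[3] == "protocol":
            proto = c[4]
    return port, l4(proto)


def port_matches(spec, port):
    """Vyatta port spec: number, service name, range or comma list of those.
    Negated (!) items are not modelled and simply never match."""
    for item in spec.split(","):
        if item.isdigit() and int(item) == port:
            return True
        if SERVICE_PORTS.get(item) == port:
            return True
        lo, _, hi = item.partition("-")
        if lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi):
            return True
    return False


def first_match(cmds, ruleset, port, proto):
    """(number, action) of the first rule in the set matching proto/port, in
    numeric order as the firewall evaluates them; no match falls through to
    the set's default, which is drop unless default-action was changed."""
    rules = {}
    for c in cmds:
        if c[:4] != ["firewall", "name", ruleset, "rule"] or len(c) < 7:
            continue
        r = rules.setdefault(c[4], {})
        if c[5] in ("action", "protocol"):
            r[c[5]] = c[6]
        elif c[5:7] == ["destination", "port"] and len(c) > 7:
            r["port"] = c[7]
    for num in sorted(rules, key=int):
        r = rules[num]
        if r.get("protocol", "all") in (proto, "tcp_udp", "all") and (
                "port" not in r or port_matches(r["port"], port)):
            return num, r.get("action", "drop")
    return None, "default-drop"


def client_target(ovpn):
    """Host, port and transport the client dials ('remote' may carry all three)."""
    host, port, proto = None, 1194, "udp"
    for ln in ovpn.splitlines():
        parts = ln.split()
        if not parts or parts[0][0] in "#;":
            continue
        if parts[0] == "proto":
            proto = parts[1]
        elif parts[0] == "remote":
            host = parts[1]
            port = int(parts[2]) if len(parts) > 2 else port
            proto = parts[3] if len(parts) > 3 else proto
    return host, port, l4(proto)


def check(server_cfg, client_cfg, ruleset="wan-local"):
    """Return human-readable findings; an empty list means everything lines up."""
    cmds = parse_set(server_cfg)
    s_port, s_proto = server_listener(cmds)
    _host, c_port, c_proto = client_target(client_cfg)
    findings = []
    if (c_port, c_proto) != (s_port, s_proto):
        findings.append(f"client dials {c_proto}/{c_port} but the server "
                        f"listens on {s_proto}/{s_port}")
    num, action = first_match(cmds, ruleset, s_port, s_proto)
    if action != "accept":
        findings.append(f"firewall {ruleset} does not accept {s_proto}/{s_port} "
                        f"(first matching rule: {num}, action: {action})")
    return findings
```

Running check(SERVER_AS_PUBLISHED, CLIENT) reports that wan-local never accepts tcp/11994, while check(SERVER_FIXED, CLIENT) returns no findings; feeding it the output of show configuration commands plus the real .ovpn is the quickest way to confirm a new listener before handing profiles to users.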
Install an OpenVPN client for your platform (Windows or OS X) as directed by its installer, then simply open the .ovpn file you downloaded earlier via scp with that program and it will connect. If you are on OS X, the default firewall will block ping requests from your Vyatta and a few other things. For my personal use, I used Murus Lite and loaded the Murus Predefined Configuration to make it work correctly. Windows may need the Windows firewall adjusted to allow traffic to pass on TCP 11994 as well.
Congratulations! You now have a working OpenVPN setup connecting you to your SoftLayer environment. You can test it by pinging one of the servers behind your Vyatta on the private network.
If you need to create more than one client key, repeat the client steps with a new name (from /config/easy-rsa, with the vars file loaded):
./build-key newclient
cd keys
mkdir newclient
cp newclient.crt newclient.key newclient/
cp ca.crt newclient/
Then run the same scp command from earlier (with the path changed to newclient) and you're set. Give every user their own certificate rather than sharing one: OpenVPN refuses a second simultaneous connection with a certificate already in use unless duplicate-cn is set, and a per-user certificate is what lets you cut off one user later (./revoke-full newclient in easy-rsa, then point the server at the resulting crl.pem with the tls crl-file setting) without reissuing everyone's keys.
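The client directory assembled earlier for myname, and again here for each additional client, holds three files the user must keep together and protect. As an added example (Python, not code from the article), the script below packages such a directory into a single .ovpn profile with the certificates inline, which is what the Windows and OS X clients handle most comfortably. It assumes the layout from this guide (ca.crt, <name>.crt and <name>.key in a directory named after the client) and the remote address and port from the server configuration; the PEM text in demo() is a constructed stand-in, not a real key or certificate, and the remote-cert-tls server line is an addition that is not in the guide's own config.

```python
"""Package an easy-rsa client (ca.crt, <name>.crt, <name>.key) into one .ovpn
with the certificates inline, so a Windows or OS X client needs a single file.
Added example, not code from the article: the directory layout, remote address
and port follow the article; the PEM material in demo() is a constructed
stand-in, not a real key or certificate."""
import os
import re
import stat
import tempfile

# One PEM block.  easy-rsa 2 .crt files carry a readable text dump in front of
# the BEGIN line, which OpenVPN's inline <cert> does not want, so it is cut off.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.+?\n-----END \1-----", re.S)


def read_pem(path, kinds):
    """Return the single PEM block in path, refusing a file of the wrong kind
    (e.g. a key handed in as a certificate) or one holding several blocks."""
    with open(path) as f:
        blocks = list(PEM_BLOCK.finditer(f.read()))
    if len(blocks) != 1 or blocks[0].group(1) not in kinds:
        raise ValueError(f"{path}: expected exactly one {'/'.join(sorted(kinds))} block")
    return blocks[0].group(0)


def build_profile(client_dir, name, remote_host, remote_port):
    """Assemble the profile text for one client directory laid out as in the guide."""
    ca = read_pem(os.path.join(client_dir, "ca.crt"), {"CERTIFICATE"})
    cert = read_pem(os.path.join(client_dir, f"{name}.crt"), {"CERTIFICATE"})
    key = read_pem(os.path.join(client_dir, f"{name}.key"),
                   {"PRIVATE KEY", "RSA PRIVATE KEY"})
    if cert == ca:
        raise ValueError("client certificate is the CA certificate itself")
    lines = [
        "client",
        "dev tun",
        "proto tcp",                       # server side is protocol tcp-passive
        f"remote {remote_host} {remote_port}",
        "remote-cert-tls server",          # peer must present a server-role cert
        "verb 3",
        "<ca>", ca, "</ca>",
        "<cert>", cert, "</cert>",
        "<key>", key, "</key>",
    ]
    return "\n".join(lines) + "\n"


def write_profile(client_dir, name, remote_host, remote_port):
    """Write <name>.ovpn next to the keys, owner-readable only (it holds the key)."""
    path = os.path.join(client_dir, f"{name}.ovpn")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(build_profile(client_dir, name, remote_host, remote_port))
    os.chmod(path, 0o600)   # in case the file already existed with a wider mode
    return path


def demo():
    """Build a profile from constructed stand-in PEM files in a temp directory.
    Returns the profile text, its file mode, and whether a key file offered as
    a certificate was rejected."""
    d = tempfile.mkdtemp()

    def pem(kind, body):
        return f"-----BEGIN {kind}-----\n{body}\n-----END {kind}-----\n"

    files = {
        "ca.crt": pem("CERTIFICATE", "CA-CERT-STAND-IN"),
        "myname.crt": "Certificate:\n    Data: (easy-rsa text dump)\n"
                      + pem("CERTIFICATE", "CLIENT-CERT-STAND-IN"),
        "myname.key": pem("PRIVATE KEY", "CLIENT-KEY-STAND-IN"),
    }
    for fn, body in files.items():
        with open(os.path.join(d, fn), "w") as f:
            f.write(body)
    path = write_profile(d, "myname", "184.108.40.206", 11994)
    with open(path) as f:
        text = f.read()
    try:
        read_pem(os.path.join(d, "myname.key"), {"CERTIFICATE"})
        rejected = False
    except ValueError:
        rejected = True
    return text, stat.S_IMODE(os.stat(path).st_mode), rejected
```

Call write_profile on the directory you copied down with scp; OpenVPN treats the inline <ca>, <cert> and <key> blocks exactly like the ca, cert and key directives. remote-cert-tls server relies on the server certificate carrying the server extended key usage, which easy-rsa's build-key-server sets, so a client certificate from the same CA cannot be used to stand up a fake server.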