While security groups are a good measure for locking down access to your network through firewall rules, in many cases it is necessary to configure a VPN between your Cloud-A Virtual Private Network and your office / individual computer. This can reduce the number of internet accessible resources and encrypt all of your traffic between sites.
We’re going to launch an Ubuntu 14.04 server and, using Cloud-Init, pre-configure it with the required packages to run your own VPN server. We’ll set up your VPC Firewall in a way to allow VPN traffic into your private network, and establish a connection from your VPN client.
Cloud-init enables you to leverage OpenStack’s metadata service to send instructions to your instance that will be executed upon launching. In this post, we’re going to leverage this functionality to have cloud-init install and configure our VPN for us on first boot. Here is what the final instruction set will look like:
- content: |
myvpnuser pptpd mypassword *
- content: |
net.ipv4.ip_forward = 1
- content: |
- [ 'iptables', '-t', 'nat', '-A', 'POSTROUTING', '-o', 'eth0', '-j', 'MASQUERADE' ]
- [ 'iptables-save' ]
- [ 'sysctl', '-p', '/etc/sysctl.d/98-ip-forward.conf' ]
The Cloud-Init configuration is driven through the cloud-config YAML file, which is marked by “#cloud-config” being the first line. There is a large section of examples in the Cloud-Init documentation. We’re going to walk through the different sections one at a time, explaining what each does and why it’s required to automate the deployment of your VPN server.
The first section “packages” will tell cloud-init what to pre-install for us. In this case, we’re going to use PPTP for our VPN connection, which
pptpd will handle.
Next, in the
write_files section, we’re providing configuration files that are required for our VPN to work. You should to change
mypassword to reflect the login credentials that you would like your VPN client(s) to use.
Also, we are creating a virtual network to be used for the VPN service. This is done via the
remoteip options in
/etc/pptpd.conf. Make sure that these values don’t overlap with your office / home network. Using obscure values like
192.168.183.x instead of
192.168.0.x may be a good idea.
runcmd is a list of commands that cloud-init will run late in the booting process. For our VPN, we need a simple iptables NAT rule and we need to enable IP forwarding in the Linux kernel, as it will be forwarding your traffic to your Cloud-A network.
Launching our Instance
The launch process is identical to launching a regular instance, with one final step at the end. So, we’re going to run through it quickly.
In our example, we’re going to create a new Ubuntu 14.04 server. Before launching, we’re going to go to the Cloud-Init tab and paste the instruction set that you’ve customized with your own values into the textbox. It will perform validation to ensure your formatting is still valid YAML when you create your VPN server.
At this point, we’re good to launch our instance! Once it has started, we need to allow PPTP traffic to pass through to the instance. There is a single TCP port (1723) that needs to be opened. In this example, we’re going to create a separate security group called ‘PPTP‘.
Next up, we just need to add the security group to our instance and associate a Public IP address. Check the docs for more info on creating and assigning Security Groups.
Connecting to your VPN
Configuring the client is relatively simple, especially if we wish to route all traffic through our VPN connection. However, we’re going to configure our client in “split-tunnel mode“. This means that only traffic that is local to the VPN network (IE your Cloud-A instances) will be routed over the PPTP connection, while all other traffic will route as usual.
Open your Network Preferences and click on the “+” button under the list of network connections. This will bring up a dialog box which allows you to create a new network connection. Here, we’re going to want to select PPTP VPN and give our new connection a name.
Now we simply need to fill in our Public IP address and our username, click ‘Connect’, apply your changes, and enter your password. You’re now connected to your VPN server!
Next, we’re going to configure split tunneling. Apple doesn’t provide a pretty UI to do this, so we’re going to have to open terminal to do so, running:
sudo route add -net 10.0.0.0/24 -interface ppp0
As you can see from your terminal, we’re adding a route to your Cloud-A network (10.0.0.0/24 by default) via the PPTP connection (ppp0). The
traceroute tests routing to the Cloud-A virtual router. NOTE: On OSX, the
sudo route add... command must be run every time we restart our machine. Otherwise, we will not have split routing into our remote Cloud-A network.
If you want to run office-to-cloud VPN, you’ll need to configure static PPTP on your internal network’s router. This way, you’re always connected to your Cloud-A VMs while you are in the office, and can act as if they’re on your local network. If you are running a router with DDWRT installed, there are some instructions here to get you started.
And there we have it! You have now securely connected into your virtual Cloud-A network. If you have any questions, or require assistance with anything VPN, drop us a message at firstname.lastname@example.org.