Modern businesses are starting to move to the cloud. Many IT leaders want to move to the cloud in increments: while they keep the servers they are currently running on-site, they also want to build new ones in the cloud. One aspect of setting up such a configuration is network connectivity. How are users going to access the systems without needing to know they are in the cloud? Systems should behave for the users as if they were on-site.
How to create a site-to-site tunnel virtual private network (VPN)
There are many different firewall/VPN solutions (physical appliances, virtual appliances, software installs). For your on-site firewall you may have a commercial appliance, or you may have built your own using software. Since there are so many solutions out there, I’m going to highlight one solution to keep this blog simple. The steps for setting up your site-to-site tunnel are going to be similar no matter which solution you choose. For the cloud side of the tunnel we will need a virtual appliance or a software install.
In the cloud, I’m going to use OPNsense. It’s an open-source firewall with VPN capabilities. There are others, like pfSense and IPFire. Commercial options are also available, such as Cisco vASA.
Setting up our cloud networks
In ORock Cloud we need to set up two networks to create the VPN tunnel: a virtual external network and a virtual internal network. The virtual external network is the network OpenStack forwards external (floating) IP addresses to. The virtual internal network is our private network and the landing point for our compute instances. The end goal is to have the on-site private network talking to the virtual internal network. We will use IPv4 addresses for the setup.
Virtual external network
We will use 10.254.254.0/24 for the virtual external network.
1. From the ORock console, click ‘Networks’ -> ‘Networks’.
2. Click the button ‘+ Create Network’.
3. Network Name: ‘vpn-external’. Leave everything else the default.
4. Click Next.
5. Subnet Name: ‘vpn-external-sub’
6. Network Address: ‘10.254.254.0/24’
7. Click ‘Next’ at the bottom of the window.
8. Allocation Pools: can be left blank. By default, OpenStack will use the entire range minus the first IP address (reserved for a router).
9. DNS Name Server: (We are going to use some public ones. You can use your corporate name servers if you like. OPNsense itself uses these name servers, for example to fetch its updates.)
a. 1.1.1.1
b. 1.0.0.1
10. Click ‘Create’ button.
Virtual internal network
We will use 192.168.254.0/24 for the virtual internal network. Use a network that is not currently in use in your corporate environment, so that traffic can be routed to it.
1. From the ORock console, click ‘Networks’ -> ‘Networks’.
2. Click the button ‘+ Create Network’.
3. Network Name: ‘vpn-internal’. Leave everything else the default.
4. Click Next.
5. Subnet Name: ‘vpn-internal-sub’
6. Network Address: ‘192.168.254.0/24’
7. Click ‘Next’ at the bottom of the window.
8. Allocation Pools: can be left blank. By default, OpenStack will use the entire range minus the first IP address (reserved for a router).
9. DNS Name Server: (We are going to use some public ones. You should use your corporate internal name servers for name resolution on the compute instances.)
a. 1.1.1.1
b. 1.0.0.1
10. Click ‘Create’ button.
Create router
We are going to create a router to route external traffic to our vpn-external network. The router is needed to attach an internet-accessible address to our OPNsense firewall/VPN.
1. From the ORock console, click ‘Networks’ -> ‘Routers’.
2. Click the button ‘+ Create Router’.
3. Router Name: ‘OPNsense’
4. External Network: select ‘external-floating-ips’ from the drop down.
5. Click ‘Create Router’ button.
6. Click on the router name ‘OPNsense’.
7. Click on the ‘Interfaces’ tab.
8. Click on the ‘+ Add interface’ button.
9. Subnet: ‘vpn-external-sub’ from the drop down.
10. Click on the ‘Submit’ button.
Create ports for the Firewall/VPN instance
We need to create some special ports for our OPNsense firewall/VPN. OpenStack has port security enabled by default. With port security enabled, OpenStack checks the IP addresses of the traffic on a port against the addresses it has recorded for that port in its database and drops anything that does not match. Since our firewall is going to be routing traffic for other addresses, we need to do one of two things: turn port security off, or tell OpenStack that the compute addresses on the internal network are allowed on the port. We are going to turn port security off. After all, it is a firewall, and we can control the IP addresses in the firewall itself.
1. From the ORock console, click ‘Networks’ -> ‘Networks’.
2. Click on the network name ‘vpn-external’.
3. Click on the tab ‘Ports’.
4. Click on ‘+ Create Port’.
5. Leave everything at the default except the following:
a. ‘Specify IP address or subnet’: select ‘Fixed IP Address’
b. ‘Fixed IP Address’: 10.254.254.254 (We will use this address in OPNsense)
c. Uncheck ‘Port Security’
6. Click ‘Create’ button.
7. Click ‘Networks’->’Networks’.
8. Click on the network name ‘vpn-internal’.
9. Click on the tab ‘Ports’.
10. Click on ‘+ Create Port’.
11. Leave everything at the default except the following:
a. ‘Specify IP address or subnet’: select ‘Fixed IP Address’
b. ‘Fixed IP Address’: 192.168.254.1 (We will use this address in OPNsense)
c. Uncheck ‘Port Security’
12. Click ‘Create’ button.
Create the OPNsense instance
We need to upload an OPNsense image to the cloud and then create our instance from it. We will handle the security of the VPN in the firewall itself instead of relying on OpenStack’s security groups.
1. Download OPNsense.
a. Go to: https://opnsense.org/download/
b. Choose ‘amd64’ for the system architecture.
c. Choose ‘nano’ as the image type. We want ‘nano’ because it will automatically expand to fill the volume we create.
d. Select a Mirror near you.
e. Click the ‘Download’ button.
f. Extract the img file from the downloaded archive. On Windows I use 7-Zip to extract it.
2. Upload the image file to ORock.
a. From the ORock console, click ‘Compute->Images’.
b. Click ‘+ Create Image’
c. Image Name: ‘OPNsense’
d. Image Source: ‘File’
e. File: <browse to the extracted file>
f. Format: ‘Raw’
g. Visibility: ‘Private’
h. All others are the default settings.
i. Click ‘Create Image’ button.
3. Create a security group for our OPNsense instance.
a. From the ORock console, click ‘Network->Security Groups’.
b. Click ‘+ Create Security Group’.
c. Name: OPNsense
d. Click ‘Create Security Group’
e. Click ‘+ Add Rule’
f. Rule: ‘All ICMP’
g. Click ‘Add’ button.
h. Repeat for ‘All TCP’ and ‘All UDP’
4. Create the OPNsense instance.
a. From the ORock console, click ‘Compute->Instances’.
b. Click the ‘Launch Instance’ button.
c. Instance Name: OPNsense
d. Click ‘Next’ button.
e. Select Boot Source: ‘Image’
f. Volume Size (GB): 10
g. Find the OPNsense image in the ‘Available’ list and click the up-arrow button to the right of it.
h. Click ‘Next’ at the bottom of the window.
i. Click the up-arrow to the right of t1.medium. You may want a larger flavor if you plan on running a lot of traffic. This is the minimum for OPNsense.
j. Click ‘Next’ at the bottom of the window.
k. Click ‘Next’ at the bottom of the window. We will skip setting up the networks because we are going to use the ports we created.
l. Add the two ports in the ‘Available’ list by clicking the up-arrow.
m. Click ‘Next’ at the bottom of the window.
n. Click the down-arrow to the right of ‘Default’.
o. Click the up-arrow to the right of ‘OPNsense’.
p. Click ‘Launch Instance’ at the bottom of the window.
5. OPNsense basic configuration. We set this up from the instance console.
a. From the ORock console, click ‘Compute->Instances’.
b. Click on ‘OPNsense’.
c. Click on ‘Interfaces’ tab.
d. Make a note of the MAC addresses. You will need to know which address is for the external and internal networks.
e. Click on the ‘Console’ tab.
f. You will need to log on to the console.
i. Login: root
ii. Password: opnsense
g. Type ‘1 (enter)’ to set the interfaces.
h. Type ‘(enter)’ to skip setting up VLANs. We will not use them.
i. Look at the listed interfaces. Find the interface whose MAC address matches the external port and type its name. For me it is ‘vtnet0 (enter)’.
j. The other interface should be the LAN. For me I typed ‘vtnet1 (enter)’
k. Type ‘(enter)’ as we don’t have any other interfaces.
l. Type ‘y (enter)’.
m. Type ‘2 (enter)’. We need to assign a static IP address to the LAN interface.
n. Type ‘1 (enter)’. We are going to work on the LAN interface.
o. Type ‘(enter)’. We don’t want to use DHCP.
p. Type ‘192.168.254.1 (enter)’.
q. Type ‘24 (enter)’.
r. Type ‘(enter)’. We don’t want an upstream gateway as we will be the gateway.
s. Type ‘(enter)’. OPNsense will figure out IPv6 for us from the WAN.
t. Type ‘(enter)’. We do not want to setup DHCP. We will let OpenStack take care of that for us.
u. If you want to keep HTTPS, type ‘(enter)’. If you want to change to HTTP, type ‘y (enter)’. This depends on your certificate needs; OPNsense will create a self-signed certificate. I type ‘(enter)’.
v. Type ‘y (enter)’. I want a new certificate.
w. Type ‘y (enter)’. I want to reset the GUI defaults.
6. Associate a floating IP to the external connection
a. From the ORock console, click ‘Compute->Instances’.
b. To the right of ‘OPNsense’ you will find a drop-down. Click on the down-arrow, then on ‘Associate Floating IP’.
c. IP Address: Click on the down-arrow. If the list is empty, click on the ‘+’ button and follow the instructions to create one. Select an IP and note it down for later.
The OPNsense basic setup is now done.
Create an instance to finish the configuration of OPNsense
We need to set up an instance with a web browser to finish the configuration of OPNsense.
1. Create a Windows instance.
a. From the ORock console, click ‘Compute->Instances’.
b. Click the ‘Launch Instance’ button.
c. Instance Name: Windows
d. Click ‘Next’ button.
e. Select Boot Source: ‘Image’
f. Volume Size (GB): 150
g. Find a Windows image in the ‘Available’ list and click the up-arrow button to the right of it. (Or any image that has a web browser.)
h. Click ‘Next’ at the bottom of the window.
i. Click the up-arrow to the right of t1.medium. Once we have configured OPNsense we can remove this instance.
j. Click ‘Next’ at the bottom of the window.
k. Click the up-arrow to the right of ‘vpn-internal’.
l. Click ‘Next’ at the bottom of the window.
m. Click ‘Next’ at the bottom of the window. We don’t need to add any ports.
n. Click the down-arrow to the right of ‘Default’.
o. Click the up-arrow to the right of ‘OPNsense’.
p. Click ‘Launch Instance’ at the bottom of the window.
q. Wait for the instance to start.
r. Click on ‘Windows’.
s. Click on the ‘Console’ tab.
t. Follow the Windows instructions, until you get to the Windows desktop.
u. Open a web browser. Finish any setup that is needed there.
v. Go to https://192.168.254.1/ (or http://192.168.254.1 if you changed to the HTTP protocol). If using HTTPS, you will see a warning because OPNsense is using a self-signed certificate. Take the steps your browser requires to proceed to the site.
w. Log on to OPNsense
i. User: root
ii. Password: opnsense
x. Follow the steps in the “System: Wizard: General Setup” that comes up. Change what you would like; nothing needs to be changed for this setup.
At this point, you should have internet access on the Windows instance. You can add or remove firewall rules as you see fit. However, you may want to confirm first that you can create the site-to-site tunnel and pass traffic through it.
Setup IPsec VPN
We need to have a unique LAN subnet for each side of our connection. In the ORock Cloud, we are using 192.168.254.0/24. On the other side, I am going to use 192.168.0.1/24.
Since we are using a private IP range on the external side of ORock, we will need to make a change to the firewall. This requires us to disable the default block rule on the WAN so that private traffic is allowed. To do so, go to Interfaces ‣ [WAN] and uncheck “Block private networks”. (Don’t forget to save and apply.)
We are going to use two OPNsense boxes for our site-to-site tunnel.
Firewall Rules on both sites – part 1
To allow IPsec tunnel connections, we need to add firewall rules on both sites. Do this on both firewalls.
• Protocol ESP
• UDP Traffic on Port 500 (ISAKMP)
• UDP Traffic on Port 4500 (NAT-T)
In the OPNsense GUI
1. Firewall -> Rules -> [WAN]
a. Click the orange ‘+’ button in the top right.
b. Change the following:
i. Protocol: ESP
ii. Destination: WAN Address
c. Click ‘Save’ button.
d. Click the orange ‘+’ button in the top right.
e. Change the following:
i. Protocol: UDP
ii. Destination: WAN Address
iii. Destination port range:
1. From: ISAKMP
2. To: ISAKMP
f. Click ‘Save’ button.
g. Click the orange ‘+’ button in the top right.
h. Change the following:
i. Protocol: UDP
ii. Destination: WAN Address
iii. Destination port range:
1. From: IPsec NAT-T
2. To: IPsec NAT-T
i. Click ‘Save’ button.
2. Click ‘Apply Changes’ button.
Note: you can further restrict these rules by limiting the source to the IP address of the other site’s firewall.
ORock site – Phase 1
In the OPNsense GUI
1. VPN -> IPsec -> Tunnel Settings
a. Check ‘Enable IPsec’.
b. Click ‘Save’ button.
c. Click the orange ‘+’ button in the top right.
d. Change the following:
i. General information:
1. Remote gateway: <IP address of the on-site WAN>
ii. Phase 1 proposal (Authentication)
1. Pre-Shared Key: <create your own key>
2. My identifier:
a. IP address
b. <floating IP address> (We have to change the identifier to the external floating IP address, because that is the address the on-site OPNsense sees as the peer and therefore expects as its identity; by default OPNsense would present its private WAN address.)
iii. Advanced Options:
1. NAT Traversal: Disabled
e. Click ‘Save’ button.
ORock site – Phase 2
In the OPNsense GUI
1. Click the orange ‘+’ to the right of the newly created line. Hovering over the button should show ‘add phase 2 entry’.
a. Change the following:
i. Remote Network:
1. Address: 192.168.0.0 / 24 (select the prefix length from the drop-down)
b. Click ‘Save’ button at the bottom.
2. Click ‘Apply Changes’ button.
On-site – Phase 1
In the OPNsense GUI
1. VPN -> IPsec -> Tunnel Settings
a. Check ‘Enable IPsec’.
b. Click ‘Save’ button.
c. Click the orange ‘+’ button in the top right.
d. Change the following:
i. General information:
1. Remote gateway: <IP address of the ORock floating IP>
ii. Phase 1 proposal (Authentication)
1. Pre-Shared Key: <create your own key>
iii. Advanced Options:
1. NAT Traversal: Disabled
e. Click ‘Save’ button.
On-site – Phase 2
In the OPNsense GUI
1. Click the orange ‘+’ to the right of the newly created line. Hovering over the button should show ‘add phase 2 entry’.
a. Change the following:
i. Remote Network:
1. Address: 192.168.254.0 / 24 (select the prefix length from the drop-down)
b. Click ‘Save’ button at the bottom.
2. Click ‘Apply Changes’ button.
Firewall Rules on both sites – part 2
To allow traffic to pass to your LAN subnet, you need to add a rule on the IPsec interface.
1. Firewall -> Rules -> IPsec
a. Click the orange ‘+’ button in the top right.
b. Change the following:
i. Destination: LAN net
c. Click ‘Save’ button at the bottom.
2. Click ‘Apply Changes’ button.
IPsec Tunnel Ready
The tunnel should now be up and routing traffic between the two networks.
1. VPN -> IPsec -> Status Overview.
a. Click the ‘i’ icon to see the details.
If you are having issues, check the log files.
You should now have a site-to-site VPN set up. There are many settings and rules that can be added to lock down the firewall, create other types of VPN, tune IPsec settings, etc. This is just the starting point for a site-to-site VPN.
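Before reading the logs, it is worth checking that the two sides were actually given mirror-image settings: a unique LAN subnet per side, each side’s Phase 2 remote network equal to the other side’s LAN, each remote gateway equal to the other side’s reachable address, and the floating IP as identifier on the ORock side. The following is an added example, not code from this post, ORock or OPNsense; the Site model is my own, and the two public addresses (203.0.113.10 and 198.51.100.20) are constructed placeholders for the floating IP and the on-site WAN address, which the post does not list.

```python
"""Consistency checks for the two-OPNsense site-to-site design in this post.

Added example, not code from the post, ORock or OPNsense. The Site fields are
my own model of the Phase 1 / Phase 2 values; the public addresses below
(203.0.113.10 and 198.51.100.20) are constructed placeholders, since the post
does not list the real floating IP or the on-site WAN address.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Site:
    name: str
    lan: str             # our LAN subnet (Phase 2 local network)
    wan_address: str     # address on our WAN interface
    public_address: str  # address the peer reaches us on (the floating IP on ORock)
    remote_gateway: str  # Phase 1 "Remote gateway"
    my_identifier: str   # Phase 1 "My identifier" (type: IP address)
    phase2_remote: str   # Phase 2 "Remote Network"


def check_pair(a: Site, b: Site) -> list:
    """Return findings for the pair; an empty list means both sides mirror each other."""
    findings = []
    # strict=False accepts the post's 192.168.0.1/24 notation and normalises it
    lan_a, lan_b = ip_network(a.lan, strict=False), ip_network(b.lan, strict=False)
    if lan_a.overlaps(lan_b):  # the post requires a unique LAN subnet per side
        findings.append(f"LAN subnets overlap: {lan_a} and {lan_b}")
    for me, peer in ((a, b), (b, a)):
        if ip_network(me.phase2_remote, strict=False) != ip_network(peer.lan, strict=False):
            findings.append(f"{me.name}: Phase 2 remote {me.phase2_remote} "
                            f"is not {peer.name}'s LAN {peer.lan}")
        if ip_address(me.remote_gateway) != ip_address(peer.public_address):
            findings.append(f"{me.name}: remote gateway {me.remote_gateway} "
                            f"is not {peer.name}'s public address {peer.public_address}")
        # Behind a 1:1 NAT (OpenStack floating IP) the WAN and public addresses
        # differ; IKE then has to present the public address as the identity.
        wan, public = ip_address(me.wan_address), ip_address(me.public_address)
        if wan != public and ip_address(me.my_identifier) != public:
            findings.append(f"{me.name}: my identifier {me.my_identifier} "
                            f"must be the public address {public}")
    return findings


# The post's addresses, plus the constructed placeholder public addresses.
CLOUD = Site("ORock", "192.168.254.0/24", "10.254.254.254", "203.0.113.10",
             "198.51.100.20", "203.0.113.10", "192.168.0.0/24")
ONSITE = Site("on-site", "192.168.0.1/24", "198.51.100.20", "198.51.100.20",
              "203.0.113.10", "198.51.100.20", "192.168.254.0/24")
```

Running check_pair(CLOUD, ONSITE) on the post’s values returns no findings; leaving the ORock identifier at 10.254.254.254 or choosing an overlapping on-site subnet produces a finding naming the side and the field to fix.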
Dwane Pottratz
Senior Solutions Architect, ORock Technologies