VPNs are in common usage these days, and it’s no surprise given the various security threats that are out there. Sometimes you want one to connect to your company’s network securely; other times you may want to connect through a proxy network in order to anonymize your location. With the advent of cloud infrastructure, many of our customers want to connect securely to their cloud infrastructure and potentially keep many of their cloud servers on private IPs only, without exposing them through public IP addresses.
In general, there are many situations where you want to use a VPN, so in this post I outline how to quickly and easily get a VPN up and running to secure your cloud infrastructure.
In this tutorial, you will learn how to connect your CloudSigma network to your own VPN network. This will make your servers available as if they were part of the home network you are connecting from.
The prerequisites are:
- CentOS 7.
- An internal network (LAN) at CloudSigma, with other servers connected to it.
- Your own LAN.
Networks:
- Remote private LAN: 192.168.0.0/24
- Remote VPN server: 192.168.0.20
- Your own LAN: 192.168.1.0/24
- Local VPN server: 192.168.1.10
So, let’s start:
```bash
# setup libreswan
## install
yum -y install libreswan
## init
ipsec initnss
## start and enable
systemctl enable ipsec
systemctl start ipsec
## firewall
firewall-cmd --permanent --add-port=500/udp --add-port=4500/udp
firewall-cmd --permanent --add-rich-rule='rule protocol value=esp accept'
firewall-cmd --permanent --add-rich-rule='rule protocol value=ah accept'
firewall-cmd --reload

# site-to-site (run on both servers)
## keys
ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/www.example.com.secrets
ipsec showhostkey --left   # on local
ipsec showhostkey --right  # on remote

## create /etc/ipsec.d/mysite.conf
## please, replace leftrsasigkey and rightrsasigkey accordingly
cat << 'EOF' > /etc/ipsec.d/mysite.conf
conn mysite
    leftid=@centos-docker-libreswan1.tbc.cloudsigma.com
    leftrsasigkey=your-left-key
    left=192.168.0.20
    leftsourceip=192.168.0.20
    leftsubnet=192.168.0.0/24
    rightid=@centos-docker-libreswan2.tbc.cloudsigma.com
    rightrsasigkey=your-right-key
    right=192.168.1.10
    rightsourceip=192.168.1.10
    rightsubnet=192.168.1.0/24
    authby=rsasig
    auto=start
EOF

## restart
systemctl restart ipsec
## add
ipsec auto --add mysite
ipsec auto --up mysite

# verify
ping -c 3 192.168.0.20
ping -c 3 192.168.1.10
```
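The conn stanza above, rendered and sanity-checked from the HowTo's addressing, as an added example in Python that is not part of the original post: it refuses to emit a configuration in which a server address sits outside its own subnet or the two LANs overlap, the two addressing mistakes that make the final ping test fail. The hostnames, key placeholders and addresses are the ones from the stanza above; the helper and function names are my own.

```python
import ipaddress

# Addressing from the HowTo above (constructed example; replace the key
# placeholders with the output of `ipsec showhostkey --left/--right`).
LEFT = {"id": "@centos-docker-libreswan1.tbc.cloudsigma.com",
        "key": "your-left-key", "ip": "192.168.0.20", "subnet": "192.168.0.0/24"}
RIGHT = {"id": "@centos-docker-libreswan2.tbc.cloudsigma.com",
         "key": "your-right-key", "ip": "192.168.1.10", "subnet": "192.168.1.0/24"}


def site_problems(side, peer):
    """Return human-readable problems that would stop leftsubnet/rightsubnet
    routing from working for one end of the tunnel."""
    problems = []
    try:
        net = ipaddress.ip_network(side["subnet"], strict=True)
    except ValueError as exc:          # host bits set, e.g. 192.168.0.1/24
        return [f"{side['subnet']}: not a network address ({exc})"]
    addr = ipaddress.ip_address(side["ip"])
    if addr not in net:
        problems.append(f"{addr} is not inside {net}")
    peer_net = ipaddress.ip_network(peer["subnet"], strict=False)
    if net.overlaps(peer_net):
        problems.append(f"{net} overlaps the peer LAN {peer_net}; "
                        "pings would never enter the tunnel")
    return problems


def render_conn(name, left, right):
    """Render the conn stanza the HowTo writes to /etc/ipsec.d/<name>.conf,
    refusing to emit a configuration whose addressing cannot work."""
    problems = site_problems(left, right) + site_problems(right, left)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [f"conn {name}"]
    for tag, side in (("left", left), ("right", right)):
        lines += [f"    {tag}id={side['id']}",
                  f"    {tag}rsasigkey={side['key']}",
                  f"    {tag}={side['ip']}",
                  f"    {tag}sourceip={side['ip']}",
                  f"    {tag}subnet={side['subnet']}"]
    lines += ["    authby=rsasig", "    auto=start"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_conn("mysite", LEFT, RIGHT))
```

Run it on both servers with the same LEFT/RIGHT values and redirect the output to /etc/ipsec.d/mysite.conf; libreswan picks its own side by matching the left/right addresses.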
An ipsec/libreswan primer
In case you’re not familiar with ipsec/libreswan concepts, here’s a primer:
“Left” and “right” are only labels for the two servers connecting to each other; you can assign them arbitrarily. There is a convention, though: usually the local server is called “left” and, obviously, the remote server is “right”.
All routing will be taken care of by ipsec, so there is no need to worry about it. If a ping doesn’t work, something is wrong with the configuration. Feel free to use:
```bash
ipsec status
```
to get some (admittedly cryptic) output when you run into these kinds of problems. Keep reading it and paying attention; you will eventually understand some of it. 😉
Now, the definitive references are listed below. Read on; you will learn many interesting things about VPN networks and related topics. For example, the LibreSwan wiki contains a ton of setups, including Cisco-specific ones, the “road warrior” setup (watch US Netflix shows), host-to-host setups and many more.
The RHEL manual, one of my favorite sources of information, explains how to set up everything from the start, in a slow and well-explained manner. It is definitely a good read and a great alternative to this HowTo.
References
- https://libreswan.org/wiki/Configuration_examples
- https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_Virtual_Private_Networks.html
- A How-to Guide: Connect VPN Network to CloudSigma Infrastructure - July 15, 2016