VPNs are in common use these days, and that is no surprise given the security threats out there. Sometimes you want one to connect securely to your company’s network; other times you may want to route through a proxy network to anonymize your location. With the advent of cloud infrastructure, many of our customers want to connect securely to their cloud infrastructure and keep many of their cloud servers on private IPs only, without exposing them with public IP addresses.
There are many situations where you want a VPN, so in this post I outline how to quickly and easily get one up and running to secure your cloud infrastructure.
In this tutorial, you will learn how to connect your CloudSigma network to your own network. Your servers at CloudSigma will then be reachable as if they were part of the home network you are accessing them from.
The pre-requisites are:
- CentOS 7.
- An internal network (LAN) at CloudSigma; with other servers connected to it.
- Your own LAN.
- Remote private LAN:
- Remote VPN server:
- Your own LAN:
- Local VPN server:
So, let’s start:
# setup libreswan
yum -y install libreswan
## start and enable
systemctl enable ipsec
systemctl start ipsec
## open IKE (500/udp, plus 4500/udp for NAT traversal) and the ESP/AH protocols, then apply the permanent rules
firewall-cmd --permanent --add-port=500/udp --add-port=4500/udp
firewall-cmd --permanent --add-rich-rule='rule protocol value=esp accept'
firewall-cmd --permanent --add-rich-rule='rule protocol value=ah accept'
firewall-cmd --reload
# site-to-site (run on both servers)
## generate this host's RSA key pair; the private half stays in the .secrets file
ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/www.example.com.secrets
## print the public half in the form the conf expects
ipsec showhostkey --left # on local: prints the leftrsasigkey= line
ipsec showhostkey --right # on remote: prints the rightrsasigkey= line
## create /etc/ipsec.d/mysite.conf
## please, replace leftrsasigkey and rightrsasigkey with the values printed by ipsec showhostkey on each server
cat << 'EOF' > /etc/ipsec.d/mysite.conf
systemctl restart ipsec
ipsec auto --add mysite
ipsec auto --up mysite
ping -c 3 192.168.0.20
ping -c 3 192.168.1.10
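As an added example (not the post's own configuration, and not CloudSigma's code), here is what the conn block in /etc/ipsec.d/mysite.conf looks like for this site-to-site setup, together with a small sanity check to run before restarting ipsec. The hostnames, the remote public address and the two subnets are assumptions chosen for illustration (the subnets are simply the /24s that contain the two ping targets above); the key values are constructed dummies, while real ones are the long leftrsasigkey= / rightrsasigkey= lines printed by ipsec showhostkey.

```shell
#!/bin/sh
# Added example, not code from the original post: render the conn block that
# /etc/ipsec.d/mysite.conf needs and sanity-check the two RSA keys before
# restarting ipsec. Every address, subnet and id below is an assumption chosen
# for illustration (the remote address is from the RFC 5737 documentation range).
LOCAL_ID='@vpn.home.example'          # assumed: leftid of the server on your own LAN
LOCAL_SUBNET='192.168.1.0/24'         # assumed: your own LAN
REMOTE_IP='203.0.113.10'              # assumed: public address of the CloudSigma VPN server
REMOTE_ID='@vpn.cloud.example'        # assumed: rightid of the CloudSigma VPN server
REMOTE_SUBNET='192.168.0.0/24'        # assumed: the private LAN at CloudSigma

# Render the conn definition. $1 and $2 are the leftrsasigkey and rightrsasigkey
# values exactly as printed by "ipsec showhostkey --left" on the local server and
# "ipsec showhostkey --right" on the remote one.
render_mysite_conf() {
    cat <<EOF
conn mysite
    left=%defaultroute
    leftid=$LOCAL_ID
    leftsubnet=$LOCAL_SUBNET
    leftrsasigkey=$1
    right=$REMOTE_IP
    rightid=$REMOTE_ID
    rightsubnet=$REMOTE_SUBNET
    rightrsasigkey=$2
    authby=rsasig
    auto=start
EOF
}

# Pull one key=value out of a rendered conf ($1 = key, $2 = conf text).
conf_value() {
    printf '%s\n' "$2" | sed -n "s/^[[:blank:]]*$1=//p"
}

# Sanity-check a rendered conf. Libreswan prints raw RSA public keys with a
# "0sAQ" prefix, so a value without it is a leftover placeholder; and the two
# peers must never be configured with the same key. Returns 0 when the conf is
# safe to install, 1 otherwise.
check_mysite_conf() {
    conf=$1
    for k in leftrsasigkey rightrsasigkey; do
        case "$(conf_value "$k" "$conf")" in
            0sAQ?*) ;;
            *) echo "$k is not a libreswan public key" >&2; return 1 ;;
        esac
    done
    if [ "$(conf_value leftrsasigkey "$conf")" = "$(conf_value rightrsasigkey "$conf")" ]; then
        echo "leftrsasigkey and rightrsasigkey are identical" >&2
        return 1
    fi
    return 0
}

# Demonstration with constructed dummy keys (real keys are several hundred
# characters long). On a real server the first argument comes from
#   ipsec showhostkey --left | sed -n 's/^[[:blank:]]*leftrsasigkey=//p'
# and the second from the same command with --right on the remote server.
demo=$(render_mysite_conf '0sAQOdummyLocalKey==' '0sAQOdummyRemoteKey==')
if check_mysite_conf "$demo"; then
    printf '%s\n' "$demo"           # on a real server: redirect to /etc/ipsec.d/mysite.conf
fi
```

The same conn block can be installed unchanged on both servers: libreswan works out which end it is by matching the left/right addresses and ids against its own. The check catches the two mistakes that otherwise only show up as a cryptic authentication failure in the logs: a placeholder that was never replaced, and the same public key pasted on both sides.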
An ipsec/libreswan primer
In case you’re not familiar with ipsec/libreswan concepts, here’s a primer:
“Left” and “right” are only labels for the two servers connecting to each other, and you can assign them arbitrarily. Still, there is a convention: the local server is usually called “left”, and “right” is, obviously, the remote server.
Routing is taken care of by ipsec, which installs the routes for the remote subnet when the tunnel comes up, so there is nothing to add by hand. If a ping doesn’t work, something is wrong with the configuration. Feel free to use:
to read the rather cryptic output you get with these kinds of problems. Keep reading it and paying attention; you will, eventually, understand some of it. 😉
The definitive references are listed below; read them and you will learn many interesting things about VPNs and related topics. For example, the LibreSwan wiki contains a ton of setups, including Cisco-specific ones, the “road warrior” setup (watch US Netflix shows), host-to-host setups and many more.
The RHEL manual, one of my favorite sources of information, explains how to set everything up from the start, slowly and thoroughly. It is definitely a good read and a great alternative to this HowTo.
A how-to guide: Connect your network to your CloudSigma infrastructure with a VPN - July 15, 2016