
Pure commitment.

Using OpenVPN for remote access to the cloud

UKC-GEN-135


UKCloud Ltd 2

OVERVIEW

Secure remote access to the cloud is essential to cloud adoption and use. UKCloud Compute-as-a-Service comes with a dedicated vShield Edge Gateway — a simple, easy-to-use solution that supports IPsec site-to-site VPNs and a limited number of remote access client VPNs designed for occasional use.

Customers who require a more flexible and scalable solution can deploy their own choice of virtual appliances (either open source solutions such as OpenVPN or commercial solutions from a supplier such as Cisco, F5 or Palo Alto) instead of using the limited VPN service provided with the vShield Edge Gateway appliance.

This Blueprint describes how to install and configure the OpenVPN virtual appliance on our cloud platform to support client access VPNs. The OpenVPN Access Server appliance is a licensed product: without a license key, you're limited to two concurrent VPN connections only. If you require additional concurrent connections, you'll need to obtain and install a license key.

IN THIS BLUEPRINT

Preparing your virtual data centre 3
Obtaining and deploying the OpenVPN appliance 4
Performing initial and admin configuration 6
Logging in and connecting 9
Securing the appliance 10
For more help 12
About UKCloud 13


Blueprint: Using OpenVPN for remote access to the cloud 3

PREPARING YOUR VIRTUAL DATA CENTRE

The first step is to prepare your virtual data centre (VDC). To secure your environment, we recommend you deploy the OpenVPN appliance onto a new, routed organisation VDC (Org VDC) network to which, ideally, no other virtual machines (VMs) will connect. This will enable you to tightly control access from VPN clients to the VMs in your environment using firewall rules on the vShield Edge Gateway. However, if you are approaching the network interface limit of your vShield Edge Gateway, it is possible to deploy the OpenVPN appliance into an existing Org VDC network.

Create a new Org VDC network

1. In vCloud Director, click the Administration button.
2. Select your VDC, then click the Org VDC Networks tab.
3. Click the green plus icon to add a new network.
4. Choose the option to create a routed network, and provide the network addressing information.

Configure your Edge Gateway

Click the Edge Gateways tab, then right-click your gateway and select Edge Gateway Services. You'll need to create the following:

• Source NAT rule to give the OpenVPN appliance outbound access to the internet
• Destination NAT rule to allow inbound access from the internet to the OpenVPN appliance
• Firewall rule to allow inbound access from the internet on port 443
• Firewall rule(s) to allow users connected to the OpenVPN appliance to access VMs on other networks for administration purposes — VPN users will be NATed to the IP address of the OpenVPN appliance
• Firewall rule(s) to allow access from trusted environment(s) to the OpenVPN appliance on the admin port — port 943 by default, but this can be changed


UKCloud Ltd 4

OBTAINING AND DEPLOYING THE OPENVPN APPLIANCE

To ensure you're running the latest release of OpenVPN, we suggest you first download the latest version of the appliance from the OpenVPN website. To do this:

1. Go to https://openvpn.net/index.php/access-server/download-openvpn-as-vm.html

2. Select the Virtual Appliance for VMware ESXi.

3. Download the OVA template.

To deploy the OpenVPN appliance:

1. Log on to the UKCloud portal.

2. Access vCloud Director.

3. Click the My Cloud button and select vApps.

4. Click the button Add vApp from OVF.

5. Select the OVA you downloaded. The appliance will be deployed as a single VM inside a vApp.

6. Give the vApp a name, then select the appropriate VDC and click Next.

7. Select the appropriate storage policy and click Next.

8. Give the VM a name, then click the Advanced Networking checkbox.


Blueprint: Using OpenVPN for remote access to the cloud 5

You'll now be able to select the appropriate network and change the IP assignment method. We suggest you deploy the VPN appliance to its own network segment (as described in the section 'Preparing your virtual data centre') and use the Static — IP Pool method of IP assignment.

Then continue through the wizard to the end. You don't need to make any other changes unless you wish to customise settings to suit your environment.

Once the vApp has deployed and powered on, you will need to reset (reboot) the VM before logging in for the first time. This will force the networking changes made during your VMware guest customisations to take effect before you start configuring OpenVPN.


UKCloud Ltd 6

PERFORMING INITIAL AND ADMIN CONFIGURATION

Initial configuration

To perform the initial configuration, you'll need to connect to the VM console. To do this, log on to the VM with the username root and password openvpnas.

Once you've logged on, you'll need to answer the following questions. Each question is followed by the suggested answer.

Licence agreement
    Select Yes to accept.

Will this be the primary Access Server node?
    Select Yes.

Network
    If the guest customisations were applied correctly, this will default to eth0, which should be configured with an IP address on the network you selected during deployment.

Admin web UI
    Accept the default 943 or choose your desired port number. A separate port for administration is recommended but not strictly needed.

TCP port for OpenVPN daemon
    We recommend you use the default of 443 if possible — using a non-standard port may cause problems when connecting from corporate networks.

Should client traffic be routed by default through VPN?
    Selecting Yes will prevent client devices from accessing any other networks (eg your corporate network) while the VPN is connected. (This is sometimes referred to as split tunnelling.) For ease of use, we suggest you answer No to this question, but you should refer to your security policy.

Should client DNS traffic be routed by default through VPN?
    If you answered Yes to the previous question, all traffic will be routed through the VPN anyway, so your answer here will not matter. If you answered No to the previous question, you will probably want to answer No to this question as well, so that your DNS queries are answered by the usual servers.

Use local auth via internal DB
    Select Yes, unless you want to authenticate users from an existing directory service (Active Directory/LDAP).

Should private subnets be accessible to clients by default?
    Select Yes to be able to access your cloud networks via the VPN.

Do you wish to log in to the admin UI as openvpn?
    Select Yes to create a local user account named openvpn. If you answer No, you'll need to set up a different username and password.

License key
    Leave blank unless you've purchased a license, in which case enter the license key.


Blueprint: Using OpenVPN for remote access to the cloud 7

If you opted to use the default openvpn account, you will need to set its password:

# passwd openvpn

While you're connected to the console, you can carry out a few additional system configurations, described below.

Check the DNS resolver configuration is in place

During tests we discovered that this is not added by the VMware guest customisations.

# pico /etc/network/interfaces

Use the arrow keys to scroll down. Below the line specifying the default gateway, add the following:

dns-nameservers 8.8.8.8

Press ^O to save the file, then ^X to exit the text editor. For the change to take effect, you'll need to restart the networking service:

# service networking restart

Configure the keyboard

The default configuration is for a US keyboard. To reconfigure for the UK:

# dpkg-reconfigure keyboard-configuration

Step through the wizard. There is no need to restart anything once you've finished.

Apply updates

It is a good idea to apply the latest upgrades to the system:

# apt-get update && apt-get upgrade

You'll be prompted to approve the installation of updates.


UKCloud Ltd 8

Install NTP

This is good practice, and is required if you intend to use two-factor authentication via Google Authenticator.

# apt-get install ntp

Once the NTP installation is complete, you'll need to update the configuration file to point to UKCloud's NTP servers.

# pico /etc/ntp.conf

Use the arrow keys to scroll down until you reach the lines beginning with 'server'. Change the first two lines to reflect the UKCloud servers, and comment out the remaining two lines:

server 37.26.90.192
server 37.26.94.232

You can now press ^D to log off the console.

Configure admin options

To configure admin options, log on to the admin interface at https://<ip_addr>/admin

Once you've logged on, you'll need to set the host name. To do this:

1. Select Server Network Settings.
2. Set the host name to either a public IP address or a fully qualified domain name (FQDN) that your client will be able to resolve.
3. Save settings on this page before moving on.
4. Under the Routing section, select the VPN settings tab.
5. Add any additional subnets that your VPN users should have access to. These will usually be the IP subnets configured on all of your Org VDC networks.

This is the minimum configuration required in order to be able to establish a VPN connection.

Add Users

Under User Management select User Permissions to create new local user accounts. To set the password for each account, click the Show link in the More Settings column. Use complex passwords.


Blueprint: Using OpenVPN for remote access to the cloud 9

LOGGING IN AND CONNECTING

You can download the VPN client software and connection profiles directly from the appliance. To do this, browse to https://<ip_addr>/ and log in with a valid username and password.

When the client software and/or profile is downloaded, a client certificate is included, which is required for authentication.

Once the client software and/or profile have been installed, connections can be initiated directly from the client.


UKCloud Ltd 10

SECURING THE APPLIANCE

We strongly suggest that you further secure the appliance. The following changes are recommended.

Change default passwords

If you have not already done so, change the root password to something more secure. To do this, log on to the console as root with password openvpnas, then change the password:

# passwd

Lock down unused ports with iptables

The openvpn config utility adds the required ALLOW entries to iptables automatically, so you just need to deny all other traffic:

# iptables -A INPUT -j DROP
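A catch-all DROP appended to a chain that is missing one of the expected ACCEPT rules locks you out of the appliance. The pre-check below is an added example, not part of the UKCloud blueprint: it reads an `iptables -S INPUT` listing and refuses to append the DROP until every port this blueprint relies on has an ACCEPT rule. The port list is an assumption drawn from this document's defaults (443/tcp for the VPN daemon, 943/tcp for the admin UI, 22/tcp for SSH) plus OpenVPN's default 1194/udp.

```shell
#!/bin/sh
# Added example (not from the UKCloud blueprint). Ports assumed from the
# blueprint's defaults: 443/tcp, 943/tcp, 22/tcp, plus OpenVPN's 1194/udp.
REQUIRED="tcp:443 tcp:943 udp:1194 tcp:22"

# Read an `iptables -S INPUT` listing from stdin and print the proto:port
# pairs from REQUIRED that have no matching ACCEPT rule (empty if none).
missing_accepts() {
    rules=$(cat)
    missing=""
    for entry in $REQUIRED; do
        proto=${entry%%:*}
        port=${entry##*:}
        # Match "-p tcp ... --dport 443 ... -j ACCEPT"; the trailing space
        # after the port stops 443 from matching 4430.
        if ! printf '%s\n' "$rules" | grep -q -- "-p $proto .*--dport $port .*-j ACCEPT"; then
            missing="$missing $entry"
        fi
    done
    printf '%s' "${missing# }"
}

# Append the blueprint's DROP only when nothing required is missing.
# Loopback and already-established flows are accepted first so that
# replies to the appliance's own outbound traffic keep working.
lock_down() {
    m=$(iptables -S INPUT | missing_accepts)
    if [ -n "$m" ]; then
        echo "refusing to append DROP; no ACCEPT rule for: $m" >&2
        return 1
    fi
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -j DROP
}
```

Rules added at the shell this way do not survive a reboot unless they are saved with a persistence mechanism such as iptables-persistent.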

Enable two-factor authentication via Google Authenticator

You can do this using the OpenVPN Admin interface.

1. Browse to https://<ip_addr>/admin and log on with the default account.
2. Select the Client Settings menu under Configuration.
3. Click the checkbox to enable Google Authenticator support.

To enter/scan the Google Authenticator secret, users will need to:

1. Log in to the client portal at https://<ip_addr>/ and select Login.
2. Configure the secret.
3. Click the 'I scanned the QR code' button to enforce two-factor authentication.


Blueprint: Using OpenVPN for remote access to the cloud 11

Disable root SSH login

If you're connecting via SSH, best practice is to connect using a non-privileged account, then sudo to root if needed. This prevents an attacker from brute-forcing the root password.

# pico /etc/ssh/sshd_config

Use the arrow keys to scroll down the file, and change the PermitRootLogin line to no.

Disable the default account

During the initial setup, you will have created a username and password to log in to the Admin web interface. This account, whose default name is openvpn, is configured to be always active, disregarding its status in the User Permissions area. In addition, if you configured two-factor authentication via Google Authenticator, this is not enforced for the default account.

To disable the default account:

# pico /usr/local/openvpn_as/etc/as.conf

Use the arrow keys to scroll down the file until you see entries starting with boot_pam_users. Comment out the entry that matches the username you chose for the default account. This is usually the boot_pam_users.0= entry.

For this change to take effect, you'll need to restart the OpenVPN service:

# service openvpnas restart
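The two file edits in this section, applied non-interactively instead of in pico, as an added example that is not part of the UKCloud blueprint. The functions take file paths so they can be tried on copies first; the file locations and the default account name openvpn are the ones given above, and the audit function reports the resulting state so the change can be verified before the services are restarted.

```shell
#!/bin/sh
# Added example (not from the UKCloud blueprint).

# Set PermitRootLogin to "no" in an sshd_config file. An existing directive,
# even a commented-out one, is replaced in place; otherwise it is appended.
disable_root_ssh() {
    cfg=$1
    if grep -Eq '^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]' "$cfg"; then
        sed -i -E 's/^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' "$cfg"
    else
        printf 'PermitRootLogin no\n' >> "$cfg"
    fi
}

# Comment out the boot_pam_users.N=<user> entry for the default admin account
# in as.conf. Entries for other users are left untouched.
disable_default_account() {
    cfg=$1
    user=$2
    sed -i -E "s/^(boot_pam_users\.[0-9]+=${user})[[:space:]]*$/#\1/" "$cfg"
}

# Print "<PermitRootLogin value> <active|disabled>" for the given files and
# user, so the two changes can be checked before restarting ssh and openvpnas.
audit() {
    cfg_ssh=$1; cfg_as=$2; user=$3
    root_login=$(grep -E '^[[:space:]]*PermitRootLogin[[:space:]]' "$cfg_ssh" | tail -n 1 | awk '{print $2}')
    if grep -Eq "^boot_pam_users\.[0-9]+=${user}[[:space:]]*$" "$cfg_as"; then
        pam=active
    else
        pam=disabled
    fi
    printf '%s %s\n' "${root_login:-unset}" "$pam"
}

# On the appliance itself (as root), after trying the functions on copies:
#   disable_root_ssh /etc/ssh/sshd_config
#   disable_default_account /usr/local/openvpn_as/etc/as.conf openvpn
#   audit /etc/ssh/sshd_config /usr/local/openvpn_as/etc/as.conf openvpn
#   service ssh restart && service openvpnas restart
```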


UKCloud Ltd 12

FOR MORE HELP

Unfortunately, UKCloud Support cannot help you with troubleshooting or modifying any of the scripts provided in this document. Please refer to the online documentation for OpenVPN: https://openvpn.net/howto.html

If you need further advice or guidance regarding your Secure Remote Access options, contact your Account Director. UKCloud has a talented team of cloud architects and a large number of partners who may be able to assist you.


Blueprint: Using OpenVPN for remote access to the cloud 13

ABOUT UKCLOUD

UKCloud has developed a range of cloud services designed specifically for the UK public sector, to help increase efficiencies, reduce costs, significantly improve procurement times and increase transparency. Our services are easy to adopt, easy to use and easy to leave to ensure that our customers remain in complete control, with minimum risk, reassured by the fact UKCloud's services are Pan Government Accredited (PGA) up to IL3 and so suitable for all data at OFFICIAL (including OFFICIAL-SENSITIVE).

UKCloud's full offering consists of IaaS, PaaS and SaaS products:

1. IaaS – seven offerings around Compute and Storage on demand
2. SaaS – offerings around messaging and secure file synchronisation
3. PaaS – based upon open-source Digital Application Platform and Hadoop

All of UKCloud's UK sovereign cloud computing services are hosted in one (or both) of our highly resilient tier 3 UK data centres in Farnborough and Corsham. UKCloud services are delivered with leading technologies from UKCloud Alliance Partners: QinetiQ, VMware, Cisco, EMC and Ark Data Centres. The Cloud Alliance also provides a collaborative resource which drives innovation and technical product development, helping to continually improve UKCloud's offering to meet the needs of the UK public sector.

UKCloud is focused on providing cloud services in a more agile, secure and cost-effective manner. We strive to deliver solutions that harness technology as a way to facilitate the changes that are needed to streamline processes and reduce costs to support the UK public sector and, ultimately, UK citizens and taxpayers.

MORE INFORMATION

For further information about UKCloud and how we can help you, please send an email to [email protected]


UKCloud Ltd

A8 Cody Technology Park

Ively Road

Farnborough

Hampshire

GU14 0LX

+44 (0)1252 303300

[email protected]

www.ukcloud.com

Reasonable efforts have been made to ensure the accuracy of the information contained in this document. No advice given or statements or recommendations made shall in any circumstances constitute or be deemed to constitute a warranty by UKCloud Ltd as to the accuracy of such advice, statements or recommendations. UKCloud Ltd shall not be liable for any loss, expense, damage or claim howsoever arising out of the advice given or not given or statements made or omitted to be made in connection with this document.

No part of this document may be copied, reproduced, adapted or redistributed in any form or by any means without the express prior written consent of UKCloud Ltd.

© UKCloud Ltd 2016 All Rights Reserved.

UKC-GEN-135 • 07/16