Remote access to private cloud using OpenVPN and Iptables — Part1

Chris Phan
6 min readFeb 6, 2021

Overview

Image: System Design

As shown in the figure, on the right side is the virtual private network. It contains an Ubuntu server running OpenVPN, which acts as the connector on IP address 10.0.0.30, a certificate authority server (CA-Server) for signing certificates, and a JumpHost server from which the other resources are reached. The AWS VPC is connected to the internet through a firewall (iptables) with NAT rules configured so that servers in the private network can reach the internet.

The following is needed so that traffic from the private network can reach the internet:
1. Internet-bound traffic from the MGMT subnet and the trusted zone subnet must be routed to the firewall's inside network interface (eth1).
2. In iptables, SNAT (source NAT) must be configured to rewrite the packet's source IP to the IP of the WAN interface (eth0).
3. The route table of the public subnet must send internet-bound traffic to the IGW (internet gateway).

Image: Source and destination IP of packet traverse from private resource to internet via firewall

To allow a remote VPN client to access resources inside the private subnet, the following is needed:
1. Install OpenVPN and configure the key and certificate for both client and server; both certificates must be signed by the CA server.
2. Configure DNAT (destination network address translation) in the firewall so that incoming traffic from the remote side has its destination IP rewritten to the IP of the OpenVPN server.
3. Enable IP forwarding on the OpenVPN server.
4. Download the client configuration file from the OpenVPN server and connect to the private resources in the cloud VPC.

Image: Source and destination IP of packet traverse from Client VPN to private resource in VPC
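The two packet flows above, expressed as iptables rules. This is an added example and not the article's own code (the article's firewall configuration follows in the next part): a script that renders and loads an iptables-restore ruleset implementing the SNAT for the trusted and MGMT subnets (flow 1) and the DNAT towards the OpenVPN server (flow 2), with a default-drop FORWARD chain so the firewall forwards only what those two flows need. Assumptions that are not in the article: the interface names eth0 (WAN) and eth1 (LAN), the firewall's own eth0 address (read from the interface at apply time), and OpenVPN listening on its default port udp/1194; all of them are parameters of the script.

```shell
#!/usr/bin/env bash
# Added example (not the article's code): NAT and forwarding rules for the
# dual-homed firewall. Assumptions: WAN=eth0, LAN=eth1, OpenVPN on udp/1194,
# and the firewall's eth0 address is read from the interface at apply time.
set -euo pipefail

TRUSTED=10.0.0.16/28     # ex-trusted-subnet (holds the OpenVPN server)
MGMT=10.0.0.48/28        # ex-trusted-subnet-mgmt
OPENVPN=10.0.0.30        # OpenVPN server address from the system design

# gen_nat_rules WAN LAN WAN_IP VPN_IP: print an iptables-restore ruleset
gen_nat_rules() {
  local wan=$1 lan=$2 wan_ip=$3 vpn=$4
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Flow 2: VPN client -> firewall WAN address; destination rewritten to the OpenVPN server
-A PREROUTING -i $wan -p udp --dport 1194 -j DNAT --to-destination $vpn:1194
# Flow 1: private subnets -> internet; source rewritten to the WAN (eth0) address.
# The IGW then maps the eth0 private address to the firewall's Elastic IP.
-A POSTROUTING -s $TRUSTED -o $wan -j SNAT --to-source $wan_ip
-A POSTROUTING -s $MGMT -o $wan -j SNAT --to-source $wan_ip
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies belonging to connections conntrack already knows (both flows)
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only the two private subnets may open connections towards the internet
-A FORWARD -i $lan -o $wan -s $TRUSTED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $MGMT -j ACCEPT
# From the internet, forward only what PREROUTING has DNATed to OpenVPN
-A FORWARD -i $wan -o $lan -p udp -d $vpn --dport 1194 -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

# apply_nat_rules WAN LAN WAN_IP VPN_IP: turn on forwarding, then load the
# ruleset atomically (iptables-restore replaces the nat and filter tables).
apply_nat_rules() {
  sysctl -w net.ipv4.ip_forward=1
  gen_nat_rules "$@" | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
  wan_ip=$(ip -4 -o addr show dev eth0 | awk '{print $4}' | cut -d/ -f1)
  apply_nat_rules eth0 eth1 "$wan_ip" "$OPENVPN"
fi
```

Run it as root on the firewall with `./nat.sh apply`; running it again after an edit is safe, because iptables-restore replaces the whole nat and filter tables in one step rather than appending. The rules are not persistent across reboots on their own (on Ubuntu the iptables-persistent package takes care of that), and nothing here is forwarded at all until source/destination checking has been disabled on both ENIs in AWS. Note that SNAT uses the eth0 private address rather than a public one: in a VPC the internet gateway performs the one-to-one translation between that private address and the instance's Elastic IP.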

Setting up the network infrastructure

In this section we will go through creating the VPC, subnets, route tables, and a dual-homed firewall running iptables.

Creating the virtual private network & internet gateway

From the AWS console, go to Services => All services => choose VPC.

Go to Your VPCs, then click Create VPC.

Enter the information below, then choose Create VPC:
Name tag: external-vpc
IPv4 CIDR block: 10.0.0.0/24

After creating the VPC, we create an internet gateway so that traffic from the VPC can reach resources on the internet.

From the VPC console, choose Internet Gateways on the left, then click Create internet gateway in the top right corner. Type external-igw in the Name tag field, then click the Create internet gateway button.
After creating the internet gateway we need to attach it to external-vpc: open the Actions dropdown, click Attach to VPC, then choose the VPC to attach the IGW to.

Create new subnets

From the VPC console, choose Subnets in the left tab, then click Create subnet.

In the subnet creation form, choose external-vpc as the VPC, then add the following information to create the subnets:

Subnet name: ex-untrusted-subnet
Availability Zone: ap-southeast-1
IPv4 CIDR block: 10.0.0.0/28
Then click Add new subnet to add the trusted subnet:

Subnet name: ex-trusted-subnet
Availability Zone: ap-southeast-1
IPv4 CIDR block: 10.0.0.16/28
Then click Add new subnet to add the management subnet:

Subnet name: ex-trusted-subnet-mgmt
Availability Zone: ap-southeast-1
IPv4 CIDR block: 10.0.0.48/28

After filling in all the information, click the Create subnet button to create the untrusted, trusted and management subnets.

Image: Now the three subnets (untrusted, trusted, management) are in available state

Provision a dual-homed firewall with two network interfaces

From the system design we need network address translation so that traffic from the private subnets can reach the internet and traffic from the remote site can reach resources in the private cloud. This means we will use a static route to send traffic from the private subnets to the firewall's network interface, which is why we create the firewall before the route tables. (You can also create the route tables first, create the firewall instance, and then edit the routes afterwards.)

Create the dual-homed firewall:

Step 1: Choose AMI: Ubuntu 18.04 LTS (HVM)
Step 2: Instance type: t2.micro
Step 3: Configure instance details
Network: external-vpc
Subnet: ex-untrusted-subnet
Auto-assign Public IP: Disable
Network interfaces: add a new device whose subnet is ex-trusted-subnet
Step 4: Storage: leave the defaults for now
Step 5: Tags
Add a tag with Key: Name & Value: ex-dual-home-firewall
Step 6: Configure Security Group: check "Create a new security group"
Name: ex-firewall-untrusted-sg
Description: Allow remote access and http(s) access WAN interface
Rules:

Image: Configure security group for WAN interface to allow remote & http(s) access

Note: We created two network interfaces: eth0 in the untrusted subnet and the other (eth1) in the trusted subnet. The security group chosen at launch is applied to both ENIs, so as a best practice we will create a separate security group for eth1 after the instance is created. Two more settings are needed on this instance: source/destination checking must be disabled on both ENIs, because otherwise AWS drops any forwarded packet whose source or destination address is not the ENI's own, and, since auto-assign public IP is disabled, an Elastic IP must be associated with eth0 so that the remote client can reach the WAN side.

Step 7: Click Review and Launch, then choose Launch.

Step 8: Choose Create a new key pair or select an existing key pair, then choose Launch Instances.

Note: If you do not have a key pair, choose "Create a new key pair", then download the key pair to your local workstation for later use.

Create route tables for the private subnets

Requirements:
Route table name: ex-untrusted-rt
Subnet association: ex-untrusted-subnet

Image: Route table rules

Route table name: ex-trusted-rt
Subnet association: ex-trusted-subnet & ex-trusted-subnet-mgmt

Image: Route table rules of the route table associated with the trusted & mgmt subnets

How to create a route table:

From the VPC Dashboard, choose Route Tables on the left, then click Create route table. Specify the Name tag & choose the VPC this route table belongs to. Then click the Create button.

Image: Create new route table

How to add a route:

Image: Choose the route table => click Routes => Edit routes
Image: Choose Subnet associations => Edit subnet associations to associate a subnet with the route table
Image: Choose the subnets you want to associate with the route table
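The whole of this section as a script, so that the environment can be rebuilt without clicking through the console. This is an added example, not the article's own code: it sanity-checks the subnet plan (every subnet inside the VPC block, no two overlapping) with a few lines of CIDR arithmetic, then creates the VPC, internet gateway, the three subnets, the WAN security group, the dual-homed firewall instance and the two route tables with the AWS CLI, and switches off source/destination checking on both of the firewall's ENIs. Assumptions that are not in the article: the AMI id, key pair name and the range allowed to reach the WAN side (AMI, KEY_NAME, ADMIN_CIDR) come from the environment; the ports opened on the WAN security group (22, 80, 443) are a reading of "remote access and http(s)" since the rule screenshot is not reproduced here; the availability zone defaults to ap-southeast-1a; and the AWS CLI is already configured for the ap-southeast-1 region.

```shell
#!/usr/bin/env bash
# Added example (not the article's code): the VPC, subnets, IGW, dual-homed
# firewall and route tables from this section, built with the AWS CLI after a
# sanity check of the subnet plan. Assumed, not from the article: AMI (an Ubuntu
# 18.04 LTS image id), KEY_NAME and ADMIN_CIDR (the only range allowed to reach
# the WAN side) come from the environment; AZ defaults to ap-southeast-1a.
set -euo pipefail

VPC_CIDR=10.0.0.0/24
UNTRUSTED=10.0.0.0/28
TRUSTED=10.0.0.16/28
MGMT=10.0.0.48/28
AZ=${AZ:-ap-southeast-1a}

ip2int() {                     # dotted quad -> 32-bit integer
  local IFS=.; set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
cidr_contains() {              # cidr_contains OUTER INNER: true if INNER lies inside OUTER
  local outer_len=${1#*/} inner_len=${2#*/} mask
  [ "$inner_len" -ge "$outer_len" ] || return 1
  mask=$(( (0xFFFFFFFF << (32 - outer_len)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "${1%/*}") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}
cidrs_overlap() {              # blocks overlap iff one contains the other's network address
  cidr_contains "$1" "$2" || cidr_contains "$2" "$1"
}
check_subnet_plan() {          # check_subnet_plan VPC_CIDR SUBNET...: all inside the VPC, none overlapping
  local vpc=$1 i j; shift
  for i in "$@"; do
    cidr_contains "$vpc" "$i" || { echo "$i is outside $vpc" >&2; return 1; }
  done
  while [ $# -gt 1 ]; do
    i=$1; shift
    for j in "$@"; do
      if cidrs_overlap "$i" "$j"; then echo "$i overlaps $j" >&2; return 1; fi
    done
  done
  return 0
}
mk_subnet() {                  # mk_subnet VPC_ID NAME CIDR -> subnet id
  aws ec2 create-subnet --vpc-id "$1" --cidr-block "$3" --availability-zone "$AZ" \
    --tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=$2}]" \
    --query Subnet.SubnetId --output text
}
mk_route_table() {             # mk_route_table VPC_ID NAME -> route table id
  aws ec2 create-route-table --vpc-id "$1" \
    --tag-specifications "ResourceType=route-table,Tags=[{Key=Name,Value=$2}]" \
    --query RouteTable.RouteTableId --output text
}

provision() {
  local vpc igw sub_un sub_tr sub_mg sg inst idx eni eni1 rt p s
  vpc=$(aws ec2 create-vpc --cidr-block "$VPC_CIDR" \
    --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=external-vpc}]' \
    --query Vpc.VpcId --output text)
  igw=$(aws ec2 create-internet-gateway \
    --tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=external-igw}]' \
    --query InternetGateway.InternetGatewayId --output text)
  aws ec2 attach-internet-gateway --internet-gateway-id "$igw" --vpc-id "$vpc"
  sub_un=$(mk_subnet "$vpc" ex-untrusted-subnet "$UNTRUSTED")
  sub_tr=$(mk_subnet "$vpc" ex-trusted-subnet "$TRUSTED")
  sub_mg=$(mk_subnet "$vpc" ex-trusted-subnet-mgmt "$MGMT")
  # WAN-side security group, limited to ADMIN_CIDR rather than 0.0.0.0/0 (ports assumed)
  sg=$(aws ec2 create-security-group --vpc-id "$vpc" --group-name ex-firewall-untrusted-sg \
    --description "Allow remote access and http(s) access WAN interface" --query GroupId --output text)
  for p in 22 80 443; do
    aws ec2 authorize-security-group-ingress --group-id "$sg" --protocol tcp --port "$p" --cidr "$ADMIN_CIDR"
  done
  # Dual-homed firewall: eth0 in ex-untrusted-subnet, eth1 in ex-trusted-subnet
  inst=$(aws ec2 run-instances --image-id "$AMI" --instance-type t2.micro --key-name "$KEY_NAME" \
    --network-interfaces "[{\"DeviceIndex\":0,\"SubnetId\":\"$sub_un\",\"Groups\":[\"$sg\"]},
                           {\"DeviceIndex\":1,\"SubnetId\":\"$sub_tr\",\"Groups\":[\"$sg\"]}]" \
    --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=ex-dual-home-firewall}]' \
    --query 'Instances[0].InstanceId' --output text)
  aws ec2 wait instance-running --instance-ids "$inst"
  # NAT/forwarding needs source/destination checking off on every ENI, or AWS drops the packets
  while read -r idx eni; do
    aws ec2 modify-network-interface-attribute --network-interface-id "$eni" --no-source-dest-check
    if [ "$idx" = 1 ]; then eni1=$eni; fi
  done < <(aws ec2 describe-instances --instance-ids "$inst" --output text \
    --query 'Reservations[0].Instances[0].NetworkInterfaces[].[Attachment.DeviceIndex,NetworkInterfaceId]')
  # ex-untrusted-rt: default route to the IGW
  rt=$(mk_route_table "$vpc" ex-untrusted-rt)
  aws ec2 create-route --route-table-id "$rt" --destination-cidr-block 0.0.0.0/0 --gateway-id "$igw"
  aws ec2 associate-route-table --route-table-id "$rt" --subnet-id "$sub_un"
  # ex-trusted-rt: default route to the firewall's inside ENI (eth1), shared by trusted and mgmt
  rt=$(mk_route_table "$vpc" ex-trusted-rt)
  aws ec2 create-route --route-table-id "$rt" --destination-cidr-block 0.0.0.0/0 --network-interface-id "$eni1"
  for s in "$sub_tr" "$sub_mg"; do
    aws ec2 associate-route-table --route-table-id "$rt" --subnet-id "$s"
  done
}

if [ "${1:-}" = "apply" ]; then
  : "${AMI:?}" "${KEY_NAME:?}" "${ADMIN_CIDR:?}"
  check_subnet_plan "$VPC_CIDR" "$UNTRUSTED" "$TRUSTED" "$MGMT"
  provision
fi
```

Invoke it as `AMI=ami-... KEY_NAME=mykey ADMIN_CIDR=203.0.113.0/24 ./provision.sh apply` (the ADMIN_CIDR value is a documentation range, to be replaced by your own). Without the `apply` argument nothing is created, which keeps the CIDR check testable on its own. The check matters because the plan in this section deliberately leaves 10.0.0.32/28 unused; a typo such as 10.0.0.8/28 for the trusted subnet would overlap the untrusted one and the script refuses it before any API call is made. Source/destination checking is disabled per ENI rather than per instance, because the instance-level attribute only covers the primary interface.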

In the next part I will show you how to:

  1. Configure OpenVPN to allow remote access to resources in the private cloud
  2. Set up the iptables firewall to allow packet forwarding from eth0 to eth1 and vice versa
  3. Configure network address translation so that packets from the remote site & internet can reach the private subnets, and packets from the private subnets can reach internet resources, by changing the source or destination IP of the IP packets


Chris Phan

Cloud Engineer (AWS, Azure, GCP)