Configuring a VPN Server

The following scenario walks through how to set up an IPsec or OpenVPN VPN server. Once a VPN server is configured, a secure connection can be established between an internal network and the production environment on Liferay Cloud. This example uses Ubuntu Server 18.0.4 as a proof of concept. Please read the VPN Integration Overview article for an overview of Liferay Cloud’s Client-to-Site VPN functionality.

Warning: Configuration commands and values are subject to change and should be adapted for your specific environment.

EAP-TLS and EAP-MSCHAPv2 authentication protocols are both supported for VPN connections.

Basic Setup for an IPsec Server

To configure an IPsec test server:

  1. Save the following file as ~/ipsec.conf and replace the leftid value with your VPN server’s external IP.

    config setup
      charondebug="ike 1, knl 1, cfg 0"
      uniqueids=no
    
    conn ikev2-vpn
      auto=add
      compress=no
      type=tunnel
      keyexchange=ikev2
      fragmentation=yes
      forceencaps=yes
      dpdaction=clear
      dpddelay=300s
      rekey=no
      left=%any
      leftid=18.188.145.101
      leftcert=server-cert.pem
      leftsendcert=always
      leftsubnet=0.0.0.0/0
      right=%any
      rightid=%any
      rightauth=eap-mschapv2
      rightsourceip=10.10.10.0/24
      rightdns=8.8.8.8,8.8.4.4
      rightsendcert=never
      eap_identity=%identity
    

    If you want to use the EAP-TLS protocol instead of only EAP-MSCHAPv2, add eap-tls to the rightauth line of the configuration:

    rightauth=eap-mschapv2,eap-tls!
    
  2. On your server, set the following variables, replacing the SERVER_EXTERNAL_IP value with your VPN server’s external IP and the USERNAME and PASSWORD values with your own:

    SERVER_EXTERNAL_IP="18.188.145.101"
    USERNAME="myuser"
    PASSWORD="mypassword"
    
  3. Install the necessary dependencies:

    sudo apt-get update
    sudo apt install -y strongswan strongswan-pki
    sudo apt install -y libstrongswan-extra-plugins
    
  4. Set up the security certificates and keys.

    If you want to use EAP-MSCHAPv2, run these commands to generate the certificates:

    mkdir -p ~/pki/{cacerts,certs,private}
    chmod 700 ~/pki
    ipsec pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/ca-key.pem
    ipsec pki --self --ca --lifetime 3650 --in ~/pki/private/ca-key.pem \
      --type rsa --dn "CN=VPN root CA" --outform pem > ~/pki/cacerts/ca-cert.pem
    
    ipsec pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/server-key.pem
    
    
    ipsec pki --pub --in ~/pki/private/server-key.pem --type rsa \
    |   ipsec pki --issue --lifetime 1825 \
      --cacert ~/pki/cacerts/ca-cert.pem \
      --cakey ~/pki/private/ca-key.pem \
      --dn "CN=$SERVER_EXTERNAL_IP" --san "$SERVER_EXTERNAL_IP" \
      --flag serverAuth --flag ikeIntermediate --outform pem \
    >  ~/pki/certs/server-cert.pem
    
    sudo cp -r ~/pki/* /etc/ipsec.d/
    

    Otherwise, to use EAP-TLS, run these commands:

    mkdir -p ~/pki/certs
    chmod 700 ~/pki
    cd ~/pki/certs
    
    ipsec pki --gen --outform pem > caKey.pem
    ipsec pki --self --in caKey.pem --dn "CN=VPN CA" --ca --outform pem > caCert.pem
    
    openssl x509 -in caCert.pem -outform der | base64 -w0 ; echo
    
    export PASSWORD="password"
    export USER_NAME="client"
    
    ipsec pki --gen --outform pem > "${USER_NAME}Key.pem"
    ipsec pki --pub --in "${USER_NAME}Key.pem" \
    | ipsec pki --issue --cacert caCert.pem \
      --cakey caKey.pem \
      --dn "CN=${USER_NAME}" \
      --san "${USER_NAME}" \
      --flag clientAuth \
      --outform pem \
    > "${USER_NAME}Cert.pem"
    
    openssl pkcs12 -in "${USER_NAME}Cert.pem" \
      -inkey "${USER_NAME}Key.pem" \
      -certfile caCert.pem \
      -export -out "${USER_NAME}.p12" \
      -password "pass:${PASSWORD}"
    
    cd ..
    sudo cp -r ./certs/* /etc/ipsec.d/
    
  5. If you are using EAP-TLS for your VPN connection, then add this to your /etc/ipsec.secrets file (using your VPN password):

    : P12 client.p12 'password' # key filename inside /etc/ipsec.d/private directory
    
  6. Configure strongSwan (see the ipsec.conf file described above).

    sudo cp ~/ipsec.conf /etc/ipsec.conf
    
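  7. Configure the VPN server’s authentication. This command overwrites /etc/ipsec.secrets, so if you added the P12 line for EAP-TLS in step 5, add it again afterwards.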

    echo -e ": RSA \"server-key.pem\"\n$USERNAME : EAP \"$PASSWORD\"" | sudo tee /etc/ipsec.secrets
    
    sudo systemctl restart strongswan
    
  8. Configure the OS kernel.

    sudo sed -i 's/#net\/ipv4\/ip_forward=1/net\/ipv4\/ip_forward=1/g' /etc/ufw/sysctl.conf
    sudo sed -i 's/#net\/ipv4\/conf\/all\/accept_redirects/net\/ipv4\/conf\/all\/accept_redirects/g' /etc/ufw/sysctl.conf
    echo "net/ipv4/conf/all/send_redirects=0" | sudo tee -a /etc/ufw/sysctl.conf
    echo "net/ipv4/ip_no_pmtu_disc=1" | sudo tee -a /etc/ufw/sysctl.conf
    
  9. Configure the OS’s firewall.

    networkInterfaceName=$(ip link | awk -F: '$0 !~ "lo|vir|^[^0-9]"{print $2a;getline}' | head -1)
    config="-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT"
    config="$config\n-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT"
    config="$config\nCOMMIT"
    config="$config\n*nat\n-A POSTROUTING -s 10.10.10.0/24 -o $networkInterfaceName -m policy --pol ipsec --dir out -j ACCEPT"
    config="$config\n-A POSTROUTING -s 10.10.10.0/24 -o $networkInterfaceName -j MASQUERADE"
    config="$config\nCOMMIT"
    config="$config\n*mangle"
    config="$config\n-A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o $networkInterfaceName -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360"
    config="$config\nCOMMIT"
    sudo sed -i "s/COMMIT//g" /etc/ufw/before.rules
    echo -e $config | sudo tee -a /etc/ufw/before.rules
    
    sudo ufw allow 500,4500/udp
    sudo ufw allow OpenSSH
    sudo ufw disable
    sudo ufw enable
    
  10. Obtain a server certificate to use on the client.

    cat /etc/ipsec.d/cacerts/ca-cert.pem
    

The IPsec VPN server has been configured.
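
Steps 5 and 7 both write to /etc/ipsec.secrets. The following added example (not part of the original article or of Liferay's tooling) rewrites that file while keeping any existing P12 entry and a 0600 mode. `write_ipsec_secrets` is a hypothetical helper name; it must run as root against the real file, and the demo at the end uses a constructed scratch file instead.

```shell
#!/bin/sh
# Hypothetical helper: write_ipsec_secrets FILE USERNAME PASSWORD
write_ipsec_secrets() {
  file=$1; user=$2; pass=$3
  nl='
'
  # Secrets are written inside double quotes, one entry per line, so refuse
  # values that would break the quoting or inject an extra entry.
  case "$user$pass" in
    *\"*|*"$nl"*) echo "quotes and newlines are not allowed" >&2; return 1 ;;
  esac
  tmp=$(mktemp "$file.XXXXXX") || return 1
  chmod 600 "$tmp"                  # the file holds a plaintext password
  {
    # Carry over P12 entries added for EAP-TLS in step 5.
    if [ -f "$file" ]; then
      grep -E '^[[:space:]]*:[[:space:]]*P12[[:space:]]' "$file" || true
    fi
    printf ': RSA "server-key.pem"\n'
    printf '%s : EAP "%s"\n' "$user" "$pass"
  } > "$tmp"
  mv "$tmp" "$file"                 # replace in one step, same directory
}

# Demo on a scratch copy (constructed input), not the real /etc/ipsec.secrets.
demo_dir=$(mktemp -d)
printf ": P12 client.p12 'password'\n" > "$demo_dir/ipsec.secrets"
write_ipsec_secrets "$demo_dir/ipsec.secrets" myuser mypassword
write_ipsec_secrets "$demo_dir/ipsec.secrets" myuser mypassword  # rerun adds no duplicates
cat "$demo_dir/ipsec.secrets"
rm -rf "$demo_dir"
```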

Basic Setup for an OpenVPN Server

Follow these steps if using an OpenVPN server:

  1. Create a ~/server.conf with the following values:

    #Port where the VPN server will answer requests
    port 1194
    
    #TCP or UDP - UDP is faster
    proto udp
    
    #This will create a routed IP tunnel instead of an ethernet tunnel
    dev tun
    
    #The VPN subnet range, all IPs that connected clients will have upon connection
    #The Server will take the first IP (in this case, 10.10.20.1),
    #and all other addresses are available to clients
    server 10.10.20.0 255.255.255.0
    
    #SSL root certificate (ca), certificate itself (cert) and private key (key)
    #All clients use the same CA, but have their own cert and key.
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/server.crt
    key /etc/openvpn/keys/server.key
    
    #Diffie Hellman parameters, this file can be generated with
    #openssl dhparam -out dh2048.pem 2048
    dh /etc/openvpn/keys/dh2048.pem
    
    #Records the IP address of each client so clients can use the same IP address
    #in case of reconnection
    ifconfig-pool-persist ipp.txt
    
    #Keeps connection alive, sends a ping every 10 seconds, and assume the connection is
    #down if no ping is received in 120 seconds
    keepalive 10 120
    
    #Cryptographic cipher used. The Client must use the same cipher
    cipher AES-256-CBC
    
    #HMAC - Hashed Message Authentication Code - used to avoid UDP port flooding,
    #must be the same on client and server
    auth SHA256
    
    #Enable compression on the VPN link
    compress lz4-v2
    push "compress lz4-v2"
    
    #Allows username/password authentication via PAM (linux accounts, LDAP),
    #if not provided, authentication is done via x509 certificates
    plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so login
    
    #Explicitly disables x509 certificate authentication
    verify-client-cert none
    
    #Try to avoid accessing certain resources on restart,
    #since they may not be available
    persist-key
    persist-tun
    
    #Notify all clients when the service is restarting,
    #so they can try to reconnect automatically
    explicit-exit-notify 1
    
    #Short status file showing current connections, updated every minute
    status openvpn-status.log
    
    #Redirect log messages to a log file
    log-append  /var/log/openvpn.log
    
    #Log verbosity, 0 is silent, 9 is extremely verbose
    verb 7
    
  2. Install the necessary dependencies:

    sudo apt-get update
    sudo apt-get install -y openvpn easy-rsa
    
  3. Set up the certificates and keys.

    make-cadir ~/openvpn-ca
    cd ~/openvpn-ca
    source vars
    ./clean-all
    ln -s openssl-1.0.0.cnf openssl.cnf
    ./build-ca
    ./build-dh
    ./build-key-server server
    openvpn --genkey --secret keys/ta.key
    sudo mkdir -p /etc/openvpn/keys/ && sudo cp ~/openvpn-ca/keys/* /etc/openvpn/keys/
    
  4. Use the OpenVPN server.conf file from above.

    sudo cp ~/server.conf /etc/openvpn/
    
  5. Configure the OS kernel.

    sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
    sudo sysctl -p
    
  6. Configure the OS firewall.

    networkInterfaceName=$(ip link | awk -F: '$0 !~ "lo|vir|^[^0-9]"{print $2a;getline}' | head -1)
    echo -e "*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s 10.8.0.0/8 -o $networkInterfaceName -j MASQUERADE\nCOMMIT\n" | sudo tee -a /etc/ufw/before.rules
    sudo sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/g' /etc/default/ufw
    sudo ufw allow 1194/udp
    sudo ufw allow OpenSSH
    sudo ufw disable
    sudo ufw enable
    
  7. Start the VPN server service.

    sudo systemctl start openvpn@server
    
  8. Create the OS user to be used for authentication on the VPN.

    sudo adduser myuser
    

The OpenVPN server has been configured.
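
Before moving this proof of concept toward production, it helps to review which directives in server.conf trade security for convenience. The following added example (not part of the original article or of OpenVPN) flags four of them: link compression, disabled client-certificate verification, debug-level logging, and the absence of a tls-auth or tls-crypt directive even though step 3 generates keys/ta.key. The function name `audit_openvpn_conf` and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Hypothetical helper: reads a server.conf from the file in $1, or from stdin,
# and prints one finding per line.
audit_openvpn_conf() {
  awk '
    /^[ \t]*(#|;|$)/ { next }                 # skip comments and blank lines
    { seen[$1] = 1 }
    $1 == "compress" && $2 != "" && $2 != "stub" && $2 != "stub-v2" {
      print "compression: " $2 " is enabled on the tunnel"
    }
    $1 == "verify-client-cert" && $2 == "none" {
      print "client-auth: no client certificate required, PAM password only"
    }
    $1 == "verb" && $2 + 0 > 4 {
      print "logging: verb " $2 " is a debugging level"
    }
    END {
      if (!seen["tls-auth"] && !seen["tls-crypt"])
        print "control-channel: no tls-auth or tls-crypt directive, ta.key is unused"
    }
  ' "${1:--}"
}

# Constructed sample: active directives taken from the server.conf above.
sample_conf() {
  cat <<'EOF'
port 1194
proto udp
dev tun
server 10.10.20.0 255.255.255.0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
cipher AES-256-CBC
auth SHA256
compress lz4-v2
push "compress lz4-v2"
# comment lines are ignored
verify-client-cert none
verb 7
EOF
}

sample_conf | audit_openvpn_conf
```

Run it against the deployed file with `audit_openvpn_conf /etc/openvpn/server.conf`; an empty result means none of the four conditions matched.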
