Configuring a VPN Server
The following scenario walks through how to set up an IPsec or OpenVPN VPN server. Once a VPN server is configured, a secure connection can be established between an internal network and the production environment on Liferay Cloud. This example uses Ubuntu Server 18.04 as a proof of concept. Please read the VPN Integration Overview article for an overview of Liferay Cloud's Client-to-Site VPN functionality.
Configuration commands and values are subject to change and should be adapted for your specific environment.
The EAP-TLS and EAP-MSCHAPv2 authentication protocols are both supported for VPN connections.
Basic Setup for an IPsec Server
To configure an IPsec test server:
- Save the following file as ~/ipsec.conf and replace the leftid value with your VPN server's external IP. Clients compare this value with the identity in the server certificate, so it must be the same address that goes into the certificate's SAN in the certificate step below.

    config setup
        charondebug="ike 1, knl 1, cfg 0"
        uniqueids=no

    conn ikev2-vpn
        auto=add
        compress=no
        type=tunnel
        keyexchange=ikev2
        fragmentation=yes
        forceencaps=yes
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftid=18.188.145.101
        leftcert=server-cert.pem
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        right=%any
        rightid=%any
        rightauth=eap-mschapv2
        rightsourceip=10.10.10.0/24
        rightdns=8.8.8.8,8.8.4.4
        rightsendcert=never
        eap_identity=%identity

  If you want to use the EAP-TLS protocol instead of only EAP-MSCHAPv2, add eap-tls to the rightauth line of the configuration:

    rightauth=eap-mschapv2,eap-tls!
- On your server, replace SERVER_EXTERNAL_IP with your VPN server's external IP and USERNAME/PASSWORD with your values. For EAP-MSCHAPv2 this password is the only secret that protects a login, so use a strong one; the values below are placeholders:

    SERVER_EXTERNAL_IP="18.188.145.101"
    USERNAME="myuser"
    PASSWORD="mypassword"
- Install the necessary dependencies:

    sudo apt-get update
    sudo apt install -y strongswan strongswan-pki
    sudo apt install -y libstrongswan-extra-plugins
- Set up the security certificates and keys.

  If you want to use EAP-MSCHAPv2, then run these commands to generate the certificates. The same commands also produce the server certificate that leftcert=server-cert.pem in ipsec.conf refers to, which the server needs regardless of the client authentication method:

    mkdir -p ~/pki/{cacerts,certs,private}
    chmod 700 ~/pki
    # CA key and self-signed CA certificate (10 years); clients get ca-cert.pem
    ipsec pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/ca-key.pem
    ipsec pki --self --ca --lifetime 3650 --in ~/pki/private/ca-key.pem \
        --type rsa --dn "CN=VPN root CA" --outform pem > ~/pki/cacerts/ca-cert.pem
    # server key and certificate (5 years) issued by the CA. The SAN must carry the
    # external IP used as leftid; serverAuth is checked by most clients and
    # ikeIntermediate by older Apple clients
    ipsec pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/server-key.pem
    ipsec pki --pub --in ~/pki/private/server-key.pem --type rsa \
        | ipsec pki --issue --lifetime 1825 \
            --cacert ~/pki/cacerts/ca-cert.pem \
            --cakey ~/pki/private/ca-key.pem \
            --dn "CN=$SERVER_EXTERNAL_IP" --san "$SERVER_EXTERNAL_IP" \
            --flag serverAuth --flag ikeIntermediate --outform pem \
            > ~/pki/certs/server-cert.pem
    # the cacerts/certs/private subdirectories match the layout strongSwan reads from /etc/ipsec.d
    sudo cp -r ~/pki/* /etc/ipsec.d/

  Otherwise, to use EAP-TLS, run these commands. They create the CA that signs client certificates and one client certificate packaged as a PKCS#12 file for the client device:

    mkdir -p ~/pki/certs
    chmod 700 ~/pki
    cd ~/pki/certs
    # CA used to sign client certificates
    ipsec pki --gen --outform pem > caKey.pem
    ipsec pki --self --in caKey.pem --dn "CN=VPN CA" --ca --outform pem > caCert.pem
    # print the CA certificate as base64 DER, for clients that import it in that form
    openssl x509 -in caCert.pem -outform der | base64 -w0 ; echo
    # this PASSWORD protects the PKCS#12 bundle. It overwrites the PASSWORD set in the
    # earlier step, so set that one again before writing the EAP secret if you also
    # keep EAP-MSCHAPv2 users
    export PASSWORD="password"
    export USER_NAME="client"
    # client key and certificate (clientAuth), then the PKCS#12 bundle
    ipsec pki --gen --outform pem > "${USER_NAME}Key.pem"
    ipsec pki --pub --in "${USER_NAME}Key.pem" \
        | ipsec pki --issue --cacert caCert.pem \
            --cakey caKey.pem \
            --dn "CN=${USER_NAME}" \
            --san "${USER_NAME}" \
            --flag clientAuth \
            --outform pem \
            > "${USER_NAME}Cert.pem"
    openssl pkcs12 -in "${USER_NAME}Cert.pem" \
        -inkey "${USER_NAME}Key.pem" \
        -certfile caCert.pem \
        -export -out "${USER_NAME}.p12" \
        -password "pass:${PASSWORD}"
    cd ..
    # strongSwan looks for CA certificates in /etc/ipsec.d/cacerts and resolves the
    # PKCS#12 file named in ipsec.secrets relative to /etc/ipsec.d/private
    sudo cp ./certs/caCert.pem /etc/ipsec.d/cacerts/
    sudo cp "./certs/${USER_NAME}.p12" /etc/ipsec.d/private/
- If you are using EAP-TLS for your VPN connection, then add this line to your /etc/ipsec.secrets file, using the PKCS#12 password you set above. The file name is resolved relative to the /etc/ipsec.d/private directory:

    : P12 client.p12 'password'
- Configure strongSwan with the ipsec.conf file described above:

    sudo cp ~/ipsec.conf /etc/ipsec.conf
- Configure the VPN server's authentication. The first line tells strongSwan which private key in /etc/ipsec.d/private belongs to the server certificate; the second line is the EAP-MSCHAPv2 user. The lines are appended (tee -a) so that a P12 line added in the previous step is kept:

    echo -e ": RSA \"server-key.pem\"\n$USERNAME : EAP \"$PASSWORD\"" | sudo tee -a /etc/ipsec.secrets
    sudo systemctl restart strongswan
- Configure the OS kernel. ufw applies the settings in /etc/ufw/sysctl.conf when it starts:

    # forward packets between the VPN clients and the network
    sudo sed -i 's/#net\/ipv4\/ip_forward=1/net\/ipv4\/ip_forward=1/g' /etc/ufw/sysctl.conf
    # uncomment the accept_redirects line (its value in the file is 0: ignore ICMP redirects)
    sudo sed -i 's/#net\/ipv4\/conf\/all\/accept_redirects/net\/ipv4\/conf\/all\/accept_redirects/g' /etc/ufw/sysctl.conf
    # do not send ICMP redirects to clients
    echo "net/ipv4/conf/all/send_redirects=0" | sudo tee -a /etc/ufw/sysctl.conf
    # disable path MTU discovery; the TCP MSS clamp in the firewall rules keeps TCP working
    echo "net/ipv4/ip_no_pmtu_disc=1" | sudo tee -a /etc/ufw/sysctl.conf
- Configure the OS's firewall. The rules allow ESP-protected traffic from the client pool (10.10.10.0/24) to be forwarded, NAT it to the server's address on the way out, and clamp the TCP MSS so that packets fit inside the IPsec overhead:

    # first interface that is not loopback or virtual; check the result with: ip link
    networkInterfaceName=$(ip link | awk -F: '$0 !~ "lo|vir|^[^0-9]"{print $2;getline}' | head -1)
    config="-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT"
    config="$config\n-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT"
    config="$config\nCOMMIT"
    config="$config\n*nat\n-A POSTROUTING -s 10.10.10.0/24 -o $networkInterfaceName -m policy --pol ipsec --dir out -j ACCEPT"
    config="$config\n-A POSTROUTING -s 10.10.10.0/24 -o $networkInterfaceName -j MASQUERADE"
    config="$config\nCOMMIT"
    config="$config\n*mangle"
    config="$config\n-A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o $networkInterfaceName -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360"
    config="$config\nCOMMIT"
    # before.rules ships with a single *filter table that ends in COMMIT: drop that COMMIT
    # and append the rules above, which close each table themselves. Run this once only;
    # a second run would append the tables twice.
    sudo sed -i "s/COMMIT//g" /etc/ufw/before.rules
    echo -e "$config" | sudo tee -a /etc/ufw/before.rules
    # IKE and NAT-T
    sudo ufw allow 500,4500/udp
    sudo ufw allow OpenSSH
    sudo ufw disable
    sudo ufw enable
- Print the CA certificate. Clients need it to verify the server certificate, so install it on each client:

    cat /etc/ipsec.d/cacerts/ca-cert.pem
The IPsec VPN server has been configured.
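Before handing the CA certificate to clients, it is worth checking that the server certificate has the properties IKEv2 clients verify: a SAN equal to the leftid address, the serverAuth and ikeIntermediate extended key usages, and a chain to the CA the client is given. The script below is an added example, not part of the original page or of strongSwan. It rebuilds an equivalent CA and server certificate with openssl (so the check can run on a machine without ipsec pki) and then checks those three properties; the scratch paths, the CA name and the sample IP are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): build a CA and server certificate
# shaped like the ones the "ipsec pki" commands produce, then check the
# properties IKEv2 clients depend on. Requires openssl.
set -eu

# make_demo_pki IP -> prints a scratch directory holding ca-cert.pem and server-cert.pem
make_demo_pki() {
    dir=$(mktemp -d)
    addr="$1"
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca-key.pem" -days 3650 \
        -subj "/CN=VPN root CA" -out "$dir/ca-cert.pem" 2>/dev/null
    openssl genrsa -out "$dir/server-key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/server-key.pem" -subj "/CN=$addr" \
        -out "$dir/server.csr" 2>/dev/null
    # Same extensions as: --san IP --flag serverAuth --flag ikeIntermediate
    # (ikeIntermediate is OID 1.3.6.1.5.5.8.2.2)
    printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2\n' "$addr" \
        > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca-cert.pem" \
        -CAkey "$dir/ca-key.pem" -CAcreateserial -days 1825 \
        -extfile "$dir/server.ext" -out "$dir/server-cert.pem" 2>/dev/null
    echo "$dir"
}

# check_server_cert CACERT CERT IP -> prints "ok", or the first failed check and returns 1
check_server_cert() {
    cacert="$1"; cert="$2"; addr="$3"
    pat=$(printf '%s' "$addr" | sed 's/\./\\./g')
    text=$(openssl x509 -in "$cert" -noout -text)
    echo "$text" | grep -Eq "IP Address:$pat(,|\$)" \
        || { echo "missing SAN for $addr (clients compare it with leftid)"; return 1; }
    echo "$text" | grep -q "TLS Web Server Authentication" \
        || { echo "missing serverAuth extended key usage"; return 1; }
    echo "$text" | grep -Eq "1\.3\.6\.1\.5\.5\.8\.2\.2|ikeIntermediate" \
        || { echo "missing ikeIntermediate extended key usage"; return 1; }
    openssl verify -CAfile "$cacert" "$cert" >/dev/null 2>&1 \
        || { echo "certificate does not chain to $cacert"; return 1; }
    echo ok
}

# Example run with the page's sample address: prints "ok"
demo_dir=$(make_demo_pki 18.188.145.101)
check_server_cert "$demo_dir/ca-cert.pem" "$demo_dir/server-cert.pem" 18.188.145.101
```

To check the certificate generated by the steps above instead of the demo one, call check_server_cert with /etc/ipsec.d/cacerts/ca-cert.pem, /etc/ipsec.d/certs/server-cert.pem and the leftid value from ipsec.conf; any mismatch between leftid and the SAN shows up as the first finding.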
Basic Setup for an OpenVPN Server
Follow these steps if using an OpenVPN server:
- Create a ~/server.conf with the following values:

    # Port where the VPN server will answer requests
    port 1194
    # TCP or UDP - UDP is faster
    proto udp
    # This will create a routed IP tunnel instead of an ethernet tunnel
    dev tun
    # The VPN subnet range, all IPs that connected clients will have upon connection.
    # The server will take the first IP (in this case, 10.10.20.1),
    # and all other addresses are available to clients
    server 10.10.20.0 255.255.255.0
    # SSL root certificate (ca), certificate itself (cert) and private key (key).
    # All clients use the same CA, but have their own cert and key.
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/server.crt
    key /etc/openvpn/keys/server.key
    # Diffie Hellman parameters, this file can be generated with
    # openssl dhparam -out dh2048.pem 2048
    dh /etc/openvpn/keys/dh2048.pem
    # Records the IP address of each client so clients can use the same IP address
    # in case of reconnection
    ifconfig-pool-persist ipp.txt
    # Keeps the connection alive: sends a ping every 10 seconds, and assumes the connection is
    # down if no ping is received in 120 seconds
    keepalive 10 120
    # Cryptographic cipher used. The client must use the same cipher
    cipher AES-256-CBC
    # HMAC digest used to authenticate each data-channel packet;
    # must be the same on client and server
    auth SHA256
    # Enable compression on the VPN link
    compress lz4-v2
    push "compress lz4-v2"
    # Allows username/password authentication via PAM (linux accounts, LDAP);
    # if not provided, authentication is done via x509 certificates
    plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so login
    # Explicitly disables x509 client certificate authentication, so the PAM login
    # above is the only check a client has to pass
    verify-client-cert none
    # Try to avoid accessing certain resources on restart,
    # since they may not be available
    persist-key
    persist-tun
    # Notify all clients when the service is restarting,
    # so they can try to reconnect automatically
    explicit-exit-notify 1
    # Short status file showing current connections, updated every minute
    status openvpn-status.log
    # Redirect log messages to a log file
    log-append /var/log/openvpn.log
    # Log verbosity, 0 is silent, 9 is extremely verbose (lower this once the setup works)
    verb 7
- Install the necessary dependencies:

    sudo apt-get update
    sudo apt-get install -y openvpn easy-rsa
- Set up the certificates and keys. These are the easy-rsa 2.x commands shipped with Ubuntu 18.04; build-ca and build-key-server prompt for the certificate fields and for confirmation of the signature:

    make-cadir ~/openvpn-ca
    cd ~/openvpn-ca
    # vars sets the key size (2048 by default) and the default certificate fields
    source vars
    ./clean-all
    ln -s openssl-1.0.0.cnf openssl.cnf
    # CA, Diffie-Hellman parameters (keys/dh2048.pem) and the server certificate
    ./build-ca
    ./build-dh
    ./build-key-server server
    # control-channel key. server.conf above does not reference it; to use it, add
    # "tls-auth /etc/openvpn/keys/ta.key 0" on the server and the matching line on clients
    openvpn --genkey --secret keys/ta.key
    sudo mkdir -p /etc/openvpn/keys/ && sudo cp ~/openvpn-ca/keys/* /etc/openvpn/keys/
- Install the OpenVPN server.conf file from above:

    sudo cp ~/server.conf /etc/openvpn/
- Configure the OS kernel:

    sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
    sudo sysctl -p
- Configure the OS firewall. The MASQUERADE source must be the subnet given to the server directive in server.conf (10.10.20.0/24 here):

    # first interface that is not loopback or virtual; check the result with: ip link
    networkInterfaceName=$(ip link | awk -F: '$0 !~ "lo|vir|^[^0-9]"{print $2;getline}' | head -1)
    # NAT the VPN client pool to the server's address on the way out
    echo -e "*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s 10.10.20.0/24 -o $networkInterfaceName -j MASQUERADE\nCOMMIT\n" | sudo tee -a /etc/ufw/before.rules
    # allow forwarding between the tunnel and the network. This opens forwarding on all
    # interfaces; use ufw route rules instead if the host forwards other traffic
    sudo sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/g' /etc/default/ufw
    sudo ufw allow 1194/udp
    sudo ufw allow OpenSSH
    sudo ufw disable
    sudo ufw enable
- Start the VPN server service:

    sudo systemctl start openvpn@server
- Create the OS user to be used for authentication on the VPN. The PAM plugin checks VPN logins against local accounts, so this user's password is the VPN password:

    sudo adduser myuser
The OpenVPN server has been configured.
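The following is an added example, not from the original page or from the OpenVPN project: a small shell linter that reads a server.conf and flags the settings a reviewer would question in the configuration above (no tls-auth or tls-crypt although ta.key was generated, compression on the tunnel, verb 7, and password-only authentication left without any authenticator), plus a helper that converts the server directive into the CIDR the ufw MASQUERADE rule must match. The configuration text is constructed from this page's values; the checks and their wording are the example's own, not OpenVPN output.

```shell
#!/bin/sh
# Added example (not from the original page): lint an OpenVPN server.conf for
# the settings worth a second look before the server goes live.
set -eu

# write_demo_conf FILE -> writes a copy of the page's server.conf (comments removed)
write_demo_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
server 10.10.20.0 255.255.255.0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
keepalive 10 120
cipher AES-256-CBC
auth SHA256
compress lz4-v2
push "compress lz4-v2"
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so login
verify-client-cert none
persist-key
persist-tun
verb 7
EOF
}

# has_directive FILE NAME -> true if NAME starts a non-comment line
has_directive() { grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"; }

# server_cidr FILE -> the "server NET MASK" line as NET/prefix, e.g. 10.10.20.0/24
server_cidr() {
    awk '$1 == "server" {
        n = split($3, o, ".")
        bits = 0
        for (i = 1; i <= n; i++) {
            v = o[i]
            while (v > 0) { bits += v % 2; v = int(v / 2) }
        }
        print $2 "/" bits
        exit
    }' "$1"
}

# lint_openvpn_conf FILE -> one finding per line; no output means nothing was flagged
lint_openvpn_conf() {
    f="$1"
    # verify-client-cert none makes the plugin (or auth-user-pass-verify) the whole
    # authentication; without one of them every client is accepted
    if grep -Eq '^[[:space:]]*verify-client-cert[[:space:]]+none' "$f" \
        && ! has_directive "$f" plugin && ! has_directive "$f" auth-user-pass-verify; then
        echo "verify-client-cert none without plugin or auth-user-pass-verify: anyone can connect"
    fi
    # without a control-channel key the server answers any sender's TLS handshake
    if ! has_directive "$f" tls-auth && ! has_directive "$f" tls-crypt; then
        echo "no tls-auth/tls-crypt: the generated ta.key is unused"
    fi
    # compression on the tunnel is discouraged by the OpenVPN project (compression oracle attacks)
    if has_directive "$f" compress || has_directive "$f" comp-lzo; then
        echo "compression enabled: disable it unless it is really required"
    fi
    # verb above 4 logs per-packet detail into /var/log/openvpn.log
    v=$(awk '$1 == "verb" {print $2; exit}' "$f")
    if [ -n "$v" ] && [ "$v" -gt 4 ]; then
        echo "verb $v: too verbose for production, use 3 or 4"
    fi
}

# Example run against the page's configuration
demo=$(mktemp)
write_demo_conf "$demo"
echo "NAT subnet for ufw: $(server_cidr "$demo")"
lint_openvpn_conf "$demo"
```

Run lint_openvpn_conf against /etc/openvpn/server.conf after installing it; server_cidr gives the value to put in the MASQUERADE rule so that the firewall and the server directive cannot drift apart.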