Product Documentation and Knowledge Base - HomeDocumentation


Charon-SSP


SSH VPN - Connecting Charon Host and Guest to Customer Network

Owned by W.Erber
Last updated: Aug 14, 2019Version comment
6 min read

Contents

Overview

If the connection between the Charon-SSP host system, including the configured Charon-SSP guest systems, and the rest of the customer’s network runs over a public network as is the case for Charon-SSP AWS instances, it is necessary to secure the traffic against unauthorized access.
The example in this section describes how to configure a bridged SSH-based VPN tunnel between the Charon-SSP AWS host and a remote Linux system across a public network. Topologies that are more complicated will require other, more sophisticated, solutions.

(warning) The customer is responsible for ensuring that any VPN solution meets the requirements of his or her company’s security guidelines. The example in this chapter is only for illustrative purposes.

(info) The advantage of a bridged connection is that L2 protocols are also supported.

Once the sample configuration has been set up, it can be used for

  • communication between host and guest system,
  • communication between customer network and guest system.

Prerequisites

The example shows how to use the Charon Manager on the Charon-SSP AWS host and a set of commands on the remote Linux System to create an SSH VPN tunnel. For this configuration to work, the following prerequisites must be met:

  • The remote Linux system must have access to the public IP address and the SSH port of the Charon-SSH AWS host.
  • The private key necessary to access the instance must be available on the remote Linux system. The key-pair required to access the AWS instance is created via the AWS EC2 dashboard and associated with the instance when it is created.
    (warning) The private key can be downloaded only once when the key is created. If it is lost, access to the instance may be permanently lost.
  • The bridge-utils and autossh packages must be installed on the remote Linux system.

Setting up the VPN Tunnel

The image below shows a sample setup. This section describes how to configure this sample setup.

Steps on the Charon-SSP Host System

Creating a VPN Bridge

To configure the SSH VPN connection, you must setup a private VPN bridge (called a virtual network in the Charon context) using the Charon Manager. Use the following steps to perform this task:

1. Open the Charon-SSP Manager and log in to the Charon-SSP host.

2. In the Charon Manager, open the Network Settings window by clicking on Tools > Network Settings. This will open the Network Settings window.

3. Click on Add and then on Virtual Network to open the virtual network configuration window. This will open the Add Virtual Network configuration window as shown below.

4. Enter the required information as shown below:

Perform the following steps to configure a VPN bridge,

  • Set Create for SSH VPN to ON.
  • Enter the Number of virtual adapters (TAP interfaces) required. These interfaces will be assigned to the emulated SPARC systems as Ethernet interfaces.
  • Configure the IP address for the bridge interface.
  • Set the Netmask.

(warning) This interface and the interface on the remote Linux system must be in the same IP subnet.

Click on OK to save your configuration.

To learn more about the virtual network configuration options, refer to section Host System Network Configuration

Assigning the Guest Ethernet Interface

One of the TAP interfaces created in the step above, must be assigned to the Solaris guest system to add it to the LAN that will be tunneled across SSH to the remote Linux system.

Perform the following steps:

1. Open the Charon-SSP Manager and log in to the Charon-SSP host.

2. In the Charon Manager, select the guest system and then the Ethernet configuration category on the left. Assign one of the created TAP interfaces to the guest (see example below).

Click on OK to save the configuration change.

(info) If the emulated instance is currently running, the guest must be shut down and the emulated instance must be restarted for the change to become active.

Steps on the Remote Linux System

(warning) The steps on the Charon-SSP host must be performed first.

As the user root on the remote Linux system, perform the following steps to set up the VPN tunnel according to the overview image above:

ActionCommand
Create TAP interface# ip tuntap add dev tap0 mod tap
Enable TAP interface# ip link set tap0 up
Create bridge# ip link add name br_vpn0 type bridge
Enable bridge interface# ip link set br_vpn0 up
Define IP address for bridge# ip addr add 192.168.0.1/24 dev br_vpn0
Add TAP interface to bridge# ip link set tap0 master br_vpn0

Start  the SSH tunnel

autossh is a program to start a copy of ssh and monitor it, restarting it
as necessary should it die or stop passing traffic.

Once started, you can move the program to the background.

# autossh -M 9876 -o ServerAliveInterval=60 -o Tunnel=ethernet \
  -w 0:0 -t -i <path-to-private-key> -NCT sshuser@<public-AWS-instance-IP>

-M defines the monitoring port autossh uses to monitor the connection
-o  sets SSH options (bridged tunnel and keepalive)
-i   denotes the path to the private key matching the public key copied to the host system.
-w denotes the number of the local and remote tunnel interfaces for tunnel device forwarding
     (e.g., the 0 in interface tap0). 
-N denotes that no remote command should be executed
-T disables pseudo-terminal allocation
-C requests data compression

Possible additional steps:

  • Enable IP forwarding on the remote Linux system if it is to act as a router between the tunnel connection and
    other systems in the customer network:
    # /sbin/sysctl -w net.ipv4.ip_forward=1
    (to make permanent: add the setting to /etc/sysctl.conf)
  • Add static or dynamic routes to distribute the tunnel subnet to other systems in the customer network that need to communicate with the Solaris guest system across the VPN..
  • Adapt the firewall on the remote Linux system as required to allow the VPN traffic to pass.



Steps on the Solaris Guest System

Set the IP address on the Ethernet interface to an address within the VPN subnet. To follow the example above, you would set the address to 192.168.0.33/24. To permanently change the IP address on the Solaris system, change the address in /etc/hosts for the hostname specified in /etc/<interfacename>.hostname
On Solaris 11, use the commands ipadm create-ip netX and ipadm create-addr -T static -a <ip-address>/<netmask> netX/v4.

Stopping the SSH Tunnel

To stop the SSH tunnel, perform the following steps on the remote Linux system:

ActionCommand
Terminate the autossh process# kill -9 <autossh-pid>
Terminate remaining SSH tunnel connections# kill -9 <tunnel-ssh-pid>
Delete the bridge# ip link delete br_vpn0
Delete the TAP interface# ip link delete tap0

Routing to/from Solaris Guest 

After following the description above, the Solaris guest system can be reached from the systems that are also connected to the virtual bridge (in the example: remote Linux system and host system). To enable the Solaris guest system to communicate with other systems in the customer network (or the Internet) over the VPN connection, perform the following steps:

  • Add the VPN address of the remote Linux system as the default gateway for the Solaris guest system.
  • Propagate the IP network used for the SSH VPN within the customer network, as required.
  • Enable IP forwarding on the remote Linux system and allow forwarded packages through the firewall.

The screenshot below illustrates the Solaris guest system behavior (after the VPN network has been made known within the customer LAN and the remote Linux host has been set up as a router):

  • The interface address shows that the Solaris system is in the 192.168.0.0/24 network using the ifconfig command.
  • The netstat -rn command shows the routing table without a default route.
  • The ping to an IP address outside the SSH VPN fails.
  • The route add default <gateway> command adds the remote Linux host as the default gateway.
  • The  netstat -rn command now shows the default route.
  • The ping to an IP address outside the SSH VPN succeeds.

To make the entry permanent 

  • on Solaris 10: use the route -p command (stores routes in /etc/inet/static_routes).
  • on older Solaris versions: add the address of the default gateway to /etc/defaultrouter


<Go to top>


© Stromasys, 1999-2024  - All the information is provided on the best effort basis, and might be changed anytime without notice. Information provided does not mean Stromasys commitment to any features described.