# VPNs
## Overview

A VPN provides a secure communications tunnel over a public network, both for remote user access and for site-to-site connections (e.g., branch offices that need to collaborate and share resources).

## IPsec

KorGrid supports IPsec compatibility so that you can configure a VPN tunnel between your tenant and a third-party IPsec peer (typically an enterprise firewall).

IPsec tunneling is an advanced configuration. It is recommended to use WireGuard when possible, as it provides better performance and a simpler configuration.

Setting up an IPsec tunnel involves the following steps:

1. Create a VPN network
2. Assign a public IP
3. Create a Phase 1 configuration
4. Create a Phase 2 configuration
5. Configure firewall and routing rules
6. Connect to the peer

### Create a VPN Network

1. From the top menu, click **Networks > + New VPN**.
2. Enter a **Name** for the network.
3. (Optional) Enter a **Description**.
4. **Layer 2 Type**: select **None**.
5. **Interface Network**: select one of the following:
   - **None** (recommended): creates a separate VPN network, where connections to other tenant networks are handled via Layer 3 routing.
   - *[Existing network]*: attaches the VPN network directly to an existing network via Layer 2 (e.g., `vlan50`).
6. **IP Address Type**: select **Static**.
7. Enter an **IP Address** for the network (e.g., `10.254.254.1`).
8. Enter a **Network Address** (e.g., `10.254.254.0/24`).
9. (Optional) Enter a **Hostname** for the Layer 3 routed interface.
10. Click **Submit**.

After creating the network, you must power it on for it to become active: from the left menu, click **Power On**.

### Assign Public IP

A public IP address must be reserved and assigned to allow external access to your tenant. There are two ways KorGrid can assign public IPs:

- **Single IP assignment (/32)**: a network block that contains a single IP address. Use the network block method.
- **Multiple IP assignment (/29, /28, etc.)**: a network block that contains multiple IP
addresses. Use the VIP method.

ℹ️ Please reach out to KorGrid Support to request public IPs for your tenant.

#### Determine the IP address

1. From the top menu, click **Networks > List**.
2. Select the **External** network.
3. From the left menu, click **View**.
4. From the left menu, click **Network Blocks**.
5. Determine the public IP address you wish to use from the network block.

#### VIP method

Create the VIP:

1. From the top menu, click **Networks > List**.
2. Select the **External** network.
3. From the left menu, click **View**.
4. From the left menu, click **IP Addresses**.
5. From the left menu, click **New**.
6. **Type**: select **Virtual IP**.
7. Enter the public **IP Address** from the network block (e.g., `24.221.112.159`).
8. **Owner Type**: select **Network**.
9. **Owner**: select the newly created VPN network.
10. Click **Submit**.

After assigning an IP address to the VPN network, you must apply the rules for the settings to take effect:

1. From the top menu, click **Networks > List**.
2. Select the newly created VPN network.
3. From the left menu, click **Apply Rules**.

#### Network block method

1. From the top menu, click **Networks > List**.
2. Select the **External** network.
3. From the left menu, click **View**.
4. From the left menu, click **Network Blocks**.
5. Select the desired network block.
6. From the left menu, click **Edit**.
7. **Owner Type**: select **Network**.
8. **Owner**: select the newly created VPN network.
9. Click **Submit**.

After assigning the network block to the VPN network, you must apply the rules for the settings to take effect:

1. From the top menu, click **Networks > List**.
2. Select the newly created VPN network.
3. From the left menu, click **Apply Rules**.

### Phase 1 Configuration

1. From the top menu, click **Networks > List**.
2. Select the newly created VPN network.
3. From the left menu, click **View**.
4. From the left menu, click **IPsec Tunnels**.
5. From the left menu, click **New**.
6. Enter a **Name** for the Phase 1 configuration.
7. (Optional) Enter a **Description**.
8. Select the **Key Exchange Version**:
   - **Auto** (recommended): uses the IKE version initiated by the remote peer.
   - **IKEv1**: uses IKEv1.
   - **IKEv2**: uses IKEv2.

   If the remote peer supports IKEv2, select it explicitly so the tunnel cannot fall back to IKEv1.
9. Enter the **Remote Gateway**.

   ℹ️ This is the WAN address of the IPsec remote peer.

Configure the Phase 1 proposal
(Encryption):

- **Algorithm**: AES-256-GCM is recommended.
- **Key Length**: varies depending on the algorithm selected.
- **Hash**: varies depending on the algorithm selected.
- **DH Group**: varies depending on the algorithm selected.
- **Lifetime**: auto-expiration setting for the SAs.

Configure the Phase 1 proposal (Authentication):

- **Pre-Shared Key**: can be entered manually, or press ⭮ to generate a pre-shared key for you.
- **Negotiation Mode** (applies to IKEv1 only):
  - **Main** (recommended): slower negotiation, but more secure.
  - **Aggressive**: faster negotiation, but exposes the peer identities (and, with a pre-shared key, the authentication hash) to anyone observing the exchange.
- **Identifier**: the identity presented to the remote peer during IKE negotiation. When left blank, the current IP is used. Typically the tenant's WAN IP address should be entered, as it is the source address from the remote peer's perspective.
- **Peer Identifier**: the identity to expect from the remote peer. This can typically be left blank to use the address currently specified as the VPN **Remote Gateway**.

Configure the Phase 1 advanced options:

- **Connection Behavior**: defines the behavior to occur at IPsec startup.
  - **Responder Only**: loads the connection but does not start it.
  - **On Demand**: loads the connection and starts it if traffic is detected between the networks.
  - **Start**: loads and starts the connection immediately.
- **Force UDP Encapsulation**: when enabled, UDP encapsulation (NAT-T on UDP 4500) is forced even when NAT is not detected.
- **Rekey**: can be disabled to prevent local initiation of renegotiating a connection that is about to expire; however, it does not affect renegotiation requests that come from the remote peer.
- **Margintime**: defines how long before expiry a replacement negotiation for the keying channel/connection is started. This setting is only relevant locally (the remote peer does not need to match it).
- **Dead Peer Detection**: defines the default action to perform on timeout.
  - **Clear**: closes the connection.
  - **Hold**: monitors for new traffic and renegotiates the connection if traffic between the networks is detected.
  - **Restart**: tries to renegotiate the connection immediately.
  - **None**: disables sending DPD messages.
- **DPD Delay**: defines the time
interval at which R-U-THERE messages are sent to the peer; they are only sent when there is no other traffic.
- **DPD Failures**: defines the maximum number of failures before peer connections are automatically deleted after inactivity (does not apply to IKEv2).

Click **Submit**.

### Phase 2 Configuration

1. From the top menu, click **Networks > List**.
2. Select the newly created VPN network.
3. From the left menu, click **View**.
4. From the left menu, click **IPsec Tunnels**.
5. Select the newly created Phase 1 configuration.
6. From the left menu, click **View P2s**.
7. From the left menu, click **New**.
8. Enter a **Name** for the Phase 2 configuration.
9. Select the **Mode** (typically **Tunnel**).
10. Enter the **Local Network**: the subnet of IP addresses to include on this side of the VPN (e.g., `192.168.100.0/24`).
11. Enter the **Remote Network**: the network of the remote peer, in CIDR format (e.g., `10.128.1.0/24`).
12. Select the **Protocol**:
    - **ESP** (recommended): Encapsulating Security Payload (encryption and integrity).
    - **AH**: Authentication Header (authentication only; the traffic is not encrypted).
13. Select the **Lifetime**: the duration of the SA established during Phase 2.
14. Configure the Phase 2 proposal (Encryption):
    - **Algorithm**: AES-256-GCM is recommended.
    - **Key Length**: varies depending on the algorithm selected.
    - **Hash**: varies depending on the algorithm selected.
    - **DH Group**: varies depending on the algorithm selected.
15. Click **Submit**.

The **Local Network** and **Remote Network** must mirror the peer's configuration exactly (the peer's local network is your remote network and vice versa); a mismatch is the most common cause of a Phase 2 failure.

### Firewall & Routing Rules

The following rules are automatically created on the new VPN network. Additional network configuration may be necessary for IPsec traffic beyond the default auto-created network rules, depending on your specific network and IPsec design.

| Direction | Action | Protocol | Port |
|-----------|--------|----------|------|
| Incoming  | Allow  | UDP      | 500  |
| Incoming  | Allow  | UDP      | 4500 |
| Incoming  | Allow  | ESP      |      |
| Incoming  | Allow  | AH       |      |

UDP 500 carries IKE and UDP 4500 carries NAT-T (UDP-encapsulated ESP). These rules can be modified to further restrict traffic to specific source IPs where appropriate; for a single site-to-site peer, limiting the source to the peer's WAN address is recommended.

#### Create NAT Translation

1. From the top menu, click **Networks > List**.
2. Select the newly created VPN network.
3. From the left menu, click **View**.
4. From the left menu, click **Rules**.
5. From the left menu, click **New**.
6. Enter a **Name** for the rule (e.g., `NAT Translation`).
7. (Optional) Enter a **Description**.
8. **Action**: select
**Translate**.
9. **Protocol**: select **Any**.
10. **Direction**: select **Incoming**.
11. **Interface**: select **DMZ**.
12. **Pin**: select **Top**.
13. Configure the **Source**: **Type**: select **Any / None**.
14. Configure the **Destination**:
    - VIP method: **Type**: select **My IP Addresses**; **IP Address**: select the desired external IP address.
    - Network block method: **Type**: select **Network Block**; **Network Block**: select the desired external IP address.
15. Configure the **Target**: **Type**: select **My Router IP**.
16. Click **Submit**.

⚠️ Click **Apply Rules** to apply the changes.

#### Create Outbound Route

1. From the top menu, click **Networks > List**.
2. Select the newly created VPN network.
3. From the left menu, click **View**.
4. From the left menu, click **Rules**.
5. From the left menu, click **New**.
6. Enter a **Name** for the rule (e.g., `Default Route`).
7. **Action**: select **Route**.
8. **Protocol**: select **Any**.
9. **Direction**: select **Outgoing**.
10. Configure the **Source**: **Type**: select **Any / None**.
11. Configure the **Destination**: **Type**: select **Default**.
12. Configure the **Target**: **Type**: select **Other Network DMZ IP**; **Target Network**: select **External**.
13. Click **Submit**.

⚠️ Click **Apply Rules** to apply the changes.

#### Create Network Route(s)

Perform these steps for each internal network you wish to route across the VPN tunnel.

1. From the top menu, click **Networks > List**.
2. Select the newly created VPN network.
3. From the left menu, click **View**.
4. From the left menu, click **Rules**.
5. From the left menu, click **New**.
6. Enter a **Name** for the rule (e.g., `Route vlan200`).
7. **Action**: select **Route**.
8. **Protocol**: select **Any**.
9. **Direction**: select **Outgoing**.
10. Configure the **Source**: **Type**: select **Any / None**.
11. Configure the **Destination**: **Type**: select **Custom**; **Custom Filter**: enter the network subnet (e.g., `192.168.200.0/24`).
12. Configure the **Target**: **Type**: select **Other Network DMZ IP**; **Target Network**: select the desired network.
13. Click **Submit**.

⚠️ Click **Apply Rules** to apply the changes.

#### Create NAT Exclusion(s)

Perform these steps for each internal network you wish to route across the VPN tunnel.

1. From the top menu, click **Networks > List**.
2. Select the newly created VPN network.
3. From the left menu, click **View**.
4. From the left menu, click **Rules**.
5. From the left menu, click **New**.
6. Enter a **Name** for the rule (e.g., `NAT Exclusion vlan200`).
7. **Action**: select **Translate**.
8. **Protocol**: select **Any**.
9. **Direction**: select **Outgoing**.
10. **Interface**: select **DMZ**.
11. **Pin**: select **Top**.
12. Configure the **Source**: **Type**: select **Other Network DMZ IP**; **Network**: select the desired network (e.g., `vlan200`).
13. Configure the **Destination**: **Type**: select **Custom**; **Custom Filter**: enter `!=` followed by the IP address of the newly created VPN network (e.g., `!=10.254.254.1`).
14. Configure the **Target**: **Type**: select **Other Router IP**; **Target Network**: select the desired network (e.g., `vlan200`).
15. Click **Submit**.

⚠️ Click **Apply Rules** to apply the changes.

#### Create Internal Network Route(s)

Perform these steps on each internal network you wish to route across the VPN tunnel.

1. From the top menu, click **Networks > List**.
2. Select the desired network (e.g., `vlan200`, `vlan210`, etc.).
3. From the left menu, click **View**.
4. From the left menu, click **Rules**.
5. From the left menu, click **New**.
6. Enter a **Name** for the rule (e.g., `Route to VPN`).
7. **Action**: select **Route**.
8. **Protocol**: select **Any**.
9. **Direction**: select **Outgoing**.
10. Configure the **Source**: **Type**: select **Any / None**.
11. Configure the **Destination**: **Type**: select **Custom**; **Custom Filter**: enter the remote VPN subnet(s) (e.g., `10.128.1.0/24`).

    ℹ️ It is typically best practice to create a separate rule for each subnet.
12. Configure the **Target**: **Type**: select **Other Network DMZ IP**; **Target Network**: select the newly created VPN network.
13. Click **Submit**.

⚠️ Click **Apply Rules** to apply the changes.

#### Create Firewall Rule(s)

Firewall rules must be configured in two places to allow traffic from the remote VPN network to reach your application VMs:

- **VPN network**: controls traffic entering through the VPN and determines which internal networks it can reach.
- **Internal networks**: control access to the VMs themselves and define what application traffic is permitted.

On the VPN network, rules are typically broader, allowing traffic from the remote subnet to reach one or more internal networks using subnet-based and any-to-any policies where appropriate. On
the internal networks, rules should be more granular, restricting traffic based on specific source and destination IP addresses, ports, or protocols to match the requirements of the applications hosted on those VMs.

Because application requirements vary widely between environments, there is no single rule set that applies to every scenario. Firewall policies should always be designed around the specific traffic flows and security requirements of each deployment.

### Connect to Peer

1. From the top menu, click **Networks > List**.
2. Select the newly created VPN network.
3. From the left menu, click **View**.
4. Scroll to the **IPsec Connections** section.
5. Click the 🔌 button to initiate the connection to the remote peer.
6. Click **Yes** to confirm.

### Advanced Configuration

The following settings are available for advanced IPsec configurations but are not typically necessary. Please contact KorGrid Support for assistance with these settings.

#### Edit IPsec Configuration

1. From the top menu, click **Networks > List**.
2. Select the newly created VPN network.
3. From the left menu, click **View**.
4. From the left menu, click **Edit IPsec Configuration**.
5. Configure the following settings:
   - **Mode**:
     - **Normal** (recommended): the option typically used; it includes the common IPsec fields.
     - **Advanced**: allows for extensive or out-of-the-ordinary IPsec configuration through the use of configuration (`.conf`) files.
   - **Unique IDs**:
     - **Yes**: keeps participant IDs unique (e.g., replaces an existing IKE SA that uses the same ID).
     - **Never**: ignores INITIAL_CONTACT notifies and does not replace old IKE SAs.
     - **No**: replaces IKE SAs only upon an INITIAL_CONTACT notify.
   - **Propose IPComp Compression**: uses a special protocol designed to compress the payload of IP packets. It must be supported by the remote peer.
   - **Exclude My Network**: this setting should typically be enabled.
   - **Cisco Extensions**: this setting should remain disabled unless specifically needed to support the configuration of the remote IPsec peer.
   - **Unencrypted ID and Hash Payloads**: it is generally recommended to keep this option disabled. Transmitting the ID and hash payloads unencrypted
during the initial exchange exposes the peer identities and the authentication hash to anyone who can observe the traffic.
   - **MSS Clamp**: in some situations, MSS clamping can improve performance in IPsec tunnels. However, it is critical to thoroughly understand your network in order to calculate and set the MSS accurately; an incorrect setting can lead to suboptimal performance and/or packet loss.
   - **Strict CRL Policy**: a strict CRL (Certificate Revocation List) policy will not accept revoked certificates during authentication; it also requires a current CRL to be available, so certificate authentication fails when the CRL cannot be retrieved.
   - **Make Before Break**: new SAs are established while the old ones are still active; the old SAs are removed only when the new ones are ready.
6. Click **Submit**.

## WireGuard

WireGuard is a modern, open-source VPN software and tunnel protocol that provides fast communication utilizing state-of-the-art cryptography. WireGuard has been integrated directly into our platform for the implementation of secure tunnels with minimal setup effort. These secure tunnels can be used for both remote user access and site-to-site connectivity.

### Interface Configuration

WireGuard is attached to one network. This should be a network that has access to all networks which the WireGuard VPN should reach.

1. From the top menu, click **Networks > List**.
2. Select the desired network.
3. From the left menu, click **View**.
4. From the left menu, click **WireGuard (VPN)**.
5. From the left menu, click **New Interface**.
6. Enter a **Name** for the VPN interface.
7. (Optional) Enter a **Description**.
8. Enter an **IP Address**: defines the IP/network address for the interface.

   ℹ️ This should be a unique address space that has been specifically set aside for the VPN and will not conflict with addressing on participating networks within the tenant or on VPN peers. Example: an internal network that uses an addressing scheme of `192.168.0.1/24` and a peer that uses `10.10.100.0/24` could have a WireGuard interface that uses `172.16.1.1/24`.
9. (Optional) Specify a **Listen Port**; this can typically be left at the default, `51820`.
10. Enter a **Private Key**; this can typically be left blank to allow the key pair to auto-generate. However, a specific
private key can be entered if desired.

    ⚠️ WireGuard requires base64-encoded public and private keys. Any manually entered private key must be a complete base64 key (44 characters that decode to 32 bytes). Generate it locally with `wg genkey` rather than with a web tool such as the random base64 generator at https://www.convertsimple.com/random-base64-generator/: a private key that has passed through a third-party website must be treated as disclosed.
11. (Optional) Enter an **Endpoint IP**: the external address to which a peer will connect.
12. (Optional) Toggle **Configure Firewall** (recommended): automatically configures PAT rules on the External network.
13. (Optional) Toggle **Auto Apply Firewall Rules** (recommended): automatically applies new firewall rules on the WireGuard network and the External network.
14. Click **Submit**.

### Create Peer Definition(s)

A peer definition must be created for each entity that will connect to your WireGuard instance. For example, to create a site-to-site VPN, each side has a WireGuard interface and configures the other side as a peer, using the other side's public key in the peer record. To create a remote access system for users, a peer record is created for each user that will connect, each with a different public key.

1. From the top menu, click **Networks > List**.
2. Select the desired network.
3. From the left menu, click **View**.
4. From the left menu, click **WireGuard (VPN)**.
5. From the left menu, click **New Peer**.
6. Enter a **Name** for the peer.
7. (Optional) Enter a **Description**.
8. Toggle **Auto Generate Peer Configuration** (recommended): creates a configuration file to be used by remote access users.
9. Enter an **Endpoint**: the external-facing IP or hostname of the peer; the address from which this system would access the peer.
10. (Optional) Specify a **Listen Port**; this can typically be left at the default, `51820`.
11. Enter a **Peer IP**: the IP address that routes the traffic here; typically, this is the internal address assigned to the local interface on this peer.
12. Enter a **Public Key**: the base64 public key from the peer.
13. (Optional) Enter a **Preshared Key** to provide an extra layer of security.
14. Select
**Configure Firewall**, one of the following:
    - **Site to Site**: creates firewall rules for a site peer.
    - **Remote User**: creates firewall rules for a remote user peer.
    - **Don't Create Rules**: does not auto-generate any firewall rules; rules must be configured manually.
15. Set the **Keepalive**. By default this is `0`, which means keepalives are disabled. It is not generally necessary to change this value; set it (commonly `25` seconds) only when the peer sits behind NAT or a stateful firewall and must keep its mapping open.
16. Configure the **Allowed IPs**: one or more IP address segments, in CIDR format (e.g., `10.1.2.0/24`). WireGuard uses this list both as the set of source addresses accepted from the peer and as the routes sent to it, so the ranges given to different peers must not overlap.
17. Click **Submit**.

⚠️ Click **Apply Rules** to apply the changes.

### Create a Cluster-to-Cluster Tunnel

On cluster 1:

1. Create an interface configuration (see Interface Configuration above).
2. Copy the generated public key (for the interface) for later use.

On cluster 2:

1. Create an interface configuration.
2. Create a peer definition (see Create Peer Definition(s) above):
   - Set **Public Key** to the generated public key you copied from cluster 1.
   - Set **Allowed IPs** to include the address of the WireGuard interface from cluster 1.
3. Copy the generated public key for later use.

On cluster 1:

1. Create a peer definition:
   - Set **Public Key** to the generated public key you copied from cluster 2.
   - Set **Allowed IPs** to include the address of the WireGuard interface from cluster 2.

On cluster 1 and cluster 2:

⚠️ Click **Apply Rules** to apply the changes.

### Create a Remote User Access Tunnel

1. Create an interface configuration (see Interface Configuration above).
2. From the left menu, click **New Peer**.
3. Enter a **Name** for the peer, such as the remote user's name.
4. (Optional) Enter a **Description**.
5. Toggle **Auto Generate Peer Configuration**.
6. Enter the **Endpoint** for the peer: the external-facing IP address, hostname, or URL this tunnel will use to communicate with the peer.
7. Set **Configure Firewall** to **Remote User**.
8. Click **Submit**.

#### Configure the client

1. On the peer record, download the configuration file by clicking the ⭳ (Download) button.
2. Install the WireGuard software (https://www.wireguard.com/install/) on the client machine.
3. After installation, launch the WireGuard client.
4. Click **Add Tunnel** and open the configuration file
you downloaded earlier.
5. Click **Activate**.

The downloaded configuration file contains the user's private key. Deliver it to the user over a secure channel and delete the copy once it has been imported into the client.
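The Phase 1 and Phase 2 proposals in the IPsec section above (Algorithm, Key Length, Hash, DH Group) only work when the remote peer offers at least one identical proposal, and a tunnel that does come up can still be running on weak settings. The following Python is an added example, not code from the page or from the KorGrid platform: it models proposals as tuples, selects a common proposal the way a responder would (honouring the initiator's preference order is this example's policy; RFC 7296 allows the responder to pick any shared proposal), and audits the result against general IKE guidance. The weak-algorithm lists and all sample proposals are constructed for the example, not KorGrid defaults.

```python
"""IPsec proposal selection and hardening check (added example, not KorGrid code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "aes-gcm", "aes-cbc", "3des"
    key_length: int   # bits; 0 when the cipher has a fixed key size
    integrity: str    # Phase 1: the PRF/hash; Phase 2 with an AEAD cipher: "none"
    dh_group: int     # IANA group number, e.g. 14 = 2048-bit MODP, 20 = P-384


# General guidance used by this example; adjust to your own policy.
AEAD_CIPHERS = {"aes-gcm", "chacha20-poly1305"}
WEAK_CIPHERS = {"des", "3des", "null"}
WEAK_HASHES = {"md5", "sha1"}
WEAK_DH_GROUPS = {1, 2, 5}      # 768-, 1024- and 1536-bit MODP


def negotiate(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Proposal]:
    """Return the first of the initiator's proposals that the responder also offers.

    None means the peers share no proposal: the classic NO_PROPOSAL_CHOSEN failure
    seen when Algorithm / Hash / DH Group are not mirrored on both ends."""
    offered = set(responder)
    return next((p for p in initiator if p in offered), None)


def audit(p: Proposal, phase: int, ike_version: int = 2, aggressive: bool = False) -> List[str]:
    """Return findings for an agreed proposal; an empty list means no concerns."""
    findings = []
    if p.encryption in WEAK_CIPHERS:
        findings.append(f"{p.encryption} is obsolete; use AES-256-GCM")
    if p.encryption == "aes-cbc" and p.key_length < 128:
        findings.append("AES key shorter than 128 bits")
    if p.integrity in WEAK_HASHES:
        findings.append(f"{p.integrity} should be replaced with sha256 or stronger")
    if p.dh_group in WEAK_DH_GROUPS:
        findings.append(f"DH group {p.dh_group} is too small; use group 14 or an ECP group (19/20)")
    if phase == 1 and p.encryption in AEAD_CIPHERS and p.integrity == "none":
        # IKEv2 omits the integrity transform with an AEAD cipher but still needs a PRF.
        findings.append("IKE with an AEAD cipher still needs a PRF for key derivation")
    if phase == 2 and p.encryption in AEAD_CIPHERS and p.integrity != "none":
        findings.append("AEAD already authenticates ESP; a separate integrity algorithm is redundant")
    if phase == 1 and ike_version == 1 and aggressive:
        findings.append("IKEv1 aggressive mode sends identities in the clear and, with a PSK, "
                        "lets an observer attack the PSK offline; use main mode or IKEv2")
    return findings


# Constructed sample data: the tenant's proposals (most preferred first) and two peers.
TENANT_PHASE1 = [Proposal("aes-gcm", 256, "sha384", 20), Proposal("aes-cbc", 256, "sha256", 14)]
TENANT_PHASE2 = [Proposal("aes-gcm", 256, "none", 20), Proposal("aes-cbc", 256, "sha256", 14)]
GOOD_PEER_PHASE1 = [Proposal("aes-cbc", 256, "sha256", 14), Proposal("aes-gcm", 256, "sha384", 20)]
LEGACY_PEER_PHASE1 = [Proposal("3des", 0, "sha1", 2), Proposal("aes-cbc", 128, "sha1", 5)]


def demo() -> dict:
    chosen = negotiate(TENANT_PHASE1, GOOD_PEER_PHASE1)
    return {
        "good_peer": chosen,                                  # Proposal(aes-gcm, 256, sha384, 20)
        "good_peer_findings": audit(chosen, phase=1),         # []
        "legacy_peer": negotiate(TENANT_PHASE1, LEGACY_PEER_PHASE1),   # None: nothing in common
        "legacy_findings": audit(LEGACY_PEER_PHASE1[0], phase=1, ike_version=1, aggressive=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

When a tunnel fails to establish, compare the two proposal lists field by field before touching firewall or routing rules; when it establishes, check that the proposal actually chosen is the one you intended rather than a weaker fallback further down the list.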
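The WireGuard interface and peer steps above turn on three details: a private key must be a complete base64 key, the peer record needs the matching public key, and a remote user receives a configuration file built from those values plus Allowed IPs and an optional keepalive. The following Python is an added example, not code from the page or from the KorGrid platform. It implements X25519 (RFC 7748) in pure Python so it runs offline (in practice use `wg genkey` and `wg pubkey`), validates keys the way the ⚠️ note above requires, derives the public key for the peer record, and renders the client file. The addresses, endpoint and Allowed IPs are constructed sample values.

```python
"""WireGuard key validation, key derivation and client config (added example)."""
import base64
import secrets
from typing import List, Optional, Tuple

P = 2**255 - 19
KEY_LEN = 32
BASE_POINT = (9).to_bytes(KEY_LEN, "little")


def _clamp(scalar: bytes) -> bytes:
    """RFC 7748 clamping: clear the low 3 bits and bit 255, set bit 254."""
    b = bytearray(scalar)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return bytes(b)


def x25519(scalar: bytes, u: bytes = BASE_POINT) -> bytes:
    """Montgomery ladder from RFC 7748 section 5 (constant time is not a goal here)."""
    k = int.from_bytes(_clamp(scalar), "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * ((aa + 121665 * e) % P) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(KEY_LEN, "little")


def decode_key(b64: str) -> bytes:
    """Accept only a complete WireGuard key: 44 standard-base64 chars decoding to 32 bytes."""
    if len(b64) != 44 or not b64.endswith("="):
        raise ValueError("a WireGuard key is 44 base64 characters ending in '='")
    raw = base64.b64decode(b64, validate=True)   # binascii.Error (a ValueError) on bad chars
    if len(raw) != KEY_LEN:
        raise ValueError("key must decode to exactly 32 bytes")
    return raw


def is_valid_key(b64: str) -> bool:
    try:
        decode_key(b64)
        return True
    except ValueError:
        return False


def is_clamped(private_b64: str) -> bool:
    """`wg genkey` clamps the scalar before printing it; a random base64 string almost never is."""
    raw = decode_key(private_b64)
    return raw == _clamp(raw)


def generate_keypair() -> Tuple[str, str]:
    """Return (private, public) in base64, as `wg genkey | tee key | wg pubkey` would."""
    priv = _clamp(secrets.token_bytes(KEY_LEN))
    return base64.b64encode(priv).decode(), base64.b64encode(x25519(priv)).decode()


def public_key(private_b64: str) -> str:
    """The value to paste into the peer's Public Key field for this private key."""
    return base64.b64encode(x25519(decode_key(private_b64))).decode()


def render_client_config(client_private: str, client_address: str, server_public: str,
                         endpoint: str, allowed_ips: List[str],
                         preshared: Optional[str] = None, keepalive: int = 0) -> str:
    """Build the [Interface]/[Peer] file a remote user imports. AllowedIPs is what the
    client routes into the tunnel; keepalive (typically 25) is only for clients behind NAT."""
    for key in (client_private, server_public) + ((preshared,) if preshared else ()):
        decode_key(key)
    lines = ["[Interface]", f"PrivateKey = {client_private}", f"Address = {client_address}", "",
             "[Peer]", f"PublicKey = {server_public}", f"Endpoint = {endpoint}",
             f"AllowedIPs = {', '.join(allowed_ips)}"]
    if preshared:
        lines.append(f"PresharedKey = {preshared}")
    if keepalive > 0:
        lines.append(f"PersistentKeepalive = {keepalive}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    server_priv, server_pub = generate_keypair()
    user_priv, user_pub = generate_keypair()   # user_pub goes into the server's peer record
    print(render_client_config(user_priv, "172.16.1.10/32", server_pub,
                               "vpn.example.test:51820", ["172.16.1.0/24", "192.168.0.0/24"],
                               keepalive=25))
```

`decode_key` rejects the truncated or non-base64 strings the ⚠️ note warns about, and `is_clamped` tells you whether a pasted private key came from a WireGuard tool; the server only ever needs the public half, so the private key never has to leave the machine that generated it.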