admin/3engines_doc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
faadd4e38dda6a2c55fb47bbf6a080438be50b03
3engines_doc/docs/networking/How-to-run-and-configure-Firewall-as-a-service-and-VPN-as-a-service-on-3Engines-Cloud.html.md
govardhan faadd4e38d brand changed
2025-07-04 09:34:25 +05:30

266 lines
9.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

How to run and configure Firewall as a service and VPN as a service on 3Engines Cloud[🔗](#how-to-run-and-configure-firewall-as-a-service-and-vpn-as-a-service-on-brand-name "Permalink to this headline")
===========================================================================================================================================================================================================
Note
This guide provides a sample process for configuring VPN as a service. It should not be considered the only way to configure this solution.
To start the VPN as a service, it is necessary to configure and start the Firewall as a service.
The sequence of steps will be described below.
**Creating FWAAS infrastruture**
**Creating and configuring local networks**
1. Log in to your 3Engines dashboard and choose **Network** tab, then choose **Networks** sub-label.
![screen1.png](../_images/screen1.png)
2. Click on the **“Create Network”** button.
![screen2.png](../_images/screen2.png)
3. Define your Network Name as “Gateway” and go to Subnet Tab.
4. Define your Subnet name as “Gateway\_subnet”. Network address: **10.100.100.0/24** and gateway IP **10.100.100.1**.
![screen3.png](../_images/screen3.png)
5. In Subnet Details keep **Enable DHCP** marked. Rest of fields leave blank and click **Create** button.
![screen4.png](../_images/screen4.png)
6. Repeat this procedure from points 2-5 using different data:
* Network Name: **“Internal”**
* Subnet Name: **“Internal\_subnet”**
* Network Address: **10.200.200.0/24**
* Gateway IP: **10.200.200.1**
7. Click on the **Create Router** button.
![screen5.png](../_images/screen5.png)
8. Name your device as for example **“Router\_Fwaas”**. Choose **external** network in **External Network** tab. Click **Create Router**.
![screen6.png](../_images/screen6.png)
9. Click on your newly created Router (e.g called “Router\_Fwaas”).
![screen7.png](../_images/screen7.png)
10. Choose **Interfaces** and **Add Interface** button.
![screen8.png](../_images/screen8.png)
11. Choose from **Subnet** menu the **Gateway** subnet and click **Submit** button.
![screen9.png](../_images/screen9.png)
12. Choosing **Network -> Network Topology** the network topology should looks like this.
![scrn10.png](../_images/scrn10.png)
**Creating and configuring the VM with installed Firewall client**
13. Open **Compute -> Instances** tab and choose **Launch instance**.
![screen11.png](../_images/screen11.png)
14. Name the VM instance (for example **Firewall\_VM**) and go to **Source** tab.
![screen12.png](../_images/screen12.png)
15. Find **opnsense** image and add it to your VM. Go to **Flavor** tab.
![screen13.png](../_images/screen13.png)
16. Choose the specification of your VM. Prequisities to launch Firewall:
* Minimal: CPU 1 Core, 2 GB RAM memory, 8GB SSD drive (eo1.xmedium flavor)
* Optimal: CPU 2 Core, 4 GB RAM memory, 16GB SSD drive (eo1.medium flavor)
Go to **Networks** tab.
![screen14.png](../_images/screen14.png)
17. Add created local networks in correct order:
1. Internal network
2. Gateway network
![screen15.png](../_images/screen15.png)
18. Delete all security groups and open Configuration tab.
![screen16.png](../_images/screen16.png)
19. Paste configuration script presented below:
```
#cloud-config
runcmd:
- |
address=$(curl http://169.254.169.254/latest/meta-data/local-ipv4)
first=$(echo "$address" | /usr/bin/cut -d'.' -f1)
second=$(echo "$address" | /usr/bin/cut -d'.' -f2)
third=$(echo "$address" | /usr/bin/cut -d'.' -f3)
sed -i '' "s/<ipaddr>192.168.*.*<\/ipaddr>/<ipaddr>$first.$second.$third.1<\/ipaddr>/" /conf/config.xml
sed -i '' '/<disablefilter>enabled<\/disablefilter>/g' /conf/config.xml
reboot
```
![screen17b.png](../_images/screen17b.png)
Choose **launch instance**.
20. After creating VM click its name in instances tab.
![screen18.png](../_images/screen18.png)
21. Choose **interfaces** tab and click **edit port** next to each port.
![screen19.png](../_images/screen19.png)
22. Disable **port security** and click **update**.
![screen20.png](../_images/screen20.png)
23. Go to **Network -> Floating IPs** menu and choose **Allocate IP to project**.
![screen21.png](../_images/screen21.png)
24. Choose **Allocate IP**.
![screen22.png](../_images/screen22.png)
25. Click **Associate** next to newly generated **Floating IP** and assign it to your **Firewall\_VM** port.
![screen23.png](../_images/screen23.png)
26. After creation the Firewall VM LAN address **vtnet0** should be 10.200.200.1 (you can check it using console on Horizon).
![screen23a.png](../_images/screen23a.png)
**Configuring VPN service**
Prerequisities: For configuring your VPN server using Graphical Interface you need a VM with preinstalled GUI (for example MINT, XFCE etc.) and connected to **Internal** network. Click here for instructions how to install GUI on Ubuntu 20.04 VM: [How to Use GUI in Linux VM on 3Engines Cloud and access it From Local Linux Computer](../cloud/How-to-use-GUI-in-Linux-VM-on-3Engines-Cloud-and-access-it-from-local-Linux-computer.html.md).
27. In your default WEB browser open IP **10.200.200.1**.
* User: **root**
* Password: **opnsense**
![screen24a.png](../_images/screen24a.png)
28. **Click VPN -> OpenVPN -> Servers** on the left. At the bottom of new page click the wand icon of **Use a wizard to setup a new server**.
![screen25a.png](../_images/screen25a.png)
29. On the Authentication Type Selection page, ensure Type of Server is set to **Local User Access** and click Next.
![screen26a.png](../_images/screen26a.png)
30. Set the fields in the following order:
* Decriptive name: **Name of your VPN Server Certificate** (eg. OPNsense-CA)
* Key lenght: **2048 bit**
* Lifetime: **Lifetime in days of your VPN Server certificate** (eg. 825)
* Country Code: **Two-letter ISO country code**
* State or Province: **Full State of Province name, not abbreviated**
* City: **City or other locality name**
* Organization: **Organization name, often the Company or Group name**
* Email: **E-mail address for the Certificate contact**
![screen27a.png](../_images/screen27a.png)
31. Click **Add new CA** to continue and **Add new Certificate** on the next page.
![screen28a.png](../_images/screen28a.png)
32. On the **Add a Server Certificate page**, set the **Descriptive name** to server, leave the Key length at **2048 bit** and set the Lifetime to **3650**.
![screen29b.png](../_images/screen29b.png)
33. Click **Create new Certificate** to continue.
34. The next page should be Server Setup, set the following:
* Set Interface to **WAN**
* Ensure Protocol is UDP and Port is **1194**
* Set a description, for example **“VPN Server”**
* Change DH Parameters Length to **4096**
* Change Encryption Algorithm to **AES-256-CBC (256 bit key, 128 bit block)**
* Change Auth Digest Algorithm to **SHA512 (512-bit)**
* In the IPv4 Tunnel Network field, enter **10.0.8.0/24**
* To allow access to machines on the local network, enter your local IP range in the Local Network setting. It should be **10.200.200.0/24**
* Set the Compression to **No Preference**
* Set DNS Server 1 to **10.0.8.1**
All other options can be left. Click Next.
![screen30b.png](../_images/screen30b.png)
35. On the Firewall Rule Configuration, tick both the **Firewall Rule** and **OpenVPN** rule checkboxes and click Next.
![screen31a.png](../_images/screen31a.png)
36. Now your VPN server is succesfully created.
![screen32a.png](../_images/screen32a.png)
**User Setup**
**Creating new User**
37. Click **System -> Access -> Users** on the left and choose **Add** icon on the left of Users page.
![screen33a.png](../_images/screen33a.png)
38. Enter a **Username**, **Password**, and tick the box Click to create a user certificate further down. Fill any other fields you would like, but they are not required. Choose **click to create a user certificate**.
![screen34a.png](../_images/screen34a.png)
39. You will be taken to a Certificates page. Select **Create an internal Certificate** in the Method drop down box. The page will re-arrange itself.
40. Ensure **Certificate Authority** is the name we created during the wizard which should be **OPNsense-CA**, and Type is **Client Certificate**.
![screen35a.png](../_images/screen35a.png)
41. Change Lifetime (days) of the certificate and click **Save**.
![screen36.png](../_images/screen36.png)
42. You will be taken back to the **Create User** page, **User Certificates** should now have an entry, click Save down the bottom again.
**Setting UP Open VPN Client**
For connect to your VPN server you need a VPN client. You can use one of the reccomended software like OpenVPN or Viscocity. Below you can find the insctructions how to use Open VPN client for connecting to VPN Server.
**Export Connection from OPNsense**
43. Click **VPN -> OpenVPN -> Client Export** on the left. Change hostname to Floating IP assigned to your VPN Server.
![scrn30.png](../_images/scrn30.png)
44. Click the cloud icon next to your username or server name to download certificate and configuration files.
![scrn28.png](../_images/scrn28.png)
45. Unpack downloaded configuration files and find Open VPN config file.
**For Windows PCs:**
46. Download and install the newest version of Open VPN. You can find it here: <https://openvpn.net/community-downloads/>
47. Save all the connfiguration files in **C:/Program Files/OpenVPN/config** and try to connect using pre-configured credentials.
**For Linux (Ubuntu) PCs**
48. Open the Terminal in folder which contains configuration files.
49. Use commands presented below:
```
sudo apt update
sudo nmcli connection import type openvpn file nameofyourovpnconffile.ovpn
```
50. Try to connect to VPN using Ubuntu configuration bar (right up corner) and apropriate credentials.
Reference in New Issue View Git Blame Copy Permalink