How to Set Up Bare Metal Cloud Remote Access VPN

Introduction

Any server type is manageable through a VPN. Setting up a remote access VPN from a desktop/mobile device is especially important when working with backend servers to secure server access.

In this article, you will learn how to set up remote access to phoenixNAP’s Bare Metal Cloud (BMC).

Bare metal cloud remote access.

The article covers the following scenarios:

  • Setting up a remote access VPN to phoenixNAP BMC (desktop/mobile device access).
    • Configuring Windows clients for remote access.
    • Configuring Ubuntu clients for remote access.
    • Configuring Mac clients for remote access.
  • Setting up VPN connection between two phoenixNAP BMC locations.
  • Setting up an IPSec VPN between phoenixNAP BMC and on-premises equipment.

Prerequisites

  • At least one Linux-based BMC server with public and private addressing (or two BMC servers required for a VPN between two locations).
  • At least one server requiring remote administration.
  • A remote office firewall in the case of on-premises scenario.

Note: If your remote access use is sporadic, VPN servers can be deprovisioned and reprovisioned as needed. Automating their configuration makes this process easier.

Tools

This article references third-party software. You can utilize VPN software of your choice. All the passwords and IP addresses are purely illustrative and should be changed.

The tools referenced in this article include:

  • Bare Metal Cloud Servers – physical servers deployed on the phoenixNAP Bare Metal Cloud (BMC) platform.
  •  Ansible – a software tool that facilitates cross-platform automation support. Ansible is utilized for configuration orchestration at various stages of a component’s lifecycle.
  • Ansible Galaxy – Ansible’s official hub for content sharing.
  • SoftEther – an open-source, ​cross-platform, multi-protocol VPN program. The SoftEther VPN Project was developed as an academic project from the University of Tsukuba, under the Apache License 2.0.
  • strongSwan – an open-source IPsec implementation used for the third scenario. strongSwan facilitates IPsec VPN connectivity with traditional hardware firewalls.
  • Tunnelblink – an open-source client. Tunnelblink is used to connect Mac hosts to edge VPN servers.

Setting Up Remote Access VPN to phoenixNAP BMC

The following scenario describes remote access VPN, showing how to access a BMC server from a desktop or mobile device via VPN.

It requires a bare metal cloud server with public and private addressing and a SoftEther edge server to provide the VPN service.

The configuration described below bridges remote access VPN sessions onto the same subnet as the servers. Using this method, the edge server can only be accessed via the public address from the VPN client side.

Bare Metal Cloud remote access VPN.

1. Establish a connection over SSH with the server where you wish to install SoftEther edge.

2. Next, install the ansible package by running one of the following commands:

sudo apt -y install ansible
  • To Install Ansible on CentOS:
sudo yum -y install ansible

3. Install the softasap.sa-vpn-softether Ansible role from Ansible Galaxy:

sudo ansible-galaxy install softasap.sa-vpn-softether

4. Create a working directory:

mkdir softether && cd softether

5. In the newly created working directory, create an ansible-playbook (vpn.yml) for SoftEther VPN:

---
- hosts: localhost
  vars:
  roles:
    - {
        role: "softasap.sa-vpn-softether",
        softether_init_script: "{{ playbook_dir }}/create_hub"
      }

6. Find the adapter name and subnet for the backend private network by running the command:

ip address

The output should be similar to the image below where the required information is highlighted in the green boxes.

Find adapter name and subnet for backend private network.

Note: Steps 7 to 14 are configuration assembly steps. You can skip to Step 14 to see the result.

7. Create an initial script (create_hub) for configuring SoftEther VPN. You need to create a virtual hub named vpn:

HubCreate vpn /PASSWORD:""
hub vpn

8. Bridge the virtual hub and physical adapter using the adapter name from step 6:

BridgeCreate vpn /DEVICE:bond0.1101 /TAP:False

9. Enable the Secure NAT feature for DHCP functionality:

SecureNatEnable
NatDisable

10. Assign the appropriate subnet in the DHCP parameters (according to the private network addressing collected in step 6):

DhcpSet /START:10.0.0.200 /END:10.0.0.250 /MASK:255.255.255.0 /EXPIRE:7200 /GW:none /DNS:none /DNS2:none /DOMAIN:none /LOG:yes /PUSHROUTE:none
SecureNatHostSet /MAC:none /IP:10.0.0.253 /MASK:255.255.255.0

Note: This configuration places VPN sessions on the same private subnet as your BMC servers. Be sure to avoid overlapping addresses.

11. Generate a certificate for the VPN connection with your fully qualified domain name (FQDN):

ServerCertRegenerate vpn.yourdomain.com
ServerCertGet ./generated/cert.cer

12. Next, enable VPN support.

  • To enable support for Windows SSTP VPN clients run:
SstpEnable yes
  • To enable support for OpenVPN clients run:
OpenVpnEnable yes /PORTS:1194
OpenVpnMakeConfig ./generated/openvpn_config.zip

13. Define local VPN users:

UserCreate rauser /GROUP:none /REALNAME:none /NOTE:none
UserPasswordSet rauser /PASSWORD:sadigGjyt387

14. Define a SoftEther server management password:

ServerPasswordSet adskfnne44onkdasl

Note: Avoid leaving clear text passwords in the init script in a production environment. The ones shown above are for illustrative purposes only.

15. Create two files: vpn.yml and create_hub.

If required, change the:

  • Dhcpset start and end range
  • SecureNatHostSet IP address parameters
  • ServerCertRegenerate domain

If no changes are required, paste the following lines to the SoftEther server:

cat <<EOF > vpn.yml
---
- hosts: localhost
  vars:
  roles:
    - {
        role: "softasap.sa-vpn-softether",
        softether_init_script: "{{ playbook_dir }}/create_hub"
      }
EOF
cat <<EOF > create_hub
HubDelete DEFAULT
HubCreate vpn /PASSWORD:""
hub vpn
BridgeCreate vpn /DEVICE:bond0.1101 /TAP:False
SecureNatEnable
NatDisable
DhcpSet /START:10.0.0.200 /END:10.0.0.250 /MASK:255.255.255.0 /EXPIRE:7200 /GW:none /DNS:none /DNS2:none /DOMAIN:none /LOG:yes /PUSHROUTE:none
SecureNatHostSet /MAC:none /IP:10.0.0.253 /MASK:255.255.255.0
ServerCertRegenerate vpn.yourdomain.com
ServerCertGet ./generated/cert.cer
SstpEnable yes
OpenVpnEnable yes /PORTS:1194
OpenVpnMakeConfig ./generated/openvpn_config.zip
UserCreate rauser /GROUP:none /REALNAME:none /NOTE:none
UserPasswordSet rauser /PASSWORD:sadigGjyt387
ServerPasswordSet adskfnne44onkdasl
EOF

16. After creating the vpn.yml and create_hub files, you can start the ansible-playbook. The following command installs and configures the SoftEther VPN server:

sudo ansible-playbook vpn.yml

Now the configured SoftEther VPN server is ready to accept remote access client connections, allowing communication with backend addresses of servers within BMC.

Additional Configuration Options

For additional configuration options, you can use the SoftEther VPN Command Line Management Utility (vpncmd), used for managing multiple edge VPN servers.

For example, to set the SoftEther server, you would run:

/opt/vpnserver/vpncmd localhost /SERVER /CMD:ServerPasswordSet

To add VPN users, you would use the commands:

/opt/vpnserver/vpncmd localhost /SERVER /CMD:UserCreate
/opt/vpnserver/vpncmd localhost /SERVER /CMD:UserPasswordSet

Note: You might also be interested in our in-depth guide How to Install and Configure OpenVPN Access Server

Configuring Windows Clients

Configure VPN clients on Windows using SoftEther or the native MS SSTP.

Option 1: SoftEther Method

1. Download the SoftEther client for Windows.

2. After downloading and installing SoftEther client, follow the steps below to connect to the Phoenix edge server:

  • Select Add VPN Connection to open the new VPN setting properties.
  • Provide the Setting Name.
  • Specify the IP address, the port number, and the Virtual Hub Name.
  • Provide the user authentication information for connecting to the VPN server by providing a User Name and Password.
  • Click OK to confirm the setting properties.
Connect to Phoenix edge server using the SoftEther client for Windows.

Option 2: Windows SSTP Method

1. Download and install the certificate located on the SoftEther server in the path softether/generated/generated/cert.cer.

2. Once the Certificate window opens, click Install Certificate.

3. The Certificate Import Wizard appears. Select Current User for the Store Location and continue by clicking Next.

Install certificate for Windows SSTP VPN.

4. Next, configure the VPN endpoint on Windows. Open the VPN Settings and select Add a VPN.

5. Fill in the information required, making sure to select Windows (built-in) as the VPN provider and Secure Socket Tunneling Protocol (SSTP) as the VPN type.

6. Click Save to complete.

Configure VPN endpoint on Windows.

Configuring Ubuntu Clients

1. Install OpenVPN packages to use the OpenVPN client:

sudo apt install network-manager-openvpn network-manager-openvpn-gnome

2. After downloading and unzipping the openvpn_config.zip file, import the configuration:

  • Open Settings and navigate to Network.
  • Click the sign to add a VPN to your network.
  • Choose Import from file…
Add OpenVPN to networks on Ubuntu.

3. From the OpenVPN Sample Config package select the Phoenix edge OpenVPN remote access file. Click the Open button in the top right corner.

Import Phoenix edge remote access.

4. Provide the User name and Password for authentication. Click Add to continue.

Add VPN for Ubuntu clients.

5. Move to the IPv4 tab and select the setting Use this connection only for resources on its network. Click Apply.

Configure OpenVPN for Ubuntu client.

Configuring Mac Clients

You can use Tunnelblick to install the OpenVPN client on Mac.

1. Open Tunnelblick and select I have configuration files.

Add configuration files to Tunnelblick.

2. A window appears explaining how to install a configuration file.

Install configuration using Tunnelblick.

3. Drag and drop the configuration file to the TunnelBlink icon located in the menu bar.

Drag and drop the configuration file to Tunnelblick.

4. Connect to the newly added VPN by clicking on the Tunnelblick icon and selecing Connect phx-edge_openvpn_remote_access_l3.

Connect to newly added VPN using Tunnelblick.

5. Enter your VPN username and password. Then, click OK to log in.

Provide username and password to connect to OpenVPN.

Note: For all other platforms (Linux, Mac OS X, Android) any OpenVPN client can be used.

Setting Up VPN Connection Between Two phoenixNAP BMC Locations

You can interconnect two BMC locations over VPN. Such a connection is also known as Lan to Lan (L2L) or Site to Site (S2S).

Such a setup requires BMC Linux servers in each location. Both servers need to have public and private addressing. They act as the SoftEther edge server and one or more private BMC servers in the same backend private network.

In this example, we use the Phoenix and Ashburn locations. However, you can set up a VPN connection between any phoenixNAP BMC locations.

VPN between two phoenixNAP BMC locations.

1. If starting here, implement steps 1 through 6 & 15 through 16 from the first section. These are required to set up the Phoenix side.

2. Then, establish a connection over SSH to SoftEther edge in Ashburn, and install the ansible package:

  • For Ubuntu:
sudo apt -y install ansible
  • For CentOS:
sudo yum -y install ansible

3. Install softasap.sa-vpn-softether ansible role from Ansible Galaxy:

sudo ansible-galaxy install softasap.sa-vpn-softether

4. Take note of the adapter name and subnet for the backend private network using the command:

ip address

Note: Steps 5 to 10 are configuration assembly steps. You can skip to step 13 to see the result.

5. Create the two files: vpn.yml and create_hub.

If required, change the:

  • Dhcpset start and end range
  • SecureNatHostSet IP address parameters
  • ServerCertRegenerate domain

If no changes are required, paste the lines below into the SoftEther server:

cat <<EOL > vpn.yml
---
- hosts: localhost
  vars:
  roles:
    - {
        role: "softasap.sa-vpn-softether",
        softether_init_script: "{{ playbook_dir }}/create_hub"
      }
EOF
cat <<EOL > create_hub
HubDelete DEFAULT
HubCreate vpn /PASSWORD:""
hub vpn
BridgeCreate vpn /DEVICE:bond0.1100 /TAP:False
SecureNatEnable
NatDisable
DhcpSet /START:10.1.0.200 /END:10.1.0.250 /MASK:255.255.255.0 /EXPIRE:7200 /GW:none /DNS:none /DNS2:none /DOMAIN:none /LOG:yes /PUSHROUTE:none
SecureNatHostSet /MAC:none /IP:10.1.0.253 /MASK:255.255.255.0
ServerCertRegenerate vpn.yourdomain.com
ServerCertGet ./generated/cert.cer
SstpEnable yes
OpenVpnEnable yes /PORTS:1194
OpenVpnMakeConfig ./generated/openvpn_config.zip
UserCreate rauser /GROUP:none /REALNAME:none /NOTE:none
UserPasswordSet rauser /PASSWORD:sadigGjyt387
ServerPasswordSet adskfnne44onkdasl
EOF

6. After creating the vpn.yml and create_hub files, you can start ansible-playbook. Use the following command to install and configure the Ashburn SoftEther VPN server:

sudo ansible-playbook vpn.yml

At this point, you installed and configured the SoftEther servers in two locations (Phoenix and Ashburn).

Now you need to connect these locations with a S2S VPN tunnel.

8. Edit the create_hub init script on both servers and create a new virtual hub named s2s.

HubCreate s2s /PASSWORD:""
hub s2s

9. Create a password for s2s VPN authentication.

UserCreate s2s /GROUP:none /REALNAME:none /NOTE:none
UserPasswordSet s2s /PASSWORD:bjdbsi9273jygUYGf6

10. To initiate the site to site VPN connection, add the following lines to the primary location (in this example it is Phoenix).

CascadeCreate s2s /SERVER:131.153.155.210:443 /HUB:s2s /USERNAME:s2s
CascadePasswordSet s2s /PASSWORD: bjdbsi9273jygUYGf6 /TYPE:standard
CascadeOnline s2s

This points the cascade connection to the public IP and s2s hub of SoftEther server in the Ashburn location.

11. To allow traffic between vpn and s2s hubs, you need to add a virtual router on both SoftEther servers.

Phoenix SoftEther server:

  • Create a virtual router named s2s:
RouterAdd s2s
  • Add an interface for each hub:
RouterIfAdd s2s /HUB:vpn 
/IP:10.0.0.254/255.255.255.0
RouterIfAdd s2s /HUB:s2s 
/IP:192.168.168.254/255.255.255.0
  • Add a static route for vpn hub on Ashburn location:
RouterTableAdd s2s /NETWORK:10.1.0.0/255.255.255.0 /GATEWAY:192.168.168.253 /METRIC:1
RouterStart s2s

Ashburn SoftEther server:

  • Creating a virtual router named s2s:
RouterAdd s2s
  • Add an interface for each hub:
RouterIfAdd s2s /HUB:vpn 
/IP:10.1.0.254/255.255.255.0
RouterIfAdd s2s /HUB:s2s 
/IP:192.168.168.253/255.255.255.0
  • Add a static route for vpn hub on Phoenix location:
RouterTableAdd s2s /NETWORK:10.0.0.0/255.255.255.0 /GATEWAY:192.168.168.254 /METRIC:1
RouterStart s2s

12. Next you need to allow users connected to Phoenix to establish a connection to servers in Ashburn, and vice versa. To do so, add a static route to the VPN client:

Phoenix SoftEther server:

DhcpSet /START:10.0.0.200 /END:10.0.0.250 
/MASK:255.255.255.0 /EXPIRE:7200 /GW:none 
/DNS:none /DNS2:none /DOMAIN:none /LOG:yes 
/PUSHROUTE:none
DhcpSet /START:10.0.0.200 /END:10.0.0.250 
/MASK:255.255.255.0 /EXPIRE:7200 /GW:none 
/DNS:none /DNS2:none /DOMAIN:none /LOG:yes 
/PUSHROUTE:10.1.0.0/255.255.255.0/10.0.0.254

Ashburn SoftEther server:

DhcpSet /START:10.1.0.200 /END:10.1.0.250 
/MASK:255.255.255.0 /EXPIRE:7200 /GW:none 
/DNS:none /DNS2:none /DOMAIN:none /LOG:yes 
/PUSHROUTE:none
DhcpSet /START:10.0.0.200 /END:10.0.0.250 
/MASK:255.255.255.0 /EXPIRE:7200 /GW:none 
/DNS:none /DNS2:none /DOMAIN:none /LOG:yes 
/PUSHROUTE:10.0.0.0/255.255.255.0/10.1.0.254

To sum up, the Phoenix SoftEther create_hub initial script should consist of the following content:

HubDelete DEFAULT
HubCreate vpn /PASSWORD:""
hub vpn
BridgeCreate vpn /DEVICE:bond0.1100 /TAP:False
SecureNatEnable
NatDisable
DhcpSet /START:10.1.0.200 /END:10.1.0.250 /MASK:255.255.255.0 /EXPIRE:7200 /GW:none /DNS:none /DNS2:none /DOMAIN:none /LOG:yes /PUSHROUTE: 10.0.0.0/255.255.255.0/10.1.0.254
SecureNatHostSet /MAC:none /IP:10.1.0.253 /MASK:255.255.255.0
ServerCertRegenerate vpn.yourdomain.com
ServerCertGet ./generated/cert.cer
SstpEnable yes
OpenVpnEnable yes /PORTS:1194
OpenVpnMakeConfig ./generated/openvpn_config.zip
UserCreate rauser /GROUP:none /REALNAME:none /NOTE:none
UserPasswordSet rauser /PASSWORD:sadigGjyt387
ServerPasswordSet adskfnne44onkdasl

HubCreate s2s /PASSWORD:""
hub s2s
UserCreate s2s /GROUP:none /REALNAME:none /NOTE:none
UserPasswordSet s2s /PASSWORD:bjdbsi9273jygUYGf6
RouterAdd s2s
RouterIfAdd s2s /HUB:vpn /IP:10.1.0.254/255.255.255.0
RouterIfAdd s2s /HUB:s2s /IP:192.168.168.253/255.255.255.0
RouterTableAdd s2s /NETWORK:10.0.0.0/255.255.255.0 /GATEWAY:192.168.168.254 /METRIC:1
RouterStart s2s

The Ashburn SoftEther create_hub initial script should consist of the following content:

HubDelete DEFAULT
HubCreate vpn /PASSWORD:""
hub vpn
BridgeCreate vpn /DEVICE:bond0.1101 /TAP:False
SecureNatEnable
NatDisable
DhcpSet /START:10.0.0.200 /END:10.0.0.250 /MASK:255.255.255.0 /EXPIRE:7200 /GW:none /DNS:none /DNS2:none /DOMAIN:none /LOG:yes /PUSHROUTE:10.1.0.0/255.255.255.0/10.0.0.254
SecureNatHostSet /MAC:none /IP:10.0.0.253 /MASK:255.255.255.0
ServerCertRegenerate vpn.yourdomain.com
ServerCertGet ./generated/cert.cer
SstpEnable yes
OpenVpnEnable yes /PORTS:1194
OpenVpnMakeConfig ./generated/openvpn_config.zip
UserCreate rauser /GROUP:none /REALNAME:none /NOTE:none
UserPasswordSet rauser /PASSWORD:sadigGjyt387
ServerPasswordSet adskfnne44onkdasl

HubCreate s2s /PASSWORD:""
hub s2s
UserCreate s2s /GROUP:none /REALNAME:none /NOTE:none
UserPasswordSet s2s /PASSWORD:bjdbsi9273jygUYGf6
CascadeCreate s2s /SERVER:131.153.155.210:443 /HUB:s2s /USERNAME:s2s
CascadePasswordSet s2s /PASSWORD:bjdbsi9273jygUYGf6 /TYPE:standard
CascadeOnline s2s
RouterAdd s2s
RouterIfAdd s2s /HUB:vpn /IP:10.0.0.254/255.255.255.0
RouterIfAdd s2s /HUB:s2s /IP:192.168.168.254/255.255.255.0
RouterTableAdd s2s /NETWORK:10.1.0.0/255.255.255.0 /GATEWAY:192.168.168.253 /METRIC:1
RouterStart s2s

14. Once the init scripts are ready, reconfigure both SoftEther VPN servers:

/opt/vpnserver/vpncmd localhost /SERVER /IN:create_hub

15. Add the static routes to servers using the VPN server private address to achieve connectivity between locations.

CentOS-Specific Settings

If you are running CentOS servers, follow the steps outlined for each server location.

Phoenix side BMC servers:

  • Add a static route on the server by running:
sudo ip route add 10.1.0.0/24 via 10.0.0.254 dev bond0.1101
  • To make the routes persistent, edit the network configuration file /etc/cloud/cloud.cfg.d/50-curtin-networking.cfg.
  • Add the routes information to the file:
type: vlan
mtu: 9000
name: bond0.1101
vlan_id: 1101
vlan_link: bond0
subnets:
- address: 10.0.0.12/24
type: static
routes:
- gateway: 10.0.0.254
network: 10.1.0.0/24

Ashburn side BMC servers:

  • Add a static route on the server by running:
sudo ip route add 10.0.0.0/24 via 10.1.0.254 dev bond0.1100
  • Make the routes persistent by editing the network configuration file /etc/cloud/cloud.cfg.d/50-curtin-networking.cfg.
  • Add a routes section to the file:
- type: vlan
    mtu: 9000
    name: bond0.1100
    vlan_id: 1100
    vlan_link: bond0
    subnets:
    - address: 10.1.0.12/24
      type: static
      routes:
      - gateway: 10.1.0.254
        network: 10.0.0.0/24

Ubuntu-Specific Settings

If you are running Ubuntu servers, follow the steps outlined for each location.

Phoenix side BMC servers:

  • Add a static route on the server by running:
sudo ip route add 10.1.0.0/24 via 10.0.0.254 dev bond0.1101
  • To make the routes persistent, edit the network configuration file /etc/cloud/cloud.cfg.d/50-curtin-networking.cfg.
  • Add the following information to the file:
bond0.1101:
      addresses:
      - 10.0.0.12/24
      id: 1101
      link: bond0
      mtu: 9000
      routes:
      - to: 10.1.0.0/24
        via: 10.0.0.254

Ashburn side BMC servers:

  • Add a static route on the server by running:
sudo ip route add 10.0.0.0/24 via 10.1.0.254 dev bond0.1100
  • Make the routes persistent by editing the network configuration file /etc/cloud/cloud.cfg.d/50-curtin-networking.cfg.
  • Add a routes section to the file:
bond0.1100:
      addresses:
      - 10.1.0.12/24
      id: 1100
      link: bond0
      mtu: 9000
      routes:
      - to: 10.0.0.0/24
        via: 10.1.0.254

Setting Up IPSec VPN Between phoenixNAP BMC and On-Premise Equipment

To illustrate the third scenario, we use our existing topology. Having two BMC locations is not mandatory. Connectivity to an on-premises data center, office, or remote-site all fit into this example. If this is your only required use-case, this section stands on it’s own.

As an on-premises endpoint, we use Cisco ASA configuration to create site-to-site IPsec VPN. Additionally, we use strongSwan server side to establish this tunnel. The traffic described can flow from remote access clients to both BMC nodes, as well as from a remote office to both BMC nodes. Remote access client connection through BMC to the remote site/office is not described.

IPSec VPN Between phoenixNAP BMC and On-Premise Equipment.

1. SSH to edge server and install the strongSwan package:

  • For Ubuntu:
sudo apt -y install strongswan
  • For CentOS:
sudo yum -y install strongswan

Depending on distribution, configuration files will be located in different paths.

  • On Ubuntu you can find it in: /etc/ipsec.*
  • On CentOS, the configuration file is located in: /etc/strongswan/ipsec.*

2. Edit the IPsec configuration file on the edge server at the Phoenix location:

#####Mandatory part of configuration setup#####
config setup
# strictcrlpolicy - Defines if a fresh CRL must be available in order for the peer authentication based on RSA signatures to succeed.
strictcrlpolicy=no
# uniqueids - Defines whether a particular participant ID must be kept unique, with any new IKE_SA using an ID deemed to replace all old ones using that ID.
uniqueids = yes
# charondebug - Defines how much charon debugging output must be logged.
    charondebug = "all"
conn vpn-to-asa
#####Per VPN configuration settings#####
# conn <name> - Defines a connection.
authby=secret
# authby - Defines how the peers must authenticate; acceptable values are secret or psk, pubkey, rsasig, ecdsasig.
left=%defaultroute
# left - Defines the IP address of the strongSwan's interface paricipating in the tunnel.
leftid=131.153.142.202
# leftid - Defines the identity payload for the strongSwan.
leftsubnet=10.0.0.0/24
# leftsubnet - Defines the private subnet behind the strongSwan, expressed as network/netmask.
right=185.28.188.0
# right - Defines the public IP address of the VPN peer.
rightid=192.168.0.254
# rightid - Defines the identity payload for the VPN peer.
rightsubnet=192.168.1.0/24
# rightsubnet - Defines the private subnet behind the VPN peer, expressed as network/netmask.
ike=aes256-sha1-modp1536
# ike - Defines the IKE/ISAKMP SA encryption/authentication algorithms. You can add a comma-separated list.
esp=aes256-sha1
# esp - Defines the ESP encryption/authentication algorithms. You can add a comma-separated list
keyingtries=%forever
# keyingtries - Defines the number of attempts that must be made to negotiate a connection.
leftauth=psk
rightauth=psk
keyexchange=ikev1
ikelifetime=1h
# ikelifetime - Defines the duration of an established phase-1 connection.
    lifetime=8h
dpddelay=30
# dpddelay - Defines the time interval with which R_U_THERE messages/INFORMATIONAL exchanges are sent to the peer.
dpdtimeout=120
# dpdtimeout - Defines the timeout interval, after which all connections to a peer are deleted in case of inactivity.
dpdaction=restart
# dpdaction - Defines what action needs to be performed on DPD timeout. Takes three values as paramters : clear, hold, and restart.
auto=start
# auto - Defines what operation, if any, must be done automatically at IPsec startup (start loads a connection and brings it up immediately).

3. The IPSec pre-shared key is stored in a separate file: /etc/strongswan/ipsec.secrets

131.153.142.202 185.28.188.0 : PSK "ksdbk78823kdcs92kwehsfkphx"

4. Create strongSwan configs files (ipsec.conf and ipsec.secrets) after changing the necessary parameters. You can use the following configuration on the Phoenix edge server:

sudo cat <<EOF > /etc/strongswan/ipsec.conf
# mandatory configuration
config setup
strictcrlpolicy=no
uniqueids = yes
charondebug = "all"
# VPN to Cisco ASA
conn vpn-to-asa
authby=secret
left=%defaultroute
leftid=131.153.142.202
leftsubnet=10.0.0.0/24
right=185.28.188.0
rightid=192.168.0.254
rightsubnet=192.168.1.0/24
ike=aes256-sha1-modp1536
esp=aes256-sha1
keyingtries=%forever
leftauth=psk
rightauth=psk
keyexchange=ikev1
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
auto=start
EOF
sudo cat <<EOT > /etc/strongswan/ipsec.secrets
131.153.142.202 185.28.188.0 : PSK "ksdbk78823kdcs92kwehsfkphx"
EOT

5. To avoid possible problems with SELinux, execute the next command on the CentOS edge server:

sudo /sbin/restorecon -R -v /etc/strongswan/ipsec.conf
sudo setsebool -P daemons_use_tty 1

6. Start the strongSwan service in Phoenix:

sudo systemctl enable --now strongswan

7. A similar procedure should be done on the Ashburn location. In this example the edge server OS in Ashburn is Ubuntu (not mandatory). Configuration files will be on a different path. After changing necessary parameters, paste the next lines to the edge server on the Ashburn location:

sudo cat <<EOF > /etc/ipsec.conf
# mandatory configuration
config setup
strictcrlpolicy=no
uniqueids = yes
charondebug = "all"
# VPN to Cisco ASA
conn vpn-to-asa
authby=secret
left=%defaultroute
leftid=131.153.155.210
leftsubnet=10.1.0.0/24
right=185.28.188.0
rightid=192.168.0.254
rightsubnet=192.168.1.0/24
ike=aes256-sha1-modp1536
esp=aes256-sha1
keyingtries=%forever
leftauth=psk
rightauth=psk
keyexchange=ikev1
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
auto=start
EOF
sudo cat <<EOT > /etc/ipsec.secrets
131.153.155.210 185.28.188.0 : PSK "ksdbk78823kdcs92kwehsfkash"
EOT

8. Start the strongSwan service on Ashburn:

sudo systemctl enable --now strongswan

9. Add static routes on the edge servers to enable communication with the on-premises data center, office or remote-site:

CentOS-Specific Static Routes

The following configuration applies to CentOS servers.

Phoenix side BMC servers:

  • Add static route on server by running:
sudo ip route add 192.168.1.0/24 via 10.0.0.11 dev bond0.1101
  • To make the routes persistent, edit the network configuration file /etc/cloud/cloud.cfg.d/50-curtin-networking.cfg.
  • Add the following information to the file:
type: vlan
    mtu: 9000
    name: bond0.1101
    vlan_id: 1101
    vlan_link: bond0
    subnets:
    - address: 10.0.0.12/24
      type: static
      routes:
      - gateway: 10.0.0.11
        network: 192.168.1.0/24

Ashburn side BMC servers:

  • Add static route on server by running:
sudo ip route add 192.168.1.0/24 via 10.1.0.11 dev bond0.1100
  • Make the routes persistent by editing the network configuration file /etc/cloud/cloud.cfg.d/50-curtin-networking.cfg.
  • Add a routes section to the file:
type: vlan
    mtu: 9000
    name: bond0.1100
    vlan_id: 1100
    vlan_link: bond0
    subnets:
    - address: 10.1.0.12/24
      type: static
      routes:
      - gateway: 10.1.0.11
        network: 192.168.1.0/24

Ubuntu-Specific Static Routes

Use the following configuration on Ubuntu servers.

Phoenix side BMC servers:

  • Add static route on server by running:
sudo ip route add 192.168.1.0/24 via 10.0.0.11 dev bond0.1101
  • To make the routes persistent, edit the network configuration file /etc/cloud/cloud.cfg.d/50-curtin-networking.cfg.
  • Add the following information to the file:
bond0.1101:
      addresses:
      - 10.0.0.12/24
      id: 1101
      link: bond0
      mtu: 9000
      routes:
      - to: 192.168.1.0/24
        via: 10.0.0.11

Ashburn side BMC servers:

  • Add static route on server by running:
sudo ip route add 192.168.1.0/24 via 10.1.0.11 dev bond0.1100
  • Make the routes persistent by editing the network configuration file /etc/cloud/cloud.cfg.d/50-curtin-networking.cfg.
  • Add a routes section to the file:
bond0.1100:
      addresses:
      - 10.1.0.12/24
      id: 1100
      link: bond0
      mtu: 9000
      routes:
      - to: 192.168.1.0/24
        via: 10.1.0.11

10. The following step includes an on-premises Cisco ASA firewall IPSsec configuration. Your actual configuration may vary.

name 131.153.142.202 PHX-VPN-PEER
name 131.153.155.210 ASH-VPN-PEER
object-group network PHX-VPN-REMOTE
network-object 10.0.0.0 255.255.255.0
object-group network ASH-VPN-REMOTE
network-object 10.1.0.0 255.255.255.0
object-group network PHX-VPN-LOCAL
network-object 192.168.1.0 255.255.255.0
object-group network ASH-VPN-LOCAL
network-object 192.168.1.0 255.255.255.0
!
access-list PHXl2l_acl extended permit ip object-group PHX-VPN-LOCAL object-group PHX-VPN-REMOTE
access-list ASHl2l_acl extended permit ip object-group ASH-VPN-LOCAL object-group ASH-VPN-REMOTE
nat (inside,outside) source static PHX-VPN-LOCAL PHX-VPN-LOCAL destination static PHX-VPN-REMOTE PHX-VPN-REMOTE no-proxy-arp
nat (inside,outside) source static ASH-VPN-LOCAL ASH-VPN-LOCAL destination static ASH-VPN-REMOTE ASH-VPN-REMOTE no-proxy-arp
!
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 3600
!
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address PHXl2l_acl
crypto map outside_map 10 set peer PHX-VPN-PEER
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 20 match address ASHl2l_acl
crypto map outside_map 20 set peer ASH-VPN-PEER
crypto map outside_map 20 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map interface outside
crypto ikev1 enable outside
!
tunnel-group 131.153.142.202 type ipsec-l2l
tunnel-group 131.153.142.202 ipsec-attributes
ikev1 pre-shared-key ksdbk78823kdcs92kwehsfkphx
tunnel-group 131.153.155.210 type ipsec-l2l
tunnel-group 131.153.155.210 ipsec-attributes
ikev1 pre-shared-key ksdbk78823kdcs92kwehsfkahs

Conclusion

This article shows how to set up BMC remote access through a VPN. Additionally, it outlines the steps necessary for configuring Windows, Linux, and Mac clients for remote access. Finally, the article explains how to connect two BMC servers or on-premises equipment via VPN.

Damir Sajin, Network Engineer at phoenixNAP, created the first draft of this document and tested the configuration.

Denise Desira, UI Designer at phoenixNAP, produced images and assisted in writing this article.

Was this article helpful?
YesNo
Steve Scicluna
Steve Scicluna is a Network Architect at phoenixNAP. He strives to design modern, reliable, business-empowering networks. With over a decade of experience working in the networking field, this is where he feels most at home.
Next you should read
How to Access BMC Windows Server
December 15, 2020

Learn how to establish an SSH connection to your new Bare Metal Cloud Windows server using either a key pair...
Read more
How to Test Network Speed in Linux via CLI
November 25, 2020

This article shows you numerous ways to test network speed in Linux via CLI. Learn how to install and use 9...
Read more
How to Connect to a Server Using the BMC Remote Console Feature
August 28, 2020

This guide shows you how to use the Remote Console functionality in the Bare Metal Cloud Portal...
Read more
What is Bare Metal Cloud
May 20, 2020

This article provides answers to everything you wanted to know about Bare Metal Cloud and how it compares...
Read more