SSL VPN

Introduction

VMware NSX-T Data Center supports site-to-site VPN only. The SSL VPN-Plus remote-access feature that existed in NSX-V is not available in NSX-T.

This means you need to choose another remote-access VPN solution based on the features you require. Common choices are OpenVPN and WireGuard.

What is a site-to-site VPN?

As an alternative to SSL VPN, VMware NSX-T Data Center supports IPSec VPN and Layer 2 VPN.

A site-to-site VPN is a connection between two or more networks using an encrypted tunnel. Its primary use is to connect networks in multiple physical locations where a dedicated, always-on connection between the locations is required. It is typically set up as a permanent connection between networking equipment at each site rather than from individual client devices.

  • Internet Protocol Security (IPSec) VPN secures traffic flowing between two networks connected over a public network through IPSec gateways called endpoints.

  • With Layer 2 VPN (L2 VPN), you can extend Layer 2 networks across multiple sites on the same broadcast domain.


How to install and configure OpenVPN to replace SSL VPN Plus

Prerequisites


Create a new VDC network

It is recommended that you deploy the OpenVPN appliance into a new, dedicated, routed VDC network.

This lets you control access from VPN clients to the virtual machines in your environment more tightly, using firewall rules on the edge gateway between the VPN network and your other VDC networks. It is, however, possible to deploy the OpenVPN appliance into an existing network shared with existing virtual machines.

Configuring the edge gateway

You will need to configure the edge gateway to control access to the VMs in your environment by creating:

  • A Source NAT (SNAT) rule so the OpenVPN appliance has outbound access to the internet (needed for updates and, if you later choose full-tunnel routing, for client traffic).

  • A Destination NAT (DNAT) rule translating TCP port 443 on the public IP address to the appliance's internal IP address, so clients can reach it from the internet.

  • A firewall rule allowing inbound TCP port 443 from the internet to the appliance. Do not open the Admin Web UI port (943 by default) to the internet; reach it from inside the VDC or restrict it to trusted source addresses.

Deploying the OpenVPN appliance

Please note there is a version of the OpenVPN appliance already added to the Marketplace Catalog

To deploy the OpenVPN appliance:

 

You may need to reboot the virtual machine once after deployment for the networking changes to take effect.

Performing initial configuration

To perform initial configuration:

  • Under Compute, Virtual Machines, open the console for your OpenVPN VM.

  • Log in to the VM as the root user.

    • To obtain the root password, click Details, then select Guest OS Customization and Edit. Make a note of the generated root password, and change it once you have logged in, since it is visible to anyone with access to the VM's settings.

 

  • You'll be prompted to answer:

    • License agreement:

      • Enter yes to accept

    • Will this be the primary Access Server node?

      • Enter yes

    • Please specify the network interface and IP address to be used by the Admin Web UI:

      • This should default to eth0, which should be configured with the IP address you selected/assigned during deployment

    • Please specify the port number for the Admin Web UI:

      • Enter your required port number, or accept the default of 943

    • Please specify the TCP port number for the OpenVPN Daemon:

      • Accept the default of 443

    • Should client traffic be routed by default through VPN?

      • We recommend you answer no (split tunnel): only traffic for the subnets you define is sent through the VPN and the client reaches everything else directly. Answering yes (full tunnel) sends all of the client's traffic, including internet traffic, through the appliance and out via the edge gateway's SNAT rule; choose that only if you need every client connection to pass the edge gateway firewall.

    • Should client DNS traffic be routed by default through the VPN?

      • Answer no so that clients keep using their usual DNS servers. Answer yes only if clients must resolve names held on DNS servers inside your VDC networks.

    • Use local authentication via internal DB?

      • Enter yes to use the appliance's internal user database, unless you want to authenticate users against an existing directory service (Active Directory/LDAP).

    • Should private subnets be accessible to clients by default?

      • Answer yes to enable access to your VDC networks via the VPN

    • Do you wish to login to the Admin UI as "openvpn"?

      • Answer yes to use the built-in local account named openvpn as the Admin Web UI login. If you answer no you will need to set up a different admin account.

    • Please specify your OpenVPN-AS license key

      • If you've purchased a license you may enter it now or leave it blank

  • When you've completed the setup wizard you will need to create user accounts. With the internal database selected above, users and their passwords are created in the Admin Web UI (User Management, User Permissions); with LDAP they come from your directory.

  • The built-in openvpn admin account is authenticated against the local operating system rather than the internal database, so set its password before logging in to the Admin Web UI:

    • # passwd openvpn

Apply updates

Apply the latest updates to the operating system.

  • Enter the following:

    • # apt-get update && apt-get upgrade

Configure admin options

To configure admin options:

  • Log on to the admin interface at:

    • https://<ip_address>:943/admin

  • To set the hostname, under Configuration, select Network Settings and then set the Hostname or IP Address to either a public IP address or a fully qualified domain name (FQDN) that your client will be able to resolve

    • Save the settings

  • Under Configuration, select VPN settings

    • In the Routing section, add any additional subnets that your users should have access to. These will usually be the subnets configured in your VDC networks. Add only the subnets users need; the edge gateway firewall rules on the VPN network then control which VMs within them are reachable.

  • To create new user accounts, go to User Management, select User Permissions.
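The setup wizard answers above and the admin options in this section can also be applied from the appliance shell with sacli, OpenVPN Access Server's command-line configuration tool, which makes the configuration reviewable and repeatable. The script below is an added example, not code from the original page or from OpenVPN Inc.; the hostname vpn.example.com, the 10.10.0.0/24 subnet, the user name alice and the DRY_RUN switch are assumptions for this example.

```sh
#!/bin/sh
# Added example: apply the setup-wizard answers and admin options with sacli.
# Assumptions (not from the page): vpn.example.com, 10.10.0.0/24, user alice.
set -eu

SACLI=${SACLI:-/usr/local/openvpn_as/scripts/sacli}  # sacli path on the appliance
VPN_HOST=${VPN_HOST:-vpn.example.com}   # assumed FQDN/public IP behind the DNAT rule
VDC_SUBNET=${VDC_SUBNET:-10.10.0.0/24}  # assumed VDC network clients should reach
VPN_USER=${VPN_USER:-alice}             # assumed first VPN user

# run CMD...: execute the command, or only print it when DRY_RUN=1 (to review changes).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$*"
  else
    "$@"
  fi
}

# config_put KEY VALUE: set one Access Server configuration key.
config_put() {
  run "$SACLI" --key "$1" --value "$2" ConfigPut
}

# The same choices the wizard asks for, expressed as configuration keys.
configure_access_server() {
  config_put host.name "$VPN_HOST"                    # Hostname or IP Address
  config_put cs.https.port 943                        # Admin Web UI port
  config_put vpn.server.daemon.tcp.port 443           # daemon TCP port (matches DNAT/firewall rule)
  config_put vpn.client.routing.reroute_gw false      # no: split tunnel
  config_put vpn.client.routing.reroute_dns false     # no: clients keep their own DNS
  config_put auth.module.type local                   # yes: internal user database
  config_put vpn.server.routing.private_access nat    # yes: private subnets reachable via NAT
  config_put vpn.server.routing.private_network.0 "$VDC_SUBNET"  # VPN Settings, Routing
  config_put vpn.server.tls_auth true                 # HMAC-protect the control channel
  run "$SACLI" start                                  # apply the new configuration
}

# create_user NAME PASSWORD: a user in the internal database who must type a password
# (an autologin profile would embed a credential that connects without one).
create_user() {
  run "$SACLI" --user "$1" --key type --value user_connect UserPropPut
  run "$SACLI" --user "$1" --key prop_autologin --value false UserPropPut
  run "$SACLI" --user "$1" --new_pass "$2" SetLocalPassword
}

if [ "${1:-}" = apply ]; then
  configure_access_server
  create_user "$VPN_USER" "${VPN_USER_PASSWORD:?export VPN_USER_PASSWORD first}"
fi
```

Run it as root on the appliance with DRY_RUN=1 first to see the exact sacli commands, then with the argument apply. The keys map to the wizard prompts: cs.https.port is the Admin Web UI port, vpn.server.daemon.tcp.port the daemon port, reroute_gw and reroute_dns the two routing questions, auth.module.type the authentication choice, and private_access together with private_network.N the subnets you would otherwise add under VPN Settings, Routing.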

Logging in as a user

You can download the VPN client software and connection profiles directly from the appliance by logging in with a valid user name and password:

  • https://<ip_address>/

The downloaded client software and profile include everything required for authentication, including the user's client certificate and key and the connection properties. Treat the profile file as a credential: distribute it over a secure channel, and revoke the user in the Admin Web UI when they no longer need access.
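Before handing a downloaded profile to a user it is worth checking that it points at the public address and port you exposed on the edge gateway and that it keeps the protections a user-locked profile should have. The script below is an added example, not code from the original page or from OpenVPN Inc.; the sample profile it writes is constructed, and vpn.example.com and the placeholder certificate bodies are assumptions.

```sh
#!/bin/sh
# Added example: check a downloaded .ovpn profile before handing it to a user.
# The sample profile is constructed; vpn.example.com and the PLACEHOLDER
# certificate/key bodies are assumptions, not data from the page.
set -eu

# write_sample_profile FILE: a constructed user-locked profile in the shape
# Access Server produces (inline CA, client cert/key and tls-auth key).
write_sample_profile() {
  cat > "$1" <<'EOF'
client
dev tun
proto tcp
remote vpn.example.com 443 tcp
nobind
remote-cert-tls server
auth-user-pass
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
}

# check_profile FILE HOST [PORT]: print one finding per line; exit status 1 if any.
check_profile() {
  file=$1; host=$2; port=${3:-443}; findings=0
  hostre=$(printf '%s' "$host" | sed 's/\./\\./g')   # literal dots in the regex
  if ! grep -Eq "^remote[[:space:]]+${hostre}[[:space:]]+${port}([[:space:]]|\$)" "$file"; then
    echo "remote does not point at ${host}:${port} (the address/port of the DNAT and firewall rule)"
    findings=$((findings + 1))
  fi
  if ! grep -Eq '^remote-cert-tls[[:space:]]+server' "$file"; then
    echo "missing 'remote-cert-tls server': client would accept any certificate issued by the CA, including another user's"
    findings=$((findings + 1))
  fi
  for tag in ca cert key; do
    if ! grep -q "^<$tag>" "$file" || ! grep -q "^</$tag>" "$file"; then
      echo "missing inline <$tag> block"
      findings=$((findings + 1))
    fi
  done
  if ! grep -Eq '^<(tls-auth|tls-crypt)>' "$file"; then
    echo "no tls-auth/tls-crypt key: control channel is not HMAC-protected"
    findings=$((findings + 1))
  fi
  if ! grep -Eq '^auth-user-pass[[:space:]]*$' "$file"; then
    echo "no bare 'auth-user-pass': the client will not prompt for a password (autologin-style profile)"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Usage: sh check_profile.sh client.ovpn vpn.example.com 443
if [ "${1:-}" ]; then
  check_profile "$1" "${2:?expected hostname}" "${3:-443}"
fi
```

The remote check ties the profile back to the DNAT and firewall rules on the edge gateway; the remote-cert-tls check matters because every user's certificate is issued by the same CA, so without it a client cannot tell the real server from another certificate holder.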