When your clouds or servers reside in a network that sits behind a restrictive firewall or use a private IP range, you will need to set up a Virtual Private Network between ClearGLASS and your network to be able to manage them through the ClearGLASS service.
ClearGLASS's VPN functionality is based on the OpenVPN protocol, which implements a Virtual Private Network (VPN) in order to create secure point-to-point connections to remote access areas. OpenVPN is capable of accessing private networks by traversing network address translators (NATs) and firewalls, while utilizing the exchange of keys in order to secure its VPN connections (or tunnels).
To set up a new VPN, visit the Tunnels section from your dashboard menu and click on the Add your tunnels button. Type in a name for your tunnel, and optionally a description. Then, in the CIDRs field, add the private IP range in which the cloud you want to manage resides. ClearGLASS will choose two random IPv4 addresses for the endpoints of the VPN tunnel. If you want to exclude some of the addresses of the network to avoid IP conflicts, you can fill them in on the excluded CIDRs field. You also have the option to choose between the UDP and TCP protocols.
Once you’re done, click on the Add button. ClearGLASS will create the tunnel. Click on it, and ClearGLASS will provide you with a bash script that you’ll need to run on your VPN client - usually one of the machines or the router of your private network.
When deploying your VPN client, make sure that there are no firewall rules blocking the tunnel's incoming or forwarded traffic. Your VPN client needs to allow incoming data from and outgoing data to ClearGLASS. The UDP port that is used is shown on the tunnel page above. Additionally, make sure that the machine where the VPN client resides can forward packets to your local VMs. Please ensure your firewall and iptables rules (if any) have been properly configured.
As soon as you have established your VPN tunnels, you can go ahead and add your infrastructure in ClearGLASS. Your private network IPs will be accessible for you by the ClearGLASS service as if they were public. Just go ahead and add your private clouds and perform actions on private VMs like you would normally do.
To confirm that the tunnel has been established on your VPN client, run ifconfig and make sure you can see the vpn-tunXYZ interface, where XYZ is a number. Example:
# ifconfig
...
vpn-tun114 Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.105.191.176  P-t-P:10.105.191.177  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
...
The tunnel is up and we should be able to ping the P-t-P IP (in my case this is 10.105.191.177).
On the tunnel page we can also see the port on the remote side that is assigned for our VPN client. Make sure that outgoing traffic to this port is allowed (UDP to port 1319 in my case).
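The client-side checks described above (interface present, P-t-P endpoint reachable, packet forwarding enabled), collected into one script. This is an added example and not part of the ClearGLASS documentation or its deployment script; it assumes a Linux VPN client with the net-tools ifconfig output format shown above and iputils ping.

```shell
#!/bin/sh
# Added example (not ClearGLASS code): verify a vpn-tunXYZ tunnel from the client side.

# Constructed sample of the ifconfig output format shown above, used to exercise the parsers.
SAMPLE_IFCONFIG='vpn-tun114 Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.105.191.176  P-t-P:10.105.191.177  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

# Print the name of the first vpn-tunXYZ interface found in ifconfig output read from stdin.
find_vpn_iface() {
    sed -n 's/^\(vpn-tun[0-9]\{1,\}\)[[:space:]].*/\1/p' | head -n 1
}

# Print the P-t-P (server-side) address of interface $1 from ifconfig output read from stdin.
find_ptp_addr() {
    awk -v want="$1" '
        $1 ~ /^vpn-tun[0-9]+$/ { cur = $1 }          # a new interface block starts
        cur == want {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^P-t-P:/) { sub(/^P-t-P:/, "", $i); print $i; exit }
        }'
}

# Live checks: interface up, P-t-P endpoint answers ping, kernel forwards packets to local VMs.
# Returns non-zero with a message on the first failing check.
check_tunnel() {
    out="$(ifconfig 2>/dev/null)" || { echo "ifconfig not available"; return 1; }
    iface="$(printf '%s\n' "$out" | find_vpn_iface)"
    [ -n "$iface" ] || { echo "no vpn-tunXYZ interface found: tunnel is not up"; return 1; }
    ptp="$(printf '%s\n' "$out" | find_ptp_addr "$iface")"
    [ -n "$ptp" ] || { echo "$iface has no P-t-P address"; return 1; }
    ping -c 3 -W 2 "$ptp" >/dev/null 2>&1 \
        || { echo "P-t-P endpoint $ptp unreachable: check outgoing UDP to the tunnel port"; return 1; }
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ] \
        || { echo "net.ipv4.ip_forward is 0: local VMs will not be reachable"; return 1; }
    echo "$iface up, P-t-P $ptp reachable, IP forwarding enabled"
}

# Usage on the VPN client: . ./tunnel-check.sh && check_tunnel
```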
All VPN related actions have also been integrated into the ClearGLASS CLI, which can be installed by simply running pip install ClearGLASS. The available VPN related commands are:
You can retrieve a list of your established tunnels by invoking: ClearGLASS list-tunnels. You can optionally add the --pretty argument to the aforementioned command in order to print the output in a nicely formatted table.
In order to add a new tunnel you need to use the ClearGLASS add-tunnel command. The arguments accepted by the aforementioned command include:
name: a required parameter denoting the unique name of the tunnel
cidrs: a required list of the CIDRs to be routed over the particular VPN tunnel
exclude_cidrs: an optional list of CIDRs to be excluded when the VPN endpoint addresses are allocated, so that an address already in use locally is not assigned to an endpoint and no routing conflict arises
description: an argument to optionally add a description to the newly created tunnel
Now, let's see a couple of examples adding new VPN tunnels:
root@ubuntu:~ $ ClearGLASS add-tunnel --name MyTunnel --cidrs 192.168.2.0/24 192.168.3.0/24 --exclude-cidrs 172.16.150.0/24 --description 'This is just an example'
The first command requests the establishment of a VPN tunnel named “MyTunnel” via which the ClearGLASS service will be able to reach the private networks 192.168.2.0/24 and 192.168.3.0/24. Additionally, the network 172.16.150.0/24 has been specified as a network to be excluded from the allocation of IP addresses for the two VPN endpoints in order to avoid routing conflicts. For example, the 172.16.150.0/24 CIDR could represent a network that is directly attached to your VPN client, so you would not want an existing 172.16.150.x IP to be allocated to your VPN interface as well. Finally, the newly established tunnel comes with the description “This is just an example”. The description and exclude-cidrs fields are optional.
As soon as the newly requested VPN interface has been established on the server-side (the ClearGLASS side), the ClearGLASS add-tunnel command will return the configuration script that needs to be executed on the client-side in order for the tunnel establishment to be completed. At this point, the client-side configuration comes in two forms. Firstly, a bash script will be returned, which needs to be run on your VPN client and will take care of downloading the necessary dependencies, setting up the VPN configuration files and security key, and starting the OpenVPN service. All you have to do is copy and paste the bash script on your VPN client, make it executable, and run it.
The second option consists of a single curl command, which you can execute on your VPN client and which will take care of automatically downloading and executing the configuration script.
Your VPN client can be any machine sitting in your private network, including your own router.
After the configuration's execution has been successfully completed, you should have a new interface up and running similar to:
vpn-tun1 Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.166.30.100  P-t-P:10.166.30.101  Mask:255.255.255.255
inet addr is the IP address allocated to your VPN endpoint, while P-t-P is the server-side IP address.
The ClearGLASS CLI also allows you to edit an already established tunnel. The ClearGLASS edit-tunnel command allows you to edit the name, description, and list of accessible CIDRs. However, you cannot edit the list of excluded CIDRs. For instance, let's edit tunnel “MyTunnel”:
root@ubuntu:~ $ ClearGLASS edit-tunnel e63fddace687u754aa9e66e4g56th257 --name EditedTunnel --cidrs 192.168.2.0/24 192.168.3.0/24 172.19.100.0/24 --description 'This is just an example'
The above command will edit the tunnel with tunnel ID e63fddace687u754aa9e66e4g56th257. Once you run it, the tunnel's name will be changed to “EditedTunnel” and ClearGLASS will also be able to access machines that sit in the 172.19.100.0/24 network.
All tunnel IDs can be retrieved by calling the ClearGLASS list-tunnels command. Tunnel IDs are required in order to perform actions on existing tunnels, such as editing, deleting, or retrieving a tunnel's configuration script.
For every already established tunnel you can explicitly request the corresponding VPN client's configuration script. All you need to provide is the tunnel's ID as follows:
root@ubuntu:~ $ ClearGLASS tunnel-script e63fddace687u754aa9e66e4g56th257
Similarly, you may request the corresponding curl command for a more automated deployment. Again, the tunnel's ID is all that needs to be provided to the shell command:
root@ubuntu:~ $ ClearGLASS tunnel-command e63fddace687u754aa9e66e4g56th257
Finally, you can tear down an existing VPN tunnel using the ClearGLASS delete-tunnel command, as follows:
root@ubuntu:~ $ ClearGLASS delete-tunnel e63fddace687u754aa9e66e4g56th257