SD-WAN: Implementing OpenConnect VPN on Fusion SD-WAN

VPNs are an excellent tool for working from home. There are many commercial flavours and many alternatives, and some of those commercial flavours break the bank, especially for a small business. We will discuss installing OpenConnect and using the OpenConnect server (OCSERV) running on a Fusion edge. OCSERV has enterprise-grade protection and features and is thus a suitable solution for work from home. Read about the technical implementation of OCSERV in this article: How the VPN works, or view this video by Nikos Mavrogiannopoulos.

This article details how we have integrated OCSERV into Fusion's SD-WAN. It makes VPN access to on-prem infrastructure extremely reliable. The Illuminate product set provides full traffic analytics and visibility, including security threats to LAN and VPN users. The architecture of the solution ensures that the VPN is installed separately in a DMZ and can be controlled significantly better than if it were firewall based.

The initial step is to configure an nspawn container on the SD-WAN edge using this recipe: Configuring containers on a SD-WAN edge. Nspawn is a systemd-based solution for containers. It's containers that went to private school. In our deployment we are using Debian Buster.

After completing the above we have our base installed. The additional step within the nspawn container is (NB: configure access to buster-backports for the edge):

# Add buster backports to /etc/apt/sources.list
deb https://deb.debian.org/debian buster-backports main contrib non-free

sudo apt-get -t buster-backports install ocserv



We are using the entry-level edge, which is a minimal system, as displayed by neofetch. The system shown is running the Fusion SD-WAN edge with a fibre link and two fixed wireless links. The container is up and OCSERV is installed and running. Even on this system the overhead is minimal, as shown by bpytop:


The next step is to connect home users. On the Fusion aggregator hosted by Powercloud and installed in the Teraco data centre we have another nspawn container that runs rportd. The SD-WAN edge runs rport, which provides a reverse tunnel from the aggregator to the edge that makes the OCSERV default TCP port of 443 available from the aggregator as TCP port 40444 (or any other selected port). If UDP is used as well, add UDP port 40445 on the rportd server and in the container.

We are using TCP for the VPN and have given the solution a performance boost by configuring the container with BBR congestion control.

sudo nano /etc/sysctl.d/10-custom-kernel-bbr.conf

Append the following two lines:

net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr

# To activate the settings, use
sudo sysctl --system

# Double check that IP forwarding is enabled (it must be for VPN clients to reach the LAN)
sudo sysctl net.ipv4.ip_forward

We apply the following settings to OCSERV.

sudo nano /etc/ocserv/ocserv.conf

# Use a password file with one time password support
auth = "plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]"

# Use certificates as an alternative means of authentication
enable-auth = "certificate"

# Only TCP is enabled; UDP (DTLS) is disabled
tcp-port = 443
# To add UDP support as well, uncomment the following (and forward the port on the aggregator)
# udp-port = 40445

# The certificates created using Letsencrypt's certbot
server-cert = /etc/ocserv/fullchain.pem
server-key = /etc/ocserv/privkey.pem

# Self-signed CA certificate used to validate connecting clients' certificates
ca-cert = /etc/ocserv/ssl/ca-cert.pem

# Display banner when VPN connects
banner = "Fusion Broadband VPN - Visit www.fusionsdwan.co.za"

# Maximum number of VPN clients supported by the installed solution
max-clients = 512

# Use Path MTU discovery
try-mtu-discovery = true

# The domain being used
default-domain = claymore.amastelek.com

# The IP lease pool for the VPN
ipv4-network = 10.10.0.0
ipv4-netmask = 255.255.254.0

# Use the VPN's DNS for the client
tunnel-all-dns = true

# Set the DNS servers that will be used
dns = 9.9.9.9
dns = 1.1.1.2

# Route all RFC1918 IPs via the VPN
route = 192.168.0.0/16
route = 10.0.0.0/8
route = 172.16.0.0/12

If both the UDP and TCP ports are enabled, OCSERV will use both, improving reliability. In the SD-WAN we have a DNS cache as well as a DNS intercept that redirects all DNS queries to the cache. We also apply the features of DNSMASQ for extra filtering, making it rock solid.

Users are added as follows:

sudo ocpasswd -c /etc/ocserv/ocpasswd circuitbreaker

The OTP is added as follows:

sudo -i
ocpasswd -c /etc/ocserv/ocpasswd circuitbreaker
echo "HOTP/T30 circuitbreaker - $(head -c 16 /dev/urandom |xxd -c 256 -ps)" >> /etc/ocserv/users.otp

# This is the format of the file
cat /etc/ocserv/users.otp

HOTP/T30 circuitbreaker - 2e430f2f55f78ead84684f908c294772

# We need to convert the secret to BASE32 (plain hex in via xxd -r -p, raw bytes out)
echo 2e430f2f55f78ead84684f908c294772 | xxd -r -p | base32
FZBQ6L2V66HK3BDIJ6IIYKKHOI======

# We need to install a QR code generator
apt-get install python3-qrcode python3-setuptools

# if python3-setuptools fails, use python3-pip instead

# We now generate a QR code for the user
qr "otpauth://totp/Fusion:circuitbreaker?secret=FZBQ6L2V66HK3BDIJ6IIYKKHOI======&issuer=Fusion"

The QR code generated above is scanned to load the account into Microsoft Authenticator (or alternatively Google Authenticator).
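As an added worked example (not part of the article or of ocserv itself), the OTP provisioning steps above carried through in Python: it produces the users.otp line, the BASE32 form of the article's secret and the otpauth URI, and checks a 6-digit code the way a TOTP verifier does (HMAC-SHA1, 30-second step, plus or minus one step for phone clock drift). The username, issuer and secret are the ones from the article; the verifier is a textbook RFC 6238 implementation, assumed to match what the authenticator app shows, not ocserv's own code.

```python
# Added worked example (not from the article): users.otp entry, BASE32 secret,
# otpauth URI, and an RFC 6238 TOTP check for the HOTP/T30 entry type.
import base64
import hashlib
import hmac
import struct
import time

# Values from the article's walkthrough (16 random bytes as hex, user, issuer).
SECRET_HEX = "2e430f2f55f78ead84684f908c294772"
USER = "circuitbreaker"
ISSUER = "Fusion"

def otp_line(user: str, secret_hex: str) -> str:
    """users.otp entry: HOTP/T30 = time-based code, 30 s step, HMAC-SHA1."""
    return f"HOTP/T30 {user} - {secret_hex}"

def secret_base32(secret_hex: str) -> str:
    """Same result as: echo <hex> | xxd -r -p | base32 (padded, as base32(1) prints)."""
    return base64.b32encode(bytes.fromhex(secret_hex)).decode("ascii")

def otpauth_uri(user: str, secret_hex: str, issuer: str = ISSUER) -> str:
    """The URI the article passes to the qr tool."""
    return f"otpauth://totp/{issuer}:{user}?secret={secret_base32(secret_hex)}&issuer={issuer}"

def totp(secret_hex: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over RFC 4226 HOTP: HMAC-SHA1 of the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(bytes.fromhex(secret_hex), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify(secret_hex: str, code: str, timestamp: int, window: int = 1, step: int = 30) -> bool:
    """Accept the current step plus/minus `window` steps to absorb phone clock drift."""
    return any(hmac.compare_digest(totp(secret_hex, timestamp + d * step, step), code)
               for d in range(-window, window + 1))

if __name__ == "__main__":
    print(otp_line(USER, SECRET_HEX))      # line to append to /etc/ocserv/users.otp
    print(secret_base32(SECRET_HEX))       # FZBQ6L2V66HK3BDIJ6IIYKKHOI======
    print(otpauth_uri(USER, SECRET_HEX))   # string to feed to the qr tool
    now = int(time.time())
    print("code now:", totp(SECRET_HEX, now), "accepted:", verify(SECRET_HEX, totp(SECRET_HEX, now), now))
```

If the code printed by this script does not match the one the authenticator app shows for the same minute, the secret was not transcribed correctly into users.otp or the QR code.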

Last step is to add the VPN routes to the SD-WAN edge.


The VPN is now ready for users to connect and access servers on the SD-WAN. It can also be used as a jump host to systems that require access from predefined static IPs.

Certificates can be set up and used by following this tutorial: Set up Certificate Authentication in OpenConnect VPN Server (ocserv)

OpenConnect has Windows, macOS, Linux, Android and iPhone clients. You can also use the Cisco AnyConnect client.

Additional neat tricks:

  • Implement a country block list using this script.
  • Ban clients that accumulate too many failed authentication attempts (for example, brute-force login attempts):

max-ban-score = 80
ban-reset-time = 1200

On a standalone container with no SD-WAN in use, where host0 is the public interface, NAT the VPN clients out via that interface:

sudo iptables -t nat -A POSTROUTING -o host0 -j MASQUERADE

Using the VPN from an Android device with AnyConnect:

Radius as a service from ITried is also supported by this OpenConnect solution; all that is required is to follow these instructions.

* Ronald works connecting Internet inhabiting things at Fusion Broadband.
