MFA Client VPN for GCP using pfSense

In the previous post, AWS Client VPN with multi-factor authentication, I introduced how to deploy a client VPN in AWS using the AWS managed service. This time I introduce how to do “nearly” the same thing in GCP. However, GCP doesn’t have its own managed client VPN service, so the deployment steps are quite different.

What you can achieve after reading this post

  • Basic setup of pfSense in GCP to act as an OpenVPN server

What is the expected result

  • Easy user management on pfSense
  • Multi-factor authentication for the client VPN connection to GCP
  • Full tunnel (once the client is connected to the VPN, all traffic, including internet access, passes through GCP)

Walkthrough chart

  1. Launch pfSense in GCP.
  2. pfSense basic setup.
  3. FreeRADIUS installation and setup on pfSense
  4. Authentication server setup on pfSense
  5. OpenVPN setup on pfSense
  6. OpenVPN client exporter install
  7. Firewall rule to allow OpenVPN
  8. Add remote user(s)
  9. Set up the client VPN software and test

1. Launch pfSense in GCP

There is no pfSense image available in the GCP marketplace, so you need to download the image from the official site and create an image in GCP.

Once you have created an image, use it to launch an instance. Most of the parameters can be left at their defaults, but be sure to make your network settings as in the image below:

On the command line, it would look like this:

$ gcloud compute --project <project_name> disks create "pfsense" --size "20" --zone "us-central1-a" --source-snapshot "pfsense-245p1" --type "pd-standard"

$ gcloud beta compute --project=<project_name> instances create pfsense --zone=us-central1-a --machine-type=n1-standard-1 --subnet=default --address=<allocated_global_ip> --can-ip-forward --tags=openvpn-server --disk=name=pfsense,device-name=pfsense,mode=rw,boot=yes,auto-delete=yes

Next, we need to connect to the serial interface of this instance to finish the pre-configuration settings. Select the pfSense instance, click “Edit”, then check “Enable connecting to serial ports”. Once checked and saved, you should be able to connect to serial port 1.

You will be asked several questions; select as in the image below.

Soon after, you will be greeted with the pfSense menu. Select 8) Shell and type ifconfig vtnet0 mtu 1460 (the GCP VPC default MTU); otherwise you will not be able to access the web interface, and the connection will be quite unstable.

As a last step, we configure the GCP firewall to allow web GUI access. Go to Firewall and allow tcp/443 (https) and udp/1194 (openvpn) for the target tag you assigned to pfSense. On the command line, it would look like this:

gcloud compute --project=<project_name> firewall-rules create allow-openvpn-server --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:443,udp:1194 --source-ranges=0.0.0.0/0 --target-tags=openvpn-server

2. pfSense Basic Setup

Navigate to the pfSense URL at https://<your_external_ip>/ and you should be greeted with the pfSense setup wizard.

Once you have finished the wizard, you are in the pfSense console!


3. FreeRADIUS installation and setup on pfSense

Go to Package Manager and search for “freeradius”. Click “Install” and it will install FreeRADIUS along with all its dependencies.

Navigate to “Services” > “FreeRADIUS” to open the FreeRADIUS configuration page.

We have two parts to configure here:

  • Interfaces … specifies which interface the RADIUS server listens on for requests. We will create one interface for authentication and another for accounting.
  • NAS/Clients … specifies which RADIUS clients are allowed to send authentication requests to the server, and the shared secret they must use.

First, go to Interfaces and create two interfaces as shown below:

Next, create a client as shown in the image below. Remember the client shared secret; it will be used later.


4. Authentication server setup on pfSense

Next we need to create an authentication server entry so that pfSense sends requests to the RADIUS server upon client connection.

Navigate to “System” > “User Management” > “Authentication Servers”. Fill in the fields as shown below. The shared secret is the one you used to set up the RADIUS client:


5. OpenVPN setup on pfSense

The authentication system is ready, and we are now going to configure the VPN server. Navigate to “VPN” > “OpenVPN” > “Servers” and click “+Add”.

Fill in the fields as shown in the image below:

Most of the parameters can be kept at their defaults; the ones you need to change are:

  • Server mode: Remote Access (User Auth)
  • Backend for authentication: <authentication server you created in the previous step>
  • IPv4 Tunnel Network: any network you are not using in your production network
  • Redirect IPv4 Gateway … all traffic, including internet browsing, will pass through this pfSense once the client is connected. This is useful if the client needs a single static global IP for other access. If you don’t need this, uncheck it and specify which subnets are pushed to the client.

6. OpenVPN client exporter install

Configuring clients one by one is a tedious task. pfSense has a package called OpenVPN Client Export, which can be installed through the package manager.

Once the installation succeeds, you will see a new “Client Export” tab under OpenVPN. In “Hostname Resolution” select “Other”, fill in your global IP address in “Host Name”, then click “Save as default”. Once saved, click “Inline Configuration” and it will download the .ovpn configuration file.

7. Add Firewall rule to allow OpenVPN

We need to create the rules listed below:

  • A firewall rule to allow OpenVPN connections to the firewall from the internet
  • A firewall rule to allow OpenVPN clients to connect to somewhere else

For the first rule, create the firewall rule as below:

For the second rule, it depends on the usage. I made an extremely generous rule here to allow any communication. This means any communication, even to the internet, will also be allowed.

8. Add remote user(s)

Now it’s time to add users. Navigate to “Services” > “FreeRADIUS”, and add users.

  • Username … user name of your choice
  • Password … <blank>
  • One-Time Password … checked
  • OTP Auth Method … Google-Authenticator
  • Init-Secret … Click “Generate OTP Secret”
  • PIN … PIN of your choice
  • QR Code … Click “Generate QR Code”, and ask the user to scan it to register the OTP on their phone.

9. Set up the client VPN software and test

Once you have set up the client with the file you downloaded from the client exporter, you can use the credentials to connect to the VPN. Note that the password is the PIN followed by the OTP.

If everything has been set up correctly, you should be able to communicate with the internal resources as well as connect to the internet through GCP.

How to run AWS Client VPN with Multi Factor Authentication

In the previous post, I introduced AWS Client VPN with Simple AD. In May 2020, AWS introduced SAML federation. In this post, I will walk through the simplest deployment of AWS Client VPN with SAML federation.

What you can achieve after reading this post

  • Basic setup of Okta to integrate with AWS Client VPN
  • Basic setup of AWS Client VPN using SAML federation

What is the expected result

  • Easy user management in Okta, not in AWS nor in a separate AD
  • Multi-factor authentication on AWS Client VPN
  • Managed client VPN access to your VPC environment

Walkthrough chart

  1. Generate certs and keys using easy-rsa, and register them on ACM
  2. Deploy AWS resources as in here
  3. Setup Okta to integrate with AWS Client VPN
  4. Deploy AWS Client VPN Endpoint
  5. Install AWS-provided client onto PC and test
  6. Delete all test resources.

1. Generate Certificate and Keys

You need to generate a certificate and keys for the server side of the client VPN. You can follow the official steps here.

git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full lab_server nopass
mkdir ~/temp_folder
cp pki/ca.crt ~/temp_folder/
cp pki/issued/lab_server.crt ~/temp_folder/
cp pki/private/lab_server.key ~/temp_folder/
cd ~/temp_folder/

Once they are generated, register them in AWS Certificate Manager (ACM). Note that you need to register them in the region where you are going to have your VPN connection.

aws acm import-certificate --certificate file://lab_server.crt --private-key file://lab_server.key --certificate-chain file://ca.crt --region us-east-1

If the command returns an ARN, the certificate/key has been registered successfully on ACM.


2. Deploy test AWS resources

I have prepared Terraform files here for you to set up the lab resources. Once you apply the configuration, it will create the resources below in your environment:

  • 1x VPC
  • 1x t2.micro EC2 instance with a preloaded web server on Ubuntu 18.04

Change the necessary parameters, especially those in the providers.tf file, to suit your needs.


3. Setup Okta to integrate with AWS Client VPN

If you don’t have Okta, you can start a free trial here.

First, create an AWS Client VPN integration. Click “Application”, then select “Create New App”.

Then change the settings of the AWS Client VPN app as in the image below:

This step is optional, but if you would like to have MFA, add the rule.

Next, I create a user in Okta. You need to assign the AWS Client VPN app to this user, either individually or via a group.

In AWS, go to IAM and configure Okta as an identity provider.


4. Deploy AWS Client VPN Endpoint

In the Create Client VPN Endpoint wizard, you need to specify an IPv4 CIDR that is different from your existing VPC.

  • Server certificate ARN … select the ARN you received in step 1.
  • Authentication Options … select “Use user-based authentication” > “Federated authentication”
  • SAML provider ARN … select the identity provider ARN (Okta) you created in the previous step.
  • Enable split-tunnel … enable.

Once the endpoint is created, it needs to be associated with a subnet. Select the VPN endpoint and click “Associate”. Note that you will be charged once you associate the endpoint with a subnet.

  • VPC … the VPC in which you want to use this VPN endpoint
  • Subnet … the subnet in which you want to use this VPN endpoint

Now it’s associated with the subnet. The last step is to authorize access to the network resources from the VPN client. You can fine-grain user access to specific resources based on user groups in Okta, but I simply “Allow access to all users” for now.


5. Install AWS-provided client onto PC and test

You can download the configuration file from the AWS console.

Download the AWS-provided VPN Client from here and install it on your PC. Previously I used Tunnelblick, but it seems not to work with federation as of June 2020.

After you have installed the AWS-provided VPN Client, follow the manual to import the downloaded VPN config.

Once you click “Connect”, it will automatically pop up your default web browser and display the Okta authentication page.

If you didn’t enable MFA, you will be connected to AWS now. If you do have MFA enabled in Okta, it will prompt you to either:

  1. Set up MFA on the spot if this is the user’s first time connecting
  2. Enter the MFA token

If everything goes fine, you will see “Authentication details received, processing details. You may close this window at any time”, and you should be able to access the internal web server directly from your PC.

Secure and Easy Remote Work with Sophos UTM

I’m going to walk through how to set up remote access VPN on Sophos UTM. This post is intended for the minimum deployment and might not be very scalable, but the baseline is as below:

  • Clientless – no need to install client software on the PC
  • Secure – multi-factor authentication
  • Affordable – no need for an extra service or device

As the demand for remote access increases, IT needs to set up the environment quickly, and still cost-effectively.
Sophos UTM is one of the least expensive UTMs on the market, and it is ready for enterprise use.

In summary, the settings are as follows:

  1. Configure users
  2. Configure OTP
  3. (Optional) Configure the user portal
  4. Configure HTML5 VPN

First, you need to create users. This username is used by remote users to log in to the portal.

We use a TOTP-based token this time for multi-factor authentication (MFA). You just need to enable it.

We need to create an HTML5 VPN portal entry for every user in this case. First, add a “network definition” for the user’s PC at the office; I’m using an IP address here, but alternatively you can use a DNS name. Second, add the remote user, which you created at step 1, to “Allowed users” so that only that user can access each PC. And that’s all for the Sophos UTM setup.

Ask users to access the URL “https://”, and they should log in with the remote user name and password which you created at step 1.

Once users have logged into the portal, it should prompt them to register OTP. Users can use any TOTP-based application. In my case I used Google Authenticator, which is available via the Play Store/App Store for free. Scan the QR code, and it should now show the PIN.

Once done, users need to log in again. But this time the password is “password you created at step 1” + “PIN on the TOTP app” (e.g. secretpassword123456). Users should be able to see the user portal now.

Click “HTML5 VPN Portal”, and then click the name of the PC to connect to.

It pops up another window showing your PC desktop. Ask users not to shut down the PC, but simply to log off or close the window.
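The static password + TOTP PIN credential used here, and the PIN followed by OTP credential in the pfSense/FreeRADIUS post above, both rely on the server splitting one password field into a static part and a six-digit time-based code. The following is an added example, not Sophos UTM, pfSense or FreeRADIUS code, of how that check works with a standard RFC 6238 TOTP; the secret (the RFC 4226/6238 reference key), the PIN and the timestamps are constructed test values.

```python
# Added example: server-side check of a "static secret + TOTP" credential.
# Not pfSense/FreeRADIUS or Sophos UTM code; it illustrates the rule described
# on this page (password = PIN, or static password, followed by the OTP).
import base64
import hashlib
import hmac
import struct
import time

OTP_DIGITS = 6     # Google Authenticator default
OTP_STEP = 30      # seconds per TOTP window (RFC 6238 default)
ALLOWED_SKEW = 1   # accept one window either side to tolerate clock drift

# Constructed demo values: the RFC 4226/6238 reference key, base32-encoded as
# it would appear in the Init-Secret / QR code, and a made-up PIN.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
DEMO_PIN = "1234"


def hotp(secret_b32, counter, digits=OTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time):
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret_b32, int(unix_time // OTP_STEP))


def verify_credential(submitted, static_secret, secret_b32, unix_time=None):
    """Accept <static_secret><OTP> only if both halves match.
    Comparisons are constant-time and the OTP must fall within ALLOWED_SKEW
    steps of the server clock, so a captured credential expires quickly."""
    if unix_time is None:
        unix_time = time.time()
    if len(submitted) <= OTP_DIGITS:
        return False
    static_part, otp_part = submitted[:-OTP_DIGITS], submitted[-OTP_DIGITS:]
    if not (otp_part.isascii() and otp_part.isdigit()):
        return False
    static_ok = hmac.compare_digest(static_part.encode(), static_secret.encode())
    step = int(unix_time // OTP_STEP)
    otp_ok = False
    for delta in range(-ALLOWED_SKEW, ALLOWED_SKEW + 1):
        # Check every window so timing does not reveal which one matched.
        if hmac.compare_digest(hotp(secret_b32, step + delta).encode(), otp_part.encode()):
            otp_ok = True
    return static_ok and otp_ok


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; the SHA-1 code for T=59 ends in 287082
    code = totp(DEMO_SECRET_B32, now)
    print("OTP at T=59:", code)
    print("fresh login:", verify_credential(DEMO_PIN + code, DEMO_PIN, DEMO_SECRET_B32, now))
    print("replayed 2 min later:",
          verify_credential(DEMO_PIN + code, DEMO_PIN, DEMO_SECRET_B32, now + 120))
```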


Some UTMs require a separate subscription to use clientless VPN (e.g. Palo Alto), while Sophos UTM comes with most of the functions built into the box.

Please drop me a message if you encounter any problem. Thanks for reading!

AWS Client VPN with SimpleAD

In this post, I’m going to show how to set up AWS Client VPN from scratch, including Simple AD deployment.

AWS Client VPN can be used to connect to a private segment directly from your client. It is well documented in the official “AWS Client VPN Administrator Guide”.

In the VPN settings, there are two main parts you need to consider first:

  • Authentication … AWS Client VPN supports two types:
    • Active Directory authentication
    • Mutual (certificate) authentication
  • Authorization
    • Security groups
    • Network-based authorization (works with Active Directory authentication)

In my opinion, Active Directory authentication is more flexible and intuitive compared to mutual authentication. It doesn’t support MFA yet, but it provides user/password authentication and allows specific groups of users in AD to connect to the SSL VPN, which is a requirement of most clients.

The setup procedure is below:

  1. Generate certs and keys using easy-rsa, and register them on ACM
  2. Procure Simple AD
  3. Create users and groups on Simple AD
  4. Procure Client VPN Endpoint
  5. (Option) Configure a web server for connection test
  6. Configure OpenVPN client

By the end of this guide, the test environment looks like the diagram below:


1. Generate Certificate and Keys

You need to generate a certificate and keys for the server side of the client VPN first. You can follow the official steps here. It is not required to generate a client certificate/key because we use Active Directory authentication.

git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full lab_server nopass
mkdir /temp_folder
cp pki/ca.crt /temp_folder/
cp pki/issued/lab_server.crt /temp_folder/
cp pki/private/lab_server.key /temp_folder/
cd /temp_folder/

Once they are generated, register them in AWS Certificate Manager (ACM). Note that you need to register them in the region where you are going to have your VPN connection.

aws acm import-certificate --certificate file://lab_server.crt --private-key file://lab_server.key --certificate-chain file://ca.crt --region eu-west-1

If the command returns an ARN, the certificate/key has been registered successfully on ACM.


2. Procure Simple AD

Simple AD is not yet available in all regions. You can check availability here.

First, select “Simple AD”, then select the VPC and subnet in which you want this service.

Once created, wait a few minutes until the directory service is ready. Note the DNS address listed in the directory details; this information is required later to have the management server join this domain.


3. Create Users and Groups for VPN access

In order to manage this AD, I procure another Windows server (management server) in a public subnet.

For DNS configuration, you can either change the DHCP option set of your subnet or set the DNS servers statically on the server.

After the restart, reconnect to the server, this time with the domain administrator account – the password is the one you set during Simple AD setup. Install RSAT.

Launch “Active Directory Users and Computers”. If you logged in with the domain administrator account, you should be able to see your domain listed. I created two users, “shogo.kobayashi” and “john.smith”, and only “shogo.kobayashi” is a member of the “SSLVPN_USERS” group.


4. Procure Client VPN Endpoint

In the Create Client VPN Endpoint wizard, you need to specify an IPv4 CIDR that is different from your existing VPC.

  • Server certificate ARN … select the ARN you received in step 1.
  • Authentication Options … select “Use Active Directory authentication”
  • Directory ID … select the Directory ID you created in step 2.
  • DNS Server 1/2 IP Address … use the DNS IP addresses of your Simple AD

Associate this endpoint with your subnet in order to use it. Note that you will be charged once you associate the endpoint with a subnet. I used a private subnet for this.

  • VPC … the VPC in which you want to use this VPN endpoint
  • Subnet … the subnet in which you want to use this VPN endpoint

This step authorizes which networks are reachable for each group of users. In this lab, I created only one rule, which allows VPN connections to communicate with anyone in the network as long as the authenticated user is in the “SSLVPN_USERS” AD security group.

  • Destination network to enable … the network this group of users can access
  • Grant access to … Allow access to users in a specific Active Directory group
  • Active Directory Group ID … the SID of the SSLVPN_USERS group in AD

5. (Optional) Setup web server for connection test

We are going to set up a web server for the connection test. We use a VPC endpoint to retrieve the httpd packages because we want this server to be in the private subnet, where there is no direct internet connectivity.

And the minimum setup to bootstrap the web server:


6. Configure OpenVPN Client

You can download the configuration file from the AWS console.

Launch the OpenVPN client of your choice and use the configuration file you just downloaded. Note that you need to have the root CA certificate, which you generated in step 1, in the same folder as your configuration file.

Now you should …

  • be able to access the web server if you log in as a user who is a member of “SSLVPN_USERS”, and
  • not be able to access the web server if you log in as a user who is NOT a member of “SSLVPN_USERS”.

Terraform Basics – AWS / GCP / Aliyun

What is Terraform?

It’s a tool to create and manage infrastructure as code. Infrastructure includes not only servers but also network resources, e.g. DNS and load balancers. The benefits you get are as follows:

  • Versioning of your changes
  • Management of all services as a whole (orchestration)
  • Single management of multi-cloud platform
  • and so on …

Let’s Try

I make two compute instances, modify them, and finally delete all resources to demonstrate how to use Terraform, on AWS (Amazon Web Services), GCP (Google Cloud Platform) and Aliyun (Alibaba Cloud).

  1. Install Terraform
  2. Get credentials
  3. Create servers
  4. Modify servers
  5. Delete all procured resources

What is difference – network automation / configuration management

There are lots of network automation tools around. But do you know the difference between them? I’m going to introduce what you can achieve with each tool.

First of all, I want to classify network automation into three categories:

  1. Network Operation Automation … in the old days, you needed to log in to each device via SSH / Telnet to change its configuration. Tools in this category aim to automate these processes.
  2. Configuration Management … this includes not only version management (e.g. RANCID, Oxidized) but also host grouping (e.g. by AS number).
  3. Service Management … in the previous categories, each configuration is stored separately per device. In this category, configuration is split into services (e.g. SNMP community, NTP server settings) rather than devices, so you can control all the devices by service.

Cisco NSO – Create Service

In NSO, a service is defined in a YANG model. Once the YANG model is defined and compiled, it is then encoded to XML. There are a few variations for defining the encoding, such as “template only” and “python and template”. As the name suggests, template is the most basic pattern, and it directly maps the YANG model to XML, while with Python some arbitrary operation can be performed based on the YANG model before any values are passed to the XML encoding.

