copyright 2015 1
ElasticHosts Setup for VNS3
2015
ElasticHosts
Table of Contents
Introduction
ElasticHosts Deployment Setup
Requirements
• You have an ElasticHosts account. (For free ElasticHosts trials visit http://www.elastichosts.com/cloud-servers/free-trial/)
• You agree to the VNS3 Terms and Conditions (Free Edition | BYOL).
• You are able to configure a client (desktop based or cloud based) to run OpenVPN client software.
• You have a compliant IPsec firewall/router networking device:
Preferred: Most models from Cisco Systems*, Juniper, WatchGuard, Dell SONICWALL, Netgear, Fortinet, Barracuda Networks, Check Point*, Zyxel USA, McAfee Retail, Citrix Systems, Hewlett Packard, D-Link, Palo Alto Networks, OpenSwan, pfSense, and Vyatta.
Best Effort: Any IPsec device that supports IKEv1 or IKEv2; AES256, AES128 or 3DES; and SHA1 or MD5.
Within that list, prefer IKEv2, AES256 and SHA1 where the remote device offers them; 3DES and MD5 are legacy algorithms and should only be negotiated when the peer supports nothing stronger.
Getting Help with VNS3
This guide covers a very generic VNS3 setup in an ElasticHosts cloud computing facility.
If you are interested in more custom use cases and would like Cohesive to advise and
help set up the topology, contact [email protected] for services pricing.
Firewall Considerations
VNS3 Controller instances use the following TCP and UDP ports.
• UDP port 1194
For client VPN connections; the network ACL or hypervisor access rule for the VNS3 Controller must allow UDP port 1194 from all servers that will join the VNS3 topology as clients.
• UDP ports 1195-1197
For peering between VNS3 Controllers; must be accessible from all peers in a given topology. Free Edition and Lite Edition do not require UDP ports 1195-1197 to be open, as they are not licensed for Controller Peering (single Controller topologies).
• TCP port 8000
HTTPS admin interface and API; must be accessible from the hosts from which you will obtain runtime status or configure your VNS3 topology. It also needs to be open between Controllers, at least during the peering process, and must be reachable when downloading credentials for installation on overlay network clients. Restrict it to your administrative source addresses: this interface is protected only by the Web UI and API passwords set in the login section below.
• UDP port 500 and UDP port 4500
IPsec: IKE negotiation uses UDP 500 and NAT-Traversal encapsulated ESP uses UDP 4500. Open both from any remote IPsec endpoint that will terminate a tunnel on the Controller. (Azure, for example, supports only NAT-Traversal encapsulation and not native IPsec connections into its cloud.)
Sizing Considerations
Image Size and Architecture
VNS3 Controller Images are available as 64-bit images to allow the greatest flexibility for your use case. We recommend Controller instances be launched with at least 512MB of RAM. Smaller sizes are supported, but performance will depend on the use case.
Clientpack Key Size
VNS3 Controllers currently generate 1024-bit keys for connecting clients to the overlay network via the “clientpacks”. Smaller or larger keys can be provided upon request (from 64-bit to 2048-bit). Note that 1024-bit keys are below current guidance for new deployments; request 2048-bit clientpacks where your clients support them, and keep the smaller sizes for test environments only.
Remote Support
Note that TCP 22 (SSH) is not required for normal operations.
Each VNS3 Controller runs a restricted SSH daemon, with access limited to Cohesive for debugging purposes and controlled by the user via the Remote Support toggle and key exchange generation.
In the event Cohesive needs to observe the runtime state of a VNS3 Controller in response to a tech support request, we will ask you to open Security Group access to SSH from our support IP range and to enable Remote Support via the Web UI.
Cohesive will send you an encrypted passphrase to generate a private key used by Cohesive Support staff to access your Controller. Access to the restricted SSH daemon is completely controlled by the user. Once the
ElasticHosts Deployment Setup
ElasticHosts Configuration: Select VNS3 Template
Log in to your ElasticHosts (EH) account at the data center where you wish to run VNS3.
Below the “Control Panel” menu item there is an “Add” menu. Click on “Add” and then select “Server (VM)”. The “Add Server (VM)” dialogue will pop up.
Give your VNS3 instance a name, at least 1GB of memory and 10GB of disk. Choose a type of “Pre-installed system”, then click on the “Image” drop-down menu, where you will find the free edition as well as the “UL” or bring-your-own-license edition.
ElasticHosts Configuration: Public IP Access
In ElasticHosts (EH) an instance can have a public IP on eth0 and a private VLAN IP on eth1. When you create a VLAN at EH you do not define a specific subnet mask. Clients launched with “eth1” connected to a VLAN must have addresses in the same subnet in their local configurations. This is very different from most cloud implementations, but incredibly flexible.
As a result VNS3 can be used as an Internet Gateway, sitting at a private VLAN edge, providing NAT and port forwarding for the other devices in the private VLAN.
Create an ElasticHosts Private VLAN
From the “Create server” dialogue, scroll down to Network, select the “Connect” menu, and choose “to Private Network”.
Select the private network you require and click on Save.
Launch a VNS3 Controller
After creating your server you can then configure it.
On the server configuration page you can set the display name of the instance, in this case “MyVNS3Controller”.
You can select from your available static public IPs shown in the pop-up menu, or choose “Dynamic IP - Assigned at Boot” to get a public IP that is not static.
In the lower right corner there are “Advanced Options”. In this section you pick the Private VLAN that you want to connect this VNS3 Controller instance to. In the section marked “VLAN” use the drop-down menu to pick the VLAN for use, in this case “MyFavoriteVLAN”.
VNS3 Controller Log in
Log in to the VNS3 Web UI at https://<Controller IP>:8000. Default username: vnscubed. Default password: vnscubed.
Reset your passwords:
• Reset the Web UI password. The default credentials are published in this guide, so anyone who can reach TCP 8000 on the Controller can try them; change the password before exposing the Controller to the Internet.
• NOTE: Your VNS3 Controller answers API calls on the same port 8000 as the web interface. Ideally set a separate password for API usage against the Controller.
• Reset the API password for the same reason; making it different from the web interface password is best, so that a leaked automation credential does not also give interactive admin access.
• NOTE: Cohesive Networks does not have any key access or remote access to your VNS3 Controllers unless provided by you. If you forget these passwords we cannot recover them for you.
Configure VNS3 for the VLAN
Before any other configuration steps on your VNS3 Controller, configure it for the ElasticHosts (EH) Private VLAN.
Select the “Private VLAN” menu item under the “Admin” section.
(Remember: at ElasticHosts the VLAN is defined “collectively” by the addresses assigned to the instances in the VLAN.) The instances in the VLAN must be configured with the same subnet mask.
In this case we are de facto making the VLAN a 192.168.10.0/24 subnet. This is done by setting an address for the VNS3 Controller’s private IP (192.168.10.1) and then setting a network mask for the entirety of the subnet (255.255.255.0, which translates to a /24).
Configure EH Hosts to use VNS3 as Internet Gateway
WARNING
Do not configure EH VLAN hosts to use VNS3 as an Internet Gateway until the VNS3 instance is fully configured with Private VLAN settings and the firewall rules for NAT installed. If you have public IPs temporarily assigned to your EH VLAN hosts and create a route to the VNS3 Controller as the gateway to 0.0.0.0/0, you will most likely lose connectivity until the VNS3 configuration is complete, including the port forwarding needed to SSH or RDP into the VLAN host through the VNS3 Controller.
The following page on the ElasticHosts website describes the process for configuring EH VLAN hosts: http://www.elastichosts.com/support/tutorials/set-up-a-vlan/
After bringing up the “eth1” interface and configuring the network interface information (an address in the VLAN subnet, here 192.168.10.0/24, with the same netmask as the Controller), restart networking. In this instance, using Ubuntu, the command is the one used in the EH documentation linked above. The setup is comparable but a bit different on RedHat based hosts.
Configure VNS3 as Internet Gateway
In order to configure VNS3 as the Internet Gateway the following firewall rules need to be entered. (The example continues assuming the VLAN is 192.168.10.0/24.)

# Allow traffic to/from the VLAN to this VNS3 Controller
INPUT_CUST -s 192.168.10.0/24 -j ACCEPT
OUTPUT_CUST -d 192.168.10.0/24 -j ACCEPT

# NAT traffic from the VLAN that is using this VNS3 Controller as Internet Gateway
MACRO_CUST -o eth0 -s 192.168.10.0/24 -d 0.0.0.0/0 -j MASQUERADE

# Port forward traffic to my 192.168.10.2 host
PREROUTING_CUST -i eth0 -p tcp -s 0.0.0.0/0 --dport 33 -j DNAT --to 192.168.10.2:22

Assuming your VLAN host is like the example, at 192.168.10.2, and is accessible via SSH, the firewall is now configured to NAT traffic for any VLAN host that uses the Controller as its Internet Gateway, and the last rule shows how to port forward traffic into the VLAN through the VNS3 Controller. Note that the port forward as written accepts connections from any source (-s 0.0.0.0/0), which exposes the host’s SSH service to the whole Internet on TCP 33; in production restrict -s to your administrative address range, and make sure any access rule in front of the Controller also allows TCP 33 from that range.
Configure EH Hosts Route to VNS3 Controller
WARNING
Do not add this route until the VNS3 Controller’s Private VLAN settings and NAT firewall rules from the previous sections are in place; otherwise the host will most likely lose connectivity, including the port-forwarded SSH or RDP access through the Controller.
The last step, after all the previous steps are complete, is to enter a route on the EH VLAN host pointing to the VNS3 Controller’s private IP as the gateway to the Internet.
On the EH host enter:
ip route add 0.0.0.0/0 via 192.168.10.1
(The address 192.168.10.1 is used because in this example that is the VNS3 Controller’s private IP.)
You should now be able to reach Internet resources even without a public IP attached to the EH host. Routes added with ip route do not survive a reboot; persist the gateway in the host’s network interface configuration once you have confirmed it works.
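The Controller firewall rules in the previous section and the host-side steps in this one share one trap: ElasticHosts never defines the VLAN’s subnet mask, so the Controller, each VLAN host and the gateway address must agree on it by configuration alone. The following POSIX shell script is an added example, not code from this guide, from VNS3 or from Cohesive; it checks that agreement before emitting the VNS3 firewall rules (with the port forward limited to an administrative source range instead of 0.0.0.0/0) and the ip commands for the EH host. The VLAN 192.168.10.0/24, the Controller IP 192.168.10.1, the host 192.168.10.2 and the 33-to-22 port forward are the guide’s example values; the admin range 203.0.113.0/24 and the name eth1 for the host’s VLAN interface are assumptions made for the example.

```shell
#!/bin/sh
# Added example for the ElasticHosts VLAN-edge setup described in this guide.
# Not part of VNS3 or the guide. Assumed values: VLAN 192.168.10.0/24,
# Controller private IP 192.168.10.1, VLAN host 192.168.10.2, admin source
# range 203.0.113.0/24 (constructed), host VLAN interface eth1.
# POSIX sh: no arrays, no 'local'; helper variables are global on purpose.

# ip4_to_int DOTTED-QUAD -> 32-bit integer (192.168.10.2 -> 3232238082)
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask_to_prefix NETMASK -> prefix length; fails on non-contiguous masks
# (255.255.255.0 -> 24, 255.0.255.0 -> error)
mask_to_prefix() {
    m=$(ip4_to_int "$1")
    n=0
    while [ $(( m & 0x80000000 )) -ne 0 ]; do
        n=$(( n + 1 ))
        m=$(( (m << 1) & 0xFFFFFFFF ))
    done
    [ "$m" -eq 0 ] || return 1   # a 0 bit followed by 1 bits is not a netmask
    echo "$n"
}

# in_cidr ADDR NETWORK/PREFIX -> success if ADDR lies inside the block
in_cidr() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    plen=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# vns3_gateway_rules VLAN_CIDR ADMIN_CIDR HOST EXT_PORT INT_PORT
# Emits the Controller firewall rules from the guide, but limits the DNAT
# port forward to ADMIN_CIDR rather than 0.0.0.0/0, and refuses a forward
# target that is not inside the VLAN.
vns3_gateway_rules() {
    vlan=$1 admin=$2 host=$3 ext=$4 int=$5
    in_cidr "$host" "$vlan" || { echo "error: $host is not in $vlan" >&2; return 1; }
    cat <<EOF
# Allow traffic to/from the VLAN to this VNS3 Controller
INPUT_CUST -s $vlan -j ACCEPT
OUTPUT_CUST -d $vlan -j ACCEPT
# NAT traffic from the VLAN that uses this VNS3 Controller as Internet Gateway
MACRO_CUST -o eth0 -s $vlan -d 0.0.0.0/0 -j MASQUERADE
# Port forward from the public interface to $host, admin range only
PREROUTING_CUST -i eth0 -p tcp -s $admin --dport $ext -j DNAT --to $host:$int
EOF
}

# eh_host_commands HOST_ADDR NETMASK GATEWAY
# Emits the commands to run (as root) on the EH VLAN host after the
# Controller is configured. Refuses a gateway outside the host's own subnet,
# the misconfiguration that EH's "no mask on the VLAN" model makes easy.
eh_host_commands() {
    plen=$(mask_to_prefix "$2") || { echo "error: bad netmask $2" >&2; return 1; }
    in_cidr "$3" "$1/$plen" || { echo "error: gateway $3 is not in $1/$plen" >&2; return 1; }
    cat <<EOF
ip addr add $1/$plen dev eth1
ip link set eth1 up
ip route add 0.0.0.0/0 via $3
EOF
}

# Walk through the guide's example topology.
vns3_gateway_rules 192.168.10.0/24 203.0.113.0/24 192.168.10.2 33 22
echo
eh_host_commands 192.168.10.2 255.255.255.0 192.168.10.1
```

The script touches nothing on the network; it only prints lines to review and then paste into the Controller’s firewall page and the host console, in that order, which is the ordering the warnings in this guide insist on. The mask check also rejects non-contiguous masks such as 255.0.255.0, which some interface configuration tools accept silently and which would put the host in a different “subnet” from the Controller even though the dotted addresses look right.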
VNS3 Configuration Document Links