Rockhopper VPN (REMOTE ACCESS EXAMPLE)

VPN example: [IPv4 and IPv6] Remote Access VPN, Bridge, One-armed, Behind a NAT/NAPT and Pre-Shared Key(client)/certificate(gateway, PEM/Base64-encoded X.509).

The following image shows example network for this scenario.

Ubuntu is installed on VPN Gateway(Bridge/Remote Accss Server), Remote Access Client, Internal host/Internal DNS server, Router1(Source NAPT) and Router2(Destination NAPT or Port Forwarding).

Rockhopper VPN software is installed on Remote Access Client and VPN Gateway. VPN is connected between these two nodes. VPN Gateway works as a bridge between Remote Access Client and protected network(LAN, 192.168.0.0/24 and 2001:db8::/64) and is configured as a one-armed gateway.

Pre-Shared Key(PSK) is used as an authentication method for Remote Access Client and RSA-Signature(certificate) is used for VPN Gateway.

Remote Access Client and VPN Gateway are located behind a NAT(NAPT). Router1 and Router2 provide NAT/NAPT(Network Address Port Translation) service or Port Forwarding service for them.

Though the following configuration is for bridging, you can apply similar configuration for a Routing-based VPN confinguration.

sample0

rhpvif10 on Remote Access Client and VPN Gateway: A virtual interface(a Tunnel/TAP interface) to access internal network. "10" is the VPN realm ID. This interface is automatically created by Rockhopper VPN service and configured not by system tools like ifconfig command but by Rockhopper Web console.

br0 on VPN Gateway: A bridge interface linking eth0 and rhpvif10 interfaces as ports. This interface is managed by brctl command in the bridge-utils package. You need to manually link eth0 with br0 by brctl command, while rhpvif10 is automatically linked with br0 by Rockhopper VPN service.

eth0 and/or eth1 on each host: Real interfaces to access physical network.

A VPN realm is a security domain for group members to share the same security policy and VPN configuration. For instance, you can define the VPN realm "10" for a sales team and the other VPN realm "20" for a developing team.

Advance preparation:

- VPN Gateway(gateway1.example.com):

# sudo brctl addbr br0
# sudo brctl addif eth0
# sudo ip addr add 192.168.0.100/24 brd + dev br0
# sudo ip -6 addr add 2001:db8::100/64 dev br0

# sudo ip route add default via 192.168.0.10
# sudo ip -6 route add default via 2001:db8::10

Please see also "man 8 brctl" for more details to setup a bridge interface.
If you manually setup a bridge interface after configuring Rockhopper, please restart Rockhopper like this:
# sudo /etc/init.d/rockhopper restart
or
# sudo systemctl restart rockhopper

- Router1(Port Forwarding):

# sudo ip addr add 10.0.0.1/24 brd + dev eth0
# sudo ip -6 addr add 2001:db8:10::1/64 dev eth0
# sudo ip addr add 192.168.0.10/24 brd + dev eth1
# sudo ip -6 addr add 2001:db8::10/64 dev eth1
# sudo sysctl net.ipv4.ip_forward=1
# sudo sysctl net.ipv6.conf.all.forwarding=1

Forward packets destinated to 10.0.0.1:500(Router1) to 192.168.0.100:500(VPN Gateway).
# sudo iptables -t nat -A PREROUTING -p udp --dst 10.0.0.1 --dport 500 -j DNAT --to-destination 192.168.0.100:500
Forward packets destinated to 10.0.0.1:4500(Router1) to 192.168.0.100:4500(VPN Gateway).
# sudo iptables -t nat -A PREROUTING -p udp --dst 10.0.0.1 --dport 4500 -j DNAT --to-destination 192.168.0.100:4500

Forward packets destinated to [2001:db8:10::1]:500(Router1) to [2001:db8::1]:500(VPN Gateway).
# sudo ip6tables -t nat -A PREROUTING -p udp --dst 2001:db8:10::1 --dport 500 -j DNAT --to-destination [2001:db8::100]:500
Forward packets destinated to [2001:db8:10::1]:4500(Router1) to [2001:db8::1]:4500(VPN Gateway).
# sudo ip6tables -t nat -A PREROUTING -p udp --dst 2001:db8:10::1 --dport 4500 -j DNAT --to-destination [2001:db8::100]:4500

- Router2(Source NAPT):

# sudo ip addr add 10.0.0.10/24 brd + dev eth0
# sudo ip -6 addr add 2001:db8:10::10/64 dev eth0
# sudo ip addr add 192.168.2.1/24 brd + dev eth1
# sudo ip -6 addr add 2001:db8:2::1/64 dev eth1
# sudo sysctl net.ipv4.ip_forward=1
# sudo sysctl net.ipv6.conf.all.forwarding=1

Exec NAPT for packets from private network(192.168.2.0/24).
# sudo iptables -t -nat -A POSTROUTING -o eth0 -j MASQUERADE --random -s 192.168.2.0/24

Exec NAPT for packets from private network(2001:db8:2::/64).
# sudo ip6tables -t -nat -A POSTROUTING -o eth0 -j MASQUERADE --random -s 2001:db8:2::/64

If you need DHCPv4 and IPv6 Router Advertisement services, install Dnsmasq and radvd for example.

# sudo apt-get install radvd
# sudo touch /etc/radvd.conf
# sudo vi /etc/radvd.conf

interface eth1
{
  AdvSendAdvert on;
  MaxRtrAdvInterval 60;
  prefix 2001:0db8:2::/64 { };
};

# sudo /etc/init.d/radvd restart

- Internal host/Internal DNS server:

# sudo ip addr add 192.168.0.101/24 brd + dev eth0
# sudo ip -6 addr add 2001:db8::101/64 dev eth0

Above configuration will be lost after you restart your computer. To setup permanent configuration, you can edit /etc/network/interface like this. This is an example for VPN Gateway(gateway1.example.com) on Ubuntu.

- /etc/network/interfaces (Ubuntu)

auto eth0
iface eth0 inet manual
up ip link set dev eth0 promisc on

auto br0
iface br0 inet static
address 192.168.0.100
network 192.168.0.0
netmask 255.255.255.0
gateway 192.168.0.10
broadcast 192.168.0.255
bridge_ports eth0
bridge_stp off
bridge_maxwait 10

iface br0 inet6 static
address 2001:db8::100
netmask 64
gateway 2001:db8::10

- A certificate file and a Private-Key file for VPN Gateway and a CA certificate file:
    - VPN Gateway(Bridge): gateway1.example.com-cert.pem (X.509, PEM/Base64-encoding)
    - VPN Gateway(Bridge): gateway1.example.com-pkey.pem (RSA Private Key, PEM/Base64-encoding)
    - CA: TestCa-cacert.pem (X.509, PEM/Base64-encoding)

   The certificate(X.509) for VPN Gateway includes a subjectAltName(Host name/FQDN).
   - gateway1.example.com (Host name/FQDN)

See "Documents/Tips: Managing certificates by XCA" to the create each PEM file. Of course, you can use a PKCS#12 file for VPN Gateway instead of PEM files. See "Documents/Bridge(Virtual Ethernet over IPsec) and certificate (PKCS#12/X.509, *.p12)."

Configuring VPN:

VPN Gateway(gateway1.example.com):

Open Rockhopper Web console on http://127.0.0.1:32501 (by default) by Firefox.
Login with administrator's name and password (by default, admin and secret).
If VPN Configuration tab is not shown, uncheck Hide configuration tabs checkbox.
Add a new VPN realm.
- VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

- Click Add VPN Realm button.

- Add a VPN Realm[Dialog]: Enter the following, then click OK button.

Realm ID: 10
Realm Name: "Example VPN"
Description: "Config for Example VPN."
Mode: Bridge
Setup VPN Interface.
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree]
> VPN Interface[Left-Tree]: Click this tree node and show VPN Tunnel/TAP Interface pane.

- Enter or select the following.

Internal Address Type: Unnumbered(for bridging)
Linked Bridge Name: br0

- If Remote Access Client communicates with hosts on other subnets like 192.168.1.0/24, enter the following router's addresses. VPN Gateway will forward decrypted packets destinated to other subnets to the router(192.168.0.1 and 2011:db8::1).

Internal Gateway's Address (optional) > IPv4: 192.168.0.1
Internal Gateway's Address (optional) > IPv6: 2001:db8::1
Setup Network Interface.
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree]
> Network Interface[Left-Tree]: Click this tree node and show Network Interface pane.

- Uncheck Use default route and enter the followings.
    Primary interface:
      - Name: Select br0 as a source interface and IPv4 and IPv6.

- Uncheck Destination NAT Address (MOBIKE Responder) and enter the followings.
    Primary interface:
      Dest NAT IPv4 Address: 10.0.0.1 (Router1's global address[eth0])
      Dest NAT IPv6 Address: 2001:db8:10::1 (Router1's global address[eth0])

   By the above settings, a remote client is notified of a Router1's global address as a MOBIKE additional address.
Setup Service.
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree]
> Service[Left-Tree]: Click this tree node and show Service pane.

- Network Deployment: Select Hub(Concentrator) Node.

- Remote Configuration(IKEv2): Select Remote Configuration Server.
Setup Remote Config Server.
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree]
> Service[Left-Tree] > Remote Config Server[Left-Tree]:

Click this tree node and show Remote Config Server(IKEv2) pane.
Setup Remote Config Server - Internal Address Pool.

- Remote Config Server(IKEv2)[Pane] > Internal Address Pool[Tab]:
Click Add Address Pool button.

- Add a New Address Pool[Dialog]: Enter the following, then click OK button.

Address Type: IPv4 Address Range
IPv4 Address Range: 192.168.0.20 - 192.168.0.30

Similarly, add the following for IPv6.

Address Type: IPv6 Address Range
IPv6 Address Range: 2001:db8::20 - 2001:db8::2a
Setup Remote Config Server - Internal Route Map.

- Remote Config Server(IKEv2)[Pane] > Internal Route Map[Tab]:
Enter the following as Internal router's addresses.

Gateway Address > IPv4: 192.168.0.1
Gateway Address > IPv6: 2001:db8::1

- Click Add Destination Network button.
Add a New Internal Route[Dialog]: Enter the following, then click OK button.

IP Version: IPv4
Destination IPv4 Network: 192.168.1.0
Netmask: 255.255.255.0

Similarly, add the following internal route for IPv6.

IP Version: IPv6
Destination IPv6 Network: 2001:db8:1::
Prefix: 64
Setup Remote Config Server - Internal DNS.

- Remote Config Server(IKEv2)[Pane] > Internal DNS[Tab]:
Enter the following as Internal DNS server's addresses.

DNS Server's Address > IPv4: 192.168.0.101
DNS Server's Address > IPv6: 2001:db8::101

- Click Add DNS Suffix button.
Add a New DNS Suffix[Dialog]: Enter the following, then click OK button.

DNS Suffix: .example.com
Setup My Key Store.
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree]
> My Key Store[Left-Tree]: Click this tree node and show My Key Store pane.

- Enter the following.

Authentication Method: RSA Signature(RSA-Sig)
My ID Type: auto
Key Format: PEM(Base64-encoding) - File
My Certificate(X.509, *.pem): gateway1.example.com-cert.pem
RSA private key(*.pem): gateway1.example.com-pkey.pem
RSA Private Key's Password: himitsu
Setup Peers' Key Store.
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree]
> Peers' Key Store[Left-Tree]: Click this tree node and show Peers Key Store pane.

- Click Add Peer's Key/Password button.

Add a New Peer's Key[Dialog]: Enter the following, then click OK button.

Peer ID Type: IKEv2: Host Name(FQDN)
Peer ID: remoteclient1.example.com
Pre-Shared Key(PSK): 1234567890
Setup CA Certificate/CRL.
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree]
> CA Certificate/CRL[Left-Tree]: Click this tree node and show CA Certificate/Certificate Revocation List(CRL) pane.

- Enter the following.

Certificate/CRL Format: PEM(Base64-encoding) - File
CA Certificates(X.509, *.pem): TestCA-cacert.pem
Save this realm's configuration.
- VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

- Click Save Configuration button.

Remote Access Client(remoteclient1.example.com):

- Version: 0.2.b1-021 or later

Open Rockhopper Web console on http://127.0.0.1:32501 (by default) by Firefox.
Login with administrator's name and password (by default, admin and secret).
If VPN Configuration tab is not shown, uncheck Hide configuration tabs checkbox.
Add a new VPN realm.
- VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

- Click Add VPN Realm button.
Add a VPN Realm[Dialog]: Enter the following, then click OK button.

Realm ID: 10
Realm Name: "Example VPN"
Description: "Config for Example VPN."
Mode: Remote Client
Setup Destination.
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > Destination[Left-Tree]: Click this tree node and show Destination (Concentrator / Gateway) pane.

- Enter the following. This expects a public DNS server to provide both IPv4 and IPv6 addresses as gateway1.example.com's addresses (Router1's global addresses). Also, you can edit /etc/hosts file.

Destination Address: Host Name(FQDN) and gateway1.example.com

Of course, you can specify an VPN Gateway's IPv4 or IPv6 address (Actually, it is a Router1's public IPv4 or IPv6 address).
Setup My Key Store.
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree]
> My Key Store[Left-Tree]: Click this tree node and show My Key Store pane.

- Enter the following.

Authentication Method: Pre-Shared Key(PSK)
My ID Type: Host Name(FQDN)
My ID: remoteclient1.example.com
Pre-Shared Key(PSK): 1234567890
Setup CA Certificate/CRL.
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree]
> CA Certificate/CRL[Left-Tree]:
Click this tree node and show CA Certificate/Certificate Revocation List(CRL) pane.

- Enter the following.

Imported Certificate/CRL Format: PEM(Base64-encoding) - File
CA Certificates(X.509, *.pem): TestCA-cacert.pem
Save this realm's configuration.
- VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

- Click Save Configuration button.

- Advanced Settings

Open Rockhopper Web console on http://127.0.0.1:32501 (by default) by Firefox.
Login with administrator's name and password (by default, admin and secret).
If VPN Configuration tab is not shown, uncheck Hide configuration tabs checkbox.
Add a new VPN realm.
- VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

- Click Add VPN Realm button.
Add a VPN Realm[Dialog]: Enter the following, then click OK button.

Realm ID: 10
Realm Name: "Example VPN"
Description: "Config for Example VPN."
Mode: Remote Client

- Check Advanced Settings. (Version: 0.2.b1-021 or later)
Setup VPN Interface.
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree]
> VPN Interface[Left-Tree]: Click this tree node and show VPN Tunnel/TAP Interface pane.

- Enter the following.

Internal Address Type: Auto(IKEv2 Configuration)
Setup Network Interface.
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree]
> Network Interface[Left-Tree]: Click this tree node and show Network Interface pane.

- Check Use default route.
or
- Uncheck Use default route and enter the followings.
Primary interface:
- Name: Select eth0 as a source interface.
Setup Service.
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree]
> Service[Left-Tree]: Click this tree node and show Service pane.

- Network Deployment: Select Spoke Node/Other.

- Remote Configuration(IKEv2): Select Remote Access Client.
Setup My Key Store.
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree]
> My Key Store[Left-Tree]: Click this tree node and show My Key Store pane.

- Enter the following.

Authentication Method: Pre-Shared Key(PSK)
My ID Type: Host Name(FQDN)
My ID: remoteclient1.example.com
Pre-Shared Key(PSK): 1234567890
Setup Peers.
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree]
> Peers[Left-Tree]: Click this tree node and show Peers pane.

- Click Add Peer button.
Add a New Peer[Dialog]: Enter the following, then click OK button.

Peer ID Type: IKEv2: Host Name(FQDN)
Peer ID: gateway1.example.com
Setup the Peer's information.
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree]
> Peers[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]:
Click this tree node and show Peer: gateway1.example.com(FQDN) pane.

- Enter the following.

Peer's Address: IPv6 and 2001:db8:10::1 (Router1's global address[eth0])
Secondary IP Address: IPv4 and 10.0.0.1 (Router1's global address[eth0])

This peer's Network Deployment: Hub(Concentrator) Node
Setup CA Certificate/CRL.
- VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree]
> CA Certificate/CRL[Left-Tree]:
Click this tree node and show CA Certificate/Certificate Revocation List(CRL) pane.

- Enter the following.

Imported Certificate/CRL Format: PEM(Base64-encoding) - File
CA Certificates(X.509, *.pem): TestCA-cacert.pem
Save this realm's configuration.
- VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

- Click Save Configuration button.

Connecting VPN (remoteclient1.example.com):

Open Remote Access Client's Web console on http://127.0.0.1:32501 (by default) by Firefox.
Login with administrator's name and password (by default, admin and secret).
Top [Tab] > 10:Example VPN[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]: Click this tree node and show 10: gateway1.example.com(FQDN) pane.
Click Connect VPN button.