HyperCloud Gateway Appliance

Overview

The HyperCloud Gateway Appliance is a high-performance, lightweight virtual machine that functions as a router, firewall, or VPN endpoint. It is intended for use inside a tenant network where a virtual router / firewall appliance such as the Cisco ASAv would normally be deployed.

High Level Features

  • Packet Forwarding (Routing) (IPv6 and IPv4)
  • Firewall (IPv6 and IPv4)
  • VPN Endpoint Compatible with the following clients:
    • OpenConnect
    • Cisco AnyConnect
  • NTP Daemon (Defaults to time.nist.gov, but can be updated using STARTUPSCRIPT)
  • Recursive DNS Service (Using configured name servers from Network Contextualization)
  • High availability using Virtual Router Redundancy Protocol when deployed in a pair
  • IPsec Tunnel Service

Supported VM Attributes and Usage

All of the below are optional attributes:

FQDN

Set to the DNS FQDN (already published in DNS) of a PUBLICLY REACHABLE IPv4 and/or IPv6 address if you want to use Let's Encrypt rather than a self-signed certificate for VPN access.

Info

If using high availability, point the FQDN at the static IP assigned to the appliance, not at the floating IP.

Each appliance functions as an individual unit in VPN gateway mode. Either can be used as a VPN gateway, and the VPN client can be configured to connect to both in a failover configuration.

VPNUSERS

Set to a base64-encoded, space-delimited list of username:password entries for all VPN users. This attribute is reread and applied every minute. Passwords cannot contain ":" or " " characters.

Example

Plain text (two users, space-delimited):

kvanalstyne:P@$$word spercle:)(@#KDSL23l45

Base64-encoded attribute value:

a3ZhbmFsc3R5bmU6UEAkJHdvcmQgc3BlcmNsZTopKEAjS0RTTDIzbDQ1Cg==
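As an added example (not part of the appliance or its tooling), a small Python helper that enforces the ":" and " " restrictions, produces the attribute value the way `echo ... | base64` does (trailing newline included, which is why the value above ends in Cg==), and parses an existing value back for review:

```python
import base64


def encode_vpnusers(users):
    """Validate {username: password} and return the VPNUSERS attribute value.

    Raises ValueError for any character that would break the ':'/' ' delimited
    format, since the appliance would otherwise mis-parse the entry silently.
    """
    pairs = []
    for name, password in users.items():
        if not name or ":" in name or " " in name:
            raise ValueError(f"invalid username {name!r}")
        if not password or ":" in password or " " in password:
            raise ValueError(f"password for {name!r} contains ':' or ' '")
        pairs.append(f"{name}:{password}")
    # Trailing newline mirrors `echo | base64`, matching the page's example value.
    return base64.b64encode((" ".join(pairs) + "\n").encode()).decode()


def decode_vpnusers(attr):
    """Parse an attribute value back into {username: password} for auditing."""
    users = {}
    for entry in base64.b64decode(attr).decode().split():
        name, sep, password = entry.partition(":")  # split on the first ':' only
        if not sep or not name or not password:
            raise ValueError(f"malformed entry {entry!r}")
        users[name] = password
    return users
```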

STARTUPSCRIPT

Set to a base64 encoded script to run on boot. This can include anything, but examples include:

  • iptables / ip6tables rules to supplement the orchestrator's security groups.
  • Addition of SSH keys to /home/root/.ssh/authorized_keys for service accounts that scan the appliance.
  • Enabling IPv6 packet forwarding.
  • Creation of /etc/ocserv/ocpasswd containing hashed passwords instead of the base64 VPNUSERS list, so that an administrator who can read VM attributes cannot recover the (merely obfuscated) user passwords.
  • Creation of iptables / ip6tables NAT rules if using the appliance as a NAT router.
  • Configuration of RADIUS for VPN users rather than the local user database. (See SPECIAL NOTES below.)
  • Configuration of IPsec tunnels, sometimes called Site-to-Site or LAN-to-LAN tunnels. (See SPECIAL NOTES below.)

PEERIPS (Peer IPs)

Set to a space-delimited list of pair router IP addresses if deployed in a high availability pair. Include the static IPs of the pair node's interfaces you want to configure VRRP for. Be sure to complete this on both nodes in the HA pair.

Ports and Protocols

  1. 22/tcp

    Required to be allowed inbound on public interface if SSH management desired.

  2. 53/tcp

    Required to be allowed on internal interfaces to allow for DNS resolution. MUST be BLOCKED on any external interfaces.

  3. 53/udp

    Required to be allowed on internal interfaces to allow for DNS resolution. MUST be BLOCKED on any external interfaces.

  4. 80/tcp

    Required to be allowed inbound on public interface if using Let's Encrypt for SSL certificate issuance.

  5. 123/udp

    Required to be allowed on internal interfaces to allow for NTP services. MUST be BLOCKED on any external interfaces.

  6. 443/tcp

    Required to be allowed inbound on public interface if using as VPN endpoint.

  7. 443/udp

    Required to be allowed inbound on public interface if using as VPN endpoint. (For DTLS tunnel.)

  8. ICMP

    Recommended to be allowed inbound on all interfaces to allow for network troubleshooting, path MTU discovery, etc.

  9. ICMPv6

    Recommended to be allowed inbound on all interfaces to allow for network troubleshooting, path MTU discovery, etc.

  10. ALL

    Required between high availability pair nodes to allow for the Virtual Router Redundancy Protocol (VRRP) to function properly.

  11. ALL

    Required from source IP addresses used for IPsec tunnels in order for IPsec to function properly.

Danger

Use extreme caution not to expose internal-only services such as NTP and recursive DNS to the internet!

The easiest way to accomplish this is to create a security group dedicated to the outside-facing traffic of both appliances and, once the VMs are instantiated, update it to allow ALL traffic only between the IP address pairs assigned to their interfaces.
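The following is an added example, not the appliance's own code: a Python helper that turns the Ports and Protocols table above into iptables / ip6tables rules for a STARTUPSCRIPT, with an audit check for the Danger note (no internal-only service ACCEPTed on the public interface). Interface names (eth0 public, eth1 internal), the peer address and the set of public services in use are assumptions for the demonstration; the NAT exemption line is the one given in the IPsec Tunnel Configuration section.

```python
import base64

# Port policy from the "Ports and Protocols" section: "public" ports are allowed inbound on
# the public interface only when that feature is used; "internal" ports are allowed on
# internal interfaces and must be blocked on the public one.
POLICY = [
    ("tcp", 22, "public"),     # SSH management
    ("tcp", 53, "internal"),   # recursive DNS
    ("udp", 53, "internal"),
    ("tcp", 80, "public"),     # Let's Encrypt issuance
    ("udp", 123, "internal"),  # NTP
    ("tcp", 443, "public"),    # VPN endpoint (TLS)
    ("udp", 443, "public"),    # VPN endpoint (DTLS)
]

def build_rules(public_if, internal_ifs, enabled_public, peer_ips=()):
    """Rules for POLICY; enabled_public = {(proto, port)} in use; peer_ips = HA pair nodes."""
    rules = []
    for tool in ("iptables", "ip6tables"):
        for ip in peer_ips:  # VRRP needs ALL traffic between pair nodes (assumed addresses)
            if (":" in ip) == (tool == "ip6tables"):
                rules.append(f"{tool} -A INPUT -s {ip} -j ACCEPT")
        for proto, port, where in POLICY:
            if where == "internal":
                for ifc in internal_ifs:
                    rules.append(f"{tool} -A INPUT -i {ifc} -p {proto} --dport {port} -j ACCEPT")
                rules.append(f"{tool} -A INPUT -i {public_if} -p {proto} --dport {port} -j DROP")
            elif (proto, port) in enabled_public:
                rules.append(f"{tool} -A INPUT -i {public_if} -p {proto} --dport {port} -j ACCEPT")
    return rules

def exposes_internal_service(rules, public_if):
    """Audit: True if an internal-only port is ACCEPTed on the public interface."""
    internal = {(p, str(n)) for p, n, w in POLICY if w == "internal"}
    for rule in rules:
        parts = rule.split()
        if f"-i {public_if}" in rule and "--dport" in parts and parts[-1] == "ACCEPT":
            if (parts[parts.index("-p") + 1], parts[parts.index("--dport") + 1]) in internal:
                return True
    return False

def build_startupscript(rules, nat_out_if=None):
    """Script text; nat_out_if enables masquerading with IPsec traffic exempted first."""
    lines = ["#!/bin/sh", "set -e", "sysctl -w net.ipv6.conf.all.forwarding=1"]
    if nat_out_if:
        lines.append("iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT")
        lines.append(f"iptables -t nat -A POSTROUTING -o {nat_out_if} -j MASQUERADE")
    return "\n".join(lines + rules) + "\n"

def encode_attribute(text):  # base64 form expected by the STARTUPSCRIPT attribute
    return base64.b64encode(text.encode()).decode()
```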

System Requirements

  • 1 vCPU
  • 1 GB RAM
  • ~150 MB for OS Boot Disk
  • 1 GB Data Disk

Resource guidance

These are minimums. Scale RAM and CPU as needed for the user base. Our guidance is approximately 1 vCPU and 1 GB RAM per 100 users.

A data disk is only required if using Let's Encrypt (to store certificate state data) or if retention of SSH keys and/or log data is desired.

Usage

  1. Import appliance from HyperCloud Marketplace
  2. From the UI, navigate to Templates, then Virtual Routers, then select the appliance Virtual Router template and click "Update". Update resources for the appliance based on the system requirements above, being sure to attach a blank 1 GB disk if desired and not already done in the template.
  3. Create security groups for all networks that you want to protect -- these act as the firewall rules for the appliance. Note the ports and protocols above based on your usage.
  4. From the UI, navigate back to the template via the steps mentioned in step 2 and then click "+" and then click "Instantiate".
  5. Attach public network interface as the FIRST interface and all subsequent interfaces after the public interface, attaching the security groups created in step 3. Be sure to check the "Floating IP" box if deploying in an HA pair, otherwise HA will NOT work.
  6. Complete the "name" and "virtual machine name" fields. Be sure number of instances is set to "2" if deploying in an HA pair.

    Info

    Click the "Start on Hold" box to allow for attribute and DNS configuration prior to first boot.

  7. Deploy the Virtual Router

  8. Create VM attributes, based on VM attribute usage information above. None are included by default, as all are optional.
    1. If using Let's Encrypt, be sure to create DNS entries with the value of the FQDN attribute before deploying/releasing the VM from hold.
    2. If using as a virtual router for other networks, once instantiated be sure to note the assigned IP address and update the other virtual networks with the appliance IP as the gateway address.
      • Be sure to populate the PEERIPS attribute of each node before deploying/releasing the VM from hold.
    3. Be sure to check the STARTUPSCRIPT attribute, especially if using the appliance as a VPN endpoint or NAT router. You will very likely need to write a startup script and encode it with "base64".
  9. "Release" the VMs individually.

RADIUS Configuration

Add these to STARTUPSCRIPT (replace RADIUS.SERVER.IP.ADDRESS and SECRET with your RADIUS server address and shared secret):

  1. RADIUS_SERVER_IP=RADIUS.SERVER.IP.ADDRESS
  2. sed -i "s_localhost_${RADIUS_SERVER_IP}_g" /etc/radcli/radiusclient.conf
  3. echo "${RADIUS_SERVER_IP} SECRET" >> /etc/radcli/servers
  4. echo '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' | base64 -d | openssl zlib -d > /etc/radcli/dictionary
  5. sed -i 's_plain\[passwd=/etc/ocserv/ocpasswd\]_radius \[config=/etc/radcli/radiusclient.conf,groupconfig=true\]_g' /etc/ocserv/ocserv.conf
  6. kill $(ps -efww | grep -i ocs | grep -v hypercloud | grep '1 0' | awk '{print $2}')

IPsec Tunnel Configuration

Add these to STARTUPSCRIPT:

  1. Write out /etc/swanctl/conf.d/swanctl.conf (examples below)
  2. Start strongSwan: sleep 10 && ipsec start && sleep 10 && swanctl --load-all
  3. If using NAT behind the tunnel, be sure to omit IPsec traffic from the NAT rule!

    iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT

Left Side Configuration

# cat << _EOF_ > /etc/swanctl/conf.d/swanctl.conf 
connections {

   gw-gw {
      local_addrs  = 97.107.236.177
      remote_addrs = 97.107.236.180

      local {
         auth = psk
         id = testsitea
      }
      remote {
         auth = psk
         id = testsiteb
      }
      children {
         net-net {
            local_ts  = 100.127.255.0/24
            remote_ts = 192.168.255.0/24

            start_action = start

            updown = /libexec/ipsec/_updown
            rekey_time = 5400
            rekey_bytes = 500000000
            rekey_packets = 1000000
         }
      }
      version = 2
      mobike = no
      reauth_time = 10800
   }
}

secrets {
   ike-1 {
      id-1 = testsitea
      secret = testsitepassword
   }
   ike-2 {
      id-2 = testsiteb
      secret = testsitepassword
   }
}
_EOF_

Right Side Configuration

# cat << _EOF_ > /etc/swanctl/conf.d/swanctl.conf
connections {

   gw-gw {
      local_addrs  = 97.107.236.180
      remote_addrs = 97.107.236.177

      local {
         auth = psk
         id = testsiteb
      }
      remote {
         auth = psk
         id = testsitea
      }
      children {
         net-net {
            local_ts = 192.168.255.0/24
            remote_ts  = 100.127.255.0/24

            start_action = start

            updown = /libexec/ipsec/_updown
            rekey_time = 5400
            rekey_bytes = 500000000
            rekey_packets = 1000000
         }
      }
      version = 2
      mobike = no
      reauth_time = 10800
   }
}

secrets {
   ike-1 {
      id-1 = testsitea
      secret = testsitepassword
   }
   ike-2 {
      id-2 = testsiteb
      secret = testsitepassword
   }
}
_EOF_

Customer IKEv1 to Juniper

Note that IKEv1 with SHA-1 and a 1536-bit MODP group, as in the proposals below, is a legacy configuration; use it only where the remote side cannot negotiate IKEv2 with the stronger defaults used in the gateway-to-gateway examples above.

# cat << _EOF_ > /etc/swanctl/conf.d/swanctl.conf
connections {

   gw-site1 {
      local_addrs  = 38.68.193.87
      remote_addrs = 159.121.170.66

      local {
         auth = psk
         id = 38.68.193.87
      }
      remote {
         auth = psk
         id = 159.121.170.66
      }
      children {
         net1-site1 {
            local_ts  = 10.80.0.0/20
            remote_ts = 10.34.84.0/24, 172.23.84.0/24

            start_action = trap

            updown = /libexec/ipsec/_updown
            rekey_time = 5400
            rekey_bytes = 500000000
            rekey_packets = 1000000

            esp_proposals = aes256-sha
         }
      }
      version = 1
      proposals = aes256-sha-modp1536
      mobike = no
      reauth_time = 28800
   }

   gw-site2 {
      local_addrs  = 38.68.193.87
      remote_addrs = 199.201.92.35

      local {
         auth = psk
         id = 38.68.193.87
      }
      remote {
         auth = psk
         id = 199.201.92.35
      }
      children {
         net1-site2 {
            local_ts  = 10.80.0.0/20
            remote_ts = 10.34.82.0/24, 172.23.82.0/24

            start_action = trap

            updown = /libexec/ipsec/_updown
            rekey_time = 5400
            rekey_bytes = 500000000
            rekey_packets = 1000000

            esp_proposals = aes256-sha
         }
      }
      version = 1
      proposals = aes256-sha-modp1536
      mobike = no
      reauth_time = 28800
   }
}

secrets {
   ike-1 {
      id-1 = 38.68.193.87
      id-2 = 159.121.170.66
      id-3 = 199.201.92.35
      secret = "Put your super-duper secret key here!"
   }
}
_EOF_