External network gateway

The external network gateway (external_net) role provides connectivity between VPN and VxLAN tunnels and the local project. Client connections across these tunnels may access ports in the RG’s backend network (srv).

Components

OpenVPN

An OpenVPN gateway listens on the standard port (1194/udp) on the gateway’s frontend network (fe). The standard configuration requires two levels of authentication: both a certificate and a valid FC login must be presented on connection initiation. The certificate is fixed for all users of a given RG and is mostly used to keep out dictionary attackers. This authentication scheme requires that users connecting to the gateway have a valid login for this RG.

VxLAN

The external network gateway also contains provisions to interconnect the local RG with a remote network via VxLAN. Contact our support team for details.

mosh

As a courtesy, external network gateways run a mosh server by default.

Configuration

OpenVPN

An OpenVPN server needs correct DNS settings (forward and reverse names). Contact our support team to get this set up. Additional options (like address pools) can be set in /etc/local/openvpn/networks.json. The README file in the same directory contains a detailed description of available options.

By default, OpenVPN allocates client addresses from the pools 10.70.67.0/24 and fd3e:65c4:fc10::/48.

Note

Our OpenVPN servers push routes for the whole location (data center). This means that opening VPN connections to external network gateways in several RGs at once may not be a good idea.
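To see why simultaneous connections to gateways in several RGs can be a problem, the following added example (not part of this documentation or the platform's own tooling) parses the PUSH_REPLY lines an OpenVPN 2.x client writes to its log on connection and reports address ranges that two gateways both push. The log excerpts, the gateway names and the location-wide 10.0.0.0/8 route are constructed for the example; only the 10.70.67.0/24 and fd3e:65c4:fc10::/48 pools come from the page.

```python
"""Detect overlapping routes pushed by several OpenVPN gateways (added example)."""
import ipaddress
import re
from itertools import combinations

# Constructed sample log excerpts, one per VPN connection.  The PUSH_REPLY line
# has the shape an OpenVPN 2.x client logs at default verbosity; the gateway
# names are placeholders and the routes are invented for this example.
SAMPLE_LOGS = {
    "gateway-rg-a": (
        "PUSH: Received control message: 'PUSH_REPLY,"
        "route 10.70.67.0 255.255.255.0,route 10.0.0.0 255.0.0.0,"
        "route-ipv6 fd3e:65c4:fc10::/48,dhcp-option DNS 10.70.67.1,"
        "ifconfig 10.70.67.6 255.255.255.0'"
    ),
    "gateway-rg-b": (
        "PUSH: Received control message: 'PUSH_REPLY,"
        "route 10.70.68.0 255.255.255.0,route 10.0.0.0 255.0.0.0,"
        "ifconfig 10.70.68.9 255.255.255.0'"
    ),
}

_PUSH_RE = re.compile(r"PUSH_REPLY,(.*)'")


def pushed_routes(log_text):
    """Return the networks pushed via 'route' and 'route-ipv6' options."""
    m = _PUSH_RE.search(log_text)
    if not m:
        return []
    nets = []
    for opt in m.group(1).split(","):
        parts = opt.split()
        if not parts:
            continue
        if parts[0] == "route" and len(parts) >= 2:
            # 'route network [netmask [gateway]]'; a missing netmask means a host route
            netmask = parts[2] if len(parts) >= 3 else "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{parts[1]}/{netmask}", strict=False))
        elif parts[0] == "route-ipv6" and len(parts) >= 2:
            nets.append(ipaddress.ip_network(parts[1], strict=False))
    return nets


def overlapping_routes(logs):
    """Return (gateway1, gateway2, net1, net2) for every overlapping pair of pushed routes."""
    routes = {name: pushed_routes(text) for name, text in logs.items()}
    conflicts = []
    for (n1, r1), (n2, r2) in combinations(routes.items(), 2):
        for a in r1:
            for b in r2:
                # overlaps() only compares networks of the same IP version
                if a.version == b.version and a.overlaps(b):
                    conflicts.append((n1, n2, str(a), str(b)))
    return conflicts


if __name__ == "__main__":
    for gw1, gw2, a, b in overlapping_routes(SAMPLE_LOGS):
        print(f"{gw1} pushes {a}, {gw2} pushes {b}: overlapping")
```

In the constructed sample both gateways push the same location-wide route, so whichever connection comes up second silently takes over (or fails to install) the route to the other location; the check makes that visible before it causes unreachable hosts.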

VxLAN

A VxLAN tunnel is created if the file /etc/local/vxlan/config.json exists. See the accompanying README file for details.

Interaction

A default client configuration file (*.ovpn) is provided on OpenVPN gateways in the directory /etc/local/openvpn. Users in the login group can access the client configuration file. Import this configuration file into your OpenVPN client of choice. It will work with OpenVPN versions 2.4 and newer. Older clients (please upgrade!) must set the cipher option in the config file.
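The following added example (not part of this documentation or the platform's own tooling) ties together the authentication scheme described under Components and the client-configuration notes above: it parses a client .ovpn file, including inline &lt;tag&gt; blocks, and reports whether it carries what the gateway expects, namely a remote on 1194/udp, auth-user-pass for the FC login prompt, a client certificate and key, and, for clients older than 2.4, an explicit cipher option. The sample configuration, its hostname and its certificate contents are constructed placeholders.

```python
"""Check a client .ovpn file for the options this gateway relies on (added example)."""
import re

# Constructed sample client configuration; hostname and PEM bodies are placeholders.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn-gateway.example.org 1194
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----
</key>
"""


def parse_ovpn(text):
    """Return ({option: [args, ...]}, {inline_tag: body}) for an .ovpn file."""
    options, inline = {}, {}
    current, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:
            # inside an inline block: collect until the matching closing tag
            if line == f"</{current}>":
                inline[current] = "\n".join(body)
                current, body = None, []
            else:
                body.append(line)
            continue
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            current = m.group(1)
            continue
        parts = line.split()
        # an option may appear several times (e.g. multiple 'remote' lines)
        options.setdefault(parts[0], []).append(parts[1:])
    return options, inline


def check_client_config(text, client_version=(2, 4)):
    """Return a list of findings; an empty list means the file looks usable."""
    options, inline = parse_ovpn(text)
    findings = []
    # The gateway listens on 1194/udp on its frontend network.
    remotes = options.get("remote", [])
    if not remotes:
        findings.append("no 'remote' directive")
    for args in remotes:
        port = args[1] if len(args) > 1 else "1194"
        proto = args[2] if len(args) > 2 else options.get("proto", [["udp"]])[0][0]
        if port != "1194" or not proto.startswith("udp"):
            findings.append(f"remote {' '.join(args)} is not 1194/udp")
    # Second level of authentication: the FC login is requested via auth-user-pass.
    if "auth-user-pass" not in options:
        findings.append("missing 'auth-user-pass' (FC login will not be prompted)")
    # First level: the RG certificate, either inline or referenced by path.
    if "cert" not in inline and "cert" not in options:
        findings.append("no client certificate ('cert' option or <cert> block)")
    if "key" not in inline and "key" not in options:
        findings.append("no client private key ('key' option or <key> block)")
    # Clients before 2.4 do not negotiate the cipher and need it set explicitly.
    if client_version < (2, 4) and "cipher" not in options:
        findings.append("client older than 2.4: set the 'cipher' option explicitly")
    return findings


if __name__ == "__main__":
    for version in ((2, 4), (2, 3)):
        print(version, check_client_config(SAMPLE_OVPN, version) or "ok")
```

Run it against the .ovpn file before importing it into a client; a non-empty list tells you which of the gateway's requirements the file does not meet.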

Monitoring

Currently, OpenVPN server processes are checked for liveness.