The following section deals with the problem that no location has a public IP address, but S2S and S2E connections should still be enabled. The two scenarios differ only in the configuration of the second hardware UTM, so in both cases the general configuration must be carried out first and then the specific configuration for the Scenario S2S or the Scenario S2E.
General configuration
Another UTM (in the example a virtual UTM in the Terra Cloud) acts as a VPN concentrator that switches the packets between the clients and the locations. The VPN concentrator has a public IP address. For the implementation, the Terra Cloud UTM is configured as SSL-VPN Site-to-Site server and the hardware UTM of location A as SSL-VPN Site-to-Site client. The following IP addresses are used:
Terra-Cloud UTM
public IP: 203.0.113.203
Location A
internal network: 192.168.174.0/24
Location B
internal network: 192.168.173.0/24
Terra-Cloud UTM as S2S server
Installation wizard
Step 1 (Terracloud UTM)
In installation step 1 the connection type is selected. The following connections are available:
Roadwarrior Server
Site-to-Site Server
Site-to-Site Client
For the configuration of the Site-to-Site server, select Site-to-Site Server.
If a local IPv6 network is to be connected, the option Use IPv6 over IPv4: must be set to Yes.
Installation step 2
Step 3 (Terracloud UTM)
Local settings for the site-to-site server
Caption | Value | Description
Name: | S2S-server | Unique name
Protocol: | UDP | Choose desired protocol
Port: | 1194 | The port is preset
Server certificate: | cs-ttt-point | Selection of the certificate with which the server authenticates itself. If a server certificate does not yet exist, it (and if necessary also a CA) can be created in the certificate management; see the steps below.
Share server networks: | » 192.168.173.0/24 | Local network of location B that is to be shared (click in the box and enter the network via the keyboard).
Creating the certificates in the certificate management:
Create a CA in the CA section using the + Add CA button.
Create a server certificate in the Certificates section using the + Add certificate button. Please note: Server certificate: enable.
Create the client certificate with the + Add certificate button.
Both certificates must be created with the same CA!
The client certificate and the associated CA are also needed to configure the remote terminal (client). They must be exported using the corresponding button. For use with a UTM as client, the PEM format is required. Further notes can be found in the Wiki article on the use of certificates.
Step 4 (Terracloud UTM)
In installation step 4, the transfer network for the site-to-site server is entered.
Caption | Value | Description
Transfer network: | 192.168.190.0/24 | A network address must be specified that is not used in any network of the involved appliances.
Server tunnel address: | 192.168.190.1/32 | Determined automatically from the transfer network.
IPv4 client tunnel address: | 192.168.190.2/24 | Determined automatically from the transfer network.
Step 5 (Terracloud UTM)
Caption | Value | Description
Name: | S2S-client | Generated automatically from the name defined in step 3
Client certificate: | ssl-vpn-ClientA | Certificate of the client network
Share client networks: | » 192.168.174.0/24 | Local network of location A that is to be shared (click in the box and enter the network via the keyboard).
Note: The selected certificate should not be used with any other client / network.
UTM location A as S2S client
Installation wizard
Step 1 (Location A)
In installation step 1 the connection type is selected. The following connections are available:
Roadwarrior Server
Site-to-Site Server
Site-to-Site Client
For the configuration of the Site-to-Site client, select Site-to-Site Client.
If a local IPv6 network is to be connected, the option Use IPv6 over IPv4: must be set to Yes.
Installation step 2
Step 3 (Location A)
Local settings for the Site-to-Site client are made in step 3: enter a name for the connection, select the protocol and select the certificate. By clicking the button with the window symbol, a CA and a certificate can be imported.
Caption | Value | Description
Name: | S2S-client | Unique name
Protocol: | UDP | Choose desired protocol. The same protocol must be selected as for the site-to-site server.
Client certificate: | ssl-vpn-ClientA | Selection of the certificate with which the client authenticates itself. The same certificate must be used here that was selected as the certificate of the remote terminal (client) for the site-to-site server in step 5.
Importing the certificates:
In the CA section, use the Import CA button to import the CA from the S2S server.
In the Certificates section, use the Import certificate button to import the client certificate created on the S2S server.
Step 4 (Location A)
This installation step is omitted for the site-to-site client.
Step 5 (Location A)
In step 5, the public IP address or SPDyn address of the remote gateway (the site-to-site server) is entered as the remote site.
Note: The port is appended to the IP address after a colon. If port 1194 is used, the port can be omitted.
Create network objects and packet filter rules
Network objects (Location A)
A new network object can be created under Firewall > Network Objects with the Add Object button.
Network object for the tunnel network
Caption | Value | Description
Name: | sslvpn-S2S-ClientB-Network | Unique name
Type: | VPN network | If only a single host is to be shared in the server network, VPN host can also be selected here.
Address: | 192.168.173.0/24 | Local network of location B that is to be released. If several server networks have been shared, a separate network object must be created for each of these networks; the network objects can then be combined into a group.
Zone: | vpn-ssl-S2S-client | The zone on the S2S client through which the S2S server network is accessed.
Groups: | Optional |
Packet filter rules (Location A)
A new packet filter rule can be created under Firewall > Packet filter with the Add rule button.
# | Source | Destination | Service | NAT | Logging | Action | Active
- | internal-network | sslvpn-S2S-ClientB-Network | default-internet | | 3/Min | Accept | On
- | sslvpn-S2S-ClientB-Network | internal-network | default-internet | | 3/Min | Accept | On
Configuration scenario S2S
Customise Terracloud UTM configuration
Add second client (Terracloud UTM)
The second client is created separately within the previously created connection, under VPN > SSL-VPN with the Add SSL VPN client remote station button.
Caption | Value | Description
Name: | S2S-B-client | Unique name
Client certificate: | ssl-vpn-ClientB | Certificate of the client network
IPv4 tunnel address: | 192.168.190.3/24 | Enter a free IPv4 address that is located in the transfer network.
Share server networks: | » 192.168.174.0/24 | Local network of location A that is to be shared (click in the box and enter the network via the keyboard).
Share client networks: | » 192.168.173.0/24 | Local network of location B that is to be shared (click in the box and enter the network via the keyboard).
Note: The selected certificate should not be used with any other client / network.
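The address plan above has to satisfy constraints that the wizard states but does not check for you: the transfer network must not be used by any network of the involved appliances, every client tunnel address (including the second client's 192.168.190.3) must be a free address inside the transfer network, and the step 5 remote site entry carries its port after a colon with 1194 as the default. The following Python check is an added example and not part of the original page or of the UTM; it validates the plan used on this page, with the Roadwarrior pool 192.168.192.0/24 from the S2E section included, and the dictionary layout is an assumption of this example.

```python
import ipaddress

# Address plan taken from this page: Terra-Cloud UTM as S2S server, the two
# S2S clients (locations A and B) and the Roadwarrior pool of the S2E scenario.
PLAN = {
    "transfer_network": "192.168.190.0/24",
    "tunnel_addresses": {
        "S2S-server": "192.168.190.1/32",
        "S2S-client (location A)": "192.168.190.2/24",
        "S2S-B-client (location B)": "192.168.190.3/24",
    },
    "networks": {
        "location A internal": "192.168.174.0/24",
        "location B internal": "192.168.173.0/24",
        "Roadwarrior pool": "192.168.192.0/24",
    },
}


def check_plan(plan):
    """Return a list of problems found in the plan; an empty list means it is consistent."""
    problems = []
    transfer = ipaddress.ip_network(plan["transfer_network"])
    nets = {n: ipaddress.ip_network(a) for n, a in plan["networks"].items()}
    # Step 4: the transfer network must not be used by any involved appliance.
    for name, net in nets.items():
        if transfer.overlaps(net):
            problems.append(f"transfer network {transfer} overlaps {name} ({net})")
    # Shared networks must be disjoint, otherwise routes between the sites are ambiguous.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    # Every tunnel address must be a free address inside the transfer network.
    seen = set()
    for name, addr in plan["tunnel_addresses"].items():
        host = ipaddress.ip_interface(addr).ip
        if host not in transfer:
            problems.append(f"{name}: tunnel address {host} is outside {transfer}")
        elif host in seen:
            problems.append(f"{name}: tunnel address {host} is already in use")
        seen.add(host)
    return problems


def parse_remote_site(value, default_port=1194):
    """Split the step 5 'remote site' entry (IP or SPDyn name, optionally ':port')
    into (host, port). Without a colon the preset port 1194 applies."""
    host, sep, port = value.rpartition(":")
    if not sep:
        return value, default_port
    return host, int(port)
```

Calling check_plan(PLAN) returns an empty list for the plan on this page; any overlap or reused tunnel address is reported as a readable message before the wizard is run.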
Create network objects and packet filter rules
Network objects (Terracloud UTM)
A TUN interface was created when the connection was set up. It automatically receives the first IP address from the transfer network configured in the connection and a zone "vpn-ssl-<servername>". The TUN interface of the site-to-site client also receives an IP address from this network; it serves as the gateway to the subnet of the site-to-site client. To be able to reach the client network of the remote terminal, its subnet must be created as a network object under Firewall > Network Objects with the + Add Object button; it is located in the zone of the associated TUN interface.
Caption | Value | Description
Type: | VPN network | If only a single host is to be shared in the client network, VPN host can also be selected here.
Address: | 192.168.174.0/24 | Local network of location A that is to be released. If multiple client networks have been shared, a separate network object must be created for each of these networks; the network objects can then be combined into a group.
Zone: | vpn-ssl-S2S-server | The zone on the S2S server through which the S2S client network is accessed.
A second network object is created in the same way for the local network of location B that is to be released. If multiple client networks have been shared, a separate network object must be created for each of these networks; the network objects can then be combined into a group.
Packet filter rules (Terracloud UTM)
In order for the clients to be able to access each other's network, this must now be permitted using packet filter rules. These can look as follows:
# | Source | Destination | Service | NAT | Logging | Action | Active
- | sslvpn-S2S-ClientB-Network | sslvpn-S2S-ClientA-Network | default-internet | | 3/Min | Accept | On
- | sslvpn-S2S-ClientA-Network | sslvpn-S2S-ClientB-Network | default-internet | | 3/Min | Accept | On
UTM location B as S2S client
Installation wizard (Location B)
Step 1
In installation step 1 the connection type is selected. The following connections are available:
Roadwarrior Server
Site-to-Site Server
Site-to-Site Client
For the configuration of the Site-to-Site client, select Site-to-Site Client.
If a local IPv6 network is to be connected, the option Use IPv6 over IPv4: must be set to Yes.
Installation step 2
Step 3 (Location B)
Local settings for the Site-to-Site client are made in step 3: enter a name for the connection, select the protocol and select the certificate. By clicking the button with the window symbol, a CA and a certificate can be imported.
Caption | Value | Description
Name: | S2S-client | Unique name
Protocol: | UDP | Choose desired protocol. The same protocol must be selected as for the site-to-site server.
Client certificate: | ssl-vpn-ClientB | Selection of the certificate with which the client authenticates itself. The same certificate must be used here that was selected as the certificate of the remote terminal (client) for the site-to-site server in step 5.
Importing the certificates:
In the CA section, use the Import CA button to import the CA from the S2S server.
In the Certificates section, use the Import certificate button to import the client certificate created on the S2S server.
Step 4 (Location B)
This installation step is omitted for the site-to-site client.
Step 5 (Location B)
In step 5, the public IP address or SPDyn address of the remote gateway (the site-to-site server) is entered as the remote site.
Note: The port is appended to the IP address after a colon. If port 1194 is used, the port can be omitted.
Create network objects and packet filter rules
Network objects (Location B)
A new network object can be created under Firewall > Network Objects with the Add Object button.
Network object for the tunnel network
Caption | Value | Description
Name: | sslvpn-S2S-ClientA-Network | Unique name
Type: | VPN network | If only a single host is to be shared in the server network, VPN host can also be selected here.
Address: | 192.168.174.0/24 | Local network of location A that is to be released. If several server networks have been shared, a separate network object must be created for each of these networks; the network objects can then be combined into a group.
Zone: | vpn-ssl-S2S-client | The zone on the S2S client through which the S2S server network is accessed.
Groups: | Optional |
Packet filter rules (Location B)
A new packet filter rule can be created under Firewall > Packet filter with the Add rule button.
# | Source | Destination | Service | NAT | Logging | Action | Active
- | internal-network | sslvpn-S2S-ClientA-Network | default-internet | | 3/Min | Accept | On
- | sslvpn-S2S-ClientA-Network | internal-network | default-internet | | 3/Min | Accept | On
Configuration scenario S2E
Customise Terracloud UTM configuration
Create network objects and packet filter rules
Network objects (Terracloud UTM)
A TUN interface was created when the connection was set up. It automatically receives the first IP address from the transfer network configured in the connection and a zone "vpn-ssl-<servername>". The TUN interface of the site-to-site client also receives an IP address from this network; it serves as the gateway to the subnet of the site-to-site client. To be able to reach the client network of the remote terminal, its subnet must be created as a network object under Firewall > Network Objects with the + Add Object button; it is located in the zone of the associated TUN interface.
Caption | Value | Description
Type: | VPN network | If only a single host is to be shared in the client network, VPN host can also be selected here.
Address: | 192.168.174.0/24 | Local network of location A that is to be released. If multiple client networks have been shared, a separate network object must be created for each of these networks; the network objects can then be combined into a group.
Zone: | vpn-ssl-S2S-server | The zone on the S2S server through which the S2S client network is accessed.
A second network object is created in the same way for the local network of location B that is to be released. If multiple client networks have been shared, a separate network object must be created for each of these networks; the network objects can then be combined into a group.
Packet filter rules (Terracloud UTM)
In order for the clients to be able to access each other's network, this must now be permitted using packet filter rules. These can look as follows:
# | Source | Destination | Service | NAT | Logging | Action | Active
- | Roadwarrior-Network | sslvpn-S2S-ClientA-Network | default-internet | | 3/Min | Accept | On
- | sslvpn-S2S-ClientA-Network | Roadwarrior-Network | default-internet | | 3/Min | Accept | On
UTM location B as Roadwarrior
Installation wizard (Roadwarrior)
Step 1
In installation step 1, the connection type is selected. The following connections are available:
Roadwarrior Server
Site-to-Site Server
Site-to-Site Client
For the configuration of the Roadwarrior server, select Roadwarrior Server.
If IPv6 is to be used in the source and destination network, this must be enabled here.
Setup step 2
Step 3 (Roadwarrior)
Caption | Value | Description
Name: | Roadwarrior | Unique name
Protocol: | UDP | Choose desired protocol
Port: | 1194 | The port is preset
Server certificate: | Roadwarrior | Selection of the certificate with which the server authenticates itself. If a server certificate does not yet exist, it (and if necessary also a CA) can be created in the certificate management; see the steps below.
Share server networks: | » 192.168.173.0/24 | Local network of location A that is to be shared (click in the box and enter the network via the keyboard).
Creating the certificates in the certificate management:
Create a CA in the CA section using the + Add CA button.
Create a server certificate in the Certificates section using the + Add certificate button. Please note: Server certificate: enable.
Create the client certificate with the + Add certificate button.
Both certificates must be created with the same CA!
The client certificate and the associated CA are also needed to configure the remote terminal (client). They must be exported using the corresponding button. For use with a UTM as client, the PEM format is required. Further notes can be found in the Wiki article on the use of certificates.
Step 4 (Roadwarrior)
In installation step 4, the transfer network for the Roadwarrior is entered. The transfer network can be freely chosen, but must not be used anywhere else on the UTM.
Step 5 (Roadwarrior)
The user authentication is selected in the last step. After that, the setup wizard can be completed.
None = Authentication only via the certificates.
Local = Local users and AD groups.
Radius = Radius server.
Rule set
Implied rules (Roadwarrior)
The protocol used for the connection can be activated under Firewall > Implied rules in the VPN area.
In the example: SSL-VPN UDP: On ➊
This implied rule opens the ports that are used for SSL-VPN connections on all interfaces. Packet filter rules can be used instead of implied rules to regulate this individually for individual interfaces.
If the user is to download the client from the user interface, this must also be enabled here: User Interface Portal: On ➋
If port 443 has been forwarded to an internal server, the user interface must be placed on a different port.
Network objects (Roadwarrior)
A TUN interface was created when the connection was set up. It automatically receives the first IP address from the transfer network configured in the connection and a zone "vpn-ssl-<servername>".
The Roadwarrior clients receive an IP address from this network and are located in this zone. To grant the Roadwarriors access to your own network, a network object must be created.
Network object for the tunnel network
Caption | Value | Description
Name: | SSL-VPN-RW-Network | Unique name
Type: | VPN network | Choose the right type
Address: | 192.168.192.0/24 | The network IP that was specified as the tunnel pool in step 4.
Zone: | vpn-ssl-Roadwarrior | The zone on the Roadwarrior through which the S2S server network is accessed.
Groups: | Optional |
Network object for the network of location A
Caption | Value | Description
Name: | sslvpn-S2S-ClientA-Network | Unique name
Type: | VPN network | If only a single host is to be shared in the server network, VPN host can also be selected here.
Address: | 192.168.174.0/24 | Local network of location A that is to be released. If several server networks have been shared, a separate network object must be created for each of these networks; the network objects can then be combined into a group.
Zone: | vpn-ssl-Roadwarrior | The zone on the Roadwarrior through which the S2S server network is accessed.
Groups: | Optional |
Packet filter rules (Roadwarrior)
A packet filter rule is required that allows the RW clients to access the internal-network, as well as two others that allow access from location A: