How to Protect Cloud Servers With a Firewall And Manage Them via VPN

How to use pfSense to protect a private network built in the cloud from several Windows and Linux servers, and how to reach it securely with OpenVPN.

Professionals and companies that manage several servers in the cloud can build a private network between the machines and expose on one or more public IP addresses only the services that genuinely need to be reachable from the Internet.


With a little care, cloud servers can be managed over a VPN without exposing to the Internet the ports and services that should remain private.

The Aruba Cloud PRO service allows you to set up a real virtual data center: you can choose the cloud servers to use (Linux, Windows, FreeBSD) and connect them directly using a virtual switch.

A virtual switch is the cloud equivalent of a traditional Ethernet switch: it connects several machines through their respective network cards and delivers each frame only to the network segment it is intended for.

The virtual switch can be used to create private networks of two or more servers: the machines connected to it communicate as if they were on a LAN, using private IP addresses assigned either dynamically (via DHCP) or statically (fixed over time).

Aruba Cloud also provides two well-known firewall platforms: pfSense and Endian. By connecting the firewall to the virtual switch, the cloud servers downstream of it can be protected, exposing on the public IP only the desired ports and services.

Each virtual server can be sized freely and, with a few clicks, scaled up or down as workloads and data volumes grow or shrink.

That is not all: the many templates available to Aruba Cloud customers let you set up and configure a new cloud server in minutes and, just as quickly, create a private network and manage an entire virtual data center.

How to create a virtual network between cloud servers and protect it with the pfSense firewall: create the machines

To protect two or more cloud servers with the pfSense firewall, start from the Aruba Cloud page for creating a new virtual server.

Click the Create new server button, choose "PRO", "VMware", select Choose template, type Firewall in the Solutions search box and then select pfSense in the left column.

A little further down on the same page, assign a name (for example FIREWALL) and set a sufficiently long and complex password for the pfSense administrator account.

As soon as the server that will act as the firewall (with pfSense pre-installed thanks to the Aruba Cloud template) is ready, its public IP address appears in the administration panel: write it down, it will be needed shortly.

In the meantime, click Virtual switch in the left column of the Aruba Cloud panel, then Create new virtual switch. The virtual switch must be given a name; in our case DC-SWITCH.

Clicking Management, immediately under the Cloud server heading, takes you back to the list of cloud servers.

At this point, add an Ubuntu Linux server and a Windows Server 2019 machine in the same way.

By default, each cloud server is assigned a public IP address.

Connect the cloud servers to the virtual switch

The next step is to click the Manage button to the right of each of the three newly created servers (in the example they are called FIREWALL, DC-UBUNTU and DC-WIN2019).

Scrolling through the configuration page of each cloud server, you will find Network adapters near the end. By default only the first adapter is active, and it carries the public IP address.

Click the Connect virtual switch button next to "Ethernet 2" (the second virtual network card), then select and connect the virtual switch created earlier.

Repeat the operation for all three cloud servers, and for any other virtual machine added to the private network later.

Write down (copy and paste is safest) the MAC address of the second network card of each cloud server: it identifies the card unambiguously inside the guest, whatever name the operating system gives it, and it is what a DHCP static mapping is keyed on.

Configure the pfSense firewall

Paste the public IP of the pfSense cloud server into the browser address bar to reach the firewall's configuration interface.

The data travels over HTTPS, but pfSense uses a self-signed certificate by default: when the browser shows the "The connection is not private" error, click Advanced and then Proceed to... (not secure). Bear in mind that on this first connection the browser has no way of verifying who is at the other end, so do it from a trusted network; later in the procedure the interface will be reachable only through the VPN, which removes the problem for day-to-day use.

When the pfSense login page appears, enter admin as the username and, in the field below, the password chosen when creating the server on Aruba Cloud.

In the Interfaces box at the top right you will notice that the pfSense virtual server is using two interfaces: the first (WAN) carries the public IP; the second (LAN) is the one connected to the virtual switch that carries the private network.

At this point, click LAN and assign an address range different from the one used in your local (home or office) network.

Later we will set up the VPN connection: to avoid routing conflicts, the private network in the cloud must use an address range different from the one used locally (the same applies to the tunnel network that the OpenVPN wizard will ask for).

In our case, in the Static IPv4 Configuration box, we chose 192.168.0.1/24.

To continue, click Save at the bottom and then Apply changes at the top right.

From Services, DHCP Server, in the Range boxes, enter the range of private addresses the DHCP server may hand out; it must lie inside the subnet just configured (in our case 192.168.0.100 to 192.168.0.199). Save the change with the Save button at the bottom.
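The address-plan rule above (cloud LAN, VPN tunnel and your own local network must not overlap, and the DHCP pool must sit inside the LAN subnet) is easy to get wrong by eye. The script below, an added example that is not part of the original article, checks it before anything is typed into pfSense. The LAN (192.168.0.1/24) and tunnel (10.1.1.0/24) values are the article's; the "local" networks are whatever the administrator's workstation sits on and are passed on the command line, so 192.168.1.0/24 in the usage line is only an illustration.

```shell
#!/bin/sh
# Added example, not from the original article: check the private address plan
# before typing it into pfSense.  LAN and TUNNEL are the article's values; the
# local networks are supplied as arguments (assumed, e.g. 192.168.1.0/24).

# ip4_to_int 192.168.0.1 -> 3232235521 (dotted quad as a 32-bit integer)
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# net_range 192.168.0.1/24 -> "3232235520 3232235775": first and last address
# of the network containing the given address (a bare host counts as /32)
net_range() {
    case $1 in
        */*) ip=${1%/*}; bits=${1#*/} ;;
        *)   ip=$1;      bits=32 ;;
    esac
    size=$(( 1 << (32 - bits) ))
    first=$(( $(ip4_to_int "$ip") & ~(size - 1) ))
    echo "$first $(( first + size - 1 ))"
}

# cidr_overlap A B -> true (0) if the two networks share at least one address
cidr_overlap() {
    set -- $(net_range "$1") $(net_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# range_in_net LOW HIGH NET -> true if the DHCP pool LOW..HIGH lies inside NET
range_in_net() {
    low=$(ip4_to_int "$1")
    high=$(ip4_to_int "$2")
    set -- $(net_range "$3")
    [ "$low" -le "$high" ] && [ "$low" -ge "$1" ] && [ "$high" -le "$2" ]
}

# check_plan NET... -> true if every pair of networks is disjoint; each
# conflict is reported on stderr
check_plan() {
    ok=0
    while [ $# -gt 1 ]; do
        a=$1
        shift
        for b in "$@"; do
            if cidr_overlap "$a" "$b"; then
                echo "CONFLICT: $a overlaps $b" >&2
                ok=1
            fi
        done
    done
    return $ok
}

# Usage: sh address_plan.sh 192.168.1.0/24 10.0.0.0/8   (your local networks)
LAN=192.168.0.1/24      # pfSense LAN address as entered in the article
TUNNEL=10.1.1.0/24      # OpenVPN tunnel network chosen later in the article
check_plan "$LAN" "$TUNNEL" "$@" && echo "no overlap between $LAN, $TUNNEL and local networks"
range_in_net 192.168.0.100 192.168.0.199 "$LAN" && echo "DHCP pool lies inside $LAN"
```

A conflict with the tunnel network is the one most often missed: a client whose home LAN is 10.1.1.0/24 would still connect, but its packets for the cloud servers would be routed to the local network instead of into the tunnel.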

Set static private IP addresses on the cloud servers connected to the virtual switch

Using an SSH client such as PuTTY for Linux systems and Remote Desktop Connection for Windows Server, assign a static IP address to the second network card, the one connected to the virtual switch.

Ubuntu Linux server configuration

1) Open an SSH connection with PuTTY, entering the public IP address of the Ubuntu Linux cloud server just created in the Host name (or IP address) field. After logging in with the root credentials, type apt update && apt upgrade -y to update all the software on the server.

2) As a test, install the Apache web server with the command apt install -y apache2 .
Then type the following to replace the default page Apache shows when the server is reached over HTTP:

echo '<html><head><meta http-equiv="Content-Language" content="it"><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title>Cloud server</title></head><body>Welcome!</body></html>' > /var/www/html/index.html

Typing the public IP of the Ubuntu Linux server in the browser address bar (preceded by http://) immediately shows the "Welcome!" message.

3) Open the network configuration file with nano and add a stanza for the second network card. The directives below are those of ifupdown, i.e. /etc/network/interfaces (dns-nameservers is honoured when the resolvconf package is installed); the interface name ens192 is an assumption, replace it with the name that ip link shows next to the MAC address noted earlier:

auto ens192
iface ens192 inet static
    address 192.168.0.2
    netmask 255.255.255.0
    gateway 192.168.0.1
    dns-nameservers 8.8.8.8 8.8.4.4

Save the file with CTRL + O and exit the editor with CTRL + X.

You have now assigned a static private IP (192.168.0.2 in the example) to the Ubuntu cloud server. The gateway line points at pfSense; while the first card still holds the public IP the server also has the provider's gateway, so ifup may complain that a default route already exists (the address is still applied), and pfSense becomes the only default gateway once the public IP is removed at the end of the procedure. As a final step, reboot the machine by typing reboot and pressing Enter.

4) Reconnect to the Ubuntu server and type the following to enable the host firewall, allowing SSH and the web server (the Apache Full profile opens both port 80, used by the test above, and port 443; Apache Secure alone would open only 443 and break the HTTP test; answer y when ufw enable asks for confirmation):

ufw allow "Apache Full"
ufw allow "OpenSSH"
ufw enable
systemctl reload apache2
reboot
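Step 3 above depends on knowing which interface name the guest gave to the second card, which is exactly what the MAC addresses noted in the Aruba Cloud panel are for. The script below, an added example that is not part of the original article, looks the interface up by MAC and emits the static configuration for it, in netplan form (the mechanism current Ubuntu releases use; the article shows the older ifupdown directives). The interface names and MACs in the embedded sample are constructed, not taken from a real server, and the netplan file name 60-private.yaml is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article: give the second network card
# of an Ubuntu cloud server its static private address, locating the card by
# the MAC address noted in the Aruba Cloud panel instead of guessing its name.
# The sample interface names and MACs below are constructed.

# iface_for_mac MAC [LINK_OUTPUT] -> name of the interface whose link address
# is MAC.  Accepts 00-50-56-AA-BB-CC (as copied from Windows or the panel) as
# well as 00:50:56:aa:bb:cc.  LINK_OUTPUT defaults to the live `ip -o link
# show`; a saved copy can be passed in for testing.
iface_for_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F-' 'a-f:')
    links=${2:-$(ip -o link show)}
    printf '%s\n' "$links" | awk -v mac="$mac" '
        index(tolower($0), "link/ether " mac) { sub(/:$/, "", $2); print $2; exit }'
}

# netplan_private_nic IFACE MAC ADDR/PREFIX GATEWAY DNS... -> netplan YAML on
# stdout.  Matching on the MAC keeps the file valid even if the kernel renames
# the interface later.  The default route via pfSense coexists with the
# provider's gateway until the public IP is removed, after which pfSense is
# the only way out of the server.
netplan_private_nic() {
    iface=$1; nic_mac=$2; addr=$3; gw=$4
    shift 4
    dns=$(printf '%s, ' "$@"); dns=${dns%, }
    cat <<EOF
network:
  version: 2
  ethernets:
    $iface:
      match:
        macaddress: "$nic_mac"
      dhcp4: false
      addresses: [$addr]
      routes:
        - to: 0.0.0.0/0
          via: $gw
      nameservers:
        addresses: [$dns]
EOF
}

# Constructed sample of `ip -o link show` output (stand-in for a real server)
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\    link/ether 00:50:56:01:02:03 brd ff:ff:ff:ff:ff:ff
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\    link/ether 00:50:56:01:02:04 brd ff:ff:ff:ff:ff:ff'

# Usage on the server (as root; file name is an assumption):
#   sh private_nic.sh 00-50-56-01-02-04 192.168.0.2/24 192.168.0.1 > /etc/netplan/60-private.yaml
#   netplan apply
# Without arguments it runs against the sample above.
if [ $# -ge 3 ]; then
    want_mac=$(printf '%s' "$1" | tr 'A-F-' 'a-f:'); addr=$2; gw=$3
    shift 3
    [ $# -gt 0 ] || set -- 8.8.8.8 8.8.4.4
    iface=$(iface_for_mac "$want_mac")
    [ -n "$iface" ] || { echo "no interface with MAC $want_mac" >&2; exit 1; }
    netplan_private_nic "$iface" "$want_mac" "$addr" "$gw" "$@"
else
    iface=$(iface_for_mac 00-50-56-01-02-04 "$SAMPLE_LINKS")
    netplan_private_nic "$iface" 00:50:56:01:02:04 192.168.0.2/24 192.168.0.1 8.8.8.8 8.8.4.4
fi
```

Run it on the server over the existing SSH session and check the generated file before netplan apply: a typo in the address or gateway here does not lock you out yet, because the public card is still active, but it will once that card loses its IP.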

Network configuration of the Windows Server machine

1) Start Remote Desktop Connection on a Windows system and type the public IP of the Windows Server cloud server created earlier in the Computer field.

After clicking Connect, click More options, Use another account; enter administrator as Username and the password chosen when creating the server.

2) Once the Remote Desktop session is established, install, by way of example, at least the Web Server (IIS) role.

Click Add roles and features, then keep pressing Next until the Select server roles window appears. Here tick Web Server (IIS) and click the Add features button.

Press Next repeatedly, then Install at the last step.

Here too, typing the public IP address of the machine in the browser address bar (preceded by http://) shows the IIS welcome page.

3) To configure the second network card on the Windows Server machine, right-click the Start button, select Run, type ncpa.cpl and double-click the icon of the second adapter (Lan 2 in the example).

Click Properties, then Internet Protocol Version 4 (TCP/IPv4) and Properties again, and assign a static private IP (192.168.0.3 in the example) with 255.255.255.0 as Subnet mask and 192.168.0.1 as Default gateway; Google's DNS servers can be entered as well. Windows will warn that the first adapter already has a default gateway: that is expected, since the public address (and its gateway) will be removed at the end of the procedure, leaving pfSense as the only way out.

Open a command prompt on the Windows Server machine and type ping 192.168.0.2 and ping 192.168.0.1: both the Ubuntu server and the pfSense firewall, connected to the same private network via the virtual switch, will answer.

Configure access via VPN to the private cloud network

Among its many features, the pfSense firewall platform integrates an OpenVPN server.

To configure it, and then the client side, so as to establish a secure remote connection, first connect to the pfSense administration panel by typing its public IP in the browser address bar, then go to System, Package Manager, Available Packages.

Type openvpn-client-export in the search box, start the search and install the package offered (Install, Confirm buttons).

Now click the VPN menu, OpenVPN, choose Wizards, leave Local User Access selected and click Next.

On the Certificate Authority (CA) Certificate page, assign a name in the Descriptive Name field (for example MYVPN), and do the same on the next page, Create New Certificate, for the server certificate.

On the next screen, set the interface to WAN, the protocol to TCP and the local port to 1194, so that OpenVPN listens on the public IP. It is essential to tick both the TLS Authentication and Generate TLS Key boxes: with the shared TLS key, pfSense discards packets that do not carry a valid HMAC before any TLS handshake takes place, so the port cannot be probed by anyone who lacks the key.

In the Tunnel network box enter 10.1.1.0/24 and, in the Local Network box below it, 192.168.0.0/24 (the private network behind pfSense that VPN clients must reach).
Also tick Inter-Client Communication if the systems connected to the VPN must be able to talk to each other directly; if remote clients only need to reach the cloud servers, leave it unticked.

Once the OpenVPN server configuration is complete, click System, User Manager and then the Add button. Specify a username and password (they will be used for the VPN login) and, importantly, tick the Click to create a user certificate box: the server created by the wizard accepts only clients that present a certificate signed by the CA created above, in addition to the password.

After saving the account with Save, click VPN, OpenVPN and then Client Export.

Finally, next to the user just created, click the Most Clients button at the bottom of the page to download an .ovpn file that lets a client system establish the VPN connection. The file contains the CA certificate, the user's certificate and private key and the TLS key: treat it as a credential and do not send it over insecure channels.

To use it, for example from a Windows system, download the latest OpenVPN client (from this page) and copy the .ovpn file into the %ProgramFiles%\OpenVPN\config folder.

Start the OpenVPN client, click the newly added .ovpn profile and select Connect: after entering the username and password of the account created in pfSense, the system is connected to the remote private network.
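Before the first connection it is worth confirming that the exported .ovpn actually carries the protections configured in the wizard and the user manager: the CA, the per-user certificate and key, the TLS control-channel key, the username/password prompt, and remote-cert-tls server, which makes the client refuse any certificate that is not a server certificate (without it, any certificate signed by the VPN CA, another user's included, could impersonate the firewall). The script below is an added example, not part of the original article or of the pfSense client export package; the embedded profile is constructed, with 203.0.113.10 (a documentation address) standing in for the firewall's public IP and placeholders instead of key material.

```shell
#!/bin/sh
# Added example, not from the original article or the pfSense project: lint
# the .ovpn profile exported by pfSense on the client before connecting.
# The sample profile is constructed; 203.0.113.10 is a documentation address.

# require CFG REGEX LABEL -> 0 if CFG has a line matching REGEX; otherwise
# prints "missing: LABEL" and returns 1
require() {
    printf '%s\n' "$1" | grep -Eq "$2" && return 0
    echo "missing: $3"
    return 1
}

# lint_ovpn [FILE] -> 0 if every expected directive is present (FILE defaults
# to stdin, so `lint_ovpn < MYVPN.ovpn` works too)
lint_ovpn() {
    cfg=$(cat "${1:--}")
    bad=0
    require "$cfg" '^<ca>' 'inline CA certificate (<ca>)' || bad=1
    require "$cfg" '^<cert>' 'inline user certificate (<cert>); tick "Click to create a user certificate" when adding the user' || bad=1
    require "$cfg" '^<key>' 'inline user private key (<key>)' || bad=1
    require "$cfg" '^(<tls-(auth|crypt)>|tls-(auth|crypt)[[:space:]])' 'TLS control-channel key (the "TLS Authentication" box in the wizard)' || bad=1
    require "$cfg" '^remote-cert-tls[[:space:]]+server' "remote-cert-tls server: without it any certificate signed by the VPN CA, another user's included, could impersonate the firewall" || bad=1
    require "$cfg" '^auth-user-pass' 'auth-user-pass (username/password prompt on top of the certificate)' || bad=1
    return $bad
}

# ovpn_remote [FILE] -> "host port proto" from the first remote line, to be
# compared with the single WAN rule left open on pfSense (TCP 1194 here)
ovpn_remote() {
    cat "${1:--}" | awk '
        $1 == "proto"  { p = $2 }
        $1 == "remote" { print $2, $3, ($4 != "" ? $4 : p); exit }'
}

# Constructed sample in the layout of a pfSense "Most Clients" export
SAMPLE_OVPN='dev tun
persist-tun
persist-key
cipher AES-256-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote 203.0.113.10 1194 tcp
remote-cert-tls server
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(constructed placeholder)
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(constructed placeholder)
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1'

# Usage: sh lint_ovpn.sh MYVPN.ovpn   (no argument: lint the sample above)
if [ -n "$1" ]; then
    echo "remote: $(ovpn_remote "$1")"
    lint_ovpn "$1" && echo "profile OK"
else
    echo "remote: $(printf '%s\n' "$SAMPLE_OVPN" | ovpn_remote)"
    printf '%s\n' "$SAMPLE_OVPN" | lint_ovpn && echo "sample profile OK"
fi
```

The remote line is printed so that it can be checked against the firewall: if the profile says tcp and the only rule left on WAN is for UDP (or the other way round), the client will simply time out.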

Typing ping 192.168.0.1, ping 192.168.0.2 and ping 192.168.0.3 should now get a reply from all the cloud servers configured so far (if Windows Server does not answer, its firewall is blocking ICMP echo requests from the tunnel network; the HTTP test that follows does not depend on it).

That is not all: typing http://192.168.0.2 in the browser address bar shows the "Welcome!" message of the Apache server on Ubuntu Linux, while http://192.168.0.3 shows the IIS welcome page served by the Windows Server machine.

At this point, go back to the Aruba Cloud administration panel, click Manage next to the Ubuntu and Windows servers, then Remove IP to the right of the Ethernet 1 network card.

From now on the two servers are reachable only after connecting to the VPN. To administer the Ubuntu server via SSH and Windows Server via Remote Desktop, first connect with the OpenVPN client, then start PuTTY or Remote Desktop Connection and enter 192.168.0.2 or 192.168.0.3 respectively as the host to reach. Do the VPN tests of the previous step before removing the public IPs: once they are gone, a broken VPN leaves only the Aruba Cloud console as a way in.

From the pfSense administration interface, still reachable via the public IP at this point, you can finally block management requests arriving on the WAN interface: under Firewall, Rules, WAN, select the rule that allows access to the web interface and tick Disable this rule, leaving only the rule that allows TCP 1194 connections for OpenVPN. Do this while connected through the VPN, so that if you disable the wrong rule you are not locked out; the Aruba Cloud Access Console remains available as a last resort.

Under Firewall, NAT, Port Forward, the Add button creates a rule that forwards a request received on the public IP of the pfSense firewall to a service inside the private network, for example the HTTP server on Windows Server.
Configure the port forwarding rule as follows: Interface WAN, Protocol TCP, Destination WAN address, Destination port range HTTP (80), Redirect target IP 192.168.0.3 (the private address of the Windows Server machine), Redirect target port HTTP (80). Leave Filter rule association on its default, so that pfSense also creates the matching WAN firewall rule that lets the forwarded traffic through.

Typing http:// followed by the firewall's public IP address now returns the Windows Server IIS welcome page.
The same can be done for Apache on the Ubuntu server, or for any other service on any other port; remember that every forward reopens a service to the whole Internet, so add one only for services that genuinely must be public and keep administration on the VPN.

Finally, from the pfSense panel, under System, Advanced, Admin Access, you can change the value of the TCP port field: the web interface then leaves port 443 (HTTPS) free to be forwarded to a web server inside the private network.

In the example we chose port 4343 for the pfSense administration interface. Since WAN access to the interface has already been disabled, reach it through the VPN from now on, typing the private IP of the pfSense server followed by :4343 (https://192.168.0.1:4343).

Some final notes:

The pfSense virtual server can also be built locally and then imported into Aruba Cloud by uploading it via FTP: just create the pfSense cloud server from the imported .VMDK template. See the article pfSense, firewall and VPN all in one: how to try them with VirtualBox.

Alternatively, install pfSense by uploading the latest ISO image to the FTP area of your Aruba Cloud account, attaching it as a virtual CD/DVD and following the whole installation and configuration through the Access Console button.

The VPN can be configured on port 443 instead of 1194, so that it can be reached from networks that only allow outbound HTTPS; in that case the web interface must first be moved off port 443 as described above.

The private IPs were assigned to the cloud servers manually. In other setups it may be preferable to let the servers use DHCP and define static mappings in the pfSense DHCP server keyed on the MAC addresses noted earlier, so that each server always receives the same address.
