How to use pfSense to protect a private network created on the cloud, consisting of multiple Windows and Linux servers. Enable secure access with OpenVPN.
Professionals and companies that need to manage multiple servers on the cloud can create a private network between the various machines, publicly exposing only the services that actually need to be reachable on one or more public IP addresses.
- 1 How to Protect Cloud Servers With a Firewall And Manage Them via VPN
- 1.1 How to create a virtual network between cloud servers and protect it with the pfSense firewall: create the machines
- 1.2 Connect the cloud servers to the virtual switch
- 1.3 Configure the pfSense firewall
- 1.4 Ubuntu Linux server configuration
- 1.5 Network configuration of the Windows Server machine
- 1.6 Configure access via VPN to the private cloud network
- 1.7 Some final notes:
How to Protect Cloud Servers With a Firewall And Manage Them via VPN
With a little care, you can make sure that cloud servers are managed via VPN, in a completely secure way, without exposing ports and services whose use must remain private.
The Aruba Cloud PRO service allows you to set up a real virtual data center: you can choose the cloud servers to use (Linux, Windows, FreeBSD) and put them in direct communication using a virtual switch.
A virtual switch is the cloud equivalent of a traditional Ethernet switch: it connects multiple devices through their respective network cards and ensures that data is routed only to the network segment for which it is intended.
The virtual switch can be used on the cloud to create private networks composed of two or more servers: the machines connected to the switch can communicate with each other as if they were inside a LAN and use their own private IP addresses, assigned either dynamically (via DHCP) or statically (so that they do not change over time).
Aruba Cloud also provides users with two well-known firewall platforms: pfSense and Endian. By connecting the firewall to the virtual switch, it is possible to protect the cloud servers connected downstream, exposing only the desired ports and services on the public IP.
The advantage of a tool like the one offered by Aruba Cloud is that each virtual server can be freely sized and, with a few clicks, scaled up or down when the workloads and the volume of data to be managed increase or decrease.
That's not all. The many templates made available to Aruba Cloud customers allow you to set up and configure a new cloud server in a few minutes and, just as quickly, to create your own private network and manage an entire virtual data center.
How to create a virtual network between cloud servers and protect it with the pfSense firewall: create the machines
To protect two or more cloud servers with the pfSense firewall, first go to the Aruba Cloud page that allows the creation of a new virtual server.
After clicking on the Create new server button, choose PRO, VMware, select Choose template, type Firewall in the Solutions search box and then select pfSense in the left column.
A little further down, in the same server creation page, you will need to assign a name (for example FIREWALL) and specify a sufficiently long and complex password for the administration of pfSense.
As soon as the server that will act as a firewall (with pfSense pre-installed, thanks to the Aruba Cloud template) is ready for use, its public IP address will appear in the administration panel: write it down, because it will be needed shortly.
In the meantime, you can click on Virtual switch in the left column of the Aruba Cloud panel and then on the Create new virtual switch button. The virtual switch will need to be given a name. In our case we have specified DC-SWITCH.
By clicking on Management, immediately under the heading Cloud server, you will return to the list of cloud servers created.
At this point we try to add an Ubuntu Linux server and a Windows Server 2019 machine.
By default, each cloud server will be assigned a public IP address.
Connect the cloud servers to the virtual switch
The next step is to click on the Manage button to the right of each of the three newly created servers (in the example they are called FIREWALL, DC-UBUNTU and DC-WIN2019).
Scrolling through the configuration page of each cloud server, you will find Network adapters almost at the end. By default, the only active adapter will be the first, associated with a public IP address.
By clicking on the Connect virtual switch button corresponding to Ethernet 2 (the second virtual network card), you will have to select and connect the virtual switch created previously.
The operation must be repeated for all three cloud servers, as well as for any other virtual machine that is later connected to the private network.
We suggest writing down (perhaps with the help of copy and paste) the MAC address of the second network card of each cloud server just created.
Configure the pfSense firewall
By copying and pasting the public IP associated with the cloud server containing pfSense into the browser address bar, you will access the firewall configuration.
The data transits via HTTPS but pfSense, by default, uses a self-signed digital certificate: when the error "The connection is not private" appears, simply click on the Advanced button and then on Proceed to ... (not secure).
When the pfSense login page appears, enter admin as the username and, in the field below, the password chosen when creating the server on Aruba Cloud.
Referring to the Interfaces box at the top right, you will notice that the pfSense virtual server is actively using two interfaces: the first (WAN), to which the public IP is assigned; the second (LAN), on which the cloud server is connected to the virtual switch that manages the private network.
At this point, we suggest you click on LAN and assign an address range other than the one you use within your local home or corporate network.
Later, in fact, we will set up the connection via VPN: to avoid routing conflicts, it is important that the private network on the cloud uses a different address range from the one used locally.
In our case, within the Static IPv4 Configuration box, we have chosen 192.168.0.1/24.
To continue, click on the Save button at the bottom and then on Apply changes at the top right.
From the Services menu, DHCP Server, in the Range boxes, enter a range of private IP addresses that the DHCP server may assign, consistent with the subnet just set (in our case we have set 192.168.0.100 to 192.168.0.199). The change must be saved by clicking on the Save button below.
Set static private IP addresses on the cloud servers connected to the virtual switch.
Using an SSH client such as PuTTY for Linux systems and Remote Desktop Connection to administer Windows Server, you will have to assign a static IP address to the second network card previously connected to the virtual switch.
Ubuntu Linux server configuration
1) Establish a connection with PuTTY via SSH by entering the public IP address of the Ubuntu Linux cloud server created a little while ago with Aruba Cloud in the Host name (or IP address) field. After logging in with root credentials, type apt update && apt upgrade -y to update all software on the server.
2) As a test, we install the Apache web server with the following command.
We then type the following to change the default page displayed by Apache when connecting to the server via HTTP:
Entering the public IP of the Ubuntu Linux server in the address bar of the browser (preceded by http://), you will immediately see the message "Welcome!".
dns-nameservers 188.8.131.52 184.108.40.206
The file must be saved by pressing CTRL + O and then CTRL + X to exit the editor.
By doing so, you will have assigned a static private IP (in the example 192.168.0.2) to the Ubuntu cloud server. As a final step, you can reboot the machine by typing reboot and pressing Enter.
4) After connecting to the Ubuntu server again, type the following to activate the incoming firewall rules:
ufw allow "Apache Secure"
ufw allow "OpenSSH"
systemctl reload apache2
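The static address for the second network card and the ufw rules above can be generated and checked from one small POSIX sh script. The following is an added example, not code from the original article: it assumes the Ubuntu server still uses /etc/network/interfaces (as the dns-nameservers line above suggests), that the second card is called ens34 (a placeholder; check the real name with ip link), and it takes the addresses from the article (host 192.168.0.2/24, pfSense at 192.168.0.1, OpenVPN tunnel 10.1.1.0/24). It differs from the three ufw commands above in one respect: inbound traffic is denied by default and SSH is accepted only from the private LAN and the VPN tunnel rather than from anywhere.

```bash
#!/bin/sh
# Added example (not from the original article). Prints, as a dry run, the
# ifupdown stanza for the second network card and the ufw rule set; pipe the
# output into the real files/shell on the server only after checking it.
# Interface name ens34 and the DNS address are placeholders.

# valid_ip4 ADDR : succeeds only for a well-formed dotted-quad IPv4 address
valid_ip4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# interfaces_stanza IFACE ADDR GATEWAY [DNS...] : prints the static stanza
# for /etc/network/interfaces; fails (exit 1) on a malformed address.
interfaces_stanza() {
    iface=$1; addr=$2; gw=$3; shift 3
    valid_ip4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
    valid_ip4 "$gw"   || { echo "bad gateway: $gw" >&2; return 1; }
    printf 'auto %s\niface %s inet static\n' "$iface" "$iface"
    printf '    address %s\n    netmask 255.255.255.0\n    gateway %s\n' "$addr" "$gw"
    [ $# -gt 0 ] && printf '    dns-nameservers %s\n' "$*"
    return 0
}

# ufw_commands LAN_NET TUNNEL_NET : prints the ufw rule set (dry run).
# "Apache Full" covers 80 and 443, since the article tests over plain HTTP;
# SSH is only reachable from the cloud LAN and from VPN clients.
ufw_commands() {
    lan=$1; tun=$2
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow "Apache Full"
ufw allow from $lan to any port 22 proto tcp
ufw allow from $tun to any port 22 proto tcp
ufw --force enable
EOF
}

# Dry run with the article's values (prints only, changes nothing):
interfaces_stanza ens34 192.168.0.2 192.168.0.1 192.168.0.1
ufw_commands 192.168.0.0/24 10.1.1.0/24
```

Apply the ufw part only after the VPN connection described later has been verified: with SSH restricted to 192.168.0.0/24 and 10.1.1.0/24, a session opened over the server's public IP will no longer be accepted once the rule set is enabled. The gateway line makes pfSense the default gateway, which matches the Windows Server configuration in the article.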
Network configuration of the Windows Server machine
1) Start the Remote Desktop Connection software from a Windows system, then type the public IP of the Windows Server cloud server created earlier in the Computer field.
After clicking the Connect button, click on More options, Use another account; enter administrator as Username and the password chosen when creating the server.
2) Once the connection via Remote Desktop has been established, we suggest setting up, by way of example, at least the web server role with IIS.
Just click on Add roles and features, then keep pressing Next until the Select server roles window appears. Here activate Web Server (IIS) and click on the Add features button.
Press Next repeatedly, then Install at the last step.
Also in this case, by typing the public IP address of the machine in the address bar of the browser (preceded by http://), the welcome page of the IIS web server will appear.
3) To configure the second network card on the Windows Server machine, right-click on the Start button, select Run, type ncpa.cpl and finally double-click on the Lan 2 icon.
With a click on the Properties button, on Internet Protocol Version 4 (TCP/IPv4) and then again on Properties, we suggest assigning a static private IP (in the example 192.168.0.3). The other boxes can be set as shown in the figure (i.e. 255.255.255.0 as Subnet mask; 192.168.0.1 as Gateway; Google's DNS servers can also be entered).
Opening the command prompt on the Windows Server machine and typing ping 192.168.0.2 and ping 192.168.0.1, you will notice that both the Ubuntu server and the pfSense firewall, connected to the same private network via the virtual switch, respond correctly.
Configure access via VPN to the private cloud network
The pfSense firewall platform includes, among other features, an OpenVPN server.
To configure it correctly, also on the client side, and establish a secure remote connection, first connect to the pfSense administration panel by typing the corresponding public IP in the address bar of the browser, then go to System, Package Manager, Available Packages.
Type openvpn-client-export in the search box, start the search and install the proposed package (Install, Confirm buttons).
At this point click on the VPN menu, OpenVPN, choose Wizards, leave Local User Access selected, then click Next.
On the Certificate Authority (CA) Certificate page you will have to assign a name in the Descriptive Name field (for example MYVPN), as well as on the next page, Create New Certificate.
The next screen is set as in the figure in order to accept OpenVPN connections on the WAN interface and TCP port 1194 of pfSense. It is essential to check both the TLS Authentication and Generate TLS Key boxes.
In the Tunnel network box you can enter 10.1.1.0/24, while in the Local Network box below, 192.168.0.0/24.
Also check the Inter-Client Communication box so as to allow direct communication between the systems connected to the virtual private network.
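The tunnel network and local network entered above must not overlap each other, nor the network the VPN client connects from, which is the reason the article asked for a LAN range different from the local one, and the DHCP pool must fit inside the pfSense LAN. The following added example, not part of the original article, checks those conditions in plain POSIX sh using the article's values (cloud LAN 192.168.0.0/24, DHCP pool 192.168.0.100 to 192.168.0.199, tunnel 10.1.1.0/24); the 192.168.1.0/24 used as the client's own network is a constructed placeholder.

```bash
#!/bin/sh
# Added example (not from the original article): address-plan sanity check
# for the pfSense LAN, the OpenVPN tunnel and the network you connect from.

# ip4_to_int 192.168.0.1 -> 3232235521 (address as a 32-bit integer)
ip4_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# net_bounds A.B.C.D/P -> "<first address> <last address>" as integers
net_bounds() {
    addr=${1%/*}; prefix=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    first=$(( $(ip4_to_int "$addr") & mask ))
    last=$(( first | (~mask & 0xFFFFFFFF) ))
    echo "$first $last"
}

# net_overlap NET1 NET2 -> prints "overlap" or "disjoint"
net_overlap() {
    set -- $(net_bounds "$1") $(net_bounds "$2")
    if [ "$1" -le "$4" ] && [ "$3" -le "$2" ]; then echo overlap; else echo disjoint; fi
}

# range_in_net LO HI NET -> "ok" when LO..HI lies inside NET without touching
# the network address, the broadcast address or the first host address
# (where the article places the pfSense gateway); otherwise "outside".
range_in_net() {
    lo=$(ip4_to_int "$1"); hi=$(ip4_to_int "$2")
    set -- $(net_bounds "$3")
    if [ "$lo" -le "$hi" ] && [ "$lo" -gt $(( $1 + 1 )) ] && [ "$hi" -lt "$2" ]; then
        echo ok
    else
        echo outside
    fi
}

# check_plan CLIENT_NET LAN_NET TUNNEL_NET DHCP_LO DHCP_HI -> prints a report
# and returns 0 only when every check passes
check_plan() {
    client=$1; lan=$2; tun=$3; dlo=$4; dhi=$5; rc=0
    for pair in "$client $lan" "$client $tun" "$lan $tun"; do
        r=$(net_overlap $pair)
        echo "$pair: $r"
        [ "$r" = disjoint ] || rc=1
    done
    r=$(range_in_net "$dlo" "$dhi" "$lan")
    echo "DHCP pool $dlo-$dhi inside $lan: $r"
    [ "$r" = ok ] || rc=1
    return $rc
}

# Run with the article's values plus the placeholder client network:
check_plan 192.168.1.0/24 192.168.0.0/24 10.1.1.0/24 192.168.0.100 192.168.0.199
```

A non-zero exit from check_plan means a VPN client on that network would have two routes for the same addresses, or that the DHCP pool would hand out addresses colliding with the statically configured hosts or the gateway.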
Once the configuration of the OpenVPN server is finished, click on System, User Manager and then on the Add button. You will need to specify a username and password (they will be used to establish the VPN connection) and, importantly, check the Click to create a user certificate box.
After saving the user account with a click on Save, click on VPN, OpenVPN and then on Client Export.
Finally, by clicking on the Most Clients button at the bottom of the page, you will get an .ovpn file that allows you to establish the VPN connection from a client system.
To use it, for example from a Windows system, download the latest version of the OpenVPN client (from this page), then copy the .ovpn file to the %programfiles%\OpenVPN\config folder.
By starting the OpenVPN client, clicking on the newly added .ovpn profile and finally selecting Connect, the system in use will be connected to the remote private network (specify the username and password of the account created in pfSense).
By typing the commands ping 192.168.0.1, ping 192.168.0.2 and ping 192.168.0.3 you will receive a response from all the previously configured cloud servers.
That's not all. Typing http://192.168.0.2 in the address bar of the browser you will see the "Welcome!" message of the Apache server installed on Ubuntu Linux; typing http://192.168.0.3, the IIS welcome page returned by the Windows Server machine will appear.
At this point, you can go back to the Aruba Cloud administration panel, click Manage next to the Ubuntu and Windows servers, then click Remove IP to the right of the Ethernet 1 network cards.
By doing so, the two servers will only be reachable after connecting to the VPN. To access the Ubuntu server via SSH and Windows Server via Remote Desktop, from now on you will have to connect to the VPN using the OpenVPN client, then start PuTTY and Remote Desktop Connection respectively, specifying the IPs 192.168.0.2 and 192.168.0.3 in the field for the host to reach.
From the pfSense administration interface, still reachable via the public IP, you can finally disable connection requests on the WAN interface by selecting the first rule shown and activating the Disable this rule box (leave only the rule that allows connections on TCP 1194 for OpenVPN).
With a click on Firewall, NAT and finally on the Add button, you can, for example, create a new rule that allows access to the Windows Server HTTP server starting from a request received on the public IP of the pfSense firewall.
To proceed, just configure a port forwarding rule as shown in the figure:
As you can see, after indicating the use of the HTTP protocol (port 80), port forwarding is requested to the same port on the IP corresponding to the private address of the Windows Server machine.
Typing http:// followed by the firewall's public IP address, the Windows Server IIS web server will respond immediately.
The same operation can be done for Apache, on the Ubuntu server, or for any other service listening on any other port.
From the pfSense panel, going to System, Advanced, it is finally possible to change the value of the TCP port field: in this way you will be able to reuse port 443 (HTTPS) for a web server installed in the private network.
In the example, we have chosen to use port 4343 for accessing the pfSense administration interface. To access it, from now on you will therefore need to connect via VPN, then type the private IP of the pfSense server followed by :4343.
Some final notes:
The pfSense virtual server can also be created locally and then imported into Aruba Cloud via FTP upload. Just create the pfSense cloud server using the imported .VMDK template. See the article pfSense, firewall and VPN all in one: how to try them with VirtualBox.
Alternatively, you can install pfSense by uploading the updated ISO file to the FTP area of your Aruba Cloud account, then associate it with a virtual CD/DVD and use the Access Console button to follow the entire installation and configuration procedure.
The VPN can optionally be configured on port 443 (instead of 1194), so as to be sure of being able to connect from any other network.
The private IPs were assigned to the various cloud servers manually. In other configurations it may be useful to configure the servers via DHCP with static IP assignment (just use the MAC addresses noted previously).