How to use pfSense to protect a private network created on the cloud, consisting of multiple Windows and Linux servers. Enable secure access with OpenVPN.
Professionals and companies that need to manage multiple servers on the cloud can create a private network between the various machines by publicly exposing only the services that must be able to overlook one or more public IP addresses.
How to Protect Cloud Servers With a Firewall And Manage Them via VPN
By taking some care, you can make sure that cloud servers can be managed via VPN, in a completely secure way, avoiding exposing ports and services whose use must remain private.
The Aruba Cloud PRO service allows you to set up a real virtual data center : you can choose the cloud servers to use (Linux, Windows, FreeBSD) and put them in direct communication using a virtual switch.
A virtual switch is the cloud equivalent of a traditional Ethernet switch that allows you to connect multiple devices through their respective network cards ensuring that data is routed only in the network segment for which it is intended.
The virtual switch can be used on the cloud to create private networks composed of two or more servers : the machines connected with the switch will be able to communicate with each other as if they were inside a LAN and will use their own private IP addresses, assigned in a manner dynamic (via DHCP) or statically (do not change over time).
Aruba Cloud also provides users with two famous firewall platforms :pfSense and Endian. By connecting the firewall to the virtual switch, it is possible to protect cloud servers connected downstream by exposing only the desired ports and services to the public IP.
The advantage of a tool like the one offered by Aruba Cloud is that each virtual server can be freely sized with the possibility, with a few clicks, to scale up or down when the workloads and the volume of data to be managed. should increase or decrease.
Not only. The many templates made available to Aruba Cloud customers allow you to set up and configure a new cloud server in a few minutes and, just as quickly, to create your own private network and manage an entire virtual data center.
How to create a virtual network between cloud servers and protect it with the pfSense firewall: create the machines
To protect two or more cloud servers with the pfSense firewall we suggest, first of all, to go to the Aruba Cloud page that allows the creation of a new virtual server.
By clicking on the Create new server button , you will have to choose “PRO”, VMware “, select Choose template , type Firewall in the Solutions search box and then select pfSense in the left column.
A little further down, in the same server creation page, you will need to assign a name (for example FIREWALL ) and specify a password long and complex enough for the administration of pfSense.
As soon as the server that will act as a firewall (with pfSense pre-installed, thanks to the Aruba Cloud template ) is ready for use, its public IP address will appear in the administration panel: it is good to write it down because it will be needed soon.
In the meantime, you can click on Virtual switch in the left column of the Aruba Cloud panel and then click on the Create new virtual switch button . The virtual switch will need to be given a name. In our case we have specified DC-SWITCH .
By clicking on Management , immediately under the heading Cloud server , you will return to the list of cloud servers created.
At this point we try to add an Ubuntu Linux server and a Windows Server 2019 machine .
By default, each cloud server will be assigned a public IP address.
Connect the cloud servers to the virtual switch
The next step is to click on the Manage buttons to the right of the three newly created servers (in the example they are called FIREWALL ,DC-UBUNTU and DC-WIN2019 ).
Scrolling through the configuration page of each cloud server, you will find Network adapters almost at the end . By default, the only active will be the first, associated with a public IP address.
By clicking on the Connect virtual switch button corresponding to ” Ethernet 2 ” (the second virtual network card), you will have to select and connect the virtual switch created previously.
The operation will have to be repeated for all three cloud servers as well as for any other virtual machine that later connects to the private network.
We suggest to write down (perhaps with the help of a ” copy and paste ” the MAC address of the second network card of each cloud server just created).
Configure the pfSense firewall
By copying and pasting the public IP associated with the cloud server containing pfSense into the browser address bar, you will access the firewall configuration.
The data transits via HTTPS but pfSense, by default, uses a self-generated digital certificate: when the error ” The connection is not private ” appears, simply click on the Advanced button and then on Proceed to… (not secure) .
When the pfSense login page appears, enter admin as the username and, in the field below, the password chosen when creating the server on Aruba Cloud.
Referring to the Interfaces box at the top right, you will notice that the pfSense virtual server is actively using two interfaces: the first (WAN) to which the public IP is assigned; the second (LAN) on which the cloud server is connected to the virtual switch that manages the private network.
At this point, we suggest you click on LAN and assign an address range other than the one you use within your local, home, or corporate network.
Later, in fact, we will set up the connection via VPN: to avoid conflicts, it is important that the private network on the cloud uses a different address range from the one used locally.
In our case, within the Static IPv4 Configuration box , we have chosen to opt for 192.168.0.1/24 .
To continue, click on the Save button at the bottom and then on Apply changes at the top right.
From the Services menu , DHCP Server, in correspondence with the Range boxes , it will be necessary to enter a range of private IP addresses that can be assigned by the DHCP server that is compatible with the one just set (in our case we have set 192.168.0.100 – 192.168.0.199 ). The change must be saved by clicking on the Save button below.
Set static private IP addresses on the cloud servers connected with the virtual switch.
Using, in the case of Linux systems, an SSH client such as PuTTY and Remote Desktop Connection to administer Windows Server, you will have to assign a static IP address to the second network card previously connected to the virtual switch.
Ubuntu Linux server configuration
1) Establish a connection with PuTTY via SSH by entering the public IP address of the Ubuntu Linux cloud server created a little while ago with Aruba Cloud in the Host name (or IP address) field . After logging in with root credentials , you will have to type apt update && apt upgrade -y to update all software on the server.
2) We install the Apache web server as a test with the command.
We then type the following to change the default page displayed by Apache when attempting to connect to the server via HTTP:
echo '<html> <head> <meta http-equiv = "Content-Language" content = "it"> <meta http-equiv = "Content-Type" content = "text / html; charset = windows-1252"> <title> Cloud server </title> </head> <body> Welcome! </body> </html> ' > /var/www/html/index.html
Writing the public IP of the Ubuntu Linux server in the address bar of the browser (preceded by http: // ), you will immediately see the message ” Welcome! “.
dns-nameservers 220.127.116.11 18.104.22.168
The file will need to be saved by pressing CTRL + O then CTRL + X to exit the editor.
By doing so, you will have assigned a static private IP (in the example 192.168.0.2 ) to the Ubuntu cloud server. As a final step, you can reboot the machine by typing reboot and pressing Enter.
4) By connecting to the Ubuntu server again, you can type the following to activate the incoming firewall rule:
ufw allow "Apache Secure"
ufw allow "OpenSSH"
systemctl reload apache2
Network configuration of the Windows Server machine
1) Start the software Remote Desktop Connection from a Windows system then type the public IP of the Windows Server cloud server created earlier in the Computer field.
After clicking the Connect button , click on More options, Use another account ; enter administrator as Username and the password chosen when creating the server.
2) Once the connection via Remote Desktop has been established, we suggest setting – by way of example – at least the role of web server with IIS.
Just click on Add roles and features then always press Next until the Select server roles window appears . Here activate Web Server (IIS) and click on the Add features button .
Press Next repeatedly then Install at the last step.
Also in this case, by typing the public IP address of the machine in the address bar of the browser (preceded by http: // ), the welcome message of the IIS web server will appear.
3) To configure the second network card on the Windows Server machine, you must finally right-click on the Start button, select Run then type ncpa.cpl and finally double-click on the Lan 2 icon.
With a click on the Properties button , on Internet Protocol Version 4 (TCP / IPv4) then again onProperties, we suggest assigning a static private IP (in the example 192.168.0.3 ). The other boxes can be set as shown in the figure (i.e. 255.255.255.0 as Subnet mask ; 192.168.0.1 as Gateway ; the more Google’s DNS can be introduced).
Opening the command prompt on the Windows Server machine and typing ping 192.168.0.2 and 192.168.0.1 , you will notice how both the Ubuntu server and the pfSense firewall connected to the same private network via virtual switch will respond correctly.
Configure access via VPN to the private cloud network
The pfSense firewall platform integrates, among other features, that of OpenVPN server.
To configure it correctly also on the client side and establish a secure remote connection, we suggest first of all connecting to the pfSense administration panel by typing the corresponding public IP in the address bar of the browser then go to System, Package Manager, Available Packages.
By typing openvpn-client-export in the appropriate box, you will have to start the search and install the proposed package ( Install, Confirm buttons ).
At this point you will have to click on the VPN menu , OpenVPN , choose Wizards, leave Local User Access selected then click Next .
On the Certificate Authority (CA) Certificate page you will have to assign a name in the Descriptive Name field (for example MYVPN ) as well as in the next Create New Certificate .
The next screen will be set as in the figure in order to activate the OpenVPN connections on the WAN interface and TCP 1194 port on pfSense. It is essential to check both the TLS Authentication and Generate TLS Key boxes .
In the Tunnel network box you can indicate 10.1.1.0/24 while in the underlying Local Network 192.168.0.0/24 .
Also check the Inter-Client Communication box so as to allow direct dialogue between the systems connected to the virtual private network.
Once the configuration of the OpenVPN server is finished, you will have to click on System, User Manager and then on the Add button . You will need to specify a username and password (they will be used to establish the connection via VPN) and – important – you will need to check the Click to create a user certificate box .
After saving the user account with a click on Save , you will have to click on VPN, OpenVPN then click on Client Export .
Finally, by clicking on the Most Clients button at the bottom of the page, you will get an .ovpn file that will allow you to establish the VPN connection from a client system.
To use it, for example from a Windows system, you need to download the latest version of the OpenVPN client ( from this page ) then copy the .ovpn file to the % programfiles% \ OpenVPN \ config folder .
By starting the OpenVPN client and clicking on the newly added .ovpn profile , finally selecting Connect , the system in use will be connected to the remote private network (specify the username and password of the account created in pfSense).
By typing the commands ping 192.168.0.1 , ping 192.168.0.2 and ping 192.168.0.3 you will receive a response from all previously configured cloud servers.
Not only. Typing http://192.168.0.2 in the address bar of the browser you will see the message ” Welcome! ” Of the Apache server installed on Ubuntu Linux; writing http://192.168.0.3the IIS welcome screen returned from the Windows Server machine will appear.
At this point, you can go back to the Aruba Cloud administration panel, click Manage next to the Ubuntu and Windows servers then click Remove IP to the right of the Ethernet 1 network cards .
By doing so, the two servers will only be reachable after connecting to the VPN. To access the Ubuntu server via SSH and Windows Server via Remote Desktop you will have to connect to the VPN using the OpenVPN client from now on, then start PuTTY and Remote Desktop Connection respectively by specifying the IPs 192.168.0.2 and 192.168.0.3 in the relevant field to the host to reach.
From the pfSense administration interface, still reachable via public IP, you can finally disable connection requests on the WAN port by selecting the first rule shown and activating the Disable this rule box (you will have to leave only the rule that allows connections on TCP 1194 from OpenVPN).
With a click on Firewall, NAT and finally on the Add button , for example, you can create a new rule to allow access to the Windows Server HTTP server starting from a request received on the public IP of the pfSense firewall.
To proceed, just configure a port forwarding rule as shown in the figure:
As you can see, after indicating the use of the HTTP protocol (port 80), port forwarding is required on the same port on the IP corresponding to the private address of the Windows Server machine.
Typing http: // followed by the firewall’s public IP address will immediately respond to the Windows Server IIS web server.
The same operation can be done for Apache, on the Ubuntu server, or for any other service listening on any other port.
From the pfSense panel, going to System, Advanced , it is finally possible to change the value of the TCP port field: in this way you will be able to reuse port 443 (HTTPS) for a web server installed in the private network.
In the example, we have chosen to use port 4343 for accessing the pfSense administration interface. To access it you will therefore need to connect via VPN from now on, then type the private IP of the pfSense server followed by : 4343 .
Some final notes:
The pfSense virtual server can also be created locally and then imported to Aruba Cloud thanks to upload via FTP. Just create the pfSense cloud server using the imported .VMDK template. See the article pfSense, firewall and VPN all in one: how to try them with Virtualbox.
Alternatively, you can install pfSense by uploading the updated ISO file to the FTP area of your Aruba Cloud account then associate it with a virtual CD / DVD and use the Access Console button to oversee the entire installation and configuration procedure.
The VPN can possibly be configured on port 443 (instead of 1149) in such a way as to have the guarantee of being able to connect from any other network.
The private IPs have been assigned to the various cloud servers manually. In different configurations it could be useful to configure the servers in DHCP with static IP assignment (just use the MAC addresses noted previously).