Secure connection to Cloud Infrastructure by using VPN Tunnel – like we already said on our Secure Cloud Computing Guide, we pointed the importance of the connecting device. Practically it is a part of Comprehensive Cloud Security Strategy. It is obvious that, for this article; we have to take that the reader is used with the common computing terminologies like VPN (Virtual Private Network), Mobile Virtual Private Network, how you will setup VPN on Mac, Linux and Windows etcetera. Also, there is a more detailed article on VPN. If you have less knowledge or grasp on these basics, we will advice to read them first, indeed it is a good idea to buy some specific books to get more knowledge, otherwise the actual purpose of this article on secure connection to Cloud Infrastructure by using VPN Tunnel will remain as a theory to you. We basically can create a secure channel between our office or home and the cloud infrastructure through the creation of VPN Tunnel.
Why a Secure Connection to Cloud Infrastructure by VPN Tunnel is Thought as a Way ?
One of the major problems within the company, when discussing the ability to migrate the IT infrastructure from in-house to cloud computing services, is the communication channel used to exchange such data which are related to the security. With regard to the security of the stored data, you can use encryption systems; but, basically you have to have confidence in your service provider whose staff is the only one to actually have the tools to access your data in an almost transparent way.
With regard to the communication channel on which pass our data, it is not always possible to use protocols that make use of encryption (for example – SSL / TLS) and therefore, it is necessary to build a secure communication channel on which, transition of our data will take place. The problem arises, for example, if we want to mount a volume on our PC in the office on our server storage using NFS or CIFS. To overcome the above problem we can create a VPN tunnel between our cloud infrastructure and workstations physically present in our office : this is the crux of this article – Secure Connection to Cloud Infrastructure by VPN Tunnel.
---
Ways to Secure Connection to Cloud Infrastructure by VPN Tunnel
The reason why Dropbox get some much curse is practically to some extent for the desktop clients. These kind of service made the file transfer a bit easier but actually the user takes the shortcut to lack of security. Mounting is more intense work from networking point of view.
A VPN or Virtual Private Network is a private network, usually created between two points using a transmission system and public (Internet in this case) net, whose aim is to offer the same opportunities that you would have with a transmission line created in the private and hoc. Previously, when designing cloud infrastructure companies, they had expected the presence of a cloud server to act as a gateway to other servers that host the various services (web servers, mail servers, database servers, etc.), right on gateway can install PPTPD, or the daemon that allows you to create a VPN connection. Anyway, we can access via SSH to the gateway and install PPTPD simply using aptitude in case of Debian based Linux :
|
1 |
apt-get install -y pptpd bcrelay |
This will install bcrelay, ppp, pptpd. You might not need to use pptpd bcrelay, instead pptpd only (depending on the flavor). Now you just have time to configure the software, proceed by opening the file /etc/ppp/chap-secrets and enter the data related to users who want to give permission to connect to the VPN, use vi or nano to open that file :
|
1 |
myusernameabhishek pptpd mys3cr3tpass 11.12.0.2 |
|
1 |
myfriendsuserghosh pptpd hisp@ssword 14.15.0.3 |
With the above configuration it will give access to 2 users, each identified with a special password. We shall now proceed to configure PPTP, opening the main configuration file /etc/pptpd.conf, and choosing the IP range to be assigned to clients that will connect remotely to our cloud infrastructure:
|
1 |
localip 11.12.0.1 |
|
1 |
rackspaceip 72.73.0.2-10 |
Now you just have to configure the ip of the dns server that will be used by clients (you), open the file /etc/ppp/pptp-options and you will see there are commented lines like ms-dns, insert the ip of dns server 2 (you can use the dns of Google), MS-CHAP V2 PPTP VPN is never known to be safe but better than CHAP, make sure it looks like this (this the end of that file) :
|
1 |
ms-dns 8.8.8.8 |
|
1 |
#ms-dns 8.8.4.4 |
|
1 |
proxyarp |
|
1 |
nodefaultroute |
|
1 |
lock |
|
1 |
nobsdcomp |
|
1 |
mtu 1490 |
|
1 |
mru 1490 |
Restart pptpd :
|
1 |
/etc/ init.d/pptpd restart |
To access the private network to the cloud gateway server is offline, you must perform forwarding packets and then activate forwarding packets by adding the following line to /etc/sysctl.conf by uncommenting and making it true (0 to 1):
|
1 |
net.ipv4.ip_forward=1 |
sysctrl -p will restart the service after saving. We add the following rules to iptables firewall:
|
1 |
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE |
|
1 |
iptables -A FORWARD -i eth0 -o ppp0 -m state “state |
|
1 |
RELATED,ESTABLISHED -j ACCEPT |
|
1 |
iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT |
You will get the output like this (this is Ubuntu’s output) shown in my Github gist.
At this point the gateway server is ready to receive connections from the PC, you just have to configure their VPN client in your office. Obviously, you will need to configure VPN client (your computer for example to accept the handshake), typically for Debian like Linux, it will be :
|
1 |
apt-get install pptp-linux |
Now we just have to enter the user credentials needed to connect, as well as initially showed for the server, going to edit the file /etc/ppp/chap-secrets:
|
1 |
Abhishek VPNRackspace "passwordhere" * |
Now we just have to enter the user credentials needed to connect, as well as initially showed for the server, going to edit the file /etc/ppp/chap-secrets:
|
1 |
pty "pptp IP.RACK.SERVER.CLOUD --nolaunchpppd" |
|
1 |
name "Abhishek" |
|
1 |
remotename VPNRackspace |
|
1 |
require-mppe-128 |
|
1 |
usepeerdns |
|
1 |
file /etc/ppp/options.pptp |
Running the pon, poff command will simply connect to remote server. You can run man command to check pon / poff etc. details. The thing is basically same in OS X too. But we can use a GUI like written here : https://www.bol.ucla.edu/services/vpn/pptp/docs/macosx.html
We will not say about Microsoft Windows PC. For the most costly Operating System, there should be some official support. Plus there are so many Microsoft MVPs, they must know these basics – Microsoft’s way of ‘community participation’.
Tagged With are cloud base IP tunnels subject to FUSF