DOCSLIB.ORG

AWS Deployment Guide for Openvpn Access Server

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
AWS Deployment Guide for Openvpn Access Server AWS Deployment Guide for OpenVPN Access Server April 7, 2020 Table of Contents 1 Introduction .................................................................................................................... 4 1.1 What is a Virtual Private Network (VPN)? ............................................................................ 4 1.2 What is OpenVPN Access Server .......................................................................................... 5 1.2.1 OpenVPN Access Server Functional Architecture ................................................................................. 6 1.2.2 OpenVPN Access Server Features ......................................................................................................... 8 1.3 OpenVPN Access Server Use Cases ...................................................................................... 9 1.3.1 Secure Remote Access .......................................................................................................................... 9 1.3.2 Site-to-site connections to bring networks together .......................................................................... 10 1.3.3 Multiple networks, subnets, gateways, and servers .......................................................................... 10 1.3.4 Secure Internet traffic or contact limited-access systems .................................................................. 11 1.3.5 Secure Access to Cloud-Based Systems .............................................................................................. 12 2 Deploying Access Server ................................................................................................ 12 2.1 Prerequisites and Requirements ........................................................................................ 12 2.2 Typical AWS Deployment ................................................................................................... 13 2.2.1 Deployment Assets ............................................................................................................................. 13 2.2.2 Recommended Deployment ............................................................................................................... 13 2.3 Installation from AWS Marketplace ................................................................................... 14 2.3.1 Installation of Access Server - BYOL .................................................................................................... 14 2.4 Using an external database ................................................................................................ 27 2.4.1 Change database backend to MySQL or Amazon RDS ........................................................................ 27 2.5 High Availability Cluster Configuration .............................................................................. 30 3 Security ......................................................................................................................... 37 3.1 Secure the root user account ............................................................................................. 37 3.2 Secure the openvpn administrative user account ............................................................... 38 3.3 Installing an SSL certificate on the web interface ............................................................... 40 3.4 Hardening the web server cipher suite string ..................................................................... 40 3.5 Going beyond recommended security procedures ............................................................. 41 4 Planning ........................................................................................................................ 41 4.1 Sizing ................................................................................................................................. 41 4.1.1 EC2 Instance sizing .............................................................................................................................. 41 4.1.2 RDS Sizing ............................................................................................................................................ 42 4.2 Costs ................................................................................................................................. 42 4.2.1 Access Server Software Costs ............................................................................................................. 42 4.2.2 Cost of AWS Resources ....................................................................................................................... 42 5 Operations .................................................................................................................... 42 5.1 Logging and Debugging ...................................................................................................... 42 5.1.1 Locating the client log files ................................................................................................................. 43 5.1.2 Locating the server log files ................................................................................................................ 43 2 5.1.3 Setting up log rotation for /var/log/openvpnas.log.* ........................................................................ 44 5.1.4 Logging to syslog instead of the standard log file ............................................................................... 45 5.1.5 Redirecting to an external syslog server ............................................................................................. 46 5.1.6 A list of debugging flags ...................................................................................................................... 46 5.2 Troubleshooting ................................................................................................................ 48 5.2.1 Authentication .................................................................................................................................... 48 5.2.2 VPN Connectivity ................................................................................................................................ 54 5.2.3 DNS Resolution ................................................................................................................................... 55 5.2.4 Clients cannot access the Internet through Access Server ................................................................. 59 5.2.5 Recovering damaged database configuration files ............................................................................. 59 5.2.6 Troubleshooting License Activation .................................................................................................... 61 5.3 Backups & Recovery .......................................................................................................... 70 5.3.1 AWS Backup ........................................................................................................................................ 70 5.3.2 Access Server Configuration Backup ................................................................................................... 71 5.3.3 Recovering Access Server configuration from backup ........................................................................ 73 5.3.4 Backing up and recovering SSL certificates ......................................................................................... 74 6 Support ......................................................................................................................... 79 6.1 Getting support for the OpenVPN Access Server ................................................................ 79 6.2 OpenVPN Connect Client for Windows and macOS ............................................................ 80 6.3 OpenVPN Connect for iOS and Android ............................................................................. 81 7 Access Server Resources ................................................................................................ 81 3 Access Server AWS Deployment Guide 1 Introduction This section provides an introduction to terms such as private network, public network, virtual private network (VPN), VPN Server, and VPN Clients. It then delves deeper into the OpenVPN Access Server, its functional architecture, use cases, and typical AWS deployment. 1.1 What is a Virtual Private Network (VPN)? To understand the term Virtual Private Network, we first need to understand what a Private Network means. We are all well aware of the various services that we obtain from the Internet— world wide web, internet radio, social networking, instant messaging, and other services—these services are meant for public consumption. The servers on the Internet offering these services are meant to be accessed by anyone and are on the public-facing side of the service. While these servers are meant to serve legitimate users, their exposure to the Internet means that these servers on the public network are open to probing and attacks from malicious users. These malicious users probe Internet-accessible servers for security weaknesses and exploit them to access sensitive information. The best way to protect sensitive data and applications is to restrict access to them over public networks such as the Internet. The networks that connect the infrastructure that house sensitive data are isolated from the Internet, to keep them secure, by using a range of IP addresses
Load more

Recommended publications
  • TMS Xdata Documentation
    Overview TMS XData is a Delphi framework that allows you to create HTTP/HTTPS servers that expose data through REST/JSON. It is highly integrated into TMS Aurelius in a way that creating XData services based on applications with existing Aurelius mappings are just a matter of a few lines of code. XData defines URL conventions for adressing resources, and it specifies the JSON format of message payloads. It is heavily based on the OData standard. Such conventions, with the benefit of existing Aurelius mapping, allow building a full REST/JSON server with minimum writing of code. TMS XData uses TMS Sparkle as its core communication library. TMS XData product page: https://www.tmssoftware.com/site/xdata.asp TMS Software site: https://www.tmssoftware.com TMS XData is a full-featured Delphi framework that allows you to create REST/JSON servers, using server-side actions named service operations, and optionally exposing TMS Aurelius entities through REST endpoints. Consider that you have an Aurelius class mapped as follows: [Entity, Automapping] TCustomer = class strict private FId: integer; FName: string; FTitle: string; FBirthday: TDateTime; FCountry: TCountry; public property Id: Integer read FId write FId; property Name: string read FName write FName; property Title: string read FTitle write FTitle; property Birthday: TDateTime read FDateTime write FDateTime; property Country: TCountry read FCountry write FCountry; end; With a few lines of code you can create an XData server to expose these objects. You can retrieve an existing TCustomer
    [Show full text]
  • Near Real-Time Synchronization Approach for Heterogeneous Distributed Databases
    DBKDA 2015 : The Seventh International Conference on Advances in Databases, Knowledge, and Data Applications Near Real-time Synchronization Approach for Heterogeneous Distributed Databases Hassen Fadoua, Grissa Touzi Amel LIPAH FST, University of Tunis El Manar Tunis, Tunisia e-mail: [email protected], [email protected] Abstract—The decentralization of organizational units led to column is not available in the list of the existing relational database distribution in order to solve high availability and database management systems (RDBMS). This storage performance issues regarding the highly exhausting consumers unit’s variety holds the first problem discussed in this paper: nowadays. The distributed database designers rely on data data exchange format between the heterogeneous nodes in replication to make data as near as possible from the the same Distributed Database Management System requesting systems. The data replication involves a sensitive (DDBMS). The process of transforming raw data from operation to keep data integrity among the distributed architecture: data synchronization. While this operation is source system to an exchange format is called serialization. necessary to almost every distributed system, it needs an in The reverse operation, executed by the receiver side, is depth study before deciding which entity to duplicate and called deserialization. In the heterogeneous context, the which site will hold the copy. Moreover, the distributed receiver side is different from one site to another, and thus environment may hold different types of databases adding the deserialization implementation may vary depending on another level of complexity to the synchronization process. In the local DBMS. This data serialization is a very sensitive the near real-time duplication process, the synchronization task that may speed down the synchronization process and delay is a crucial criterion that may change depending on flood the network.
    [Show full text]
  • Innodb Plugin 1.0 for Mysql 5.1 User's Guide Innodb Plugin 1.0 for Mysql 5.1 User's Guide
    InnoDB Plugin 1.0 for MySQL 5.1 User's Guide InnoDB Plugin 1.0 for MySQL 5.1 User's Guide Abstract This is the User's Guide for InnoDB Plugin 1.0.8 for MySQL 5.1. Starting with version 5.1, MySQL AB has promoted the idea of a “pluggable” storage engine architecture , which permits multiple storage engines to be added to MySQL. Beginning with MySQL version 5.1, it is possible for users to swap out one version of InnoDB and use another. The pluggable storage engine architecture also permits Innobase Oy to release new versions of InnoDB containing bug fixes and new features independently of the release cycle for MySQL. This User's Guide documents the installation and removal procedures and the additional features of the InnoDB Plugin 1.0.8 for MySQL 5.1. WARNING: Because the InnoDB Plugin introduces a new file format, restrictions apply to the use of a database created with the InnoDB Plugin with earlier versions of InnoDB, when using mysqldump or MySQL replication and if you use the InnoDB Hot Backup utility. See Section 1.5, “Operational Restrictions”. For legal information, see the Legal Notices. Document generated on: 2014-01-30 (revision: 37573) Table of Contents Preface and Legal Notices ........................................................................................................... vii 1 Introduction to the InnoDB Plugin ............................................................................................... 1 1.1 Overview .......................................................................................................................
    [Show full text]
  • A Fully In-Browser Client and Server Web Application Debug and Test Environment
    LIBERATED: A fully in-browser client and server web application debug and test environment Derrell Lipman University of Massachusetts Lowell Abstract ging and testing the entire application, both frontend and backend, within the browser environment. Once the ap- Traditional web-based client-server application devel- plication is tested, the backend portion of the code can opment has been accomplished in two separate pieces: be moved to the production server where it operates with the frontend portion which runs on the client machine has little, if any, additional debugging. been written in HTML and JavaScript; and the backend portion which runs on the server machine has been writ- 1.1 Typical web application development ten in PHP, ASP.net, or some other “server-side” lan- guage which typically interfaces to a database. The skill There are many skill sets required to implement a sets required for these two pieces are different. modern web application. On the client side, initially, the In this paper, I demonstrate a new methodology user interface must be defined. A visual designer, in con- for web-based client-server application development, in junction with a human-factors engineer, may determine which a simulated server is built into the browser envi- what features should appear in the interface, and how to ronment to run the backend code. This allows the fron- best organize them for ease of use and an attractive de- tend to issue requests to the backend, and the developer sign. to step, using a debugger, directly from frontend code into The language used to write the user interface code is backend code, and to debug and test both the frontend most typically JavaScript [6].
    [Show full text]
  • Alibaba Cloud Apsara Stack Enterprise
    Alibaba Cloud Apsara Stack Enterprise Technical Whitepaper Version: 1807 Issue: 20180731 2 | Introduction | Apsara Stack Enterprise Apsara Stack Enterprise Technical Whitepaper / Legal disclaimer Legal disclaimer Alibaba Cloud reminds you to carefully read and fully understand the terms and conditions of this legal disclaimer before you read or use this document. If you have read or used this document, it shall be deemed as your total acceptance of this legal disclaimer. 1. You shall download and obtain this document from the Alibaba Cloud website or other Alibaba Cloud-authorized channels, and use this document for your own legal business activities only. The content of this document is considered confidential information of Alibaba Cloud. You shall strictly abide by the confidentiality obligations. No part of this document shall be disclosed or provided to any third party for use without the prior written consent of Alibaba Cloud. 2. No part of this document shall be excerpted, translated, reproduced, transmitted, or disseminat ed by any organization, company, or individual in any form or by any means without the prior written consent of Alibaba Cloud. 3. The content of this document may be changed due to product version upgrades, adjustment s, or other reasons. Alibaba Cloud reserves the right to modify the content of this document without notice and the updated versions of this document will be occasionally released through Alibaba Cloud-authorized channels. You shall pay attention to the version changes of this document as they occur and download and obtain the most up-to-date version of this document from Alibaba Cloud-authorized channels.
    [Show full text]
  • Ask Bjørn Hansen Develooper LLC [email protected]
    If this text is too small to read, move closer! Real World Web Scalability Slides at http://develooper.com/talks/ Ask Bjørn Hansen Develooper LLC [email protected] r8 Hello. • I’m Ask Bjørn Hansen • Tutorial in a box 59 minutes! • 53* brilliant° tips to make your website keep working past X requests/transactions per T time • Requiring minimal extra work! (or money) • Concepts applicable to ~all languages and platforms! * Estimate, your mileage may vary ° Well, a lot of them are pretty good Construction Ahead! • Conflicting advice ahead • Not everything here is applicable to everything • Ways to “think scalable” rather than end- all-be-all solutions Questions ... • Did anyone see this talk at OSCON or the MySQL UC before? • ... are using Perl? PHP? Python? Java? Ruby? • ... Oracle? • The first, last and only lesson: • Think Horizontal! • Everything in your architecture, not just the front end web servers • Micro optimizations and other implementation details –– Bzzzzt! Boring! (blah blah blah, we’ll get to the cool stuff in a moment!) Benchmarking techniques • Scalability isn't the same as processing time • Not “how fast” but “how many” • Test “force”, not speed. Think amps, not voltage • Test scalability, not just performance • Use a realistic load • Test with "slow clients" Vertical scaling • “Get a bigger server” • “Use faster CPUs” • Can only help so much (with bad scale/$ value) • A server twice as fast is more than twice as expensive • Super computers are horizontally scaled! Horizontal scaling • “Just add another box” (or another thousand or ...) • Good to great ... • Implementation, scale your system a few times • Architecture, scale dozens or hundreds of times • Get the big picture right first, do micro optimizations later Scalable Application Servers Don’t paint yourself into a corner from the start Run Many of Them • For your application..
    [Show full text]
  • ALB-X User Guide Software Version 4.1.2 (Build 1644) IP Services
    ALB-X User Guide Software Version 4.1.2 (Build 1644) IP Services .................................................................................................................................................... 7 Virtual Services ..................................................................................................................................... 7 Create a new Virtual Service using a new VIP ................................................................................... 7 Example of a completed Virtual Service with 2 Real Servers ............................................................ 8 Create a new Virtual Service using the same VIP .............................................................................. 8 Changing the IP Address your Virtual Services ................................................................................. 9 Filtering and Sorting .......................................................................................................................... 9 Primary ............................................................................................................................................ 10 VIP Status - This will provide visual feedback for the status of the Virtual IP address and all asociated virtual services ......................................................................................................................... 10 Service Status - This will provide visual feedback for the status of each individual virtual service .................................................................................................................................................
    [Show full text]
  • Towards Web-Scale RDF
    Towards Web-Scale RDF Orri Erling (Program Manager, OpenLink Virtuoso) and Ivan Mikhailov (Lead Developer, OpenLink Virtuoso) oerling{at}openlinksw.com and imikhailov{at}openlinksw.com OpenLink Software, 10 Burlington Mall Road Suite 265 Burlington, MA 01803 U.S.A. http://www.openlinksw.com/ Table of Contents Abstract Introduction Database Engine Query Planning On Shared Memory, MP, and Latency On Networks and Latency 4 processes on 4 core SMP box 4 processes on 4 extra large AMIs on Amazon EC2 Partitioning vs Cache Fusion Latency-Tolerant Load and Query Execution Load Query Distributed Pipe and Map-Reduce Inference for the Web ? The Blessing and Bane of "sameAs" On Redundancy Some Metrics Load Query Linked Data Applications Future Directions Conclusions Appendix A ? Metrics and Environment References Abstract We are witnessing the first stages of the document Web becoming a data Web, with the implied new opportunities for discovering, re-purposing, "meshing up," and analyzing linked data. There is an increasing volume of linked open data, and the first data Web search engines are taking shape. Dealing with queries against the nascent data Web may easily add two orders of magnitude in computing power requirements on top of what a text search engine faces. Queries may involve arbitrary joining, aggregation, filtering, and so forth, compounded by the need for inference and on-the- fly schema mapping. This is the environment for which Virtuoso Cluster Edition is intended. This paper presents the main challenges encountered and solutions arrived at during the development of this software. We present adaptations of RDF load- and query-execution and query-planning suited for distributed memory platforms, with special emphasis on dealing with message latency and the special operations required by RDF.
    [Show full text]
  • Rethinking the Application-Database Interface Alvin K. Cheung
    Rethinking the Application-Database Interface by Alvin K. Cheung Submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science and Engineering at the MASSACHUSETTS INSTITUTE OF TECHNOLOGY September 2015 © Massachusetts Institute of Technology 2015. All rights reserved. Author................................................................... Department of Electrical Engineering and Computer Science August 28, 2015 Certified by . Samuel Madden Professor Thesis Supervisor Certified by . Armando Solar-Lezama Associate Professor Thesis Supervisor Accepted by . Leslie A. Kolodziejski Chair, Department Committee on Graduate Students 2 Rethinking the Application-Database Interface by Alvin K. Cheung Submitted to the Department of Electrical Engineering and Computer Science on August 28, 2015, in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science and Engineering Abstract Applications that interact with database management systems (DBMSs) are ubiquitous in our daily lives. Such database applications are usually hosted on an application server and perform many small accesses over the network to a DBMS hosted on a database server to retrieve data for pro- cessing. For decades, the database and programming systems research communities have worked on optimizing such applications from different perspectives: database researchers have built highly efficient DBMSs, and programming systems researchers have developed specialized compilers and runtime systems for hosting applications. However, there has been relative little work that exam- ines the interface between these two software layers to improve application performance. In this thesis, I show how making use of application semantics and optimizing across these layers of the software stack can help us improve the performance of database applications.
    [Show full text]
  • Benchmarking and Comparison of a Relational and a Graph Database in a CMDB Context Rasmus Berggren, Dennis Londögård
    MASTER’S THESIS 2020 Benchmarking and comparison of a relational and a graph database in a CMDB context Rasmus Berggren, Dennis Londögård ISSN 1650-2884 LU-CS-EX: 2020-45 DEPARTMENT OF COMPUTER SCIENCE LTH j LUND UNIVERSITY EXAMENSARBETE Datavetenskap LU-CS-EX: 2020-45 Benchmarking and comparison of a relational and a graph database in a CMDB context Rasmus Berggren, Dennis Londögård Benchmarking and comparison of a relational and a graph database in a CMDB context Rasmus Berggren Dennis Londögård [email protected] [email protected] July 8, 2020 Master’s thesis work carried out at Axis Communications Supervisors: Guido Gudios, [email protected] Lars Bendix, [email protected] Examiner: Per Andersson, [email protected] Abstract The IT company Axis has grown a lot in the past decade and they are now having trouble keeping track of everything eciently and hypothesize that they are in need of a CMDB, while also wondering what type of database it would be best implemented as. The goal of this thesis was to investigate what requirements Axis has for a CMDB, and use their requirements to analyse if it would be best implemented as a graph database or relational database. The work was done in two parts. The rst part consisted of making a re- quirement specication for Axis context, this was done with a combination of literature study, interviews as well as examining an old database used for CM pur- poses. A minimum viable product was created from the requirements to serve as a proof-of-work as well as a basis for the second part.
    [Show full text]
  • Oracle Database Net Services Administrator's
    Oracle® Database Net Services Administrator’s Guide 10g Release 1 (10.1) Part No. B10775-01 January 2004 Oracle Database Net Services Administrator’s Guide, 10g Release 1 (10.1) Part No. B10775-01 Copyright © 2002, 2004 Oracle. All rights reserved. Primary Author: Jennifer Polk Contributing Author: Henry Abrecht Contributors: Robert Achacoso, Gaurav Agarwal, Omar Bellal, David Chen, Howard Cohen, Toby Close, Pramodini Gattu, Harvey Eneman, Stella Kister, Shuvayu Kanjila, Cynthia Kibbe, Vincent Lee, Catherine Luu, Scot McKinley, Ed Miner, Peter Povinec, Richard Smith, Deborah Steiner, Juliet Ta, Norman Woo, Jose Wong The Programs (which include both the software and documentation) contain proprietary information; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual and industrial property laws. Reverse engineering, disassembly, or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited. The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. This document is not warranted to be error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose. If the Programs are delivered to the United States Government or anyone licensing or using the Programs on behalf of the United States Government, the following notice is applicable: U.S.
    [Show full text]
  • An Elastic Middleware Platform for Concurrent and Distributed Cloud and Mapreduce Simulations
    An Elastic Middleware Platform for Concurrent and Distributed Cloud and MapReduce Simulations Pradeeban Kathiravelu Thesis to obtain the Master of Science Degree in Information Systems and Computer Engineering Supervisor: Doctor Lu´ısManuel Antunes Veiga arXiv:1601.03980v1 [cs.DC] 15 Jan 2016 Examination Committee Chairperson: Doctor Jos´eCarlos Alves Pereira Monteiro Supervisor: Doctor Lu´ısManuel Antunes Veiga Member of the Committee: Doctor Ricardo Jorge Freire Dias September 2014 Acknowledgements Cloud2Sim was a brain-child of Prof. Lu´ısManuel Antunes Veiga who proposed the topic and ac- cepted my interest to work on this topic. I would like to thank my supervisor for leading me through- out the project with his creative suggestions on making the thesis better and guidance throughout the thesis. His lectures and guidance were always motivating. I would like to thank Prof. Jo˜aoCoelho Garcia for his motivations and inspirations. Prof. Luis Rodrigues helped us at various occasions. I would also like to thank Prof. Johan Montelius for his leadership and guidance, during my third semester at KTH Royal Institute of Technology. I would like to thank all the professors who taught us at IST and KTH Royal Institute of Technology during my master studies. Erasmus Mundus offered us an opportunity to come from different countries and study at these wonderful institutes. I would like to extend my thanks to the Education, Audiovisual and Culture Executive Agency (EACEA) of the European Union, and EMDC consortium for selecting me for the scholarship. My thanks goes to all my friends who shared the same journey with me with Erasmus Mundus, making my studies a pleasant experience.
    [Show full text]