Developing a Cloud Gateway (CG) virtual machine that runs on an OpenStack network to expand the local resource and provision on premise compute-resources for seamless scaling of applications for peak workloads via an AWS Virtual Private Cloud (VPC).
License: Apache License 2.0
First, we need to setup such environment( tunnel with all ends in same subnet ). Then we need to search for solution and try to solve it.
Hint: One possible solution is to do a NAT at both side of the network.
How to setup up site-to-site VPN in aws using OpenSwan.
basically this vedio is correct, but dont follow it on the phase setting( that 3 lines of security setting).
$ sudo apt-get install openswan
$ sudo su
$ for path in /proc/sys/net/ipv4/conf/*;
$ do echo 0 > $path/accept_redirects;
$ echo 0 > $path/send_redirects;
$ done
$ sudo vim /etc/sysctl.confmodify the file as follow:
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Above setting doesn't seem to work in ec2 instance. to enable ip_forward, you need to type following command line:
$ sudo su
$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ exit$ sudo vim /etc/ipsec.conf
and modifi the file like
config setup
# Note: incorrect SElinux policies might prevent pluto writing the core
dumpdir=/var/run/pluto/
# NAT-TRAVERSAL support, see README.NAT-Traversal
nat_traversal=yes
# put all possible subnet here: %v(4/6)CIDR
virtual_private=%v4:10.0.0.0/8, %v4:172.31.0.0/16, %v4:192.168.0.0/16
# which IPsec stack to use. auto will try netkey, then klips then mast
protostack=netkey
conn connection_name
authby=secret
auto=start
type=tunnel
# Left security gateway, subnet behind it, nexthop toward right.
leftid=name_of_machine, can_be_your_public_id
left=ip_of_this_machine
leftsubnet=<subnet_of_this_machine>
leftnexthop=<ignore>
# Right security gateway, subnet behind it, nexthop toward left.
right=public_id_of_the_other_machine
rightsubnet=<you know>
rightnexthop=<ignore>
more information of ipsec.conf please check here.
$ sudo vim /etc/ipsec.secrets
and modifi the file like
<this_machines_id> <remote_id(default_isvalue_of_right)>: PSK "my secrets"
verify setup
# verify if setup is correct as
$ sudo ipsec verifythe output should be
perl: warning: Falling back to the standard locale ("C").
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K3.13.0-74-generic (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]you can start you tunnel using
$ sudo service ipsec restart
# or up specify a channel
$ sudo ipsec auto --add connection_name
$ sudo ipsec auto --up connection_name
# check status by
$ sudo service ipsec status
sudo: unable to resolve host ip-10-0-1-88
IPsec running - pluto pid: 11574
pluto pid 11574
1 tunnels up
some eroutes exist
google for more detail
Sent a single udp package to ip/port
$ echo -n "foo"| nc -4u -w1 54.84.49.221 50
sniffing package of port of certian interface
$ sudo tcpdump -n -i eth0 esp or udp port 500 or udp port 4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
06:26:33.918387 IP 54.84.49.221.50640 > 10.0.1.88.4500: [|isakmp]
06:26:39.153992 IP 54.84.49.221.46341 > 10.0.1.88.4500: [|isakmp]
06:26:40.482219 IP 54.84.49.221.49448 > 10.0.1.88.4500: [|isakmp]
06:26:41.485620 IP 54.84.49.221.57306 > 10.0.1.88.4500: [|isakmp]
06:26:42.522311 IP 54.84.49.221.40383 > 10.0.1.88.4500: [|isakmp]
06:26:43.656389 IP 54.84.49.221.44336 > 10.0.1.88.4500: [|isakmp]
display the relationship of process, port, and status
$ sudo netstat -nap
(No info could be read for "-p": geteuid()=1000 but you should be root.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 476 10.0.1.88:22 65.96.153.200:63248 ESTABLISHED -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 127.0.0.1:4500 0.0.0.0:* -
udp 0 0 10.0.1.88:4500 0.0.0.0:* -
udp 0 0 52.87.255.65:4500 0.0.0.0:* -
udp 0 0 127.0.0.1:500 0.0.0.0:* -
udp 0 0 10.0.1.88:500 0.0.0.0:* -
udp 0 0 52.87.255.65:500 0.0.0.0:* -
1.Try to set up VPN among MOC, AWS and maybe other PCs
2. Have a try on StrongSwan and tell the different between this and OpenSwan
Here're something we can do to further improve this project, listed as descending priority:
boto3 API instead of cloudformation to accelerate VCG deployment process.Since I need to prepare for algo final this week, whoever have time can try to implement one of this list and refer to your patch below. I will come back to this after final and every other things are settled down.
Thanks
For RSA authentication, here're two link:
#!/bin/bash
clear
# echo "Hello $USER"
# echo
# echo "Today's date is `date`, this is week `date +"%V"`."
# echo
# echo "These users are currently connected:"
# w | cut -d " " -f 1 - | grep -v USER | sort -u
# echo
# echo "This is `uname -s` running on a `uname -m` processor."
# echo
# echo "This is the uptime information:"
# uptime
# echo
echo "This script is provided by cloud-gateway team to configure your network for scaling to public clouds on peak workloads. Automation starts now."
# Q. Will I be needing any information from the user or from the user's environment?
# A. 5 : left IP,subnet and right IP,subnet and PSK
# Q. How will I store that information?
# A. Variables
# Q. Are there any files that need to be created? Where and with which permissions and ownerships?
# A. Everything here needs sudo priveledges
# Q. What commands will I use? When using the script on different systems, do all these systems have these commands in the required versions?
# A. https://github.com/BU-NU-CLOUD-SP16/cloud-gateway/issues/2#issuecomment-186081235
# Q. Does the user need any notifications? When and why?
# A. - Success on openswan install
# - Enabled Redirects
# - Sysctl configured
# - ipsec configured
# - Pre Shared Key created as "cloud-gateway"
# - Tunnel Started
# - Verifying tunnel status
# We can even prompt user but i don't think thats the way admins would like
# echo -n "Enter your LEFT IP and press [ENTER]: "
# read LEFT_IP
if [ $# -lt 5 ]; then
echo "Usage: ./automate.sh LEFT_IP LEFT_SUBNET RIGHT_IP RIGHT_SUBNET PSK"
exit 1
fi
# Below command is used to extract Left IP from a user's VM
# ifconfig | grep -A 1 enp0s3 | grep "inet addr:" | cut -d ":" -f2 | cut -d " " -f1
# ifconfig | grep -A 1 enp0s3 | grep "Bcast:" | cut -d ":" -f2 | cut -d " " -f1
LEFT_IP=$1
LEFT_SUBNET=$2
RIGHT_IP=$3
RIGHT_SUBNET=$4
PSK=$5
# Need to color these variables later on
echo "Your IP Address: $LEFT_IP"
echo "Your Subnet Address: $LEFT_SUBNET"
echo "Public Gateway IP Address: $RIGHT_IP"
echo "Public Gateway Subnet Address: $RIGHT_SUBNET"
echo "Pre Shared Key: $PSK"
echo "Installing openswan"
apt-get install openswan
echo "Enable Redirects"
for path in /proc/sys/net/ipv4/conf/*;
do echo 0 > $path/accept_redirects;
echo 0 > $path/send_redirects;
done
echo "Configuring Sysctl"
echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
echo net.ipv4.conf.all.accept_redirects = 0 >> /etc/sysctl.conf
echo net.ipv4.conf.all.send_redirects = 0 >> /etc/sysctl.conf
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Configuring ipsec"
# sed 's/^#.*id$/leftid=$LEFT_IP/' /etc/ipsec.conf
echo "Creating PSK"
cat $LEFT_IP $RIGHT_IP: PSK "cloud-gateway" >> /etc/ipsec.secrets
echo "Tunnel Started"
service ipsec restart
echo "Verifying tunnel status"
ipsec verify
echo "Tunnel status"
service ipsec status
Route all the traffic from public cloud to the private cloud if it belongs to a subnet in the public cloud that contains resources(machine's) connected to the private cloud through the VCG's.
I have two solutions for this so far:
Set the out-bound traffic rules in the public cloud route table to send the traffic to the private cloud based on the origin of the traffic.
Route all the traffic to our VCG on the public cloud side. Since there is already a tunnel, all traffic will be sent to the private cloud.
Instead of 0.0.0.0/0 (which implies Internet Gateway) we will add the default route as the address of our VCG in the VPC's route table
For now, solution 2 seems like a cleaner solution. I will be updating this issue with more details as I run into more information.
Possible technical solution for CloudGateway
After spending an afterternoon doing research, I think I have possible technical solution for CloudGateway. And here's my ideas and some materials(those hyper links) that may help.
Essentially what we are making is a VPN server, used to connect subnets in different clouds. According to WikiPedia, this is a [site-to-site VPN](VPN https://www.youtube.com/watch?v=CuxyZiSCSfc). More specifically, a site-to-site VPN running on tunnel mode.
Since the goal is clear, a simple research led to solution: how to implement site-to-site vpn. This article introduce people how to set up a VPN server using iptables and OpenSwan. Basically, OpenSwan provides a mature IPsec VPN technique, we only need to set up some configuration. And in iptables we will need to add some firewall rules to enable NAT and disable some other network traffic.
Some document from redhat may help you understand how iptable works:
I think the article about tunnel mode will give you a bref understanding about IPsec. Currently, there's two libraies provide IPsec funtionality: OpenSwan and StrongSwan. While StrongSwan seems to provide better documentation, OpenSwan does have an example about how to setup OpenSwan on EC2 instances, which might be useful.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.