Re: Remote Access VPN

2022-09-29 Thread Ricardo Pertuz
1. Make sure you have the latest updates for Windows 10 (KB5010342) or have 
Windows 11

2. Configure a registry value and reboot your laptop

AssumeUDPEncapsulationContextOnSendRule as DWORD in 
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent" and set 
decimal value "two" (2)



From: Christian Reichert 
Sent: Thursday, September 29, 2022, 11:11 AM
To: 'users@cloudstack.apache.org' 
Subject: Remote Access VPN


Hi All,



we set up Remote Access VPN on a VPC as described in the current documentation 
for 4.16.1.0 but our Windows Test Client is not connecting.

Is there any way to debug the VPN configuration?



Thanks and best regards,



Christian
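
The two steps from the reply above as a PowerShell check, added here as an example and not part of the original thread. The function name `Set-NatTraversalPolicy` is hypothetical; the KB number, registry path, value name and value 2 are the ones quoted in the post. Value 2 tells the Windows IPsec client to establish security associations when both the VPN server and the client sit behind NAT devices.

```powershell
# Added example (not from the thread). Reading works unelevated;
# writing under HKLM requires an elevated PowerShell prompt.
function Set-NatTraversalPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 2 is the value given in the post (client and server both behind NAT)
        [ValidateRange(0, 2)]
        [int]$Desired = 2
    )

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
    $name = 'AssumeUDPEncapsulationContextOnSendRule'

    # Step 1 of the post: record OS and whether the named update is listed.
    # A later cumulative update can replace it, so a missing entry is
    # informational only and does not block the change.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $kb = Get-HotFix -Id 'KB5010342' -ErrorAction SilentlyContinue

    # Step 2 of the post: read the current value ($null when it is absent).
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    $changed = $false
    if ($current -ne $Desired) {
        # -WhatIf / -Confirm are honoured here, so the function can be run
        # as a pure audit before anything is written.
        if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $Desired")) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                -Value $Desired -Force | Out-Null
            $changed = $true
        }
    }

    [pscustomobject]@{
        OS             = "$($os.Caption) build $($os.BuildNumber)"
        KB5010342      = [bool]$kb
        PreviousValue  = $current
        DesiredValue   = $Desired
        Changed        = $changed
        # The post says to reboot after setting the value.
        RebootRequired = $changed
    }
}

# Audit only: report what would change without writing to the registry.
Set-NatTraversalPolicy -WhatIf
```

Run `Set-NatTraversalPolicy` without `-WhatIf` to apply the value, then reboot as the post says.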



Remote Access VPN

2022-09-29 Thread Christian Reichert
Hi All,

we set up Remote Access VPN on a VPC as described in the current documentation 
for 4.16.1.0 but our Windows Test Client is not connecting.
Is there any way to debug the VPN configuration?

Thanks and best regards,

Christian




RE: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

2021-06-16 Thread Sean Lair
I would love to see OpenVPN as the client VPN.  We consider the current Client 
VPN unusable.  We use OpenVPN with OPNsense firewalls and it has been 
rock-solid.


-Original Message-
From: Rohit Yadav  
Sent: Friday, June 11, 2021 12:40 PM
To: users@cloudstack.apache.org; d...@cloudstack.apache.org
Subject: [DKIM Fail] Re: [DISCUSS] Moving to OpenVPN as the remote access VPN 
provider

Hi PL,

You can check the ikev2 support in 4.15+ here: 
https://github.com/apache/cloudstack/pull/4953

I think a generic VPN framework-provider feature is probably what we need (i.e. 
to let user or admin decide what VPN provider they want, supporting 
strongswan/ipsec and openvpn) so I'm not trying to defend OpenVPN here but your 
comments on OpenVPN are incorrect. It is widely used (in many projects incl. 
pfSense) and both server/clients are opensource and not proprietary afaik (GPL 
or AGPL license, I'm not sure about platform-specific clients (the GUI ones) 
but I checked the CLI clients are opensource):
https://github.com/OpenVPN/openvpn
https://github.com/OpenVPN/openvpn3

One key requirement for whatever VPN provider we support is that it should be 
free and opensource and available on Debian (for use in the systemvmtemplate) 
and OpenVPN fits that requirement. The package is available on Debian: 
https://packages.debian.org/buster-backports/openvpn

Regards.


From: Pierre-Luc Dion 
Sent: Friday, June 11, 2021 20:10
To: users@cloudstack.apache.org 
Cc: dev 
Subject: Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

Just to be sure, what CloudStack > v4.15 uses Strongswan/l2tp or
strongswan/ikev2 ?

Because l2tp became complicated to configure on native vpn clients on some 
OSes, kind of deprecated remote management VPN, compared to IKEv2.
I'm a bit concerned about OpenVPN for the clients, what if binaries become 
subscription based availability or become proprietary ?

For sure we need the option to select what type of VPN solution to offer when 
deploying a cloud.

From my perspective I cannot use/offer OpenVPN as a solution to my customers 
because it involves forcing them to download third party software on their 
workstations and I don't want to be responsible for a security breach on their 
workstation because of a requirement for 3rd party software that we don't 
control.



On Fri, Jun 11, 2021 at 10:14 AM Rohit Yadav 
wrote:

> Thanks all for the feedback so far, looks like the majority of people 
> on the thread would prefer OpenVPN but for s2s they may continue to 
> prefer strongswan/ipsec for site-to-site VPC feature. If we're unable 
> to reach consensus then a general-purpose provider-framework may be 
> more flexible to the end-user or admin (to select which VPN provider 
> they want for their network, we heard in this thread - openvpn, 
> strongswan/l2tp, wireguard, and maybe other providers in future).
>
> Btw, ikev2 is supported now with strongswan with this -
> https://github.com/apache/cloudstack/pull/4953
>
> My personal opinion: As user of most of these VPN providers, I 
> personally like OpenVPN which I found to be easier to use both on 
> desktop/laptop and on phone. With openvpn as the default I imagine in 
> CloudStack I could enable VPN for a network and CloudStack gives me an 
> option to download a .ovpn file which I can import in my openvpn 
> client (desktop, phone, cli...) click connect to connect to the VPN. 
> For certificate generation/storage, the CA framework could be used so 
> the openvpn server certs are the same across network restarts (with 
> cleanup). I think a process like this could be simpler than what we've 
> right now, and the ovpn download+import workflow would be easier than 
> what we'll get from either strongswan/current or wireguard. While I 
> like the simplicity of wireguard, which is more like SSH setup I 
> wouldn't mind doing setup on individual VMs (much like setting up ssh key) or 
> use something like TailScale.
>
>
> Regards.
>
> 
> From: Gabriel Bräscher 
> Sent: Friday, June 11, 2021 19:28
> To: dev 
> Cc: users 
> Subject: Re: [DISCUSS] Moving to OpenVPN as the remote access VPN 
> provider
>
> I understand that OpenVPN is a great option and far adopted.
> I am  ++1 in allowing Users/Admins to choose which VPN provider suits 
> them best; creating an offering (or global settings) that would allow 
> setting which VPN provider will be used would be awesome.
>
> I understand that OpenVPN is a great option and far adopted; however, 
> I would be -1 if this would impact on removing support for Strongswan 
> -- which from what I understood is not the proposal, but saying anyway 
> to be sure.
>
> Thanks for raising this proposal/discussion, Rohit.
>
> Cheers,
> Gabriel.
>
>

Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

2021-06-11 Thread Rohit Yadav
Hi PL,

You can check the ikev2 support in 4.15+ here: 
https://github.com/apache/cloudstack/pull/4953

I think a generic VPN framework-provider feature is probably what we need (i.e. 
to let user or admin decide what VPN provider they want, supporting 
strongswan/ipsec and openvpn) so I'm not trying to defend OpenVPN here but your 
comments on OpenVPN are incorrect. It is widely used (in many projects incl. 
pfSense) and both server/clients are opensource and not proprietary afaik (GPL 
or AGPL license, I'm not sure about platform-specific clients (the GUI ones) 
but I checked the CLI clients are opensource):
https://github.com/OpenVPN/openvpn
https://github.com/OpenVPN/openvpn3

One key requirement for whatever VPN provider we support is that it should be 
free and opensource and available on Debian (for use in the systemvmtemplate) 
and OpenVPN fits that requirement. The package is available on Debian: 
https://packages.debian.org/buster-backports/openvpn

Regards.


From: Pierre-Luc Dion 
Sent: Friday, June 11, 2021 20:10
To: users@cloudstack.apache.org 
Cc: dev 
Subject: Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

Just to be sure, what CloudStack > v4.15 uses Strongswan/l2tp or
strongswan/ikev2 ?

Because l2tp became complicated to configure on native vpn clients on some
OSes, kind of deprecated remote management VPN, compared to IKEv2.
I'm a bit concerned about OpenVPN for the clients, what if binaries become
subscription based availability or become proprietary ?

For sure we need the option to select what type of VPN solution to offer
when deploying a cloud.

From my perspective I cannot use/offer OpenVPN as a solution to my
customers because it involves forcing them to download third party software
on their workstations and I don't want to be responsible for
a security breach on their workstation because of a requirement for 3rd
party software that we don't control.



On Fri, Jun 11, 2021 at 10:14 AM Rohit Yadav 
wrote:

> Thanks all for the feedback so far, looks like the majority of people on
> the thread would prefer OpenVPN but for s2s they may continue to prefer
> strongswan/ipsec for site-to-site VPC feature. If we're unable to reach
> consensus then a general-purpose provider-framework may be more flexible to
> the end-user or admin (to select which VPN provider they want for their
> network, we heard in this thread - openvpn, strongswan/l2tp, wireguard, and
> maybe other providers in future).
>
> Btw, ikev2 is supported now with strongswan with this -
> https://github.com/apache/cloudstack/pull/4953
>
> My personal opinion: As user of most of these VPN providers, I personally
> like OpenVPN which I found to be easier to use both on desktop/laptop and
> on phone. With openvpn as the default I imagine in CloudStack I could
> enable VPN for a network and CloudStack gives me an option to download a
> .ovpn file which I can import in my openvpn client (desktop, phone, cli...)
> click connect to connect to the VPN. For certificate generation/storage,
> the CA framework could be used so the openvpn server certs are the same
> across network restarts (with cleanup). I think a process like this could
> be simpler than what we've right now, and the ovpn download+import workflow
> would be easier than what we'll get from either strongswan/current or
> wireguard. While I like the simplicity of wireguard, which is more like SSH
> setup I wouldn't mind doing setup on individual VMs (much like setting up
> ssh key) or use something like TailScale.
>
>
> Regards.
>
> 
> From: Gabriel Bräscher 
> Sent: Friday, June 11, 2021 19:28
> To: dev 
> Cc: users 
> Subject: Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider
>
> I understand that OpenVPN is a great option and far adopted.
> I am  ++1 in allowing Users/Admins to choose which VPN provider suits them
> best; creating an offering (or global settings) that would allow setting
> which VPN provider will be used would be awesome.
>
> I understand that OpenVPN is a great option and far adopted; however, I
> would be -1 if this would impact on removing support for Strongswan --
> which from what I understood is not the proposal, but saying anyway to be
> sure.
>
> Thanks for raising this proposal/discussion, Rohit.
>
> Cheers,
> Gabriel.
>
>
> On Fri, Jun 11, 2021 at 08:46, Pierre-Luc Dion
> wrote:
>
> > Hello,
> >
> > Daan, I agree we should provide capability to select the vpn solution to
> > use, the question would be, should it be a global setting generic for the
> > whole region or per VPC?
> > I think it should be a global setting to reduce the requirement complexity
> > of a region, but per VPC or customer(account or

Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

2021-06-11 Thread Andrija Panic
again my 2 cent(o)s:
- strongswan to stay for S-2-S (supporting IKE2 explicitly now etc) - as it
has been working great (with some recent, multiple-remote subnet issues
resolved, with human-layer-8 problems will continue to exist - i.e.
misconfiguration)
- strongswan (L2TP/IpSec) remote VPN is pain and while universally
supported natively in all OS-es today-  it supports only 1 client behind a
single public IP (a common issue when multiple users/humans sitting in the
same office want to connect to the same VPC via Remote VPC) - no way to
seed routes, either route everything through the tunnel (and have your
internet dropped) or add routes manually (pain)

For remote VPN - I prefer to use what is a:
- de-facto industry standard (whatever that is)
- has great/long-term support on all client devices (desktops and mobiles)

Take a look at all major firewall/VPN concentrator devices, and you will
see what they offer (OpenVPN most of the time)

I understand some might like fancy and brand-new-nothing-simpler--than this
VPN solutions - but we should try to keep things within industry standards
IMO and leave fancy and not-yet-long-term-tested solutions out of the
consideration.

OpenVPN, as Rohit explained, has support for exporting you with the
configuration file, which you import and use your username/password - and
this works on all mobile devices and up (desktop OS-es) - and from what I
can see (because have multiple VPNs using myself for various different
customers) - it's 99,99% OpenVPN which is used < this kind information
should bring some "help" while deciding what to use

(btw, I'm not selling OpenVPN, nor preaching for it, nor have I ever "liked
it" for that matter, but it seems to be among the best-supported solutions
in every sense)

Cheers,

On Fri, 11 Jun 2021 at 17:04, Pierre-Luc Dion  wrote:

> btw, I like the idea of CloudStack offering OpenVPN as a solution !
>
> On Fri, Jun 11, 2021 at 10:40 AM Pierre-Luc Dion 
> wrote:
>
> > Just to be sure, what CloudStack > v4.15 uses Strongswan/l2tp or
> > strongswan/ikev2 ?
> >
> > Because l2tp became complicated to configure on native vpn clients on some
> > OSes, kind of deprecated remote management VPN, compared to IKEv2.
> > I'm a bit concerned about OpenVPN for the clients, what if binaries become
> > subscription based availability or become proprietary ?
> >
> > For sure we need the option to select what type of VPN solution to offer
> > when deploying a cloud.
> >
> > From my perspective I cannot use/offer OpenVPN as a solution to my
> > customers because it involves forcing them to download third party software
> > on their workstations and I don't want to be responsible for
> > a security breach on their workstation because of a requirement for 3rd
> > party software that we don't control.
> >
> >
> >
> > On Fri, Jun 11, 2021 at 10:14 AM Rohit Yadav 
> > wrote:
> >
> >> Thanks all for the feedback so far, looks like the majority of people on
> >> the thread would prefer OpenVPN but for s2s they may continue to prefer
> >> strongswan/ipsec for site-to-site VPC feature. If we're unable to reach
> >> consensus then a general-purpose provider-framework may be more flexible to
> >> the end-user or admin (to select which VPN provider they want for their
> >> network, we heard in this thread - openvpn, strongswan/l2tp, wireguard, and
> >> maybe other providers in future).
> >>
> >> Btw, ikev2 is supported now with strongswan with this -
> >> https://github.com/apache/cloudstack/pull/4953
> >>
> >> My personal opinion: As user of most of these VPN providers, I personally
> >> like OpenVPN which I found to be easier to use both on desktop/laptop and
> >> on phone. With openvpn as the default I imagine in CloudStack I could
> >> enable VPN for a network and CloudStack gives me an option to download a
> >> .ovpn file which I can import in my openvpn client (desktop, phone, cli...)
> >> click connect to connect to the VPN. For certificate generation/storage,
> >> the CA framework could be used so the openvpn server certs are the same
> >> across network restarts (with cleanup). I think a process like this could
> >> be simpler than what we've right now, and the ovpn download+import workflow
> >> would be easier than what we'll get from either strongswan/current or
> >> wireguard. While I like the simplicity of wireguard, which is more like SSH
> >> setup I wouldn't mind doing setup on individual VMs (much like setting up
> >> ssh key) or use something like TailScale.
> >>
> >>
> >> Re

Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

2021-06-11 Thread Pierre-Luc Dion
btw, I like the idea of CloudStack offering OpenVPN as a solution !

On Fri, Jun 11, 2021 at 10:40 AM Pierre-Luc Dion 
wrote:

> Just to be sure, what CloudStack > v4.15 uses Strongswan/l2tp or
> strongswan/ikev2 ?
>
> Because l2tp became complicated to configure on native vpn clients on some
> OSes, kind of deprecated remote management VPN, compared to IKEv2.
> I'm a bit concerned about OpenVPN for the clients, what if binaries become
> subscription based availability or become proprietary ?
>
> For sure we need the option to select what type of VPN solution to offer
> when deploying a cloud.
>
> From my perspective I cannot use/offer OpenVPN as a solution to my
> customers because it involves forcing them to download third party software
> on their workstations and I don't want to be responsible for
> a security breach on their workstation because of a requirement for 3rd
> party software that we don't control.
>
>
>
> On Fri, Jun 11, 2021 at 10:14 AM Rohit Yadav 
> wrote:
>
>> Thanks all for the feedback so far, looks like the majority of people on
>> the thread would prefer OpenVPN but for s2s they may continue to prefer
>> strongswan/ipsec for site-to-site VPC feature. If we're unable to reach
>> consensus then a general-purpose provider-framework may be more flexible to
>> the end-user or admin (to select which VPN provider they want for their
>> network, we heard in this thread - openvpn, strongswan/l2tp, wireguard, and
>> maybe other providers in future).
>>
>> Btw, ikev2 is supported now with strongswan with this -
>> https://github.com/apache/cloudstack/pull/4953
>>
>> My personal opinion: As user of most of these VPN providers, I personally
>> like OpenVPN which I found to be easier to use both on desktop/laptop and
>> on phone. With openvpn as the default I imagine in CloudStack I could
>> enable VPN for a network and CloudStack gives me an option to download a
>> .ovpn file which I can import in my openvpn client (desktop, phone, cli...)
>> click connect to connect to the VPN. For certificate generation/storage,
>> the CA framework could be used so the openvpn server certs are the same
>> across network restarts (with cleanup). I think a process like this could
>> be simpler than what we've right now, and the ovpn download+import workflow
>> would be easier than what we'll get from either strongswan/current or
>> wireguard. While I like the simplicity of wireguard, which is more like SSH
>> setup I wouldn't mind doing setup on individual VMs (much like setting up
>> ssh key) or use something like TailScale.
>>
>>
>> Regards.
>>
>> 
>> From: Gabriel Bräscher 
>> Sent: Friday, June 11, 2021 19:28
>> To: dev 
>> Cc: users 
>> Subject: Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider
>>
>> I understand that OpenVPN is a great option and far adopted.
>> I am  ++1 in allowing Users/Admins to choose which VPN provider suits them
>> best; creating an offering (or global settings) that would allow setting
>> which VPN provider will be used would be awesome.
>>
>> I understand that OpenVPN is a great option and far adopted; however, I
>> would be -1 if this would impact on removing support for Strongswan --
>> which from what I understood is not the proposal, but saying anyway to be
>> sure.
>>
>> Thanks for raising this proposal/discussion, Rohit.
>>
>> Cheers,
>> Gabriel.
>>
>>
>> On Fri, Jun 11, 2021 at 08:46, Pierre-Luc Dion <
>> pdion...@apache.org>
>> wrote:
>>
>> > Hello,
>> >
>> > Daan, I agree we should provide capability to select the vpn solution to
>> > use, the question would be, should it be a global setting generic for the
>> > whole region or per VPC?
>> > I think it should be a global setting to reduce the requirement complexity
>> > of a region, but per VPC or customer(account or domain) would be ideal.
>> >
>> > Hean, the current implementation from PR:2850
>> > <https://github.com/apache/cloudstack/pull/2850> that use strongswan does
>> > support multiple users behind the same public IPs, but I don't recall for
>> > Windows generic clients.
>> > With OpenVPN, can you be connected to multiple VPN tunnels at the same time
>> > ? We had the challenge a few times where we needed to be connected to 2
>> > VPCs at the same time.
>> >
>> > I think adding support to OpenVPN is a good idea, the more options
>> > ava

Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

2021-06-11 Thread Pierre-Luc Dion
Just to be sure, what CloudStack > v4.15 uses Strongswan/l2tp or
strongswan/ikev2 ?

Because l2tp became complicated to configure on native vpn clients on some
OSes, kind of deprecated remote management VPN, compared to IKEv2.
I'm a bit concerned about OpenVPN for the clients, what if binaries become
subscription based availability or become proprietary ?

For sure we need the option to select what type of VPN solution to offer
when deploying a cloud.

From my perspective I cannot use/offer OpenVPN as a solution to my
customers because it involves forcing them to download third party software
on their workstations and I don't want to be responsible for
a security breach on their workstation because of a requirement for 3rd
party software that we don't control.



On Fri, Jun 11, 2021 at 10:14 AM Rohit Yadav 
wrote:

> Thanks all for the feedback so far, looks like the majority of people on
> the thread would prefer OpenVPN but for s2s they may continue to prefer
> strongswan/ipsec for site-to-site VPC feature. If we're unable to reach
> consensus then a general-purpose provider-framework may be more flexible to
> the end-user or admin (to select which VPN provider they want for their
> network, we heard in this thread - openvpn, strongswan/l2tp, wireguard, and
> maybe other providers in future).
>
> Btw, ikev2 is supported now with strongswan with this -
> https://github.com/apache/cloudstack/pull/4953
>
> My personal opinion: As user of most of these VPN providers, I personally
> like OpenVPN which I found to be easier to use both on desktop/laptop and
> on phone. With openvpn as the default I imagine in CloudStack I could
> enable VPN for a network and CloudStack gives me an option to download a
> .ovpn file which I can import in my openvpn client (desktop, phone, cli...)
> click connect to connect to the VPN. For certificate generation/storage,
> the CA framework could be used so the openvpn server certs are the same
> across network restarts (with cleanup). I think a process like this could
> be simpler than what we've right now, and the ovpn download+import workflow
> would be easier than what we'll get from either strongswan/current or
> wireguard. While I like the simplicity of wireguard, which is more like SSH
> setup I wouldn't mind doing setup on individual VMs (much like setting up
> ssh key) or use something like TailScale.
>
>
> Regards.
>
> 
> From: Gabriel Bräscher 
> Sent: Friday, June 11, 2021 19:28
> To: dev 
> Cc: users 
> Subject: Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider
>
> I understand that OpenVPN is a great option and far adopted.
> I am  ++1 in allowing Users/Admins to choose which VPN provider suits them
> best; creating an offering (or global settings) that would allow setting
> which VPN provider will be used would be awesome.
>
> I understand that OpenVPN is a great option and far adopted; however, I
> would be -1 if this would impact on removing support for Strongswan --
> which from what I understood is not the proposal, but saying anyway to be
> sure.
>
> Thanks for raising this proposal/discussion, Rohit.
>
> Cheers,
> Gabriel.
>
>
> On Fri, Jun 11, 2021 at 08:46, Pierre-Luc Dion
> wrote:
>
> > Hello,
> >
> > Daan, I agree we should provide capability to select the vpn solution to
> > use, the question would be, should it be a global setting generic for the
> > whole region or per VPC?
> > I think it should be a global setting to reduce the requirement complexity
> > of a region, but per VPC or customer(account or domain) would be ideal.
> >
> > Hean, the current implementation from PR:2850
> > <https://github.com/apache/cloudstack/pull/2850> that use strongswan does
> > support multiple users behind the same public IPs, but I don't recall for
> > Windows generic clients.
> > With OpenVPN, can you be connected to multiple VPN tunnels at the same time
> > ? We had the challenge a few times where we needed to be connected to 2
> > VPCs at the same time.
> >
> > I think adding support to OpenVPN is a good idea, the more options
> > available the better Cloudstack will be.
> >
> > I don't know if 4.15 still uses L2TP from strongswan but we've moved away
> > from it a while ago because it was not reliable, connection kept
> > dropping, support only one windows client at a time, issue configuring
> > clients, no helpful connection logs..
> >
> > An interesting improvement is made to remote access VPN, would be to
> > optionally use dns resolution of the VR from VPN clients so a user
> > connected to the VPN could use hostname to access VMs. I think iptabl

Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

2021-06-11 Thread Rohit Yadav
Thanks all for the feedback so far, looks like the majority of people on the 
thread would prefer OpenVPN but for s2s they may continue to prefer 
strongswan/ipsec for site-to-site VPC feature. If we're unable to reach 
consensus then a general-purpose provider-framework may be more flexible to the 
end-user or admin (to select which VPN provider they want for their network, we 
heard in this thread - openvpn, strongswan/l2tp, wireguard, and maybe other 
providers in future).

Btw, ikev2 is supported now with strongswan with this - 
https://github.com/apache/cloudstack/pull/4953

My personal opinion: As user of most of these VPN providers, I personally like 
OpenVPN which I found to be easier to use both on desktop/laptop and on phone. 
With openvpn as the default I imagine in CloudStack I could enable VPN for a 
network and CloudStack gives me an option to download a .ovpn file which I can 
import in my openvpn client (desktop, phone, cli...) click connect to connect 
to the VPN. For certificate generation/storage, the CA framework could be used 
so the openvpn server certs are the same across network restarts (with 
cleanup). I think a process like this could be simpler than what we've right 
now, and the ovpn download+import workflow would be easier than what we'll get 
from either strongswan/current or wireguard. While I like the simplicity of 
wireguard, which is more like SSH setup I wouldn't mind doing setup on 
individual VMs (much like setting up ssh key) or use something like TailScale.


Regards.


From: Gabriel Bräscher 
Sent: Friday, June 11, 2021 19:28
To: dev 
Cc: users 
Subject: Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

I understand that OpenVPN is a great option and far adopted.
I am  ++1 in allowing Users/Admins to choose which VPN provider suits them
best; creating an offering (or global settings) that would allow setting
which VPN provider will be used would be awesome.

I understand that OpenVPN is a great option and far adopted; however, I
would be -1 if this would impact on removing support for Strongswan --
which from what I understood is not the proposal, but saying anyway to be
sure.

Thanks for raising this proposal/discussion, Rohit.

Cheers,
Gabriel.


On Fri, Jun 11, 2021 at 08:46, Pierre-Luc Dion
wrote:

> Hello,
>
> Daan, I agree we should provide capability to select the vpn solution to
> use, the question would be,  should it be a global setting generic for the
> whole region or per VPC?
> I think it should be a global setting to reduce the requirement complexity
> of a region, but per VPC or customer(account or domain) would be ideal.
>
> Hean, the current implementation from PR:2850
> <https://github.com/apache/cloudstack/pull/2850> that use strongswan does
> support multiple users behind the same public IPs, but I don't recall for
> Windows generic clients.
> With OpenVPN, can you be connected to multiple VPN tunnels at the same time
> ? We had the challenge a few times where we needed to be connected to 2
> VPCs at the same time.
>
> I think adding support to OpenVPN is a good idea, the more options
> available the better Cloudstack will be.
>
> I don't know if 4.15 still uses L2TP from strongswan but we've moved away
> from it a while ago because it was not reliable, connection kept
> dropping, support only one windows client at a time, issue configuring
> clients, no helpful connection logs..
>
> An interesting improvement is made to remote access VPN, would be to
> optionally use dns resolution of the VR from VPN clients so a user
> connected to the VPN could use hostname to access VMs. I think iptable
> currently blocks dns query from the vpn.
>
> Cheers,
>
> On Fri, Jun 11, 2021 at 5:58 AM Hean Seng  wrote:
>
> > If thinking of only Site-to-Site VPN , then OpenVPN and WireGuard is  no
> > much different , or even current one is good.  Only only time setup at
> > router.  However if considering of Mobile Client, OpenVPN is more
> > complicated.
> >
> > The only concern now is multiple people in the same public IP need to
> > access the VPN.  And this consideration will be OpenVPN or Wireguard to
> > handle this requirement.   And for this purpose of multiple people in same
> > public ip need to access to VPN, then  we will have  think of usability and
> > easy installation of VPN client.
> >
> > We are using OpenVPN for more than 5 years, but always  there is new PC
> > need to configure VPN Client, windows , android, ios, it is painful ( we
> > are not using access server) .
> >
> > Currently we test on WireGuard, just forgot about performance or
> > whatsoever, just the conveniences of implementation,  that is very great
> > and easy for client installation ,  eve

Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

2021-06-11 Thread Gabriel Bräscher
I understand that OpenVPN is a great option and far adopted.
I am  ++1 in allowing Users/Admins to choose which VPN provider suits them
best; creating an offering (or global settings) that would allow setting
which VPN provider will be used would be awesome.

I understand that OpenVPN is a great option and far adopted; however, I
would be -1 if this would impact on removing support for Strongswan --
which from what I understood is not the proposal, but saying anyway to be
sure.

Thanks for raising this proposal/discussion, Rohit.

Cheers,
Gabriel.


On Fri, Jun 11, 2021 at 08:46, Pierre-Luc Dion
wrote:

> Hello,
>
> Daan, I agree we should provide capability to select the vpn solution to
> use, the question would be,  should it be a global setting generic for the
> whole region or per VPC?
> I think it should be a global setting to reduce the requirement complexity
> of a region, but per VPC or customer(account or domain) would be ideal.
>
> Hean, the current implementation from PR:2850
> <https://github.com/apache/cloudstack/pull/2850> that use strongswan does
> support multiple users behind the same public IPs, but I don't recall for
> Windows generic clients.
> With OpenVPN, can you be connected to multiple VPN tunnels at the same time
> ? We had the challenge a few times where we needed to be connected to 2
> VPCs at the same time.
>
> I think adding support to OpenVPN is a good idea, the more options
> available the better Cloudstack will be.
>
> I don't know if 4.15 still uses L2TP from strongswan but we've moved away
> from it a while ago because it was not reliable, connection kept
> dropping, support only one windows client at a time, issue configuring
> clients, no helpful connection logs..
>
> An interesting improvement is made to remote access VPN, would be to
> optionally use dns resolution of the VR from VPN clients so a user
> connected to the VPN could use hostname to access VMs. I think iptable
> currently blocks dns query from the vpn.
>
> Cheers,
>
> On Fri, Jun 11, 2021 at 5:58 AM Hean Seng  wrote:
>
> > If thinking of only Site-to-Site VPN , then OpenVPN and WireGuard is  no
> > much different , or even current one is good.  Only only time setup at
> > router.  However if considering of Mobile Client, OpenVPN is more
> > complicated.
> >
> > The only concern now is multiple people in the same public IP need to
> > access the VPN.  And this consideration will be OpenVPN or Wireguard to
> > handle this requirement.   And for this purpose of multiple people in same
> > public ip need to access to VPN, then  we will have  think of usability and
> > easy installation of VPN client.
> >
> > We are using OpenVPN for more than 5 years, but always  there is new PC
> > need to configure VPN Client, windows , android, ios, it is painful ( we
> > are not using access server) .
> >
> > Currently we test on WireGuard, just forgot about performance or
> > whatsoever, just the conveniences of implementation,  that is very great
> > and easy for client installation ,  even mobile client on phone or
> tablet.
> >
> >
> >
> >
> > On Fri, Jun 11, 2021 at 5:04 PM Daan Hoogland 
> > wrote:
> >
> > > This is a potential religious debate, I think it makes the most sense to
> > > try and make the provider optional and let the operator or even the
> > > end-user decide. I see how this is an extra challenge, but does it make
> > > sense?
> > >
> > > On Thu, Jun 10, 2021 at 10:24 AM Rohit Yadav <rohit.ya...@shapeblue.com>
> > > wrote:
> > >
> > > > All,
> > > >
> > > > We've historically supported openswan and nowadays strongswan as the VPN
> > > > provider in VR for both site-to-site and remote access modes. After
> > > > discussing the situation with a few users and colleagues I learnt that
> > > > OpenVPN is generally far easier to use, have clients for most OS and
> > > > platforms (desktop, laptop, tablet, phones...)  and allows multiple clients
> > > > in the same public IP (for example, multiple people in the office sharing a
> > > > client-side public IP/nat while trying to connect to a VPC or an isolated
> > > > network) and for these reasons many users actually deploy pfSense or setup
> > > > a OpenVPN server in their isolated network or VPC and use that instead.
> > > >
> > > > Therefore for the point-to-point VPN use-case of remote access [1] does it
> > > > make sense to switch

Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

2021-06-11 Thread Pierre-Luc Dion
Hello,

Daan, I agree we should provide capability to select the vpn solution to
use, the question would be,  should it be a global setting generic for the
whole region or per VPC?
I think it should be a global setting to reduce the requirement complexity
of a region, but per VPC or customer(account or domain) would be ideal.

Hean, the current implementation from PR:2850
<https://github.com/apache/cloudstack/pull/2850> that use strongswan does
support multiple users behind the same public IPs, but I don't recall for
Windows generic clients.
With OpenVPN, can you be connected to multiple VPN tunnels at the same time
? We had the challenge a few times where we needed to be connected to 2
VPCs at the same time.

I think adding support to OpenVPN is a good idea, the more options
available the better Cloudstack will be.

I don't know if 4.15 still uses L2TP from strongswan but we've moved away
from it a while ago because it was not reliable, connection kept
dropping, support only one windows client at a time, issue configuring
clients, no helpful connection logs..

An interesting improvement is made to remote access VPN, would be to
optionally use dns resolution of the VR from VPN clients so a user
connected to the VPN could use hostname to access VMs. I think iptable
currently blocks dns query from the vpn.

Cheers,

On Fri, Jun 11, 2021 at 5:58 AM Hean Seng  wrote:

> If thinking of only Site-to-Site VPN, then OpenVPN and WireGuard is no
> much different, or even current one is good. Only one time setup at
> router. However if considering of Mobile Client, OpenVPN is more
> complicated.
>
> The only concern now is multiple people in the same public IP need to
> access the VPN. And this consideration will be OpenVPN or Wireguard to
> handle this requirement. And for this purpose of multiple people in same
> public ip need to access to VPN, then we will have to think of usability and
> easy installation of VPN client.
>
> We are using OpenVPN for more than 5 years, but always there is new PC
> need to configure VPN Client, windows, android, ios, it is painful (we
> are not using access server).
>
> Currently we test on WireGuard, just forgot about performance or
> whatsoever, just the conveniences of implementation, that is very great
> and easy for client installation, even mobile client on phone or tablet.
>
>
>
>
> On Fri, Jun 11, 2021 at 5:04 PM Daan Hoogland 
> wrote:
>
> > This is a potential religious debate, I think it makes the most sense to
> > try and make the provider optional and let the operator or even the
> > end-user decide. I see how this is an extra challenge, but does it make
> > sense?
> >
> > On Thu, Jun 10, 2021 at 10:24 AM Rohit Yadav 
> > wrote:
> >
> > > All,
> > >
> > > We've historically supported openswan and nowadays strongswan as the VPN
> > > provider in VR for both site-to-site and remote access modes. After
> > > discussing the situation with a few users and colleagues I learnt that
> > > OpenVPN is generally far easier to use, have clients for most OS and
> > > platforms (desktop, laptop, tablet, phones...)  and allows multiple clients
> > > in the same public IP (for example, multiple people in the office sharing a
> > > client-side public IP/nat while trying to connect to a VPC or an isolated
> > > network) and for these reasons many users actually deploy pfSense or setup
> > > a OpenVPN server in their isolated network or VPC and use that instead.
> > >
> > > Therefore for the point-to-point VPN use-case of remote access [1] does it
> > > make sense to switch to OpenVPN? Or, are there users using
> > > strongswan/ipsec/l2tpd for remote access VPN?
> > >
> > > A general-purpose VPN-framework/provider where an account or admin (via
> > > offering) can specify which VPN provider they want in the network
> > > (strongswan/ipsec, OpenVPN, Wireguard...). However, it may be more complex
> > > to implement and maintain. Any other thoughts in general about VPN
> > > implementation and support in CloudStack? Thanks.
> > >
> > > [1]
> > > http://docs.cloudstack.apache.org/en/latest/adminguide/networking_and_traffic.html#remote-access-vpn
> > >
> > >
> > >
> > > Regards.
> > >
> > >
> > >
> > >
> >
> > --
> > Daan
> >
>
>
> --
> Regards,
> Hean Seng
>


Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

2021-06-11 Thread Hean Seng
If thinking of only Site-to-Site VPN, then OpenVPN and WireGuard is no
much different, or even current one is good. Only one time setup at
router. However if considering of Mobile Client, OpenVPN is more
complicated.

The only concern now is multiple people in the same public IP need to
access the VPN. And this consideration will be OpenVPN or Wireguard to
handle this requirement. And for this purpose of multiple people in same
public ip need to access to VPN, then we will have to think of usability and
easy installation of VPN client.

We are using OpenVPN for more than 5 years, but always there is new PC
need to configure VPN Client, windows, android, ios, it is painful (we
are not using access server).

Currently we test on WireGuard, just forgot about performance or
whatsoever, just the conveniences of implementation, that is very great
and easy for client installation, even mobile client on phone or tablet.




On Fri, Jun 11, 2021 at 5:04 PM Daan Hoogland 
wrote:

> This is a potential religious debate, I think it makes the most sense to
> try and make the provider optional and let the operator or even the
> end-user decide. I see how this is an extra challenge, but does it make
> sense?
>
> On Thu, Jun 10, 2021 at 10:24 AM Rohit Yadav 
> wrote:
>
> > All,
> >
> > We've historically supported openswan and nowadays strongswan as the VPN
> > provider in VR for both site-to-site and remote access modes. After
> > discussing the situation with a few users and colleagues I learnt that
> > OpenVPN is generally far easier to use, have clients for most OS and
> > platforms (desktop, laptop, tablet, phones...)  and allows multiple clients
> > in the same public IP (for example, multiple people in the office sharing a
> > client-side public IP/nat while trying to connect to a VPC or an isolated
> > network) and for these reasons many users actually deploy pfSense or setup
> > a OpenVPN server in their isolated network or VPC and use that instead.
> >
> > Therefore for the point-to-point VPN use-case of remote access [1] does it
> > make sense to switch to OpenVPN? Or, are there users using
> > strongswan/ipsec/l2tpd for remote access VPN?
> >
> > A general-purpose VPN-framework/provider where an account or admin (via
> > offering) can specify which VPN provider they want in the network
> > (strongswan/ipsec, OpenVPN, Wireguard...). However, it may be more complex
> > to implement and maintain. Any other thoughts in general about VPN
> > implementation and support in CloudStack? Thanks.
> >
> > [1]
> > http://docs.cloudstack.apache.org/en/latest/adminguide/networking_and_traffic.html#remote-access-vpn
> >
> >
> >
> > Regards.
> >
> >
> >
> >
>
> --
> Daan
>


-- 
Regards,
Hean Seng


Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

2021-06-11 Thread Daan Hoogland
This is a potential religious debate, I think it makes the most sense to
try and make the provider optional and let the operator or even the
end-user decide. I see how this is an extra challenge, but does it make
sense?

On Thu, Jun 10, 2021 at 10:24 AM Rohit Yadav 
wrote:

> All,
>
> We've historically supported openswan and nowadays strongswan as the VPN
> provider in VR for both site-to-site and remote access modes. After
> discussing the situation with a few users and colleagues I learnt that
> OpenVPN is generally far easier to use, have clients for most OS and
> platforms (desktop, laptop, tablet, phones...)  and allows multiple clients
> in the same public IP (for example, multiple people in the office sharing a
> client-side public IP/nat while trying to connect to a VPC or an isolated
> network) and for these reasons many users actually deploy pfSense or setup
> a OpenVPN server in their isolated network or VPC and use that instead.
>
> Therefore for the point-to-point VPN use-case of remote access [1] does it
> make sense to switch to OpenVPN? Or, are there users using
> strongswan/ipsec/l2tpd for remote access VPN?
>
> A general-purpose VPN-framework/provider where an account or admin (via
> offering) can specify which VPN provider they want in the network
> (strongswan/ipsec, OpenVPN, Wireguard...). However, it may be more complex
> to implement and maintain. Any other thoughts in general about VPN
> implementation and support in CloudStack? Thanks.
>
> [1]
> http://docs.cloudstack.apache.org/en/latest/adminguide/networking_and_traffic.html#remote-access-vpn
>
>
>
> Regards.
>
>
>
>

-- 
Daan


Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

2021-06-10 Thread Hean Seng
If would to change / add VPN protocol, I would suggest WireGuard.
OpenVPN is great, but key-based installation is much more difficult /
painful to configure Windows Base Client / Mobile Client (Android, iOS).
OpenVPN easier deployment is on Access Server, which is paid services
(correct me if I am wrong).





On Thu, Jun 10, 2021 at 9:31 PM Stênio Firmino 
wrote:

> OpenVPN support will be great. S2S
> --
> Stênio Firmino Filho
> Chefe de Seção Técnica - SCINT - CETiSP
> Superintendência de Tecnologia da Informação
> Universidade de São Paulo
> Av. Prof. Luciano Gualberto, travessa 3, 71
> CEP 05.508-010 - São Paulo/SP
>
>
> On Thu, Jun 10, 2021 at 8:46 AM Andrija Panic 
> wrote:
>
> > +1
> >
> > as it's, these days, a de facto standard for every VPN device/provider -
> > and there is great support with OpenVPN clients for all client Operating
> > Systems.
> >
> > On Thu, 10 Jun 2021 at 11:24, Alex Mattioli
> > wrote:
> >
> > > +1 on OpenVPN, and then a framework later on.
> > >
> > >
> > >
> > >
> > > -Original Message-
> > > From: Rohit Yadav 
> > > Sent: 10 June 2021 10:25
> > > To: d...@cloudstack.apache.org; users@cloudstack.apache.org
> > > Subject: [DISCUSS] Moving to OpenVPN as the remote access VPN provider
> > >
> > > All,
> > >
> > > We've historically supported openswan and nowadays strongswan as the VPN
> > > provider in VR for both site-to-site and remote access modes. After
> > > discussing the situation with a few users and colleagues I learnt that
> > > OpenVPN is generally far easier to use, have clients for most OS and
> > > platforms (desktop, laptop, tablet, phones...)  and allows multiple clients
> > > in the same public IP (for example, multiple people in the office sharing a
> > > client-side public IP/nat while trying to connect to a VPC or an isolated
> > > network) and for these reasons many users actually deploy pfSense or setup
> > > a OpenVPN server in their isolated network or VPC and use that instead.
> > >
> > > Therefore for the point-to-point VPN use-case of remote access [1] does it
> > > make sense to switch to OpenVPN? Or, are there users using
> > > strongswan/ipsec/l2tpd for remote access VPN?
> > >
> > > A general-purpose VPN-framework/provider where an account or admin (via
> > > offering) can specify which VPN provider they want in the network
> > > (strongswan/ipsec, OpenVPN, Wireguard...). However, it may be more complex
> > > to implement and maintain. Any other thoughts in general about VPN
> > > implementation and support in CloudStack? Thanks.
> > >
> > > [1]
> > > http://docs.cloudstack.apache.org/en/latest/adminguide/networking_and_traffic.html#remote-access-vpn
> > >
> > >
> > >
> > > Regards.
> > >
> > >
> > >
> > >
> > >
> >
> > --
> >
> > Andrija Panić
> >
>


-- 
Regards,
Hean Seng


Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

2021-06-10 Thread Stênio Firmino
OpenVPN support will be great. S2S
--
Stênio Firmino Filho
Chefe de Seção Técnica - SCINT - CETiSP
Superintendência de Tecnologia da Informação
Universidade de São Paulo
Av. Prof. Luciano Gualberto, travessa 3, 71
CEP 05.508-010 - São Paulo/SP


On Thu, Jun 10, 2021 at 8:46 AM Andrija Panic 
wrote:

> +1
>
> as it's, these days, a de facto standard for every VPN device/provider -
> and there is great support with OpenVPN clients for all client Operating
> Systems.
>
> On Thu, 10 Jun 2021 at 11:24, Alex Mattioli 
> wrote:
>
> > +1 on OpenVPN, and then a framework later on.
> >
> >
> >
> >
> > -Original Message-
> > From: Rohit Yadav 
> > Sent: 10 June 2021 10:25
> > To: d...@cloudstack.apache.org; users@cloudstack.apache.org
> > Subject: [DISCUSS] Moving to OpenVPN as the remote access VPN provider
> >
> > All,
> >
> > We've historically supported openswan and nowadays strongswan as the VPN
> > provider in VR for both site-to-site and remote access modes. After
> > discussing the situation with a few users and colleagues I learnt that
> > OpenVPN is generally far easier to use, have clients for most OS and
> > platforms (desktop, laptop, tablet, phones...)  and allows multiple clients
> > in the same public IP (for example, multiple people in the office sharing a
> > client-side public IP/nat while trying to connect to a VPC or an isolated
> > network) and for these reasons many users actually deploy pfSense or setup
> > a OpenVPN server in their isolated network or VPC and use that instead.
> >
> > Therefore for the point-to-point VPN use-case of remote access [1] does it
> > make sense to switch to OpenVPN? Or, are there users using
> > strongswan/ipsec/l2tpd for remote access VPN?
> >
> > A general-purpose VPN-framework/provider where an account or admin (via
> > offering) can specify which VPN provider they want in the network
> > (strongswan/ipsec, OpenVPN, Wireguard...). However, it may be more complex
> > to implement and maintain. Any other thoughts in general about VPN
> > implementation and support in CloudStack? Thanks.
> >
> > [1]
> > http://docs.cloudstack.apache.org/en/latest/adminguide/networking_and_traffic.html#remote-access-vpn
> >
> >
> >
> > Regards.
> >
> >
> >
> >
> >
>
> --
>
> Andrija Panić
>


Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

2021-06-10 Thread Andrija Panic
+1

as it's, these days, a de facto standard for every VPN device/provider -
and there is great support with OpenVPN clients for all client Operating
Systems.

On Thu, 10 Jun 2021 at 11:24, Alex Mattioli 
wrote:

> +1 on OpenVPN, and then a framework later on.
>
>
>
>
> -Original Message-
> From: Rohit Yadav 
> Sent: 10 June 2021 10:25
> To: d...@cloudstack.apache.org; users@cloudstack.apache.org
> Subject: [DISCUSS] Moving to OpenVPN as the remote access VPN provider
>
> All,
>
> We've historically supported openswan and nowadays strongswan as the VPN
> provider in VR for both site-to-site and remote access modes. After
> discussing the situation with a few users and colleagues I learnt that
> OpenVPN is generally far easier to use, have clients for most OS and
> platforms (desktop, laptop, tablet, phones...)  and allows multiple clients
> in the same public IP (for example, multiple people in the office sharing a
> client-side public IP/nat while trying to connect to a VPC or an isolated
> network) and for these reasons many users actually deploy pfSense or setup
> a OpenVPN server in their isolated network or VPC and use that instead.
>
> Therefore for the point-to-point VPN use-case of remote access [1] does it
> make sense to switch to OpenVPN? Or, are there users using
> strongswan/ipsec/l2tpd for remote access VPN?
>
> A general-purpose VPN-framework/provider where an account or admin (via
> offering) can specify which VPN provider they want in the network
> (strongswan/ipsec, OpenVPN, Wireguard...). However, it may be more complex
> to implement and maintain. Any other thoughts in general about VPN
> implementation and support in CloudStack? Thanks.
>
> [1]
> http://docs.cloudstack.apache.org/en/latest/adminguide/networking_and_traffic.html#remote-access-vpn
>
>
>
> Regards.
>
>
>
>
>

-- 

Andrija Panić


RE: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

2021-06-10 Thread Alex Mattioli
+1 on OpenVPN, and then a framework later on.

 


-Original Message-
From: Rohit Yadav  
Sent: 10 June 2021 10:25
To: d...@cloudstack.apache.org; users@cloudstack.apache.org
Subject: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

All,

We've historically supported openswan and nowadays strongswan as the VPN 
provider in VR for both site-to-site and remote access modes. After discussing 
the situation with a few users and colleagues I learnt that OpenVPN is 
generally far easier to use, have clients for most OS and platforms (desktop, 
laptop, tablet, phones...)  and allows multiple clients in the same public IP 
(for example, multiple people in the office sharing a client-side public IP/nat 
while trying to connect to a VPC or an isolated network) and for these reasons 
many users actually deploy pfSense or setup a OpenVPN server in their isolated 
network or VPC and use that instead.

Therefore for the point-to-point VPN use-case of remote access [1] does it make 
sense to switch to OpenVPN? Or, are there users using strongswan/ipsec/l2tpd 
for remote access VPN?

A general-purpose VPN-framework/provider where an account or admin (via 
offering) can specify which VPN provider they want in the network 
(strongswan/ipsec, OpenVPN, Wireguard...). However, it may be more complex to 
implement and maintain. Any other thoughts in general about VPN implementation 
and support in CloudStack? Thanks.

[1] 
http://docs.cloudstack.apache.org/en/latest/adminguide/networking_and_traffic.html#remote-access-vpn



Regards.

 




Re: [DISCUSS] Moving to OpenVPN as the remote access VPN provider

2021-06-10 Thread Rudraksh MK
Hey!

I’m personally a strong proponent of Wireguard. A couple years back, 
implementing a S2S or remote-access VPN with WG was complicated and it still is 
- but there’s definitely more tooling available these days. There are clients 
for just about every major platform - desktop and mobile.

In the long term though, I think a general-purpose VPN provider like the one 
you outlined is far better - and I’d definitely like to take a stab at it, 
although I’ll admit my Java skills are basically..zero. But even so - a 
framework that allows users to select what platform they want - Strongswan vs 
OpenVPN vs Wireguard - would be awesome.


Best!

Rudraksh Mukta Kulshreshtha
Vice-President - DevOps & R
IndiQus Technologies
O +91 11 4055 1411 | M +91 99589 54879
indiqus.com

On 10 Jun 2021, 1:55 PM +0530, Rohit Yadav , wrote:
> All,
>
> We've historically supported openswan and nowadays strongswan as the VPN 
> provider in VR for both site-to-site and remote access modes. After 
> discussing the situation with a few users and colleagues I learnt that 
> OpenVPN is generally far easier to use, have clients for most OS and 
> platforms (desktop, laptop, tablet, phones...) and allows multiple clients in 
> the same public IP (for example, multiple people in the office sharing a 
> client-side public IP/nat while trying to connect to a VPC or an isolated 
> network) and for these reasons many users actually deploy pfSense or setup a 
> OpenVPN server in their isolated network or VPC and use that instead.
>
> Therefore for the point-to-point VPN use-case of remote access [1] does it 
> make sense to switch to OpenVPN? Or, are there users using 
> strongswan/ipsec/l2tpd for remote access VPN?
>
> A general-purpose VPN-framework/provider where an account or admin (via 
> offering) can specify which VPN provider they want in the network 
> (strongswan/ipsec, OpenVPN, Wireguard...). However, it may be more complex to 
> implement and maintain. Any other thoughts in general about VPN 
> implementation and support in CloudStack? Thanks.
>
> [1] 
> http://docs.cloudstack.apache.org/en/latest/adminguide/networking_and_traffic.html#remote-access-vpn
>
>
>
> Regards.
>
>
>


[DISCUSS] Moving to OpenVPN as the remote access VPN provider

2021-06-10 Thread Rohit Yadav
All,

We've historically supported openswan and nowadays strongswan as the VPN 
provider in VR for both site-to-site and remote access modes. After discussing 
the situation with a few users and colleagues I learnt that OpenVPN is 
generally far easier to use, have clients for most OS and platforms (desktop, 
laptop, tablet, phones...)  and allows multiple clients in the same public IP 
(for example, multiple people in the office sharing a client-side public IP/nat 
while trying to connect to a VPC or an isolated network) and for these reasons 
many users actually deploy pfSense or setup a OpenVPN server in their isolated 
network or VPC and use that instead.

Therefore for the point-to-point VPN use-case of remote access [1] does it make 
sense to switch to OpenVPN? Or, are there users using strongswan/ipsec/l2tpd 
for remote access VPN?

A general-purpose VPN-framework/provider where an account or admin (via 
offering) can specify which VPN provider they want in the network 
(strongswan/ipsec, OpenVPN, Wireguard...). However, it may be more complex to 
implement and maintain. Any other thoughts in general about VPN implementation 
and support in CloudStack? Thanks.

[1] 
http://docs.cloudstack.apache.org/en/latest/adminguide/networking_and_traffic.html#remote-access-vpn



Regards.

 



Re: Remote access VPN

2021-05-31 Thread Daan Hoogland
Brian,
The link you sent is private. Have you seen any exceptions in the logs?
either on the client or in the VR.

On Tue, May 25, 2021 at 2:17 PM Brian Fitzpatrick <
b.fitzpatr...@chester.ac.uk> wrote:

> Hi all,
>
> I am trying to setup Remote Access VPN on a DefaultIsolatedSourceNAT
> network
>
> I have created the VPN and a VPN user and pasted the shared key into a
> Windows client but I am getting an error stating
>
> the L2TP connection attempt failed because the security layer encountered
> a processing error
>
> I have looked through the documentation and have set
>
> Requires encryption
> MS-CHAP v2
> PPP -> Enable LCP extensions
>
> I haven't however changed the CloudStack parameter
>
> remote.access.vpn.client.iprange setting from its default, does this need
> to be altered to match guest isolated network CIDR's? Not sure how the
> virtual router sets up the VPN
>
> Or am I doing something else wrong?
>
> Thanks
>
> Brian
>
> <
> http://10.250.0.23:8080/client/#/networkoffering/30c3e49d-164f-459a-a365-aa6713a8a213
> >
>


-- 
Daan


Re: Remote Access VPN

2021-05-27 Thread Andrija Panic
the next issue you will hit (after VPN is connected) is:
- if you route all traffic over the remote gateway - your internet will
stop working, but you will be able to access all your VMs
- if you untick that option, then NO traffic is routed over the VPN - so
you need to manually add routes for the remote network/VPC CIDR to be
routed over your VPN gtw IP

Best,

On Wed, 26 May 2021 at 14:33, Brian Fitzpatrick 
wrote:

> Thanks Andrija,
>
> I will look through the setup again, I think the default iprange is on a
> separate network
>
> Thanks
>
> Brian
>
> -Original Message-
> From: Andrija Panic <andrija.pa...@gmail.com>
> Reply-To: users@cloudstack.apache.org
> To: users <us...@cloudstack.apache.org>
> Subject: Re: Remote Access VPN
> Date: Tue, 25 May 2021 23:30:46 +0200
>
> Another thing to keep in mind - if you work from office - usually there can
> be only 1 IPSEC with L2TP connection from your office to outside/same IP -
> i.e. you and your colleague can not connect at the same time to the same
> public IP (i.e. to the same Remote VPN).
>
> On Tue, 25 May 2021 at 23:29, Andrija Panic <andrija.pa...@gmail.com> wrote:
>
> > Hi Brian,
> >
> > remote.access.vpn.client.iprange  should be set to some subnet OUTSIDE
> > your local network (where your laptop/PC is connected to / home/office) and
> > the Isolated network - so it should be "3rd" network.
> >
> > For Windows, you there was a nice link somewhere...: here is one for
> > windows 8 - but same/identical is applicable for Windows 10:
> > https://theresnomon.co/connecting-to-cloudstack-vpn-from-windows-8-8807b41af700
> >
> > Hope that helps
> >
> > Best,
> >
> > On Tue, 25 May 2021 at 22:34, Brian Fitzpatrick <b.fitzpatr...@chester.ac.uk> wrote:
> >
> > > **Apologies not sure this was originally posted**
> > >
> > > Hi all,
> > >
> > > I am trying to setup Remote Access VPN on a DefaultIsolatedSourceNAT
> > > network
> > >
> > > I have created the VPN and a VPN user and pasted the shared key into a
> > > Windows client but I am getting an error stating
> > >
> > > the L2TP connection attempt failed because the security layer encountered
> > > a processing error
> > >
> > > I have looked through the documentation and have set
> > >
> > > Requires encryption
> > > MS-CHAP v2
> > > PPP -> Enable LCP extensions
> > >
> > > I haven't however changed the CloudStack parameter
> > >
> > > remote.access.vpn.client.iprange setting from its default, does this
> > > need to be altered to match guest isolated network CIDR's? Not sure how the
> > > virtual router sets up the VPN
> > >
> > > Or am I doing something else wrong?
> > >
> > > Thanks
> > >
> > > Brian
> >
> > --
> >
> > Andrija Panić
>
> --
>
> Andrija Panić
>


-- 

Andrija Panić
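
The address-plan advice in this thread (keep remote.access.vpn.client.iprange outside both the client's local network and the isolated network, and add routes by hand when the default-gateway option is unticked), as an added Python example that is not part of any post or of CloudStack itself. The "start-end" range format, all addresses and the function names are assumptions made for illustration.

```python
"""Address-plan check for a remote access VPN (added example, constructed values)."""
import ipaddress


def parse_client_range(value):
    """Parse a 'start-end' IPv4 range (assumed format of the iprange setting)."""
    start_text, sep, end_text = value.partition("-")
    if not sep:
        raise ValueError(f"expected 'start-end', got {value!r}")
    start = ipaddress.IPv4Address(start_text.strip())
    end = ipaddress.IPv4Address(end_text.strip())
    if end < start:
        raise ValueError(f"range end {end} is below range start {start}")
    return start, end


def range_overlaps(start, end, cidr):
    """True if any address in [start, end] falls inside the given network."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return start <= net.broadcast_address and net.network_address <= end


def check_address_plan(client_range, local_lan, guest_cidrs):
    """Return (kind, cidr) for every network the VPN client range collides with.

    An empty list means the client range is the separate "3rd" network the
    thread asks for: outside the local LAN and outside the guest network(s).
    """
    start, end = parse_client_range(client_range)
    conflicts = []
    if range_overlaps(start, end, local_lan):
        conflicts.append(("local-lan", local_lan))
    for cidr in guest_cidrs:
        if range_overlaps(start, end, cidr):
            conflicts.append(("guest-network", cidr))
    return conflicts


def split_tunnel_routes(guest_cidrs, vpn_gateway):
    """Routes a client must add itself when it does NOT send all traffic
    over the VPN: one (network, netmask, gateway) entry per guest CIDR."""
    gateway = str(ipaddress.IPv4Address(vpn_gateway))
    routes = []
    for cidr in guest_cidrs:
        net = ipaddress.IPv4Network(cidr, strict=False)
        routes.append((str(net.network_address), str(net.netmask), gateway))
    return routes


if __name__ == "__main__":
    # Constructed sample plan: office LAN, one isolated guest network,
    # and a VPN client range on a third subnet.
    lan = "192.168.1.0/24"
    guests = ["10.1.1.0/24"]
    for candidate in ("10.1.2.1-10.1.2.8", "10.1.1.200-10.1.1.210",
                      "192.168.1.240-192.168.1.250"):
        print(candidate, "->", check_address_plan(candidate, lan, guests) or "ok")
    # Gateway address is a placeholder for the VPN gateway IP seen by the client.
    for network, netmask, gateway in split_tunnel_routes(guests, "10.1.2.1"):
        print("route needed:", network, netmask, "via", gateway)
```
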


Re: Remote Access VPN

2021-05-26 Thread Brian Fitzpatrick
Thanks Andrija,

I will look through the setup again, I think the default iprange is on a 
separate network

Thanks

Brian

-Original Message-
From: Andrija Panic <andrija.pa...@gmail.com>
Reply-To: users@cloudstack.apache.org
To: users <us...@cloudstack.apache.org>
Subject: Re: Remote Access VPN
Date: Tue, 25 May 2021 23:30:46 +0200

Another thing to keep in mind - if you work from office - usually there can
be only 1 IPSEC with L2TP connection from your office to outside/same IP -
i.e. you and your colleague can not connect at the same time to the same
public IP (i.e. to the same Remote VPN).

On Tue, 25 May 2021 at 23:29, Andrija Panic <andrija.pa...@gmail.com> wrote:

> Hi Brian,
>
> remote.access.vpn.client.iprange  should be set to some subnet OUTSIDE
> your local network (where your laptop/PC is connected to / home/office) and
> the Isolated network - so it should be "3rd" network.
>
> For Windows, you there was a nice link somewhere...: here is one for
> windows 8 - but same/identical is applicable for Windows 10:
> https://theresnomon.co/connecting-to-cloudstack-vpn-from-windows-8-8807b41af700
>
> Hope that helps
>
> Best,
>
> On Tue, 25 May 2021 at 22:34, Brian Fitzpatrick <b.fitzpatr...@chester.ac.uk> wrote:
>
> > **Apologies not sure this was originally posted**
> >
> > Hi all,
> >
> > I am trying to setup Remote Access VPN on a DefaultIsolatedSourceNAT
> > network
> >
> > I have created the VPN and a VPN user and pasted the shared key into a
> > Windows client but I am getting an error stating
> >
> > the L2TP connection attempt failed because the security layer encountered
> > a processing error
> >
> > I have looked through the documentation and have set
> >
> > Requires encryption
> > MS-CHAP v2
> > PPP -> Enable LCP extensions
> >
> > I haven't however changed the CloudStack parameter
> >
> > remote.access.vpn.client.iprange setting from its default, does this
> > need to be altered to match guest isolated network CIDR's? Not sure how the
> > virtual router sets up the VPN
> >
> > Or am I doing something else wrong?
> >
> > Thanks
> >
> > Brian
>
> --
>
> Andrija Panić

--

Andrija Panić


Re: Remote Access VPN

2021-05-25 Thread Andrija Panic
Another thing to keep in mind - if you work from office - usually there can
be only 1 IPSEC with L2TP connection from your office to outside/same IP -
i.e. you and your colleague can not connect at the same time to the same
public IP (i.e. to the same Remote VPN).


On Tue, 25 May 2021 at 23:29, Andrija Panic wrote:

> Hi Brian,
>
> remote.access.vpn.client.iprange should be set to some subnet OUTSIDE
> your local network (where your laptop/PC is connected to / home/office) and
> the Isolated network - so it should be a "3rd" network.
>
> For Windows, there was a nice link somewhere...: here is one for
> Windows 8 - but same/identical is applicable for Windows 10:
> https://theresnomon.co/connecting-to-cloudstack-vpn-from-windows-8-8807b41af700
>
> Hope that helps
>
> Best,
>
> On Tue, 25 May 2021 at 22:34, Brian Fitzpatrick <
> b.fitzpatr...@chester.ac.uk> wrote:
>
>> **Apologies not sure this was originally posted**
>>
>> Hi all,
>>
>> I am trying to set up Remote Access VPN on a DefaultIsolatedSourceNAT
>> network
>>
>> I have created the VPN and a VPN user and pasted the shared key into a
>> Windows client but I am getting an error stating
>>
>> the L2TP connection attempt failed because the security layer encountered
>> a processing error
>>
>> I have looked through the documentation and have set
>>
>> Requires encryption
>> MS-CHAP v2
>> PPP -> Enable LCP extensions
>>
>> I haven't however changed the CloudStack parameter
>>
>> remote.access.vpn.client.iprange setting from its default, does this
>> need to be altered to match guest isolated network CIDRs? Not sure how the
>> virtual router sets up the VPN
>>
>> Or am I doing something else wrong?
>>
>> Thanks
>>
>> Brian
>>
>
>
> --
>
> Andrija Panić
>


-- 

Andrija Panić


Re: Remote Access VPN

2021-05-25 Thread Andrija Panic
Hi Brian,

remote.access.vpn.client.iprange should be set to some subnet OUTSIDE your
local network (where your laptop/PC is connected to / home/office) and the
Isolated network - so it should be a "3rd" network.

For Windows, there was a nice link somewhere...: here is one for
Windows 8 - but same/identical is applicable for Windows 10:
https://theresnomon.co/connecting-to-cloudstack-vpn-from-windows-8-8807b41af700

Hope that helps

Best,

On Tue, 25 May 2021 at 22:34, Brian Fitzpatrick wrote:

> **Apologies not sure this was originally posted**
>
> Hi all,
>
> I am trying to set up Remote Access VPN on a DefaultIsolatedSourceNAT
> network
>
> I have created the VPN and a VPN user and pasted the shared key into a
> Windows client but I am getting an error stating
>
> the L2TP connection attempt failed because the security layer encountered
> a processing error
>
> I have looked through the documentation and have set
>
> Requires encryption
> MS-CHAP v2
> PPP -> Enable LCP extensions
>
> I haven't however changed the CloudStack parameter
>
> remote.access.vpn.client.iprange setting from its default, does this need
> to be altered to match guest isolated network CIDRs? Not sure how the
> virtual router sets up the VPN
>
> Or am I doing something else wrong?
>
> Thanks
>
> Brian
>


-- 

Andrija Panić
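An added example, not part of the thread or of CloudStack's own code: a check that a candidate remote.access.vpn.client.iprange shares no addresses with the client's local network or the isolated guest network, as the reply above requires. The "first-last" value format is an assumption here, and every address below is constructed.

```python
import ipaddress


def parse_client_range(value):
    """Parse a 'first-last' IPv4 range (assumed format) into covering networks."""
    first, last = (ipaddress.IPv4Address(p.strip()) for p in value.split("-"))
    if first > last:
        raise ValueError(f"range start {first} is above range end {last}")
    # A range is rarely one CIDR block, so split it into the exact set of blocks.
    return list(ipaddress.summarize_address_range(first, last))


def find_overlaps(client_range, networks):
    """Return the names of the networks that share addresses with the range."""
    blocks = parse_client_range(client_range)
    hits = []
    for name, cidr in networks.items():
        net = ipaddress.IPv4Network(cidr, strict=False)
        if any(block.overlaps(net) for block in blocks):
            hits.append(name)
    return hits


# Constructed sample values: the two networks the VPN client range must avoid.
SAMPLE_NETWORKS = {
    "client LAN (home/office)": "192.168.1.0/24",
    "isolated guest network": "10.1.1.0/24",
}

if __name__ == "__main__":
    candidates = (
        "10.1.2.1-10.1.2.8",          # a separate "3rd" network
        "10.1.1.200-10.1.1.220",      # inside the guest network
        "192.168.1.50-192.168.1.60",  # inside the client's own LAN
    )
    for candidate in candidates:
        hits = find_overlaps(candidate, SAMPLE_NETWORKS)
        verdict = "OK" if not hits else "overlaps " + ", ".join(hits)
        print(f"{candidate}: {verdict}")
```
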


Remote Access VPN

2021-05-25 Thread Brian Fitzpatrick
**Apologies not sure this was originally posted**

Hi all,

I am trying to set up Remote Access VPN on a DefaultIsolatedSourceNAT network

I have created the VPN and a VPN user and pasted the shared key into a Windows 
client but I am getting an error stating

the L2TP connection attempt failed because the security layer encountered a 
processing error

I have looked through the documentation and have set

Requires encryption
MS-CHAP v2
PPP -> Enable LCP extensions

I haven't however changed the CloudStack parameter

remote.access.vpn.client.iprange setting from its default, does this need to 
be altered to match guest isolated network CIDRs? Not sure how the virtual 
router sets up the VPN

Or am I doing something else wrong?

Thanks

Brian


Remote access VPN

2021-05-25 Thread Brian Fitzpatrick
Hi all,

I am trying to set up Remote Access VPN on a DefaultIsolatedSourceNAT network

I have created the VPN and a VPN user and pasted the shared key into a Windows 
client but I am getting an error stating

the L2TP connection attempt failed because the security layer encountered a 
processing error

I have looked through the documentation and have set

Requires encryption
MS-CHAP v2
PPP -> Enable LCP extensions

I haven't however changed the CloudStack parameter

remote.access.vpn.client.iprange setting from its default, does this need to 
be altered to match guest isolated network CIDRs? Not sure how the virtual 
router sets up the VPN

Or am I doing something else wrong?

Thanks

Brian

<http://10.250.0.23:8080/client/#/networkoffering/30c3e49d-164f-459a-a365-aa6713a8a213>


Re: Where is Remote Access vpn settings.

2014-02-18 Thread Nux!

On 17.02.2014 20:35, Jason Villalta wrote:
> It is almost like my UI is behind even though I upgraded to 4.1.1 a few
> months ago so I would expect this UI to be there.

I do not know when the VPN feature was introduced, but you certainly
are behind, the current version is 4.2.1 and 4.3 is not very far.


--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro


RE: Where is Remote Access vpn settings.

2014-02-18 Thread Adrian Lewis
AFAIK, one of the features introduced in 4.3 is remote access VPNs for VPCs.
The VR in a VPC is slightly different to the VR for non-VPC usage so you may
need to upgrade to 4.3. Official release seems fairly imminent
(http://markmail.org/thread/3nnroif5fqr3c2q6) but could still be blocked if
a major bug is discovered.

-Original Message-
From: Nux! [mailto:n...@li.nux.ro]
Sent: 18 February 2014 08:41
To: users@cloudstack.apache.org
Subject: Re: Where is Remote Access vpn settings.

On 17.02.2014 20:35, Jason Villalta wrote:
> It is almost like my UI is behind even though I upgraded to 4.1.1 a
> few months ago so I would expect this UI to be there.

I do not know when the VPN feature was introduced, but you certainly are
behind, the current version is 4.2.1 and 4.3 is not very far.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro


Re: Where is Remote Access vpn settings.

2014-02-18 Thread Jason Villalta
OK thanks but here is the next problem with that I am getting a SQL script
error when trying to upgrade to 4.2.1. The problem is with the
schema410to420.SQL script. Have you seen issues with that before?  I will
get the exact table later.
On Feb 18, 2014 3:41 AM, Nux! n...@li.nux.ro wrote:

> On 17.02.2014 20:35, Jason Villalta wrote:
>
>> It is almost like my UI is behind even though I upgraded to 4.1.1 a few
>> months ago so I would expect this UI to be there.
>
> I do not know when the VPN feature was introduced, but you certainly are
> behind, the current version is 4.2.1 and 4.3 is not very far.
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro



Where is Remote Access vpn settings.

2014-02-17 Thread Jason Villalta
Hello,
I am trying to set up remote access vpn in cloudstack for users to vpn into
their VPC but I do not see the option to enable remote access vpn.  Where
is it located?  Site-to-Site vpn is currently working fine.

http://cloudstack.apache.org/docs/en-US/Apache_CloudStack/4.0.2/html/Installation_Guide/vpn.html

-- 
*Jason Villalta*
Co-founder
800.799.4407x1230 | www.RubixTechnology.com <http://www.rubixtechnology.com/>


Re: Where is Remote Access vpn settings.

2014-02-17 Thread Nux!

On 17.02.2014 19:00, Jason Villalta wrote:

> Hello,
> I am trying to set up remote access vpn in cloudstack for users to vpn into
> their VPC but I do not see the option to enable remote access vpn.  Where
> is it located?  Site-to-Site vpn is currently working fine.
>
> http://cloudstack.apache.org/docs/en-US/Apache_CloudStack/4.0.2/html/Installation_Guide/vpn.html
>
> --

Have you tried e.g.
https://support.getcloudservices.com/entries/22002407-CloudStack-Configure-VPN-and-VPN-Users ?

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro


Re: Where is Remote Access vpn settings.

2014-02-17 Thread Jason Villalta
Yes I have gone there both through the VPC interface and the guest network.
Under Guest Network however it does not list the source NAT ip under view
addresses.

I am running Cloudstack 4.1.1. I am also missing the interface to add
static routes because my Plan B was to set up a Vyatta instance with l2tp
installed.  That went ok and I can connect but I cannot route to the l2tp
private vpn client addresses.

Thanks for your help.


On Mon, Feb 17, 2014 at 2:17 PM, Nux! n...@li.nux.ro wrote:

> On 17.02.2014 19:00, Jason Villalta wrote:
>
>> Hello,
>> I am trying to set up remote access vpn in cloudstack for users to vpn into
>> their VPC but I do not see the option to enable remote access vpn.  Where
>> is it located?  Site-to-Site vpn is currently working fine.
>>
>> http://cloudstack.apache.org/docs/en-US/Apache_CloudStack/4.0.2/html/Installation_Guide/vpn.html
>>
>> --
>
> Have you tried e.g.
> https://support.getcloudservices.com/entries/22002407-CloudStack-Configure-VPN-and-VPN-Users ?
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro




-- 
*Jason Villalta*
Co-founder
800.799.4407x1230 | www.RubixTechnology.com <http://www.rubixtechnology.com/>