Applies to Product: USM Appliance™, LevelBlue OSSIM®
If the VPN server cannot reach the VPN client, which is often the case in an MSSP (Managed Security Service Provider) environment, the following error occurs when you try to configure the client from the VPN server:
Building the VPN node configuration...
Restarting OpenVPN server...
Retrieving the local vpn server ip...
Trying to deploy the VPN configuration on the remote AlienVault appliance...
An error occurred while establishing the vpn tunnel:
Currently there is no connectivity with the remote AlienVault appliance. The steps to deploy the VPN client manually are the following:
* A new VPN configuration file has been created for the remote AlienVault appliance at: /etc/openvpn/nodes/[client_IP].tar.gz.
* Copy this configuration file to the remote AlienVault appliance
* Extract the configuration file: /bin/tar zxf [client_IP].tar.gz -C /tmp/
* Move the VPN client configuration file to the OpenVPN folder: cp -arf /tmp/etc/openvpn/nodes/* /etc/openvpn/; mv /etc/openvpn/[client_IP]/*.conf /etc/openvpn/
* Fire the configuration triggers: dpkg-trigger --no-await alienvault-network-vpn-net-client; dpkg --pending --configure
* Clean up: rm -rf /tmp/etc
* Finally, once the VPN connection has been established, please add the remote AlienVault appliance from the Configuration > Deployment menu option on the web UI
Press [Enter] to continue
In this case the VPN server only creates the configuration file locally, and you must configure the VPN client manually, as described below.
To configure the VPN client through the command line
Transfer the VPN configuration file to the VPN client manually:
1. On the VPN server, go to the LevelBlue Setup main menu, select Jailbreak System, and press Enter twice to confirm.
2. Go to /etc/openvpn/nodes/ and locate the <client_IP>.tar.gz file, where <client_IP> is the VPN client IP address you specified in step 4 when creating the VPN client.
3. Using scp, or a similarly secure copy method, transfer the <client_IP>.tar.gz file to the VPN client and place it in /etc/alienvault/network/.
4. Type exit to return to the LevelBlue Setup main menu.
Configure the tunnel on the VPN client:
5. SSH to the VPN client.
6. In the LevelBlue Setup menu, select System Preferences > Configure Network > Setup VPN > Configure VPN client from file, and press Enter (<OK>).
7. Select the entry with the correct IP address for the VPN client and press Enter (<OK>).
8. Confirm that the configuration file is the correct one (the file copied in step 3 of this procedure), then press Enter (<Yes>).
The system extracts the configuration file and builds the tunnel from it.
Additional Step When the VPN server and VPN client Reside in Different Networks
If the VPN client and VPN server are in different private networks and the client can only reach the server through the server's public IP address, you need to change the IP address in the client configuration file manually, because the server writes its own private address into the file.
Consider the following example, where the VPN server and VPN client have different private and public IP addresses:
| | VPN server | VPN client |
|---|---|---|
| Private IP | 192.168.0.1 | 172.16.20.56 |
| Public IP | 88.132.33.11 | 145.156.44.33 |
When configuring the VPN client on the server, enter the public IP address of the client, in this case 145.156.44.33. Extract the resulting /etc/openvpn/nodes/145.156.44.33.tar.gz file and locate the VPN client configuration file, 145.156.44.33.conf. Observe that the remote directive (line 4 below) contains the private IP address of the VPN server (192.168.0.1) instead of its public IP address:
client
dev tun
proto tcp
remote 192.168.0.1 33800
resolv-retry infinite
nobind
user nobody
group nogroup
verb 3
ca /etc/openvpn/145.156.44.33/ca.crt
cert /etc/openvpn/145.156.44.33/145.156.44.33.crt
key /etc/openvpn/145.156.44.33/145.156.44.33.key
script-security 2 system
up "/etc/init.d/fprobe stop || true"
comp-lzo
persist-key
persist-tun
With this setting the client tries to reach 192.168.0.1, which is not routable from its network, so the VPN tunnel is never established. Changing the address in the remote line to 88.132.33.11, the public IP address of the VPN server, resolves the issue. Make the change in 145.156.44.33.conf before it is deployed (repack the archive afterwards), or in the deployed copy under /etc/openvpn/ on the client followed by a restart of the OpenVPN client. Note that the file specifies proto tcp and port 33800, so the firewall or NAT device in front of 88.132.33.11 must forward TCP port 33800 to the VPN server's private address 192.168.0.1; otherwise the tunnel still fails after the edit.
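As an added example (not code from the LevelBlue page or from USM Appliance/OSSIM), the following POSIX shell script applies that fix to the archive instead of by hand: it extracts <client_IP>.tar.gz, rewrites the remote directive from the server's private to its public IP address, and repacks the archive so it can still be deployed with Configure VPN client from file or with the manual extract/copy steps from the error message. The archive layout it assumes (etc/openvpn/nodes/<client_IP>/<client_IP>.conf next to the certificate files) is inferred from those manual steps; the function names, the sample archive it builds and the optional nc reachability check are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the LevelBlue page or from USM Appliance/OSSIM.
# Rewrites the "remote" directive in a VPN node archive (<client_IP>.tar.gz) so
# the client connects to the VPN server's PUBLIC IP address, then repacks the
# archive. Assumed layout (inferred from the page's manual steps):
#   etc/openvpn/nodes/<client_IP>/<client_IP>.conf  + certificate files
# Function names and the sample archive are constructed for this example.

# fix_remote_ip ARCHIVE PRIVATE_IP PUBLIC_IP
# Replaces "remote PRIVATE_IP <port>" with "remote PUBLIC_IP <port>" in every
# .conf inside ARCHIVE, writes ARCHIVE.fixed and prints the new remote line(s).
fix_remote_ip() {
    archive=$1
    private_ip=$2
    public_ip=$3
    work=$(mktemp -d) || return 1
    tar zxf "$archive" -C "$work" || { rm -rf "$work"; return 1; }
    # Escape the dots so 192.168.0.1 cannot also match e.g. 192x168x0x1.
    esc=$(printf '%s' "$private_ip" | sed 's/\./\\./g')
    found=0
    for conf in $(find "$work" -name '*.conf'); do
        found=1
        # Touch only the remote line; cert paths and other directives stay as they are.
        sed "s/^remote[[:space:]]\{1,\}$esc[[:space:]]\{1,\}/remote $public_ip /" \
            "$conf" > "$conf.new" && mv "$conf.new" "$conf"
        grep '^remote ' "$conf"
    done
    [ "$found" -eq 1 ] || { echo "no .conf found in $archive" >&2; rm -rf "$work"; return 1; }
    # Keep the top-level etc/ layout so "tar zxf ... -C /tmp/" still works on the client.
    tar zcf "$archive.fixed" -C "$work" . || { rm -rf "$work"; return 1; }
    rm -rf "$work"
}

# check_server_port HOST PORT
# Best-effort TCP reachability test from the client, using nc when installed.
# The page's client config uses "proto tcp" on 33800, so the NAT/firewall in
# front of the public address must forward that port to the server.
check_server_port() {
    command -v nc >/dev/null 2>&1 || { echo "nc not installed, skipping" >&2; return 0; }
    nc -z -w 3 "$1" "$2"
}

# make_sample_archive DIR CLIENT_IP
# Builds a sample <CLIENT_IP>.tar.gz in DIR with the page's config (constructed;
# certificate files are empty placeholders) and prints its path.
make_sample_archive() {
    dir=$1
    client=$2
    node="$dir/etc/openvpn/nodes/$client"
    mkdir -p "$node"
    cat > "$node/$client.conf" <<EOF
client
dev tun
proto tcp
remote 192.168.0.1 33800
resolv-retry infinite
nobind
user nobody
group nogroup
verb 3
ca /etc/openvpn/$client/ca.crt
cert /etc/openvpn/$client/$client.crt
key /etc/openvpn/$client/$client.key
script-security 2 system
up "/etc/init.d/fprobe stop || true"
comp-lzo
persist-key
persist-tun
EOF
    : > "$node/ca.crt"
    : > "$node/$client.crt"
    : > "$node/$client.key"
    tar zcf "$dir/$client.tar.gz" -C "$dir" etc
    echo "$dir/$client.tar.gz"
}

# Demonstration with the page's addresses: server 192.168.0.1 (private) and
# 88.132.33.11 (public); client 145.156.44.33.
sample_dir=$(mktemp -d)
sample=$(make_sample_archive "$sample_dir" 145.156.44.33)
fix_remote_ip "$sample" 192.168.0.1 88.132.33.11
# prints: remote 88.132.33.11 33800   (patched archive written to $sample.fixed)
```

Run fix_remote_ip against the real archive with the server's private and public addresses, then transfer the .fixed archive (renamed to <client_IP>.tar.gz) to the client as in step 3. Because the client config uses proto tcp on port 33800, running check_server_port 88.132.33.11 33800 from the client before deploying is a quick way to confirm that the NAT rule in front of the public address is in place.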