Site to site VPN tunneling with Untangle

A site-to-site VPN between two Untangle hosts: one in the Azure cloud, the other at home.
 02/04/2021 20:06:30
 Varga Gábor

This article shows how to build an easy, low-cost site-to-site VPN, either between two of your own sites or between one of your sites and a cloud service. The example below covers the second scenario with Microsoft Azure, but the same method works between two or more of your own sites. The example uses static routing (Untangle also supports OSPF and BGP dynamic routing).

Requirements:

- An Untangle instance at your local site (a hardware router or a virtual machine running Untangle)

- An Untangle virtual machine in the cloud with two network interfaces (in my case a B1ms-sized VM: 1 vCPU and 2 GB RAM)

- A virtual network with two subnets (one DMZ, one for internal communication)

- A static public IP address in Azure attached to the 1st network interface of the Untangle instance

 

This configuration does not require any special or additional Untangle license; the free apps are sufficient. If extra features are needed later, they can be added to any Untangle instance.

Step 1: Create the cloud instance of untangle

Create a dedicated resource group in Azure to hold the components of the Untangle cloud router.

Open the new resource group and click the Add button to create a new resource. Type "untangle" in the search field and choose "Untangle NG Firewall".

Configure the virtual machine parameters as shown in the screenshot:

- Virtual machine name: any name you like

- Region: the region where your other VMs are located

- Image: Untangle NG Firewall BYOL

- Size: depends on the number of users (below 30 users, B1ms is enough)

- Authentication type: I chose password. SSH with a key pair is also possible and is the safer choice, because the 1st interface of this VM will be exposed to the internet; if you keep password authentication, rely on the NSG rules from Step 2 to limit who can reach it.

Click Next: Disks.

Choose the disk type you want. I used Standard HDD because its performance is enough for me. Click Next: Networking.

On the Networking tab it is important that the 1st network interface is always the WAN interface. It needs a public IP address, and that address must be static: a dynamically allocated Azure public IP can change whenever the VM is deallocated, which would break the VPN endpoint. In my case I have a virtual network Cloud_Network with a subnet named DMZ whose range is 10.100.254.64/26; this small range is enough for the public S2S VPN connections. Click Next: Management.

On the next screen I only added my common storage account for the boot diagnostics option; this is the only monitoring option I chose here. Change it as you wish. Click Review + Create (if you want, you can add other features on the Advanced tab or configure tags on the Tags tab).

Here you can review the final setup before deployment. If it is fine, click Create.

Step 2: Change the virtual machine configuration

When the deployment is done, stop the virtual machine.

After clicking Stop, tick the checkbox when it asks "Do you want to reserve the Public IP address?". With this option the public IP address is reserved and will not change (as it would with a dynamic IP address).

While it is stopping, create two new network interfaces: cloudgw_wan and cloudgw_lan.

cloudgw_wan network interface

The virtual network and subnet must be the same ones used during the virtual machine creation (Cloud_Network / DMZ). Click Review + Create and then Create.

cloudgw_lan network interface

Configure the LAN interface. In this case I added my FW_GW subnet, which can communicate with the other internal virtual machines. The WAN and LAN network interfaces must be on the same virtual network (Azure does not allow a VM's NICs to span virtual networks). Click Review + Create and then Create.

By now the virtual machine has probably stopped and been deallocated. Open the public IP address (cloudgw-ip) and click Dissociate to remove it from the old network interface.

When the public IP address has been dissociated from the old network interface, click Associate. On the right side, select Network interface as the resource type and choose your WAN network interface. Then click OK.

When the association has finished, check that the proper network interface is shown.

In the public IP address, navigate to Configuration and configure a DNS name label. It is required later to set up the VPN connection properly. The resulting DNS name is <yourlabel>.northeurope.cloudapp.azure.com (with your own region in place of northeurope).

Now open the virtual machine, navigate to Networking in the left-side menu, click Attach network interface and select your cloudgw_wan network interface. Click OK and wait until it finishes.

When the attachment is saved, click Detach network interface and select the old network interface. Click OK and wait until it finishes.

Click Attach network interface again and select your cloudgw_lan network interface. Click OK and wait until it is added.

You should now see the WAN interface in 1st place and the LAN interface in 2nd place. This order matters: Untangle treats the 1st interface as the WAN.

Now navigate to Disks on the left side and click your disk. It must be resized, because its original size is only 3 GiB, which is too small.

In the panel on the right side click Configuration and change the size of the disk to a bigger one. I chose 32 GiB, which should be enough. Here you can also change the disk type if you want. Click Save and close the panel.

Now start the virtual machine.

Open the network security group that was created with the VM (cloudgw-nsg) and navigate to Inbound security rules on the left side. Click Add to create a new rule. This rule denies all connection attempts coming from within your virtual network, so the other virtual machines cannot reach the Untangle router through the DMZ subnet, which is used only for internet communication (they reach it through the LAN interface instead). Priority 999 is a lower number than the default AllowVnetInBound rule (65000), so it takes precedence:

- Source: Service Tag

- Source service Tag: VirtualNetwork

- Source port ranges: *

- Destination: Any

- Destination port ranges: *

- Protocol: Any

- Priority: 999

- Name: IN_VNET_Deny_All

Click to Add button.

Now check your public IP address, for example on https://whatismyipaddress.com/. Click Add under Inbound security rules again and allow all traffic from that address.

Note: this is meant as a temporary rule. It can only stay permanently if your home site has a static public IP address, because then it grants access to you alone. Bear in mind that this same rule is also what lets the home site's OpenVPN client reach the cloud instance: Untangle's OpenVPN server listens on UDP port 1194 by default, and the NSG's default DenyAllInBound rule (priority 65500) blocks it otherwise. If you remove this rule, or if the home site's public IP is dynamic, add a narrower rule that allows UDP 1194 to the WAN interface.

- Source: IP Addresses

- Source IP addresses/CIDR ranges: your public ip address

- Source port ranges: *

- Destination: Any

- Destination port ranges: *

- Protocol: Any

- Priority: 998

- Name: IN_MYPUBLIC_Allow_All

Click to Add button.

Now attach this NSG to the WAN network interface of the Untangle virtual machine. Within the network security group, navigate to Network interfaces on the left side, click Associate at the top and select your WAN network interface (cloudgw_wan in my case). The network interface should then appear in the list.
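To see how Azure actually orders these rules, here is an added Python example (not part of the original article and not Untangle or Azure tooling) that models NSG inbound evaluation: rules are tried in ascending priority and the first match decides, with Azure's default rules at 65000, 65001 and 65500. The VNet address space (10.100.0.0/16), the WAN interface's private address (10.100.254.68), the home public IP (203.0.113.7) and the IN_OPENVPN_Allow rule are assumptions or constructed values; the VirtualNetwork and Internet service tags are simplified to "inside the VNet" and "outside the VNet".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed/constructed values: the Cloud_Network address space, the WAN NIC's
# private address inside the DMZ subnet 10.100.254.64/26, and the home site's
# public IP. Replace them with your own.
VNET = [ip_network("10.100.0.0/16")]
WAN_IP = "10.100.254.68"
HOME_PUBLIC_IP = "203.0.113.7"

# Service tags, simplified: VirtualNetwork = the VNet's address space,
# AzureLoadBalancer = Azure's health-probe source, Internet = not in the VNet.
SERVICE_TAGS = {"VirtualNetwork": VNET,
                "AzureLoadBalancer": [ip_network("168.63.129.16/32")]}

@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    access: str           # "Allow" or "Deny"
    source: str           # "*", an IP/CIDR, or a service tag name
    dest: str
    protocol: str = "*"   # "*", "Tcp", "Udp"
    dst_ports: str = "*"  # "*", "1194" or "lo-hi"

def _addr_match(spec, addr):
    if spec == "*":
        return True
    if spec == "Internet":
        return not any(addr in n for n in VNET)
    if spec in SERVICE_TAGS:
        return any(addr in n for n in SERVICE_TAGS[spec])
    return addr in ip_network(spec, strict=False)

def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, src, dst, proto, dport):
    """Azure NSG semantics: lowest priority number first, first match decides."""
    s, d = ip_address(src), ip_address(dst)
    for r in sorted(rules, key=lambda r: r.priority):
        if (_addr_match(r.source, s) and _addr_match(r.dest, d)
                and r.protocol in ("*", proto) and _port_match(r.dst_ports, dport)):
            return r.access, r.name
    return "Deny", "<no rule>"  # unreachable while Azure's default rules are present

# Azure's default inbound rules (always present, cannot be deleted).
DEFAULT_RULES = [
    Rule(65000, "AllowVnetInBound", "Allow", "VirtualNetwork", "VirtualNetwork"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Allow", "AzureLoadBalancer", "*"),
    Rule(65500, "DenyAllInBound", "Deny", "*", "*"),
]
# The two rules from the article, attached to the WAN NIC.
ARTICLE_RULES = [
    Rule(998, "IN_MYPUBLIC_Allow_All", "Allow", HOME_PUBLIC_IP, "*"),
    Rule(999, "IN_VNET_Deny_All", "Deny", "VirtualNetwork", "*"),
]
RULES = ARTICLE_RULES + DEFAULT_RULES
# Suggested narrower rule (assumption, not in the article): OpenVPN's default
# UDP 1194 from anywhere, so the tunnel survives removing the allow-all rule.
OPENVPN_RULE = Rule(997, "IN_OPENVPN_Allow", "Allow", "Internet", "*", "Udp", "1194")

if __name__ == "__main__":
    for src, proto, port in [("10.100.1.10", "Udp", 1194), (HOME_PUBLIC_IP, "Udp", 1194),
                             ("198.51.100.9", "Udp", 1194)]:
        print(src, proto, port, "->", evaluate(RULES, src, WAN_IP, proto, port))
    print("with OPENVPN_RULE:",
          evaluate(RULES + [OPENVPN_RULE], "198.51.100.9", WAN_IP, "Udp", 1194))
```

The third case is the one to notice: a peer that is not your home IP (for example your home site after its ISP changed the address) falls through to DenyAllInBound, so the tunnel never comes up until a rule for UDP 1194 exists.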

Step 3: Configuring Untangle (including password reset)

A password reset is required only if the default password (untangle) does not work.

Unfortunately, the current (v14.2.2) Untangle image on Azure has a bug: an administrator password is already configured, and it is not possible to start the installation wizard because that password is unknown. To get past this, the admin password must be removed.

Log on to the server with SSH to the public IP address, using the username and password configured during the virtual machine creation.

Request a root shell with the following command: sudo -i

Navigate to the folder /usr/share/untangle/settings/untangle-vm and delete the admin.js file:

rm /usr/share/untangle/settings/untangle-vm/admin.js

Restart the virtual machine with the reboot command.

After the restart you can open http://<public_ip> in a browser and log in with username "admin" and password "passwd". Until you change it in the next step, this default credential is only protected by the IN_MYPUBLIC_Allow_All rule from Step 2, so complete the wizard before removing that rule.

Now you can start the configuration.

- Select language as you desire. English in my case.

- Click to Run Setup Wizard and Agree the eula.

- Setup new password for account admin.

It now detects that there are two network interface cards. Click the Internet Connection button.

Here you can see the private IP address that comes from your DMZ subnet. You can test internet connectivity with the Test Connectivity button. Click the Internal Network button.

In the Azure portal, check the internal IP address assigned to your LAN network interface; in my case it is 10.100.254.4. Select the proper network mask (it depends on your subnet in Azure). On a cloud instance leave the DHCP service disabled, since Azure assigns addresses on the virtual network; enable DHCP only at a site where there is no other DHCP server.

Click the Auto Upgrades button, then Finish, then Go to Dashboard.

We now have a fully installed Untangle instance with its default setup.

On the first Dashboard login it suggests registering the instance in the Untangle cloud; if you do, you can check its status from the global Untangle Command Center.

When the registration completes, it asks whether to install the default apps. We do not want the default apps installed; we will do it manually later, so click "No, I will install the apps manually."

In the Apps section, which appears immediately, install the OpenVPN and Firewall applications. Both are free of charge.

Configure the hostname so the instance is reachable from the internet. Because the instance sits behind NAT (Azure translates the public IP to the WAN interface's private address), the default connection address in the exported OpenVPN client configuration is that internal address. It must be changed to your public DNS name.

Navigate to Config => Network => Hostname.

Set the hostname to the label configured in the public IP settings.

The domain is the rest of the full address (northeurope.cloudapp.azure.com in my case). Tick the "Use Hostname" radio button.

Step 4: Configure OpenVPN for Site-to-site VPN on your cloud instance

Open OpenVPN from Apps and click the Server tab.

- Tick the Server Enabled checkbox

- Site Name: azure-NE-site

- Address Space: any network that does not overlap your cloud or on-premises networks. In my case 172.16.240.0/24

Double-check that the Site URL is correct and contains the proper public DNS name.

Click to Save button.

Click the Add button on the right side (Clients tab).

- Client Name: local-site (anything you like)

- Group: Default Group

- Type: Network

- Remote Networks: <your local network ranges>

Click Done, then Save.

Click the icon in the Download Client column, then the "Click here to download this client's configuration zip file for remote Untangle OpenVPN clients or other OS's" link.

 

Navigate to the Exported Networks tab and click Add to add your cloud network ranges one by one. These networks are pushed to your local VPN instance as routes through the tunnel.

Click Save at the bottom to save your changes.

Now go to the Status tab of OpenVPN and turn the app on with the power button.

Step 5: configure your local untangle OpenVPN

Log on to your local instance through the browser.

Open OpenVPN from Apps. Click the Client tab and upload the previously downloaded configuration file.

If the upload completed, you can see the configured site name.

Navigate to the Status tab and check whether the connection to your cloud instance is established. If the Connected column shows "true" and Rx Data and Tx Data are not 0, the connection is working.

For the cloud Untangle instance to reach your other cloud subnets, static routes must be configured on the cloud instance (the next hop below is the Azure gateway of its LAN subnet). There, navigate to Config => Network => Routes.

Under Static Routes (left side) click Add.

- Description: name of your cloud subnet

- Network: network address of the subnet

- Netmask: select the proper one

- Next Hop: the Azure gateway address of your LAN subnet, which is the first usable address of that subnet. In my case it is 10.100.254.1, as the LAN IP address is 10.100.254.4

Repeat these steps for every cloud subnet you want to reach.
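Two checks that go with this step and with the Address Space requirement of Step 4, as an added Python example (not code from the article or from Untangle): it confirms that the tunnel address space, the local networks and the cloud networks are pairwise disjoint, derives the static routes the cloud instance needs from its LAN interface (Azure's convention: the first usable address of a subnet is the gateway), and shows how Azure picks the next hop for a destination once the default route of Step 6 exists, by longest prefix, with a user-defined route beating the system route on an equal prefix. The home LAN 192.168.1.0/24, the VNet range 10.100.0.0/16, the /26 mask of the LAN subnet and the two workload subnets are constructed placeholders.

```python
from itertools import combinations
from ipaddress import ip_address, ip_interface, ip_network

# Cloud-side values from the article; the rest are constructed placeholders.
VPN_ADDRESS_SPACE = ip_network("172.16.240.0/24")
LOCAL_NETWORKS = [ip_network("192.168.1.0/24")]               # constructed home LAN
VNET_SPACE = ip_network("10.100.0.0/16")                       # assumed Cloud_Network range
CLOUD_LAN_IFACE = ip_interface("10.100.254.4/26")              # Untangle LAN NIC, assumed /26
CLOUD_DMZ = ip_network("10.100.254.64/26")
CLOUD_SUBNETS = [ip_network("10.100.1.0/24"), ip_network("10.100.2.0/24")]  # constructed

def overlaps(networks):
    """Pairs of networks that overlap. The tunnel address space, every local
    network and every exported cloud network must be pairwise disjoint."""
    return [(a, b) for a, b in combinations(networks, 2) if a.overlaps(b)]

def plan_check(vpn_space, local_nets, cloud_nets):
    return overlaps([vpn_space, *local_nets, *cloud_nets])

def azure_gateway(iface):
    """Azure reserves the first usable address of each subnet as its gateway
    (10.100.254.1 for the 10.100.254.0/26 LAN subnet in the article)."""
    return iface.network.network_address + 1

def cloud_static_routes(lan_iface, cloud_nets):
    """Static routes for the cloud Untangle (Config => Network => Routes): each
    cloud subnet via the LAN subnet's Azure gateway. The LAN subnet itself is
    directly connected and needs no route."""
    gw = azure_gateway(lan_iface)
    return [(str(n), str(gw)) for n in cloud_nets if n != lan_iface.network]

# Azure route selection: longest prefix wins; on equal prefixes a user-defined
# route beats the system route. Source rank 0 = UDR, 1 = system route.
SYSTEM_ROUTES = [(VNET_SPACE, "VirtualNetwork", 1),
                 (ip_network("0.0.0.0/0"), "Internet", 1)]
UDR = [(ip_network("0.0.0.0/0"), f"VirtualAppliance {CLOUD_LAN_IFACE.ip}", 0)]

def azure_next_hop(dst, routes):
    addr = ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    best = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]

if __name__ == "__main__":
    print("overlaps:", plan_check(VPN_ADDRESS_SPACE, LOCAL_NETWORKS,
                                  CLOUD_SUBNETS + [CLOUD_LAN_IFACE.network, CLOUD_DMZ]))
    print("routes:", cloud_static_routes(CLOUD_LAN_IFACE, CLOUD_SUBNETS))
    for dst in ("10.100.2.20", "192.168.1.50"):
        print(dst, "->", azure_next_hop(dst, SYSTEM_ROUTES + UDR))
```

The last two lines of output explain why a single 0.0.0.0/0 route is enough in Step 6: VM-to-VM traffic inside the VNet still matches the more specific system route and goes direct, while traffic to the home LAN (and to the internet) falls to the default route and is handed to the Untangle LAN interface, which sends it into the tunnel.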

Step 6: Configure cloud subnet to route all traffic via untangle

Create a new route table named Default_route in the resource group where your network is located.

Open the route table, navigate to Routes and click Add to create a new one.

- Name: Default

- Address prefix: 0.0.0.0/0

- Next hop type: Virtual appliance

- Next hop address: lan ip of your untangle (10.100.254.4 for me)

Click OK to add.

Navigate to Subnets on the left side and click Associate.

Select your virtual network and the subnet you want to associate with this route configuration. (I got an error message that it had already been associated.) Click OK to configure it.

Two Azure settings this route depends on: IP forwarding must be enabled on the Untangle VM's LAN network interface (Network interface => IP configurations), otherwise Azure drops the packets the appliance forwards on behalf of other addresses; and the route table should be associated only with the workload subnets, not with the DMZ subnet, because a 0.0.0.0/0 route there would send the WAN interface's own internet-bound traffic back to the appliance. With that in place the configuration is complete, and communication should work between your two sites and between your two Untangle instances.