Hello,

We've provided a PR for the remote management VPC to support IKEv2, using
an SSL cert to auth the server and username/password for users [1].
The problem with OpenVPN is that it requires a custom client for some OSes
such as Windows, whereas IKEv2 is supported out of the box on Windows,
OS X and Linux.
Client configuration is rather simple too.

This PR uses HashiCorp Vault to generate an SSL cert and CA for each
customer, on a per-domain basis if I remember correctly, which is pushed
to the VR as the cert for the IKEv2 VPN server.
The UI and API then allow you to download the CA so the client can trust
the VPN server and proceed with the VPN connection. That way, to get a
connection you need to trust the CA and you need a user/pass.
This was done before CloudStack had internal CA generation features, so
the PR would need some rework to support it, I guess.

This solution is working great so far: connection time is almost immediate,
and the tunnel is stable and reliable, with good performance compared to
the old L2TP version.

Another benefit with Strongswan + IKEv2 is user connection logs: we can get
the username and connection state from the logs on the VRs, which is
valuable for connection auditing.

[1] https://github.com/apache/cloudstack/pull/2850

Cheers,
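For readers who want to see what the server side of the setup described above looks like, here is an added illustration (not the PR's own files, and not taken from the CloudStack VR): a classic strongswan `ipsec.conf`/`ipsec.secrets` pair for an IKEv2 gateway that authenticates itself with a certificate and authenticates users with EAP-MSCHAPv2 username/password. The connection name, hostname `vpn.example.test`, file names, subnets and the user `alice` are all assumed placeholders.

```conf
# /etc/ipsec.conf on the gateway (assumed layout; example only, not the PR's file)
config setup
    charondebug="ike 1, cfg 0"

conn ikev2-remote-access
    auto=add
    keyexchange=ikev2
    # Gateway side: authenticated by the certificate issued for this domain.
    # The client must already trust the CA that signed vpn-server.pem.
    left=%any
    leftid=@vpn.example.test
    leftcert=vpn-server.pem
    leftsendcert=always
    leftsubnet=10.1.0.0/16
    # Client side: no client certificate, username/password via EAP-MSCHAPv2.
    # eap_identity=%identity makes the EAP username the peer's IKE identity,
    # so it shows up in the IKE_SA log lines used for auditing.
    right=%any
    rightauth=eap-mschapv2
    rightsendcert=never
    rightsourceip=10.99.0.0/24
    eap_identity=%identity
    # Pin modern suites instead of relying on the defaults.
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!

# /etc/ipsec.secrets (assumed; secrets are placeholders)
: RSA vpn-server-key.pem
alice : EAP "replace-with-per-user-secret"
```

The `leftid` must match a name in the server certificate (CN or SAN), otherwise Windows and macOS clients will refuse the tunnel even when the CA is trusted; that is usually the first thing to check when a client reports a certificate error against a freshly issued cert.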

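The auditing point above (username and connection state recoverable from the VR logs) can be turned into something a log pipeline can consume. The following is an added example, written for this thread and not part of the PR or of CloudStack: it parses charon syslog lines of the shape strongswan emits for EAP identity, EAP-MSCHAPv2 results, IKE_SA establishment and deletion, and summarizes per-user connection counts, authentication failures and still-open sessions. The sample log is constructed (hostname, thread ids, addresses and users are made up) and only approximates strongswan's message formats.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of strongswan's charon syslog output
# (hostname, thread ids, addresses and users are made up; not from a real VR).
SAMPLE_LOG = """\
Jun 10 15:01:02 r-1-VM charon: 05[IKE] received EAP identity 'alice'
Jun 10 15:01:02 r-1-VM charon: 05[IKE] EAP-MS-CHAPv2 succeeded, MSK established
Jun 10 15:01:02 r-1-VM charon: 05[IKE] IKE_SA ikev2-vpn[1] established between 203.0.113.10[CN=vpn.example.test]...198.51.100.7[alice]
Jun 10 15:03:40 r-1-VM charon: 07[IKE] received EAP identity 'bob'
Jun 10 15:03:41 r-1-VM charon: 07[IKE] EAP-MS-CHAPv2 verification failed, retry (1)
Jun 10 15:03:44 r-1-VM charon: 07[IKE] EAP-MS-CHAPv2 verification failed, retry (2)
Jun 10 15:05:12 r-1-VM charon: 09[IKE] deleting IKE_SA ikev2-vpn[1] between 203.0.113.10[CN=vpn.example.test]...198.51.100.7[alice]
"""

# syslog prefix, charon thread id and the IKE message proper
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: (?P<thread>\d+)\[IKE\] (?P<msg>.*)$"
)
EAP_ID_RE = re.compile(r"received EAP identity '(?P<user>[^']*)'")
# "IKE_SA <name>[<id>] established between <ip>[<id>]...<ip>[<id>]"
EST_RE = re.compile(
    r"IKE_SA (?P<sa>\S+\[\d+\]) established between "
    r"(?P<l>\S+?)\[(?P<lid>[^\]]*)\]\.\.\.(?P<r>\S+?)\[(?P<rid>[^\]]*)\]"
)
# "deleting IKE_SA <name>[<id>] between <ip>[<id>]...<ip>[<id>]"
DEL_RE = re.compile(
    r"deleting IKE_SA (?P<sa>\S+\[\d+\]) between "
    r"(?P<l>\S+?)\[(?P<lid>[^\]]*)\]\.\.\.(?P<r>\S+?)\[(?P<rid>[^\]]*)\]"
)


def parse_events(log_text):
    """Turn raw charon lines into a list of auditing events (dicts)."""
    events = []
    pending_user = {}  # charon thread id -> EAP identity currently authenticating
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a charon IKE line; ignore
        ts, thread, msg = m.group("ts"), m.group("thread"), m.group("msg")
        eap = EAP_ID_RE.search(msg)
        if eap:
            pending_user[thread] = eap.group("user")
            events.append({"ts": ts, "event": "auth_start", "user": eap.group("user")})
            continue
        if "verification failed" in msg:
            # bad password; attribute it to the identity seen on this thread
            events.append({"ts": ts, "event": "auth_fail", "user": pending_user.get(thread, "?")})
            continue
        if "succeeded" in msg:
            events.append({"ts": ts, "event": "auth_ok", "user": pending_user.get(thread, "?")})
            continue
        est = EST_RE.search(msg)
        if est:
            # with eap_identity=%identity the remote IKE identity is the EAP username
            events.append({"ts": ts, "event": "connected", "user": est.group("rid"),
                           "sa": est.group("sa"), "peer": est.group("r")})
            pending_user.pop(thread, None)
            continue
        dele = DEL_RE.search(msg)
        if dele:
            events.append({"ts": ts, "event": "disconnected", "user": dele.group("rid"),
                           "sa": dele.group("sa"), "peer": dele.group("r")})
    return events


def audit(events):
    """Per-user counters plus the sessions that have not been torn down."""
    per_user = defaultdict(lambda: {"auth_failures": 0, "connected": 0, "disconnected": 0})
    active = {}  # IKE_SA name[id] -> (user, peer ip, established at)
    for ev in events:
        user = ev["user"]
        if ev["event"] == "auth_fail":
            per_user[user]["auth_failures"] += 1
        elif ev["event"] == "connected":
            per_user[user]["connected"] += 1
            active[ev["sa"]] = (user, ev["peer"], ev["ts"])
        elif ev["event"] == "disconnected":
            per_user[user]["disconnected"] += 1
            active.pop(ev["sa"], None)
    return {"users": dict(per_user), "active_sessions": active}


if __name__ == "__main__":
    report = audit(parse_events(SAMPLE_LOG))
    for user, counters in sorted(report["users"].items()):
        print(user, counters)
    print("active:", report["active_sessions"])
```

The `auth_failures` counter is the value worth alerting on: repeated EAP failures for one identity from a single peer are the password-guessing signal that the old L2TP setup never surfaced, and `active_sessions` gives the "who is connected right now" view an operator wants during an incident.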
On Thu, Jun 10, 2021 at 3:26 PM Wei ZHOU <ustcweiz...@gmail.com> wrote:

> Yes, OpenVPN is proposed to implement the remote access vpn feature (it is
> currently an IPSec/L2TP vpn server using Strongswan).
> site-to-site vpn in vpcs (also using strongswan) will not be changed.
>
> -Wei
> On Thu, 10 Jun 2021 at 18:51, Kristaps Cudars <kristaps.cud...@gmail.com>
> wrote:
>
> > OpenVPN is SSL/TLS VPN and it has no support for IPSec. OpenVPN should
> > coexist with Strongswan. OpenVPN is meant for VPN client connectivity,
> > many to one. Strongswan is meant for P2P connectivity.
> >
> > On 2021/06/10 08:39:14, Rudraksh MK <rudra...@indiqus.com.INVALID> wrote:
> > > Hey!
> > >
> > > I’m personally a strong proponent of Wireguard. A couple years back,
> > > implementing an S2S or remote-access VPN with WG was complicated and it
> > > still is - but there’s definitely more tooling available these days.
> > > There are clients for just about every major platform - desktop and
> > > mobile.
> > >
> > > In the long term though, I think a general-purpose VPN provider like
> > > the one you outlined is far better - and I’d definitely like to take a
> > > stab at it, although I’ll admit my Java skills are basically... zero.
> > > But even so - a framework that allows users to select what platform
> > > they want - Strongswan vs OpenVPN vs Wireguard - would be awesome.
> > >
> > >
> > > Best!
> > >
> > > Rudraksh Mukta Kulshreshtha
> > > Vice-President - DevOps & R&D
> > > IndiQus Technologies
> > > O +91 11 4055 1411 | M +91 99589 54879
> > > indiqus.com
> > >
> > > On 10 Jun 2021, 1:55 PM +0530, Rohit Yadav <rohit.ya...@shapeblue.com>
> > > wrote:
> > > > All,
> > > >
> > > > We've historically supported openswan and nowadays strongswan as the
> > > > VPN provider in VR for both site-to-site and remote access modes.
> > > > After discussing the situation with a few users and colleagues I
> > > > learnt that OpenVPN is generally far easier to use, has clients for
> > > > most OSes and platforms (desktop, laptop, tablet, phones...) and
> > > > allows multiple clients on the same public IP (for example, multiple
> > > > people in the office sharing a client-side public IP/NAT while trying
> > > > to connect to a VPC or an isolated network), and for these reasons
> > > > many users actually deploy pfSense or set up an OpenVPN server in
> > > > their isolated network or VPC and use that instead.
> > > >
> > > > Therefore, for the point-to-point VPN use-case of remote access [1],
> > > > does it make sense to switch to OpenVPN? Or are there users using
> > > > strongswan/ipsec/l2tpd for remote access VPN?
> > > >
> > > > A general-purpose VPN framework/provider where an account or admin
> > > > (via offering) can specify which VPN provider they want in the network
> > > > (strongswan/ipsec, OpenVPN, Wireguard...). However, it may be more
> > > > complex to implement and maintain. Any other thoughts in general about
> > > > VPN implementation and support in CloudStack? Thanks.
> > > >
> > > > [1]
> > > > http://docs.cloudstack.apache.org/en/latest/adminguide/networking_and_traffic.html#remote-access-vpn
> > > >
> > > >
> > > >
> > > > Regards.