
Information

This article was written for version 6.3.0.1 of op5 monitor; it may also work on lower and higher versions unless stated otherwise.

This article does not cover configuration of iptables (firewall), although using it is recommended. In this article iptables is disabled.

Articles in the Community-Space are not supported by op5 Support.

Introduction 

When configuring distributed monitoring you sometimes want to tunnel the traffic between the peers/pollers through a virtual private network (VPN). This is useful when one of the peers/pollers is behind NAT and is not directly reachable.
This can be done by installing and configuring OpenVPN on the peers/pollers. OpenVPN uses OpenSSL to encrypt the traffic exchanged between the devices. In this how-to we walk through a scenario that can occur in real life.

Prerequisites

  • Connection to the Internet
  • Updated operating system
  • Basic Linux/Unix knowledge. How to install packages, ssh, scp, copy files, execute scripts, read files, edit files, stop and start services.

Topology

In this scenario we have an Internet-accessible monitor server. This master has to be able to reach pollers that sit behind a firewall configured with NAT (Network Address Translation), which creates a problem: the master cannot get through the firewall to the internal pollers, and from the outside it cannot tell them apart, because it sees a single public IP address for all of them.

Configure OpenVPN server on Master

  • Enable epel repository

    # rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
  • Install openvpn and easy-rsa

    # yum install -y openvpn easy-rsa 
  • Copy a sample server.conf file to /etc/openvpn

    # cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
  • Edit /etc/openvpn/server.conf and uncomment and change these lines as shown below:

    # vim /etc/openvpn/server.conf

     push "redirect-gateway def1 bypass-dhcp"
     push "dhcp-option DNS 8.8.8.8"
     push "dhcp-option DNS 8.8.4.4"
     dh dh2048.pem
     user nobody
     group nobody

    The two DNS addresses are only examples; any DNS server that can reach the Internet will do.
     

  • Make a directory in /etc/openvpn called easy-rsa and copy config-files to it

    # mkdir -p /etc/openvpn/easy-rsa/keys
    # cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
  • Edit /etc/openvpn/easy-rsa/vars file and change the following values. Note that these are only examples, change this to fit your environment. 

    # vim /etc/openvpn/easy-rsa/vars

    export KEY_COUNTRY="SE"
    export KEY_PROVINCE="Stockholm"
    export KEY_CITY="Stockholm"
    export KEY_ORG="DummyCompany AB"
    export KEY_EMAIL="support@dummycompany.org"
    export KEY_OU="ProfessionalServices"
    export KEY_CN="master.dummycompany.com" 

     

  • Copy and rename /etc/openvpn/easy-rsa/openssl-1.0.0.cnf to /etc/openvpn/easy-rsa/openssl.cnf

    # cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

     

  •  Change directory and source the file /etc/openvpn/easy-rsa/vars and start building certificates and keys.

    # cd /etc/openvpn/easy-rsa 
    # source ./vars 
    # ./clean-all 
    # ./build-ca

    Answer yes to all.
     

  • Build a key

    # ./build-key-server server

    Answer yes to all; when prompted for a password press enter, and when prompted for y/n enter "y" and press enter.
     

  • Generate Diffie Hellman key and copy the created keys and certificates to /etc/openvpn

    # ./build-dh
    # cd /etc/openvpn/easy-rsa/keys
    # cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
  • Build keys for all clients (pollers). The file /etc/openvpn/easy-rsa/vars needs to be edited to reflect the client and then sourced again.

    # vim /etc/openvpn/easy-rsa/vars

    export KEY_CN="poller01.op5.com" 
    Save and exit

     

    # cd /etc/openvpn/easy-rsa 
    # source ./vars
    # ./build-key poller01

    Answer yes to all; when prompted for a password press enter, and when prompted for y/n enter "y" and press enter.
    Copy the generated keys to the root directory of the remote client (poller). How you do this is up to you, but keep in mind that the keys must be well protected.
    The files that need to be copied are in /etc/openvpn/easy-rsa/keys:
    ca.crt
    poller01.crt
    poller01.key
    Repeat this step for all your pollers.
     

  • Allow ip forwarding by editing /etc/sysctl.conf:

    # vim /etc/sysctl.conf 

    net.ipv4.ip_forward = 1
    Save and exit

    # sysctl -p


  • Start OpenVPN and make it start at boot

     # service openvpn start
     # chkconfig openvpn on
  • Verify that the tun0 interface exists

    # ifconfig
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
              inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:18085 errors:0 dropped:0 overruns:0 frame:0
              TX packets:18180 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100 
              RX bytes:4244728 (4.0 MiB)  TX bytes:2421496 (2.3 MiB)
  • Remove the epel repository if you were not using it before this how-to.

    # rm -f /etc/yum.repos.d/epel-*

Configuring OpenVPN client on pollers

  • Enable epel repository

    # rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
  • Install OpenVPN

    # yum install openvpn -y
  • Remove the epel repository if you were not using it before this how-to.

    # rm -f /etc/yum.repos.d/epel-*
  • Copy a sample client.conf to /etc/openvpn

    # cp /usr/share/doc/openvpn-*/sample/sample-config-files/client.conf /etc/openvpn
  • Copy the keys that you transferred from the OpenVPN server to /etc/openvpn

    # cd /root/
    # cp poller01.crt poller01.key ca.crt /etc/openvpn
  • Edit /etc/openvpn/client.conf and change the lines as shown below:

    # vim /etc/openvpn/client.conf 

    remote (the master's IP address) 1194

    Note!

    This is NOT the OpenVPN (tun0) address of the master; it is the master's eth0 address.

    user nobody
    group nobody
    ca ca.crt
    cert poller01.crt
    key  poller01.key
     

  • Start OpenVPN and make it start at boot

    # service openvpn start 
    # chkconfig openvpn on

    Note!

    You may need to restart the network

    # service network restart

 

  • Verify that the tun0 interface exists

    # ifconfig
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
              inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:18085 errors:0 dropped:0 overruns:0 frame:0
              TX packets:18180 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100 
              RX bytes:4244728 (4.0 MiB)  TX bytes:2421496 (2.3 MiB)
  • Try to ping to and from the master/peer using the IP addresses received from OpenVPN.
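As an added check (an editor's script, not part of the original article), the following function inspects an OpenVPN configuration directory after either the server steps on the master or the client steps on a poller: it flags ca/cert/key/dh files that the config names but that are missing, a private key readable by group or others, and a config that never drops privileges to nobody. Run it as check_openvpn_dir /etc/openvpn server.conf on the master and with client.conf on each poller.

```shell
#!/bin/sh
# Added example (editor's check, not the op5 article's own script):
# inspect an OpenVPN configuration directory after the server or client
# steps. Flags ca/cert/key/dh files that the config names but that do not
# exist, private keys readable by group/others, and a missing
# "user nobody" / "group nobody" privilege drop. Returns the problem count.
# Usage: check_openvpn_dir /etc/openvpn server.conf   (or client.conf)
check_openvpn_dir() {
    dir="$1"; conf="$2"; problems=0
    [ -f "$dir/$conf" ] || { echo "missing config $dir/$conf"; return 1; }
    for directive in ca cert key dh; do
        # First uncommented occurrence; relative paths are taken from $dir,
        # which is where the sample configs expect to be started from.
        file=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$dir/$conf")
        [ -n "$file" ] || continue
        case "$file" in /*) path="$file" ;; *) path="$dir/$file" ;; esac
        if [ ! -f "$path" ]; then
            echo "$directive: $path does not exist"
            problems=$((problems + 1))
        elif [ "$directive" = key ]; then
            # Characters 5-10 of ls -l are the group and other permission bits;
            # a private key should have none of them set.
            mode=$(ls -l "$path" | cut -c5-10)
            if [ "$mode" != "------" ]; then
                echo "key: $path is readable by group/others (mode bits: $mode)"
                problems=$((problems + 1))
            fi
        fi
    done
    for d in user group; do
        grep -Eq "^$d[[:space:]]+nobody" "$dir/$conf" || {
            echo "$d nobody is not set: OpenVPN keeps running as root"
            problems=$((problems + 1))
        }
    done
    return "$problems"
}
```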

 

Configure static IP for clients

For merlin to work the pollers need a static IP address. This configuration is done on the master.

  • Create the directory that contains the client configuration files

    # mkdir /etc/openvpn/ccd
  • Edit the file /etc/openvpn/server.conf so that OpenVPN will look for the client configuration files.

    # vim /etc/openvpn/server.conf

    Add the following line:

    client-config-dir ccd

    Save and exit

  • Create a file named exactly as the poller name that was used to create the client's certificate (poller01 in the command # ./build-key poller01). Replace poller01 with your poller's name in the steps below.

    # cd /etc/openvpn/ccd
    # touch poller01
  • Edit the file and add the IP configuration. Change the IP in this example to the desired IP of the poller.

    # vim poller01
    ifconfig-push 10.8.0.100 10.8.0.101

    Save and exit.

     

  • Restart OpenVPN, do this on both the master and the poller.

    # service openvpn restart 
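As an added check before the restart (an editor's script, not from the article), this function validates every file in the ccd directory. It assumes the default topology net30 of the sample server.conf, for which the OpenVPN manual requires each ifconfig-push pair to come from its own /30 (local address 4k+1, remote 4k+2, e.g. 10.8.0.101 10.8.0.102), and it also reports two files pushing the same address; with "topology subnet" the pair format differs and this rule does not apply.

```shell
#!/bin/sh
# Added example (editor's check, not the op5 article's own script):
# validate client-config-dir entries before restarting OpenVPN.
# Assumes the default "topology net30", where each ifconfig-push pair must
# come from its own /30: local = 4k+1, remote = 4k+2 (e.g. 10.8.0.101
# 10.8.0.102). Also flags two pollers pushed the same address.
# OpenVPN selects the ccd file by the client certificate's Common Name,
# so the file name must match that name exactly. Returns the problem count.
# Usage: check_ccd_dir /etc/openvpn/ccd
check_ccd_dir() {
    ccd="$1"; problems=0; seen=""
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        line=$(awk '$1 == "ifconfig-push" { print $2, $3; exit }' "$f")
        if [ -z "$line" ]; then
            echo "$name: no ifconfig-push line"
            problems=$((problems + 1)); continue
        fi
        local_ip=${line% *}; remote_ip=${line#* }
        # Split each address into its first three octets and its last octet
        lp=${local_ip%.*}; lo=${local_ip##*.}
        rp=${remote_ip%.*}; ro=${remote_ip##*.}
        if [ "$lp" != "$rp" ] || [ $((lo % 4)) -ne 1 ] || [ "$ro" -ne $((lo + 1)) ]; then
            echo "$name: $local_ip $remote_ip is not a valid net30 pair"
            problems=$((problems + 1))
        fi
        # The local address is the poller's VPN IP; it must be unique
        case " $seen " in
            *" $local_ip "*)
                echo "$name: $local_ip is already pushed to another client"
                problems=$((problems + 1)) ;;
        esac
        seen="$seen $local_ip"
    done
    return "$problems"
}
```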

 

Continue to the page Distributed Monitoring to set up the master/poller. Remember to use the VPN IP addresses when configuring /etc/hosts.