Security and privacy are extremely important nowadays, so people are always in search of new ways to protect themselves while surfing the Internet.
A virtual private network (VPN) is one of the most common solutions used by companies and individuals to protect their connections and communications from cybersecurity threats with the help of strong encryption algorithms.
There are many commercial and even free VPN services. However, the vast majority of them use shared infrastructure, meaning that many customers share the same encryption servers and IP addresses. Such an approach increases the risk of security breaches. Also, one fraudulent user can compromise the shared infrastructure and cause many of the VPN service's IP addresses to be blocked across popular public websites. In addition, the owners of shared VPN services can potentially access and analyze all your traffic. Thus, a dedicated VPN server installed inside your own cloud environment provides a much higher level of security than shared VPN services.
Below we describe how to establish a private and fully trusted VPN connection based on OpenVPN server software automatically installed inside Jelastic PaaS in order to cover the following use cases:
- Tunnel the traffic to the Internet to prevent threats from compromised networks
- Securely transmit business data via VPN by specifying authorized domains
- Interconnect private networks across multiple sites and public clouds
- Prevent malware and phishing by restricting access to only trusted internet sources
- Enforce security of remote desktop sharing services
Within the article you’ll find out how to perform:
- OpenVPN Server Software Installation
- OpenVPN Client Software and Profiles
- VPN Connection
- VPN Tunnel Verification
- Change VPN Access Mode
- OpenVPN Custom Domain SSL Certificate
OpenVPN Server Software Installation
1. Sign in to the Jelastic account, open Marketplace and find the OpenVPN Access Server in the Dev & Admin Tools section.
2. Customize settings in the installation window:
- Secure Internet Access:
  - Provides secured Internet access and prevents threats from rogue public Wi-Fi hotspots and untrusted networks
  - Enforces corporate Internet usage policy by securely tunneling traffic
  - The DNS queries are resolved by Google Public DNS, which makes this mode applicable only for Internet browsing
- Secure Remote Access:
  - Provides secure access for remote employees to your corporate resources and public cloud networks
  - Strengthens and adds a layer of security to remote desktop protocol and other desktop screen sharing services
  - The DNS queries are resolved by internal platform DNS servers. So, while accessing the Cloud LAN, environment and container hostnames are associated with their private IP addresses, allowing you to reach them as if the requests were coming from within the same cloud region
  - If the VPN server runs within an isolated environment group, the VPN client will only have access to the environments of this group
- Install Let’s Encrypt free SSL with auto-renewal for OpenVPN Admin Web Server - this option installs the Let’s Encrypt Free SSL add-on on the VPS server and issues a valid SSL certificate for the environment domain generated by the platform. Thus it secures the web admin interface of the OpenVPN Access Server. If you prefer using a custom domain, change it after installation.
If required, change the environment name and destination region. Finally, click Install.
3. Once the successful installation window appears, follow the Client UI URL to access the Admin Web Server to get the connection profiles or change OpenVPN Access Server parameters.
If you have no OpenVPN client software installed, choose an appropriate one for your OS.
OpenVPN Client Software and Profiles
From the user panel:
- follow the URLs to get the software that best fits your device
- get a user-locked profile to connect to the VPN server. With this profile you must enter the login credentials from the successful installation window when establishing a VPN connection
- get an autologin profile, which means no credentials are required to connect to the VPN server
- gain access to the OpenVPN Access Server Admin UI panel by pressing the Admin button. Use this panel to fine-tune the server. Find more info:
Follow the steps below to establish a VPN connection:
1. Once the client software is installed, download the OpenVPN autologin profile to your device as the file client.ovpn.
2. Import client.ovpn and invoke connection:
- For Ubuntu Linux:
- For Windows 10:
Once the file is imported, choose a connect option like this:
- For MacOS:
3. Finally, the encrypted tunnel to your cloud infrastructure is established, along with a secure Internet connection through it.
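Because the autologin profile from step 1 connects without asking for credentials, the client.ovpn file itself is the credential. The following check is an added example, not part of the original article or the OpenVPN tooling: it flags a profile that has no auth-user-pass directive, carries inline secret blocks, or is readable by other local users. The sample profiles and the finding names are constructed for illustration, and it assumes a user-locked profile is the one that contains auth-user-pass.

```python
import os
import stat
import tempfile

# Constructed sample profile (placeholder key material, not a real credential).
SAMPLE_AUTOLOGIN = """\
client
dev tun
remote vpn.example.invalid 1194 udp
<key>
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER
-----END PRIVATE KEY-----
</key>
"""
# The same profile as a user-locked one: credentials are asked at connect time.
SAMPLE_USER_LOCKED = SAMPLE_AUTOLOGIN + "auth-user-pass\n"

SECRET_BLOCKS = ("key", "tls-auth", "tls-crypt")  # inline blocks holding secrets


def audit_profile(path):
    """Return a list of findings for an OpenVPN client profile on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = [ln.strip() for ln in fh]
    directives = [ln for ln in lines if ln and ln[0] not in "#;"]
    findings = []
    # Without auth-user-pass the client never prompts: the file alone connects.
    if not any(d.split()[0] == "auth-user-pass" for d in directives):
        findings.append("autologin")
    embedded = [t for t in SECRET_BLOCKS if f"<{t}>" in directives]
    if embedded:
        findings.append("inline-secret:" + ",".join(embedded))
    # On POSIX systems, flag any group/other permission bit on the file.
    if os.name == "posix" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append("loose-permissions")
    return findings


def audit_text(text, mode=0o600):
    """Write profile text to a temporary file with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "client.ovpn")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)
        return audit_profile(path)


if __name__ == "__main__":
    print(audit_text(SAMPLE_AUTOLOGIN, 0o644))   # world-readable download
    print(audit_text(SAMPLE_USER_LOCKED, 0o600))
```

Call audit_profile("client.ovpn") on the downloaded file; an autologin profile with loose permissions should be restricted to its owner before it is imported.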
VPN Tunnel Verification
Once the connection is established, proceed to the verification.
With the Secure Internet Access option you can simply browse the Internet. With the Secure Remote Access option, use the environment hostnames to reach the hosts in the cloud LAN by their private IP addresses.
To do this, let’s ping two nodes from the local computer that belong to the required environments; in our case these are DevOps Lab - GitLab Server and Kubernetes Cluster v1.18.10.
The nodes’ hostnames were resolved into their respective private IP addresses, and the nodes responded to the ping commands via the VPN tunnel from the local user’s device.
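The same verification can be scripted. This added example (not from the original article) resolves environment hostnames and reports whether each one maps to a private address, which is what Secure Remote Access mode should produce. The hostnames and resolver answers are constructed, and it assumes the cloud LAN uses RFC 1918 address ranges.

```python
import ipaddress
import socket

# Assumption: the cloud LAN uses RFC 1918 address space.
LAN_RANGES = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def system_resolve(host):
    """Resolve a hostname to IPv4 addresses with the OS resolver ([] on failure)."""
    try:
        infos = socket.getaddrinfo(host, None, family=socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(addresses):
    """'private' if every answer is in the LAN ranges, else 'public' or 'unresolved'."""
    if not addresses:
        return "unresolved"
    ips = [ipaddress.ip_address(a) for a in addresses]
    in_lan = [any(ip in net for net in LAN_RANGES) for ip in ips]
    return "private" if all(in_lan) else "public"


def check_hosts(hosts, resolve=system_resolve):
    """Map each environment hostname to its resolution status."""
    return {h: classify(resolve(h)) for h in hosts}


# Constructed resolver answers standing in for three situations after connecting.
CONSTRUCTED_ANSWERS = {
    "node1-gitlab.example.invalid": ["10.101.3.12"],   # internal DNS via the tunnel
    "node2-k8s.example.invalid": ["203.0.113.40"],     # answered outside the LAN
    "node3-old.example.invalid": [],                   # no answer at all
}

if __name__ == "__main__":
    offline = check_hosts(CONSTRUCTED_ANSWERS, resolve=CONSTRUCTED_ANSWERS.get)
    for host, status in offline.items():
        print(f"{host}: {status}")
```

With the tunnel up, call check_hosts([...]) with your real environment hostnames and the default resolver. A "public" or "unresolved" result in Secure Remote Access mode means the lookup was not answered by the internal platform DNS.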
Change VPN Access Mode
Although the Access Mode is chosen during VPN server installation, you can change it at any time. Open the server Add-Ons tab.
Click the configuration button to Change Mode and pick the required one:
- Secure Internet Access
- Secure Remote Access
Here you can also Reset Password for the openvpn user account created by default.
OpenVPN Custom Domain SSL Certificate
If necessary, bind a custom domain to the Admin Web Server and issue a valid SSL certificate for it. To do this, create an A record at your domain registrar using the public IP address that has been provisioned for the VPN server node. Then click the Configure button in the Let’s Encrypt Free SSL add-on and replace the platform domain, for example myvpn-gw.vip.jelastic.cloud, with a custom one, for example vpn-gw.jele.website.
Right after successful certificate issuance, open the Admin Web Server UI using the new domain name: https://vpn-gw.jele.website.
Now you know how to easily install OpenVPN Access Server and get secure on the Internet with Jelastic PaaS.