OpenVPN Bastion Host with SmartOS on Joyent/SmartDataCenter

For my server deployment, everything runs on private VLANs that are inaccessible from the internet. Obviously though, we still need some way to reach the hosts for administration. For this purpose, I created a bastion host.

SDC/Joyent

If you're on the Joyent public cloud, you'll need to open a support request to enable IP spoofing on your private VLANs. Once that is enabled, your VPN client packets should start flowing to the VLANs, which you can confirm with snoop -I <your private vlan interface>

I do not have access to an SDC environment, but you'll need to twiddle whatever bits Joyent does in your own install. Let me know if you know or find out exactly what this entails, and I'll update this post.

Bastion Host

A bastion host is essentially a machine that mediates and arbitrates connections between your private VLAN(s) and the outside world.

OpenVPN

For our bastion host, we're going to use OpenVPN.

pkgin install openvpn

Once you have OpenVPN installed, you'll need a config file. There are many tutorials across the web that cover this well already, but here's my sample. Place your config in /opt/local/etc/openvpn/openvpn.conf and enable the openvpn service with svcadm enable openvpn. If the service fails to start, check the service log for the cause (a missing log directory is a common one). You can find it at /var/svc/log/pkgsrc-openvpn:default.log.

IP Forwarding

You'll need to enable IP Forwarding on your bastion host. This is really simple.

routeadm -e ipv4-forwarding && routeadm -u

Packet Rewriting

If you take a look at the packets using snoop, you'll notice that the source IP is your VPN client's address, which the hosts on the private VLAN have no route back to. The other hosts on the network (that you're presumably trying to access) have no idea how to respond, so they just don't. For us to actually communicate with the private VLAN hosts, we'll need to rewrite our packets' source address to be that of the bastion host, which will then forward the replies back to us. Luckily SmartOS makes this a piece of cake.

To rewrite the packets (basically NAT), we'll need to create /etc/ipf/ipnat.conf

map * from 10.100.10.0/24 to any -> 0.0.0.0/32

This tells SmartOS to rewrite any packets from our VPN clients so they appear to come from the bastion host, and to forward the replies back to the mapped VPN client. You can get more specific here if your security or configuration requires it; this is just a basic rule.

Once you have that file created, enable the IP filtering service so the NAT rule takes effect:

svcadm enable network/ipfilter
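The failure mode described above (VLAN hosts ignoring packets that still carry the VPN client's source address) also happens when the ipnat map rule does not cover the OpenVPN client pool. The following preflight check, an added example rather than anything from the original post, parses the two config files and confirms the pool from OpenVPN's server directive is inside some map rule's source network; the config contents and the network names are constructed for the example.

```python
import ipaddress
import re

# Constructed sample inputs; on the bastion host the real files are
# /opt/local/etc/openvpn/openvpn.conf and /etc/ipf/ipnat.conf.
OPENVPN_CONF = """\
port 1194
proto udp
dev tun
server 10.100.10.0 255.255.255.0
"""

IPNAT_CONF = """\
# rewrite VPN client traffic to the bastion's own address
map * from 10.100.10.0/24 to any -> 0.0.0.0/32
"""

# ipnat accepts both "map if from A to B -> T" and the shorter "map if A -> T".
MAP_RE = re.compile(
    r"^\s*map\s+(\S+)\s+(?:from\s+)?(\S+)(?:\s+to\s+\S+)?\s*->\s*(\S+)"
)


def vpn_client_network(openvpn_conf: str):
    """Return the client pool from OpenVPN's 'server <net> <mask>' directive."""
    for line in openvpn_conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "server":
            return ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
    return None


def nat_source_networks(ipnat_conf: str):
    """Return the source network of every 'map' rule (comments are skipped)."""
    nets = []
    for line in ipnat_conf.splitlines():
        m = MAP_RE.match(line)
        if m:
            nets.append(ipaddress.ip_network(m.group(2), strict=False))
    return nets


def nat_covers_vpn(openvpn_conf: str, ipnat_conf: str) -> bool:
    """True if some map rule rewrites the whole VPN client pool.

    Any client address outside every map rule reaches the private VLAN
    unrewritten, and the VLAN hosts never answer it."""
    pool = vpn_client_network(openvpn_conf)
    if pool is None:
        return False
    return any(pool.subnet_of(net) for net in nat_source_networks(ipnat_conf))
```

Run it against the real files after editing either config; a False result means the client pool and the NAT rule have drifted apart.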

Clients

The client config is pretty standard OpenVPN stuff. There's nothing SmartOS specific here. Here's what I'm using.