In Brocade Vyatta version VSE6.7R6, Brocade introduced a new feature called SSL VPN Client Bundler. This SSL VPN feature is based on OpenVPN.
Brocade SSL-VPN Client Bundler enables the Vyatta system to generate image bundles that facilitate the setup of SSL-VPN client connections. Bundles include the up-to-date SSL-VPN client configuration that is required to connect to the server, including the required Transport Layer Security (TLS) certificate authority (CA) certificate that is used by the server.
The bundle can be found in the folder:
- For Windows: /config/auth/vpn/ssl-vpn/client-bundle/vtunX/windows
- For Linux: /config/auth/vpn/ssl-vpn/client-bundle/vtunX/linux
Note: vtunX is the name of the OpenVPN tunnel interface.
Today, I will show you how to make use of this feature on a SoftLayer Vyatta gateway step by step.
Create the certificate for the SSL VPN using your CA and upload the CA certificate, DH file, SSL VPN certificate and private key to /config/auth/:
vyatta@vyatta01:/config/auth$ ls -al
drwxrwsr-x 1 root vyattacfg 4096 May 26 11:47 .
drwxrwsr-x 1 root vyattacfg 4096 May 12 07:57 ..
-rw-r--r-- 1 vyatta vyattacfg 1216 May 26 11:06 ca.crt
-rw-r--r-- 1 vyatta vyattacfg 245 May 26 11:07 dh1024.pem
-rw-r--r-- 1 vyatta vyattacfg 3885 May 26 11:46 sslvpn.crt
-rw-r--r-- 1 vyatta vyattacfg 891 May 26 11:46 sslvpn.key
Step 1 (optional): Enable the Service-User Web Portal
The Service-User Web Portal allows end users to obtain the SSL-VPN client bundles by themselves. The portal is available by default from the following public-interface address of the Vyatta system:
You can enable the Service-User Web Portal with the CLI command below:
vyatta@vyatta01# set services https service-user
Of course, you can distribute the bundle to your end users yourself if you prefer. In that case, you don’t need to enable the Service-User Web Portal.
Step 2: Generate the Client Bundle.
In our configuration example, we use the following parameters for the VPN configuration:
Transport protocol: TCP
Transport port: 8443
SSL VPN Client IP: 172.16.10.0/24
We create the client bundle for Windows and Linux systems plus a generic one (the generic option only creates an OVPN file for you; you have to obtain the client yourself).
set interfaces openvpn vtun10 client-bundle 'generic'
set interfaces openvpn vtun10 client-bundle 'linux'
set interfaces openvpn vtun10 client-bundle 'windows'
set interfaces openvpn vtun10 'client-cert-not-required'
set interfaces openvpn vtun10 description 'SSLVPN-test'
set interfaces openvpn vtun10 encryption 'aes128'
set interfaces openvpn vtun10 hash 'sha256'
set interfaces openvpn vtun10 local-host 'x.x.x.x'
set interfaces openvpn vtun10 local-port '8443'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 protocol 'tcp-passive'
set interfaces openvpn vtun10 server subnet '172.16.10.0/24'
set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/ca.crt'
set interfaces openvpn vtun10 tls cert-file '/config/auth/sslvpn.crt'
set interfaces openvpn vtun10 tls dh-file '/config/auth/dh1024.pem'
set interfaces openvpn vtun10 tls key-file '/config/auth/sslvpn.key'
Note: The client-cert-not-required variable must be set to allow SSL-VPN clients to connect using username and password without a TLS client certificate that is specific to an end user. Even if client certificates were created, they are not included in any SSL-VPN client bundles.
Step 3: Define SSL VPN users
Here I define a user called jojo:
set resources service-users local user jojo auth plaintext-password xxxxxx
Step 4: Associate the user with the OpenVPN interface
set interfaces openvpn vtun10 auth local user 'jojo'
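To see what the OVPN file from the generic bundle has to express for the vtun10 server configured above, here is an added Python example (not Vyatta's own code) that parses the set commands from this post and renders the matching OpenVPN client profile. The Vyatta-keyword-to-OpenVPN-directive mapping and the placeholder CA certificate are assumptions; compare the result with the .ovpn your own bundle produces.

```python
import shlex

# Vyatta keyword -> OpenVPN directive (assumed mapping; compare with the .ovpn in your own bundle)
CIPHERS = {"aes128": "AES-128-CBC", "aes256": "AES-256-CBC"}
HASHES = {"sha1": "SHA1", "sha256": "SHA256", "sha512": "SHA512"}
PROTOS = {"tcp-passive": "tcp-client", "udp": "udp"}
# The server commands from this post, straight-quoted, used here as sample input.
SAMPLE_CONFIG = """
set interfaces openvpn vtun10 client-bundle 'generic'
set interfaces openvpn vtun10 'client-cert-not-required'
set interfaces openvpn vtun10 encryption 'aes128'
set interfaces openvpn vtun10 hash 'sha256'
set interfaces openvpn vtun10 local-host 'x.x.x.x'
set interfaces openvpn vtun10 local-port '8443'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 protocol 'tcp-passive'
set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/ca.crt'
""".strip().splitlines()
# Constructed placeholder; a real bundle embeds the contents of /config/auth/ca.crt here.
FAKE_CA_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----"

def parse_vyatta(lines):
    """Map 'set interfaces openvpn vtunX <path> [value]' lines to {path: [values]}."""
    cfg = {}
    for line in lines:
        toks = shlex.split(line.replace("\u2018", "'").replace("\u2019", "'"))
        if toks[:3] != ["set", "interfaces", "openvpn"] or len(toks) < 5:
            continue
        rest = toks[4:]                      # toks[3] is the vtunX interface name
        if len(rest) == 1:                   # bare keyword, e.g. client-cert-not-required
            cfg.setdefault(rest[0], [])
        else:                                # repeated keys (client-bundle) collect values
            cfg.setdefault(" ".join(rest[:-1]), []).append(rest[-1])
    return cfg

def client_profile(cfg, ca_pem):
    """Render the OpenVPN client profile that matches the parsed server config."""
    if cfg.get("mode") != ["server"]:
        raise ValueError("expected an OpenVPN interface in server mode")
    lines = ["client", "dev tun", "nobind", "persist-key", "persist-tun",
             f"proto {PROTOS[cfg['protocol'][0]]}",
             f"remote {cfg['local-host'][0]} {cfg['local-port'][0]}",
             f"cipher {CIPHERS[cfg['encryption'][0]]}", f"auth {HASHES[cfg['hash'][0]]}"]
    if "client-cert-not-required" in cfg:
        lines.append("auth-user-pass")        # username/password login, no per-user cert
    else:
        lines += ["cert client.crt", "key client.key"]  # per-user TLS cert would be needed
    lines += ["<ca>", ca_pem.strip(), "</ca>"]  # CA that signed sslvpn.crt, inline
    return "\n".join(lines) + "\n"
```

Running client_profile(parse_vyatta(SAMPLE_CONFIG), FAKE_CA_PEM) yields a profile with auth-user-pass and no client cert, which is exactly why the client-cert-not-required option in the note above is mandatory for bundle-based logins.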
Now you can get your SSL VPN bundle and use the SSL VPN.
Go to the Service-User Web Portal (https://vyattaip/service) and log in with your username and password.
Download your bundle: here, click Windows in the Download tab.
After the download is completed, accept the security warning and run the app.
Install the SSL VPN client (Next, then Next).
After the client installation is finished, open the SSL VPN client and type in your username/password.
After you click OK, you will be connected to the SSL VPN in a few seconds, as shown below.
If you see any issue, check the SSL VPN log of your SSL connection.