Multi-Path Room - Connect to a VyOS Router
This article explains how to connect a private network that is managed by 'VyOS Router', a network operating system (OS), to a Tehama Multi-Path Room.
Overview
What is a Tehama Multi-Path Room?
A Multi-Path Room is a short way of referring to a Tehama Room that has network access type "Multi-Path". This network access type is capable of securely connecting to networks through IPSec. Multi-Path Rooms support many such connections.
See the Multi-Path Room Connectivity User Guide for more details about Multi-Path Rooms.
Currently, only Standard Rooms support the "Multi-Path" network access type. Domain Join Rooms do not, as yet, support it.
Find out what your Room's network access type is from the Room's connection page. See section View a Room's network access setting in the Room/Desktop Connectivity - Types, Status and Settings guide for details.
What is VyOS Router?
'VyOS Router' is an open source network OS that runs on a variety of hardware and cloud-based systems. VyOS is a community fork of the discontinued Vyatta Core project. It provides an interface through which the network it controls can communicate with other networks. See the VyOS Router product page, https://vyos.io/products/#vyos-router, for more information.
Assumptions
- You have a Tehama organization and are an Admin or Org Manager user in that organization.
- You provide access to your private network, which contains your company resources, data, etc., through VyOS Router, and you want to access these assets securely from a Tehama Room.
The process to connect a private network that is managed by 'VyOS Router' is divided into three parts:
- Create a Tehama Multi-Path Room (optional - you can also make a connection to an existing Multi-Path Room.)
- Add and Configure a New Connection
- Check the Status of the Connection
Create a Tehama Multi-Path Room
If you want to connect your private network to one of your existing Tehama Multi-Path Rooms, simply note the Room's name and skip to the next step.
Either:
- Create a new Tehama Multi-Path Room by following the steps found in the Getting Started with Tehama Room Creation guide, under section 'Create and connect a Standard Room', selecting 'Multi-Path' as the Room's Network Access type.
or
- Convert one of your existing Rooms with 'Tehama Gateway' or 'Internet-Only' network access to use 'Multi-Path' network access, by following the steps found in the Room/Desktop Connectivity - Types, Status and Settings guide, under section 'Change a Room's Network Access setting'.
Take note of your Multi-Path Room's name, for use in the creation of your connection.
Information gathered in this step:
- The name of your Multi-Path Room.
Add and Configure a New Connection
Add and configure a connection to your private network, through VyOS, from your Tehama Multi-Path Room as follows:
First, gather some information about your private network:
- A) Find Your Private Network Info
Next, add a connection between your Multi-Path Room and your VyOS Router:
- B) Tehama - Create a New Connection in Your Multi-Path Room
- C) VyOS - Create and Configure a New Connection in Your VyOS Router
Finally, update your Multi-Path Room's firewall rules (and optionally its DNS Filtering) to allow access to resources in your private network from your Room's Tehama Desktops:
- D) Update Firewall Rules/DNS Filtering
Let's get started with step A.
A) Find Your Private Network Info
This step uses the command line interface (CLI) of your VyOS router to look up the information needed to connect your private network to your Multi-Path Room: the network's subnet and its public IP address. You will need to know how to access your router's CLI. (Ask your IT department for assistance, if necessary.)
Required information for this step:
- Your VyOS Router login info.
- Log in to your VyOS router, via the CLI, in Operational Mode.
See VyOS documentation on how to use its CLI at https://docs.vyos.io/. Be sure you are looking at the documentation for the version of VyOS you are using.
- Run the following command to get your private network's subnet value:
show ip route
- Run the following command to get your private network's public IP address (the VyOS router's external IP):
show ip interface
Information gathered/confirmed in this step:
- Your private network's subnet.
- Your private network's public IP address (the VyOS router's external IP).
B) Create a New Connection in Your Multi-Path Room
In this step, we create a new connection in your Multi-Path Room. This generates the pre-shared key for the connection. This key is needed for the next step, in the VyOS interface.
Required information for this step:
- Your Tehama corporate portal login info.
- Your Multi-Path Room's name.
- Your private network's subnet, from step A.
- Your private network's public IP address, from step A.
- A meaningful name for your new connection.
- A description for your new connection.
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Multi-Path Room you want to connect to your VyOS Router. You will see the page for the Room.
- Click on the Room's CONNECTION tab, if you are not already on this tab.
- Click the ADD CONNECTION button. You will see the form for creating a new connection.
- In the new connection form:
- Name - enter a meaningful name for your new connection.
- Description (optional) - enter a description for your new connection.
- Target Subnet - enter your private network's subnet value, from step A. The form allows you to enter more than one target subnet. Click on + Add more to bring up additional target subnet fields.
- Public IP Address - enter your private network's public IP address (the VyOS router's external IP), from step A.
- Copy the Pre-shared key value.
- Copy the Room IP value.
- Copy the Room subnet value.
- Click CONNECT.
If you forget to copy the values before initiating the connection, you can get to them from the CONNECTION page for the Room:
- Click on the name of your connection in the Connections table. You will see the information page for the connection.
- Click the EDIT button. You will see the edit page for the connection.
- Copy the values.
Information gathered in this step:
- Your Multi-Path Room's new connection's pre-shared key.
- Your Multi-Path Room's Room IP.
- Your Multi-Path Room's Room subnet.
- The name of your new connection in your Multi-Path Room.
C) Create and Configure a New Connection in Your VyOS Router
In this step, you will create and configure a new VPN connection, using IPSec, in your VyOS Router to your Multi-Path Room.
Required information for this step:
- Your Multi-Path Room's Room subnet, from step B.
- Your Multi-Path Room's Room IP value, from step B.
- Your Multi-Path Room's new connection's Pre-shared key, from step B.
- Your private network's subnet, from step A.
- Your private network's public IP address (the VyOS router's external IP), from step A.
- Meaningful names for the VyOS site-to-site VPN configuration elements. (See legend below.)
- Log in to your VyOS router, via the Command Line Interface, in Configuration Mode.
See VyOS documentation on how to use its command line interface at https://docs.vyos.io/. Be sure you are looking at the documentation for the version of VyOS you are using.
- Create a site-to-site VPN connection, using IPSec, between your private network and your Multi-Path Room.
See VyOS VPN documentation for Site-to-Site and IPSec for a review of the necessary commands. Here are some relevant links from the latest stable version of VyOS:
Set up your new site-to-site VPN to have the following configuration:
vpn {
    ipsec {
        esp-group tehama-esp {
            compression disable
            lifetime 10800
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha256
            }
        }
        ike-group tehama-ike {
            close-action none
            ikev2-reauth no
            key-exchange ikev2
            lifetime 36000
            proposal 1 {
                dh-group 14
                encryption aes256
                hash sha256
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        site-to-site {
            peer BBBBBB {
                authentication {
                    id EEEEEE
                    mode pre-shared-secret
                    pre-shared-secret CCCCCC
                    remote-id BBBBBB
                }
                connection-type initiate
                ike-group tehama-ike
                ikev2-reauth inherit
                local-address 172.31.35.115
                tunnel 0 {
                    allow-nat-networks disable
                    allow-public-networks enable
                    esp-group tehama-esp
                    local {
                        prefix DDDDDD
                    }
                    remote {
                        prefix AAAAAA
                    }
                }
            }
        }
    }
}
Legend:
- AAAAAA: Your Multi-Path Room's Room subnet.
- BBBBBB: Your Multi-Path Room's Room IP value.
- CCCCCC: Your Multi-Path Room's new connection's Pre-shared key.
- DDDDDD: Your private network's subnet.
- EEEEEE: Your private network's public IP address (the VyOS router's external IP).
- tehama-esp: An arbitrary name for the esp-group.
- tehama-ike: An arbitrary name for the ike-group.
- eth0 and 172.31.35.115: In this sample, the interface on which IPSec runs and the address configured on that interface (the value for local-address). Substitute your own router's interface and its configured address; local-address must be an address that is actually assigned to the router, which is why it can differ from the public IP in EEEEEE when the router sits behind NAT.
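As an added example (not part of this guide, and not Tehama's or the VyOS project's own tooling), the following POSIX shell script renders the configuration above as the VyOS set commands you would enter in Configuration Mode, substituting the legend values and printing nothing at all when a value is malformed. The function and variable names, the validation rules and the sample values in the usage line are assumptions made for this example; the set-command paths are exactly the tree paths of the listing above, and the router's own interface address is passed in as the sixth argument because the listing's local-address is a literal that you must replace.

```shell
#!/bin/sh
# Added example (not Tehama's or the VyOS project's own code).
# Renders the VyOS "set" commands for the site-to-site tunnel shown on this
# page from the legend values. A prefix or address with the wrong shape is
# rejected up front instead of being discovered as a tunnel that never comes up.
# Assumptions: function/variable names, validation rules and the sample values
# below are made up for this example; the set paths mirror the page's listing.

# is_ipv4 ADDR: succeed if ADDR is a dotted quad with every octet in 0..255
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# is_cidr PREFIX: succeed if PREFIX is "a.b.c.d/len" with len in 0..32
is_cidr() {
    case $1 in
        */*) ;;
        *) return 1 ;;
    esac
    is_ipv4 "${1%/*}" || return 1
    printf '%s\n' "${1##*/}" | grep -Eq '^([0-9]|[12][0-9]|3[0-2])$'
}

# vyos_ipsec_set_cmds ROOM_SUBNET ROOM_IP PSK PRIVATE_SUBNET PUBLIC_IP LOCAL_ADDR
# The first five arguments are the legend's AAAAAA BBBBBB CCCCCC DDDDDD EEEEEE;
# LOCAL_ADDR is the address configured on the router's IPSec interface.
# Prints one "set" command per line, or prints nothing and returns 1.
vyos_ipsec_set_cmds() {
    room_subnet=$1 room_ip=$2 psk=$3 private_subnet=$4 public_ip=$5 local_addr=$6
    is_cidr "$room_subnet"    || { echo "Room subnet is not a.b.c.d/len: $room_subnet" >&2; return 1; }
    is_ipv4 "$room_ip"        || { echo "Room IP is not an IPv4 address: $room_ip" >&2; return 1; }
    case $psk in
        ''|*[[:space:]]*) echo "pre-shared key must be non-empty with no whitespace" >&2; return 1 ;;
    esac
    is_cidr "$private_subnet" || { echo "private subnet is not a.b.c.d/len: $private_subnet" >&2; return 1; }
    is_ipv4 "$public_ip"      || { echo "public IP is not an IPv4 address: $public_ip" >&2; return 1; }
    is_ipv4 "$local_addr"     || { echo "local address is not an IPv4 address: $local_addr" >&2; return 1; }

    esp=tehama-esp ike=tehama-ike                    # arbitrary group names, as in the legend
    peer="set vpn ipsec site-to-site peer $room_ip"  # the Room IP names the peer
    cat <<EOF
set vpn ipsec esp-group $esp compression disable
set vpn ipsec esp-group $esp lifetime 10800
set vpn ipsec esp-group $esp mode tunnel
set vpn ipsec esp-group $esp pfs enable
set vpn ipsec esp-group $esp proposal 1 encryption aes256
set vpn ipsec esp-group $esp proposal 1 hash sha256
set vpn ipsec ike-group $ike close-action none
set vpn ipsec ike-group $ike ikev2-reauth no
set vpn ipsec ike-group $ike key-exchange ikev2
set vpn ipsec ike-group $ike lifetime 36000
set vpn ipsec ike-group $ike proposal 1 dh-group 14
set vpn ipsec ike-group $ike proposal 1 encryption aes256
set vpn ipsec ike-group $ike proposal 1 hash sha256
set vpn ipsec ipsec-interfaces interface eth0
$peer authentication id $public_ip
$peer authentication mode pre-shared-secret
$peer authentication pre-shared-secret $psk
$peer authentication remote-id $room_ip
$peer connection-type initiate
$peer ike-group $ike
$peer ikev2-reauth inherit
$peer local-address $local_addr
$peer tunnel 0 allow-nat-networks disable
$peer tunnel 0 allow-public-networks enable
$peer tunnel 0 esp-group $esp
$peer tunnel 0 local prefix $private_subnet
$peer tunnel 0 remote prefix $room_subnet
EOF
}

# Usage with constructed sample values (documentation ranges, not real peers):
#   sh gen-tehama-vpn.sh 10.100.0.0/24 203.0.113.10 example-psk 192.168.50.0/24 198.51.100.7 172.31.35.115
if [ "$#" -eq 6 ]; then
    vyos_ipsec_set_cmds "$@"
fi
```

Paste the output into Configuration Mode on the router and follow it with commit and save. Validating the prefixes and addresses before they reach the router catches the transposition and copy-paste errors that otherwise only show up as a peer stuck in negotiation; the pre-shared key is still only as well protected as the channel you paste it over, so treat the generated command list as a secret.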
Information gathered/confirmed in this step:
- N/A.
D) Update Firewall Rules/DNS Filtering
This final step updates your Multi-Path Room's firewall rules to allow access to resources in your private network from your Room's Tehama Desktops.
If you wish to completely open access to everything in your private network, add custom firewall rules to your Multi-Path Room allowing access to the entire subnet for your private network. Otherwise, add more granular rules.
See instructions on how to add firewall rules in section Add Custom Firewall Rule in the Firewall Rules User Guide.
You can optionally add an extra layer of access control on top of firewall rules through the Room's DNS Filtering feature. See the DNS Filtering guide for more details.
Check the Status of the Connection
Check the Status of the VyOS VPN connection you configured between your private network and your Multi-Path Room.
- Check connection status in the Tehama Web UI
- Troubleshoot the connection status in the VyOS Router CLI
Check connection status in Tehama
Required information:
- Your Tehama corporate portal login info.
- Your Multi-Path Room's name.
- The name of your new connection in your Multi-Path Room, from step B.
- Your private network's public IP address (the VyOS Router's external IP) from step A.
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Multi-Path Room you connected to your VyOS Router. You will see the page for the Room.
- Click on the Room's CONNECTION tab, if you are not already on this tab.
- Find the connection in the connections table (identify it by name, from step B, or by your private network's public IP address, from step A).
- Verify that the connection status is green.
Troubleshoot connection status in the VyOS Router CLI
If the status in the Tehama Web UI is not green, you can view the router's logs for the connection through the VyOS Router CLI:
Required information for this step:
- Your VyOS Router login info.
- Your Multi-Path Room's Room IP value, from step B.
- Log in to your VyOS router, via the CLI, in Operational Mode.
See VyOS documentation on how to use its CLI at https://docs.vyos.io/. Be sure you are looking at the documentation for the version of VyOS you are using.
- To see the logs, run the following while the remote is initiating:
sudo swanctl --log
- To trigger a new connection attempt, run:
reset vpn ipsec-peer ##.##.##.##
where ##.##.##.## is your Multi-Path Room's Room IP, from step B.