Route Kubernetes outgoing traffic through OpenVPN server - node.js

I connect to Atlas and use the Access Control List to prevent unwanted connections. I have successfully implemented a VPN server with the OpenVPN image, but I don't know how I can route my Kubernetes outgoing traffic through my OpenVPN server.
Is there any setup I need on the cluster, Docker or application side (Node.js)?

Related

Configure SSL on NGINX reverse proxy on GCP VM

I have a GCP VM instance running a NodeJS server and it has an Nginx reverse proxy configured that allows me to connect to the NodeJS server over HTTP. The server is also accessible through a domain name (the domain was purchased from Google Domains and I did not explicitly buy an SSL certificate).
I want to configure HTTPS on this VM instance.
I tried to use certbot and follow the instructions here: https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx
but I still cannot connect to my NodeJS server over HTTPS.
Please note: HTTP traffic works fine when connecting through the IP and the domain name.
Fixed this.
Turns out that the firewall was blocking connections to port 443.
For readers:
On a GCP VM, make sure firewalls are configured correctly in 3 places:
The GCP Networking Firewall should be configured to allow HTTP/HTTPS/SSH/etc.
Your VM should be set with the proper GCP Firewall tags so that your GCP Firewall configuration is applied to your VM.
Your OS firewall should be configured to allow the traffic you want.

How can I add support for IPv6 to an Azure Application Gateway, knowing that it does not support it?

I am not a system administrator or network administrator, thus I am having a hard time trying to figure out a workaround to support IPv6 on an Azure Service Fabric Cluster without using the Load Balancer.
From here: IPv6 support for Azure other than the load balancer thing
I have checked that IPv6 is only supported by that LB appliance, but the entry point of my current cluster is an application gateway.
Is there a recommended workaround for adding IPv6 support when using an Azure App Gateway?
There is no nice way to do that, only workarounds.
Anyway, you can do the following:
instantiate an Azure back-end server,
configure this server to establish an IPv6-over-IPv4 tunnel to an IPv6 public tunnel broker,
install a reverse proxy on your back-end server, listening on an IP address chosen inside the IPv6 prefix offered by your tunnel broker,
configure this reverse proxy to translate the accepted IPv6 HTTPS connections into outgoing HTTP or HTTPS IPv4 requests to your Azure app gateway (the connection stays inside the Azure network, so you may accept not to encrypt it, using HTTP instead of HTTPS).
But this will not be very efficient because:
1- it is your back-end server that will terminate and decrypt the SSL connections;
2- IPv6 packets from/to your servers in Azure will go through your tunnel broker and Azure; you will not have direct connections between the clients and Azure.
To find a free IPv6 tunnel broker, see for instance Hurricane Electric.
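The reverse-proxy step of the workaround above, written out as an nginx configuration. This is an added example, not part of the original answer: the IPv6 listen address, the IPv4 address of the application gateway front end, the hostname and the certificate paths are all constructed placeholders that you would replace with the values from your tunnel broker and your Azure deployment.

```nginx
# Added example (not the original answer's configuration). Placeholders:
#   2001:db8:1234::10   - constructed address inside the tunnel broker's IPv6 prefix
#   203.0.113.10        - constructed IPv4 address of the Application Gateway front end
#   www.example.com     - placeholder public hostname served to IPv6 clients
#   appgw.example.com   - placeholder hostname the gateway expects in Host / SNI
upstream appgw_v4 {
    # An IPv4 literal guarantees the upstream hop goes out over IPv4,
    # not back through the IPv6 tunnel.
    server 203.0.113.10:443;
}

server {
    # Accept only on the tunnel-broker IPv6 address; TLS is terminated here,
    # which is the "back-end server decrypts SSL" caveat from the answer.
    listen [2001:db8:1234::10]:443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/ssl/certs/www.example.com.pem;
    ssl_certificate_key /etc/ssl/private/www.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Re-encrypt towards the gateway. Use http://appgw_v4 (and port 80 in the
        # upstream) if you accept the unencrypted IPv4 hop the answer mentions.
        proxy_pass https://appgw_v4;

        # Send the gateway the hostname it is configured for, both as HTTP Host
        # and as TLS SNI, and verify its certificate against the system CA bundle.
        proxy_set_header Host appgw.example.com;
        proxy_ssl_server_name on;
        proxy_ssl_name appgw.example.com;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # Preserve the original IPv6 client address for logging and
        # access decisions behind the gateway; it is otherwise lost here.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Without the `proxy_ssl_name` / `proxy_ssl_verify` lines the proxy would still work, but it would accept any certificate on the IPv4 hop; keeping them means a hijacked route inside the tunnel path cannot silently impersonate the gateway. The `X-Forwarded-For` header is the only place the client's real IPv6 address survives, so any IP-based rules behind the gateway must read it from there.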

Prevent client from using internet via my RRAS VPN

I have a Windows Server 2016 running in Azure with RRAS VPN + NAT.
I use this RRAS VPN to be able to RDP to my other VMs in the virtual network.
However, when I connect my client (Windows 10) computer to the RRAS VPN, my internet stops working on the client (because internet access is blocked on the RRAS VM).
How can I prevent the client from trying to use the internet that my RRAS VPN VM provides? I tried disabling the use-default-gateway checkbox, but then I can no longer connect to my other VMs in the virtual network.
Thanks!
According to this link, it seems that when you disable the "use default gateway" checkbox, the default routes are not added to your machine. Specifically:
If "Use default gateway on remote network" is turned on, the VPN client, on successful VPN tunnel connection, adds the default route on the VPN interface with the highest precedence. This way all the IP packets (except those destined to the local subnet) go to the VPN server. If this parameter is turned off, the default route is not added on the VPN tunnel. This scenario will require the user to add a network-specific route on the VPN interface in order to reach the corpnet resources.
So, you are left with editing your routes manually to ensure that they work. You can do this pretty easily in Windows by working with the route table. The following article gives the basics of how to set this.
Essentially you will want to run something like this:
route ADD <azure network> MASK <azure mask> <azure gw ip>
After you have done this, you should be able to use the internet (via your local configuration) and access your Azure servers (via the route you created above).

Simulate VPN connection in docker

I want to simulate VPN traffic on my machine. I've set up a VPN server which runs inside a Docker image. I can successfully log in. The problem is that the Docker image is running on my machine on Docker's default bridge, docker0.
There is no change whether I connect to the machine using the VPN or not. It is still reachable due to the bridge. I'm wondering if the machine should be on a different (simulated) LAN. Is there some solution for how to simulate a VPN connection in Docker?
The client needs to be on a different subnet from that of docker0, otherwise you will always connect directly.
Think about the basics of setting up a VPN tunnel: you run a VPN so that you can connect two endpoints and make it so that those two endpoints on the same subnet can talk to each other across a public net.
When both your client and your VPN server are running on the same subnet then, well, there's no need to set up a VPN!
Hope it helps.

Connecting Site-to-Site VPN on Azure via RRAS Help - Connected, but only 1 way ping

Need some expert advice.
I've set up a Site-to-Site VPN connection between Azure and my on-premises setup by following the guides below.
The Routing and Remote Access Server (RRAS) runs on top of a Windows Server 2012 VM.
A FW sits in front of the Internet, and routes all the traffic of a given public IP address to this RRAS server.
The RRAS server has a ROUTE ADD setting added to direct 10.100.0.0/17 traffic to itself as the GW.
A secondary VM maps this RRAS server as the GW.
All connections worked, and the RRAS dial-up is connected fine.
Now, my VM HyperV-Local1 is able to ping 10.100.0.4, same for my RRAS server.
But my VM-1 on Azure is unable to ping/access back to my on-premises servers.
View RRAS Setup Guide 1,
View RRAS Setup Guide 2
OK, fixed the issue.
The problem was that I should not have added the route add for 10.100.0.0/17 to my RRAS server. The RRAS connection will insert that route by itself, because there are 2 interfaces on the machine: (1) Ethernet, (2) the RRAS dial-up. By manually inserting that route, it diverted traffic to the wrong interface.
Remember to check and enable ICMPv4 on the Windows Firewall on both sides (RRAS VM and Azure VM)!
Other servers do not have to set their GW to the RRAS server; adding a Route Add for 10.100.0.0/17 pointing to your RRAS server will do.
Some info on my setup environment:
My on-premises firewall has a public IP mapped to my internal VM (RRAS server).
Followed the guide on a new Windows Server 2012 setup without Remote Access installed.
Ran the Azure PowerShell script as per the guide for VPN connection setup.