ID #1099

How do I change the OpenVPN port used to access the cloud?

By default, Cluster Extension (hybrid) cloudbursting uses UDP port 1194 for the OpenVPN tunnel between the head node and the cloud.

The port and protocol can be changed with an AdvancedConfig directive in cmd.conf. The cmd.conf file and its standard directives are described in Appendix C of the administrator manual.

 

An aside about the AdvancedConfig directive:

 

AdvancedConfig values are not part of the standard directives and are not normally documented for use by the Bright Cluster Manager administrator. New AdvancedConfig values are added by appending them to any existing AdvancedConfig key/value pairs, i.e. there can be only one AdvancedConfig line in /cm/local/apps/cmd/etc/cmd.conf, and that one line holds a comma-separated list of values covering a variety of configurations.

 

 

For the VPN, the keys that can be set are the port and the protocol. For example, for port 443 over TCP, the AdvancedConfig line added to cmd.conf could look like this:

 

AdvancedConfig = {"CloudVpnPorts=443", "CloudVpnProtocol=tcp"}

 

 

The CloudVpnPorts key can be multivalued, for example "CloudVpnPorts=443,444,445". In that case the head node uses only the first port in the list, while the cloud nodes pick a random port from the list, which works around some OpenVPN scalability issues in the cloud. The default value is "1194,1195,1196,1197".

 

After setting these values, the cloud node and cloud director instances must be terminated. Powering them off is not enough: they really must be terminated.

To terminate an instance, the terminate command is used in the cloudsettings submode of the node object in cmsh. Example:

 

cloud-sles:/home # cmsh
[cloud-sles]%
[cloud-sles]% device cloudsettings us-east-1-director
[cloud-sles->device[us-east-1-director]->cloudsettings]% terminate



CMDaemon must then be restarted on the head node so that it reloads cmd.conf.

Cloud instances started from now on will use the new port and protocol.

To verify that the changes are present on the cloud director, the nextinstallmode property of the cloud director node object can be set to "main". This makes the cloud director halt in the node-installer phase the next time it starts. The following file on the cloud director:


/etc/openvpn/vpn.0.conf

 

can then be inspected via ssh from the head node. This is the configuration file for OpenVPN on the cloud director's end of the tunnel. If all is good, the cloud director can be given a power reset.

 

The ports and the protocol used by OpenVPN on the head node can be found in the

 

/etc/openvpn/client-tunX.conf

 

files on the head node. There is one file for each Amazon region defined by the administrator, and the file is created or updated after the cloud director for that region is started.

An example line in such a file might be:
   remote 54.237.150.12 443 tcp
which means:
   remote <cloud-director-ip> <remote-port> <protocol>

 

The port and protocol here correspond to the AdvancedConfig values "CloudVpnPorts=443" and "CloudVpnProtocol=tcp".

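The edit-then-verify procedure above, as an added example that is not part of this entry or of Bright's own tooling: a POSIX shell script that merges CloudVpnPorts and CloudVpnProtocol into the single AdvancedConfig line of a cmd.conf (creating the line if it is absent, replacing the key if it is already present, leaving other keys untouched, and keeping comma-separated port lists intact inside their quotes), and then checks that the remote line of a client-tunX.conf on the head node uses the first listed port and the configured protocol. It runs entirely on constructed copies of the two files in a temporary directory; the placeholder key SomeOtherKey, the sample cloud director IP and the temporary paths are assumptions for the demo, and the fallback defaults ("1194,1195,1196,1197" and udp) are the ones this entry states.

```shell
#!/bin/sh
# Added example, not Bright Cluster Manager code. Edits a COPY of cmd.conf and
# checks it against a COPY of an OpenVPN client config; all inputs constructed.
set -eu

# set_advanced_config FILE KEY VALUE
# Rewrites the one AdvancedConfig line: replaces "KEY=..." if present, appends
# "KEY=VALUE" otherwise, and creates the line if FILE has none at all.
# Values are taken as quoted strings, so "CloudVpnPorts=443,444" survives.
set_advanced_config() {
  file=$1 key=$2 value=$3
  tmp=$(mktemp)
  awk -v key="$key" -v value="$value" '
    /^[[:space:]]*AdvancedConfig[[:space:]]*=/ && !done {
      s = $0; out = ""; found = 0
      while (match(s, /"[^"]*"/)) {          # walk the quoted entries in order
        p = substr(s, RSTART + 1, RLENGTH - 2)
        s = substr(s, RSTART + RLENGTH)
        if (index(p, key "=") == 1) { p = key "=" value; found = 1 }
        out = out (out == "" ? "" : ", ") "\"" p "\""
      }
      if (!found) out = out (out == "" ? "" : ", ") "\"" key "=" value "\""
      print "AdvancedConfig = { " out " }"
      done = 1; next
    }
    { print }
    END { if (!done) print "AdvancedConfig = { \"" key "=" value "\" }" }
  ' "$file" > "$tmp"
  mv "$tmp" "$file"
}

# advanced_config_value FILE KEY -> prints VALUE, or nothing if KEY is unset
advanced_config_value() {
  awk -v key="$2" '
    /^[[:space:]]*AdvancedConfig[[:space:]]*=/ {
      s = $0
      while (match(s, /"[^"]*"/)) {
        p = substr(s, RSTART + 1, RLENGTH - 2)
        s = substr(s, RSTART + RLENGTH)
        if (index(p, key "=") == 1) { print substr(p, length(key) + 2); exit }
      }
    }' "$1"
}

# vpn_remote CLIENTCONF -> prints "<port> <protocol>" from the remote line
vpn_remote() {
  awk '$1 == "remote" { print $3, $4; exit }' "$1"
}

# check_vpn_config CMDCONF CLIENTCONF -> exit 0 when the head node's client
# config uses the FIRST CloudVpnPorts entry and CloudVpnProtocol; the
# defaults below are the ones the entry documents.
check_vpn_config() {
  ports=$(advanced_config_value "$1" CloudVpnPorts)
  proto=$(advanced_config_value "$1" CloudVpnProtocol)
  [ -n "$ports" ] || ports="1194,1195,1196,1197"
  [ -n "$proto" ] || proto="udp"
  first=${ports%%,*}
  [ "$(vpn_remote "$2")" = "$first $proto" ]
}

# --- constructed demo input (temporary copies, not a live head node) ---
demo=$(mktemp -d)
printf 'AdvancedConfig = { "SomeOtherKey=1" }\n' > "$demo/cmd.conf"
set_advanced_config "$demo/cmd.conf" CloudVpnPorts 443,444
set_advanced_config "$demo/cmd.conf" CloudVpnProtocol tcp
cat "$demo/cmd.conf"
# what client-tunX.conf would contain once the director has been restarted
printf 'remote 54.237.150.12 443 tcp\n' > "$demo/client-tun0.conf"
if check_vpn_config "$demo/cmd.conf" "$demo/client-tun0.conf"; then
  echo "client-tun0.conf matches CloudVpnPorts/CloudVpnProtocol"
else
  echo "client-tun0.conf does NOT match; director still on old settings?"
fi
rm -rf "$demo"
```

Point the script at a copy of cmd.conf first and diff the result before touching the real file. On a live head node the edit is only the first step: the cloud instances still have to be terminated and CMDaemon restarted as described above, and the port you choose must be reachable on the cloud director through whatever firewall or security group sits in front of it, or the tunnel will not come up on the new settings.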