- Create a VPC with a large network (e.g.: 172.31.0.0/16). This will allow us room for trying other experiments in the future.
- Carve 2 subnets (e.g.: Private and VPN). Our VM will have a NIC in each one of these subnets.
- Create the OpenBSD VM with two NICs
- For each NIC disable source/dest check allowing packet forwarding
- Add the route to Azure (e.g.: 10.0.0.0/16)
- Allow traffic on the Security Groups (ports 500, 4500 UDP)
- For troubleshooting, also allow ICMP and SSH between the two networks.
- Attach an Elastic IP to the OpenBSD interface on the VPN subnet.
- Configure OpenIKED.
References:
- Click on the Services drop-down menu.
- and select VPC under the Networking & Content Delivery section
- Choose a name for your VPC
- Select a CIDR block. In our example: 172.31.0.0/16
- Click on Yes, Create
By default, a newly created VPC will not route traffic to the Internet. To allow the access to the Internet, we will create a new Internet Gateway and attach it to the VPC.
- Click on Internet Gateways.
- Click on the Create Internet Gateway button.
- Give the gateway a name (e.g.: internet-gw)
- Click on Yes, Create
Select the new Internet Gateway and click on Attach to VPC
- Click on Attack to VPC
- Select the VPC
- Click on Yes, Attach
The final result should look like this.
- Click on Subnets under the Virtual Private Cloud section on the left-side navigation bar.
- Click on the Create Subnets button
In this windows you can select all of the details of the subnets such as the:
- name of the subnet
- VPC to create the subnet
- Availability Zone and
- the CIDR
Repeat this process for the subnets for the following subnets and CIDRs.
| Name | CIDR | Nb of Hosts |
|---|---|---|
| VPN | 172.31.255.128/25 | 126 |
| Private | 172.31.0.0/19 | 8190 |
If you've executed the steps described on the Before You Begin section you should now have an OpenBSD AMI ready for consumption. Let's proceed by creating the instance.
- Click on the Services drop-down menu.
- and select EC2 under the Compute section
- Click on the EC2 Dashboard
- Click on Launch Instance
NOTE: Note that we are creating our resources in the Oregon region. If you are using a different region, please change that here.
- Click on My AMIs
- Select your OpenBSD image
From here, follow the rest of the configuration guide and choose an instance type (for testing purposes, I've used a t2.micro instance.)
- Select your instance size
- Click on Next: Configure Instance Details
- Select your VPC
- Select the subnet for the first (main) interface
- Add a new interface and select the subnet that it will be attached to.
- Click on Review and Launch
NOTE: If you are deploying this in production, I'd recommend you check the Enable termination protection option (the red arrow is pointing to that option). This is an extra safe mechanism that will prevent the accidental termination of your instance.
The last modification is to add rules to the Security Groups.
- Click on Edit security groups
- To add a new rule, click on Add Rule.
We need to create the following rules:
| Type | Protocol | Port Range | Source | Description |
|---|---|---|---|---|
| SSH | TCP | 22 | Custom: 0.0.0.0/0 | Note that you can lock this to your public IP if you wanted. We will lock this down with PF as well. |
| All ICMP - IPv4 | ICMP | 0-65535 | Custom: Azure CIDR | From Azure |
| Custom UDP | UDP | 500 | Custom: Azure CIDR | From Azure - IPsec |
| Custom UDP | UDP | 4500 | Custom: Azure CIDR | From Azure - IPsec |
When you are done with the rules here, go ahead and click on Review and Launch and finally, under the 7.Review section click on Launch.
The last step is to select a key pair or to create one if needed. If you already have a key, here's what you need to do:
- Click on Choose an existing key pair
- Select a key pair and acknowledge that you have the private key.
- Click on Launch Instances
After the instance is ready, return to the Instances section and put a meaningful name to the instance. This will help you to easily identify this instance later.
- Click on Instances
- Click on the pen icon to edit the name of the instance.
We will also add a name to our network interfaces.
- Click on the Network Interfaes under NETWORK & SECURITY
- Name the Primary network interface as ext_if
- Name the second interface as int_if.
- Click on the Services drop-down menu.
- and select EC2 under the Compute section
- Click on the Network Interfaces
- Select a network interface (e.g.: the external_if interface). Note that you must do this for both interfaces.
- Click on Change Source/Dest. Check under the Actions button.
When the Change Source/Dest. Check window appears:
- Select Disabled
- Click save.
Repeat this process for all interfaces that need to pass traffic.
- Click on the Elastic IPs under NETWORK & SECURITY
- Click on Allocate new address
- Next, click on Allocate
Back to the main Elastic IPs screen, right click on your newly allocated address and choose Associate address
- Right click on the new EIP and then click on Associate address
- Under Resource type select Network interface
- Click on the Network interface drop-down menu and select the ext_if interface
- Click on Associate
| Destination | Target | Notes |
|---|---|---|
| 172.31.0.0/16 | local | VPC CIDR |
| 0.0.0.0/0 | Internet Gateway | |
| 10.0.0.0/0 | xfn1 / OpenBSD | Route to Azure's VNET pointing to OpenBSD's internal NIC interface |
- Under the Virtual Private Cloud, select Route Tables
- Select the subnet which you want to add the route. In our example, we will select the
private-us-west-2aone. - Click ont he Routes tab
- and then click on Edit
Once inside of the route table
- Click on Add another route
- Under the Destination field, write Azure's VNet CIDR. In our exercise 10.0.0.0/16.
- Select OpenBSDs internal interface. You can either search for the name of the interface (e.g.: eni-XXXX) or search for a tag (e.g.: internal_if)
- Click on Save
Your route table should look like resemble this one:
Next: Setting up OpenBSD