kasmtech / workspaces-issues


VPN Tunnel between Kasm Server and the office network #513

Open afroz1 opened 4 months ago

afroz1 commented 4 months ago

Hi,

I have deployed a single server running Kasm, and I am able to access the Kasm portal from the internet. It's working perfectly for me.

However, my requirement is a bit different. I would like to install Kasm VDI from my office's private network, but I don't have internet access from that network.

The Kasm server is deployed on a cloud Ubuntu 20 machine with a public IP address. The Kasm bridge network is configured as 172.18.0.0/16, and all the containers (VDIs) are assigned IPs from this bridge subnet created by Docker.

I've configured a VPN tunnel between the Kasm server and the office network. While I can reach the Kasm private IP from my office's private network, the Kasm bridge subnet IP cannot communicate with any IP in the office's private subnet. I would like bidirectional communication.

Could you please guide me on whether I need to enable any firewall rules to allow traffic from the Kasm server to pass through the office firewall (Sophos) VPN tunnel?

Kasm Server

Public IP: x.x.x.x
Private IP: 172.18.0.0/16
VPN Tool: strongSwan/IPsec
Sysctl: Forwarding is already enabled, and ipsec.conf and ipsec.secret are configured.

Sophos Firewall (Office)

Public IP: x.x.x.x
Private Subnet: 192.168.4.0/23

Tunnels are already established in both directions.

How can I access IP addresses in the 192.168.4.0/23 subnet from IP addresses in the 172.18.0.0/16 subnet?

afroz1 commented 4 months ago

```
root@kasm1703312441:~# tcpdump -i any host 192.168.4.36
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
09:35:22.766033 enp3s0 Out ARP, Request who-has 192.168.4.36 tell kasm1703312441, length 28
09:35:22.766141 vethe99c526 P IP 172.18.0.10 > 192.168.4.36: ICMP echo request, id 98, seq 971, length 64
09:35:22.766141 br-9e6af45fe73e In IP 172.18.0.10 > 192.168.4.36: ICMP echo request, id 98, seq 971, length 64
09:35:23.788862 enp3s0 Out ARP, Request who-has 192.168.4.36 tell kasm1703312441, length 28
09:35:23.788941 vethe99c526 P IP 172.18.0.10 > 192.168.4.36: ICMP echo request, id 98, seq 972, length 64
09:35:23.788941 br-9e6af45fe73e In IP 172.18.0.10 > 192.168.4.36: ICMP echo request, id 98, seq 972, length 64
09:35:24.812940 vethe99c526 P IP 172.18.0.10 > 192.168.4.36: ICMP echo request, id 98, seq 973, length 64
09:35:24.812940 br-9e6af45fe73e In IP 172.18.0.10 > 192.168.4.36: ICMP echo request, id 98, seq 973, length 64
09:35:24.812981 enp3s0 Out ARP, Request who-has 192.168.4.36 tell kasm1703312441, length 28
09:35:25.836783 enp3s0 Out ARP, Request who-has 192.168.4.36 tell kasm1703312441, length 28
09:35:25.836884 vethe99c526 P IP 172.18.0.10 > 192.168.4.36: ICMP echo request, id 98, seq 974, length 64
09:35:25.836884 br-9e6af45fe73e In IP 172.18.0.10 > 192.168.4.36: ICMP echo request, id 98, seq 974, length 64
09:35:26.866418 enp3s0 Out ARP, Request who-has 192.168.4.36 tell kasm1703312441, length 28
09:35:26.866572 vethe99c526 P IP 172.18.0.10 > 192.168.4.36: ICMP echo request, id 98, seq 975, length 64
09:35:26.866572 br-9e6af45fe73e In IP 172.18.0.10 > 192.168.4.36: ICMP echo request, id 98, seq 975, length 64
09:35:27.896304 vethe99c526 P IP 172.18.0.10 > 192.168.4.36: ICMP echo request, id 98, seq 976, length 64
09:35:27.896304 br-9e6af45fe73e In IP 172.18.0.10 > 192.168.4.36: ICMP echo request, id 98, seq 976, length 64
09:35:27.896406 enp3s0 Out ARP, Request who-has 192.168.4.36 tell kasm1703312441, length 28
09:35:28.912751 enp3s0 Out ARP, Request who-has 192.168.4.36 tell kasm1703312441, length 28
```

The Kasm server is sending the request to the internet, but my requirement is to send the traffic to my office VPN tunnel configured in the Sophos Firewall. On the other hand, the Sophos firewall VPN traffic is coming in through the Kasm VPN tunnel, and I am able to ping the Kasm VDI IP (172.18.0.10) from the office private network IP (192.168.4.36).

Here is my routing table config:

```
root@kasm1703312441:~# ip route show
default via 172.93.53.1 dev enp3s0 proto static
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.0.0/16 dev br-9e6af45fe73e proto kernel scope link src 172.18.0.1
```

ipsec.conf

```
root@kasm1703312441:~# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn oyo-vpn
    authby=secret
    type=tunnel
    left=%defaultroute
    leftid=172.93.53.118
    leftsubnet=172.18.0.0/16
    right=122.160.39.118
    rightsubnet=192.168.4.0/23
    ike=aes256-sha1-modp1536
    esp=aes256-sha1
    keyexchange=ikev2
    keyingtries=0
    ikelifetime=28800s
    lifetime=3600s
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=clear
    auto=route
```

```
root@kasm1703312441:~# ufw status
Status: inactive
```

```
root@kasm1703312441:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-92-generic, x86_64):
  uptime: 22 minutes, since Feb 13 09:28:22 2024
  malloc: sbrk 3801088, mmap 0, used 2033360, free 1767728
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 10
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru drbg curl attr kernel-netlink resolve socket-default connmark forecast farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Listening IP addresses:
  172.93.53.118
  2602:ff16:1:0:1:52e:0:1
  172.22.0.1
  172.17.0.1
  172.18.0.1
Connections:
      oy-vpn:  %any...122.160.39.118  IKEv2, dpddelay=30s
      oy-vpn:   local:  [172.93.53.228] uses pre-shared key authentication
      oy-vpn:   remote: [122.160.39.118] uses pre-shared key authentication
      oy-vpn:   child:  172.18.0.0/16 === 192.168.4.0/23 TUNNEL, dpdaction=clear
Routed Connections:
      oy-vpn{1}:  ROUTED, TUNNEL, reqid 1
      oy-vpn{1}:   172.18.0.0/16 === 192.168.4.0/23
Security Associations (2 up, 0 connecting):
      oy-vpn[6]: ESTABLISHED 22 minutes ago, 172.93.53.118[172.93.53.118]...122.160.39.118[122.160.39.118]
      oy-vpn[6]: IKEv2 SPIs: fb57248c122f63f8_i 781f60a91b6462f5_r, pre-shared key reauthentication in 7 hours
      oy-vpn[6]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
      oy-vpn{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c79683bf_i c5c4dacf_o
      oy-vpn{5}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i (0 pkts, 913s ago), 0 bytes_o, rekeying in 25 minutes
      oy-vpn{5}:   172.18.0.0/16 === 192.168.4.0/23
      oy-vpn{6}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c9c17f60_i cbc213ec_o
      oy-vpn{6}:  AES_CBC_256/HMAC_SHA2_512_256, 588 bytes_i (7 pkts, 913s ago), 588 bytes_o (7 pkts, 913s ago), rekeying in 19 minutes
      oy-vpn{6}:   172.18.0.0/16 === 192.168.4.0/23
      oy-vpn[5]: ESTABLISHED 22 minutes ago, 172.93.53.118[172.93.53.118]...122.160.39.118[122.160.39.118]
      oy-vpn[5]: IKEv2 SPIs: 61ac5b612ecf5138_i 8e5a99a369177dd9_r, pre-shared key reauthentication in 7 hours
      oy-vpn[5]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
      oy-vpn{4}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c289386b_i cdeb619a_o
      oy-vpn{4}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i (0 pkts, 913s ago), 0 bytes_o, rekeying in 23 minutes
      oy-vpn{4}:   172.18.0.0/16 === 192.168.4.0/23
```

iptables -nL

```
root@kasm1703312441:~# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-logging-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-reject-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-track-input  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-reject-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-track-forward  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-logging-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-reject-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-track-output  all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER (3 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.2           tcp dpt:443

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-after-forward (1 references)
target     prot opt source               destination

Chain ufw-after-input (1 references)
target     prot opt source               destination

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination

Chain ufw-after-output (1 references)
target     prot opt source               destination

Chain ufw-before-forward (1 references)
target     prot opt source               destination

Chain ufw-before-input (1 references)
target     prot opt source               destination

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination

Chain ufw-before-output (1 references)
target     prot opt source               destination

Chain ufw-reject-forward (1 references)
target     prot opt source               destination

Chain ufw-reject-input (1 references)
target     prot opt source               destination

Chain ufw-reject-output (1 references)
target     prot opt source               destination

Chain ufw-track-forward (1 references)
target     prot opt source               destination

Chain ufw-track-input (1 references)
target     prot opt source               destination

Chain ufw-track-output (1 references)
target     prot opt source               destination
```
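One interaction worth ruling out when the IPsec leftsubnet is a Docker bridge, as it is here: Docker adds a nat POSTROUTING rule of the form `-s 172.18.0.0/16 ! -o br-9e6af45fe73e -j MASQUERADE` for each user-defined bridge, and Linux repeats the IPsec policy lookup after NAT, so a container packet whose source has been rewritten to the host address no longer sits inside 172.18.0.0/16 === 192.168.4.0/23 and leaves unencrypted via the default route instead of through the tunnel. The Python model below is an added example, not code from this issue or from Kasm; the addresses and bridge name are the ones quoted above, the Docker rule is its standard shape rather than one read from this host, and the exemption rule (`-m policy --dir out --pol ipsec -j ACCEPT` placed ahead of Docker's rule) is the one strongSwan's forwarding documentation recommends.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, NamedTuple, Optional, Tuple

# Constructed from the issue: the traffic selector of conn oyo-vpn and the
# address MASQUERADE substitutes when a packet leaves through enp3s0.
LEFT = ipaddress.ip_network("172.18.0.0/16")
RIGHT = ipaddress.ip_network("192.168.4.0/23")
HOST_EGRESS = "172.93.53.118"

Packet = NamedTuple("Packet", [("src", str), ("dst", str), ("out_if", str)])

@dataclass(frozen=True)
class NatRule:
    """nat POSTROUTING rule: -s SRC [! -o IFACE] [-m policy --dir out --pol ipsec] -j TARGET."""
    src: str
    target: str
    not_out_if: Optional[str] = None
    ipsec_only: bool = False

def in_ipsec_policy(pkt: Packet) -> bool:
    """XFRM policy lookup: both addresses must sit inside the traffic selector."""
    return ipaddress.ip_address(pkt.src) in LEFT and ipaddress.ip_address(pkt.dst) in RIGHT

def postrouting(pkt: Packet, rules: List[NatRule]) -> Tuple[Packet, str]:
    """Walk the chain in order; the first matching rule ends nat traversal. After a
    MASQUERADE rewrite the kernel repeats the XFRM lookup with the new source, so
    the path is decided on the packet as it leaves NAT, not as it entered."""
    for rule in rules:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
            continue
        if rule.not_out_if is not None and pkt.out_if == rule.not_out_if:
            continue  # "! -o IFACE": traffic staying on the bridge is not NATed
        if rule.ipsec_only and not in_ipsec_policy(pkt):
            continue
        if rule.target == "MASQUERADE":
            pkt = pkt._replace(src=HOST_EGRESS)
        break
    return pkt, "esp-tunnel" if in_ipsec_policy(pkt) else "cleartext"

# Docker's standard rule for bridge br-9e6af45fe73e (constructed, not read from the host).
DOCKER_DEFAULT = [NatRule("172.18.0.0/16", "MASQUERADE", not_out_if="br-9e6af45fe73e")]
# Assumed fix, inserted ahead of Docker's rule:
#   iptables -t nat -I POSTROUTING -s 172.18.0.0/16 -m policy --dir out --pol ipsec -j ACCEPT
WITH_EXEMPTION = [NatRule("172.18.0.0/16", "ACCEPT", ipsec_only=True)] + DOCKER_DEFAULT

if __name__ == "__main__":
    probe = Packet("172.18.0.10", "192.168.4.36", "enp3s0")  # the ping seen in the tcpdump above
    for label, rules in (("docker default", DOCKER_DEFAULT), ("with exemption", WITH_EXEMPTION)):
        print(label, postrouting(probe, rules))
```

On the host, `iptables -t nat -S POSTROUTING` shows whether such an exemption actually precedes Docker's rule (Docker re-inserts its rules at the top of the chain when the daemon restarts), and `ip route show table 220` lists the routes strongSwan's kernel-netlink plugin installs for the policy, which the main-table `ip route show` above does not include.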