Remote Access
Now we have our environment configured, we want to lock down entry points to a single source (via the Sophos firewall). The first thing we will configure is a split tunnel VPN, this will ensure only traffic destined for the remote network is sent via the VPN. To prevent opening our Proxmox environment to the internet directly we will configure a software based KVM solution for those who want UI access to their VPS via a web browser.
Firewall Configuration
This guide will assume you are already logged into the firewall and the out of box experience has been completed as per the previous articles.
Configuring ACL
The below rules will allow for cross network communication between the VPN subnet (10.81.0.0/24) and the LAN subnet (172.16.16.0/24).
-
Select ‘Administration’
-
Select ‘Device Access’
-
Ensure the following variables have been set for ‘Local service ACL’
- Under ‘WAN’ enable - ‘SSL VPN’ & ‘User Portal’
- Under ‘VPN’ enable - ‘DNS’ & ‘User Portal’
-
Select ‘Apply’
-
Select ‘Hosts and Services’
-
Select ‘IP Host’
-
Select ‘Add’
- Ensure the following have been set
- Name - ‘OVLAN’
- IP Version - ‘IPv4’
- Type - ‘Network’
- IP Address - ‘172.16.16.0’
- Subnet - ‘/24’
-
Select ‘Save’
-
Select ‘Rules & Policies’
-
Select ‘Add firewall rule’
- Select ‘New firewall rule’
-
Ensure your page has the following information filled out
- Rule Name - ‘VPN_TO_LAN’
- Action - ‘Accept’
- Rule Position - ‘TOP’
- Rule Group - ‘None’
- Source Zone - ‘VPN’
- Source Network - ‘ANY’
- Destination Zone - ‘LAN’
- Destination Network - ‘ANY’
- Services - ‘ANY’
-
Select ‘Save’
Configuring the SSL VPN
- Select ‘Remote Access VPN’
- Select ‘SSL VPN’
- Select ‘Add’
- Ensure your page has the following information filled out
- Name - ‘(Identifiable Name)’
- Use as default gateway - ‘Unticked’
- Permitted network resources - ‘OVLAN’
- Select ‘Apply’
Creating SSL VPN User
- Select ‘Authentication’
- Select ‘Users’
- Select ‘Add’
- Ensure your page has the following information filled out
- Username - ‘(Define a username)’
- Name - ‘(Match username)’
- User Type - ‘User’
- Password - ‘(Define a password)’
- Email address - ‘(Use a valid email address)’
- Group - ‘Open Group’
- Set all of the 4 qouta’s to unlimited / none
- SSL VPN Policy - ‘No policy applied’
- Clientless SSL VPN Policy - ‘No policy applied’
- Select ‘Save’
From here, go back to the remote access server we created and assign it to your user.
Accessing the Network
You will now be able to login to the user portal which is located at https://publicip:443 / https://publicip:8443, this can be changed under the Administration tab within the firewall if needed.
Once logged into the portal you can go to the ‘VPN’ tab and download the Sophos Connect Client and the SSL VPN Configuration file.