
Sheriff CSM™

Building a VPN Tunnel Without a Client-Server Connection

If there is no connection between the VPN server and the client, which is often the case in an MSSP (Managed Security Service Provider) environment, an error occurs when you try to configure the client:

Building the VPN node configuration...
Restarting OpenVPN server...
Retrieving the local vpn server ip...
Trying to deploy the VPN configuration on the remote Sheriff appliance...
An error occurred while establishing the vpn tunnel:
Currently there is no connectivity with the remote Sheriff appliance. The steps to deploy the VPN client manually are the following:
* A new VPN configuration file has been created for the remote Sheriff appliance at: /etc/openvpn/nodes/[client_IP].tar.gz.
* Copy this configuration file to the remote Sheriff appliance
* Extract the configuration file: /bin/tar zxf [client_IP].tar.gz -C /tmp/
* Move the VPN client configuration file to the OpenVPN folder: cp -arf /tmp/etc/openvpn/nodes/* /etc/openvpn/; mv /etc/openvpn/[client_IP]/*.conf /etc/openvpn/
* Fire the configuration triggers: dpkg-trigger --no-await Sheriff-network-vpn-net-client; dpkg --pending --configure
* Clean up: rm -rf /tmp/etc
* Finally, once the VPN connection has been established, please add the remote Sheriff appliance from the Configuration > Deployment menu option on the web UI
Press [Enter] to continue

Instead, the system creates a configuration file, and you must configure the VPN client manually, as described below.

To configure the VPN client through the command line
  1. Transfer the VPN configuration file to the VPN client manually:

    1. On the VPN server, go to the Sheriff Setup Main menu and select Jailbreak System, press Enter twice to confirm.
    2. Go to /etc/openvpn/nodes/ and locate the <client_IP>.tar.gz file, where <client_IP> is the VPN client IP address you specified in step 4 when creating the VPN client.
    3. Using scp, or a similarly secure copy method, transfer the <client_IP>.tar.gz file to the VPN client and place it in /etc/sheriff/network/.
    4. Type Exit to return to the Sheriff Setup main menu.
  2. Configure the tunnel on the VPN client:

    1. SSH to the VPN client.
    2. In the Sheriff Setup menu, select System Preferences > Configure Network > Setup VPN > Configure VPN client from file, and press Enter (<OK>).
    3. Select the entry with the correct IP address for the VPN client, press Enter (<OK>).
    4. Confirm that the configuration file is the correct one, the file copied in Step 3 of this procedure, then press Enter (<Yes>).

The system extracts the configuration file and uses its contents to build the tunnel.

Additional Step When the VPN server and VPN client Reside in Different Networks

Please be aware that if the VPN client and VPN server are in different private networks and the connection from the VPN client to the VPN server is only allowed through their public IP addresses, you need to change the IP address in the configuration file manually.

Consider the following example, where the VPN server and VPN client have different private and public IP addresses:

Sample IP addresses for the VPN server and VPN client

             VPN server      VPN client
Private IP   192.168.0.1     172.16.20.56
Public IP    88.132.33.11    145.156.44.33

When configuring the VPN client, enter the public IP address for the client, in this case 145.156.44.33. Extract the resulting /etc/openvpn/nodes/145.156.44.33.tar.gz file and locate the VPN client configuration file, 145.156.44.33.conf. Observe that the private IP address of the VPN server (192.168.0.1) is added instead of the public IP address, as indicated in line 4 below:

client
dev tun
proto tcp
remote 192.168.0.1 33800
resolv-retry infinite
nobind
user nobody
group nogroup
verb 3
ca /etc/openvpn/145.156.44.33/ca.crt
cert /etc/openvpn/145.156.44.33/145.156.44.33.crt
key /etc/openvpn/145.156.44.33/145.156.44.33.key
script-security 2 system
up "/etc/init.d/fprobe stop || true"
comp-lzo
persist-key
persist-tun

Because the client cannot reach that private address, the VPN tunnel is not established. Changing the IP address on the remote line of the file above to 88.132.33.11 resolves the issue.
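The following shell helpers are an added example and are not part of the Sheriff CSM documentation or product. They cover the two manual fixes above: rewriting the remote line of the extracted client .conf to the server's public address, and checking that the ca, cert and key files the .conf references are actually present in the node directory after the copy step. The function names, the sample node directory layout and the placeholder certificate contents are assumptions made for this example; the sample .conf is constructed to match the one shown above.

```sh
#!/bin/sh
# Added example, not part of the Sheriff CSM documentation: helpers for the
# manual fix described above. They read and rewrite the "remote" directive of an
# OpenVPN client .conf and check that the ca/cert/key files it references are
# present. Function names, the node directory layout and the placeholder
# certificate contents are assumptions made for this example.
set -eu

# Print the host of the first "remote <host> <port>" line in a client .conf.
get_remote_host() {
    awk '$1 == "remote" { print $2; exit }' "$1"
}

# Print the port of the first "remote <host> <port>" line.
get_remote_port() {
    awk '$1 == "remote" { print $3; exit }' "$1"
}

# Replace the remote host in place, keeping the port and every other line.
# Fails (returns 1) if the file has no "remote" line, so nothing is silently rewritten.
set_remote_host() {
    conf=$1
    newhost=$2
    port=$(get_remote_port "$conf")
    [ -n "$port" ] || return 1
    tmp=$(mktemp)
    awk -v h="$newhost" -v p="$port" \
        '$1 == "remote" { print "remote", h, p; next } { print }' "$conf" > "$tmp"
    cat "$tmp" > "$conf"    # write through so the file keeps its mode and owner
    rm -f "$tmp"
}

# Check that the files named by the ca/cert/key directives exist in DIR
# (the node directory the manual steps copy to /etc/openvpn/<client_IP>/).
# Prints each missing file and returns the number missing (0 = all present).
check_cert_files() {
    conf=$1
    dir=$2
    missing=0
    for p in $(awk '$1 == "ca" || $1 == "cert" || $1 == "key" { print $2 }' "$conf"); do
        f="$dir/$(basename "$p")"
        if [ ! -f "$f" ]; then
            echo "missing: $f" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample: write a client .conf shaped like the one on the page, plus
# placeholder ca/cert/key files, into DIR. Real deployments use the files from
# /etc/openvpn/nodes/<client_IP>.tar.gz instead.
write_sample_node() {
    dir=$1
    client_ip=$2
    server_ip=$3
    mkdir -p "$dir"
    cat > "$dir/$client_ip.conf" <<EOF
client
dev tun
proto tcp
remote $server_ip 33800
resolv-retry infinite
nobind
ca /etc/openvpn/$client_ip/ca.crt
cert /etc/openvpn/$client_ip/$client_ip.crt
key /etc/openvpn/$client_ip/$client_ip.key
persist-key
persist-tun
EOF
    # placeholder files so the path check has something to find (not real keys)
    for f in ca.crt "$client_ip.crt" "$client_ip.key"; do
        printf '%s\n' "placeholder for $f" > "$dir/$f"
    done
}

# Walk through the page's scenario: the generated .conf points at the server's
# private address (192.168.0.1), so point it at the public one (88.132.33.11)
# and re-check the node directory. Returns 0 when the rewrite succeeded.
demo_fix() {
    node=$(mktemp -d)/145.156.44.33
    write_sample_node "$node" 145.156.44.33 192.168.0.1
    conf="$node/145.156.44.33.conf"
    echo "before: remote $(get_remote_host "$conf")"
    set_remote_host "$conf" 88.132.33.11
    echo "after:  remote $(get_remote_host "$conf")"
    check_cert_files "$conf" "$node"
    [ "$(get_remote_host "$conf")" = 88.132.33.11 ]
}
```

On a real appliance the same calls would be run against the extracted file, for example set_remote_host /etc/openvpn/145.156.44.33.conf 88.132.33.11 followed by check_cert_files /etc/openvpn/145.156.44.33.conf /etc/openvpn/145.156.44.33, before firing the configuration triggers. The rewrite goes through awk rather than sed so that only the remote directive changes and the port is preserved; the cert check catches the common case where the .conf was moved but the node directory with its ca/cert/key files was not.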

Topic revision: 28 Mar 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.