Administration

Admin User Configuration

The first and most important action to take after completing the installation is to change the credentials of the admin user. To do so login to the Console with the default EC credentials.

Username

ec-sys

Password

ec-password

Once you are logged in, click over the username located in the top right portion of the window and select Change password.

Certificates

At first access the EC auto generates two certificates used for authentication and message signing. These certificates can be replaced if needed; as a good practice, for a pre-production and production environments consider to install the correct certificates before start connecting devices, this will save time later. For more details regarding certificate management refer to section Certificates

Remote Access Service Configuration

The Remote Access Service is configured via the VPN Servers panel in EC. This panel is visible only to system administrator users.

There are few steps to create a new service instance:

  • deploy a new instance of the ec-vpn Helm Chart specifying the desired service name
  • create a corresponding service within Everyware Cloud console
  • assign configuration files contextualised with your newly deployed service

For the first step follow the documentation in the Installation pages.

Once the service is correctly configured on your orchestrator, login to Everyware Cloud console and navigate to the VPN Servers panel. At this point create a new server and specify its name (which should match the one on the orchestrator, the external DNS or IP address of the service and the port.

Lastly add the configuration files that will be used for the on-demand VPN connections to the Remote Access Service.

The following table explains the various parameters present in the panel.

Name

The name of the configuration.

OpenVPN Min Version

The minimum version the configuration is compatible with. This is used by ESF VPNv2 service to fetch the right configuration depending on the version of OpenVPN available. It can be left empty.

OpenVPN Max Version

The maximum version the configuration is compatible with. This is used by ESF VPNv2 service to fetch the right configuration depending on the version of OpenVPN available. It can be left empty.

Redirect All Traffic

This flag tells the configuration will change the routing of the client to redirect all traffic via the VPN connection.

Configuration File

The actual configuration file for the Remote Access Service.

For the version parameters, It's important to avoid overlapping between multiple configurations as this values are used to decide which file to send to the devices when a new on-demand connection is requested. For example, if we have a configuration with Min Version set to 2.4 and Max Version to 2.6 we cannot have a second configuration with Min Version set to 2.4 and Max Version unset. The only exception is when setting the Redirect All Traffic flag. In this case it's possible to have an overlapping configurations.

The following three blocks contain valid configurations for OpenVPN 2.4+, OpenVPN 2.4+ with traffic redirect and OpenVPN 2.3.

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote PLACEHOLDER_VPN_HOST PLACEHOLDER_VPN_PORT

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
;ca ca.crt
;cert client.crt
;key client.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA-256-CBC-SHA:DHE-RSA-CAMELLIA-128-CBC-SHA:AES256-SHA:AES128-SHA

verify-x509-name "PLACEHOLDER_CERT_SUBJECT"

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-128-CBC

auth SHA256

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

# Everyware Cloud Security
auth-user-pass

# Disable key renegotiation
reneg-sec 0

# Everyware Cloud Network Configuration
inactive 300
ping 10
ping-exit 60

# Notify disconnect to server (UDP)
explicit-exit-notify 1

<ca>
PLACEHOLDER_CA_CHAIN
</ca>
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote PLACEHOLDER_VPN_HOST PLACEHOLDER_VPN_PORT

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
;ca ca.crt
;cert client.crt
;key client.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA-256-CBC-SHA:DHE-RSA-CAMELLIA-128-CBC-SHA:AES256-SHA:AES128-SHA

verify-x509-name "PLACEHOLDER_CERT_SUBJECT"

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-128-CBC

auth SHA256

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

# Everyware Cloud Security
auth-user-pass

# Disable key renegotiation
reneg-sec 0

# Everyware Cloud Network Configuration
inactive 300
ping 10
ping-exit 60

# Route all the client traffic through the VPN
redirect-gateway def1

# Notify disconnect to server (UDP)
explicit-exit-notify 1

<ca>
PLACEHOLDER_CA_CHAIN
</ca>
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote PLACEHOLDER_VPN_HOST PLACEHOLDER_VPN_PORT

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
;ca ca.crt
;cert client.crt
;key client.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA-256-CBC-SHA:DHE-RSA-CAMELLIA-128-CBC-SHA:AES256-SHA:AES128-SHA

tls-remote "PLACEHOLDER_CERT_SUBJECT"

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-128-CBC

auth SHA256

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

# Everyware Cloud Security
auth-user-pass

# Disable key renegotiation
reneg-sec 0

# Everyware Cloud Network Configuration
inactive 300
ping 10
ping-exit 60

# Notify disconnect to server (UDP)
explicit-exit-notify 1

<ca>
PLACEHOLDER_CA_CHAIN
</ca>

The three templates contain various placeholders that need to be replaced in order to have working configurations. These placeholders are listed in the following table.

PLACEHOLDER_VPN_HOST

The address of the VPN server as specified in the VPN server entry.

PLACEHOLDER_VPN_PORT

The port of the VPN server as specified in the VPN server entry

PLACEHOLDER_CA_CHAIN

The PEM formatted CA chain certificates, of which your certificate is the leaf

PLACEHOLDER_CERT_SUBJECT

The subject of your certificate. For example C=XX, ST=YY, L=ZZZ ZZZ, O=Example Company, CN=*.example.com. Note that for the OpenVPN 2.3 configurations this property need to be rewritten in the following format: /C=XX/ST=YY/L=ZZZ_ZZZ/O=Example_Company/CN=_.example.com

Once a service is correctly configured, in order to use it, it's necessary to configure account access. This is described on the Remote Access Service section of this documentation.

High Availability and Scaling

Everyware Cloud supports Auto Healing, High Availability and Horizontal Scaling for its services. See section High Availability and Scaling for more info regarding prerequisites for these functionalities.

  • Auto Healing is supported for all services
  • High Availability and Horizontal Scalability is supported for the following services
    • RESTful API
    • Messaging

Both REST API and Messaging can be made HA by scaling up the number of pods to more than one. In addition to this, Everyware Cloud supports partitioning of workloads through the creation of multiple instances of a service. Services supporting this feature are the following:

  • Messaging
  • Remote Access (on-demand VPN connection)

The scope of this feature is to support the creation of dedicated resource pools that can be assigned to distinct accounts. For example in a large installation it could be useful to assign distinct Messaging and Remote Access services to distinct level-one accounts. For more info regarding how to setup multiple service instances fo one type see sections: