Configuring Veltar VPN Server
  • 29 Oct 2024

The first step in allowing managed devices to access internal resources is to set up a VPN server. This document covers the following steps:

  1. Download and install the Veltar VPN server and its dependencies

  2. Configure the Veltar VPN API server that is bundled in the solution and generate the required API keys

  3. Configure the VPN server using a certificate and make it available on a public IP.

Prerequisites

Hardware & Software

  1. A server running a compatible Linux distribution (e.g., Ubuntu 20.04 LTS or later) with the following configuration:

    1. CPU: 4vCPU

    2. RAM: 4GB+

    3. Storage: 100GB+

    4. Network: 10Gbps connection

    5. Concurrent Users: Up to 500

    6. Traffic: 10 TB+/month

  2. Administrator (root) access to the server machine

Network Requirements

  1. Static Public IP Address

  2. Registered domain name (optional)

SSL Certificate Requirements

  1. Domain Certificate

  2. Intermediate Certificate

  3. Private Key

Installation

Step 1: Prepare Your System

Open a terminal on your server and run the following commands to install required tools:

sudo apt-get update
sudo apt-get install wireguard wireguard-tools

Example output:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
wireguard-tools is already the newest version (1.0.20200513-1~18.04.1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Step 2: Download Veltar VPN Package

Download the Veltar VPN package to your server. The file name will look like veltar-vpn_X.X.X_amd64.deb, where X.X.X is the version number.

Step 3: Install Veltar VPN

Note: Currently, the installation process is manual. Automated installation via dashboard script (similar to Tux Agent) will be available soon.

In the terminal, navigate to the directory where you downloaded the package and run:

sudo dpkg -i veltar-vpn_X.X.X_amd64.deb

Replace X.X.X with the actual version number of your downloaded package.

Example output:

Selecting previously unselected package veltar-vpn.
(Reading database ... 72591 files and directories currently installed.)
Preparing to unpack veltar-vpn_1.2.3_amd64.deb ...
Unpacking veltar-vpn (1.2.3) ...
Setting up veltar-vpn (1.2.3) ...

Basic Usage

After installation, you can use the following commands to manage Veltar VPN:

Check Veltar VPN status:

sudo veltar-vpn-ctl status

Example output:

run: haproxy: (pid 12345) 134s; run: log: (pid 12346) 134s
run: postgresql: (pid 12347) 134s; run: log: (pid 12348) 134s
run: veltar-vpn: (pid 12349) 134s; run: log: (pid 12350) 134s

View Veltar VPN logs:

sudo veltar-vpn-ctl tail

Example output:

2024-10-11_09:15:23.12345 [INFO] Veltar VPN started successfully
2024-10-11_09:15:24.67890 [INFO] Listening on port 80

Display the API Bearer Token (for Scalefusion MDM integration):

sudo veltar-vpn-ctl api-token-display

Example output:

API Bearer Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Keep this token safe and do not share it!

Advanced Configuration

Configuring Veltar VPN for Scalefusion MDM Integration

To configure Veltar VPN for integration with Scalefusion MDM, use the following command:

sudo veltar-vpn-ctl setup

This command will guide you through the configuration process. See the "Detailed Setup Instructions" section for more information.

Rotating the API Bearer Token

To change the API Bearer Token:

sudo veltar-vpn-ctl api-token-rotate

Example output:

Security Warning: Rotating the API Bearer Token will invalidate the current one. Ensure any dependent systems are updated with the new token!
Rotating API Bearer Token...
Rotated API Bearer Token successfully. New token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Keep this token safe and do not share it!

Important: After rotation, immediately update the token in your Scalefusion MDM integration to maintain connectivity.

Detailed Setup Instructions

Running the Setup Script

To begin the setup process, run:

sudo veltar-vpn-ctl setup

Step-by-Step Configuration Process

  1. Domain/IP Configuration

    • Enter the domain or public IP for integrating Veltar VPN with Scalefusion MDM.

    • Example: Enter the domain or Public IP for integrating Veltar VPN with Scalefusion MDM: example.com

  2. Protocol Selection

    • Choose between HTTP and HTTPS (HTTPS is strongly recommended for production).

    Which schema would you like to use?
    1. HTTP (not recommended for production)
    2. HTTPS
    Enter your choice (1 or 2):

  3. Port Configuration

    a. For HTTP:

    • Enter the internal port number: Enter the internal port number for Veltar VPN:

    • Enter the external port number: Enter the external port number (or press Enter if same as internal):

    b. For HTTPS:

    • Enter the HTTPS port number: Enter the HTTPS port number:

  4. SSL Certificate Configuration (HTTPS only)

    • Choose how to provide certificates:

      How would you like to provide the certificates and key?
      Enter 'F' to provide file paths, or 'P' to paste the content directly:

    • Provide the Domain SSL Certificate, Intermediate SSL Certificate (optional), and SSL Private Key.
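
Before handing the three HTTPS inputs to the setup prompt, it helps to confirm that they belong together. The script below is an added example, not part of the Veltar package; the file names in the usage comment are placeholders, and it assumes the OpenSSL command line and GNU `stat` as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example: pre-flight check of the certificate inputs for `veltar-vpn-ctl setup`.
# Usage (placeholder file names): sh preflight.sh domain.pem intermediate.pem private.key

# Succeeds when the certificate's public key equals the private key's public half.
cert_matches_key() {    # args: cert.pem key.pem
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    k=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$c" = "$k" ]
}

# Succeeds when the domain certificate verifies against the given intermediate.
issued_by() {           # args: cert.pem intermediate.pem
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Succeeds when the key file grants no permissions to group or others.
key_is_private() {      # args: key.pem
    case $(stat -c %a "$1") in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Runs every check; pass "" as the intermediate when none is used (it is optional).
preflight() {           # args: cert.pem intermediate.pem key.pem
    rc=0
    cert_matches_key "$1" "$3" ||
        { echo "FAIL: private key does not match the domain certificate"; rc=1; }
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null ||
        { echo "FAIL: domain certificate expires within 30 days"; rc=1; }
    if [ -n "$2" ]; then
        issued_by "$1" "$2" ||
            { echo "FAIL: intermediate did not issue the domain certificate"; rc=1; }
    fi
    key_is_private "$3" ||
        echo "WARN: private key is readable by group/others (chmod 600 it)"
    return $rc
}

if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

A non-zero exit status means at least one FAIL line was printed; the permission warning alone does not change the exit status.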

Network Architecture Considerations

  1. Direct Internet Connection

    • Use the public IP or domain name of your server.

    • Ensure configured ports are open and accessible from the internet.

  2. Behind a NAT/Firewall

    • Use the public IP or domain name that points to your NAT/Firewall.

    • Configure port forwarding on your NAT/Firewall.

  3. Load Balanced Environment

    • Use the domain name that points to your load balancer.

    • Configure load balancer to forward traffic to Veltar VPN server(s).

    • Enable session persistence if running multiple instances.

  4. Reverse Proxy Setup

    • Use the domain name that points to your reverse proxy.

    • Configure reverse proxy to forward requests to the Veltar VPN server.

    • Ensure proper SSL termination if using HTTPS.

Now that you have completed the VPN server setup, please proceed to configure a VPN Tunnel that will allow access to the resources via this VPN server.

Frequently Asked Questions (FAQ)

Q: How often should I rotate the API Bearer Token?

A: It is recommended to rotate the token every 90 days or immediately if you suspect it has been compromised.

Q: Can I use Veltar VPN without Scalefusion MDM?

A: No, Veltar VPN is designed to work seamlessly with Scalefusion MDM only.

Q: What should I do if I forget to update the API Bearer Token in Scalefusion after rotation?

A: If this happens, your devices will not lose the connection. However, you will not be able to create new tunnels or publish VPN on devices. Simply update the token in Scalefusion as soon as possible to restore full functionality.

Q: How can I check if Veltar VPN is running correctly?

A: Use the following command to check the status of all Veltar VPN services:

sudo veltar-vpn-ctl status

This will show the status of HAProxy, PostgreSQL, and the main Veltar VPN service.

Q: What ports do I need to open for Veltar VPN?

A: You need to open:

  1. The port configured for the web interface (HTTP or HTTPS)

  2. UDP port(s) for VPN tunnels (e.g., 51820-51830)

Always ensure these ports are properly secured and only accessible as needed.
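
One way to check that only those two kinds of port are reachable is to audit the server's listening sockets. This is an added example, not part of the Veltar tooling: it reads `ss -H -lntu` output, and the `EXTRA_TCP` variable and the sample socket list (including a PostgreSQL-style listener on 5432) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag non-loopback listeners other than the web/API port and the
# VPN tunnel UDP range. UDP range defaults to the page's example (51820-51830).
# EXTRA_TCP is a variable of this script only: comma-separated extra TCP ports (e.g. SSH).

audit_listeners() {     # usage: ss -H -lntu | audit_listeners WEB_PORT [UDP_LOW UDP_HIGH]
    awk -v web="$1" -v lo="${2:-51820}" -v hi="${3:-51830}" -v extra="${EXTRA_TCP:-}" '
    BEGIN {
        ok_tcp[web] = 1
        n = split(extra, e, ",")
        for (i = 1; i <= n; i++) ok_tcp[e[i]] = 1
    }
    $1 != "tcp" && $1 != "udp" { next }
    {
        addr = $5; port = $5
        sub(/.*:/, "", port)        # keep what follows the last colon
        sub(/:[^:]*$/, "", addr)    # keep what precedes the last colon
        if (addr ~ /^127\./ || addr == "[::1]") next      # loopback-only socket
        if ($1 == "tcp" && (port in ok_tcp)) next         # web port or EXTRA_TCP entry
        if ($1 == "udp" && port + 0 >= lo + 0 && port + 0 <= hi + 0) next   # tunnel range
        printf "UNEXPECTED %s %s:%s\n", $1, addr, port
        bad++
    }
    END { exit (bad > 0) }'
}

# Constructed sample of `ss -H -lntu` output (not captured from a real server).
sample_ss_output() {
    cat <<'EOF'
tcp   LISTEN 0 128        0.0.0.0:443    0.0.0.0:*
tcp   LISTEN 0 128        0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0 244        0.0.0.0:5432   0.0.0.0:*
tcp   LISTEN 0 128      127.0.0.1:8080   0.0.0.0:*
udp   UNCONN 0 0          0.0.0.0:51820  0.0.0.0:*
udp   UNCONN 0 0    127.0.0.53%lo:53     0.0.0.0:*
EOF
}

# Demo on the sample; on a server run: ss -H -lntu | EXTRA_TCP=22 audit_listeners 443
sample_ss_output | EXTRA_TCP=22 audit_listeners 443 || echo "review the sockets listed above"
```

The audit only shows what is bound on the host; the firewall, NAT or load balancer rules in front of the server still decide what is reachable from the internet.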

