Contact UsGet started
© 2024 Direct Cursus Technology L.L.C.

ViPNet Coordinator VA in Yandex Cloud

Written by
Improved by
Updated at November 7, 2024

You can install ViPNet Coordinator VA in your cloud and use it as a VPN gateway for a site-to-site VPN between cloud and on-premises resources.

ViPNet Coordinator VA is installed on a VM with four network interfaces. One interface is assigned a public IP address for a tunnel to an on-premises gateway. The other interfaces can have internal addresses and be connected to different subnets of the same availability zone.

When used in the cloud, ViPNet Coordinator VA does not support the following features:

  • Export and import of keys and settings in vbe format.
  • Failover cluster.
  • Interface aggregation.
  • DHCP server.
  • VLAN.
  • L2OverIP.
  • Export of a system log and IP packet log to a USB flash drive or over TFTP.
  • Adding a backup set of personal keys.
  • Local software updates.
  • Certificate import using a USB flash drive.
  • Authentication using a token.

To deploy ViPNet Coordinator VA in Yandex Cloud:

  1. View a solution description.
  2. Prepare your cloud.
  3. Prepare the environment.
  4. Create images of ViPNet Coordinator VA disks.
  5. Create a VM with ViPNet Coordinator VA in the cloud.
  6. Configure ViPNet Coordinator VA.

If you no longer need the resources you created, delete them.

About the solution

A VPN tunnel works between two ViPNet solutions: Coordinator VA on the cloud infrastructure side and Coordinator HW on the on-premises site.

The cloud configuration is as follows:

  • ViPNet Coordinator VA:

    Interface Internal address Public address Subnet Note
    eth0 10.1.0.8 Automatically public-subnet A public address is mapped to the internal one over One-to-One NAT.
    eth1 10.1.1.8 No address segment1-subnet -
    eth2 10.1.2.8 No address segment2-subnet -
    eth3 10.1.3.8 No address segment3-subnet -

  • All traffic going to the on-premises resources is routed to the ViPNet Coordinator VA internal interfaces using static routes:

    Subnet Destination prefix Next hop
    segment1-subnet 192.168.200.0/24 10.1.1.8
    segment2-subnet 192.168.200.0/24 10.1.2.8
    segment3-subnet 192.168.200.0/24 10.1.3.8

On the on-premises site:

  • ViPNet Coordinator HW:

    Interface Address Subnet
    eth0 Public address -
    eth1 192.168.200.5 192.168.200.0/24

  • The traffic to the cloud resources is routed to the ViPNet Coordinator HW internal interface using a static route:

    Subnet Destination prefix Next hop
    192.168.200.0/24 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24 192.168.200.5

Getting started

Sign up for Yandex Cloud and create a billing account:

  1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

To create a VM with multiple network interfaces, contact our technical support and ask them to enable the MULTI_INTERFACE_INSTANCES_ALPHA flag for the cloud.

The cost of the infrastructure includes:

Prepare the environment

Install the solution on a local machine

Create a cloud network

If you do not have a cloud network yet, create one in the folder for ViPNet Coordinator VA, such as vipnet-folder:

  1. In the management console, go to vipnet-folder.
  2. In the list of services, select Virtual Private Cloud.
  3. Click Create network.
  4. Enter a name for the network, e.g., vipnet-network.
  5. Disable the Create subnets option.
  6. Click Create network.

To create a cloud network, run the command:

yc vpc network create --name vipnet-network --folder-id <vipnet-folder_ID>

Where:

  • name: Name of the cloud network.
  • folder-id: ID of the folder where the network will be created.

Create subnets

Create a subnet named public-subnet for the ViPNet Coordinator VA external interface:

  1. In the management console, go to vipnet-folder.
  2. In the list of services, select Virtual Private Cloud.
  3. Select the vipnet-network cloud network.
  4. Click Add subnet.
  5. Give your subnet a name, such as public-subnet.
  6. Select an availability zone, such as ru-central1-a.
  7. Enter the subnet CIDR, such as 10.1.0.0/24.
  8. Click Create subnet.

Similarly, create subnets for vipnet-network or any other network:

  • segment1-subnet, CIDR: 10.1.1.0/24
  • segment2-subnet, CIDR: 10.1.2.0/24
  • segment3-subnet, CIDR: 10.1.3.0/24

Note

All subnets must be in the same availability zone.

  1. Create the public-subnet subnet:

    yc vpc subnet create \
--name public-subnet \
--folder-id <vipnet-folder_ID> \
--network-name vipnet-network \
--zone <availability_zone> \
--range 10.1.0.0/24

    Where:

    • name: Subnet name.
    • folder-id: ID of the folder where the cloud network is located.
    • network-name: Name of the cloud network.
    • zone: Availability zone, e.g., ru-central1-a.
    • range: Subnet CIDR.

  2. Similarly, create subnets for cloud resources:

    • segment1-subnet, CIDR: 10.1.1.0/24
    • segment2-subnet, CIDR: 10.1.2.0/24
    • segment3-subnet, CIDR: 10.1.3.0/24

Note

All subnets must be in the same availability zone.

Create route tables

Create the segment1-rt, segment2-rt, and segment3-rt route tables:

  1. In the management console, go to vipnet-folder.
  2. In the list of services, select Virtual Private Cloud.
  3. Select the vipnet-network cloud network.
  4. In the left-hand panel, select Route tables.
  5. Click Create.
  6. Enter segment1-rt for Name.
  7. Click Add route and specify:
    • Destination prefix: 192.168.200.0/24.
    • Next hop: IP address.
    • IP address: 10.1.1.8.
  8. Click Add.
  9. Click Create route table.

Similarly, create the segment2-rt and segment3-rt tables, specifying 10.1.2.8 and 10.1.3.8 as IP addresses, respectively.

Link the route tables to the subnets:

  1. In the management console, go to vipnet-folder.
  2. In the list of services, select Virtual Private Cloud.
  3. Select the vipnet-network cloud network.
  4. In the left-hand panel, select Route tables.
  5. Select segment1-subnet and click Link route table.
  6. Select the segment1-rt table.
  7. Click Link.

Similarly, link segment2-rt and segment3-rt to segment2-subnet and segment3-subnet, respectively.

Create disk images for the VM with ViPNet Coordinator VA

Create a VM with ViPNet Coordinator VA on a local machine

The VM is created from the disk image prepared for Compute Cloud. Image requirements:

  • Keys are installed in the system.
  • Key authentication type: Password.
  • Image format: qcow2.

Download a ViPNet Coordinator VA image

  1. Request a ViPNet Coordinator VA image on the infotecs page.

    1. Under Downloads on the Software tab, choose the demo version of ViPNet Coordinator VA (for the VMWare ESX and Oracle VM environments).
    2. On the page that opens, specify your details.
    3. Agree to the personal data processing policy and click SUBMIT REQUEST.

  2. Wait for an email with the download link to ViPNet Coordinator VA, file size details, and the MD5 checksum. The link expires five days after you complete the form on the website.

  3. Download the ViPNet Coordinator VA archive and check its integrity:

    1. Create the vipnet folder and upload the archive:

      mkdir vipnet
cd vipnet
curl --remote-name <link_to_ViPNet_Coordinator_VA_download>

    2. Find out the archive name:

      ls -la

      Result:

      -rw-r--r--   1 user  457853789 Aug 21 12:28 va_vipnet_base_x86_64_4.5.1-5668.ova.zip

    3. Find out the archive MD5 cheksum:

      md5 <archive_name>

      Result:

      MD5 (va_vipnet_base_x86_64_4.5.1-5668.ova.zip) = 42c0f1401aa77fc5366e7eff8cc8ed4a

      Compare the checksum against the one in the email: If the values differ, repeat the download.

    4. Unpack the archive:

      unzip <file_name>

      Result:

      Archive: va_vipnet_base_x86_64_4.5.1-5668.ova.zip
  inflating: va_vipnet_base_x86_64_4.5.1-5668.ova

    1. Create the vipnet folder and upload the archive:

      mkdir vipnet
cd vipnet
curl.exe --remote-name <link_to_ViPNet_Coordinator_VA_download>

    2. Find out the archive name:

      Get-ChildItem

      Result:

      Mode            LastWriteTime       Length    Name
----            -------------       ------    ----
------    8/24/2022   2:07 PM    457853789    va_vipnet_base_x86_64_4.5.1-5668.ova.zip

    3. Find out the archive MD5 cheksum:

      Get-FileHash <archive_name> -Algorithm MD5

      Result:

      Algorithm    Hash                                Path
---------    ----                                ----
MD5          42C0F1401AA77FC5366E7EFF8CC8ED4A    C:\Users\User1\vipnet\va_vipnet_base_x86_64_4.5.1-5668.ova.zip

      Compare the checksum against the one in the email: If the values differ, repeat the download.

    4. Unpack the archive:

      Expand-Archive <archive_name>

Prepare a USB flash drive with the keys

The tutorial uses the demo versions of the keys.

  1. Insert your USB flash drive in a port on a computer and format it using the operating system tools. Format the USB flash drive to FAT32.

  2. Upload the file with the keys to the USB flash drive:

    curl --remote-name https://files.infotecs.ru/_dl/sess/vipnet_demokeys/vipnet_demokeys.zip
unzip vipnet_demokeys.zip
cp Coordinator\ 4\ MOBILE/Coordinator\ 4\ MOBILE/abn_0004.dst <path_to_USB_disk_root_directory>

  3. Make sure the keys are written to the USB flash drive:

    ls <path_to_USB_disk_root_directory>

    Result:

    abn_0004.dst

  4. Using operating system tools, disconnect the USB flash drive from the computer but do not remove it from the USB port.

  1. Insert your USB flash drive in a port on a computer and format it using the operating system tools. Format the USB flash drive to FAT32.

  2. Upload the file with the keys to the USB flash drive:

    curl.exe --remote-name https://files.infotecs.ru/_dl/sess/vipnet_demokeys/vipnet_demokeys.zip
Expand-Archive vipnet_demokeys.zip
Copy-Item -Path "<path_to_vipnet_directory>\vipnet_demokeys\Coordinator 4 MOBILE\Coordinator 4 MOBILE\abn_0004.dst" -Destination <path_to_USB_disk_root_directory>

  3. Make sure the keys are written to the USB flash drive:

    Get-ChildItem <path_to_USB_disk_root_directory>

    Result:

    Mode            LastWriteTime    Length Name
----            -------------    ------ ----
-a----    1/26/2022   5:38 PM     27456 abn_0004.dst

  4. Using operating system tools, disconnect the USB flash drive from the computer but do not remove it from the USB port.

Create a VM with ViPNet Coordinator VA in VirtualBox

  1. Using Oracle VM VirtualBox, open the ViPNet Coordinator VA image file in ova format.
  2. In the window that opens, click Import and wait for the setting import to finish.
  3. Choose the VM called vm and click Start.

Configure ViPNet Coordinator VA on a local VM

  1. In the VM startup selection window, select VA.
  2. Wait for the va login: prompt to appear in the VM console.
  3. Add the USB flash drive with the keys to the VM: at the top left, open DevicesUSB and choose the USB flash drive.
  4. In the va login field, enter user.
  5. In the Password field, enter user.
  6. For Please select setup wizard operating mode, enter 2 (full screen interface).
  7. Accept the license agreement by selecting Yes and clicking Next.
  8. Select Europe for continent, Russia for country, and MSK+00 for timezone, and then click Yes.
  9. Set the current date and time, if required.
  10. Select usb as the source of downloading information about the keys. After reading the USB flash drive, information about the discovered files is listed with key details. Click Next.
  11. Enter 11111111 for password and click Next. The data from the file will be uploaded to the VM.
  12. Configure the eth0 and eth1 network interfaces:
    • Activate interface on boot.
    • Get IP-address automatically on boot (via DHCP).
  13. Configure the eth2 and eth3 network interfaces:
  14. Configure the following parameters:
    • In the Enable/Disable NTP server mode field, select Disable starting the DNS server on boot.
    • In the Enter hostname field, specify yc-vipnet-1.
    • When prompted Do you want to specify custom virtual IP address range?, choose Leave the default setting.
    • When prompted Do you want to probe VPN-connection with some host in order to verify the configuration you've just made?, choose No.
    • When prompted Do you want to start VPN services before leaving the installation wizard?, choose No.
  15. Click FINISH and wait for the VM to restart.
  16. Remove the USB flash drive with the keys: at the top left, open DevicesUSB and choose the USB flash drive.
  17. Shut down your VM: at the top left, open the MachineACPI Shutdown menu.
  18. Wait until the VirtualBox logo appears in the VM console window and close the window. Click Power off to confirm the VM's shutdown.

Convert disk images to qcow2

  1. Go to the directory with the VM files and find out the names of vdi files:

    cd <path_to_VirtualBox_VMs_directory>/vm
ls -ogh *.vdi

    Result:

    -rw-------  1    272M Aug 21 15:22 va_vipnet_base_x86_64-disk1.vdi
-rw-------  1    311M Aug 21 15:22 va_vipnet_base_x86_64-disk2.vdi

  2. Convert the disks to qcow2 format using the qemu-img utility:

    qemu-img convert -f vdi -O qcow2 <name_of_VDI_file_with_disk_1> va_vipnet_base_x86_64-disk1.qcow2
qemu-img convert -f vdi -O qcow2 <name_of_VDI_file_with_disk_2> va_vipnet_base_x86_64-disk2.qcow2

  3. Make sure the disks are saved in qcow2 format:

    ls -ogh *.qcow2

    Result:

    -rw-r--r--  1    236M Aug 21 15:32 va_vipnet_base_x86_64-disk1.qcow2
-rw-r--r--  1    246M Aug 21 15:32 va_vipnet_base_x86_64-disk2.qcow2

  1. Go to the directory with the VM files and find out the names of vdi files:

    cd <path_to_VirtualBox_VMs_directory>/vm
Get-ChildItem *.vdi

    Result:

    Mode            LastWriteTime       Length Name
----            -------------       ------ ----
------    8/24/2022  10:42 PM    324009984 va_vipnet_base_x86_64-disk2.vdi
------    8/24/2022  10:42 PM    286261248 va_vipnet_base_x86_64-disk1.vdi

  2. Convert the disks to qcow2 format using the qemu-img utility:

    qemu-img.exe convert -f vdi -O qcow2 <name_of_VDI_file_with_disk_1> va_vipnet_base_x86_64-disk1.qcow2
qemu-img.exe convert -f vdi -O qcow2 <name_of_VDI_file_with_disk_2> va_vipnet_base_x86_64-disk2.qcow2

  3. Make sure the disks are saved in qcow2 format:

    Get-ChildItem -Name *.qcow2

    Result:

    ------    8/24/2022  10:52 PM    324009984 va_vipnet_base_x86_64-disk2.qcow2
------    8/24/2022  10:52 PM    286261248 va_vipnet_base_x86_64-disk1.qcow2

Upload disk images to Object Storage

  1. Create a bucket:
    1. In the management console, select the folder you want to create a bucket in.
    2. Select Object Storage.
    3. Click Create bucket.
    4. Set the bucket parameters:
      • Name: my-vipnet-images.
      • Max size: No limit.
      • Object read access: Limited.
      • Object listing access: Limited.
      • Read access to settings: Limited.
      • Storage class: Cold.
    5. Click Create bucket.
  2. Upload qcow2 disk images to the bucket:
    1. Select the created bucket.
    2. Click Upload.
    3. In the window that opens, select the files and click Open.
    4. Click Upload.
    5. Refresh the page.
  3. Get the links to the uploaded objects:
    1. Click the object name.
    2. Click Get link.
    3. Set the link Lifetime in hours or days (up to 7 days).
    4. Click Get link.
    5. Copy the links.

Create disk images in Compute Cloud

  1. In the management console, select the example_folder folder.
  2. Select Compute Cloud.
  3. In the left-hand panel, select Images.
  4. Click Upload image.
  5. Enter the image name: vipnet-va-disk1.
  6. Insert the link to the first disk image in Object Storage.
  7. Click Upload.
  8. Repeat the steps for the second image, vipnet-va-disk2.

To create disk images in Compute Cloud, run the following commands:

yc compute image create vipnet-va-disk1 --source-uri="<link_to_disk_1_image>"
yc compute image create vipnet-va-disk2 --source-uri="<link_to_disk_2_image>"

Create a VM with ViPNet Coordinator VA in the cloud

  1. Configure the variables for creating a VM:

    VM_NAME=vipnet-va
ZONE_ID=ru-central1-a
DISK1_NAME=vipnet-va-disk1
DISK2_NAME=vipnet-va-disk2
ETH0_SUBNET=public-subnet
ETH1_SUBNET=segment1-subnet
ETH2_SUBNET=segment2-subnet
ETH3_SUBNET=segment3-subnet

  2. Run the following command to create a VM:

    yc compute instance create \
  --name=$VM_NAME \
  --hostname=$VM_NAME \
  --zone $ZONE_ID \
  --create-boot-disk name=$DISK1_NAME,type=network-hdd,image-name=$DISK1_NAME\
  --create-disk name=$DISK2_NAME,type=network-hdd,image-name=$DISK2_NAME,auto-delete=true\
  --cores=2 \
  --memory=4G \
  --core-fraction=100 \
  --network-interface subnet-name=$ETH0_SUBNET,ipv4-address=10.1.0.8,nat-ip-version=ipv4 \
  --network-interface subnet-name=$ETH1_SUBNET,ipv4-address=10.1.1.8 \
  --network-interface subnet-name=$ETH2_SUBNET,ipv4-address=10.1.2.8 \
  --network-interface subnet-name=$ETH3_SUBNET,ipv4-address=10.1.3.8 \
  --metadata serial-port-enable=1

    Where:

    • name: VM name.
    • hostname: VM host name.
    • zone: Availability zone that matches the selected subnet for the VM.
    • create-boot-disk: Boot disk parameters.
    • create-disk: Additional disk parameters.
    • cores: Number of vCPU cores.
    • memory: Amount of memory (RAM)
    • core-fraction: vCPU performance level.
    • network-interface: Network interface parameters.
    • metadata: VM metadata.

Configure ViPNet Coordinator VA

Connect to ViPNet Coordinator VA using the serial console

Go to the serial console of the created VM:

  1. In the management console, select the vipnet-folder folder.
  2. Go to Compute Cloud and select the vipnet-va VM.
  3. Go to the Serial console tab.
  4. Enter user for username and 11111111 for password.

After successful authorization, the ViPNet Coordinator VA command line will open:

yc-vipnet-1> version
Product: ViPNet Coordinator VA
Platform: VA VIRTUALBOX
License: VA500
Software version: 4.5.1-5668
yc-vipnet-1>

Enable SSH

  1. Switch to admin mode:

    yc-vipnet-1> enable
Type the administrator password:

  2. Enter 11111111, the admin password for the demo version:

    yc-vipnet-1#

  3. Enable ICMP and SSH:

    firewall service-object add name @ICMP icmp
firewall local add 1 rule LICMP src @any dst @any service @ICMP pass
firewall local add 1 rule LSSH  src @any dst @any service @SSH pass

  4. Exit admin mode and the serial console:

    exit
exit

Connect to ViPNet Coordinator VA over SSH

  1. Get ViPNet Coordinator VA's public address:

    VIPNET_IP=$(yc compute instance get \
  --name=$VM_NAME \
  --format=json | jq -r '.network_interfaces[0].primary_v4_address.one_to_one_nat.address')

  2. Run the SSH client:

    ssh user@$VIPNET_IP

How to delete the resources you created

To stop paying for the resources you created: