Virtual Private Networks
When your clouds or servers reside in a network that sits behind a restrictive firewall or use a private IP range, you will need to set up a Virtual Private Network between Mist.io and your network to be able to manage them through the Mist.io service.
Mist.io's VPN functionality is based on the OpenVPN protocol, which implements a Virtual Private Network (VPN) in order to create secure point-to-point connections to remote access areas. OpenVPN is capable of accessing private networks by traversing network address translators (NATs) and
Setting up the VPN using the UI
To set up a new VPN, visit the Tunnels section from your dashboard menu and click on the Add your tunnels button. Type in a name for your tunnel, and optionally a description. Then, on the CIDRs field, add the private IP range that the cloud that you want to manage resides in. Mist.io will choose two random IPv4 addresses for the endpoints of the VPN tunnel. If you want to exclude some of the addresses of the network to avoid IP conflicts, you can fill them in on the excluded CIDRs field. You also have the option to choose between UDP and TCP protocol
Once you’re done, click on the Add button. Mist.io will create the tunnel. Click on it, and Mist.io will provide you with a bash script that you’ll need to run on your VPN client - usually one of the machines or the router of your private network.
When deploying your VPN client, make sure that there are no firewall rules blocking incoming or forwarded Internet traffic. Your VPN client needs to allow incoming data and outgoing data to Mist.io. The UDP port that is used can be seen
As soon as you have established your VPN tunnels, you can go ahead and add your infrastructure in Mist.io. Your private network IPs will be accessible for you by the Mist.io service as if they were public. Just go ahead and add your private clouds and perform actions on private VMs like you would normally do.
Troubleshooting
To confirm that the tunnel has been established on your VPN client, run ifconfig and make sure you can see the vpn-tunXYZ interface, where XYZ is a number. Example
#ifconfig
...
vpn-tun114 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.105.191.176 P-t-P:10.105.191.177 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
...
The tunnel is up and we should be able to ping the P-t-P ip (in my case this is 10.105.191.177).
On the tunnel page we can also see the port on the remote side that is assigned for our VPN client. Make sure that outgoing traffic to this port is allowed (UDP to port 1319 in my case).
Setting up the VPN using the command-line interface
All VPN related actions have been also integrated into the mist CLI, which can be installed by simply running pip install mist. The available VPN related commands are:
- List tunnels
You can retrieve a list of your established tunnels by invoking: mist list-tunnels. You can optionally add the --pretty argument to the aforementioned command in order to print the output in a nicely formatted table.
- Add tunnel
In order to add a new
name: a required parameter denoting the unique name of the tunnel
cidrs: a required list of the CIDRs to be routed over the particular VPN tunnel
exclude_cidrs: an optional parameter specifying a list of CIDRs that you may wish to be excluded from the tunnel establishment process in order to avoid potential routing conflicts due to the allocation of already locally existing IP addresses to the VPN endpoints
description: an argument to optionally add a description to the newly created tunnel
Now, let's see a couple of examples adding new VPN tunnels:
root@ubuntu:~ $ mist add-tunnel --name MyTunnel --cidrs 192.168.2.0/24 192.168.3.0/24 --exclude-cidrs 172.16.150.0/24 --description 'This is just an example'
The first command requests the establishment of a VPN tunnel named “MyTunnel” via which the mist.io service will be able to reach the private networks 192.168.2.0/24 and 192.168.3.0/24. Additionally, the network 172.16.150.0/24 has been specified as a network to be excluded from the allocation process of IP addresses for the two VPN endpoints in order to avoid routing conflicts. For example, the 172.16.150.0/24 CIDR could represent a network that is directly attached to your VPN client, thus you would like to avoid an existing 172.16.150.x IP to be allocated to your VPN interface, as well. Finally, the newly established tunnel comes with the description “This is just an example”. The description and exclude-
As soon as the newly requested VPN interface has been established on the server-side (the Mist.io side), the mist add-tunnel command will return the configuration script that needs to be executed on the client-side in order for the tunnel establishment to be completed. At this point, the client-side configuration comes in two forms. Firstly, a bash script will be returned, which needs to be run on your VPN client and will take care of downloading the necessary dependencies, setting up the VPN configuration files and security key, and starting the OpenVPN service. All you have to do is copy and paste the bash script on your VPN client, make it executable, and run it.
The second option consists of a single curl command, which you can execute on you VPN client and will take care of automatically downloading and executing the configuration script.
Your VPN client can be any machine sitting
After the configuration's execution has been successfully completed, you should have a new interface up and
vpn-tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr: 10.166.30.100 P-t-P: 10.166.30.101 Mask:255.255.255.255
inet
- Edit tunnel
The mist CLI also allows you to edit an already established tunnel. The mist edit-tunnel command allows you edit the name, description, and list of accessible CIDRs. However, you cannot edit the list of excluded CIDRs. For instance, let's edit tunnel “MyTunnel”:
root@ubuntu:~ $ mist edit-tunnel e63fddace687u754aa9e66e4g56th257 --name EditedTunnel --cidrs 192.168.2.0/24 192.168.3.0/24 172.19.100.0/24 --description 'This is just an example'
The above command will edit the tunnel with tunnel ID e63fddace687u754aa9e66e4g56th257. Once you run it, the tunnel's name will be changed to “MyEditedTunnel” and Mist.io will also be able to access machines that sit in the 172.19.100.0/24 network.
All tunnel IDs can be retrieved by calling the mist list-tunnels command. Tunnel IDs are required in order to perform actions on existing tunnels, such as editing, deleting, or retrieving a tunnel's configuration script.
- Get the client configuration script
For every already established
root@ubuntu:~ $ mist tunnel-script e63fddace687u754aa9e66e4g56th257
- Get the shell command
Similarly, you may request the corresponding curl command for a more automated deployment. Again, the tunnel's ID is all that needs to be provided to the shell command:
root@ubuntu:~ $ mist tunnel-command e63fddace687u754aa9e66e4g56th257
- Delete tunnel
Finally, you can tear down an existing VPN tunnel using the mist delete-tunnel command, as follows:
root@ubuntu:~ $ mist delete-tunnel e63fddace687u754aa9e66e4g56th257