1.3.6. OpenNAC VPNGW
The ON VPNGW node acts as a tunnel terminator: it terminates the WireGuard tunnels through which VPN connections are established.
This lets authorized users connect securely to a private network. In addition, VPNGW incorporates Shorewall, which lets users define rules that control traffic between the different network zones. With Shorewall, permissions or restrictions can be expressed in terms of source, destination, ports and protocols, giving finer control over, and better security for, the network configuration.
It is a mandatory component for the Secure Remote Access (2SRA) module, which includes critical components such as:
Policy Enforce: stateful firewall module that allows access rules to be defined and enforced based on source and destination IP address and port.
VPN module: It allows the configuration of the VPN Gateway, authentication, encryption, pool of IP addresses, internal networks, dynamic zones, etc.
Administration Portal: The VPNGW component management console is integrated in the ON Core Administration Portal. You will find it under the VPNGW section.
Note
OpenNAC VPNGW is a critical node of the solution, and a high-availability deployment is recommended. How many nodes are deployed to provide that high availability depends on the deployment requirements and the final architecture design. If this module is offline, VPN connections can no longer be established.
1.3.6.1. Component flows
The following table lists the firewall rules (the flows that must be permitted) for the ON VPNGW component. Each row gives the initiating direction of the flow; reply traffic is handled by the stateful firewall:

Source | Destination | Port | Service
---|---|---|---
Princ/Worker | VPNGW | TCP/10443 | Disconnection
Princ/Worker | VPNGW | TCP/6379 | Redis
VPNGW | Princ/Worker | TCP/443 | HTTPS (HAProxy)
VPNGW | Princ/Worker | TCP/22 | SSH
VPNGW | Princ/Worker | TCP/5002 | Filebeat
VPNGW | Princ/Worker | UDP/2003 | Collectd
VPNGW | Sensor | UDP/4789 | VXLAN
VPNGW | NTP Server | UDP/123 | NTP
VPNGW | DNS Server | UDP/53 | DNS
Internet (PAT) | VPNGW | TCP/443 | HTTPS
Internet (PAT) | VPNGW | UDP/1195 | WIREGUARD
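As an added example (this is not OpenNAC code and not the project's shipped Shorewall configuration), the following Python script encodes the flow table above, renders it as lines in the column order of a Shorewall `rules` file for the VPNGW host, checks candidate connections against it, and flags listening sockets on the VPNGW that no published inbound flow justifies. The zone names `net` and `mgmt`, the mapping of peers onto those zones, and the sample listener list are assumptions constructed for the demonstration; adapt the mapping to the zones declared in your own Shorewall `zones` file.

```python
"""Render the ON VPNGW flow table as Shorewall-style rules and audit
connections and listeners against it.

Added example, not OpenNAC code. Zone names (net, mgmt) and the
peer-to-zone mapping below are assumptions; $FW is Shorewall's name
for the firewall host itself, here the VPNGW.
"""
from typing import Iterable, List, Tuple

Flow = Tuple[str, str, str, int, str]

# Flow table as published for the VPNGW component:
# (source, destination, protocol, destination port, service)
FLOWS: List[Flow] = [
    ("Princ/Worker",   "VPNGW",        "tcp", 10443, "Disconnection"),
    ("Princ/Worker",   "VPNGW",        "tcp", 6379,  "Redis"),
    ("VPNGW",          "Princ/Worker", "tcp", 443,   "HTTPS (HAProxy)"),
    ("VPNGW",          "Princ/Worker", "tcp", 22,    "SSH"),
    ("VPNGW",          "Princ/Worker", "tcp", 5002,  "Filebeat"),
    ("VPNGW",          "Princ/Worker", "udp", 2003,  "Collectd"),
    ("VPNGW",          "Sensor",       "udp", 4789,  "VXLAN"),
    ("VPNGW",          "NTP Server",   "udp", 123,   "NTP"),
    ("VPNGW",          "DNS Server",   "udp", 53,    "DNS"),
    ("Internet (PAT)", "VPNGW",        "tcp", 443,   "HTTPS"),
    ("Internet (PAT)", "VPNGW",        "udp", 1195,  "WIREGUARD"),
]

# Assumed peer -> Shorewall zone mapping (not from the page).
ZONE = {
    "VPNGW": "$FW",
    "Princ/Worker": "mgmt",
    "Sensor": "mgmt",
    "NTP Server": "mgmt",
    "DNS Server": "mgmt",
    "Internet (PAT)": "net",
}

# Constructed sample: (proto, port) pairs a VPNGW might be listening on,
# as one would collect them from `ss -tuln`.
SAMPLE_LISTENERS = [("tcp", 22), ("tcp", 443), ("udp", 1195),
                    ("tcp", 6379), ("tcp", 10443)]


def shorewall_rules() -> List[str]:
    """One ACCEPT line per flow in Shorewall 'rules' column order:
    ACTION  SOURCE  DEST  PROTO  DPORT.  A comment line naming the service
    precedes each rule.  Lines are de-duplicated, so several peers mapped
    to the same zone produce a single rule."""
    lines = ["#ACTION\tSOURCE\tDEST\tPROTO\tDPORT"]
    seen = set()
    for src, dst, proto, port, service in FLOWS:
        rule = f"ACCEPT\t{ZONE[src]}\t{ZONE[dst]}\t{proto}\t{port}"
        if rule in seen:
            continue
        seen.add(rule)
        lines.append(f"# {service}")
        lines.append(rule)
    return lines


def is_allowed(src: str, dst: str, proto: str, port: int) -> bool:
    """True if a connection src -> dst on proto/port matches a published flow.
    Only the initiating direction is listed: the reverse direction of an
    allowed flow returns False, because replies are covered by Shorewall's
    stateful connection tracking rather than by an explicit rule."""
    proto = proto.lower()
    return any(s == src and d == dst and p == proto and pt == port
               for s, d, p, pt, _ in FLOWS)


def unexpected_listeners(listeners: Iterable[Tuple[str, int]],
                         host: str = "VPNGW") -> List[Tuple[str, int]]:
    """Return the (proto, port) sockets open on `host` that no inbound flow
    in the table justifies: the list an operator should review."""
    inbound = {(p, pt) for _, d, p, pt, _ in FLOWS if d == host}
    return sorted(set(listeners) - inbound)


if __name__ == "__main__":
    print("\n".join(shorewall_rules()))
    print("\nListeners without a published inbound flow:",
          unexpected_listeners(SAMPLE_LISTENERS))
```

Running the script prints the rules and reports `[('tcp', 22)]` for the sample listeners: the table lists SSH only as an outbound flow from the VPNGW to Princ/Worker, so an SSH daemon reachable on the VPNGW is not covered by any published rule and administrative access to the node has to be arranged deliberately rather than assumed. Note also that the WireGuard listen port here is UDP/1195, not the 51820 commonly seen in WireGuard documentation, so the port forwarded on the Internet-facing PAT device and the port in client profiles must both use the published value.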
1.3.6.2. Sizing an OpenNAC VPNGW
The size of the Network Access solution infrastructure follows directly from the workload the NAC must sustain: the expected number of users and IP addresses, the types of authentication, and the use cases deployed. This workload can be hard to estimate, but estimating it is a crucial step in building an efficient NAC architecture.
The hardware specifications for the VPN Gateway are:

Resources | Minimum | Recommended
---|---|---
Memory | 16 GB | 32 GB
CPU | 8 CPU | 16 CPU
Disk Size | 200 GB | 200 GB
Disk Type | SCSI/SATA | SSD
Network | 2 NIC | 2 NIC**
Note
** The two network interfaces are intended for service and management respectively (management carrying the internal communication between the different nodes).