PrivX Router Configuration
Network access manager supports three router types (linux-iptables, sshexec and exec) and a logger router type intended for debugging.
The routers are configured to network access manager via the settings UI. The configuration is specified as an array of router configuration objects. A router configuration object has the following properties:
- type: router type
- client_ip_pool: an array of remote access client IP CIDRs the router handles
- username: SSH username, used with linux-iptables and sshexec routers
- hostname: SSH hostname, used with linux-iptables and sshexec routers
- router_sources: Array of IP addresses and IP CIDRs for restricting where extender listener sockets can be connected from. Mandatory for exec router, optional for linux-iptables and sshexec routers
- max_concurrent_ssh_exec_requests: maximum number of concurrent SSH exec requests, used with linux-iptables and sshexec routers
- parameters: a string of parameters to pass to router configuration commands, used with sshexec and exec routers; network access manager does not interpret or use it.
The client_ip_pool parameter is used when deciding the set of routers where a network access session's rules are to be configured.
The routers can be configured to the following configurations:
Multiple VPN GWs: each router is associated with a VPN GW and the routers' client_ip_pools do not overlap. In this configuration the network access session rules are configured to a single router.
High Availability Setup: two or more routers are associated with a VPN GW cluster and those routers' client_ip_pools are configured to the IP pool the VPN GW cluster allocates remote IP addresses from. In this configuration the network access session rules are configured to all routers that are associated with the VPN GW cluster. Note that this setup requires the VPN GW cluster to be able to route individual IP flows via a single router so that the same NAT state is used for all packets of the IP flow.
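As an added example (not PrivX's own code), the following Python script checks a router configuration array against the property rules listed above and shows how client_ip_pool decides where a session's rules are configured: one router when the pools are disjoint (multiple VPN GWs), every router whose pool contains the client address when the pools are shared (High Availability). The sample configurations, hostnames and parameter strings are constructed for this example. It rejects property names the list above does not mention and pools written with host bits set (for example 10.0.0.1/24); both are this example's assumptions about sensible input, not documented network access manager behaviour.

```python
"""Validate a network access manager router configuration array and work out
which routers a session's rules land on. Added example, not PrivX code."""
import ipaddress
import json
from typing import List, Tuple

# Property names taken from the list above; anything else is treated as a typo.
KNOWN_KEYS = {"type", "client_ip_pool", "username", "hostname", "router_sources",
              "max_concurrent_ssh_exec_requests", "parameters"}

# Mandatory properties per router type (router_sources is mandatory only for exec).
REQUIRED = {
    "linux-iptables": {"client_ip_pool", "username", "hostname"},
    "sshexec": {"client_ip_pool", "username", "hostname"},
    "exec": {"client_ip_pool", "router_sources"},
    "logger": {"client_ip_pool"},
}


def validate_routers(routers) -> List[str]:
    """Return a list of problems; an empty list means the array is acceptable."""
    errors: List[str] = []
    if not isinstance(routers, list):
        return ["configuration must be a JSON array of router objects"]
    for i, r in enumerate(routers):
        tag = f"router[{i}]"
        rtype = r.get("type")
        if rtype not in REQUIRED:
            errors.append(f"{tag}: unknown router type {rtype!r}")
            continue
        for k in sorted(REQUIRED[rtype] - set(r)):
            errors.append(f"{tag} ({rtype}): missing mandatory property {k!r}")
        for k in sorted(set(r) - KNOWN_KEYS):
            errors.append(f"{tag} ({rtype}): unknown property {k!r}")
        for key in ("client_ip_pool", "router_sources"):
            values = r.get(key, [])
            if not isinstance(values, list):
                errors.append(f"{tag}: {key} must be an array")
                continue
            for cidr in values:
                try:
                    # strict=True rejects "10.0.0.1/24" (host bits set): almost always
                    # an address written where a network was meant. A bare address
                    # such as "10.0.1.1" is accepted as a /32 (or /128).
                    ipaddress.ip_network(cidr, strict=True)
                except ValueError:
                    errors.append(f"{tag}: {key} entry {cidr!r} is not a valid IP address or CIDR")
        n = r.get("max_concurrent_ssh_exec_requests")
        if n is not None and (isinstance(n, bool) or not isinstance(n, int) or n < 1):
            errors.append(f"{tag}: max_concurrent_ssh_exec_requests must be a positive integer")
    return errors


def overlapping_pools(routers) -> List[Tuple[int, int, str, str]]:
    """Pairs of distinct routers whose client_ip_pool entries overlap. Overlap is
    expected in the High Availability setup (cluster members share the pool) and
    is a misconfiguration in the multiple-VPN-GW setup. Call after validation."""
    nets = [(i, ipaddress.ip_network(c)) for i, r in enumerate(routers)
            for c in r.get("client_ip_pool", [])]
    found = []
    for a in range(len(nets)):
        for b in range(a + 1, len(nets)):
            (i, ni), (j, nj) = nets[a], nets[b]
            if i != j and ni.version == nj.version and ni.overlaps(nj):
                found.append((i, j, str(ni), str(nj)))
    return found


def routers_for_client(routers, client_ip: str) -> List[int]:
    """Indexes of the routers whose client_ip_pool contains client_ip, i.e. the
    routers on which a session from that remote address gets its rules."""
    ip = ipaddress.ip_address(client_ip)
    return [i for i, r in enumerate(routers)
            if any(ip in ipaddress.ip_network(c) for c in r.get("client_ip_pool", []))]


# Constructed sample: an HA pair sharing 10.0.0.0/24 plus a separate exec router.
SAMPLE_CONFIG = json.loads("""
[
  {"type": "linux-iptables", "client_ip_pool": ["10.0.0.0/24"],
   "username": "privx", "hostname": "router-a.example.invalid",
   "router_sources": ["10.0.1.1"], "max_concurrent_ssh_exec_requests": 1},
  {"type": "linux-iptables", "client_ip_pool": ["10.0.0.0/24"],
   "username": "privx", "hostname": "router-b.example.invalid",
   "router_sources": ["10.0.1.2"], "max_concurrent_ssh_exec_requests": 1},
  {"type": "exec", "client_ip_pool": ["12.0.0.0/24"],
   "router_sources": ["12.0.1.1"], "parameters": "site=dc2"}
]
""")

# Constructed sample with four mistakes: exec router without router_sources and
# with host bits in its pool, sshexec router with a misspelled key and a zero limit.
BROKEN_CONFIG = [
    {"type": "exec", "client_ip_pool": ["12.0.0.1/24"], "parameters": "site=dc2"},
    {"type": "sshexec", "client_ip_pool": ["11.0.0.0/24"], "username": "privx",
     "hostname": "router-c.example.invalid", "max_concurrent_ssh_exec_requests": 0,
     "paramters": "typo"},
]

if __name__ == "__main__":
    for problem in validate_routers(BROKEN_CONFIG):
        print("broken:", problem)
    print("rules for 10.0.0.42 go to routers", routers_for_client(SAMPLE_CONFIG, "10.0.0.42"))
    print("overlapping pools:", overlapping_pools(SAMPLE_CONFIG))
```

Run the validator before pasting a new array into the settings UI; a pool that overlaps another router's pool is fine only if both routers front the same VPN GW cluster, so treat overlapping_pools() output as something to confirm against the intended layout rather than as an error by itself.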
Linux IPtables Router
The "linux-iptables" router type is used when configuring network access manager to use the built-in functionality to control a linux iptables based router component over SSH exec.
Requirements:
- Router must be placed on the path between the VPN server and the protected targets, and the router must be able to forward IPv4 and/or IPv6 packets.
- Router must have kernel support for iptables and the user space tooling must be accessible.
- Router must run an SSH server that accepts exec requests.
- Any existing firewall solution on the router must either be disabled or configured to coexist with PrivX managed iptables rules.
To configure a linux-iptables router:
- Download the PrivX-Router-Linux-IPtables.zip package, and install the setup script and environment file following the instructions in the README file.
- Deploy the router as a host to PrivX.
- Configure the router to network access manager via the settings UI.
An example configuration block for linux-iptables router in the network access manager settings:
[
{
"type": "linux-iptables",
"client_ip_pool": [
"10.0.0.0/24"
],
"username": "privx",
"hostname": "router.privx.ssh.com",
"router_sources": [ "10.0.1.1" ],
"max_concurrent_ssh_exec_requests": 1
}
]
For further information refer to the README file inside PrivX-Router-Linux-IPtables.zip package.
SSH Exec Router
The "sshexec" router type is used when integrating a router that can be controlled over SSH exec.
Requirements:
- Router must be placed on the path between the VPN server and the protected targets, and the router must be able to forward IPv4 and/or IPv6 packets.
- Router must run an SSH server that accepts exec requests.
- Router must support configuring firewall rules (including SNAT/DNAT parameters) over SSH exec commands.
To configure a sshexec router:
- Implement control scripts / commands according to documentation in /opt/privx/privx-router/sshexec/README.
- Deploy the router as a host to PrivX.
- Configure the router to network access manager via the settings UI.
An example configuration block for sshexec router in the network access manager settings:
[
{
"type": "sshexec",
"client_ip_pool": [ "11.0.0.0/24" ],
"username": "privx",
"hostname": "router.privx.ssh.com",
"router_sources": [ "11.0.1.1" ],
"max_concurrent_ssh_exec_requests": 1,
"parameters": "router specific parameter string"
}
]
Exec Router
The "exec" router type is used when integrating a router that can be controlled by executing router vendor tools on the PrivX server.
Requirements:
- Router must be placed on the path between the VPN server and the protected targets, and the router must be able to forward IPv4 and/or IPv6 packets.
- There must exist tools to control the router's firewall rules (including SNAT/DNAT parameters), and the PrivX server must be able to execute those tools locally.
To configure an exec router:
- Implement control scripts / commands according to documentation in /opt/privx/privx-router/exec/README.
- Configure the router to network access manager via the settings UI.
An example configuration block for exec router in the network access manager settings:
[
{
"type": "exec",
"client_ip_pool": [ "12.0.0.0/24" ],
"router_sources": [ "12.0.1.1" ],
"parameters": "router specific parameter string"
}
]
Logger Router
The "logger" router type can be used for debugging network session rule add / delete events. When logger router is configured the network access manager logs add / delete events with INFO log level.
An example configuration block for logger router in the network access manager settings:
[
{
"type": "logger",
"client_ip_pool": [ "13.0.0.0/24" ],
"username": "root",
"hostname": "router.privx.ssh.com",
"router_sources": [ "13.0.1.1" ],
"parameters": "router specific parameter string"
}
]
The logger router acts only on the type and client_ip_pool properties; any other properties in its configuration object are merely included in the log output.