This guide provides an example for setting up PrivX Routers in HA mode.

In this example setup we use RHEL's keepalived and conntrackd to create a two-node Router cluster in active/passive mode. Active connections are dynamically replicated between the nodes to ensure seamless handover and persistence of existing connections during failover.

To replicate iptables rules and active connections, so that established connections continue after handover to the passive node, the configuration described in this guide relies on the sshexec router type and on auxiliary scripts that configure iptables using the SNAT method.

The configuration process described in this guide includes the following elements:

The procedures described in this guide are for example purposes only: PrivX-Router-HA setup is not within the scope of standard support. If you need help setting up PrivX Routers in an HA configuration, please contact professional services via support.ssh.com

Prerequisites for PrivX-Router-HA Setup

The HA PrivX router setup requires certain network-related configurations to be in place:

  • VPN gateways must route traffic destined for the network targets via a dedicated PrivX router VIP (Virtual IP).
  • Any network devices on the return path must be configured so that traffic from the network targets is routed back via the router cluster’s VIP.
  • Enable IP forwarding on the Router machines.

Your environment must have the following components:

  • PrivX load balancer
  • PrivX Router node1
  • PrivX Router node2
  • Virtual IP (VIP) to be shared between all Router nodes
  • VPN Gateway
  • Target subnet(s)
  • Keepalived Virtual Router ID (an arbitrary number between 0 and 255)

To follow this example setup, you will need to download the PrivX-Router-HA-Example package. The package contains extra scripts and configurations for Router HA functionality.

In the following instructions, <PrivX-Router-HA-Example> will refer to the path where you extracted the PrivX-Router-HA-Example package.

The setup process assumes that:

  • PrivX service and a load balancer are already configured and operational.
  • On the Router machines, the setup is executed with a privileged account or otherwise with sufficient privileges.
  • SELinux is set to permissive mode on Router machines.

The process consists of the following configuration areas:

  • Configurations on the cluster’s router nodes:
    • privx-router service on the cluster
    • keepalived service
    • conntrackd service
  • Configuring PrivX service settings related to network target access.

Configuring PrivX Routers for HA

PrivX Router HA configuration involves the following actions:

  • Basic privx-router setup and HA modifications.
  • Setting up keepalived and conntrackd.
  • Restarting services to apply configuration changes.

The actions must be repeated on each Router belonging to the HA cluster.

Basic privx-router Setup and HA Modifications

  1. Create a privx user, for running the Router service and synchronizing iptables:

    sudo adduser privx

    The privx user needs permissions for operating iptables and HA scripts. Enable these by adding the following to the sudoers file:

    %privx   ALL = NOPASSWD: /usr/sbin/iptables, /usr/sbin/ip6tables, /sbin/sysctl
    %privx   ALL = NOPASSWD: /opt/privx/scripts/sync_iptables.sh
    %privx   ALL = NOPASSWD: /sbin/iptables-restore
    %privx   ALL = NOPASSWD: /sbin/iptables-save
  2. For synchronizing iptables in the HA setup, the privx user on each Router must be able to log in to the other Router non-interactively. To accomplish this, set up public-key authentication between the privx users.

    1. Generate a private and public key for the privx user on Router node1, for example:

      su - privx
      ssh-keygen -t ed25519 -f ~/.ssh/routersynckey

      This generates a private key to ~/.ssh/routersynckey and a public key to ~/.ssh/routersynckey.pub

    2. Add an authorization to the privx account of Router node2. Typically this means adding the previously-generated public key to the ~/.ssh/authorized_keys file of privx@node2.

    3. Test that privx@node1 can ssh to privx@node2 without being prompted for a password. Also save the target server’s host key when prompted:

      ssh -i ~/.ssh/routersynckey privx@node2

    Repeat these steps on node2 to enable public-key authentication from node2 to node1.

  3. Install the Router files to the machine.

    Copy and extract the PrivX-Router-HA-Example package to the machine.

    Create the directories for Router files:

    sudo mkdir -p /opt/privx/scripts /opt/privx/etc
    sudo chown -R root:root /opt/privx
    sudo chmod -R 0755 /opt/privx

    Then copy the files from the extracted package to the following locations:

    cd <PrivX-Router-HA-Example>
    
    sudo cp scripts/setup.sh /opt/privx/scripts/setup.sh
    sudo chown privx:privx /opt/privx/scripts/setup.sh
    sudo chmod 0755 /opt/privx/scripts/setup.sh
    
    sudo cp etc/privx-router.env /opt/privx/etc/privx-router.env
    sudo chown privx:privx /opt/privx/etc/privx-router.env
    sudo chmod 0444 /opt/privx/etc/privx-router.env
    
    sudo cp scripts/sync_iptables.sh /opt/privx/scripts/sync_iptables.sh
    sudo chown privx:privx /opt/privx/scripts/sync_iptables.sh
    sudo chmod 755 /opt/privx/scripts/sync_iptables.sh
  4. You will need to modify some Router files for HA compatibility.

    In /opt/privx/scripts/setup.sh, replace <Other_Router_Address> with the address of the other Router node.

    Configure at least the following settings in /opt/privx/etc/privx-router.env:

    • RAC_IP_POOL - The possible IPs from which clients can access network targets.
    • RAC_BYPASS_TARGETS - PrivX load balancer's IP.
    • PRIVX_TARGET_SNAT_IP - The VIP of this Router cluster.

    In /opt/privx/scripts/sync_iptables.sh, replace <Other_Router_Address> with the address of the other Router node.

  5. Configure the privx-router service as a system service.

    The privx-router scripts must be executed on boot. This can be achieved by, for example, setting up privx-router as a systemd service. The privx-router.service must be run as root.

    privx-router.service contents:

    [Unit]
    Description=PrivX Router Service
    Wants=network.target
    Requires=network.target

    [Service]
    Type=oneshot
    User=privx
    Group=privx
    ExecStart=/opt/privx/scripts/setup.sh up
    ExecStop=/opt/privx/scripts/setup.sh down
    RemainAfterExit=true

    [Install]
    WantedBy=multi-user.target
  6. Configure persistent static routing on Router nodes: Routers need to route traffic back to the VPN gateway from the cluster's VIP.

    IPv4 forwarding on the Router nodes must be enabled and persist upon reboot.
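The following script is an added example; it is not part of this guide or of the PrivX-Router-HA-Example package. It gathers the checks worth running on each node after steps 1 to 6: the sudoers rules from step 1 installed as a drop-in that visudo validates first, a batch-mode SSH test to the other node for step 2, and the IPv4 forwarding state and the static route back to the VPN gateway for step 6. The drop-in name /etc/sudoers.d/privx-router, the sysctl.d file name 99-privx-router.conf, the NetworkManager connection name, and every address, key path and route value are assumptions supplied by the caller; none of them is a PrivX setting.

```shell
#!/bin/bash
# Added example (not part of the PrivX-Router-HA-Example package). Preflight
# checks for one Router node after the basic setup steps. All addresses, paths
# and file names below are assumptions supplied by the caller.
set -u

# Step 1: the sudoers rules from the guide, installed as a drop-in that visudo
# parses first so a syntax error cannot break sudo for every account.
privx_sudoers_content() {
  cat <<'EOF'
%privx   ALL = NOPASSWD: /usr/sbin/iptables, /usr/sbin/ip6tables, /sbin/sysctl
%privx   ALL = NOPASSWD: /opt/privx/scripts/sync_iptables.sh
%privx   ALL = NOPASSWD: /sbin/iptables-restore
%privx   ALL = NOPASSWD: /sbin/iptables-save
EOF
}

install_privx_sudoers() {         # assumed drop-in name: /etc/sudoers.d/privx-router
  tmp=$(mktemp)
  privx_sudoers_content > "$tmp"
  if ! visudo -cf "$tmp"; then rm -f "$tmp"; return 1; fi
  install -o root -g root -m 0440 "$tmp" /etc/sudoers.d/privx-router
  rm -f "$tmp"
}

# Step 2: BatchMode makes ssh fail instead of prompting, which is what the sync
# scripts need; the peer's host key must already be in known_hosts.
peer_ssh_ok() {                   # $1: other Router address, $2: private key path
  ssh -o BatchMode=yes -o ConnectTimeout=5 -i "$2" "privx@$1" true
}

# Step 6: IPv4 forwarding, live and persisted. The /proc path and the sysctl.d
# directory are parameters so the checks can be run against test files.
ip_forward_enabled() {            # $1: path to ip_forward (default: live kernel value)
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

ip_forward_persisted() {          # $1: sysctl.d directory
  grep -Eqs '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' "${1:-/etc/sysctl.d}"/*.conf
}

persist_ip_forward() {            # assumed file name: 99-privx-router.conf
  printf 'net.ipv4.ip_forward = 1\n' > "${1:-/etc/sysctl.d}/99-privx-router.conf"
  sysctl -w net.ipv4.ip_forward=1
}

# Step 6: the static route back to the VPN gateway. The routing table text is
# passed in ("$(ip route)" in real use) and matched field by field, so a
# destination such as 10.10.0.0/16 is compared literally, not as a regex.
route_present() {                 # $1: ip route output, $2: destination, $3: next hop
  printf '%s\n' "$1" | awk -v d="$2" -v g="$3" \
    '$1 == d && $2 == "via" && $3 == g { found = 1 } END { exit !found }'
}

persist_route() {                 # $1: NetworkManager connection name, $2: destination, $3: next hop
  nmcli connection modify "$1" +ipv4.routes "$2 $3" && nmcli connection up "$1"
}

# Usage: ./preflight.sh check <other-router> <key-path> <vpn-net> <next-hop>
if [ "${1:-}" = "check" ]; then
  rc=0
  peer_ssh_ok "$2" "$3"                 || { echo "peer ssh failed";              rc=1; }
  ip_forward_enabled                    || { echo "ip_forward is off";            rc=1; }
  ip_forward_persisted                  || { echo "ip_forward not in sysctl.d";   rc=1; }
  route_present "$(ip route)" "$4" "$5" || { echo "no route to $4 via $5";        rc=1; }
  exit $rc
fi
```

Run it as root on each node after the basic setup; a non-zero exit lists every failed check at once rather than stopping at the first one, which is more useful when comparing the two nodes side by side.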

Setting up keepalived and conntrackd

To set up keepalived:

  1. Install keepalived:

    sudo yum install keepalived
  2. Create required directories with necessary permissions:

    sudo mkdir -p /usr/libexec/keepalived
    sudo chmod 0755 /usr/libexec/keepalived
    sudo chown root:root /usr/libexec/keepalived/
  3. Copy configuration files and set permissions:

    cd <PrivX-Router-HA-Example>
    
    sudo cp scripts/check_router_health_status.sh /usr/libexec/keepalived/check_router_health_status.sh
    sudo chown privx:privx  /usr/libexec/keepalived/check_router_health_status.sh
    sudo chmod 0755 /usr/libexec/keepalived/check_router_health_status.sh
    
    sudo cp scripts/primary-backup.sh /usr/libexec/keepalived/primary-backup.sh
    sudo chown privx:privx /usr/libexec/keepalived/primary-backup.sh 
    sudo chmod 0755 /usr/libexec/keepalived/primary-backup.sh
    
    sudo cp conf/keepalived.conf /etc/keepalived/keepalived.conf
    sudo chown privx:privx /etc/keepalived/keepalived.conf
    sudo chmod 644 /etc/keepalived/keepalived.conf
  4. In /etc/keepalived/keepalived.conf, replace the placeholder values as follows:

    • <VRRP_NIC> - Network interface used for VRRP (check with ip -br a)
    • <Router_VIP>/<MASK> - The VIP and network mask for this environment
    • <Virtual_Router_ID> - The Keepalived Virtual Router ID chosen for this cluster

    keepalived setup is now complete.

To configure conntrackd:

  1. Install conntrackd:

    yum install conntrackd
  2. Copy configurations and set permissions:

    cd <PrivX-Router-HA-Example>
    
    sudo cp conf/conntrackd.conf /etc/conntrackd/conntrackd.conf
    sudo chown privx:privx /etc/conntrackd/conntrackd.conf
    sudo chmod 644 /etc/conntrackd/conntrackd.conf

    In /etc/conntrackd/conntrackd.conf, replace the placeholder values:

    • <Current_Router_Address> - Address of the current Router.
    • <Other_Router_Address> - Address of the other Router.
    • <Router_VIP> - VIP of the Router cluster.

    conntrackd is now set up.
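As an added example, not part of this guide or of the PrivX-Router-HA-Example package, the helper below performs the placeholder replacements called for in /opt/privx/scripts/setup.sh, /opt/privx/scripts/sync_iptables.sh, /etc/keepalived/keepalived.conf and /etc/conntrackd/conntrackd.conf in one step, and then refuses to report success if any <Placeholder> marker is left behind, since an unreplaced marker leaves keepalived or conntrackd with an invalid interface name or address. The example values in the usage comment and the constructed template used in the test are assumptions; the placeholder names are the ones the guide lists.

```shell
#!/bin/bash
# Added example (not part of the PrivX-Router-HA-Example package): fill the
# <Placeholder> markers in the copied scripts and configuration files, then
# verify that none remain. Example values are assumptions.
set -u

# fill_placeholders FILE NAME=VALUE...  replaces every <NAME> in FILE with VALUE.
# '/' and '&' in values are escaped for sed. The file is rewritten in place
# through cat so the owner and mode set by the guide (privx:privx, 0644/0755)
# are preserved instead of being replaced by a fresh temp file.
fill_placeholders() {
  file=$1; shift
  for pair in "$@"; do
    name=${pair%%=*}
    value=$(printf '%s' "${pair#*=}" | sed 's/[\/&]/\\&/g')
    tmp=$(mktemp)
    sed "s/<$name>/$value/g" "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
  done
}

# check_no_placeholders FILE  prints any remaining <Marker> lines and fails.
check_no_placeholders() {
  if grep -En '<[A-Za-z_]+>' "$1"; then
    echo "unfilled placeholders remain in $1" >&2
    return 1
  fi
}

# The replacements the guide asks for, in one place.
# Arguments: this-node-address other-node-address VIP mask VRRP-interface VRID
fill_node_templates() {
  this=$1; other=$2; vip=$3; mask=$4; nic=$5; vrid=$6
  fill_placeholders /opt/privx/scripts/setup.sh         Other_Router_Address="$other"
  fill_placeholders /opt/privx/scripts/sync_iptables.sh Other_Router_Address="$other"
  fill_placeholders /etc/keepalived/keepalived.conf     VRRP_NIC="$nic" Router_VIP="$vip" \
                                                        MASK="$mask" Virtual_Router_ID="$vrid"
  fill_placeholders /etc/conntrackd/conntrackd.conf     Current_Router_Address="$this" \
                                                        Other_Router_Address="$other" Router_VIP="$vip"
  for f in /opt/privx/scripts/setup.sh /opt/privx/scripts/sync_iptables.sh \
           /etc/keepalived/keepalived.conf /etc/conntrackd/conntrackd.conf; do
    check_no_placeholders "$f" || return 1
  done
}

# Usage on node1 with example (assumed) values:
#   ./fill_templates.sh fill 10.0.0.11 10.0.0.12 10.0.0.100 24 eth0 51
# On node2 swap the first two addresses; VIP, mask, interface and VRID stay the same.
if [ "${1:-}" = "fill" ]; then
  shift
  fill_node_templates "$@"
fi
```

The final loop is the part worth keeping even if you edit the files by hand: a leftover marker in keepalived.conf or conntrackd.conf only shows up as a service failing to start after the restart step, whereas this grep catches it before any service is touched.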

Restarting Router Services

Restart all Router-related services:

sudo systemctl restart keepalived
sudo systemctl restart conntrackd
sudo systemctl restart privx-router

Your PrivX Router nodes are now set up for HA operation.
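The script below is an added example, not part of this guide or of the PrivX-Router-HA-Example package, for checking the cluster state right after the restart: which node currently holds the VIP (and is therefore the active node), whether the three services are running, conntrackd's cache statistics via conntrackd -s, and a controlled failover drill that stops keepalived on the MASTER and confirms the VIP leaves it. The VIP is passed in by the caller; the interface listing in the test is constructed output in the format of ip -br addr, and the sleep interval in the drill is an assumption to be tuned to the advert_int in keepalived.conf.

```shell
#!/bin/bash
# Added example (not part of the PrivX-Router-HA-Example package): post-restart
# checks for the Router cluster. The VIP is supplied by the caller.
set -u

# holds_vip "IP_BR_ADDR_OUTPUT" VIP: true if the VIP is configured on any
# interface. The listing is passed as text ("$(ip -br addr)" in real use) so
# the parser can be exercised against constructed lines; fields 3 onward are
# address/prefix pairs.
holds_vip() {
  printf '%s\n' "$1" | awk -v vip="$2" '
    { for (i = 3; i <= NF; i++) { split($i, a, "/"); if (a[1] == vip) found = 1 } }
    END { exit !found }'
}

node_role() {                     # prints MASTER or BACKUP for this node
  if holds_vip "$(ip -br addr)" "$1"; then echo MASTER; else echo BACKUP; fi
}

services_active() {
  for s in keepalived conntrackd privx-router; do
    systemctl is-active --quiet "$s" || { echo "$s is not active" >&2; return 1; }
  done
}

# conntrackd -s prints the internal and external cache statistics; on the
# BACKUP, entries in the external cache show that replication from the MASTER
# is arriving over the sync channel configured in conntrackd.conf.
replication_stats() { conntrackd -s; }

# Controlled failover drill, to be run on the MASTER during a maintenance
# window: stop keepalived, give VRRP time to fail over, confirm the VIP is gone
# here (it should now be on the other node), then bring keepalived back.
# The sleep value is an assumption; tune it to advert_int in keepalived.conf.
failover_drill() {                # $1: VIP
  [ "$(node_role "$1")" = "MASTER" ] || { echo "run this on the MASTER" >&2; return 1; }
  systemctl stop keepalived
  sleep 5
  if holds_vip "$(ip -br addr)" "$1"; then
    echo "VIP still present after stopping keepalived" >&2
    systemctl start keepalived
    return 1
  fi
  systemctl start keepalived
  echo "failover drill passed; the other node should now report MASTER"
}

# Usage: ./cluster_state.sh role <VIP> | check <VIP> | drill <VIP>
case "${1:-}" in
  role)  node_role "$2" ;;
  check) services_active && node_role "$2" && replication_stats ;;
  drill) failover_drill "$2" ;;
esac
```

Run check on both nodes: exactly one should print MASTER. If both do, the nodes are not seeing each other's VRRP advertisements (wrong <VRRP_NIC>, mismatched Virtual Router ID, or VRRP blocked between the nodes), and the VIP will be claimed twice.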

Configuring PrivX Service for Router HA

To support sshexec-type routers, set up PrivX Servers to dynamically configure necessary iptables rules over ssh on the active node. To do this, perform the following on all your PrivX Servers:

  1. Create directories and set permissions for them:

    sudo mkdir -p /opt/privx/privx-router/sshexec
    sudo chown root:privx /opt/privx/privx-router/sshexec
    sudo chmod 750 /opt/privx/privx-router/sshexec
  2. Copy the <PrivX-Router-HA-Example>/scripts/add script to /opt/privx/privx-router/sshexec/add.

    Also configure the script with:

    sudo chmod 755 /opt/privx/privx-router/sshexec/add
    sudo ln -s /opt/privx/privx-router/sshexec/add /opt/privx/privx-router/sshexec/del

    After these steps are performed on each PrivX Server, proceed to enabling connections from PrivX to Routers.

To enable non-interactive SSH connections from PrivX to Routers:

  1. Create a dedicated role for PrivX to control access to the routers. This role should grant access to Router machines. This role should not be granted to PrivX users.

    Also generate a principal key for the role. This will be used for public-key authentication to the Router machines.

  2. Add the Router machines to PrivX as hosts, with the following configurations:

    • Host's Addresses must include <Current_Router_Address>, <Other_Router_Address>, and <VIP> (these were set previously in conntrackd.conf).
    • Define the host's SSH service. Then, under its Additional Settings, specify the SSH host keys from both Routers.
    • Add an Explicit account with username privx to this host, with the dedicated Router role. Under Allowed Service Options, allow only Exec.

Configure Network Access Manager in GUI

The client_ip_pool must match the RAC_IP_POOL provided earlier. The username and hostname are used when connecting to the router using SSH; the hostname can contain an optional port number and an optional Extender prefix. The optional parameter max_concurrent_ssh_exec_requests sets the SSH exec worker pool size; by default, the size is 1.

  1. Navigate to Administration→Settings→Network Access Manager, then Edit the Routers setting.
  2. In the Routers setting, specify a router with the following parameters:
    • Type: sshexec
    • Host name: VIP of the Router cluster
    • Client IP pool: must match the IP pool(s) serviced by this router cluster (configured in the RAC_IP_POOL variable earlier)
  3. Restart PrivX to apply your changes.

Your Router cluster should now be set up and functional.
