This guide provides an example for setting up PrivX Routers in HA mode.
In this example setup we use RHEL's keepalived and conntrackd to create a two-node Router cluster in active/passive mode. keepalived moves the shared Virtual IP (VIP) between the nodes with VRRP, and conntrackd replicates the connection-tracking state of active connections between the nodes, so that existing connections survive a failover without the client noticing.
The iptables rules must be replicated as well, so that connections established through the active node can continue after a handover to the passive node. For this, the setup described in this guide relies on the sshexec Router type and on auxiliary scripts that configure iptables using the SNAT method.
Note: the procedures described in this guide are for example purposes only. A PrivX-Router-HA setup is not in the scope of standard support; if you need help setting up PrivX Routers in an HA configuration, contact professional services via support.ssh.com.
Prerequisites for PrivX-Router-HA Setup
The HA PrivX router setup requires certain network-related configurations to be in place:
- VPN gateways must route traffic destined for the network targets via a dedicated PrivX Router VIP (Virtual IP).
- Any network devices on the path must be configured so that return traffic from the network targets is routed back via the Router cluster's VIP.
- IP forwarding must be enabled on the Router machines.
Your environment must have the following components:
- PrivX load balancer
- PrivX Router node1
- PrivX Router node2
- Virtual IP (VIP) to be shared between all Router nodes
- VPN Gateway
- Target subnet(s)
- Keepalived Virtual Router ID (a number between 1 and 255 that is unique among the VRRP instances on the same network segment)
To follow this example setup, you will need to download the PrivX-Router-HA-Example package. The package contains extra scripts and configurations for Router HA functionality. In the following instructions, <PrivX-Router-HA-Example> refers to the path where you extracted the PrivX-Router-HA-Example package.
The setup process assumes that:
- PrivX service and a load balancer are already configured and operational.
- On the Router machines, the setup is executed with a privileged account or otherwise with sufficient privileges.
- SELinux is set to permissive mode on the Router machines. The example is written for permissive mode; this guide does not provide the SELinux policy that the Router scripts would need under enforcing mode.
The process consists of the following configuration areas:
- Configurations on the cluster's Router nodes:
  - privx-router service on the cluster
  - keepalived service
  - conntrackd service
- PrivX service settings related to Network Target access
Configuring PrivX Routers for HA
PrivX Router HA configuration involves the following actions:
- Basic privx-router setup and HA modifications.
- Setting up keepalived and conntrackd.
- Restarting services to apply configuration changes.
The actions must be repeated on each Router belonging to the HA cluster.
Basic privx-router Setup and HA Modifications
Create a privx user for running the Router service and synchronizing iptables:
  sudo adduser privx
The privx user needs permission to operate iptables and to run the HA scripts. Grant it by adding the following sudoers rules (put them in a file under /etc/sudoers.d and check the syntax with visudo before saving):
  %privx ALL = NOPASSWD: /usr/sbin/iptables, /usr/sbin/ip6tables, /sbin/sysctl
  %privx ALL = NOPASSWD: /opt/privx/scripts/sync_iptables.sh
  %privx ALL = NOPASSWD: /sbin/iptables-restore
  %privx ALL = NOPASSWD: /sbin/iptables-save
Be aware of what these rules grant: unrestricted sudo access to sysctl and iptables-restore makes the privx account effectively root-equivalent on the Router node, since anyone who can run commands as privx can change any kernel parameter and replace the whole firewall ruleset. Treat the account, its SSH keys and the files it owns accordingly, and narrow the sysctl rule to the specific parameters the scripts set once you have reviewed them.
For synchronizing iptables in an HA setup, the privx users on the Routers must be able to access each other non-interactively. To accomplish this, set up public-key authentication between the privx users.
Generate a key pair for the privx user on Router node1, for example:
  su - privx
  ssh-keygen -t ed25519 -f ~/.ssh/routersynckey
This writes the private key to ~/.ssh/routersynckey and the public key to ~/.ssh/routersynckey.pub.
Authorize the key for the privx account on Router node2. Typically this means adding the previously generated public key to the ~/.ssh/authorized_keys file of privx@node2.
Test that privx@node1 can ssh to privx@node2 without being prompted for a password. On the first connection you are asked to accept node2's host key; compare the fingerprint shown with the fingerprint of node2's own host key (read on node2 itself) before accepting it, rather than trusting whatever answers on the network:
  ssh -i ~/.ssh/routersynckey privx@node2
Repeat these steps on node2 to enable public-key authentication from node2 to node1.
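As an added example (not part of the PrivX-Router-HA-Example package or of PrivX itself), the following script installs the peer node's sync key so that the trust is limited to what the sync needs: the authorized_keys entry is bound to the peer's address with from= and forbids agent, port and X11 forwarding, and the insert is idempotent so re-running the setup never duplicates the line. The restriction set is an assumption about sync_iptables.sh, namely that it only runs commands over ssh; no-pty is deliberately not set, because the manual ssh test above expects an interactive login. The key blob and addresses in the demo are constructed, not real.

```sh
#!/bin/sh
# Added example, not from the PrivX-Router-HA-Example package: install the
# peer Router's sync public key with restrictions on what it may be used for.
set -eu

# restricted_key_line PEER_ADDR PUBKEY_LINE
# Prints the authorized_keys entry: the key is usable only from PEER_ADDR and
# cannot open forwarded ports, agent or X11 channels (assumed not needed by
# sync_iptables.sh). Returns 2 on a line that does not look like a public key.
restricted_key_line() {
    local peer="$1" pubkey="$2" keytype keydata comment
    # Split the key line into type, base64 blob and optional comment.
    # shellcheck disable=SC2086
    set -- $pubkey
    keytype="${1:-}"
    keydata="${2:-}"
    if [ $# -ge 3 ]; then shift 2; comment=" $*"; else comment=""; fi
    case "$keytype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "restricted_key_line: not a public key line: $pubkey" >&2; return 2 ;;
    esac
    [ -n "$keydata" ] || { echo "restricted_key_line: missing key data" >&2; return 2; }
    printf 'from="%s",no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s %s%s\n' \
        "$peer" "$keytype" "$keydata" "$comment"
}

# add_authorized_key AUTH_FILE PEER_ADDR PUBKEY_LINE
# Appends the restricted entry unless the same key blob is already present,
# and enforces the permissions sshd expects on ~/.ssh and authorized_keys.
add_authorized_key() {
    local auth="$1" peer="$2" pubkey="$3" dir keydata line
    dir=$(dirname "$auth")
    keydata=$(printf '%s\n' "$pubkey" | awk '{print $2}')
    line=$(restricted_key_line "$peer" "$pubkey")   # validates the key first
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$auth"
    chmod 600 "$auth"
    if grep -qF -- "$keydata" "$auth"; then
        echo "add_authorized_key: key already authorized in $auth" >&2
        return 0
    fi
    printf '%s\n' "$line" >> "$auth"
}

# Demo with constructed values: the key blob below is not a real key.
demo_dir=$(mktemp -d)
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYBLOBNOTAREALKEY0000000000000000 privx@node1'
add_authorized_key "$demo_dir/.ssh/authorized_keys" 10.10.0.11 "$demo_key"
cat "$demo_dir/.ssh/authorized_keys"
# On node2 you would run, as privx, with node1's address and node1's public key:
#   add_authorized_key ~/.ssh/authorized_keys <node1 address> "$(cat routersynckey.pub)"
```

The from= option is checked by sshd against the client's source address, so a copy of the private key taken off node1 is useless from any other machine; this is the cheapest containment available for a key that cannot have a passphrase.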
Install the Router files on the machine. Copy and extract the PrivX-Router-HA-Example package to the machine, then create the directories for the Router files:
  sudo mkdir -p /opt/privx/scripts /opt/privx/etc
  sudo chown -R root:root /opt/privx
  sudo chmod -R 0755 /opt/privx
Then copy the files from the extracted package to the following locations:
  cd <PrivX-Router-HA-Example>
  sudo cp scripts/setup.sh /opt/privx/scripts/setup.sh
  sudo chown privx:privx /opt/privx/scripts/setup.sh
  sudo chmod 0755 /opt/privx/scripts/setup.sh
  sudo cp etc/privx-router.env /opt/privx/etc/privx-router.env
  sudo chown privx:privx /opt/privx/etc/privx-router.env
  sudo chmod 0444 /opt/privx/etc/privx-router.env
  sudo cp scripts/sync_iptables.sh /opt/privx/scripts/sync_iptables.sh
  sudo chown privx:privx /opt/privx/scripts/sync_iptables.sh
  sudo chmod 755 /opt/privx/scripts/sync_iptables.sh
You will need to modify some Router files for HA compatibility:
- In /opt/privx/scripts/setup.sh, replace <Other_Router_Address> with the address of the other Router node.
- Configure at least the following settings in /opt/privx/etc/privx-router.env:
  - RAC_IP_POOL - the IP pool(s) from which clients access network targets.
  - RAC_BYPASS_TARGETS - the PrivX load balancer's IP.
  - PRIVX_TARGET_SNAT_IP - the VIP of this Router cluster.
- In /opt/privx/scripts/sync_iptables.sh, replace <Other_Router_Address> with the address of the other Router node.
Configure the privx-router service as a system service.
The privx-router scripts must be executed on boot. This can be achieved by, for example, setting up privx-router as a systemd service. The unit below runs the scripts as the privx user; the privileged iptables and sysctl calls they make rely on the sudoers rules added earlier. privx-router.service contents:
  [Unit]
  Description=PrivX Router Service
  Wants=network.target
  Requires=network.target
  [Service]
  Type=oneshot
  User=privx
  Group=privx
  ExecStart=/opt/privx/scripts/setup.sh up
  ExecStop=/opt/privx/scripts/setup.sh down
  RemainAfterExit=true
  [Install]
  WantedBy=multi-user.target
Configure persistent static routing on the Router nodes: the Routers need to route traffic back to the VPN gateway from the cluster's VIP, and that route must survive a reboot (on RHEL, for example, as part of the NetworkManager connection profile rather than a one-off ip route command).
IPv4 forwarding on the Router nodes must likewise be enabled and persist across reboots: set the net.ipv4.ip_forward kernel parameter to 1, for example through a drop-in file under /etc/sysctl.d, so that it is applied again at boot.
Setting up keepalived and conntrackd
To set up keepalived:
Install keepalived:
  sudo yum install keepalived
Create the required directory with the necessary permissions:
  sudo mkdir -p /usr/libexec/keepalived
  sudo chmod 0755 /usr/libexec/keepalived
  sudo chown root:root /usr/libexec/keepalived/
Copy the configuration files and set permissions:
  cd <PrivX-Router-HA-Example>
  sudo cp scripts/check_router_health_status.sh /usr/libexec/keepalived/check_router_health_status.sh
  sudo chown privx:privx /usr/libexec/keepalived/check_router_health_status.sh
  sudo chmod 0755 /usr/libexec/keepalived/check_router_health_status.sh
  sudo cp scripts/primary-backup.sh /usr/libexec/keepalived/primary-backup.sh
  sudo chown privx:privx /usr/libexec/keepalived/primary-backup.sh
  sudo chmod 0755 /usr/libexec/keepalived/primary-backup.sh
  sudo cp conf/keepalived.conf /etc/keepalived/keepalived.conf
  sudo chown privx:privx /etc/keepalived/keepalived.conf
  sudo chmod 644 /etc/keepalived/keepalived.conf
These scripts and the configuration are owned by privx, while keepalived itself runs as root and is what executes the scripts; anyone who can write files as privx can therefore decide what keepalived runs as root. This is another reason to treat the privx account as a privileged account on the Router nodes.
In /etc/keepalived/keepalived.conf, replace the placeholder values as follows:
- <VRRP_NIC> - the network interface on which VRRP runs (see ip -br a)
- <Router_VIP>/<MASK> - the VIP and network mask for this environment
- <Virtual_Router_ID> - the Virtual Router ID chosen in the prerequisites; it must differ from the ID of any other VRRP cluster on the same network segment, or the two clusters will interfere with each other's elections
keepalived setup is now complete.
To configure conntrackd:
Install conntrackd:
  sudo yum install conntrackd
Copy the configuration and set permissions:
  cd <PrivX-Router-HA-Example>
  sudo cp conf/conntrackd.conf /etc/conntrackd/conntrackd.conf
  sudo chown privx:privx /etc/conntrackd/conntrackd.conf
  sudo chmod 644 /etc/conntrackd/conntrackd.conf
In /etc/conntrackd/conntrackd.conf, replace the placeholder values:
- <Current_Router_Address> - address of the current Router
- <Other_Router_Address> - address of the other Router
- <Router_VIP> - VIP of the Router cluster
conntrackd exchanges connection-tracking state between the two Router addresses without authentication or encryption, so that traffic must stay on a network segment that only the Router nodes can reach.
conntrackd is now set up.
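The setup.sh, sync_iptables.sh, keepalived.conf and conntrackd.conf edits above all amount to the same task: replace <Placeholder> tokens with this environment's values and make sure none is left behind, since a forgotten <Other_Router_Address> only shows up as a failed sync or a node that never takes the VIP. The following helper is an added example, not part of the PrivX-Router-HA-Example package: it renders the tokens from NAME=VALUE pairs and refuses any file that still contains one. It assumes values never contain the characters '|', '&' or '\', which holds for addresses, masks, interface names and router IDs. The template in the demo is constructed for the example and is not the package's keepalived.conf.

```sh
#!/bin/sh
# Added example, not part of the PrivX-Router-HA-Example package: fill the
# <Placeholder> tokens in the example configs and refuse files that still
# contain one.
set -eu

# render_placeholders SRC DST NAME=VALUE...
# Replaces every literal "<NAME>" in SRC with VALUE and writes the result to DST.
# Values may not contain '|', '&' or '\' (the sed delimiter and sed specials).
render_placeholders() {
    local src="$1" dst="$2" expr="" kv name value
    shift 2
    for kv in "$@"; do
        name="${kv%%=*}"
        value="${kv#*=}"
        case "$value" in
            *'|'*|*'&'*|*'\'*)
                echo "render_placeholders: unsupported character in value for $name" >&2
                return 2 ;;
        esac
        expr="${expr:+$expr;}s|<${name}>|${value}|g"
    done
    sed -e "$expr" "$src" > "$dst"
}

# check_placeholders FILE
# Returns 0 if no "<Name_Like_This>" token remains in FILE, 1 otherwise,
# listing the offending lines so the missed value is easy to spot.
check_placeholders() {
    if grep -nE '<[A-Za-z][A-Za-z0-9_]*>' "$1"; then
        echo "check_placeholders: unreplaced placeholders in $1" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed template (not the package's own keepalived.conf).
demo=$(mktemp -d)
cat > "$demo/keepalived.conf.tmpl" <<'EOF'
vrrp_instance PRIVX_ROUTER {
    interface <VRRP_NIC>
    virtual_router_id <Virtual_Router_ID>
    virtual_ipaddress {
        <Router_VIP>/<MASK>
    }
}
EOF
render_placeholders "$demo/keepalived.conf.tmpl" "$demo/keepalived.conf" \
    VRRP_NIC=eth0 Router_VIP=10.10.0.50 MASK=24 Virtual_Router_ID=51
check_placeholders "$demo/keepalived.conf"
cat "$demo/keepalived.conf"
```

Render into a temporary file and copy it into /etc only after check_placeholders succeeds; that keeps a half-edited configuration from ever being loaded by keepalived or conntrackd.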
Restarting Router Services
Restart all Router-related services, and make sure all three units are enabled so that they also start at boot:
  sudo systemctl restart keepalived
  sudo systemctl restart conntrackd
  sudo systemctl restart privx-router
Your PrivX Router nodes are now set up for HA operation.
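Before moving on to the PrivX side it is worth confirming that the cluster is in the state the design expects: forwarding on, and the VIP present on exactly one node. The following checks are an added example, not part of the PrivX-Router-HA-Example package. The functions take command output as text, so the same logic can be run against the output of ip -br addr collected from both nodes; zero holders means no node took the VIP, two holders means both nodes believe they are MASTER (split brain, typically VRRP traffic blocked between them). The addresses in the demo are constructed.

```sh
#!/bin/sh
# Added example, not part of the PrivX-Router-HA-Example package: sanity checks
# for the Router cluster state after the services have been restarted.
set -eu

# node_holds_vip VIP "<output of: ip -br addr>"
# Returns 0 when VIP (with any prefix length) is configured in that output.
node_holds_vip() {
    local vip="$1" addr_output="$2" re
    re=$(printf '%s' "$vip" | sed 's/\./\\./g')   # escape dots for grep -E
    printf '%s\n' "$addr_output" | grep -Eq "(^|[[:space:]])${re}/[0-9]+([[:space:]]|\$)"
}

# vip_holder_count VIP OUTPUT...
# Prints how many of the given "ip -br addr" outputs carry the VIP.
vip_holder_count() {
    local vip="$1" n=0 out
    shift
    for out in "$@"; do
        if node_holds_vip "$vip" "$out"; then n=$((n + 1)); fi
    done
    printf '%s\n' "$n"
}

# cluster_state VIP OUTPUT...
# active: exactly one node holds the VIP (healthy active/passive)
# none: no node holds it (keepalived down or health check failing everywhere)
# split-brain: several nodes hold it (nodes cannot see each other's VRRP)
cluster_state() {
    case "$(vip_holder_count "$@")" in
        0) echo none ;;
        1) echo active ;;
        *) echo split-brain ;;
    esac
}

# forwarding_enabled "<contents of /proc/sys/net/ipv4/ip_forward>"
forwarding_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = 1 ]
}

# live_check VIP: run on one Router node; reports its own role in the cluster.
live_check() {
    local vip="$1"
    forwarding_enabled "$(cat /proc/sys/net/ipv4/ip_forward)" \
        || { echo "net.ipv4.ip_forward is not 1 on this node" >&2; return 1; }
    if node_holds_vip "$vip" "$(ip -br addr)"; then
        echo "this node holds $vip (active)"
    else
        echo "this node does not hold $vip (passive)"
    fi
}

# Demo with constructed "ip -br addr" output from two nodes.
node1_addr='lo     UNKNOWN  127.0.0.1/8 ::1/128
eth0   UP       10.10.0.11/24 10.10.0.50/24 fe80::1/64'
node2_addr='lo     UNKNOWN  127.0.0.1/8 ::1/128
eth0   UP       10.10.0.12/24 fe80::2/64'
echo "cluster state: $(cluster_state 10.10.0.50 "$node1_addr" "$node2_addr")"
```

Run live_check with the cluster's VIP on each node after a deliberate failover (stop keepalived on the active node) to confirm the VIP moves and that an existing session through the cluster stays up; if it drops, the conntrackd synchronization is not working even though the VIP moved.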
Configuring PrivX Service for Router HA
To support sshexec-type Routers, set up the PrivX Servers to configure the necessary iptables rules over SSH on whichever Router node currently holds the VIP. To do this, perform the following on all your PrivX Servers:
Create the directories and set permissions for them:
  sudo mkdir -p /opt/privx/privx-router/sshexec
  sudo chown root:privx /opt/privx/privx-router/sshexec
  sudo chmod 750 /opt/privx/privx-router/sshexec
Copy the <PrivX-Router-HA-Example>/scripts/add script to /opt/privx/privx-router/sshexec/add. Then make it executable and link the del script to it:
  sudo chmod 755 /opt/privx/privx-router/sshexec/add
  sudo ln -s /opt/privx/privx-router/sshexec/add /opt/privx/privx-router/sshexec/del
After these steps are performed on each PrivX Server, proceed to enabling connections from PrivX to the Routers.
To enable non-interactive SSH connections from PrivX to the Routers:
Create a dedicated role for PrivX to control access to the Routers. The role should grant access to the Router machines only, and it must not be granted to PrivX users.
Also generate a principal key for the role. This is used for public-key authentication to the Router machines.
Add the Router cluster to PrivX as a host with the following configuration:
- The host's Addresses must include <Current_Router_Address>, <Other_Router_Address>, and <Router_VIP> (the values set earlier in conntrackd.conf).
- Define the host's SSH service. Then, under its Additional Settings, specify the SSH host keys of both Routers, so that PrivX can verify whichever node answers on the VIP after a failover.
- Add an Explicit account with username privx to this host with the dedicated Router role. Under Allowed Service Options, allow only Exec.
Configure Network Access Manager in GUI
The client_ip_pool must match the RAC_IP_POOL provided earlier. The username and hostname are used when connecting to the Router over SSH. The hostname can contain an optional port number and an optional Extender prefix. The optional parameter max_concurrent_ssh_exec_requests sets the size of the SSH exec worker pool; the default is 1.
- Navigate to Administration→Settings→Network Access Manager, then Edit the Routers setting.
- In the Routers setting, specify a router with the following parameters:
  - Type: sshexec
  - Host name: the VIP of the Router cluster
  - Client IP pool: must match the IP pool(s) serviced by this Router cluster (configured in the RAC_IP_POOL variable earlier)
- Restart PrivX to apply your changes.
Your Router cluster should now be set up and functional.