PrivX Router Configuration
Network access manager supports certain functional router types and a logger router type.
The routers are configured to network access manager via the settings UI. The configuration is specified as an array of router configuration objects. A router configuration object has the following properties:
- type: router type
- client_ip_pool: an array of remote access client IP CIDRs the router handles
- username: SSH username, used with linux-iptables and sshexec routers
- hostname: SSH hostname, used with linux-iptables and sshexec routers
- router_sources: Array of IP addresses and IP CIDRs for restricting where extender listener sockets can be connected from. Mandatory for exec router, optional for linux-iptables and sshexec routers
- max_concurrent_ssh_exec_requests: maximum number of concurrent SSH exec requests, used with linux-iptables and sshexec routers
- parameters: a string of parameters to pass to router configuration commands, used with sshexec and exec routers; network access manager does interpret or use it.
The client_ip_pool parameter is used when deciding the set of routers where a network access session's rules are to be configured.
The routers can be configured to the following configurations:
-
Multiple VPN GWs: each router is associated with a VPN GW and the routers' client_ip_pools do not overlap. In this configuration the network access session rules are configured to a single router.
-
High Availability Setup: two or more routers are associated with a VPN GW cluster and those routers' client_ip_pools are configured to the IP pool the VPN GW cluster allocates remote IP addresses from. In this configuration the network access session rules are configured to all routers that are associated with the VPN GW cluster. Note that this setup requires the VPN GW cluster to be able to route individual IP flows via a single router so that the same NAT state is used for all packets of the IP flow.
Linux nftables/iptables Router
The linux-nftables and linux-iptables"* router types are used when configuring network access manager to use the built-in functionality to control a linux nftables/iptables based router component over SSH exec.
Requirements:
- Router must be placed on the path between the VPN server and the protected targets, and the router must be able to forward IPv4 and/or IPv6 packets.
- A linux-nftables router must have kernel support for nftables; a linux-iptables router must have kernel support for iptables.
- User space tooling must be accessible.
- Router must run a SSH server that accepts exec requests.
- Any existing firewall solution on the router must either be disabled or configured to coexist with PrivX managed iptables rules.
linux-nftables routers offer better performance than linux-iptables routers.
linux-iptables are unsupported on RHEL/Rocky 9.x.
To configure a linux-nftables router or a linux-iptables router:
- Download the PrivX Router Package. Install the setup script and the environment file according to the README file.
- Deploy the router as a host to PrivX.
- Configure the router in PrivX: On the PrivX UI under Administration→Settings→Network Access Manager, Edit the PrivX Router Configuration. Click Add Router, provide the router settings and click Save.
SSH Exec Router
The "sshexec" router type is used when integrating a router that can be controlled over SSH exec.
Requirements:
- Router must be placed on the path between the VPN server and the protected targets, and the router must able to forward IPv4 and/or IPv6 packets.
- Router must run a SSH server that accepts exec requests.
- Router must support configuring firewall rules (including SNAT/DNAT parameters) over SSH exec commands.
To configure a sshexec router:
- Implement control scripts / commands according to documentation in /opt/privx/privx-router/sshexec/README.
- Deploy the router as a host to PrivX.
- Configure the router to network access manager via the settings UI.
An example configuration block for sshexec router in the network access manager settings:
[
{
"type": "sshexec",
"client_ip_pool": [ "11.0.0.0/24" ],
"username": "privx",
"hostname": "router.privx.ssh.com",
"router_sources": [ "11.0.1.1" ],
"max_concurrent_ssh_exec_requests": 1
"parameters": "router specific parameter string"
}
]
Exec Router
The "exec" router type is used when integrating a router that can be controlled by executing router vendor tools on the PrivX server.
Requirements:
- Router must be placed on the path between the VPN server and the protected targets, and the router must able to forward IPv4 and/or IPv6 packets.
- There must exists tools to control the router's firewall rules (including SNAT/DNAT) parameters, and PrivX server must be able to execute those tools locally.
To configure a exec router:
- Implement control scripts / commands according to documentation in /opt/privx/privx-router/exec/README.
- Configure the router to network access manager via the settings UI.
An example configuration block for exec router in the network access manager settings:
[
{
"type": "exec",
"client_ip_pool": [ "12.0.0.0/24" ],
"router_sources": [ "12.0.1.1" ],
"parameters": "router specific parameter string"
}
]
Logger Router
The "logger" router type can be used for debugging network session rule add / delete events. When logger router is configured the network access manager logs add / delete events with INFO log level.
An example configuration block for logger router in the network access manager settings:
[
{
"type": "logger",
"client_ip_pool": [ "13.0.0.0/24" ],
"username": "root",
"hostname": "router.privx.ssh.com",
"router_sources": [ "13.0.1.1" ],
"parameters": "router specific parameter string"
}
]
The logger router does not use other parameters than type and client_ip_pool for anything else than logging.