About Extender v2
The PrivX Extender v2 introduces improvements over the PrivX Extender v1, including:
- Support for alternative use cases.
- Support for PQC encryption.
- Performance improvements.
Extender v2 uses SSH connections for data transport, whereas Extender v1 uses TLS-secured WebSocket connections. One benefit of the Extender v2 SSH connections is that they support hybrid (post-quantum) key exchange using mlkem1024nistp384-sha384 as the algorithm.
As Extender v2 does not use TLS connections, the registration step required when configuring a new Extender v1 is unnecessary for v2, and TLS certificates are no longer issued to an instance running v2. Instead, registration is performed for every SSH connection between PrivX and the Extender, so the registration status shown in the UI for normal-mode Extenders can be ignored.
From PrivX 42, Extender v1 enters maintenance mode: it will not receive any improvements besides security fixes.
Modes of Operation
PrivX Extender v2 can operate in different modes:
- Normal - Extender v2 connects to the PrivX instance defined in the Extender configuration, as Extender v1 does. If you have private networks that PrivX can't reach directly, you can place a normal-mode Extender v2 in that network and route connections through it. This is the same use case as Extender v1.
- Forward - PrivX connects to the Extender v2 with a persistent control connection. This mode is for situations where the Extender is publicly accessible and your network topology requires PrivX to initiate the SSH connection.
- Passive - PrivX connects to the Extender v2 on demand. Suitable for deployments where there are too many Extenders for PrivX to keep track of, such as site automation. This enables scalability and versatility in your network setup.
An Extender v2 in normal or forward mode keeps a persistent SSH tunnel open at all times, which enables status reporting, remote upgrades, host deployment, and connection requests. The Monitoring→Status page in the PrivX GUI shows the Extender mode, the number of active SSH tunnels, and the number of active connections via the Extender. An Extender v2 in passive mode, on the other hand, has no control connection: it doesn't appear on the monitoring page, it can't be used to deploy hosts, and it can't be remotely upgraded. A passive-mode Extender is assumed to be reachable at all times.
The Extender Service details in the monitoring page will list the number of recently connected Extenders (in the last 8 hours since the last service restart).
For PrivX HA deployments, using any Extender v2 in normal mode requires the PrivX load balancer to use a TCP load balancing strategy (like round-robin), with sticky sessions disabled. This is to ensure that the Extender can reach every PrivX node. Connection timeout must also be disabled.
Connecting via Extenders
When PrivX users connect to a target that's behind Extenders, the connection will be established in the following order of preference:
- Using Extender v1.
- Using Extender v2 in normal mode.
- Using Extender v2 in forward/passive mode.
Extender v2 connections will first try to use active SSH tunnels. If the maximum number of connections through an SSH tunnel (1000) has been reached, Extender Service will open/request a new SSH tunnel. In HA mode, if there are no active connections to the requested normal mode Extender v2, the Extender Service of that node performs a reachability check and a connection request from the other connected nodes.
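The selection rules above, modelled as an added example (this is not PrivX code; the Extender and tunnel records, the action names, and the HA flag are constructed here for illustration):

```python
# Added example, not PrivX code: a model of the route-selection rules described
# above. Extender/tunnel records and the action names are constructed here.
from dataclasses import dataclass, field

MAX_PER_TUNNEL = 1000     # connections per SSH tunnel before a new one is needed

@dataclass
class Extender:
    name: str
    version: int                      # 1 (websocket) or 2 (SSH)
    mode: str = ""                    # v2 only: "normal", "forward" or "passive"
    tunnels: list = field(default_factory=list)   # active connections per open tunnel

def preference(ext):
    # Order of preference from the page: v1, then v2 normal, then v2 forward/passive.
    return 0 if ext.version == 1 else (1 if ext.mode == "normal" else 2)

def choose_route(extenders, ha=False):
    """Pick the Extender to use and how: reuse tunnel i, or obtain a new tunnel.

    Returns (extender name, action, tunnel index or None)."""
    ext = min(extenders, key=preference)
    if ext.version == 1:
        return ext.name, "websocket", None        # v1 has no SSH tunnels
    for i, active in enumerate(ext.tunnels):
        if active < MAX_PER_TUNNEL:              # first tunnel with spare capacity
            return ext.name, "reuse-tunnel", i
    if ext.mode == "normal" and ha and not ext.tunnels:
        # HA: this node has no connection to the Extender, so it performs a
        # reachability check and asks the other connected nodes for a connection.
        return ext.name, "reachability-check-and-peer-request", None
    # Every tunnel is full (or none exists): the Extender Service opens or
    # requests a new SSH tunnel, depending on the mode.
    return ext.name, "new-tunnel", None

if __name__ == "__main__":
    pool = [Extender("ext-b", 2, "normal", tunnels=[1000, 412]),
            Extender("ext-c", 2, "passive")]
    print(choose_route(pool))        # ('ext-b', 'reuse-tunnel', 1)
```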
Comparison of Extender Versions and Modes
| Extender Modes | v1 normal | v2 normal | v2 forward | v2 passive |
|---|---|---|---|---|
| Connection Type | Websockets | SSH | SSH | SSH |
| Connection Initiator | Extender | Extender | PrivX | PrivX |
| Control Connection | Persistent | Persistent | Persistent | On-demand only |
| SSL/TLS Required | Yes | No | No | No |
| Public IP Required | No | No | Yes | Yes |
| Extender Status Report | Yes | Yes | Yes | No |
| PQC Support | No | Yes | Yes | Yes |
| Deployment Script Support | Yes | Yes | Yes | No |
| Remote Upgrade Support | Yes | Yes | Yes | No |
| Best For | Legacy implementation needing outbound access only | Latest implementation with better performance and PQC support; for outbound access only | Latest implementation with better performance and PQC support; for inbound access only | Latest implementation with better performance and PQC support; lower resource usage compared to forward; for inbound access only |
Configuration Changes
After upgrading to PrivX 42 or later, you have the option to download the configuration file for Extender v1 or for Extender v2.
When you create a new Extender configuration, your browser will automatically download the Extender v1 configuration. This is currently transitional behavior that may be changed in a future release.
To configure an Extender v2, you need to manually download the correct version of the configuration.
You can choose the Extender's mode of operation during creation. If you choose forward or passive mode, you must list the address and port where the Extender is accessible. You can only download the Extender v2 configuration when using forward or passive mode.
While the configuration files of the two Extender versions may look similar, they differ in ways that are necessary for the correct functioning of Extender v2. Therefore, download the new configuration for Extender v2 when first creating an Extender v2 and after any configuration change. The notable fields are as follows.
If you are configuring a PrivX Extender v1 instance after the PrivX 42 upgrade, make sure you have also upgraded the PrivX Extender package to version 42 or higher. Existing Extenders do not require any reconfiguring.
extender_mode sets the mode of operation. When unspecified or set to an empty string (""), the legacy Extender v1 starts. When set to "normal", "forward", or "passive", Extender v2 starts in the corresponding mode.
extender_mode = "forward"
privx_deployment_proxy_port sets the Extender's deployment proxy port, which the deployment script uses as the target for deploying hosts behind the Extender to PrivX. In Extender v2 it replaces the v1 field host_deployment_listen_address. The proxy listens on all local interfaces on that port.
# both v1 and v2
privx_deployment_proxy_enabled = true
# v1
host_deployment_listen_address = ":8443"
# v2
privx_deployment_proxy_port = 10443
For Extender v2 in normal mode, privx_instance_endpoints must specify the address and port of the PrivX load balancer that forwards to the Extender Service SSH listener on the PrivX servers (port 2322 by default). In HA mode, this address can be set in the GUI under Administration→Settings→Extender Service as the SSH Listener Load Balancer Address. For a single-server deployment, or when the load-balancer address matches the PrivX frontend_address shared configuration setting, this setting is unnecessary. The value appears in the Extender configuration field with the following syntax.
privx_instance_endpoints = [
"wss://privx-frontend-address.example.com/extender-service/api/v1/ws/extender",
"ssh://privx-load-balancer-address.example.com:2322",
]
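A small checker for the configuration rules described in this section, added here as an example (it is not a PrivX tool; the subset parser and the checks are my reading of the page, and the sample configuration is constructed from the snippets above):

```python
import re
V2_MODES = ("normal", "forward", "passive")

def parse_config(text):
    # Minimal parser for the flat TOML subset shown on the page: strings, ints,
    # booleans and arrays of strings (single- or multi-line); comments dropped.
    cfg, key, items = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if items is None:
            key, _, val = (p.strip() for p in line.partition("="))
            if not val.startswith("["):
                cfg[key] = (val.strip('"') if val.startswith('"')
                            else val == "true" if val in ("true", "false") else int(val))
                continue
            items, line = [], val            # array starts: collect its items below
        items += re.findall(r'"([^"]*)"', line)
        if line.endswith("]"):
            cfg[key], items = items, None
    return cfg

def check_config(cfg):
    # Returns a list of problems; empty means the config is consistent with the
    # rules above as I read them (this is not an official PrivX validator).
    mode = cfg.get("extender_mode", "")
    eps = cfg.get("privx_instance_endpoints", [])
    proxy = cfg.get("privx_deployment_proxy_enabled", False)
    if mode not in ("",) + V2_MODES:
        return [f"unknown extender_mode {mode!r}"]
    problems = []
    if mode == "":                           # legacy Extender v1: websocket transport
        if not any(e.startswith("wss://") for e in eps):
            problems.append("v1 needs a wss:// endpoint in privx_instance_endpoints")
        if proxy and "host_deployment_listen_address" not in cfg:
            problems.append("v1 deployment proxy needs host_deployment_listen_address")
    elif mode == "normal" and not any(e.startswith("ssh://") for e in eps):
        problems.append("v2 normal mode needs an ssh:// endpoint (SSH listener, default port 2322)")
    if mode and proxy and "privx_deployment_proxy_port" not in cfg:
        problems.append("v2 deployment proxy needs privx_deployment_proxy_port")
    return problems

SAMPLE_V2 = '''# constructed sample, modelled on the page's snippets
extender_mode = "normal"
privx_deployment_proxy_enabled = true
privx_deployment_proxy_port = 10443
privx_instance_endpoints = [
  "wss://privx-frontend-address.example.com/extender-service/api/v1/ws/extender",
  "ssh://privx-load-balancer-address.example.com:2322",
]'''
```

Calling check_config(parse_config(SAMPLE_V2)) returns an empty list; dropping the ssh:// endpoint or privx_deployment_proxy_port from the sample produces a corresponding problem entry.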
Recommendations
All Extenders under the same prefix should use the same mode of operation.
If you need to change the mode of an Extender after first deployment, you will need to:
- Change the mode of operation in the Extender configuration on the PrivX side.
- Download the new configuration and replace it on all the Extender hosts under the same prefix.
Extender v2 FAQ
How long will PrivX Extender v1 be supported?
After PrivX 42, PrivX Extender v1 will continue to function until further notice. Please follow future PrivX release notes for updates.
Can I have both v1 and v2 Extenders in my PrivX environment?
Yes. After upgrading to PrivX 42, existing Extender v1 instances will continue to operate. When you need to deploy new Extenders, we recommend doing so with Extender v2s. We also recommend planning a timeline to retire Extender v1 instances.
Does Extender v2 support an HA setup with routing prefix?
Yes. We recommend configuring all Extenders within the same routing prefix to use the same mode. Note that for PrivX 42, load balancing by connection count isn't available (PX-8185).
After upgrading to PrivX 42, can I still configure new v1 Extender instances?
Yes. Please ensure that the PrivX Extender RPM is also upgraded to version 42 before creating new Extender v1 configurations. When downloading the configuration, be sure to choose Download v1 Config.
I'm running PrivX 41 and PrivX Extender 41. After upgrading PrivX to version 42, do I also need to upgrade PrivX Extender RPM to version 42?
Running the same version of PrivX and PrivX Extender is always recommended. Your existing PrivX Extender 41 instances will continue to work with PrivX 42. However, you cannot create new Extender instances until the Extender package is upgraded to version 42.
How do I determine an Extender's version?
In the PrivX GUI under Monitoring→Status, if an Extender instance displays the Extender Mode field, it is an Extender v2 instance.