Articles in this section

Providing Remote Support Access

Sara Levy
  • Updated
Follow

Notice

Remote VPN Tunnel Access is available from VAST Cluster 3.2

In the event that VAST Data Support require direct access to your VAST Cluster in order to provide upgrade, maintenance or troubleshooting services, you can open a secure support tunnel to your VAST Cluster and provide access.

For this purpose, VAST Data provides a VPN service that enables you to open a temporary secure tunnel to your VAST Cluster. You control how long the VPN tunnel is open for and you can close it at any time.

Support Tunnel Security

Please note:

  • The VAST Data VPN service runs on a private IP that is not accessible to third parties.

  • Each customer is assigned a unique gateway IP within the VAST Data VPN service network to open a support tunnel.

  • As the customer, you open the support tunnel, you control how long the tunnel stays open, and you can close it at any time.

  • Access to the tunnel is provided to the support engineer by the customer only, who provides access by sharing the unique IP of the tunnel.

  • The support tunnel enables an authorized support engineer to access one CNode that you specify when you open the tunnel. The support engineer is able to open an SSH session to the CNode and run commands on that CNode.

Tip

Our personnel will only perform tasks for troubleshooting or remote assistance purposes.

Opening a Support Tunnel

  1. Obtain the following items from your support engineer:

    • The VAST-support tunnel gateway IP

    • Your unique VAST-support VPN configuration file

    • Your unique user name and password for the VAST-support tunnel service

  2. Make sure your firewall allows outbound traffic on port 1194 and the VAST-support tunnel gateway IP.

  3. If VMS is running fine, continue with this procedure. Otherwise, see If VMS is Not Running.

  4. Log into the VAST CLI using the admin user.

    $/vast/data/vms.sh vcli -u admin -p ******

  5. Run the vpntunnel create command, with the username and password that you received from the support engineer.

    • For first time use, include the --vpn-config parameter. You'll be prompted to provide the VPN configuration file content. For example:

      vcli: admin> vpntunnel create --cnode 3 --ttl 1h --username *** --password *** --vpn-config

Please enter vpn configuration (ALT+ENTER/option+ENTER to finish):

      Paste the content and then press ALT+ENTER or option+ENTER.

    • For subsequent uses, you don't need to supply the configuration file content. The user name and password is the same each time:

      vcli: admin> vpntunnel create --cnode 2 --ttl 1h --username *** --password ***

    The tunnel is now open and will close automatically when the TTL is exceeded.

  6. Run vpntunnel list to display the VPN tunnel details.

    vcli: admin> vpntunnel list
+----+----------+----------+---------------+----------------------+---------------------+
| ID | CNode-ID | CNode-IP | Tunnel-IP     | Tunnel-Creation-Date | Tunnel-End-Date     |
+----+----------+----------+---------------+----------------------+---------------------+
| 37 | 1        | 11.0.0.1 | 10.255.253.2  | 2020-07-16 14:50:43  | 2020-07-16 15:50:43 |
+----+----------+----------+---------------+----------------------+---------------------+

    You can see here when the tunnel was created and when it is due to close automatically.

Providing Access to the Tunnel

To enable the support engineer to access the tunnel, provide the Tunnel-IP value that appears in the output of the vpntunnel list command.

You do not need to provide the support engineer with any additional credentials.

Closing the Tunnel

Note

If VMS is not running, see If VMS is Not Running.

If you want to close the tunnel at any time, use the vpntunnel list command to obtain the tunnel ID, and then run vpntunnel delete. Note that you need to confirm the deletion:

vcli: admin> vpntunnel delete --id 37
Are you sure you want to delete the vpn tunnel [y/N] y
If VMS is Not Running

In the event that VMS is not running, you can use this procedure to open and close a remote support tunnel and retrieve the IP to provide to the SE:

  1. Log in to the CNode from which you want to open a tunnel, and run this command as the root user:

    # mkdir -p /var/run/vast-vpn/

  2. Copy the VPN configuration file that you received from the support engineer to /var/run/vast-vpn/openvpn.conf.

    # cp <vpn configuration file> /var/run/vast-vpn/openvpn.conf

  3. Create the file /var/run/vast-vpn/auth containing the username and then the password, each on their own line, and no additional content:

    # vim  /var/run/vast-vpn/auth
<username>
<password>

  4. Start the vast-vpn service.

    # systemctl start vast-vpn

    After a few seconds, the VAST-support tunnel interface is created. The interface is named tun0 and has an IP within the VPN network. Provide the support engineer with the IP of that interface.

  5. In order to close the VPN tunnel, stop the service:

    #systemctl stop vast-vpn

Related articles

Comments

0 comments

Article is closed for comments.