Notice
Remote VPN Tunnel Access is available from VAST Cluster 3.2
In the event that VAST Data Support require direct access to your VAST Cluster in order to provide upgrade, maintenance or troubleshooting services, you can open a secure support tunnel to your VAST Cluster and provide access.
For this purpose, VAST Data provides a VPN service that enables you to open a temporary secure tunnel to your VAST Cluster. You control how long the VPN tunnel is open for and you can close it at any time.
Please note:
The VAST Data VPN service runs on a private IP that is not accessible to third parties.
Each customer is assigned a unique gateway IP within the VAST Data VPN service network to open a support tunnel.
As the customer, you open the support tunnel, you control how long the tunnel stays open, and you can close it at any time.
Access to the tunnel is provided to the support engineer by the customer only, who provides access by sharing the unique IP of the tunnel.
The support tunnel enables an authorized support engineer to access one CNode that you specify when you open the tunnel. The support engineer is able to open an SSH session to the CNode and run commands on that CNode.
Tip
Our personnel will only perform tasks for troubleshooting or remote assistance purposes.
- Obtain the following items from your support engineer:
The VAST-support tunnel gateway IP
Your unique VAST-support VPN configuration file
Your unique user name and password for the VAST-support tunnel service
Make sure your firewall allows outbound traffic to the VAST-support tunnel gateway IP on port 1194.
If VMS is running fine, continue with this procedure. Otherwise, see If VMS is Not Running.
- Log into the VAST CLI using the admin user.
$ /vast/data/vms.sh vcli -u admin -p ******
- Run the vpntunnel create command, with the username and password that you received from the support engineer.
  - For first time use, include the --vpn-config parameter. You'll be prompted to provide the VPN configuration file content. For example:
vcli: admin> vpntunnel create --cnode 3 --ttl 1h --username *** --password *** --vpn-config
Please enter vpn configuration (ALT+ENTER/option+ENTER to finish):
Paste the content and then press ALT+ENTER or option+ENTER.
  - For subsequent uses, you don't need to supply the configuration file content. The user name and password are the same each time:
vcli: admin> vpntunnel create --cnode 2 --ttl 1h --username *** --password ***
The tunnel is now open and will close automatically when the TTL is exceeded.
- Run vpntunnel list to display the VPN tunnel details.
vcli: admin> vpntunnel list
+----+----------+----------+---------------+----------------------+---------------------+
| ID | CNode-ID | CNode-IP | Tunnel-IP     | Tunnel-Creation-Date | Tunnel-End-Date     |
+----+----------+----------+---------------+----------------------+---------------------+
| 37 | 1        | 11.0.0.1 | 10.255.253.2  | 2020-07-16 14:50:43  | 2020-07-16 15:50:43 |
+----+----------+----------+---------------+----------------------+---------------------+
You can see here when the tunnel was created and when it is due to close automatically.
To enable the support engineer to access the tunnel, provide the Tunnel-IP value that appears in the output of the vpntunnel list command.
You do not need to provide the support engineer with any additional credentials.
Note
If VMS is not running, see If VMS is Not Running.
If you want to close the tunnel at any time, use the vpntunnel list command to obtain the tunnel ID, and then run vpntunnel delete. Note that you need to confirm the deletion:
vcli: admin> vpntunnel delete --id 37
Are you sure you want to delete the vpn tunnel [y/N] y
In the event that VMS is not running, you can use this procedure to open and close a remote support tunnel and retrieve the IP to provide to the SE:
- Log in to the CNode from which you want to open a tunnel, and run this command as the root user:
# mkdir -p /var/run/vast-vpn/
- Copy the VPN configuration file that you received from the support engineer to /var/run/vast-vpn/openvpn.conf.
# cp <vpn configuration file> /var/run/vast-vpn/openvpn.conf
- Create the file /var/run/vast-vpn/auth containing the username and then the password, each on their own line, and no additional content:
# vim /var/run/vast-vpn/auth
<username>
<password>
- Start the vast-vpn service.
# systemctl start vast-vpn
After a few seconds, the VAST-support tunnel interface is created. The interface is named tun0 and has an IP within the VPN network. Provide the support engineer with the IP of that interface.
- In order to close the VPN tunnel, stop the service:
# systemctl stop vast-vpn
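The auth file in the manual procedure holds the tunnel credentials in clear text, so it is worth creating it owner-only and checking its shape before starting the service. The following is an added example, not VAST's own tooling: the function names are hypothetical, and the only path used is the /var/run/vast-vpn/auth default from the steps above.

```sh
# Added example: write and validate the credentials file from the manual procedure.
# Function names are hypothetical; the default path is the one given above.

write_vpn_auth() {  # usage: write_vpn_auth [FILE]  (username, then password, on stdin)
    wa_file="${1:-/var/run/vast-vpn/auth}"
    # Reading from stdin keeps the password out of argument lists and shell history.
    IFS= read -r wa_user || return 1
    IFS= read -r wa_pass || return 1
    # Create the file owner-only from the start, then force 600 in case it existed.
    ( umask 077; printf '%s\n%s\n' "$wa_user" "$wa_pass" > "$wa_file" ) || return 1
    chmod 600 "$wa_file"
}

check_vpn_auth() {  # usage: check_vpn_auth [FILE]; returns 0 when the file is sound
    ca_file="${1:-/var/run/vast-vpn/auth}"
    [ -f "$ca_file" ] || { echo "missing: $ca_file" >&2; return 1; }

    # Group and other permission bits (characters 5-10 of ls -l) must all be off.
    ca_perms=$(ls -ld "$ca_file" | cut -c5-10)
    [ "$ca_perms" = "------" ] || { echo "readable beyond owner: $ca_perms" >&2; return 2; }

    # A carriage return (file prepared on Windows) would become part of the value.
    ca_cr=$(printf '\r')
    if grep -q "$ca_cr" "$ca_file"; then
        echo "carriage returns found" >&2; return 3
    fi

    # Exactly two lines: username, then password, and no additional content.
    ca_lines=$(awk 'END { print NR }' "$ca_file")
    [ "$ca_lines" -eq 2 ] || { echo "expected 2 lines, found $ca_lines" >&2; return 4; }
    if grep -q '^$' "$ca_file"; then
        echo "empty username or password line" >&2; return 5
    fi
    return 0
}
```

Run check_vpn_auth as root on the CNode before systemctl start vast-vpn; a non-zero return code identifies which requirement the file fails.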