Building a VPN Tunnel Without a Client-Server Connection

Applies to Product: USM Appliance™ AlienVault OSSIM®

If there is no connection between the VPN server and the client, which is often the case in an MSSP (Managed Security Service Provider) environment, the following error occurs when you try to configure the client:

    Building the VPN node configuration...
    Restarting OpenVPN server...
    Retrieving the local vpn server ip...
    Trying to deploy the VPN configuration on the remote AlienVault appliance...
    An error occurred while establishing the vpn tunnel:
    Currently there is no connectivity with the remote AlienVault appliance. The steps to deploy the VPN client manually are the following:
    * A new VPN configuration file has been created for the remote AlienVault appliance at: /etc/openvpn/nodes/[client_IP].tar.gz.
    * Copy this configuration file to the remote AlienVault appliance
    * Extract the configuration file: /bin/tar zxf [client_IP].tar.gz -C /tmp/
    * Move the VPN client configuration file to the OpenVPN folder: cp -arf /tmp/etc/openvpn/nodes/* /etc/openvpn/; mv /etc/openvpn/[client_IP]/*.conf /etc/openvpn/
    * Fire the configuration triggers: dpkg-trigger --no-await alienvault-network-vpn-net-client; dpkg --pending --configure
    * Clean up: rm -rf /tmp/etc
    * Finally, once the VPN connection has been established, please add the remote AlienVault appliance from the Configuration > Deployment menu option on the web UI
    Press [Enter] to continue

Instead of deploying the configuration to the client, the server only creates a configuration file. You must then configure the VPN client manually, as described below.

To configure the VPN client through the command line

  1. Transfer the VPN configuration file to the VPN client manually:

    1. On the VPN server, go to the AlienVault Setup main menu, select Jailbreak System, and press Enter twice to confirm.
    2. Go to /etc/openvpn/nodes/ and locate the <client_IP>.tar.gz file, where <client_IP> is the VPN client IP address you specified in step 4 when creating the VPN client.
    3. Using scp, or a similarly secure copy method, transfer the <client_IP>.tar.gz file to the VPN client and place it in /etc/alienvault/network/.
    4. Type Exit to return to the AlienVault Setup main menu.
  2. Configure the tunnel on the VPN client:

    1. SSH to the VPN client.
    2. In the AlienVault Setup menu, select System Preferences > Configure Network > Setup VPN > Configure VPN client from file, and press Enter (<OK>).
    3. Select the entry with the correct IP address for the VPN client, press Enter (<OK>).
    4. Confirm that the configuration file is the correct one (the file copied in Step 3 of this procedure), then press Enter (<Yes>).

      The system extracts the configuration file and builds the tunnel from it.

Additional Step When the VPN server and VPN client Reside in Different Networks

Be aware that if the VPN client and VPN server are in different private networks and the client can reach the server only through the server's public IP address, you must change the IP address in the configuration file manually.

Consider the following example, where the VPN server and VPN client have different private and public IP addresses:

Sample IP addresses for the VPN server and VPN client

                VPN server      VPN client
    Private IP  192.168.0.1     172.16.20.56
    Public IP   88.132.33.11    145.156.44.33

When configuring the VPN client, enter the public IP address of the client, in this case 145.156.44.33. Extract the resulting /etc/openvpn/nodes/145.156.44.33.tar.gz file and locate the VPN client configuration file, 145.156.44.33.conf. Observe that the private IP address of the VPN server (192.168.0.1) is written into the file instead of its public IP address, as shown on line 4 below:

    client
    dev tun
    proto tcp
    remote 192.168.0.1 33800
    resolv-retry infinite
    nobind
    user nobody
    group nogroup
    verb 3
    ca /etc/openvpn/145.156.44.33/ca.crt
    cert /etc/openvpn/145.156.44.33/145.156.44.33.crt
    key /etc/openvpn/145.156.44.33/145.156.44.33.key
    script-security 2 system
    up "/etc/init.d/fprobe stop || true"
    comp-lzo
    persist-key
    persist-tun

Because the client cannot reach the server's private address, the VPN tunnel is not established. Changing the IP address on that line to 88.132.33.11, the VPN server's public IP address, resolves the issue.
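The following shell script is an added example, not AlienVault's own tooling, that ties together the manual client deployment steps listed in the server's error message and the remote-address fix described in this section. It assumes the bundle layout those steps imply (etc/openvpn/nodes/<client_IP>/<client_IP>.conf inside <client_IP>.tar.gz), that it is run as root on the VPN client, and that the caller knows the server's public IP address. It stages the bundle in a scratch directory, rewrites the remote line only when it points at an RFC 1918 address, and then performs the copy, trigger and cleanup steps from the message. The function names and the /tmp/vpnstage path are this example's own choices.

```shell
#!/bin/sh
# Added example (not AlienVault code): stage a USM Appliance VPN client bundle,
# fix a private "remote" address, and install it with the steps from the server's message.

# is_private_ip IP -> exit 0 when IP is in an RFC 1918 range, 1 otherwise.
is_private_ip() {
    case "$1" in
        10.*)                                   return 0 ;;
        192.168.*)                              return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
        *)                                      return 1 ;;
    esac
}

# remote_ip_of CONF -> prints the IP address on the "remote" line of a client config.
remote_ip_of() {
    awk '$1 == "remote" { print $2; exit }' "$1"
}

# stage_bundle TARBALL STAGEDIR -> extracts the bundle under STAGEDIR and prints the
# path of the client .conf it contains; fails if the bundle has none.
stage_bundle() {
    tarball="$1"; stagedir="$2"
    mkdir -p "$stagedir"
    tar zxf "$tarball" -C "$stagedir" || return 1
    conf=$(find "$stagedir/etc/openvpn/nodes" -name '*.conf' | head -n 1)
    [ -n "$conf" ] || return 1
    printf '%s\n' "$conf"
}

# fix_remote CONF PUBLIC_IP -> if the "remote" line carries a private address (the
# server's LAN address, as in the 192.168.0.1 case above), replace it with PUBLIC_IP,
# keeping the port. Prints the address the file ends up with.
fix_remote() {
    conf="$1"; public_ip="$2"
    current=$(remote_ip_of "$conf")
    [ -n "$current" ] || return 1
    if is_private_ip "$current"; then
        awk -v ip="$public_ip" '$1 == "remote" { $2 = ip } { print }' "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    fi
    remote_ip_of "$conf"
}

# install_bundle STAGEDIR CLIENT_IP -> the manual steps from the server's message,
# run on the client (requires root; not exercised by the checks below).
install_bundle() {
    stagedir="$1"; client_ip="$2"
    cp -arf "$stagedir"/etc/openvpn/nodes/* /etc/openvpn/ || return 1
    mv "/etc/openvpn/$client_ip"/*.conf /etc/openvpn/ || return 1
    dpkg-trigger --no-await alienvault-network-vpn-net-client
    dpkg --pending --configure
    rm -rf "$stagedir"
}

# Usage (assumed invocation):
#   sh deploy_vpn_client.sh /etc/alienvault/network/145.156.44.33.tar.gz 88.132.33.11
if [ "$#" -eq 2 ]; then
    conf=$(stage_bundle "$1" /tmp/vpnstage) || { echo "no client .conf in $1" >&2; exit 1; }
    echo "remote now points at $(fix_remote "$conf" "$2")"
    install_bundle /tmp/vpnstage "$(basename "$conf" .conf)"
fi
```

After install_bundle has run, add the client from Configuration > Deployment in the web UI as the server's message instructs. Rewriting only private addresses means a bundle that already carries the server's public address is left untouched, so the script is safe to run on clients in the same network as the server.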