Hands-on with ZeroTier SD-WAN for Cloud Connectivity

Captions
Hi, I'm Eric, the Security Guy. Today we're going hands-on with software-defined WAN technology, or SD-WAN for short, with an example of how to use it to protect access into a cloud environment. This is my first time doing a screen recording in quite a while, so I am only recording a portion of my screen to be kind to those of you on smaller monitors. Please let me know in the comments if you have any suggestions or how well this works out for you.

So today we're talking about how to secure remote access into cloud environments such as Amazon Web Services. There are a couple of different approaches I'm sure many of you are familiar with. You can use a VPN; a traditional point-to-point VPN certainly has some limitations, especially if you're working in multiple cloud environments or you want communication between your cloud environments. So today we're going to be talking about what I like to refer to as a VPN on steroids. It's called SD-WAN, or software-defined WAN, and the product we're going to be using is called ZeroTier. To be clear, this is not sponsored. I use ZeroTier because it works well for me, but I have no business relationship with them other than as a customer. One of the attractive things about ZeroTier for those of you doing personal projects or small businesses is that the pricing is really attractive: up to 50 network nodes with one administrator for free. Obviously if you're a business using this you probably want to move into the professional tier, which allows up to 10 administrators and up to 500 nodes on your network for $49 a month, which is pretty reasonable.

So let's move over to the Security Guy AWS account. For those of you not familiar with AWS, we're going to start with a little bit of a tour just so you can see how I've set this up, and I'm going to tweak this a little bit to give really convenient remote access to cloud resources via the SD-WAN, for administration or also for internal applications. So we'll start by surfing into VPC. For those of you not familiar with AWS, VPC stands for virtual private cloud, and by default in this region Amazon has already created one VPC. You can see it's set up with a private address block and a couple of subnets; again, Amazon has created these by default. If we sort them by IP you'll see that the VPC is broken down into six subnets, and I've simply named them access, tier one and tier two. A good practice if you're deploying applications in the cloud is to use multiple subnets and separate out your application tiers. It makes writing security group rules, using network ACLs and other security approaches to defense in depth a little bit easier.

So before we go any further, one of the things we're going to do is enable IPv6 for our access tier, and that is simply because products like ZeroTier have a lot of functionality to work around network limitations and firewalls, particularly when end users are accessing it, but to give us our maximum chance of having good connectivity we're going to enable IPv6 as well. So we're going to go dual stack in the access tier. In order to do that we'll flip over to the VPC, we will edit the network addresses for the VPC, and we're going to add an Amazon-provided IPv6 block. So we now have our own set of addresses available for this VPC. The next thing we need to do is go into the route table. Since we enabled IPv6, we need to add a route to allow egress and ingress traffic via the existing gateway, so in this case, just to keep our example simple, we're going to add a default route for IPv6 and point it at our existing internet gateway. So now we're set up for IPv6 in this VPC. The next thing we're going to do is go into our access subnet and enable IPv6 there as well, and now we're all set with dual stack in our access VPC.

Next we'll flip over to EC2 and take a look at what we have here. In this test account we have one instance running, and you see it has a public IP. This is the server that we want to establish secure connectivity to, for administration or perhaps for some internal-only services. So in order to set this up, what we're going to do is create an EC2 instance to act as a router in and out of this VPC for the SD-WAN. Now you might be asking yourself, why don't I just install the SD-WAN on the server? I have 50 free licenses; I certainly could do that. But the challenge from a security perspective is that if we install our SD-WAN directly on the server, then any traffic on the SD-WAN is going to bypass all of the other layers of security, so it won't be subject to any of the security groups, it's going to bypass AWS GuardDuty if you're using that for intrusion detection, and all those other things. So we want to use our SD-WAN as an additional layer of security instead of replacing other layers that exist.

So we're going to start by launching a small instance. You can use pretty much any version of Linux that you like; in my case I prefer Ubuntu, so we're going to grab Ubuntu Server 20.04 LTS. We'll select that. We just need a small instance to act as a router, so a t3a.nano will certainly do for the type of traffic that most people would have for administration. Obviously if you have hundreds of people accessing an internal resource you might want to bump that up to a little beefier hardware. We have one instance. We're going to locate this machine on our access tier. We're going to, in this case, auto-assign an IP address, both an IPv4 and an IPv6 address. Just as a matter of practice we're going to enable protection against external termination, turn off unlimited (we don't want to pay extra for high CPU utilization), and I'm going to bump up the disk just a little bit to make sure we don't embarrass ourselves by running out of space while doing an example. Eight is probably enough, but we'll just bump it up for this. We'll add ourselves a name tag while we're in the system.

Next, for a security group: SD-WAN, particularly the ZeroTier SD-WAN, uses UDP, so we're going to create a separate security group for this instance. To start off with we're going to leave the SSH port open. Of course, in practice you'd probably want to lock this down temporarily to your own IP address, but in this case I don't want to show my IP address on camera, so for right now we'll just leave that open to the world for a few minutes. Then we're going to create a custom UDP rule, and we're going to allow essentially all of the high ports, from 1024 to 65535, and again from anywhere. This is going to allow our SD-WAN to communicate effectively, because it is a peer-to-peer technology. This is also another good reason to run it on a separate little instance as a router instead of installing it on all of your production servers. And finally we're going to pick the already existing Security Guy key pair and fire up this instance.

So while this instance is launching (it's going to take a couple of minutes), let's go over to ZeroTier. This is a fresh ZeroTier account. We're going to log in, and then I will be back in a sec. OK, now we're logged back in again; I guess it timed out while we were working in AWS. We're going to start by creating a network. There are a lot of different options here; we're just going to create a network. You see by default it gives us a name. I don't really like the default name, so we're going to call this "sd-wan security guy one". We're also going to make a note of our network ID, because we're going to need that later to connect instances to it, so we'll just put that in a scratch pad. We want a private network; a public one would allow anyone to join, and obviously there's not much point in that from a security perspective, so we want to keep it private. And we can see that it's already defaulted to a range for us, 10.144. That works fine for us, and it doesn't conflict with anything else we're doing. Obviously if you're doing a more advanced configuration or you have a lot of cloud environments, you want to make sure you pick an address range, either from this list or by going into advanced and defining your own, so that you don't have any conflicts between the address range you're going to be using for the ZeroTier SD-WAN and your various environments. So at this point this is actually set up; this is all we need. We have a network set up, we have a network ID, and our members will pop up here as they join the network.

So let's go back and see how our instance is coming along, and we can see that it's initializing. Because we're going to use this as a router in and out of our VPC, there are two very important things we need to do. The first is we need to go into networking and disable the source/destination checking. It's a little backwards the way Amazon shows it: instead of just turning the source/destination checking on and off, to turn it off you actually check a box that says "stop". What this means is that Amazon will now allow traffic to be sent to this instance that is destined to an IP address other than that instance itself. So we're going to enable that. The next thing we're going to do, now that we see it is running, is make one other change in our VPC: we want to set a route to this box so we can use it as a router to and from the ZeroTier SD-WAN. So we're going to go back into our route tables. You can see there's only one route. We're going to edit our routes again, and we're going to take the IP address range of our SD-WAN, which is right here, and add a route to that destination. In this case we're going to specify an instance, the EC2 instance we've just created as an SD-WAN router, and save that route. So again, if we look at this routing table we'll see that the default for the internet remains the gateway, both IPv4 and IPv6, but now any traffic to our SD-WAN address range is going to be sent to this instance, and we've turned off source checking, so this will now allow this little instance to work as a router.

I'm just going to pause the video for a sec, set up an SSH session, and I'll be right back. OK, we've now got an SSH session up. The first thing we're going to do, as usual, is get root on this machine, and we're going to make sure the operating system is reasonably up to date, which unfortunately is often not the case when you spin up a new machine these days. Now I'll just pause the recording until this is done. That did take a couple of minutes to complete, and along the way it did install a new kernel and, as you can see, a microcode update, so we're going to want to reboot this before we install the SD-WAN on it, just to make sure everything's running well. However, before we do that, we can address one other thing that we do need to do: we need to turn on IPv4 forwarding so that this system can act as a router for us. You see there's a line here (I know it's a little hard to see on the screen because of the color) that says net.ipv4.ip_forward=1, and by uncommenting this, the next time the machine boots and any time thereafter it'll automatically have IP forwarding turned on. So now we'll reboot this, and I'll be back as soon as it's rebooted and I have an SSH session set up again.

All right, our SD-WAN router running Ubuntu is back up and running; it's all updated. Just to recap: we have configured the VPC, including the route tables or subnets, to use this box as a router back to tier 1, and we have enabled IP forwarding. So the remaining task we need to do on this VM is simply to install ZeroTier. ZeroTier does have some simple installation instructions. I've had a look at their script before and I do trust it, so in this case I'm just going to paste in their suggested install script. Obviously we do need to be careful when we're downloading something and running it as root. This script will not only install ZeroTier, but you can see it's doing it via the package manager, so that future updates will work using, in this case, apt, or yum if you're on a CentOS or AWS Linux variant. This should just take another few seconds. Perfect. So ZeroTier is installed, it's up and running, and our final task on this VM is to ask ZeroTier to join the network that we've previously defined. So we issue the zerotier-cli join command, and it's responded with an OK.

So we'll flip back to our ZeroTier configuration and refresh this, and now we can see that our device has joined the ZeroTier network. Of course there's a note saying it should have at least two members, obviously, because it only has one member on the LAN. To enable it and allow it access: at this point it's been joined, but it's not being given access to our private network. All we have to do is click here to authenticate it. ZeroTier will automatically assign it an address on the ZeroTier network. While we're waiting for a second or so for it to do that, we'll give this a name, and we can now see that ZeroTier has assigned an IP address. Even though these are assigned at enrollment time, when it's joined the network, this address will not change. So although it's automatically chosen by ZeroTier, it will not change during the lifetime of this node on the SD-WAN, which makes it convenient for routing purposes. We'll scroll up, and our final task is to add a route to our Amazon VPC via this SD-WAN box. So now any other node that joins this SD-WAN will get this route and be able to communicate through the router we've created in Amazon to the rest of the VPC, assuming the security groups in the VPC allow that, and we'll get to that in just a minute.

Going back to our SSH session, if we look at the IP addresses we'll now see that ZeroTier has added another interface to this machine, and it has the IP address that we expected to have on the ZeroTier SD-WAN, the one we saw in the ZeroTier console. So this is all set up. The next thing we can do, now that we have secure connectivity into this VPC, is make some changes to the security groups. So we're going to go into our server and have a look at the security group, and as expected it's open to the entire world to allow SSH connectivity. We'll edit this security group, and instead of allowing the whole universe in, for right now we're going to lock it down to addresses on the SD-WAN. In other words, if you're on the SD-WAN, you're allowed to communicate with this EC2 instance on the SSH port.

Finally, to show this all works, I'm going to join my computer to the SD-WAN, and I'll be back in just a moment to show you how it works. I already had the ZeroTier client installed on my PC. The client is available for Windows, macOS, iOS, Android and Linux, so it has fairly good coverage. All I've done while the recording was paused is I went into my ZeroTier client on my Windows machine and joined it to the network through the GUI, and you can see there is now another system joined and waiting for approval. We'll approve that, and you can see now that an address has been assigned to my laptop. So my laptop is now on the same ZeroTier SD-WAN. As an aside, with the exception of mobile devices, which are somewhat limited by iOS and Android restrictions, most desktop computers (Windows, Mac and Linux machines) can be connected to multiple ZeroTier networks at the same time.

So what we're going to do is flip back over to our Amazon account. This time we're going to grab the private IP address for this server, and then we're going to modify the SSH entry for that server. Instead of connecting on the public IP address, which is no longer allowed by the security group, we're going to plug in the private IP and demonstrate that we now have connectivity across the SD-WAN, routed into the Amazon VPC, to this server. Our SSH session timed out, so let's have a look and see what the problem is. I suspect I made a mistake with the security group rule for the server, and sure enough, I included the IP address range for the VPC when I should have included the IP address of... We now have connectivity from our desktop across the SD-WAN, through the router that we've built in our Amazon VPC, to our destination server. And of course this technique can be used for a lot more than SSH; it can be used to access all sorts of internal resources that you don't want to expose to the internet. I hope you found this helpful, and if you have any questions please do leave them in the comments below. Thanks a lot, and we'll see you in the next video.
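The AWS-side pieces the video assembles (a VPC route for the SD-WAN prefix pointing at the router instance, a UDP high-port rule on the router's security group, and a server security group whose SSH rule admits only SD-WAN addresses) can be audited programmatically. The Python below is an added example, not code from the video, ZeroTier or AWS. It runs over constructed data in the shape of `aws ec2 describe-security-groups` and `aws ec2 describe-route-tables` JSON; the CIDRs (`172.31.0.0/16`, `10.144.0.0/24`), group ids and the instance id are assumed placeholders. It also reproduces the mistake made near the end of the video, where the server's SSH rule was given the VPC's address range instead of the SD-WAN range, and flags it: packets forwarded by the router keep the client's ZeroTier source address, so the VPC block never matches.

```python
"""Audit the AWS-side SD-WAN wiring described in the video.

Added example (not from the video, ZeroTier or AWS). All data below is
constructed: the dicts mimic the shape of `aws ec2 describe-security-groups`
and `aws ec2 describe-route-tables` JSON, and every CIDR, group id and
instance id is an assumed placeholder.
"""
import ipaddress

VPC_CIDR = ipaddress.ip_network("172.31.0.0/16")      # assumed VPC block
SDWAN_CIDR = ipaddress.ip_network("10.144.0.0/24")    # assumed ZeroTier managed range
ROUTER_INSTANCE = "i-0123456789abcdef0"               # placeholder router instance id


def _sg(group_id, *perms):
    """Build a security-group dict with the given IpPermissions entries (constructed)."""
    return {"GroupId": group_id, "IpPermissions": list(perms)}


def _perm(proto, from_port, to_port, v4=(), v6=()):
    """One IpPermissions entry in the describe-security-groups shape."""
    return {"IpProtocol": proto, "FromPort": from_port, "ToPort": to_port,
            "IpRanges": [{"CidrIp": c} for c in v4],
            "Ipv6Ranges": [{"CidrIpv6": c} for c in v6]}


# Server security group in its three states from the video: open to the world,
# mistakenly restricted to the VPC block, and correctly restricted to the SD-WAN.
SERVER_SG_OPEN = _sg("sg-server", _perm("tcp", 22, 22, v4=["0.0.0.0/0"]))
SERVER_SG_VPC = _sg("sg-server", _perm("tcp", 22, 22, v4=[str(VPC_CIDR)]))
SERVER_SG_FIXED = _sg("sg-server", _perm("tcp", 22, 22, v4=[str(SDWAN_CIDR)]))

# Router security group: SSH left open during setup plus the UDP high-port range.
ROUTER_SG = _sg("sg-router",
                _perm("tcp", 22, 22, v4=["0.0.0.0/0"]),
                _perm("udp", 1024, 65535, v4=["0.0.0.0/0"], v6=["::/0"]))

# Route table for the VPC after the video's edits (constructed).
ROUTE_TABLE = {"Routes": [
    {"DestinationCidrBlock": str(VPC_CIDR), "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder"},
    {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-placeholder"},
    {"DestinationCidrBlock": str(SDWAN_CIDR), "InstanceId": ROUTER_INSTANCE},
]}


def _covers_port(perm, port):
    """True if this permission entry admits TCP traffic to `port`."""
    if perm["IpProtocol"] == "-1":          # "all traffic" rule
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]


def ssh_sources(sg):
    """Every source prefix (v4 and v6) that can reach TCP/22 through this group."""
    nets = []
    for perm in sg["IpPermissions"]:
        if not _covers_port(perm, 22):
            continue
        nets += [ipaddress.ip_network(r["CidrIp"]) for r in perm["IpRanges"]]
        nets += [ipaddress.ip_network(r["CidrIpv6"]) for r in perm["Ipv6Ranges"]]
    return nets


def audit_ssh_rule(sg, sdwan=SDWAN_CIDR, vpc=VPC_CIDR):
    """Return findings for the SSH rule; an empty list means SSH is SD-WAN-only.

    Packets forwarded by the router keep the client's ZeroTier source address,
    so the rule must name the SD-WAN prefix, not the VPC block.
    """
    findings = []
    sources = ssh_sources(sg)
    if not sources:
        findings.append("no SSH rule at all: administrators cannot reach the host")
    for net in sources:
        if net.prefixlen == 0:
            findings.append(f"SSH open to the world via {net}")
        elif net.version == vpc.version and net.overlaps(vpc):
            findings.append(f"SSH admits VPC addresses {net}; SD-WAN clients arrive from {sdwan}")
        elif net.version != sdwan.version or not net.subnet_of(sdwan):
            findings.append(f"SSH admits {net}, outside the SD-WAN prefix {sdwan}")
    return findings


def sdwan_route_target(route_table, sdwan=SDWAN_CIDR):
    """InstanceId the SD-WAN prefix is routed to, or None if the route is missing."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") == str(sdwan):
            return route.get("InstanceId")
    return None


def router_udp_ok(sg, low=1024, high=65535):
    """True if the router group admits the UDP high-port range the peers use."""
    return any(p["IpProtocol"] == "udp" and p["FromPort"] <= low and p["ToPort"] >= high
               for p in sg["IpPermissions"])


if __name__ == "__main__":
    for label, sg in (("open", SERVER_SG_OPEN), ("vpc", SERVER_SG_VPC), ("fixed", SERVER_SG_FIXED)):
        print(f"server SG ({label}):", audit_ssh_rule(sg) or ["ok: SSH only from the SD-WAN"])
    print("SD-WAN route ->", sdwan_route_target(ROUTE_TABLE))
    print("router UDP range open:", router_udp_ok(ROUTER_SG))
```

Running it prints one finding for the open group, one for the VPC-range group (the video's mistake) and none for the fixed group, confirms the SD-WAN route points at the router instance, and confirms the router group has the UDP range. Against a real account the same functions can be fed the parsed output of the two `describe-*` calls instead of the constructed dicts.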
Info
Channel: SecurityGuy
Views: 986
Keywords: zerotier, zerotier one, zerotier one tutorial, zerotier setup
Id: pntbQBtneZg
Length: 23min 47sec (1427 seconds)
Published: Thu Apr 08 2021