3

We are looking at renting a VMWare ESXi server through a provider. This VMWare ESXi server will be allocated a public IP. Most of the VMs that we will host on this server are only meant to be used internally.

My question is if it would be possible to set up a VPN tunnel (ipsec) from the gateway in our office (Cisco RV082) to the VMWare host server so that we do not have to expose all VMs to the internet? We do not have access to any equipment in front of the VMWare host server.

For example, would it be possible to configure such a tunnel on e.g. a Debian VM, and then achieve the following:

  1. We can reach all the VMs on the VMWare host via a local IP address on our intranet
  2. The VMs can reach machines on our intranet via a local IP address

The alternative to this I guess would be to 'buy' 1 public IP address from the provider per VM, and then access the VMs over the internet, each with its own iptables configuration to block access from IPs not stemming from our office.

Any help is appreciated.

John B

3 Answers

8

My question is if it would be possible to set up a VPN tunnel (ipsec) from the gateway in our office (Cisco RV082) to the VMWare host server so that we do not have to expose all VMs to the internet?

No. You can't install third party services like a VPN client on the hypervisor.


This is what you need:

  • A management IP address for ESXi itself. This can be public, or it can be private, as long as you can reach it to manage. If it's public, make sure it's firewalled off well.

  • A VM to act as a VPN gateway (OpenVPN, pfsense, RRAS, whatever)

  • At least one public IP address for a VM to act as the VPN gateway.

  • A public vSwitch that has the public interface for your VPN gateway VM.

  • A private vSwitch that the rest of your "private only" VMs connect to.

You'll connect your VPN VM to both vSwitches and configure routing through it. This way, you'll tunnel to a VM that has access to both the public network (so that you can VPN into it) and the private network so that your VMs aren't exposed to the outside world unnecessarily and you won't need public IPs for all of them.

MDMarra
    Thank you so much for the detailed answer MDMarra. I'm going to try this on a test server in a bit. – John B Nov 21 '12 at 15:13
  • I've just finished setting up my server and what you described worked perfectly. I configured two vmSwitches, one for the WAN and another for the LAN. The one for the WAN I connected to the NIC. I then installed pfSense in a VM, hooked it up to the two vSwitches, assigned it one of my available public IPs and set up an IPsec tunnel. Thanks again! – John B Nov 26 '12 at 20:59
  • @JohnB have you any example for this? – Derple May 26 '20 at 21:11
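The two-vSwitch layout from the answer above, carried through on a Debian VM as the question suggested, as an added example that is not part of this thread. It assumes strongSwan for the IPsec tunnel and iptables on the VM; every address, interface name and the `office` connection name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): Debian VM on ESXi as the IPsec gateway
# from MDMarra's answer (strongSwan + iptables). Addresses are placeholders.
OFFICE_GW="203.0.113.10"      # placeholder: office RV082 public IP
OFFICE_LAN="192.168.1.0/24"   # placeholder: office intranet
VPN_PUBLIC="198.51.100.20"    # placeholder: the one public IP given to this VM
VM_LAN="10.10.0.0/24"         # placeholder: subnet on the private vSwitch
WAN=eth0                      # vNIC attached to the public vSwitch
LAN=eth1                      # vNIC attached to the private vSwitch
DRY_RUN=${DRY_RUN:-1}         # 1 = only print what would be done

# strongSwan site-to-site conn (IKEv1 + PSK, which RV082-class routers speak).
# The PSK itself belongs in /etc/ipsec.secrets; include this file from ipsec.conf.
ipsec_conf() {
cat <<EOF
conn office
  keyexchange=ikev1
  left=$VPN_PUBLIC
  leftsubnet=$VM_LAN
  right=$OFFICE_GW
  rightsubnet=$OFFICE_LAN
  authby=secret
  auto=start
EOF
}

# Public vNIC: only IKE/ESP from the office gateway and decrypted tunnel
# traffic get in; the private VMs are reachable only through the tunnel.
fw_rules() {
cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN -s $VM_LAN -j ACCEPT
iptables -A INPUT -i $WAN -s $OFFICE_GW -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -A INPUT -i $WAN -s $OFFICE_GW -p esp -j ACCEPT
iptables -A INPUT -i $WAN -s $OFFICE_LAN -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -i $WAN -s $OFFICE_LAN -d $VM_LAN -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -i $LAN -s $VM_LAN -d $OFFICE_LAN -m policy --dir out --pol ipsec -j ACCEPT
EOF
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$1"; else eval "$1"; fi; }
apply() {
  run "sysctl -w net.ipv4.ip_forward=1"
  if [ "$DRY_RUN" = 1 ]; then ipsec_conf; else ipsec_conf > /etc/ipsec.d/office.conf; fi
  fw_rules | while IFS= read -r rule; do run "$rule"; done
}
apply
```

Run with `DRY_RUN=0` as root on the gateway VM to apply; the default only prints the configuration and rules so they can be reviewed first.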
1

My firm does this all the time with virtualized firewall endpoints... We're a private cloud provider, so this is a realistic scenario.

  • This can come in the form of a virtualized Linux system running an n2n tunnel (if there's no control of the intermediate devices or no/insufficient public IPs).

  • We also have customers who've used Quagga for routing and OpenVPN as an endpoint on a VM.

  • Another popular option in our setups, as well as a necessity in some of the Amazon Web Services solutions is to use a Vyatta virtual firewall as a VPN terminus.

ewwhite
-1

In the ISP space, deploy an OpenVPN server (preferably running on Linux due to its small footprint). This OpenVPN server will have two NICs; one of them will have a public IP and the other will have a private IP on the same subnet as the ESXi server. The ESXi will have no public IP assigned to it, but all traffic to the internet will be routed via the OpenVPN server, which will act as a gateway.

How does it work?

When an admin wants to connect to any of the ESXi VMs, he will first connect and authenticate to the OpenVPN server using its public IP, which will then grant him access to the remote private subnet. Once connected to the VPN server, he will then connect to the ESXi server using its private IP address.

Bruce Malaudzi