Apoyar Wiki

Apoyar Network & VPN Structure

Revision as of 11:52, 13 May 2021 by Admin (talk | contribs)

Apoyar Network & VPN Structure



We have 2 ESX host, 1 Disk array these provides access to VM’s

We have separate server Vcentre, which is a physical server and provides

- management over vpshere

- access to VM’s

We have firewall called Juniper (2 firewall), if one fails other starts

Also we have Clavister, which has same level as Juniper. Clavister has better support for different types of VPN

It supports 3 types of VPN

- L2TP

- IPsec (used to connect customers)

- OpenVPN


Connecting any of Apoyar server

Weather we are connecting through OpenVPN or L2TP, we always getting through Clavister.

For connecting using OpenVPN, we just need AD logins

If we are connecting as L2TP user, it uses passphrase

If we are connecting from any AWS console VM, it uses certificate


Certificates on AWS RMG server

Login to rmg.aws.apoyar

• Cd /etc/isakmpd

• cd ca

• ls

ca.crt (this is the certificate authority of mother or father certificate)

It is only saved on clavister (one copy)

Also on each AWS console machine, its only get compared not sent



To see contents of certificates

• openssl x509 -in cert.crt -noout -text

To check local certificate

• cd.. /certs/

• openssl x509 -in local.crt -noout –text

To compare cert, key and request

• openssl x509 -noout -modulus -in zebssl.crt | openssl md5 && openssl rsa -noout -modulus -in zebssl.key | openssl md5 && openssl req -noout -modulus -in zebssl.csr | openssl md5

These certificates contain the information related to

• Issuer

• Customer

• Expiry

• DNS




Apoyar network access by clients

Wise Geary also have clavister (Newer version), but not same as Edge router in HYD Office

Apoyar clavister can access Apoyar(Apoyar machine’s), and Apoyar(Apoyar machine’s) also can access Apoyar Clavister

Clavitser can access WG (Physical clavister machine), but WG can not access clavister back

AWS and Azure console machines(server’s) are Virtual OpenBSD machines (Most secure OS), they can access Apoyar network through L2TP with certificate authentication

We have our own Certificate Authority (CA) on server called phobos.apoyar at /home/neal/certs/

We have two certs -

1) main cert

2) client cert (Child)


When clients try to connect clavister, clavister ask for cert and compare with main cert and then if it confirms the same issuing authority with main cert, it allows the clients.

Below are the three commands for cert

• openssl x509

• openssl req

• openssl rsa (for private keys)

Generated Clients Cert (WG)

We can see generated clients cert at

• cd /home/neal/certs/generated/

• ls

We can see the cert content using below command

• openssl x509 –in firewall.wg.crt –noout –text

Cert content will show the cert security measures as below

Sha256 security

- Higher lever cert

- generate traffic and take 10 sec longer to connect

CN – Common Name

It follows the certain naming convention



VPN Connection Creation


When we create cert for VPN, there are always two places to look, like for AWS on rmg.aws.apoyar we can check at below two locations

• cd /etc/isakmpd/certs/

• ls

We can see content of cert using below command

• openssl x509 local.cert –noout –text

and setting will be in ipsec file at below location, we can see using below command

• cat /etc/ipsec.conf

DNS in local.crt and srcid in ipsec.conf file should be same

When OpenBSD creates connection, it sends cert

When firewall.apoyar which will be in clavister finds out this, it checks weather it is matching or not, if it’s matching then only VPN connection get created.

Retrieved from ‘https://wiki.apoyar.eu/index.php?title=Apoyar_Network_%26_VPN_Structure&oldid=168