
On-prem setup

Intro

If you wish to host, secure and maintain certain service connectors yourself it is possible to set up a client to connect to the Tray.io VPN.

In order to do this you will need to contact us to ask for a tunnel to be set up to your network, whereby you will need to provide us with both the public IP and internal IP range of your network, plus a few other details.

Once we have set this up you will be issued with:

  • 2 tunnel IP addresses

  • 2 PSK secrets (one for each tunnel)

You can then run the client either using a docker image or by installing the strongSwan VPN client.

1. Running the Tray.io VPN Docker image

If you do not already have Docker installed please see the Docker installation page for instructions.

You can then create an environment file e.g. tray-vpn-credentials.env within a directory you have created:

ON_PREM_NETWORK=192.168.0.0/16
TRAY_NETWORK=172.27.0.0/16
TUNNEL_1_IP_ADDRESS=34.x.x.x
TUNNEL_2_IP_ADDRESS=35.x.x.x
TUNNEL_1_PSK_SECRET=3abUpxxxxxxxxxxxEnZ1BimUQ9w
TUNNEL_2_PSK_SECRET=6NbCDxxxxxxxxxxxkqf7p07bMMK

ON_PREM_NETWORK is the IP range of your on-premise subnet, which you can specify.

TRAY_NETWORK is the subnet for the IPs that will be assigned to the different Tray.io connectors. You can set your own desired range for the TRAY_NETWORK subnet, but it cannot overlap with the range for ON_PREM_NETWORK, e.g. they could not both be 192.168.0.0/16.

The accepted range for both of these is:

  • 192.168.0.0

  • 172.16.0.0 - 172.31.0.0

  • 10.0.0.0 - 10.255.255.255

ON_PREM_NETWORK supports range /7 through to /28 while TRAY_NETWORK supports only /16.

You can then pull the Docker image:

docker pull tray/vpn-client:latest

And start the client with:

docker run -d --rm --network=host --cap-add=NET_ADMIN --cap-add=SYS_MODULE --env-file /path/to/tray-vpn-credentials.env tray/vpn-client:latest

2. Running the VPN client

The other option is to install the strongSwan VPN client and configure it for use with the same credentials.

The following install instructions are for Ubuntu 18.04 (Please see the Appendix for instructions for multiple other OSes):

# Install ntp and strongswan
apt update
apt install ntp strongswan
# Enable services
systemctl enable ntp
systemctl enable strongswan
# Modify strongswan config and secret
vim /etc/ipsec.conf
vim /etc/ipsec.secrets
# Restart service
service strongswan restart
# Verify log
tail -F /var/log/syslog | grep charon

See below for the configuration and secret file you need to edit in the third step above.

Note that some OSes have the configuration files stored in /etc/strongswan/ while others have them in /etc/:

/etc/ipsec.conf:

config setup
    # strictcrlpolicy=yes
    # uniqueids=no

# Default configuration
conn %default
    mobike=no
    compress=no
    authby=psk
    keyexchange=ikev1
    ike=aes128-sha1-modp1024!
    ikelifetime=28800s
    esp=aes128-sha1-modp1024!
    lifetime=3600s
    rekeymargin=3m
    keyingtries=3
    installpolicy=yes
    route=auto
    dpdaction=restart
    type=tunnel

# Tunnel 1 configuration
conn aws-tunnel-1
    leftsubnet=192.168.0.0/16 # your on-premise subnet
    right=34.x.x.x # tunnel 1 public IP
    rightsubnet=172.27.0.0/16 # tray subnet
    auto=start

# Tunnel 2 configuration
conn aws-tunnel-2
    leftsubnet=192.168.0.0/16 # your on-premise subnet
    right=35.x.x.x # tunnel 2 public IP
    rightsubnet=172.27.0.0/16 # tray subnet
    auto=start

/etc/strongswan/ipsec.secrets:

# ipsec.secrets - strongSwan IPsec secrets file
34.x.x.x : PSK "3abUpxxxxxxxxxxxEnZ1BimUQ9w"
35.x.x.x : PSK "6NbCDxxxxxxxxxxxkqf7p07bMMK"
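An added helper (not Tray.io's code) that checks a tray-vpn-credentials.env file against the subnet rules given earlier (private range, /7 to /28 for ON_PREM_NETWORK, /16 and no overlap for TRAY_NETWORK) and renders the matching strongSwan conn sections and ipsec.secrets lines, so the Docker and strongSwan setups come from one validated source; the sample addresses and PSKs are constructed placeholders.

```python
import ipaddress

# Constructed sample in the page's tray-vpn-credentials.env layout; addresses and PSKs are placeholders.
SAMPLE_ENV = """ON_PREM_NETWORK=192.168.0.0/16
TRAY_NETWORK=172.27.0.0/16
TUNNEL_1_IP_ADDRESS=34.0.0.1
TUNNEL_2_IP_ADDRESS=35.0.0.1
TUNNEL_1_PSK_SECRET=3abUpPLACEHOLDEREnZ1BimUQ9w
TUNNEL_2_PSK_SECRET=6NbCDPLACEHOLDERkqf7p07bMMK
"""

PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # accepted ranges

def parse_env(text):
    """KEY=VALUE lines into a dict; blank lines and # comments are ignored."""
    env = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def validate(env):
    """Return the list of rule violations; an empty list means the file is usable."""
    try:  # ip_network is strict by default: host bits must be zero
        on_prem, tray = (ipaddress.ip_network(env[k]) for k in ("ON_PREM_NETWORK", "TRAY_NETWORK"))
    except (KeyError, ValueError) as exc:
        return [f"unusable network value: {exc}"]
    problems = []
    for name, net in (("ON_PREM_NETWORK", on_prem), ("TRAY_NETWORK", tray)):
        if not any(net.network_address in r for r in PRIVATE):
            problems.append(f"{name} {net} does not start in a private range")
    if not 7 <= on_prem.prefixlen <= 28:
        problems.append(f"ON_PREM_NETWORK prefix /{on_prem.prefixlen} is outside /7../28")
    if tray.prefixlen != 16:
        problems.append(f"TRAY_NETWORK must be /16, got /{tray.prefixlen}")
    if on_prem.overlaps(tray):
        problems.append(f"ON_PREM_NETWORK {on_prem} overlaps TRAY_NETWORK {tray}")
    return problems

def render_strongswan(env):
    """Build the two tunnel conn sections and the ipsec.secrets lines from the same values."""
    conf, secrets = [], ["# ipsec.secrets - strongSwan IPsec secrets file"]
    for n in (1, 2):
        ip, psk = env[f"TUNNEL_{n}_IP_ADDRESS"], env[f"TUNNEL_{n}_PSK_SECRET"]
        conf.append(f"conn aws-tunnel-{n}\n    leftsubnet={env['ON_PREM_NETWORK']}\n"
                    f"    right={ip}\n    rightsubnet={env['TRAY_NETWORK']}\n    auto=start")
        secrets.append(f'{ip} : PSK "{psk}"')
    return "\n\n".join(conf), "\n".join(secrets)
```

Run validate() before starting either the Docker image or strongSwan; an overlap or a wrong prefix length is reported as text rather than surfacing later as a tunnel that comes up but routes nothing.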

Testing your on-prem setup

Once you have your setup running, the easiest way to test it is to:

  1. Run a MySQL server instance on a machine in your network

  2. Create a Tray.io workflow with a MySQL connector authenticated using your network address as host

So, assuming that you already have mysql-server installed on a network machine, you can create a test database, table and user with a sequence of commands such as:

CREATE DATABASE db1;
USE db1;
CREATE TABLE example ( id smallint unsigned not null auto_increment, name varchar(20) not null, constraint pk_example primary key (id) );
INSERT INTO example ( id, name ) VALUES ( null, 'Sample data' );
CREATE USER 'billy'@'%' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON db1.* TO 'billy'@'%';

Then make sure that your MySQL server is listening to remote connections.

Exactly how to do this depends on your OS, but in Ubuntu 18.04 you would edit /etc/mysql/mysql.conf.d/mysqld.cnf

And change bind address to:

bind-address = 0.0.0.0

Then sudo systemctl restart mysql followed by sudo netstat -tulnp | grep mysqld to check you have an output such as:

tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 622/mysql

Your firewall should also be open to receiving connections to the default MySQL port 3306.

Creating the test workflow

In your Tray.io account create a new workflow and add a MySQL step:

[Image: on-prem-workflow-mysql]

Then create an authentication, adding your network machine internal IP address as the host, leaving 3306 as the default port, and entering the username and password of the database user you created:

[Image: on-prem-mysql-auth]

Then run a simple query such as select * from example using the 'Run SQL query' operation:

[Image: on-prem-run-sql-query]

You can then check the Debug tab to make sure your query has been successful!

Appendix - other OS VPN install instructions

Amazon Linux 2 AMI

# Install ntp and strongswan
sudo amazon-linux-extras install epel
sudo yum repolist
yum update
yum install ntp strongswan
# Enable services
systemctl enable ntp
systemctl enable strongswan
# Modify strongswan config and secret
vim /etc/strongswan/ipsec.conf
vim /etc/strongswan/ipsec.secrets
# Restart service
service strongswan restart
# Verify log
tail -F /var/log/messages | grep charon

OS X (Catalina)

# Install strongswan
brew install strongswan
# Modify strongswan config and secret
vim /usr/local/etc/ipsec.conf
vim /usr/local/etc/ipsec.secrets
# Start service
sudo ipsec start

Red Hat Enterprise Linux 8

# Install epel
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
rpm -ql epel-release
dnf repolist -v
# Install chrony and strongswan
dnf install chrony
dnf install strongswan
# Enable services
systemctl enable chronyd
systemctl enable strongswan
# Modify strongswan config and secret
vim /etc/strongswan/ipsec.conf
vim /etc/strongswan/ipsec.secrets
# Restart service
service strongswan restart
# Verify log
tail -F /var/log/messages | grep charon

SUSE Enterprise Linux 15 SP1

# Install ntp and strongswan
zypper install ntp
zypper install strongswan
# Enable services
systemctl enable ntpd
systemctl enable strongswan
# Modify strongswan config and secret
vim /etc/ipsec.conf
vim /etc/ipsec.secrets
# Restart service
service strongswan restart
# Verify log
tail -F /var/log/messages | grep charon