Intro and prerequisites
If you wish to host, secure and maintain certain services yourself, it is possible to set up an IPsec client to connect to the Tray.io VPN.
In order to do this you will need to contact us to ask for a tunnel to be set up to your network. You will need to provide us with the following information:
The location of your network - This is so that we can deploy the on-premise environment as close as possible to your location, which reduces the data transfer latency between your services/databases and the Tray.io connectors.
The Tray.io On-Premise network range - This can be specified by you. If not, we use a default.
Your on-premise network range - This is your private address space that should be addressable from the connectors inside the Tray On-Premise network. This is where the services and databases you wish to maintain must be located. In the diagram, this is shown as 10.0.25.0/24 but this can be anything (such as 192.168.0.0/16) as long as it is configured as a private address space.
Note that the VPN client does not need to be in this range, but it needs to be able to route inbound traffic from the Tray.io private network to the target databases inside your local infrastructure. Additionally, the relevant ports, such as TCP 1433 for SQL Server or TCP 3306 for MySQL (when using default port settings), must be opened.
Each service you are hosting (e.g. MySQL Server, MongoDB etc.) should have its own address which falls within this private address range.
Your on-premise public IP address - This is required for the connection and is used to generate the IPSec credentials between the two environments.
Once we have set this up you will be issued with:
2 tunnel IP addresses
2 PSK secrets, one for each tunnel
You can then run the client using either:
The Tray.io VPN client Docker image. This is available in a public GitHub repository as a transparent open-source product which makes use of the strongSwan VPN client.
Directly installing strongSwan or another IPSec VPN client of your choice.
Tray On-Premise Infrastructure
The On-Premise infrastructure has the ability to establish 2 tunnels for high-availability, redundancy, and maintenance reasons. (See Maintenance Note below). In the event that one tunnel becomes unavailable, the other tunnel is available for use. This is why we provide two IPSec credentials and we recommend that our users configure both tunnels.
Most VPN devices and software clients (e.g. strongSwan) allow the configuration of two tunnels and can automatically failover in the event that one goes down. We recommend that both tunnels are configured but note that only one tunnel can be used at the same time.
- strongSwan is an IPsec solution and uses the standard UDP ports 500 and 4500. The traffic itself is not handled by the software but by the internal network and IPsec stack of the operating system. Read more here: https://wiki.strongswan.org/projects/strongswan/wiki/IntroductionTostrongSwan#IKE-and-IPsec-Basics
- The VPN client only creates a secure tunnel between the host where the software is running and the Tray.io private network. It does not have the ability to modify or override the operating system's network routing or security. Allowing or restricting traffic to other resources in your network must be separately configured by your own system/network administrator.
1. Running the Tray.io VPN Docker image
If you do not already have Docker installed, please see the Docker installation page for instructions.
You can then create an environment file, e.g. tray-vpn-credentials.env, within a directory you have created:
CLIENT_NETWORK is the IP range of your on-premise subnet, which you can specify.
TRAY_NETWORK is the subnet for the IPs that will be assigned to the different Tray.io connectors. You can set your own desired range for the TRAY_NETWORK subnet, but it cannot overlap with the range for CLIENT_NETWORK, e.g. they could not both be 192.168.0.0/16.
The accepted range for both of these is:
172.16.0.0 - 172.31.0.0
10.0.0.0 - 10.255.255.255
CLIENT_NETWORK supports range /7 through to /28 while TRAY_NETWORK supports only /16.
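The following is an added example, not part of the Tray.io docs or the vpn-client repository: a small checker that applies the CLIENT_NETWORK / TRAY_NETWORK rules above (accepted private ranges, prefix lengths, no overlap) to an env file before you start the container. It assumes the accepted ranges are the RFC 1918 blocks 10.0.0.0/8 and 172.16.0.0/12, and the sample env files are constructed.

```python
import ipaddress

# Assumption: accepted ranges are taken as the RFC 1918 blocks 10/8 and 172.16/12.
ALLOWED_BLOCKS = (ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("172.16.0.0/12"))

# (key, smallest allowed prefix length, largest allowed prefix length)
RULES = (("CLIENT_NETWORK", 7, 28), ("TRAY_NETWORK", 16, 16))


def parse_env(text):
    """Parse KEY=VALUE lines of an env file; blank lines and # comments are ignored."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def validate_networks(env):
    """Return a list of rule violations; an empty list means the networks are acceptable."""
    errors, nets = [], {}
    for key, lo, hi in RULES:
        raw = env.get(key)
        if raw is None:
            errors.append(f"{key} is missing")
            continue
        try:
            net = ipaddress.ip_network(raw, strict=True)  # strict: host bits must be zero
        except ValueError as exc:
            errors.append(f"{key}={raw!r} is not a valid network: {exc}")
            continue
        if not any(net.subnet_of(block) for block in ALLOWED_BLOCKS):
            errors.append(f"{key}={raw} is outside the accepted ranges 10.0.0.0/8 and 172.16.0.0/12")
        if not lo <= net.prefixlen <= hi:
            errors.append(f"{key}={raw} has prefix /{net.prefixlen}; allowed is /{lo} to /{hi}")
        nets[key] = net
    if len(nets) == 2 and nets["CLIENT_NETWORK"].overlaps(nets["TRAY_NETWORK"]):
        errors.append("CLIENT_NETWORK and TRAY_NETWORK overlap")
    return errors


# Constructed sample env files (credential variables omitted; only the network keys are checked).
GOOD_ENV = "CLIENT_NETWORK=10.0.25.0/24\nTRAY_NETWORK=172.27.0.0/16\n"
BAD_ENV = "CLIENT_NETWORK=10.0.0.0/16\nTRAY_NETWORK=10.0.0.0/24\n"  # overlap and /24 tray subnet

if __name__ == "__main__":
    for name, text in (("good", GOOD_ENV), ("bad", BAD_ENV)):
        print(name, validate_networks(parse_env(text)) or "OK")
```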
You can then clone the Tray VPN Client from https://github.com/trayio/vpn-client
You can then build the container with:
docker build -t tray-vpn-client:latest .
The client can then be started with:
docker run -d --rm --network=host --cap-add=NET_ADMIN --cap-add=SYS_MODULE --env-file /path/to/tray-vpn-credentials.env tray-vpn-client:latest
Please see the readme of the GitHub repo for more tips on running your Docker container.
2. Installing the strongSwan VPN client
The other option is to install the strongSwan VPN client directly and configure it for use with the same credentials.
The following install instructions are for Ubuntu 18.04 (Please see the Appendix for instructions for multiple other OSes):
# Install ntp and strongswan
apt update
apt install ntp strongswan
# Enable services
systemctl enable ntp
systemctl enable strongswan
# Modify strongswan config and secret
vim /etc/ipsec.conf
vim /etc/ipsec.secrets
# Restart service
service strongswan restart
# Verify log
tail -F /var/log/syslog | grep charon
See below for the configuration and secrets files you need to edit in the third step above.
Note that some OSes store the configuration files in /etc/strongswan/ while others keep them in /etc/:
config setup
    # strictcrlpolicy=yes
    # uniqueids=no

# Default configuration
conn %default
    mobike=no
    compress=no
    authby=psk
    keyexchange=ikev1
    ike=aes128-sha1-modp1024!
    ikelifetime=28800s
    esp=aes128-sha1-modp1024!
    lifetime=3600s
    rekeymargin=3m
    keyingtries=3
    installpolicy=yes
    route=auto
    dpdaction=restart
    type=tunnel

# Tunnel 1 configuration
conn aws-tunnel-1
    leftsubnet=192.168.0.0/16   # your on-premise subnet
    right=34.x.x.x              # tunnel 1 public IP
    rightsubnet=172.27.0.0/16   # tray subnet
    auto=start

# Tunnel 2 configuration
conn aws-tunnel-2
    leftsubnet=192.168.0.0/16   # your on-premise subnet
    right=35.x.x.x              # tunnel 2 public IP
    rightsubnet=172.27.0.0/16   # tray subnet
    auto=start
# ipsec.secrets - strongSwan IPsec secrets file
34.x.x.x : PSK "3abUpxxxxxxxxxxxEnZ1BimUQ9w"
35.x.x.x : PSK "6NbCDxxxxxxxxxxxkqf7p07bMMK"
Testing your on-prem setup
Once you have your setup running, the easiest way to test it is to:
Run a MySQL server instance on a machine in your network
Create a Tray.io workflow with a MySQL connector authenticated using your network address as host
So, assuming that you already have mysql-server installed on a network machine, you can create a test database, table and user with a sequence of commands such as:
CREATE DATABASE db1;
USE db1;
CREATE TABLE example (
  id smallint unsigned not null auto_increment,
  name varchar(20) not null,
  constraint pk_example primary key (id)
);
INSERT INTO example ( id, name ) VALUES ( null, 'Sample data' );
CREATE USER 'billy'@'%' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON db1.* TO 'billy'@'%';
Then make sure that your MySQL server is listening for remote connections.
Exactly how to do this depends on your OS, but on Ubuntu 18.04 you would edit /etc/mysql/mysql.conf.d/mysqld.cnf
and change the bind address to:
bind-address = 0.0.0.0
Then run sudo systemctl restart mysql followed by sudo netstat -tulnp | grep mysqld to check that you have output such as:
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 622/mysql
Your firewall should also be open to receiving connections to the default MySQL port 3306.
Creating the test workflow
In your Tray.io account create a new workflow and add a MySQL step:
Then create an authentication, adding your network machine internal IP address as the host, leaving 3306 as the default port, and entering the username and password of the database user you created:
Then run a simple query such as select * from example using the 'Run SQL query' operation:
You can then check the Debug tab to make sure your query has been successful!
Appendix - other OS VPN install instructions
Amazon Linux 2 AMI
# Install ntp and strongswan
sudo amazon-linux-extras install epel
sudo yum repolist
yum update
yum install ntp strongswan
# Enable services
systemctl enable ntp
systemctl enable strongswan
# Modify strongswan config and secret
vim /etc/strongswan/ipsec.conf
vim /etc/strongswan/ipsec.secrets
# Restart service
service strongswan restart
# Verify log
tail -F /var/log/messages | grep charon
OS X (Catalina)
# Install strongswan
brew install strongswan
# Modify strongswan config and secret
vim /usr/local/etc/ipsec.conf
vim /usr/local/etc/ipsec.secrets
# Start service
sudo ipsec start
Red Hat Enterprise Linux 8
# Install epel
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
rpm -ql epel-release
dnf repolist -v
# Install chrony and strongswan
dnf install chrony
dnf install strongswan
# Enable services
systemctl enable chronyd
systemctl enable strongswan
# Modify strongswan config and secret
vim /etc/strongswan/ipsec.conf
vim /etc/strongswan/ipsec.secrets
# Restart service
service strongswan restart
# Verify log
tail -F /var/log/messages | grep charon
SUSE Enterprise Linux 15 SP1
# Install ntp and strongswan
zypper install ntp
zypper install strongswan
# Enable services
systemctl enable ntpd
systemctl enable strongswan
# Modify strongswan config and secret
vim /etc/ipsec.conf
vim /etc/ipsec.secrets
# Restart service
service strongswan restart
# Verify log
tail -F /var/log/messages | grep charon