If you wish to host, secure and maintain certain service connectors yourself it is possible to set up a client to connect to the Tray.io VPN.
To do this you will need to contact us to ask for a tunnel to be set up to your network; you will need to provide us with both the public IP and the internal IP range of your network, plus a few other details.
Once we have set this up you will be issued with:
2 tunnel IP addresses
2 PSK secrets (one for each tunnel)
You can then run the client either using a docker image or by installing the strongSwan VPN client.
If you do not already have Docker installed please see the Docker installation page for instructions.
You can then create an environment file e.g. tray-vpn-credentials.env within a directory you have created:
ON_PREM_NETWORK is the IP range of your on-premise subnet, which you can specify.
TRAY_NETWORK is the subnet for the IPs that will be assigned to the different Tray.io connectors. You can set your own desired range for the TRAY_NETWORK subnet, but it cannot overlap with the range for ON_PREM_NETWORK, e.g. they could not both be 192.168.0.0/16.
The accepted range for both of these is:
172.16.0.0 - 172.31.0.0
10.0.0.0 - 10.255.255.255
ON_PREM_NETWORK supports range /7 through to /28 while TRAY_NETWORK supports only /16.
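Getting the two subnet values wrong is the usual reason the container starts but nothing routes, so it is worth checking the env file before running it. The script below is an added example, not part of Tray.io's documentation or the vpn-client image: it parses an env file the way docker --env-file does and applies the rules stated above (valid IPv4 CIDR, ON_PREM_NETWORK between /7 and /28, TRAY_NETWORK exactly /16, no overlap, both inside the accepted ranges). The accepted ranges are read here as the RFC 1918 blocks 10.0.0.0/8 and 172.16.0.0/12, which is my interpretation of the two ranges listed; the sample env files are constructed and only carry the two subnet keys.

```python
import ipaddress

# The page lists 172.16.0.0 - 172.31.0.0 and 10.0.0.0 - 10.255.255.255 as
# accepted; read here as the RFC 1918 blocks (my interpretation, not CIDR
# values stated on the page).
ACCEPTED_RANGES = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
)
# Prefix-length limits as stated on the page.
PREFIX_LIMITS = {
    "ON_PREM_NETWORK": (7, 28),   # /7 through /28
    "TRAY_NETWORK": (16, 16),     # only /16
}

# Constructed sample env files. Real files also carry the tunnel credentials
# issued by Tray.io; those keys are not checked here.
GOOD_ENV = """# tray-vpn-credentials.env (constructed sample, subnet keys only)
ON_PREM_NETWORK=10.1.0.0/24
TRAY_NETWORK=172.27.0.0/16
"""
BAD_ENV = """ON_PREM_NETWORK=192.168.0.0/16
TRAY_NETWORK=192.168.0.0/16
"""


def parse_env(text):
    """Parse KEY=VALUE lines as docker --env-file does, skipping blanks and # comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def check_subnet(name, cidr):
    """Return (network or None, [problems]) for one subnet value."""
    try:
        # strict=True rejects values with host bits set, e.g. 10.1.0.5/24
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return None, [f"{name}: {cidr!r} is not a valid CIDR network ({exc})"]
    if net.version != 4:
        return None, [f"{name}: {net} is not an IPv4 network"]
    problems = []
    low, high = PREFIX_LIMITS[name]
    if not low <= net.prefixlen <= high:
        problems.append(f"{name}: prefix /{net.prefixlen} is outside /{low}-/{high}")
    if not any(net.subnet_of(rng) for rng in ACCEPTED_RANGES):
        problems.append(f"{name}: {net} is outside the accepted ranges 10.0.0.0/8 and 172.16.0.0/12")
    return net, problems


def validate_env(text):
    """Return a list of problems; an empty list means the file meets the page's rules."""
    env = parse_env(text)
    problems, nets = [], {}
    for name in PREFIX_LIMITS:
        if name not in env:
            problems.append(f"{name}: missing")
            continue
        net, errs = check_subnet(name, env[name])
        problems.extend(errs)
        if net is not None:
            nets[name] = net
    if len(nets) == 2 and nets["ON_PREM_NETWORK"].overlaps(nets["TRAY_NETWORK"]):
        problems.append("ON_PREM_NETWORK and TRAY_NETWORK overlap; they must be disjoint")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_ENV), ("bad", BAD_ENV)):
        problems = validate_env(text)
        print(f"{label}: {'ok' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

To check a real file, call validate_env(open("/path/to/tray-vpn-credentials.env").read()) and refuse to start the container while the list is non-empty.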
You can then pull the Docker image:
docker pull tray/vpn-client:latest
And start the client with:
docker run -d --rm --network=host --cap-add=NET_ADMIN --cap-add=SYS_MODULE --env-file /path/to/tray-vpn-credentials.env tray/vpn-client:latest
The other option is to install the strongSwan VPN client and configure it for use with the same credentials.
The following install instructions are for Ubuntu 18.04 (Please see the Appendix for instructions for multiple other OSes):
# Install ntp and strongswan
apt update
apt install ntp strongswan
# Enable services
systemctl enable ntp
systemctl enable strongswan
# Modify strongswan config and secret
vim /etc/ipsec.conf
vim /etc/ipsec.secrets
# Restart service
service strongswan restart
# Verify log
tail -F /var/log/syslog | grep charon
See below for the configuration and secret file you need to edit in the third step above.
Note that some OSes store the configuration files in /etc/strongswan/ while others keep them in /etc/:
config setup
    # strictcrlpolicy=yes
    # uniqueids=no

# Default configuration
conn %default
    mobike=no
    compress=no
    authby=psk
    keyexchange=ikev1
    ike=aes128-sha1-modp1024!
    ikelifetime=28800s
    esp=aes128-sha1-modp1024!
    lifetime=3600s
    rekeymargin=3m
    keyingtries=3
    installpolicy=yes
    route=auto
    dpdaction=restart
    type=tunnel

# Tunnel 1 configuration
conn aws-tunnel-1
    leftsubnet=192.168.0.0/16 # your on-premise subnet
    right=34.x.x.x # tunnel 1 public IP
    rightsubnet=172.27.0.0/16 # tray subnet
    auto=start

# Tunnel 2 configuration
conn aws-tunnel-2
    leftsubnet=192.168.0.0/16 # your on-premise subnet
    right=35.x.x.x # tunnel 2 public IP
    rightsubnet=172.27.0.0/16 # tray subnet
    auto=start
# ipsec.secrets - strongSwan IPsec secrets file
34.x.x.x : PSK "3abUpxxxxxxxxxxxEnZ1BimUQ9w"
35.x.x.x : PSK "6NbCDxxxxxxxxxxxkqf7p07bMMK"
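The two files have to agree with each other: every right= peer address in ipsec.conf needs a matching PSK line in ipsec.secrets, the conn must actually use authby=psk, and leftsubnet must not overlap rightsubnet, otherwise charon logs an authentication failure or installs a policy that never carries traffic. The script below is an added example, not Tray.io's documentation or tooling: it parses both files (inline # comments stripped, %default merged into each conn) and reports mismatches before the service is restarted. The embedded samples are constructed to mirror the page's layout, keeping the page's 34.x.x.x / 35.x.x.x placeholders and using invented PSK placeholder strings.

```python
import ipaddress
import re

# Constructed samples in the layout of the page's ipsec.conf / ipsec.secrets.
SAMPLE_CONF = """config setup

conn %default
    authby=psk
    keyexchange=ikev1
    type=tunnel

conn aws-tunnel-1
    leftsubnet=192.168.0.0/16 # your on-premise subnet
    right=34.x.x.x # tunnel 1 public IP
    rightsubnet=172.27.0.0/16 # tray subnet
    auto=start

conn aws-tunnel-2
    leftsubnet=192.168.0.0/16
    right=35.x.x.x
    rightsubnet=172.27.0.0/16
    auto=start
"""
SAMPLE_SECRETS = """# constructed ipsec.secrets; the PSK strings are placeholders
34.x.x.x : PSK "PLACEHOLDER_PSK_FOR_TUNNEL_1"
35.x.x.x : PSK "PLACEHOLDER_PSK_FOR_TUNNEL_2"
"""

SECTION = re.compile(r"^(conn|config)\s+(\S+)$")
SECRET = re.compile(r'^(\S+)\s*:\s*PSK\s+"([^"]*)"')


def _strip_comment(line):
    """Drop a trailing # comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with %default merged into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            # 'config setup' parameters are not conn parameters; skip them
            current = m.group(2) if m.group(1) == "conn" else None
            if current is not None:
                sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **params} for name, params in sections.items()}


def parse_ipsec_secrets(text):
    """Return {selector: psk} for PSK lines; full-line comments are skipped."""
    secrets = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = SECRET.match(line)
        if m:
            secrets[m.group(1)] = m.group(2)
    return secrets


def check_tunnels(conf_text, secrets_text):
    """Cross-check conns against secrets; return a list of problems (empty = consistent)."""
    conns = parse_ipsec_conf(conf_text)
    secrets = parse_ipsec_secrets(secrets_text)
    if not conns:
        return ["no conn sections found in ipsec.conf"]
    problems = []
    for name, p in conns.items():
        peer = p.get("right")
        if peer is None:
            problems.append(f"{name}: no right= peer address")
        elif peer not in secrets:
            problems.append(f"{name}: no PSK for {peer} in ipsec.secrets")
        if p.get("authby") != "psk":
            problems.append(f"{name}: authby={p.get('authby')} but the secrets file holds PSKs")
        if p.get("auto") != "start":
            problems.append(f"{name}: auto={p.get('auto')}, tunnel will not come up at service start")
        try:
            left = ipaddress.ip_network(p["leftsubnet"])
            right = ipaddress.ip_network(p["rightsubnet"])
        except (KeyError, ValueError) as exc:
            problems.append(f"{name}: bad or missing leftsubnet/rightsubnet ({exc})")
            continue
        if left.overlaps(right):
            problems.append(f"{name}: leftsubnet {left} overlaps rightsubnet {right}")
    return problems


if __name__ == "__main__":
    print(check_tunnels(SAMPLE_CONF, SAMPLE_SECRETS) or "ipsec.conf and ipsec.secrets are consistent")
```

Run it as root against the real files (check_tunnels(open("/etc/ipsec.conf").read(), open("/etc/ipsec.secrets").read()), or the /etc/strongswan/ paths on the OSes that use them). Since ipsec.secrets holds the tunnel PSKs in clear text, keep it owned by root with mode 0600.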
Once you have your setup running, the easiest way to test it is to:
Run a MySQL server instance on a machine in your network
Create a Tray.io workflow with a MySQL connector authenticated using your network address as host
So, assuming that you already have mysql-server installed on a network machine, you can create a test database, table and user with a sequence of commands such as:
CREATE DATABASE db1;
USE db1;
CREATE TABLE example (
  id smallint unsigned not null auto_increment,
  name varchar(20) not null,
  constraint pk_example primary key (id)
);
INSERT INTO example ( id, name ) VALUES ( null, 'Sample data' );
CREATE USER 'billy'@'%' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON db1.* TO 'billy'@'%';
Then make sure that your MySQL server is listening to remote connections.
Exactly how to do this depends on your OS, but on Ubuntu 18.04 you would edit /etc/mysql/mysql.conf.d/mysqld.cnf and change bind-address to:
bind-address = 0.0.0.0
Then restart the server with:
sudo systemctl restart mysql
followed by:
sudo netstat -tulnp | grep mysqld
to check that you have an output such as:
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 622/mysql
Your firewall must also allow inbound connections to the default MySQL port, 3306.
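The bind-address, restart and netstat steps above come down to one question: is mysqld listening on 3306 on an address the tunnel can reach, or only on loopback? The script below is an added example, not part of Tray.io's documentation: it parses listening sockets out of netstat -tulnp output (and, going slightly beyond the page, ss -tulnp output too, since newer distributions ship ss instead of netstat) and classifies how mysqld is exposed. The sample outputs are constructed; pids, the sshd and ntpd lines and the 33060 X Protocol socket are made up to show non-matching rows being ignored.

```python
import re

# Constructed sample output in the layout of `netstat -tulnp` and `ss -tulnp`;
# pids, extra services and ports other than 3306 are made up for the example.
SAMPLE_NETSTAT = """Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      622/mysqld
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      622/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      418/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           350/ntpd
"""
SAMPLE_SS = """Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      151          0.0.0.0:3306       0.0.0.0:*     users:(("mysqld",pid=622,fd=21))
tcp   LISTEN 0      151        127.0.0.1:33060      0.0.0.0:*     users:(("mysqld",pid=622,fd=20))
"""

LOCAL_ADDR = re.compile(r"^(?P<addr>\S+?):(?P<port>\d+)$")
WILDCARDS = ("0.0.0.0", "::", "*")   # bound to every interface
LOOPBACK = ("127.0.0.1", "::1")      # reachable from the local host only


def listeners(text):
    """Return [(addr, port, program)] for each listening TCP socket in netstat or ss output."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("tcp") or "LISTEN" not in fields:
            continue
        # netstat: proto recv-q send-q local foreign state pid/program
        # ss:      netid state  recv-q send-q local peer  process
        local = fields[3] if fields[1].isdigit() else fields[4]
        m = LOCAL_ADDR.match(local)
        if not m:
            continue
        tail = fields[-1]
        ss_prog = re.search(r'\(\("([^"]+)"', tail)           # users:(("mysqld",pid=...))
        program = ss_prog.group(1) if ss_prog else (tail.partition("/")[2] or tail)  # 622/mysqld
        found.append((m.group("addr"), int(m.group("port")), program))
    return found


def mysql_exposure(text, port=3306):
    """Classify how mysqld is reachable on `port`: 'none', 'loopback', 'specific' or 'all'."""
    addrs = [a for a, p, prog in listeners(text) if p == port and prog.startswith("mysql")]
    if not addrs:
        return "none"
    if any(a in WILDCARDS for a in addrs):
        return "all"
    if all(a in LOOPBACK for a in addrs):
        return "loopback"
    return "specific"


if __name__ == "__main__":
    for label, sample in (("netstat", SAMPLE_NETSTAT), ("ss", SAMPLE_SS)):
        print(f"{label}: mysqld on 3306 is exposed to: {mysql_exposure(sample)}")
```

On the real host, feed it the command output (for example subprocess.run(["ss", "-tulnp"], capture_output=True, text=True).stdout); "loopback" means the bind-address change has not taken effect, and "none" means mysqld is not running or not on 3306. Once the tunnel works, both the account's host part and the firewall rule can be narrowed from '%' / any source to the TRAY_NETWORK range (MySQL accepts a netmask form such as 'billy'@'172.27.0.0/255.255.0.0'), so that only connector traffic arriving through the tunnel reaches the server.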
In your Tray.io account create a new workflow and add a MySQL step:
Then create an authentication, adding your network machine internal IP address as the host, leaving 3306 as the default port, and entering the username and password of the database user you created:
Then run a simple query such as
select * from example
using the 'Run SQL query' operation:
You can then check the Debug tab to make sure your query has been successful!
Appendix: install instructions for other OSes

Amazon Linux (yum):
# Install ntp and strongswan
sudo amazon-linux-extras install epel
sudo yum repolist
yum update
yum install ntp strongswan
# Enable services
systemctl enable ntp
systemctl enable strongswan
# Modify strongswan config and secret
vim /etc/strongswan/ipsec.conf
vim /etc/strongswan/ipsec.secrets
# Restart service
service strongswan restart
# Verify log
tail -F /var/log/messages | grep charon
macOS (Homebrew):
# Install strongswan
brew install strongswan
# Modify strongswan config and secret
vim /usr/local/etc/ipsec.conf
vim /usr/local/etc/ipsec.secrets
# Start service
sudo ipsec start
RHEL / CentOS 8 (dnf):
# Install epel
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
rpm -ql epel-release
dnf repolist -v
# Install chrony and strongswan
dnf install chrony
dnf install strongswan
# Enable services
systemctl enable chronyd
systemctl enable strongswan
# Modify strongswan config and secret
vim /etc/strongswan/ipsec.conf
vim /etc/strongswan/ipsec.secrets
# Restart service
service strongswan restart
# Verify log
tail -F /var/log/messages | grep charon
SUSE (zypper):
# Install ntp and strongswan
zypper install ntp
zypper install strongswan
# Enable services
systemctl enable ntpd
systemctl enable strongswan
# Modify strongswan config and secret
vim /etc/ipsec.conf
vim /etc/ipsec.secrets
# Restart service
service strongswan restart
# Verify log
tail -F /var/log/messages | grep charon