Site-to-Site VPN with Safous Linux Agent

Use Cases

  • Site-to-Site VPN between branch office and head office, or between remote sites and the data center (DC)

Diagram

(1) Remote Subnet 1 
   --> (2) Linux Server with Safous Agent 
   --> (3) Safous POP 
   --> (4) Safous App Gateway 
         --> (5) Remote Subnet 2

 

Components to set up: 

  1. Remote Subnet 1:
    Set the network gateway to the Linux Server running the Safous Agent.

  2. Linux Server with Safous Agent:
    Enable IP forwarding and set up tunneling using the Safous Agent.

  3. Safous POP:
    No configuration required by the user.

  4. Safous App Gateway:
    Configure the network applications in Remote Subnet 2 to be accessible by the Safous Agent.

  5. Remote Subnet 2:
    No configuration required by the user.

How to

On Safous App Gateway (via Admin Portal)

  • Create an Agent Token
    • Navigate to: Settings > Accounts > Agent Token > New Agent Token.
    • Enter a name for the token and click Save.
    • A new token will be generated. Save it in a secure location, as it is shown only once.

  • Create a Network Application
    • Add the subnet for Remote Subnet 2, including the relevant ports and site association.
    • Define an access rule that allows the newly created agent token to access this network application.

On Linux Server with Safous Agent

  • Log in to the user portal.

  • Click "Download Agent" and select the Linux Agent.

  • Transfer the file to your Linux server using scp or another tool.

  • Install the agent (replace <tenant> with your Safous tenant name)
      apt update
      apt install libayatana-appindicator3-1
      mv linux-amd64.deb <tenant>.ztna.safous.com.deb
      dpkg -i <tenant>.ztna.safous.com.deb

  • Authenticate and start tunneling
      cd /usr/local/share/cyolo/connect/
      ./connect auth login https://login.<tenant>.ztna.safous.com -k <Safous Agent Token>
      ./connect tunnel up
      ./connect tunnel status

  • Set the Linux Server as a Network Gateway (enable IP forwarding)
      sudo nano /etc/sysctl.conf
    Add or uncomment the following line, then save the file:
      net.ipv4.ip_forward = 1
    Apply the setting:
      sudo sysctl -p

  • Configure iptables (replace enp0s3 with your actual LAN-facing interface; tun0 is the tunnel interface)
      sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
      sudo iptables -A FORWARD -i enp0s3 -o tun0 -j ACCEPT
      sudo iptables -A FORWARD -i tun0 -o enp0s3 -m state --state RELATED,ESTABLISHED -j ACCEPT

  • Verify routing
      netstat -nr

Ensure that a route to Remote Subnet 2 exists via the tun0 interface.
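The gateway steps above, collected into a small helper script as an added example (this is not part of the Safous documentation): it verifies IP forwarding, checks that Remote Subnet 2 is routed via the tunnel interface, and applies the iptables rules without duplicating them on re-runs. The interface names, the example subnet 10.20.0.0/24 and the sample routing table are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the Safous docs): preflight/apply helpers for the Linux
# gateway steps above. Interfaces, subnet and sample routes are constructed values.

LAN_IF="${LAN_IF:-enp0s3}"                      # assumed LAN-facing interface
TUN_IF="${TUN_IF:-tun0}"                        # tunnel interface used by the agent
REMOTE_SUBNET2="${REMOTE_SUBNET2:-10.20.0.0/24}" # constructed example subnet

# Constructed sample of `ip route show` output, used for offline testing only.
SAMPLE_ROUTES='default via 192.168.1.1 dev enp0s3
10.20.0.0/24 dev tun0 scope link
192.168.1.0/24 dev enp0s3 proto kernel scope link src 192.168.1.10'

# route_via_tunnel <subnet> <dev> <routing-table-text>: succeed only when the
# table has an entry for exactly that subnet leaving via the given interface.
route_via_tunnel() {
    printf '%s\n' "$3" | awk -v s="$1" -v d="$2" '
        $1 == s { for (i = 2; i < NF; i++) if ($i == "dev" && $(i + 1) == d) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# ip_forward_enabled [path]: succeed when the kernel forwarding flag reads 1.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# ensure_rule <table> <chain> <rule...>: append the rule only if it is not
# already present (iptables -C), so re-running the script never duplicates it.
# Note: rules added this way do not survive a reboot; persist them with your
# distribution's mechanism (e.g. the iptables-persistent package on Debian).
ensure_rule() {
    t="$1"; c="$2"; shift 2
    sudo iptables -t "$t" -C "$c" "$@" 2>/dev/null || sudo iptables -t "$t" -A "$c" "$@"
}

apply_gateway_rules() {
    ensure_rule nat POSTROUTING -o "$TUN_IF" -j MASQUERADE
    ensure_rule filter FORWARD -i "$LAN_IF" -o "$TUN_IF" -j ACCEPT
    ensure_rule filter FORWARD -i "$TUN_IF" -o "$LAN_IF" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Run the live checks only when invoked as: sh gateway.sh check
if [ "${1:-}" = "check" ]; then
    ip_forward_enabled || { echo "ip_forward is 0: run sudo sysctl -p"; exit 1; }
    route_via_tunnel "$REMOTE_SUBNET2" "$TUN_IF" "$(ip route show)" \
        || { echo "no route to $REMOTE_SUBNET2 via $TUN_IF: is the tunnel up?"; exit 1; }
    apply_gateway_rules && echo "gateway checks passed, rules in place"
fi
```

Run it after `./connect tunnel up` has succeeded; the route check fails cleanly if the tunnel is down, before any iptables rule is touched.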

On Remote Subnet 1

  • Configure all machines in Remote Subnet 1 to use the IP address of the Linux Server’s local interface (enp0s3, for example) as their default gateway.
  • Note: Do not use the tun0 interface IP as the gateway.