
How to set up secure communication with a Cloud poller

OP5 Monitor can be used in a distributed monitoring setup with a master system and one or several pollers. A poller can be cloud-based or set up as a standard local poller using the OP5 Poller Extension. This how-to describes how to secure the communication between the master and a cloud (or normal) poller with an OpenVPN tunnel: the poller runs the OpenVPN server, the master connects as the OpenVPN client, and Merlin is then pointed at the tunnel addresses instead of the public ones.

Design

Poller: OpenVPN server, IP 10.1.0.1
Master: OpenVPN client, IP 10.1.0.2

Requirements

How-to

Poller-side configuration

Go to the easy-rsa directory shipped with OpenVPN and make the scripts executable:

```
# cd /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0
# chmod +x *
```

Set the certificate defaults in the vars file (adjust them to your organisation):

```
export KEY_COUNTRY="SE"
export KEY_PROVINCE="Stockholm"
export KEY_CITY="Stockholm"
export KEY_ORG="op5 AB"
export KEY_EMAIL="support@op5.com"
```

Source the vars file (it must be sourced, not executed, so the KEY_* exports apply to your current shell), then build the CA and the poller's server certificate:

```
# . ./vars
# ./clean-all
# ./pkitool --initca
# ./build-key-server poller-to-master
```

This generates the output below. Press Enter to accept the default on every question except the y/n questions, which you answer with 'y':

```
Generating a 1024 bit RSA private key
.....................++++++
.....++++++
writing new private key to 'poller-to-master.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SV]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [Stockholm]:
Organization Name (eg, company) [op5 AB]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [cloud-poller]:
Email Address [support@op5.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'SE'
stateOrProvinceName   :PRINTABLE:'Stockholm'
localityName          :PRINTABLE:'Stockholm'
organizationName      :PRINTABLE:'op5 AB'
commonName            :PRINTABLE:'cloud-poller'
emailAddress          :IA5STRING:'support@op5.com'
Certificate is to be certified until Aug 30 07:48:35 2021 GMT (3650 days)
Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated
```

Now build the client certificate that the master will present to the poller:

```
# ./build-key internal-master-to-poller
```

```
Generating a 1024 bit RSA private key
.++++++
.............++++++
writing new private key to 'internal-master-to-poller.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SE]:
State or Province Name (full name) [Stockholm]:
Locality Name (eg, city) [Stockholm]:
Organization Name (eg, company) [op5 AB]:
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) [internal-master-to-poller]:internal-master
Email Address [support@op5.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'SE'
stateOrProvinceName   :PRINTABLE:'Stockholm'
localityName          :PRINTABLE:'Stockholm'
organizationName      :PRINTABLE:'op5 AB'
organizationalUnitName:PRINTABLE:'IT'
commonName            :PRINTABLE:'internal-master'
emailAddress          :IA5STRING:'support@op5.com'
Certificate is to be certified until Aug 30 08:28:57 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```

Create the OpenVPN directory layout, generate the Diffie-Hellman parameters and the tls-auth HMAC key, and copy the CA certificate plus the poller's certificate and key into place:

```
# cd /etc/openvpn
# mkdir certs
# mkdir dh
# mkdir keys
# mkdir /var/log/openvpn/
# openssl dhparam -out dh/dh1024.pem 1024
# openvpn --genkey --secret keys/ta.key
# cp /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/keys/ca.crt certs/
# cp /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/keys/poller-to-master.crt certs/
# cp /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/keys/poller-to-master.key keys/
```

The poller's OpenVPN configuration lives in /etc/openvpn/master-to-poller.conf. Create this file with your favorite editor and paste the configuration below, changing the parameters (in particular the public IP) to match your setup.

/etc/openvpn/master-to-poller.conf:

```
local <pollers public ip>
port 1194
proto udp
dev tun
ca certs/ca.crt
cert certs/poller-to-master.crt
key keys/poller-to-master.key
dh dh/dh1024.pem
ifconfig 10.1.0.1 10.1.0.2
keepalive 10 60
tls-server
tls-auth keys/ta.key 0
user nobody
group nobody
persist-key
persist-tun
log /var/log/openvpn/master-to-poller.log
verb 4
mute 20
script-security 2
```

To allow traffic from your master to your poller, open the poller's firewall for UDP port 1194 from the master's public (gateway) IP only. In this example 193.201.96.46 is our master's gateway to the internet; look up your own gateway and replace the IP. You can use http://whatismyip.org/ or ask your IT administrator.

```
# iptables -I RH-Firewall-1-INPUT -s 193.201.96.46 -p udp --dport 1194 -j ACCEPT
# service iptables save
# chkconfig --level 345 openvpn on
```

Restart OpenVPN to test the installation and check the logs for problems:

```
# service openvpn restart
```

Verify that the startup is successful. If it does not start correctly, take a look at the log files, which are located in /var/log/openvpn.

Master-side configuration

On the master, create the directory layout and copy the master's certificate and key, the CA certificate and the tls-auth key from the poller (91.123.201.38 is the poller's address in this example; replace it with yours):

```
# cd /etc/openvpn
# mkdir certs keys logs
# scp root@91.123.201.38:/usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/keys/internal-master-to-poller.key keys/
# scp root@91.123.201.38:/usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/keys/internal-master-to-poller.crt certs/
# scp root@91.123.201.38:/usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/keys/ca.crt certs/
# scp root@91.123.201.38:/etc/openvpn/keys/ta.key keys/
```

/etc/openvpn/master-to-poller.conf:

```
client
dev tun
proto udp
remote <Poller public IP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca certs/ca.crt
cert certs/internal-master-to-poller.crt
key keys/internal-master-to-poller.key
tls-client
tls-auth keys/ta.key 1
ifconfig 10.1.0.2 10.1.0.1
log logs/internal-master-to-poller.log
verb 4
mute 20
user nobody
group nobody
script-security 2
```
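The two configurations above have to agree on several settings (complementary tls-server/tls-client roles, the tls-auth key direction 0 on the poller and 1 on the master, mirrored ifconfig addresses, matching port) or the tunnel simply never comes up. The following added example, which is not part of the OP5 how-to, parses a server/client config pair and reports such mismatches; the sample configs are constructed from the page's settings with the placeholder 203.0.113.10 as the poller's public IP.

```python
def parse_openvpn_conf(text):
    """Map each option name to the argument list of its first occurrence."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line:
            name, *args = line.split()
            opts.setdefault(name, args)
    return opts

def check_pair(server_text, client_text):
    """Return a list of mismatches; an empty list means the pair is consistent."""
    s, c = parse_openvpn_conf(server_text), parse_openvpn_conf(client_text)
    problems = []
    if "tls-server" not in s or "dh" not in s:
        problems.append("server needs tls-server and a dh file")
    if "tls-client" not in c and "client" not in c:
        problems.append("client needs tls-client or client")
    # tls-auth: same HMAC key on both ends, key-direction 0 on server, 1 on client
    if s.get("tls-auth", [])[1:] != ["0"] or c.get("tls-auth", [])[1:] != ["1"]:
        problems.append("tls-auth key-direction must be 0 on server and 1 on client")
    # ifconfig: the client's local/remote pair must mirror the server's
    if s.get("ifconfig", []) != list(reversed(c.get("ifconfig", []))):
        problems.append("ifconfig addresses are not mirrored")
    # the server's port must match the client's 'remote <host> [port]' (default 1194)
    remote = c.get("remote", [])
    if s.get("port", ["1194"])[0] != (remote[1] if len(remote) > 1 else "1194"):
        problems.append("server port does not match client remote port")
    # once dropped to nobody, OpenVPN cannot reread keys or reopen tun on restart
    for side, cfg in (("server", s), ("client", c)):
        if "user" in cfg and not ("persist-key" in cfg and "persist-tun" in cfg):
            problems.append(f"{side}: user/group drop needs persist-key and persist-tun")
    return problems

# Constructed sample pair mirroring the page's configs (203.0.113.10 is a placeholder)
POLLER_CONF = """local 203.0.113.10\nport 1194\nproto udp\ndev tun
ca certs/ca.crt\ncert certs/poller-to-master.crt\nkey keys/poller-to-master.key
dh dh/dh1024.pem\nifconfig 10.1.0.1 10.1.0.2\nkeepalive 10 60\ntls-server
tls-auth keys/ta.key 0\nuser nobody\ngroup nobody\npersist-key\npersist-tun"""
MASTER_CONF = """client\ndev tun\nproto udp\nremote 203.0.113.10 1194\nnobind
persist-key\npersist-tun\nca certs/ca.crt\ncert certs/internal-master-to-poller.crt
key keys/internal-master-to-poller.key\ntls-client\ntls-auth keys/ta.key 1
ifconfig 10.1.0.2 10.1.0.1\nuser nobody\ngroup nobody"""

if __name__ == "__main__":
    print(check_pair(POLLER_CONF, MASTER_CONF) or "configs are consistent")
    # the same key-direction on both ends makes tls-auth reject every handshake
    print(check_pair(POLLER_CONF, MASTER_CONF.replace("ta.key 1", "ta.key 0")))
```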

Enable and start OpenVPN on the master:

```
# chkconfig --level 345 openvpn on
# service openvpn restart
```

Verify that the startup is OK. If it does not start correctly, take a look at the log files: the master configuration above logs to logs/internal-master-to-poller.log under /etc/openvpn, and the poller logs to /var/log/openvpn. Then test the tunnel from the master:

```
# ping 10.1.0.1
```

If 10.1.0.1 responds, the VPN tunnel is working.

Secure Merlin protocol

Secure the Merlin communication by using the internal (OpenVPN) IP addresses instead of the public IPs, so that Merlin traffic only ever crosses the tunnel.

Open /opt/monitor/op5/merlin/merlin.conf and change your poller's IP to the internal IP 10.1.0.1.

Open /opt/monitor/op5/merlin/merlin.conf and change your master's IP to the internal IP 10.1.0.2.

Restart the master and all pollers by running the following on the master:

```
# mon node ctrl --self --mon restart
```
