How do I copy a VM to another Project or Contract?

Currently, there is no one-step process for copying or transferring a VM into another project, whether within the same contract or in a different contract. To do this, you must first shut down the VM and then clone the VM’s system drive and any additional data drives separately.

This cloning process will then create a private image of each cloned disk, storing each image within the Portal under ‘Project | Compute | Image menu’. See the below steps:

Clone System and Data Disks

1. Set up and declare the required variables:

VOLUME_ID=

FORCE=true

DISK_FORMAT=raw

CONTAINER_FORMAT=bare

NAME=

Run the following command to Image the disk:

Repeat the above for each disk. The VM can be powered back on, once the above command has been run for all disks associated with the VM.

CAUTION: Cloning a VM whose default partitions have been altered in any way may corrupt the image, preventing any VM deployed from it from booting correctly.

Publish Images between Projects

Once the status of each disk within the ‘List Storage’ screen has changed from “Upload” to “in-use”, you can begin making the image(s) available to other projects. See the steps below:

1. Set up and declare the required variables:

MEMBER=

STATUS=accepted

IMAGE_ID=

2. Scope to Source Project and get your API token

3. Run the following command to make the image available to the destination project:

4. Scope to Destination Project and get your API token

5. Run the following command to accept the image from the source project

Repeat the above for each image required.

Deploying a VM from private Image

A VM can then be created as normal, using this system disk image, but before deploying a VM in the target project, I would recommend waiting a while. It seems that if you try to deploy a VM too quickly, that it remains with a status of ‘building’ and eventually results in an error. If this happens to you, simply delete and try and redeploy. I will update this blog, once I have a response from a support query I have raised.

Each data disk first needs to be added as storage, specifying the ‘Storage Source’ as ‘Image’, then choosing the appropriate image in the ‘The volume will be created from an image’ drop down box.

The storage can then be attached to a VM as normal, under the Storage ‘Action | Edit Connection’ menu

A Word on Deletion of an Image

It is important to note that the image of the cloned VM is only stored once per contract, having the same ID across projects. If you delete the image from the source project, you will also remove it from all target projects.

An image cannot currently be deleted using the portal and can only be deleted using the API.

The following command can be used to delete an image

curl -X DELETE "$COMPUTE/v2/$PROJECT_ID/images/<IMAGE ID>" -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json"

 

How to Configure and use the K5 SSL VPN Service

This blog provides a short introduction to establishing an SSL VPN connection to your K5 virtual system from a client device (both a Windows workstation and an Android mobile device). This requires downloading, installing and configuring OpenVPN. In this blog I have performed the necessary steps on a Microsoft Windows machine, but will look at performing the same procedure within a Linux environment in a future blog.

Download OpenVPN Software

The latest version (2.4) of the Windows OpenVPN installer can be downloaded from https://openvpn.net/index.php/open-source/downloads.html . This contains the full suite of OpenVPN components, although we only require the certificate creation tools and client components.

The first step is to create the necessary certificate files for both the client and server. This can be performed on any suitable Windows machine (including a K5 Windows Server VM).

1. Double click the downloaded file ‘Openvpn-install-2.x.x-y.exe’. In the resulting wizard, ensure the only components that are ticked are ‘OpenVPN RSA Certificate Management Scripts’ component and ‘Advanced | Add OpenVPN to path’ . Otherwise accept all other default options.

2. Once installed, open Notepad with administrator permissions and open ‘C:/Program Files/OpenVPN/easy-rsa/openssl-1.0.0.cnf’.

  • Within the ‘CA_default’ section, change the value of ‘default_md’ to ‘sha256’, e.g. default_md = sha256
  • Within the ‘req’ section, add ‘default_md = sha256’

 

Set up a Certificate Authority (CA)

A Certificate Authority (CA) is required to sign client and server certificates. This can be achieved using the easy-rsa scripts that are packaged with OpenVPN.

1. Run a CMD prompt with administrative permissions.

2. Change to the appropriate directory i.e.  C:\Program Files\OpenVPN\easy-rsa

3. Enter the command: init-config

This will initialise the directory, wiping any previous certificates etc.

4. Next edit vars.bat

  • change “set KEY_SIZE=1024” to “set KEY_SIZE=2048”
  • amend the “KEY_” settings at the bottom of the file and adjust the ‘HOME’ path (if required). E.g. :
@echo off
rem Edit this variable to point to
rem the openssl.cnf file included
rem with easy-rsa.

set HOME=%ProgramFiles%\OpenVPN\easy-rsa
set KEY_CONFIG=openssl-1.0.0.cnf

rem Edit this variable to point to
rem your soon-to-be-created key
rem directory.
rem
rem WARNING: clean-all will do
rem a rm -rf on this directory
rem so make sure you define
rem it correctly!
set KEY_DIR=keys

rem Increase this to 2048 if you
rem are paranoid.  This will slow
rem down TLS negotiation performance
rem as well as the one-time DH parms
rem generation process.
set KEY_SIZE=2048

rem These are the default values for fields
rem which will be placed in the certificate.
rem Change these to reflect your site.
rem Don't leave any of these parms blank.

set KEY_COUNTRY=GB
set KEY_PROVINCE=England
set KEY_CITY=London
set KEY_ORG=FujitsuK5
set KEY_EMAIL=k5user
set KEY_CN=sslvpn
set KEY_NAME=sslvpn
set KEY_OU=HybridIT
set PKCS11_MODULE_PATH=changeme
set PKCS11_PIN=1234

5. Run the following commands one after the other to generate the CA key:

vars
clean-all
build-ca

IMPORTANT: The process will prompt for some details.  In the majority of cases the default for each should be accepted by pressing ‘Enter’, except where this value is changeme.

 

Set Up Server Key and Certificate

The next step is to generate a key and certificate for the VPN Server. This is only performed once.

1. To do this, run the following commands:

C:..\easy-rsa> vars
C:..\easy-rsa> build-key-server  K5SSLVPN 

The process will again prompt for confirmation of values. This time specify the value of ‘Common Name’ and ‘Name’ as K5SSLVPN.

Leave the challenge password and optional company name blank.  Answer Y to sign the certificate and Y to commit

2. The service also needs Diffie Hellman parameters. Run the command

C:\..\easy-rsa> build-dh

This may take several minutes…

Finally copy the key, certificates and DH file to the OpenVPN config folder.

C:..\easy-rsa> copy keys\*.crt ..\config\
C:..\easy-rsa> copy keys\*.key ..\config\
C:..\easy-rsa> copy keys\dh2048.pem ..\config\

(Create C:\Program Files\OpenVPN\config if required)

The files within the config folder now need to be made available within your API environment for upload into K5.

In my case, this is a simple case of copying the files (minus the README) to the same location within c:\cygwin64\home\\ as my init.sh and get_token files

Set Up Client Key and Certificate

The next step is to generate the client key(s) and certificates. These keys will then need to be securely transferred to the client machine. Repeat this for each client device, choosing a unique Common Name/Name each time.

1. To generate the client key and certificate on the OpenVPN server machine:

  1. Run a CMD prompt with administrative permissions.
  2. Change to the appropriate directory  C:\Program Files\OpenVPN\easy-rsa
  3. Enter the commands: vars
    then build-key <client/ user name>  [e.g. client1]

IMPORTANT: The process will prompt for some details.  In the majority of cases the default for each should be accepted by pressing ‘Enter’, except where this value is changeme.

In the case of ‘Common Name’ and ‘Name’, please enter a unique name that describes the client/user [e.g. client1].

The client key and certificate along with the root certificate will be needed on the connecting workstation later:

C:\Program Files\OpenVPN\easy-rsa\keys\<client/ user name>.crt
C:\Program Files\OpenVPN\easy-rsa\keys\<client/ user name>.key
C:\Program Files\OpenVPN\easy-rsa\ca.crt

 

Registering Server Certificates with K5 Key Management

Register the CA.CRT Certificate

1. Enter the API command below, inserting the string from your ‘CA.CRT’ file as shown, making sure to include all text between and including “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”.

It is best to use a fully featured text editor rather than Notepad, to ensure that the format is correct and that the certificate ‘beginning line’, body and ‘end line’ components are on separate lines as shown below:

curl $KEYMANAGEMENT/v1/$PROJECT_ID/secrets -X POST -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" -d '{"name":"ca","payload":"-----BEGIN CERTIFICATE-----
MIIDvMZps
-----END CERTIFICATE-----","payload_content_type": "text/plain"}'

2. Record the resulting reference number for later use, e.g.

{"secret_ref": "https://keymanagement.uk-1.cloud.global.fujitsu.com/v1/75xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/secrets/ff7xxxxxxxxxxxxxxx-xxxx-xxxxxxxxxxxb"}

 

Register the server.crt Certificate

1. Enter the following API command, inserting the string from your ‘server.crt’ file as shown, making sure to include all text between and including “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”.

curl $KEYMANAGEMENT/v1/$PROJECT_ID/secrets -X POST -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" -d '{"name":"server_certificate","payload":"-----BEGIN CERTIFICATE-----
+LfN
-----END CERTIFICATE-----","payload_content_type": "text/plain"}'

2. Record the resulting reference number for later use, e.g.

{"secret_ref": "https://keymanagement.uk-1.cloud.global.fujitsu.com/v1/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/secrets/xxxxxxxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx"}

 

Register the server.key Certificate

1. Enter the following API command, inserting the string from your ‘server.key’ file as shown, making sure to include all text between and including “-----BEGIN PRIVATE KEY-----” and “-----END PRIVATE KEY-----”.

curl $KEYMANAGEMENT/v1/$PROJECT_ID/secrets -X POST -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" -d '{"name":"server_key","payload":"-----BEGIN PRIVATE KEY-----
MIIC+==
-----END PRIVATE KEY-----","payload_content_type": "text/plain"}'

2. Record the resulting reference number for later use, e.g.

{"secret_ref": "https://keymanagement.uk-1.cloud.global.fujitsu.com/v1/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/secrets/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}

 

Register the DH Certificate

1. Enter the following API command, inserting the string from your ‘dh2048.pem’ file as shown, making sure to include all text between and including “-----BEGIN DH PARAMETERS-----” and “-----END DH PARAMETERS-----”.

curl $KEYMANAGEMENT/v1/$PROJECT_ID/secrets -X POST -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" -d '{"name":"dh","payload":"-----BEGIN DH PARAMETERS-----
MI+==
-----END DH PARAMETERS-----","payload_content_type": "text/plain"}'

2. Record the resulting reference number for later use, e.g.

{"secret_ref": "https://keymanagement.uk-1.cloud.global.fujitsu.com/v1/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/secrets/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}
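
The four registration steps above rely on pasting each PEM block into a JSON body by hand. As an added example (not part of the original blog or of any K5 tooling), the shell function below pulls the single PEM block of the expected type out of a file, drops Windows line endings and emits the JSON body with \n escapes. The function names, the constructed sample input and the assumption that the key management API accepts standard JSON \n escapes in place of literal line breaks belong to this example.

```sh
#!/bin/sh
# Added example: build the JSON body for the secrets POST from a PEM file.
# Assumption: the API accepts standard JSON "\n" escapes inside "payload".

# pem_secret_json NAME FILE TYPE
#   NAME  secret name used on this page: ca, server_certificate, server_key, dh
#   FILE  PEM file produced by easy-rsa
#   TYPE  PEM label: CERTIFICATE, "PRIVATE KEY" or "DH PARAMETERS"
# Prints one line of JSON; fails unless FILE holds exactly one complete
# PEM block of the requested type.
pem_secret_json() {
    psj_name=$1; psj_file=$2; psj_type=$3

    # Restrict the name so it cannot break out of the JSON string.
    case $psj_name in
        ''|*[!A-Za-z0-9_]*) echo "invalid secret name" >&2; return 1 ;;
    esac
    [ -r "$psj_file" ] || { echo "cannot read $psj_file" >&2; return 1; }

    # tr drops the CRs of files written on Windows; awk keeps only the lines
    # from BEGIN to END, so a text dump ahead of the block is left out.
    tr -d '\r' < "$psj_file" | awk -v name="$psj_name" -v label="$psj_type" '
        BEGIN { head = "-----BEGIN " label "-----"
                tail = "-----END " label "-----" }
        $0 == head { if (seen) bad = 1          # a second block is an error
                     seen = 1; inside = 1; payload = head "\\n"; next }
        $0 == tail { if (!inside) bad = 1
                     inside = 0; closed = 1; payload = payload tail; next }
        inside     { if ($0 !~ "^[A-Za-z0-9+/=]+$") bad = 1   # base64 only
                     payload = payload $0 "\\n"; body++ }
        END {
            if (bad || !closed || inside || body == 0) exit 1
            printf "{\"name\":\"%s\",\"payload\":\"%s\",", name, payload
            printf "\"payload_content_type\":\"text/plain\"}\n"
        }' || { echo "$psj_file: no single valid $psj_type block" >&2; return 1; }
}

# Constructed sample (not a real certificate): CRLF line endings and a text
# dump ahead of the PEM block, as a .crt written on Windows may contain.
demo_pem_secret_json() {
    demo_dir=$(mktemp -d) || return 1
    printf 'Certificate:\r\n    Data: (text dump)\r\n-----BEGIN CERTIFICATE-----\r\nQ09OU1RSVUNURUQ=\r\n-----END CERTIFICATE-----\r\n' > "$demo_dir/ca.crt"
    demo_rc=0
    pem_secret_json ca "$demo_dir/ca.crt" CERTIFICATE || demo_rc=$?
    rm -rf "$demo_dir"
    return $demo_rc
}

# Usage with the page's variables; "-d @-" makes curl read the body from stdin:
#   pem_secret_json server_key server.key "PRIVATE KEY" |
#     curl $KEYMANAGEMENT/v1/$PROJECT_ID/secrets -X POST \
#       -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" -d @-
```

Feeding the body to curl on stdin keeps the private key out of the command line and the shell history.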

 

Create Container to reference all SSLVPN Server Certs

1. Enter the following API command, inserting your own secret references from above into the appropriate places:

curl $KEYMANAGEMENT/v1/$PROJECT_ID/containers -X POST -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" -d '
{
"name": "SSL-VPN_VPNCredential",
"type": "generic",
"secret_refs": [
{
"name": "ca",
"secret_ref":"https://keymanagement.uk-1.cloud.global.fujitsu.com/v1/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/secrets/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
},
{
"name": "server_certificate",
"secret_ref":"https://keymanagement.uk-1.cloud.global.fujitsu.com/v1/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/secrets/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
},
{
"name": "server_key",
"secret_ref":"https://keymanagement.uk-1.cloud.global.fujitsu.com/v1/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/secrets/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
},
{
"name": "dh",
"secret_ref":"https://keymanagement.uk-1.cloud.global.fujitsu.com/v1/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/secrets/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}
]
}'

2. Record the resulting container reference number for later use:

{"container_ref": "https://keymanagement.uk-1.cloud.global.fujitsu.com/v1/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/containers/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}

The part of this reference after ‘/containers/’ is the UUID required later, i.e. xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

 

Set up K5 Network Infrastructure

This section can be skipped if your virtual network, router etc has already been created. Just make sure that you have assigned a Global IP Address to the router as described below.

1. Create a Network using the API

NW_NAME=<NAME OF YOUR CHOOSING>   # e.g. SSL_VPN_NETWORK

AZ=<AZ REFERENCE OF YOUR CHOOSING>   # e.g. uk-1a

curl -s $NETWORK/v2.0/networks -X POST -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" -d '{"network":{ "name": "'$NW_NAME'", "availability_zone": "'$AZ'"}}' | jq .

2. Create a Subnet

SN_NAME=<ANY NAME OF YOUR CHOOSING>   # e.g. SSLVPNSUBNET

NETWORK_ID=<ID FROM PREVIOUS COMMAND>

CIDR=<SUBNET OF YOUR CHOOSING>   # e.g. 10.10.1.0/24

# NOTE: THE ABOVE CIDR MUST BE A DIFFERENT RANGE TO THAT USED LATER FOR THE CLIENT SSLVPN NETWORK. IN THIS EXAMPLE WE WILL USE 10.1.1.0/24 FOR THE CLIENT SSLVPN NETWORK.

GATEWAY=<GATEWAY OF YOUR CHOOSING>   # e.g. 10.10.1.1

DNS=<DNS SERVERS FOR YOUR AZ>   # e.g. \"62.60.39.9\",\"62.60.39.10\"

curl -s $NETWORK/v2.0/subnets -X POST -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" -d '{"subnet": {"name": "'$SN_NAME'", "network_id": "'$NETWORK_ID'", "cidr": "'$CIDR'", "dns_nameservers": ['$DNS'], "ip_version": 4, "gateway_ip": "'$GATEWAY'", "availability_zone": "'$AZ'"}}' | jq .

Note: I’ve not used a 192.168.X.X CIDR to avoid any potential clash with a home/work client network.

3. Create a Router

SUBNET_ID=<ID FROM PREVIOUS COMMAND>

ROUTER_NAME=<ROUTER NAME OF YOUR CHOOSING>   # e.g. SSLVPNROUTER

AZ=<AZ REFERENCE OF YOUR CHOOSING>   # e.g. uk-1a

curl -s $NETWORK/v2.0/routers -X POST -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" -d '{"router": {"name": "'$ROUTER_NAME'", "tenant_id": "'$TENANT_ID'", "availability_zone": "'$AZ'"}}' | jq .

4. Find External Network ID and associate with the router

ROUTER_ID=<ID FROM PREVIOUS COMMAND>

curl -s $NETWORK/v2.0/networks -X GET -H "X-Auth-Token: $OS_AUTH_TOKEN" | jq .

Use the ID of the external network of choice to create the variable as below:

EXT_NET_ID=<EXTERNAL NETWORK ID>   # e.g. df8d3f21-75f2-412a-8fd9-29de9b4a4fa8

curl -s $NETWORK/v2.0/routers/$ROUTER_ID -X PUT -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" -d '{"router": {"external_gateway_info": { "network_id": "'$EXT_NET_ID'"}}}' | jq .

5. Attaching router to subnet

curl -s $NETWORK/v2.0/routers/$ROUTER_ID/add_router_interface -X PUT -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" -d '{"subnet_id": "'$SUBNET_ID'" }' | jq .

6. Attaching a Floating/Global IP Address to the Router Interface

PORT_ID=<PORT_ID FROM PREVIOUS COMMAND>

curl -s $NETWORK/v2.0/floatingips -X POST -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type:application/json" -d '{"floatingip": {"floating_network_id":"'$EXT_NET_ID'", "port_id":"'$PORT_ID'", "availability_zone": "'$AZ'"}}' | jq .

Note down the assigned Floating IP Address for use later.

 

Creation of SSLVPN Services:

1. Create a VPN Service on the Router

ADMIN_STATE_UP=true

VPN_SERVICE_NAME=<NAME OF YOUR CHOOSING>   # e.g. SSL_VPN_Service1

curl $NETWORK/v2.0/vpn/vpnservices -X POST -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" -d '{"vpnservice":{"subnet_id": "'$SUBNET_ID'", "router_id": "'$ROUTER_ID'", "name": "'$VPN_SERVICE_NAME'", "admin_state_up": "'$ADMIN_STATE_UP'", "availability_zone": "'$AZ'" }}' | jq .

2. Create a SSL VPN Service associated with the newly created VPN Service

VPNSERVICE_ID=<ID FROM PREVIOUS COMMAND>

SSL_NAME=<NAME OF YOUR CHOOSING>   # e.g. SSLCONNECTION

CLIENT_ADDR_POOL=<CIDR RANGE OF YOUR CHOOSING>   # e.g. 10.1.1.0/24

# NOTE: THE ABOVE ADDRESS SHOULD BE UNIQUE WITHIN YOUR ENVIRONMENT TO ENSURE ROUTING CAN TAKE PLACE CORRECTLY.

CREDENTIAL_ID=<CONTAINER REFERENCE ID CREATED EARLIER>

AZ=uk-1a

curl $NETWORK/v2.0/vpn/ssl-vpn-connections -X POST -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" -d '{"ssl_vpn_connection":{"name":"'$SSL_NAME'","client_address_pool_cidr":"'$CLIENT_ADDR_POOL'","credential_id":"'$CREDENTIAL_ID'","admin_state_up": "true","vpnservice_id":"'$VPNSERVICE_ID'","availability_zone":"'$AZ'","protocol":"tcp"}}' | jq .

curl $NETWORK/v2.0/vpn/ssl-vpn-connections -X GET -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json"

If the ssl_vpn_connection status is not shown as ‘ACTIVE’, then something has gone wrong. Try recreating your certificate secrets/container, making sure that there are no cut-and-paste errors and that separate lines are used for each component, as previously explained.
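
The notes in the subnet and SSL VPN connection steps require the K5 subnet and the client address pool to be different ranges, and the remark about 192.168.X.X extends that to the client's own LAN. As an added example, not from the original blog, this POSIX shell check computes the address range of each CIDR and reports every overlapping pair. The function names and the LAN values shown in the comments are constructed for this example.

```sh
#!/bin/sh
# Added example: refuse overlapping CIDRs before creating the subnet and
# the SSL VPN connection. Function names are hypothetical.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    iti_ifs=$IFS; IFS=.
    set -- $1                       # split the dotted quad into $1..$4
    IFS=$iti_ifs
    [ $# -eq 4 ] || return 1
    for iti_octet in "$@"; do
        case $iti_octet in ''|0?*|????*) return 1 ;; esac   # empty, 08, 1234
        [ "$iti_octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_bounds NET/PREFIX -> prints "first last" (integers) of the range
cidr_bounds() {
    case $1 in */*) ;; *) return 1 ;; esac
    cb_bits=${1#*/}
    case $cb_bits in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$cb_bits" -le 32 ] || return 1
    cb_ip=$(ip_to_int "${1%/*}") || return 1
    cb_size=$(( 1 << (32 - $cb_bits) ))
    cb_first=$(( $cb_ip / $cb_size * $cb_size ))    # clear the host bits
    echo "$cb_first $(( $cb_first + $cb_size - 1 ))"
}

# cidrs_overlap A B -> 0 if the ranges share an address, 1 if not, 2 if invalid
cidrs_overlap() {
    co_a=$(cidr_bounds "$1") || return 2
    co_b=$(cidr_bounds "$2") || return 2
    [ "${co_a% *}" -le "${co_b#* }" ] && [ "${co_b% *}" -le "${co_a#* }" ]
}

# check_vpn_cidrs K5_SUBNET CLIENT_POOL [CLIENT_LAN...]
# Prints each conflicting pair; returns 0 if none, 1 if any, 2 on bad input.
check_vpn_cidrs() {
    [ $# -ge 2 ] || return 2
    cv_k5=$1; cv_pool=$2; cv_status=0
    shift 2
    cv_pairs="$cv_k5,$cv_pool"
    for cv_lan in "$@"; do
        cv_pairs="$cv_pairs $cv_k5,$cv_lan $cv_pool,$cv_lan"
    done
    for cv_pair in $cv_pairs; do
        cv_rc=0
        cidrs_overlap "${cv_pair%,*}" "${cv_pair#*,}" || cv_rc=$?
        case $cv_rc in
            0) echo "CONFLICT: ${cv_pair%,*} overlaps ${cv_pair#*,}"; cv_status=1 ;;
            1) ;;
            *) echo "INVALID: $cv_pair" >&2; return 2 ;;
        esac
    done
    return $cv_status
}

# The page's ranges with a constructed client LAN:
#   check_vpn_cidrs 10.10.1.0/24 10.1.1.0/24 192.168.1.0/24   -> no output, status 0
#   check_vpn_cidrs 10.10.1.0/24 10.1.1.0/24 10.1.0.0/16      -> one CONFLICT, status 1
```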

Windows OpenVPN Client Install

1. The latest version (2.4) of the Windows OpenVPN installer can be downloaded from https://openvpn.net/index.php/open-source/downloads.html

2. Double click the downloaded file Openvpn-install-2.x.x-y.exe. In the resulting wizard, remove the OpenVPN Service component, but otherwise accept all other default options

3. If prompted to install an unsigned driver for a ‘TAP-Win32 virtual adapter’, select ‘Continue Anyway’.

4. Click ‘Next’, untick the ‘show readme’ box and click ‘Finish’.

5. The installation installs one TAP Virtual Ethernet Adapter by default. This is enough to allow one single VPN connection.

6. Rename the adapter to “OpenVPNClient”.  This is cosmetic only but helps identification.

Configure Windows OpenVPN Client

1. Copy the 3 client certificates created earlier into  c:\program files\openvpn\config

2. Copy the sample client settings file “C:\Program Files\OpenVPN\sample-config\client.ovpn” into c:\program files\openvpn\config

3. Edit client.ovpn and perform the following:

Find the line starting ‘proto’ and ensure/change this to

e.g. proto tcp

Find the line starting ‘remote’ and add the Global IP address assigned to the router

e.g. remote 62.60.52.222  443

Find the line that starts with ca and insert the CA certificate filename

e.g. ca ca.crt

Find the line that starts with cert and insert the client certificate filename

e.g. cert  client.crt

Find the line that starts with key and insert the key filename

e.g. key client.key

Find the line that starts with comp-lzo and comment it out.

e.g. #comp-lzo

Establishing the VPN Connection from a Windows Client

1. On the client, right click the OpenVPN desktop icon and select ‘Run As Administrator’. If a warning is received that OpenVPN is already running, then close any instances shown in the system tray, ensure the OpenVPN service is stopped and repeat this step.

2. Right click on the OpenVPN GUI system tray icon (a grey screened monitor) and select “Connect”. It will open a status window showing the connection progress, and if everything is working ok then the status window should close and the icon should turn yellow, then green. The client virtual TAP adaptor will then be assigned an IP address within the client SSLVPN subnet.

The next stage is to configure routing from the client to the K5. To aid in the test process it is recommended that any firewall rules/security groups are configured temporarily to allow PING (ICMP) between SSL VPN client subnet and K5 subnet.

If the client is not able to ping the K5 server, perform the following:

1. Open CMD prompt as administrator on the client

2. Type IPCONFIG /ALL and note down details for the TAP interface shown in the example below in red

Ethernet adapter Local Area Connection 2
Connection-specific DNS Suffix:
Description . . . . . . . . . . . : TAP-Win32 Adapter V9
 Physical Address. . . . . . . . . : 00-FF-16-04-1E-42
 DHCP Enabled. . . . . . . . . . . : Yes
 Autoconfiguration Enabled . . . . : Yes
 Link-local IPv6 Address . . . . . : fe80::58b0:89a1:7320:26ac%18(Preferred)
 IPv4 Address. . . . . . . . . . . : 10.9.0.6(Preferred)
 Subnet Mask . . . . . . . . . . . : 255.255.255.252
 Lease Obtained. . . . . . . . . . : 30 September 2011 10:33:20
 Lease Expires . . . . . . . . . . : 29 September 2012 10:33:20
 Default Gateway . . . . . . . . . :
 DHCP Server . . . . . . . . . . . : 10.9.0.5
 DHCPv6 IAID . . . . . . . . . . . : 302055190
 DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-9F-BB-2E-44-87-FC-82-4F-22
 DNS Servers . . . . . . . . . . . : 62.60.19.30
 NetBIOS over Tcpip. . . . . . . . : Enabled

3. Next enter the command ‘route print’ and note the interface number for the TAP adapter

Interface List
 18…00 ff 16 04 1e 42 …...TAP-Win32 Adapter V9
 11…44 87 fc 82 4f 22 ……NVIDIA nForce Networking Controller
 13…00 50 56 c0 00 01 ……VMware Virtual Ethernet Adapter for VMnet1
 15…00 50 56 c0 00 08 ……VMware Virtual Ethernet Adapter for VMnet8
  1………………………Software Loopback Interface 1
 17…00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 12…00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 14…00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 16…00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 19…00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
4. Type the following command, substituting the values as appropriate:

route -P add <K5 subnet> mask 255.255.255.0 <VPN DHCP> if <TAP INTERFACE Number>

e.g. route -P add 10.10.1.0 mask 255.255.255.0 10.1.1.6 if 18

You should now be able to PING a VM on the K5 subnet. You can now configure Security Groups on the VM to allow RDP etc. from the SSL VPN Client IP Address/CIDR.

Establishing the VPN Connection from an Android Device

1. The ‘OpenVPN Connect’ app can be downloaded and installed from the Play Store.

2. Once installed, simply create further client certificates and ovpn file as described above, then copy/email all these files onto your Android device.

3. Open the OpenVPN Connect app, go to the menu and select ‘Import | Import Profile from SD card’ and browse to/select your OVPN file. The SSLVPN link is then automatically connected.

4. You can then install and use other apps like ‘RD Client’ to RDP directly onto a K5 VM……Brilliant!!!!