Author Topic: Tunnel mode and HTTPS  (Read 6316 times)

krisdebeule

Tunnel mode and HTTPS
« on: September 27, 2017, 01:11:42 PM »
Hi All,

I am trying out a proof-of-concept for our connection to Office 365.
As a little background: we are based in Europe, but our (email) data is located in a datacenter in the US.
This means that when we access data, we have anywhere from 90 to 110 ms latency.

My idea is to set up a WanOS in tunnel mode in Europe, and one in tunnel mode hosted on Azure in the same datacenter, and "tunnel" everything that is Office 365 related through WanOS.

I have a WanOS VM on ESXi 5.5 set up and working, and another one hosted in Azure.
Both are connected through a tunnel (I can see that in WanOS), and I can access the Azure WanOS https config page through the tunnel.
But I cannot get any https connection to work through the tunnel.
Firefox says "Performing a TLS handshake to ...", IE says nothing but blanks out and Chrome says "Establishing secure connection" followed by "This site can’t be reached, took too long to respond..."
I'm a newbie in WanOS (else I wouldn't have placed this question :-) )
Anybody who can help me?

thx in advance,
Kris
« Last Edit: September 27, 2017, 01:47:04 PM by krisdebeule »

ahenning

  • Team Wanos
  • Administrator
Re: Tunnel mode and HTTPS
« Reply #1 on: September 27, 2017, 01:49:38 PM »
Hi Kris,

Some questions to help troubleshoot:

Are both sides running v4? If on v3, HTTPS is bypassed from the tunnel; only optimized traffic is tunneled.

Is standard HTTP working fine over the tunnel?

Does the issue exist only when the webcache is enabled and the HTTPS server IP is configured in the SSL servers list?

CCIE RS, CCIE SP, Mnet&sys

Note: Forum posts may be outdated. Please see the latest documentation at wanos.co/docs

krisdebeule

Re: Tunnel mode and HTTPS
« Reply #2 on: September 28, 2017, 10:07:32 AM »
Hi Antonie,

Both sides are running v4.
There is a tunnel set up from EU to Azure, but NOT from Azure to EU.
Both sides have identical traffic policies (see attached picture).
The EU side has a 0.0.0.0/0 mask in the tunnel policy.
Webcache and TCP Accelerator are enabled on both sides, and in the webcache settings the "SSL Servers" list has 1 entry: "0.0.0.0/0".
HTTP works, but sometimes with a big delay (I suspect it's waiting for an HTTPS link somewhere on the webpage).
Are these settings correct?

Thank you,
Kris

ahenning

Re: Tunnel mode and HTTPS
« Reply #3 on: September 28, 2017, 10:53:54 AM »
Hi Kris,

A couple of things that stand out:
The Azure side needs a tunnel rule for the return traffic back to EU pointing to the EU local subnets.
Webcache only needs to be enabled on the EU side.
Disable Webcache completely until the whole setup works perfectly.
0.0.0.0/0 for SSL caching is definitely going to break some SSL sites.


krisdebeule

Re: Tunnel mode and HTTPS
« Reply #4 on: October 03, 2017, 08:29:14 AM »
Hi Antonie,

I managed to get the EU WanOS and the Azure WanOS to connect through a two-way tunnel. I can access HTTPS and even RDP on the local Azure subnet through the tunnel, so that's good!
Webcache/optimization are all disabled right now.
The EU side tunnels 0.0.0.0/0 to the Azure side, the Azure WanOS tunnels all traffic to the local EU subnet back.
What does not work is when I try to access a resource (http/https) that is NOT in the local Azure subnet.
If I set 0.0.0.0/0 as the tunnel mask on the Azure side, packets bounce back and forth between Azure and EU (that's logical). If I limit the Azure tunnel to only the EU subnet, communication between the EU and Azure subnets works A-OK, but nothing outside the Azure subnet is reachable.
I am attempting to tunnel all Internet traffic from EU to an Azure WanOS and break out to the Internet from there.
Is this possible with WanOS?

Thx in advance,
Kris

ahenning

Re: Tunnel mode and HTTPS
« Reply #5 on: October 03, 2017, 10:11:48 AM »
Hi Kris,

Yes, this is a known and expected behavior:
The local subnets are tunneled to the AWS/Azure private network, so private communication works as expected.
When all traffic is sent out of the AWS/Azure side the security rules don't allow the EU private networks to use the gateway (or NAT at least).
It makes sense from the provider perspective that they don't want any remote IP to exit the VPC/Private subnets.

The quick and simple way around it is to enable TCP-X and set:
PEP_TCP_FULL_TRANSPARENT=false

Also, the DNS servers need to be reachable locally or on the Azure/AWS VPC.

The right way is probably to use a NAT Gateway and configure it to allow the EU private subnets to be NATted out the public IP.
« Last Edit: October 03, 2017, 04:25:54 PM by ahenning »


krisdebeule

Re: Tunnel mode and HTTPS
« Reply #6 on: October 03, 2017, 11:31:57 AM »
Hi Antonie,

Thx! I will try soon, but in the meantime I deleted my Azure VM and re-uploaded it again.
But the MAC address has changed, so my previous key no longer works.
I reapplied for a new trial key already..

Kris

krisdebeule

Re: Tunnel mode and HTTPS
« Reply #7 on: October 04, 2017, 09:11:15 AM »
Hi Antonie,

Works like a charm :-)
I just have one more question: for us (EU) it's not interesting to go through the tunnel to Azure and then head back from Azure US to Europe to visit a European website.
So I thought we could limit the tunnel from EU to Azure to specific IP addresses only.
I have a (dynamic) list of IP addresses in CIDR notation for O365, but it's > 200 lines and I think that the tunnel configuration is limited to 99 entries. Is there a way to get over 99 entries (tunnel_policies file) ?
For now I'm using a custom built batch file with over 200 "route add" commands, but this does not give us the benefit of the WanOS acceleration for EU websites.
And, almost forgot, I don't think you need to do anything with the traffic policies (v4 automatically optimizes everything)?

Thx,
Kris

ahenning

Re: Tunnel mode and HTTPS
« Reply #8 on: October 04, 2017, 10:03:30 AM »
Hi Kris,

Yes, no traffic policies are needed, since the default 0.0.0.0 would listen to all traffic over the tunnel and would optimize the TCP traffic that flows both ways over the tunnel.

On the 100 tunnel rules, yes, this limit can easily be increased.
One way is to edit the tunnel_policies rules directly:

1000=0.0.0.0/0,-,Default
111=11.0.0.0/8,1,Lab-3-24,10.10.3.24,
112=10.0.0.0/8,1,Lab-3-24,10.10.3.24,


That said, the result of this would be the same as setting a default rule to use Azure (Tunnel 0.0.0.0/0) and using the batch script to add the routes on the host or using Policy based routing to redirect only the interesting routes to the tunnel.

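The following is an added example, not code from the original posts or from Wanos, that ties together several points raised in the thread: Reply #3's requirement that the Azure side carry a return rule for the EU subnets, the ping-pong described in Reply #4 when both ends tunnel 0.0.0.0/0, and the rule-count limit and host-side "route add" batch discussed in Reply #7 and Reply #8. It builds tunnel_policies lines from a CIDR list, parses them back, and checks a pair of policy sets for loops and a missing return path before anything is loaded on an appliance. Everything beyond the prefix and name fields is an assumption drawn from the two sample lines in Reply #8: that flag "1" means "send via the tunnel to the peer IP" and "-" means "not tunneled", and that the longest prefix wins with ties going to the lowest rule ID. The sample CIDRs are constructed documentation ranges (not real O365 prefixes), the policy sets for the EU and Azure sides are constructed, and all function names are hypothetical. Check wanos.co/docs for the real rule semantics before relying on the precedence model.

```python
"""Sanity-check Wanos-style tunnel_policies rules before loading them.

Assumed line layout, taken from the sample lines in Reply #8:
    ID=prefix,flag,name,peer_ip,
Flag '1' is assumed to mean "send via tunnel to peer_ip" and '-' "not tunneled".
Rule precedence (longest prefix, then lowest ID) is also an assumption.
"""
import ipaddress

# Constructed sample CIDR list (documentation ranges, not real O365 prefixes).
SAMPLE_CIDRS = [
    "203.0.113.0/25", "203.0.113.128/25",   # adjacent halves -> one /24
    "198.51.100.0/24", "198.51.100.64/26",  # the /26 lies inside the /24 -> dropped
    "192.0.2.0/24",
]


def collapse_cidrs(cidrs):
    """Merge adjacent and overlapping prefixes: fewer rules, same coverage."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return sorted(ipaddress.collapse_addresses(nets))


def format_policy(rule_id, net, tunnel_flag, name, peer_ip=None):
    """Render one rule in the assumed ID=prefix,flag,name,peer_ip, layout."""
    tail = f",{peer_ip}," if peer_ip else ""
    return f"{rule_id}={net},{tunnel_flag},{name}{tail}"


def build_policies(cidrs, name, peer_ip, first_id=101, default_id=1000):
    """Default rule first, then one tunnel rule per collapsed prefix."""
    lines = [format_policy(default_id, "0.0.0.0/0", "-", "Default")]
    for offset, net in enumerate(collapse_cidrs(cidrs)):
        lines.append(format_policy(first_id + offset, net, "1", name, peer_ip))
    return lines


def parse_policy(line):
    """Inverse of format_policy; the default rule has no peer field."""
    rule_id, _, rest = line.strip().partition("=")
    fields = rest.split(",")
    return {
        "id": int(rule_id),
        "net": ipaddress.ip_network(fields[0], strict=False),
        "tunneled": fields[1] == "1",
        "name": fields[2],
        "peer": fields[3] if len(fields) > 3 and fields[3] else None,
    }


def lookup(lines, dst_ip):
    """Winning rule for dst_ip if it tunnels, else None (assumed precedence)."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [r for r in map(parse_policy, lines) if ip in r["net"]]
    if not matches:
        return None
    best = min(matches, key=lambda r: (-r["net"].prefixlen, r["id"]))
    return best if best["tunneled"] else None


def bounces(side_a, side_b, dst_ip):
    """True when both peers tunnel dst_ip to each other: the ping-pong Reply #4
    describes when both ends carry a 0.0.0.0/0 tunnel rule."""
    return lookup(side_a, dst_ip) is not None and lookup(side_b, dst_ip) is not None


def has_return_path(remote_side, local_subnet):
    """Does the far end tunnel our subnet back to us? (the rule Reply #3 asks for)"""
    probe = next(ipaddress.ip_network(local_subnet).hosts())
    return lookup(remote_side, str(probe)) is not None


def exceeds_rule_limit(lines, limit=100):
    """Count tunnel rules (default excluded) against the UI limit from Reply #8."""
    return sum(1 for r in map(parse_policy, lines) if r["tunneled"]) > limit


def route_add_commands(cidrs, gateway):
    """Host-side alternative from Reply #7: persistent Windows routes."""
    return [f"route -p add {n.network_address} mask {n.netmask} {gateway}"
            for n in collapse_cidrs(cidrs)]


# Constructed policy sets mirroring the two Azure-side configurations in Reply #4.
EU_SIDE = ["1000=0.0.0.0/0,-,Default", "100=10.20.0.0/16,-,EU-local",
           "101=0.0.0.0/0,1,Azure,10.10.3.24,"]
AZURE_ALL = ["1000=0.0.0.0/0,-,Default", "100=10.10.0.0/16,-,Azure-local",
             "101=0.0.0.0/0,1,EU,10.20.3.24,"]
AZURE_EU_ONLY = ["1000=0.0.0.0/0,-,Default", "100=10.10.0.0/16,-,Azure-local",
                 "101=10.20.0.0/16,1,EU,10.20.3.24,"]

if __name__ == "__main__":
    print("\n".join(build_policies(SAMPLE_CIDRS, "Azure", "10.10.3.24")))
    print("loop with 0.0.0.0/0 on both ends:", bounces(EU_SIDE, AZURE_ALL, "40.1.2.3"))
    print("loop with EU-only return rule:", bounces(EU_SIDE, AZURE_EU_ONLY, "40.1.2.3"))
```

The collapse step is what keeps a several-hundred-line feed from hitting the rule limit without falling back to a 0.0.0.0/0 rule on the Azure side, and the bounce and return-path checks catch the two misconfigurations from the thread before traffic is blackholed. Run it with a real feed once the field semantics are confirmed against the Wanos documentation.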