Relution Shield (Add-on)
Relution Shield enables secure access to the organisation’s internal intranet from the internet. It combines a Virtual Private Network (VPN), a Public Key Infrastructure (PKI) and Relution UEM/MDM. Further information: Relution Shield.
Prerequisites
- Relution Server
- One target organization on the server with Relution Shield license
Prepare Relution
- Create a new user without a password in the target organisation
- Create a new permission role with the “Relution Shield Access Check” permission
- Assign the role to the user
- Create an API access key for the user
Relution Shield Server
Prerequisites
- Relution Server 5.26+
- Ubuntu 22.04+
- Inbound UDP ports 500 and 4500 (IKE and NAT traversal) reachable from the internet
- Outgoing traffic to all targets which should be protected by Relution Shield
- Recommended: public DNS entry
Required parameters
- Relution Host: host name of the Relution server, e.g. `yourserver.relution.io`
- Relution API key: see previous step
- VPN CIDR: the range from which Relution Shield assigns internal IPs, e.g. `10.1.0.0/16`
- Network interface: name of the network interface Relution Shield should use, e.g. `eth0`
- Relution Shield Host: host name of Relution Shield, e.g. `vpn.yourserver.relution.io`
- DNS Servers: IP addresses of the internal DNS servers, comma-separated, e.g. `10.1.0.1,10.1.0.2`
Installation
Run `apt update`.
Install Docker including docker compose: https://docs.docker.com/engine/install/ubuntu/
Create the install directory and the compliance directory:

```bash
mkdir -p /opt/relution-shield/compliance
```
Create the environment file `/opt/relution-shield/.env` (make sure to replace `<%Relution Host%>` and the access token). It holds the API access key, so restrict read access to root:

```
RELUTION_HOSTNAME=<%Relution Host%>
REST_API_ACCESS_TOKEN=<access token generated above>
```
Configure the Ubuntu firewall `ufw`.

Change the default forward policy in `/etc/default/ufw` to

```
DEFAULT_FORWARD_POLICY="ACCEPT"
```

Allow SSH and the required UDP ports:

```bash
ufw allow ssh
ufw allow 500,4500/udp
```

Adjust `/etc/ufw/before.rules`. Add the following lines at the start of the file, before the required lines containing `*filter` (make sure to replace `<%VPN CIDR%>` and `<%Network interface%>`):

```
# Relution Shield additional rules
*nat
-A POSTROUTING -s <%VPN CIDR%> -o <%Network interface%> -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s <%VPN CIDR%> -o <%Network interface%> -j MASQUERADE
COMMIT

*mangle
-A FORWARD --match policy --pol ipsec --dir in -s <%VPN CIDR%> -o <%Network interface%> -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT

# Don't delete these required lines, otherwise there will be errors
*filter
...
```

In the same file `/etc/ufw/before.rules`, add the following lines after the required lines that follow `*filter` (make sure to replace `<%VPN CIDR%>`):

```
...
# End required lines

# Relution Shield additional rules
-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s <%VPN CIDR%> -j ACCEPT
-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d <%VPN CIDR%> -j ACCEPT
```

Adjust `/etc/ufw/sysctl.conf` and add the following lines at the end:

```
# Relution Shield IPv4 forwarding kernel configuration
net/ipv4/ip_forward=1
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/all/send_redirects=0
net/ipv4/ip_no_pmtu_disc=1
```

Restart the Ubuntu firewall:

```bash
ufw disable && ufw enable
```
Prepare configuration of Relution Shield
Create the configuration file directories:

```bash
mkdir -v -p /opt/relution-shield/etc/ipsec.d/{aacerts,acerts,cacerts,certs,crls,ocspcerts,private}
```

Create the required certificates and keys (make sure to replace `<%Relution Shield Host%>`). Run the following from `/opt/relution-shield`, so that the `pki` directory and the key pair archive end up where the later steps expect them:

```bash
# Create mounted directories
mkdir -v -p pki/{cacerts,certs,private}
docker run -ti --volume "$(pwd)/pki:/opt/pki" relution/relution-shield:latest bash

# Now in docker container
cd /opt

# Create CA private key and certificate
pki --gen --type rsa --size 4096 --outform pem > pki/private/ca-key.pem
pki --self --ca --lifetime 3650 --in pki/private/ca-key.pem \
    --type rsa --dn "CN=ca.<%Relution Shield Host%>" --outform pem > pki/cacerts/ca-cert.pem

# Generate server key and certificate, signed by the CA
pki --gen --type rsa --size 4096 --outform pem > pki/private/server-key.pem
pki --pub --in pki/private/server-key.pem --type rsa \
    | pki --issue --lifetime 1825 \
        --cacert pki/cacerts/ca-cert.pem \
        --cakey pki/private/ca-key.pem \
        --dn "CN=<%Relution Shield Host%>" --san "<%Relution Shield Host%>" \
        --flag serverAuth --flag ikeIntermediate --outform pem \
        > pki/certs/server-cert.pem

# Prepare Key Pair archive, will be needed for Relution later
openssl pkcs12 -export -out "pki/ca.<%Relution Shield Host%>.p12" \
    -inkey pki/private/ca-key.pem -in pki/cacerts/ca-cert.pem

# Exit the docker container
exit
```

Move the certificate files to the appropriate places:

```bash
mv pki/private/ca-key.pem /opt/relution-shield/etc/ipsec.d/private/ca-key.pem
mv pki/cacerts/ca-cert.pem /opt/relution-shield/etc/ipsec.d/cacerts/ca-cert.pem
mv pki/private/server-key.pem /opt/relution-shield/etc/ipsec.d/private/server-key.pem
mv pki/certs/server-cert.pem /opt/relution-shield/etc/ipsec.d/certs/server-cert.pem
```
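Before the server certificate is uploaded to Relution it is worth checking that it carries what IKEv2 clients look for: a DNS SAN equal to the Relution Shield host, the serverAuth EKU and the ikeIntermediate EKU that `pki --issue` sets with `--san` and `--flag`. The following check is an added example, not part of Relution Shield; it assumes `openssl` is installed on the host.

```shell
#!/bin/sh
# Added helper (not part of Relution Shield): verify that a server certificate
# has the attributes IKEv2 clients (iOS, Android strongSwan) expect before it
# is uploaded to Relution:
#   - a DNS Subject Alternative Name equal to the Relution Shield host name
#   - the serverAuth extended key usage
#   - the ikeIntermediate extended key usage (OID 1.3.6.1.5.5.8.2.2), which
#     OpenSSL prints as the bare OID because it has no short name for it
# Usage: check_ikev2_server_cert server-cert.pem vpn.yourserver.relution.io
# Returns 0 when every check passes, 1 otherwise, naming what is missing.
check_ikev2_server_cert() {
  cert=$1
  host=$2
  rc=0
  # A literal newline, used to anchor the SAN match at the end of its line
  nl=$(printf '\nx')
  nl=${nl%x}
  text=$(openssl x509 -in "$cert" -noout -text) || return 1
  # SAN entry must be exactly the host (followed by ',' or end of line),
  # so that "vpn.example" does not pass on a cert for "vpn.example.test"
  case "$text" in
    *"DNS:$host,"*|*"DNS:$host$nl"*) ;;
    *) echo "$cert: missing subjectAltName DNS:$host"; rc=1 ;;
  esac
  case "$text" in
    *"TLS Web Server Authentication"*|*serverAuth*) ;;
    *) echo "$cert: missing extendedKeyUsage serverAuth"; rc=1 ;;
  esac
  case "$text" in
    *"1.3.6.1.5.5.8.2.2"*|*[Ii]ntermediate*) ;;
    *) echo "$cert: missing extendedKeyUsage ikeIntermediate"; rc=1 ;;
  esac
  # Also refuse a certificate that is already past its notAfter date
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "$cert: certificate has expired"; rc=1
  fi
  return $rc
}
```

Run it against `/opt/relution-shield/etc/ipsec.d/certs/server-cert.pem` with the Relution Shield host name as second argument; a non-zero exit means the certificate should be reissued before the policies are rolled out.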
Create the server authentication file `/opt/relution-shield/etc/ipsec.secrets`:

```
: RSA "server-key.pem"
```
Create the configuration file `/opt/relution-shield/etc/strongswan.conf`:

```
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    threads = 64
    processor {
        priority_threads {
            high = 2
            medium = 8
        }
    }
    filelog {
        stdout {
            default = 0
            enc = 0
        }
    }
    plugins {
        include strongswan.d/charon/*.conf
        bypass-lan {
            interfaces_use = lo
        }
    }
}
```
Create the configuration file `/opt/relution-shield/etc/ipsec.conf` (make sure to replace `<%Relution Shield Host%>`, `<%VPN CIDR%>`, `<%Relution Host%>` and `<%DNS Servers%>`):

```
# see <https://wiki.strongswan.org/projects/strongswan/wiki/Ipsecconf>
config setup
    uniqueids=no

# see <https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection>
conn %default
    dpdaction=clear
    # DPD disabled since covered in IKEv2
    dpddelay=0s
    fragmentation=yes
    mobike=yes
    compress=yes

conn <%Relution Shield Host%>-base
    keyexchange=ikev2
    left=%any
    leftauth=pubkey
    leftid=<%Relution Shield Host%>
    leftca=ca-cert.pem
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    rightsourceip=<%VPN CIDR%>
    rightdns=<%DNS Servers%>
    type=tunnel
    auto=add
    forceencaps=yes
    reauth=yes
    rekey=yes
    eap_identity=%identity
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha384-ecp384!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha384-ecp384!

conn <%Relution Shield Host%>-eaptls
    also=<%Relution Shield Host%>-base
    rightauth=eap-tls
    rightid="%*@<%Relution Host%>"
    rightca=ca-cert.pem
    rightsendcert=always

conn <%Relution Shield Host%>-eaptls-windows
    also=<%Relution Shield Host%>-base
    rightauth=eap-tls
    rightid=%any
    rightca=ca-cert.pem
    rightsendcert=always
```
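The `.env` file, `before.rules` and `ipsec.conf` above all use the same `<%...%>` placeholders, and a single one left behind yields a server that silently fails to match clients. The following helpers are an added example, not part of Relution Shield: they fill the placeholders in from environment variables (the variable names are this example's assumption) and refuse any file in which a placeholder survived.

```shell
#!/bin/sh
# Added helpers (not part of Relution Shield): substitute the <%...%>
# placeholders used throughout this guide and verify none remain.
# Usage: RELUTION_HOST=... VPN_CIDR=... render_shield_template < in.tmpl > out
#        check_no_placeholders out /opt/relution-shield/.env
render_shield_template() {
  # '|' is the sed delimiter so the '/' in a CIDR needs no escaping;
  # ${VAR:?} aborts with a message instead of writing an empty value
  sed \
    -e "s|<%Relution Host%>|${RELUTION_HOST:?}|g" \
    -e "s|<%Relution Shield Host%>|${RELUTION_SHIELD_HOST:?}|g" \
    -e "s|<%VPN CIDR%>|${VPN_CIDR:?}|g" \
    -e "s|<%Network interface%>|${NETWORK_INTERFACE:?}|g" \
    -e "s|<%DNS Servers%>|${DNS_SERVERS:?}|g"
}

# check_no_placeholders FILE...: print every remaining <%...%> with file and
# line number and return 1, so a half-edited config never reaches the server.
# An unreadable file also counts as a failure rather than as "clean".
check_no_placeholders() {
  if grep -Hn '<%[^%]*%>' "$@"; then
    return 1          # placeholders listed above
  elif [ $? -eq 1 ]; then
    return 0          # grep found nothing in any file: clean
  else
    return 1          # grep error, e.g. a file could not be read
  fi
}
```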
Install Relution Shield via docker
Create `/opt/relution-shield/compose.yml`:

```yaml
services:
  relution-shield:
    image: relution/relution-shield:latest
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - SYS_MODULE
    network_mode: host
    ports:
      - "500:500/udp"
      - "4500:4500/udp"
    environment:
      RELUTION_HOSTNAME: ${RELUTION_HOSTNAME}
      REST_API_ACCESS_TOKEN: ${REST_API_ACCESS_TOKEN}
    volumes:
      - '/dev/net/tun:/dev/net/tun'
      - './etc/ipsec.conf:/etc/ipsec.conf:ro'
      - './etc/ipsec.d:/etc/ipsec.d:ro'
      - './etc/ipsec.secrets:/etc/ipsec.secrets:ro'
      - './etc/strongswan.conf:/etc/strongswan.conf:ro'
      - '/lib/modules:/lib/modules:ro'
      - './compliance:/opt/strongswan/compliance'
```
Start Relution Shield from `/opt/relution-shield` via

```bash
docker compose up -d
```
To restart Relution Shield automatically after the network daemon restarts (e.g. after auto-updates), create `/etc/systemd/system/relution-shield-networkd-post-restarter.service`:

```
[Unit]
Requires=systemd-networkd.service
After=systemd-networkd.service network-online.target

[Service]
Type=oneshot
ExecStart=docker compose -f /opt/relution-shield/compose.yml restart
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
```

Start the service via

```bash
systemctl enable relution-shield-networkd-post-restarter --now
```
Configure Relution
Certificate Setup
- Import the certificates into the target organisation
  - Navigate to “Settings” > “Certificates”
  - Upload the certificate at `/opt/relution-shield/etc/ipsec.d/cacerts/ca-cert.pem` and give it a name like ‘<%Relution Shield Host%> CA Certificate’
  - Upload the certificate at `/opt/relution-shield/etc/ipsec.d/certs/server-cert.pem` and give it a name like ‘<%Relution Shield Host%> Server Certificate’
  - Upload the PKCS12 archive at `/opt/relution-shield/pki/ca.<%Relution Shield Host%>.p12` and give it a name like ‘<%Relution Shield Host%> CA Key Pair’
- Create certificate authority and certificate template
  - Navigate to “Settings” > “Certificate Authorities”
  - Add a new certificate authority with type “Built-in” and select the ‘<%Relution Shield Host%> CA Key Pair’ certificate uploaded before
  - Navigate to “Settings” > “Certificate Templates”
  - Add a new certificate template
  - Select the certificate authority created before
  - Set “Subject Name” to `CN=${device.uuid}@<%Relution Host%>` (note the `CN=` at the beginning)
  - Enable “Signature” and “Encryption”
  - Add a “Subject Alternative Name” of type “Email” with `${device.uuid}@<%Relution Host%>` (no `CN=` at the beginning)
  - Enable “automatic renewal” and set appropriate values, e.g. 60 days and 180 days
Sample iOS configuration
- Create a new iOS policy or extend an existing one
- Add a VPN configuration
- Select type “IKEv2”
- Enable “Per App and Account VPN” (see also Relution Hub Docs)
- Set “Server” and “Remote identifier” to the value of `<%Relution Shield Host%>`
- Set “Local identifier” to `${device.uuid}@<%Relution Host%>`
- Set “Machine authentication” to “Certificate” and select the certificate template created before
- Activate “Enable extended authentication (EAP)”
- Set both IKE SA params and Child SA params to “AES-256”, “SHA-256”, “DH group 16: 4096-bit group”, “1440” minutes
- Optional: Add a test domain to “Safari Domains” below to automatically activate the VPN when the domain is accessed via Safari
- Add a “Certificate” configuration to the policy and select the “<%Relution Shield Host%> CA Certificate” uploaded before
- Optionally add an “App to VPN Mapping” configuration, select the VPN configuration created before, and add another browser app like Firefox or Chrome to test VPN access. It is recommended to also add an app compliance configuration that marks this app as required, to ensure it is installed
- Publish the policy and assign it to a device. The VPN can now be connected manually via “Settings” > “General” > “VPN & Device Management” > “VPN”. Relution Shield will also connect automatically when one of the Safari domains configured above is accessed in Safari or when the mapped browser app is opened
- Adjust the configuration to include the accounts, apps and domains which should only be accessed via Relution Shield
Sample Android Enterprise configuration
- Create a new Android Enterprise policy or extend an existing one
- Add a “StrongSwan VPN Profile” configuration
- Select “IKEv2 EAP-TLS” as “VPN Type”
- Set “Server” and “Server identity” to the value of `<%Relution Shield Host%>`
- Set “User Certificate” to the certificate template generated before
- Set “CA certificate” to the “<%Relution Shield Host%> CA Certificate” uploaded before
- Set “Client identity” to `${device.uuid}@<%Relution Host%>`
- Set “Only these Apps will use the VPN” to a browser like Firefox
- Add a “StrongSwan VPN Restrictions” configuration and select the VPN profile created before as the default profile
- Publish the policy and assign it to a device. The VPN can now be connected manually via the strongSwan app. Relution Shield will also connect automatically when the browser app configured before is opened
- Adjust the configuration to include the apps which should only be accessed via Relution Shield