Relution Shield (Add-on)

Relution Shield enables secure access to the organisation’s internal intranet from the internet and combines Virtual Private Network (VPN), Private Key Infrastructure (PKI) and UEM - MDM. Further information: Relution Shield.

Upgrading from Relution Shield 1.x? See Update from 1.x to 2.x._

Prerequisites

Relution Server

  1. Relution Server
  2. One target organization on the server with Relution Shield license

Relution Shield Server

  • Relution Server 5.26+
  • Ubuntu 22.04+
  • UDP ports 500 and 4500
  • Outgoing traffic to all targets which should be protected by Relution Shield
  • The Relution Shield server MUST be available from the internet
  • Recommended: public DNS entry

Prepare Relution

Set up a technical user and create an API access key

  1. Create a new permission role with the “Relution Shield Access Check” permission

  2. Create a new non-password user in the target organisation

  3. Assign the role to the user

  4. Create an API access key for the user

    Configuring the technical user in the Global organisation allows the Relution Shield Server to check access for all organisations of the Relution Server (Requires Relution Shield 2.0 or higher).

Relution Shield Server

Required parameters

  1. Relution Host: Host name of the Relution server, e.g. yourserver.relution.io
  2. Relution API key: See previous step (user creation)
  3. VPN CIDR: The desired range for Relution Shield to assign internal IPs from, e.g. 10.1.0.0/16
  4. Network interface: Name of the network interface to use for Relution Shield, e.g. eth0
  5. Relution Shield Host: Host name of Relution Shield, e.g. vpn.yourserver.relution.io
  6. DNS Servers: IP addresses of the internal DNS servers, e.g. 10.1.0.1,10.1.0.2

Installation

The installation of Relution Shield is demanding and requires attention and time. Also pay attention to variables that need to be set. Check the commands and configurations before you save them.

  1. Run sudo apt update && upgrade

  2. Install Docker including docker compose: https://docs.docker.com/engine/install/ubuntu/ (Do not install via snap)

  3. Create install directory and compliance directory

    mkdir -p /opt/relution-shield/compliance
    
  4. Create environment file /opt/relution-shield/.env (make sure to replace <%Relution Host%>)

    touch /opt/relution-shield/.env
    vi /opt/relution-shield/.env
    
    RELUTION_HOSTNAME=<%Relution Host%>
    RELUTION_REST_API_ACCESS_TOKEN=<access token generated above>
    

    If the API access token belongs to Global organisation, enable access check for all organisations of the Relution Server (Requires Relution Shield 2.0 or higher):

       RELUTION_ACCESS_CHECK_SCOPE=global
    
  5. Configure Ubuntu firewall ufw

    1. Change default forward policy in /etc/default/ufw to DEFAULT_FORWARD_POLICY="ACCEPT"

      vi /etc/default/ufw
      
    2. Allow SSH and required UDP ports

      ufw allow ssh
      ufw allow 500,4500/udp
      
    3. Adjust /etc/ufw/before.rules. Add the following lines at the start of the file, before the required lines containing *filter (make sure to replace <%VPN CIDR%> and <%Network interface%> - each value 3 times):

      vi /etc/ufw/before.rules
      
      # Relution Shield additional rules
      *nat
      -A POSTROUTING -s <%VPN CIDR%> -o <%Network interface%> -m policy --pol ipsec --dir out -j ACCEPT
      -A POSTROUTING -s <%VPN CIDR%> -o <%Network interface%> -j MASQUERADE
      COMMIT
      
      *mangle
      -A FORWARD --match policy --pol ipsec --dir in -s <%VPN CIDR%> -o <%Network interface%> -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
      COMMIT
      
      # Don't delete these required lines, otherwise there will be errors
      *filter
      ...
      
    4. Adjust /etc/ufw/before.rules. Add the following lines at the start of the file, after the required lines containing *filter (make sure to replace <%VPN CIDR%>):

      ...
      # End required lines
      
      # Relution Shield additional rules
      -A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s <%VPN CIDR%> -j ACCEPT
      -A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d <%VPN CIDR%> -j ACCEPT
      
    5. Adjust /etc/ufw/sysctl.conf, add the following lines at the end:

      vi /etc/ufw/sysctl.conf
      
      # Relution Shield IPv4 forwarding kernel configuration
      net/ipv4/ip_forward=1
      net/ipv4/conf/all/accept_redirects=0
      net/ipv4/conf/all/send_redirects=0
      net/ipv4/ip_no_pmtu_disc=1
      
    6. Restart Ubuntu Firewall

      ufw disable && ufw enable
      
  6. Prepare configuration of Relution Shield

    1. Create required certificates and keys (make sure to replace <%Relution Shield Host%>)

      # Create mounted directories
      mkdir -v -p pki/{cacerts,certs,private}
      docker run -ti --volume "$(pwd)/pki:/opt/pki" relution/relution-shield:latest bash
      
      # Now in docker container
      cd /opt
      
      # Create CA private key
      pki --gen --type rsa --size 4096 --outform pem > pki/private/ca-key.pem
      

      A line is displayed in the terminal (plugin ‘tpm’: failed to load…), which indicates a missing TPM plugin. This message can be ignored. This is not an error.

      # Create certificate
      pki --self --ca --lifetime 3650 --in pki/private/ca-key.pem \
          --type rsa --dn "CN=ca.<%Relution Shield Host%>" --outform pem > pki/cacerts/ca-cert.pem
      
      # Generate server key, signed by the CA
      pki --gen --type rsa --size 4096 --outform pem > pki/private/server-key.pem
      
      # Generate certificate, signed by the CA
      pki --pub --in pki/private/server-key.pem --type rsa \
          | pki --issue --lifetime 1825 \
              --cacert pki/cacerts/ca-cert.pem \
              --cakey pki/private/ca-key.pem \
              --dn "CN=<%Relution Shield Host%>" --san "<%Relution Shield Host%>" \
              --flag serverAuth --flag ikeIntermediate --outform pem \
          >  pki/certs/server-cert.pem
      
      # Prepare Key Pair archive, will be needed for Relution later
      openssl pkcs12 -export -out "pki/ca.<%Relution Shield Host%>.p12" -inkey pki/private/ca-key.pem -in pki/cacerts/ca-cert.pem
      
      # Exit the docker container
      exit
      

      The Certification Authority (CA) private key needs to be stored securely, as its theft would compromise the VPN Public Key Infrastructure (PKI).

    2. Move the certificate files to the appropriate places

      mkdir -v -p /opt/relution-shield/etc/swanctl/{x509,x509ca,private}
      mv pki/cacerts/ca-cert.pem /opt/relution-shield/etc/swanctl/x509ca/ca-cert.pem
      mv pki/private/server-key.pem /opt/relution-shield/etc/swanctl/private/server-key.pem
      mv pki/certs/server-cert.pem /opt/relution-shield/etc/swanctl/x509/server-cert.pem
      
    3. Create configuration file /opt/relution-shield/etc/strongswan.conf

      # strongswan.conf - strongSwan configuration file
      #
      # Refer to the strongswan.conf(5) manpage for details
      #
      # Configuration changes should be made in the included files
      
      charon {
          load_modular = yes
      
          threads = 64
      
          start-scripts {
              creds = swanctl --load-creds
              conns = swanctl --load-conns
              pools = swanctl --load-pools
          }
      
          processor {
              priority_threads {
                high = 2
                medium = 8
              }
          }
      
          filelog {
              stdout {
                  default = 0
                  enc = 0
              }
          }
      
          plugins {
              include strongswan.d/charon/*.conf
      
              bypass-lan {
                  interfaces_use = lo
              }
          }
      }
      
    4. Create configuration file /opt/relution-shield/etc/swanctl/swanctl.conf (make sure to replace <%Relution Shield Host%>, <%VPN CIDR%>, <%Relution Host%> and <%DNS Servers%>)

      relution-shield-default {
          version = 2
          dpd_delay = 0s
          send_cert = always
          encap = yes
          # Listen on all interfaces for incoming connections
          local_addrs = 0.0.0.0
          proposals = chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha256-ecp384,aes256-sha256-ecp256
          pools = relution-shield
          children {
              child {
                  start_action = none
                  esp_proposals = chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha256-ecp384,aes256-sha256-ecp256
                  # Server can route all traffic, including internet-bound
                  local_ts = 0.0.0.0/0
                  # Accept client's dynamically assigned IP
                  remote_ts = dynamic
                  # Ensures reconnection when the client is reachable again
                  dpd_action = restart
                  updown = /usr/libexec/ipsec/_updown iptables
              }
          }
          local {
              auth = pubkey
              certs = server-cert.pem
              id = <%Relution Shield Host%>
          }
          remote {
              auth = eap-tls
              eap_id = %any
              id = "*@<%Relution Host%>"
              cacerts = ca-cert.pem
          }
      }
      
      connections {
          relution-shield-eaptls : relution-shield-default {
              remote {
                  id = "*@<%Relution Host%>"
              }
          }
          relution-shield-eaptls-windows : relution-shield-default {
              remote {
                  id = "%any"
              }
          }
      }
      
      pools {
         relution-shield {
              addrs = <%VPN CIDR%>
              dns = <%DNS Servers%>
          }
      }
      
      secrets {
          private {
              file = "server-key.pem"
          }
      }
      
  7. Install Relution Shield via docker

    1. Create /opt/relution-shield/compose.yml

      services:
        relution-shield:
          image: relution/relution-shield:2-latest
          restart: unless-stopped
          privileged: true
          cap_add:
            - NET_ADMIN
            - NET_RAW
            - SYS_MODULE
          network_mode: host
          ports:
            - "500:500/udp"
            - "4500:4500/udp"
          environment:
            RELUTION_HOSTNAME: ${RELUTION_HOSTNAME}
            RELUTION_REST_API_ACCESS_TOKEN: ${RELUTION_REST_API_ACCESS_TOKEN}
          volumes:
            - './etc/swanctl:/etc/swanctl:ro'
            - './etc/strongswan.conf:/etc/strongswan.conf:ro'
            - './compliance:/opt/strongswan/compliance'
      

      If Relution Shield 1.x is used, RELUTION_REST_API_ACCESS_TOKEN needs to be replaced by REST_API_ACCESS_TOKEN.

    2. Start Relution Shield in /opt/relution-shield via docker compose up -d

    3. Automatically restart Relution Shield after network daemon restart (e.g. after auto-updates), create /etc/systemd/system/relution-shield-networkd-post-restarter.service

      [Unit]
      Requires=systemd-networkd.service
      After=systemd-networkd.service network-online.target
      
      [Service]
      Type=oneshot
      ExecStart=docker compose -f /opt/relution-shield/compose.yml restart
      RemainAfterExit=yes
      
      [Install]
      WantedBy=multi-user.target
      
    4. Start the service via systemctl enable relution-shield-networkd-post-restarter --now

Configure Relution

Certificate Setup

  1. Import the certificates into the target organsiation
    1. Navigate to “Settings” > “Certificates”
    2. Upload the certificate at /opt/relution-shield/etc/swanctl/x509ca/ca-cert.pem and give it a name like ‘<%Relution Shield Host%> CA Certificate’
    3. Upload the certificate at /opt/relution-shield/etc/swanctl/x509/server-cert.pem and give it a name like ‘<%Relution Shield Host%> Server Certificate’
    4. Upload the PKCS12 archive at /opt/relution-shield/pki/ca.<%Relution Shield Host%>.p12 and give it a name like ‘<%Relution Shield Host%> CA Key Pair’
    5. Backup the contents of /opt/relution-shield/pki/ securely, and remove the folder
  2. Create certificate authority and certificate template
    1. Navigate to “Settings” > “Certificate Authorities”
    2. Add a new certificate authority with type “Built-in” and select the ‘<%Relution Shield Host%> CA Key Pair’ certificate uploaded before
    3. Navigate to “Settings” > “Certificate Templates”
    4. Add a new certificate template
      1. Select the certificate authority created before
      2. Set “Subject Name” to CN=${device.uuid}@<%Relution Host%> (Note the CN= at the beginning)
      3. Enable “Signature” and “Key encryption”
      4. Add a “Subect Alternative Name” of type “Email” with ${device.uuid}@<%Relution Host%> (No CN= at the beginning)
      5. Enable “automatic renewal” and set appropriate values, e.g. 60 days and 180 days

Sample iOS configuration

  1. Create a new iOS policy or extend an existing one
  2. Add a VPN configuration
    1. Select type “IKEv2”
    2. Enable “Per App and Account VPN” (see also Relution Hub Docs)
    3. Set “Server” and “Remote identifier” to the value of <%Relution Shield Host%>
    4. Set “Local identifier” to ${device.uuid}@<%Relution Host%>
    5. Set “Machine authentication” to “Certificate” and select the certificate template created before
    6. Acvivate “Enable extended authentication (EAP)”
    7. Set both IKE SA params and Child SA params to “AES-256”, “SHA-256”, “DH group 16: 4096-bit group”, “1440” minutes
    8. Optional: Add a test domain to “Safari Domains” below to automatically activate the VPN when the domain is accessed via Safari
  3. Add a “Certificate” configuration to the policy and select the “<%Relution Shield Host%> CA Certificate” uploaded before
  4. Optionally add a “App to VPN Mapping” configuration and select the VPN configuration created before and another browser app like Firefox or Chrome to test VPN access. It is recommended to also add an app compliance with this app as required to ensure it is installed
  5. Publish the policy, and assign it to a device. The VPN can now be manually connected via “Settings” > “General” > “VPN & Device Management” > “VPN”. Relution Shield will also automatically be connected when accessing the Safari domains configured above in Safari or opening the browser app
  6. Adjust the configuration according to include the accounts, apps and domains which should only be accessed via Relution Shield

Sample Android Enterprise configuration

  1. Crate a new Android Enterprise policy or extend an existing one
  2. Add a “StrongSwan VPN Profile” configuration
    1. Select “IKEv2 EAP-TLS” as “VPN Type”
    2. Set “Server” and “Server identity” to the value of <%Relution Shield Host%>
    3. Set “User Certificate” to the certificate template generated before
    4. Set “CA certificate” to the “<%Relution Shield Host%> CA Certificate” uploaded before
    5. Set “Client identity” to ${device.uuid}@<%Relution Host%>
    6. Set “Only these Apps will use the VPN” to a browser like Firefox
  3. Add a “StrongSwan VPN Restrictions” configuration and select the VPN profile created before as the default profile
  4. Publish the policy, and assign it to a device. The VPN can now be manually connected via the StrongSwan app. Relution Shield will also automatically be connected when opening the browser app configured before
  5. Adjust the configuration according to include the apps which should only be accessed via Relution Shield

Major Upgrades

Upgrade from 1.x to 2.x

Securely store the CA private key /opt/relution-shield/etc/ipsec.d/private/ca-key.pem outside the Relution Shield server if not already done

  1. Stop Relution Shield in /opt/relution-shield via docker compose down

  2. Create/adjust the following files as described in the installation instructions above

    1. Create new config folders

      mkdir -v -p /opt/relution-shield/etc/swanctl/{x509,x509ca,private}
      
    2. Create etc/swanctl/swanctl.conf

    3. Replace contents of /opt/relution-shield/compose.yml

    4. Update /opt/relution-shield/.env

    5. Update /opt/relution-shield/etc/strongswan.conf

  3. Move the following files

    Previous pathTarget path
    /opt/relution-shield/etc/ipsec.d/cacerts/ca-cert.pem/opt/relution-shield/etc/swanctl/x509ca/ca-cert.pem
    /opt/relution-shield/etc/ipsec.d/certs/server-cert.pem/opt/relution-shield/etc/swanctl/x509/server-cert.pem
    /opt/relution-shield/etc/ipsec.d/private/server-key.pem/opt/relution-shield/etc/swanctl/private/server-key.pem
  4. Remove the /opt/relution-shield/etc/ipsec.d directory

  5. Remove /opt/relution-shield/etc/ipsec.conf

  6. Remove /opt/relution-shield/etc/ipsec.secrets

  7. Start Relution Shield in /opt/relution-shield via docker compose up -d