Skip to content

Network Rules#

Enabling System SSH Access

Key Points

  • SSH access to a VergeOS system is generally not needed because full access is provided from the UI.
  • SSH should only be enabled for specific hardware diagnostics or other special circumstances.
  • Although VergeOS employs many safety protections, opening SSH on any system can introduce vulnerability.

Important SSH Security Procedures

  • Always use source-controlled external rules to strictly limit ssh access to trusted addresses.
  • Enable SSH access on a temporary basis; disable rules again when done with the session.

Steps to Enable SSH access

SSH Access rules are auto-created, and disabled, during system installation.

  1. Enable the core network rule: Navigate to the Core network dashboard, modify the "SSH Access" rule, select the Enabled option and Submit to save the change. ssh-rule-core.png

  2. Add source control to the external network rule: Navigate to the external network dashboard, modify the "SSH Access" rule to configure specific source IP address(es) and/or address range(s) to tightly control access.

  3. Enable the external network rule: select the Enabled option and Submit to save the change.
    Ex. External Network Rule: ssh-rule-external.png

  4. Apply Rules to both networks.

Warning

Danger

  • VergeOS is a specialized kernel, with a read-only overlay. Do not install additional Debian packages or applications as they can conflict with VergeOS operation and cause system malfunction or data loss. Additionally, extraneous programs are wiped at reboot.
  • Check with VergeOS support before making any modifications at the command line. Issues resulting from unsanctioned command-line changes are the sole responsibility of the customer.

Allow Root to Tenant Site Connection

Overview

Important

Adding this rule will allow tenants to connect on the DMZ network. By default, this is disabled for security reasons.

This guide provides instructions on how to connect a root system to a tenant site in VergeOS. The Sites feature is typically used to connect two VergeOS sites together, but to extend this functionality to a tenant site, you’ll need to add a specific rule on the root system's External network.

Prerequisites

  • Access to the Root system with administrative privileges.
  • A basic understanding of network rules and DMZ interfaces in VergeOS.

Steps

  1. Access External Networks - In the Root system, navigate to Networks and then External Networks. - Double-click on the External network.

  2. Add the Rule - In the left menu, click on Rules. - Before adding a new rule, ensure it doesn’t already exist. - Click New in the left menu. - Enter the following details:

    • Name: Enter a descriptive name such as "Allow Tenant to Root".
    • Action: Translate.
    • Protocol: ANY.
    • Direction: Outgoing.
    • Interface: DMZ.
    • Source: Other Network Address (DMZ).
    • Destination: Any/None.
    • Target: My Router IP.

Rule Configuration

  1. Submit and Apply - Click Submit. - In the left menu or at the top, click Apply Rules to activate the new rule.

After the rule is applied, the root system should now be able to connect to the tenant site.

Testing the Rule

To verify that the rule works, follow these steps:

  1. From the Home screen, click System in the left menu.
  2. Click on Nodes in the left menu.
  3. Double-click on Node1 or select Node1 and click View.
  4. In the left menu, click on Diagnostics.
  5. Change the Query to TCP Connection Test.
  6. Set Host to the UI IP/Host of the tenant system.
  7. Set Port to 443.
  8. Click Send.

The Response should say Connection successful. If the connection fails, review the rule to ensure accuracy, particularly ensuring that the Interface is set to DMZ rather than Auto.

Troubleshooting

Common Issues

  • Issue: Connection test fails.
  • Solution: Double-check that the rule is configured correctly, especially the interface settings. Also, ensure there are no blocking rules that could prevent the connection.

Additional Resources

Feedback

Need Help?

If you encounter any issues while setting up the root-to-tenant site connection, or have any questions, feel free to contact our support team.

Document Information

  • Last Updated: 2023-09-12
  • VergeOS Version: 4.12.6

Accessing the Verge.io UI from a VM

Overview

Key Points

  • Access the VergeOS UI from a VM within your environment
  • Utilize hair-pinning network technique
  • Create a specific network rule on the internal network

This article guides you through the process of setting up access to the VergeOS User Interface (UI) from a virtual machine (VM) running inside the VergeOS system. This is accomplished using a networking technique known as hair-pinning, where a packet travels to an interface, goes out towards the Internet, but instead of continuing, it makes a "hairpin turn" and comes back in on the same interface.

Prerequisites

  • A running VergeOS environment
  • A virtual machine (VM) within your VergeOS environment
  • Access to the VergeOS UI
  • Basic understanding of network rules in VergeOS

Steps

  1. Navigate to the Internal Network - Log into your VergeOS environment - Go to the internal network that your target VM is connected to

  2. Create a New Rule - Locate the option to create a new rule - Configure the rule with the following settings:

    Rule: - Name: Use a reference name, such as "Allow UI" - Action: Translate - Protocol: TCP - Direction: Incoming - Interface: Auto - Pin: No

    Source: - Type: Any / None - Source Ports/Ranges: Leave blank

    Destination: - Type: My Network Address - Destination Ports/Ranges: 80, 443

    Target: - Type: Other Network DMZ IP - Target Network: Core - Target Ports/Ranges: Leave blank

  3. Submit the Rule - Click "Submit" to save the rule

  4. Apply the New Rule - Click "Apply Rules" to activate the newly created rule

  5. Access the UI from the VM - Open a web browser within your VM - Navigate to the IP address of the internal network (e.g., if the internal network IP is 192.168.0.1, use this address)

Pro Tip

Always ensure that your VM's network settings are correctly configured to use the internal network where you've set up this rule.

Visual Guide

Here's a visual representation of the rule configuration:

hairpin.png

Troubleshooting

Common Issues

  • Problem: Unable to access the UI after creating the rule
  • Solution:
    1. Verify that the rule is applied correctly
    2. Check if the VM's network interface is on the correct internal network
    3. Ensure no firewall rules are blocking the connection

Additional Resources

Feedback

Need Help?

If you encounter any issues while setting up UI access or have questions about this process, please don't hesitate to contact our support team.

Document Information

  • Last Updated: 2024-08-29
  • VergeOS Version: 4.13.3

How to Configure Routing Between Networks

The following is a simple method to establish a route between two networks in the VergeOS platform.

Create a Network Rule on the First Network to Route Traffic to the Second Network

  1. Navigate to the first network that you would like to route traffic from.
  2. From the network dashboard, click on Rules in the left navigation menu.
  3. In the Rules menu, click on New to create a new network rule.
  4. Configure the rule with the following settings: - Rule:
    • Name: A name indicating this rule is a route to the second network.
    • Action: Route
    • Protocol: Any
    • Direction: Outgoing
    • Source:
    • Type: My Network Address
    • Destination:
    • Type: Other Network Address
    • Network: The name of the second network
    • Target:
    • Type: Other Network DMZ IP
    • Target Network: The name of the second network
  5. After completing this rule, click Submit to save the rule.

Create a Network Rule on the First Network to Allow Traffic from the Second Network

  1. From the same network dashboard, click on Rules in the left navigation menu.
  2. In the Rules menu, click on New to create a new network rule.
  3. Configure the rule with the following settings: - Rule:
    • Name: A name indicating this rule allows traffic from the second network.
    • Action: Accept
    • Protocol: Any
    • Direction: Incoming
    • Source:
    • Type: Other Network Address
    • Network: The name of the second network
    • Destination:
    • Type: My Network Address
  4. After completing this rule, click Submit to save the rule.
  5. Click Apply Rules to enable the rule.

Info

After completing the two rules on the first network, you will need to create identical rules on the second network.

Create a Network Rule on the Second Network to Route Traffic to the First Network

  1. Navigate to the second network that you would like to route traffic from.
  2. From the network dashboard, click on Rules in the left navigation menu.
  3. In the Rules menu, click on New to create a new network rule.
  4. Configure the rule with the following settings: - Rule:
    • Name: A name indicating this rule is a route to the first network.
    • Action: Route
    • Protocol: Any
    • Direction: Outgoing
    • Source:
    • Type: My Network Address
    • Destination:
    • Type: Other Network Address
    • Network: The name of the first network
    • Target:
    • Type: Other Network DMZ IP
    • Target Network: The name of the first network
  5. After completing this rule, click Submit to save the rule.

Create a Network Rule on the Second Network to Allow Traffic from the First Network

  1. From the same network dashboard, click on Rules in the left navigation menu.
  2. In the Rules menu, click on New to create a new network rule.
  3. Configure the rule with the following settings: - Rule:
    • Name: A name indicating this rule allows traffic from the first network.
    • Action: Accept
    • Protocol: Any
    • Direction: Incoming
    • Source:
    • Type: Other Network Address
    • Network: The name of the first network
    • Destination:
    • Type: My Network Address
  4. After completing this rule, click Submit to save the rule.
  5. Click Apply Rules to enable the rule.

Document Information

  • Last Updated: 2024-08-29
  • vergeOS Version: 4.12.6

Accessing the User Interface from an Internal Network

Overview

Key Points

  • Access the vergeOS UI from a VM within your environment
  • Create a route rule on the internal network
  • Simple process involving dashboard navigation and rule creation

This article guides you through the process of setting up access to the vergeOS User Interface (UI) from a virtual machine (VM) within your vergeOS environment. This is accomplished by creating a specific route rule on the network to which your VM is connected, typically an internal network.

Prerequisites

  • A running vergeOS environment
  • A virtual machine (VM) within your vergeOS environment
  • Access to the vergeOS dashboard
  • Basic understanding of network rules in vergeOS

Steps

  1. Navigate to the Network Dashboard - Log into your vergeOS environment - Go to the dashboard of the network that your target VM is connected to

  2. Create a New Rule - Locate the option to create a new rule - Use the settings shown in the image below:

ui-access-rule.png

  1. Submit the Rule - After configuring the rule, submit it - You will be redirected to the list view of rules on the network

  2. Apply the New Rule - Click "Apply Rules" to activate the newly created rule

  3. Access the UI from the VM - Open a web browser within your VM - Navigate to the IP address of the Verge UI (e.g., https://192.168.4.1)

Pro Tip

Always ensure that your VM's network settings are correctly configured to use the internal network where you've set up this rule.

Troubleshooting

Common Issues

  • Problem: Unable to access the UI after creating the rule
  • Solution:
    1. Verify that the rule is applied correctly
    2. Check if the VM's network interface is on the correct network
    3. Ensure no firewall rules are blocking the connection

Additional Resources

Feedback

Need Help?

If you encounter any issues while setting up UI access or have questions about this process, please don't hesitate to contact our support team.

Document Information

  • Last Updated: 2024-08-29
  • vergeOS Version: 4.12.6