In this article we will automate a deployment of F5 VPN using Application Services Extension 3 (AS3) and use HashiCorp Vault to secure communication to the VPN service using mutual TLS (mTLS).
You are working at home and want to connect the development environment on your laptop to an external resource in a public cloud that resides on a private network (for example, connecting your app to a DB running in the cloud). You could use SSH to set up a quick tunnel, but you're not a fan of a persistent, re-usable key. IPsec is another option, but IKE (Internet Key Exchange) makes you nauseous thinking about all the options. Instead you would like an automated deployment that creates a VPN tunnel using private certificates that are rotated regularly, with a simple VPN client that runs on Mac/Windows/Linux/ARM.
We’ll make use of BIG-IP APM to provide the VPN service. To automate the deployment, we’ll use AS3 to configure the VPN service with the appropriate certificates. To ensure proper certificate rotation we will use HashiCorp Vault as a private PKI provider of short-lived certificates and Consul Template (also from HashiCorp) to automate the rotation of certificates using AS3. (Note: I have another article that also talks about Consul Template).
How it Works
If you’re familiar with the idea of a unix pipe, it looks something like:
Vault | Consul Template | AS3 | BIG-IP
A bit more verbosely:
Vault is used to store the certificate of the VPN service (vpn.example.com) and the client certificate (node1.example.com)
Consul Template is used to generate an AS3 template that contains the certificates that are stored in Vault (vpn.example.com)
The AS3 declaration is sent to the BIG-IP to generate the VPN configuration
The VPN client extracts the client certificate to authenticate to the VPN service (node1.example.com)
Here's what the template looks like. It uses Consul Template syntax that pulls the certificates from Vault each time the template is rendered.
If you are familiar with AS3 declarations you will notice that we are creating an HTTPS virtual server that requires a client certificate (mTLS) to authenticate.
Here’s the AS3 declaration with the certificates from Vault.
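The rendered declaration is not reproduced above, so here is an added example of the step that sits between Consul Template and the BIG-IP: it takes the JSON that Vault's PKI engine returns for vpn.example.com, assembles an AS3 declaration whose TLS_Server demands a client certificate signed by the same issuing CA, checks that the PEM line breaks survive JSON rendering (the usual failure mode of a hand-written template), and posts it to AS3. This is example code, not the article's template or F5's. It assumes the standard Vault `pki/issue` response fields (`certificate`, `private_key`, `issuing_ca`, `expiration`), a pre-created Connectivity profile named /Common/vpn_connectivity, and AS3 property names (`authenticationMode`, `authenticationTrustCA`, `profileConnectivity`) as documented in the AS3 schema; the PEM bodies are constructed placeholders.

```python
import base64
import json
import ssl
import time
import urllib.request

# Constructed stand-in for the JSON Vault returns from
#   vault write pki/issue/example-dot-com common_name=vpn.example.com
# The PEM bodies are placeholders, not real keys or certificates.
SAMPLE_VAULT_ISSUE = {
    "data": {
        "certificate": "-----BEGIN CERTIFICATE-----\nMIIB...vpn...\n-----END CERTIFICATE-----",
        "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...vpn...\n-----END RSA PRIVATE KEY-----",
        "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIB...ca...\n-----END CERTIFICATE-----",
        "expiration": int(time.time()) + 72 * 3600,  # Vault's default 72 h TTL
    }
}


def build_declaration(issued, tenant="vpn", vip="10.1.1.10",
                      connectivity_profile="/Common/vpn_connectivity"):
    """AS3 declaration for an HTTPS virtual that completes the TLS handshake only
    for clients presenting a certificate signed by Vault's issuing CA."""
    data = issued["data"]
    return {
        "class": "ADC",
        "schemaVersion": "3.0.0",
        "id": f"vpn-{data['expiration']}",  # new id on every rotation
        tenant: {
            "class": "Tenant",
            "Application": {
                "class": "Application",
                "template": "generic",
                # Server cert for vpn.example.com; Vault's issuing CA as the chain.
                "vpn_cert": {
                    "class": "Certificate",
                    "certificate": data["certificate"],
                    "privateKey": data["private_key"],
                    "chainCA": data["issuing_ca"],
                },
                # Only client certs (node1.example.com) from the same CA are trusted.
                "vpn_ca": {"class": "CA_Bundle", "bundle": data["issuing_ca"]},
                "vpn_tls": {
                    "class": "TLS_Server",
                    "certificates": [{"certificate": "vpn_cert"}],
                    "authenticationMode": "require",  # mTLS: no client cert, no session
                    "authenticationTrustCA": "vpn_ca",
                },
                "vpn_service": {
                    "class": "Service_HTTPS",
                    "virtualAddresses": [vip],
                    "virtualPort": 443,
                    "serverTLS": "vpn_tls",
                    # Pre-created APM Connectivity profile (name is an assumption).
                    "profileConnectivity": {"bigip": connectivity_profile},
                },
            },
        },
    }


def render_declaration(declaration):
    """json.dumps escapes each PEM line break as \\n; a template that pastes the
    PEM in raw produces invalid JSON that AS3 rejects."""
    return json.dumps(declaration, indent=2)


def pem_survives_render(text):
    """True when the rendered JSON parses and every Certificate / CA_Bundle field
    decodes back to PEM with real line breaks, i.e. is loadable on the BIG-IP."""
    try:
        parsed = json.loads(text)
    except json.JSONDecodeError:
        return False
    pems = []
    for tenant in parsed.values():
        if not isinstance(tenant, dict) or tenant.get("class") != "Tenant":
            continue
        for app in tenant.values():
            if not isinstance(app, dict) or app.get("class") != "Application":
                continue
            for obj in app.values():
                if isinstance(obj, dict) and obj.get("class") == "Certificate":
                    pems += [obj[k] for k in ("certificate", "privateKey", "chainCA") if k in obj]
                elif isinstance(obj, dict) and obj.get("class") == "CA_Bundle":
                    pems.append(obj["bundle"])
    return bool(pems) and all(p.startswith("-----BEGIN ") and "\n" in p for p in pems)


def post_declaration(declaration, host, username, password, cafile):
    """POST to the AS3 endpoint, verifying the BIG-IP management certificate
    against `cafile` instead of switching verification off."""
    body = render_declaration(declaration).encode()
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}/mgmt/shared/appsvcs/declare", data=body, method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(render_declaration(build_declaration(SAMPLE_VAULT_ISSUE)))
```

In the real pipeline Consul Template does the rendering and calls the equivalent of `post_declaration` from its `command` hook; the `id` changing with each `expiration` value is what makes every rotation a distinct declaration version on the BIG-IP.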
Resulting BIG-IP Configuration
Not pictured: the Connectivity profile referenced by the AS3 declaration had to be created separately (via iControl REST) before the declaration was sent.
Linux client connecting using certificates from Vault.
A Simple Tunnel
This solution works in any environment where you deploy a BIG-IP, whether on-prem, in a public cloud, or in your basement. This example avoids password-based authentication to simplify the solution, and it is also more secure because the certificates on both the client and the server are rotated regularly (Vault's default TTL is 72 hours). With automation you can build creative solutions that provide secure communication using ephemeral tokens.