Configure Remote Access



Enable remote access if you want to:

  • Define devices allowed to remotely access resources
  • Role based remote access to IP resources
  • On Demand remote access to IP resources
  • Multi-factor access to IP resources

What is an IP resource?

An IP resource is any subnet or ip + port(s) combination. For example,

10.0.1.0/24 & ports 22,80,443,5600-5609

10.0.2.124/32 & ports 80,443

It is recommended that users NOT be provided with direct IP access to SSH and databases. Best practice is for those connections to go through their respective proxies, which provides improved management, security, monitoring and activity recording.
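As an added illustration of the "subnet & ports" notation (example code written for this page, not part of Mamori), the following Python parses an IP resource, expands port lists and ranges, decides whether a destination address and port fall inside it, and flags resources that hand out direct access to SSH or database ports that the recommendation above says should go through a proxy. The sample resources and the port-to-service map are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample IP resources in the page's "subnet & ports" notation.
SAMPLE_RESOURCES = {
    "dev_web": "10.0.1.0/24 & ports 22,80,443,5600-5609",
    "prod_api": "10.0.2.124/32 & ports 80,443",
}

# Services the page recommends reaching through their proxies rather than by
# direct IP. The port-to-service map is an assumption (well-known defaults).
PROXIED_PORTS = {22: "ssh", 1433: "mssql", 1521: "oracle", 3306: "mysql", 5432: "postgres"}

# "<network> & ports <list>": network may carry a prefix length, list may
# contain single ports and lo-hi ranges separated by commas.
_SPEC = re.compile(r"^\s*(?P<net>[0-9a-fA-F:.]+(?:/\d{1,3})?)\s*&\s*ports?\s*(?P<ports>[\d,\s-]+)$")


def parse_ports(text):
    """Expand '22,80,5600-5609' into a set of integer ports, rejecting bad values."""
    ports = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"descending port range: {part}")
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    bad = sorted(p for p in ports if not 0 < p < 65536)
    if bad:
        raise ValueError(f"port out of range: {bad}")
    return ports


def parse_resource(spec):
    """Parse one resource spec into (ip_network, set_of_ports)."""
    match = _SPEC.match(spec)
    if match is None:
        raise ValueError(f"unrecognised IP resource spec: {spec!r}")
    network = ipaddress.ip_network(match["net"], strict=False)
    return network, parse_ports(match["ports"])


def covers(spec, ip, port):
    """True when the destination ip:port lies inside the resource."""
    network, ports = parse_resource(spec)
    return ipaddress.ip_address(ip) in network and port in ports


def first_matching_resource(resources, granted_names, ip, port):
    """Name of the first granted resource that covers ip:port, or None."""
    for name in granted_names:
        if covers(resources[name], ip, port):
            return name
    return None


def proxied_services_exposed(spec):
    """Services this resource exposes directly that should instead go via a proxy."""
    _, ports = parse_resource(spec)
    return sorted(PROXIED_PORTS[p] for p in ports if p in PROXIED_PORTS)


if __name__ == "__main__":
    for name, spec in SAMPLE_RESOURCES.items():
        print(name, "direct-exposes:", proxied_services_exposed(spec) or "nothing")
```

Running the block reports that dev_web exposes SSH directly, which is exactly the case the recommendation above tells you to route through the SSH proxy instead.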

Overview

Remote access is provided via a WireGuard VPN. WireGuard is a fast VPN that uses state-of-the-art cryptography; it is faster and simpler than IPsec and considerably more performant than OpenVPN.

Mamori simplifies the wireguard configuration and integrates it with identity management, 2FA, Access On-Demand and monitoring services.

What triggers user's multi-factor authentication?

A user's multi-factor authentication is triggered when they access an IP - not when they activate the network. The authentication remains active until a user is inactive for a specified amount of time.


Steps

To configure remote access via mamori, follow the steps below.

Prerequisites

  • Server port configuration
  • Configure users

  • Step 1 - Configure wireguard subnet
  • Step 2 - Define IP resources
  • Step 3 - Grant IP resources to users and/or roles
  • Step 4 - Add user devices & email user connection details
  • Step 5 - Define on-demand resources to users and/or roles


Configure Wireguard Subnet

To view and manage the wireguard configuration:

Click Wireguard

Click Settings

Next, enter the details

Field: Description

Public Address: defaults to your mamori server IP
Port: defaults to 51871
Private IP Address: desired server IP in the new subnet
Private IP Subnet Mask: defaults to 255.255.255.0
Exposed Subnets: local subnets that contain target IPs, e.g. 192.168.1.0/24, 10.50.0.0/16
Your DNS Server IP (optional): set if you want to access resources by name
Network UP Script (optional)

Click Update


Define IP resources

To view and manage the wireguard configuration:

Click Wireguard

Click IP Resources

Click Add

Next, enter the details

Field: Description

Resource Name: grant reference label
IP Address: example: 10.0.100.0/24 will cover 10.0.100.*
Ports: example: 22,43,80,5000-6000

Click ADD


Grant IP resources to users and/or roles

To grant IP resources to a user or role

Navigate to users or roles

Click Users

Or

Click Roles

Click Edit

Click SSH & SERVER ACCESS

Click IP Resources

Select IP Resources

For on-demand access, grant the IP resources to a role. The role will then be granted to the specified user by an on-demand policy, and the grant will expire as per the policy.


Add User Device(s)

To add a device for a user:

Click Wireguard

Click Peers

Click Add

Next, enter the details

Field: Description

Mamori User: the identity this device will be linked to
Device Name: reference name for the device
Advanced Option: Peer Public Key: the device's public key
Advanced Option: Peer Private IP Address: the device's IP in the wireguard network

Click Add Peer

After adding the peer, mamori will display the device configuration.

Click on Email Configuration to email the configuration and client setup instructions to the user.
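To show how the Step 1 settings (Private IP Address, Subnet Mask, Exposed Subnets, DNS) and the Step 4 peer fields combine into the configuration a device receives, here is an added Python example written for this page. It renders a generic wg-quick style client file, not Mamori's actual output; the server settings, addresses and key strings are constructed placeholders. The point it makes is that the peer's AllowedIPs should list only the VPN subnet and the exposed subnets (split tunnel), and it validates that the device's private IP is a usable host address inside the VPN subnet.

```python
import ipaddress

# Constructed server settings mirroring the Settings fields; keys are placeholders.
SERVER = {
    "public_address": "203.0.113.10",                       # Public Address
    "port": 51871,                                          # Port (page default)
    "private_ip": "10.99.0.1",                              # Private IP Address
    "subnet_mask": "255.255.255.0",                         # Private IP Subnet Mask
    "exposed_subnets": ["192.168.1.0/24", "10.50.0.0/16"],  # Exposed Subnets
    "dns": "192.168.1.53",                                  # Your DNS Server IP
    "public_key": "SERVER_PUBLIC_KEY_PLACEHOLDER=",         # placeholder, not a real key
}


def wireguard_network(server):
    """The VPN subnet, derived from the server's private IP and subnet mask."""
    return ipaddress.ip_network(f"{server['private_ip']}/{server['subnet_mask']}", strict=False)


def peer_allowed_ips(server):
    """What a device may route over the tunnel: the VPN subnet plus the exposed subnets."""
    nets = [wireguard_network(server)] + [ipaddress.ip_network(s) for s in server["exposed_subnets"]]
    return [str(n) for n in nets]


def render_peer_config(server, peer_private_ip, peer_private_key):
    """Render a wg-quick style client configuration for one device."""
    net = wireguard_network(server)
    ip = ipaddress.ip_address(peer_private_ip)
    if ip not in net or ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{peer_private_ip} is not a usable host address in {net}")
    if ip == ipaddress.ip_address(server["private_ip"]):
        raise ValueError("peer address collides with the server address")
    lines = [
        "[Interface]",
        f"PrivateKey = {peer_private_key}",
        f"Address = {peer_private_ip}/{net.prefixlen}",
    ]
    if server.get("dns"):
        lines.append(f"DNS = {server['dns']}")
    lines += [
        "",
        "[Peer]",
        f"PublicKey = {server['public_key']}",
        f"Endpoint = {server['public_address']}:{server['port']}",
        f"AllowedIPs = {', '.join(peer_allowed_ips(server))}",
        "PersistentKeepalive = 25",
    ]
    return "\n".join(lines) + "\n"


def is_split_tunnel(config_text):
    """True when AllowedIPs names specific subnets rather than a default route (/0)."""
    for line in config_text.splitlines():
        if line.strip().startswith("AllowedIPs"):
            nets = [ipaddress.ip_network(p.strip()) for p in line.split("=", 1)[1].split(",")]
            return all(n.prefixlen > 0 for n in nets)
    return False


if __name__ == "__main__":
    # Constructed peer values; the private key string is a placeholder.
    print(render_peer_config(SERVER, "10.99.0.7", "PEER_PRIVATE_KEY_PLACEHOLDER="))
```

A device whose AllowedIPs were 0.0.0.0/0 would send all of its traffic through the server; restricting the list to the VPN subnet and the exposed subnets keeps the tunnel to the resources actually being granted.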


Define on-demand access policies

To create on-demand IP resource policies:

Prerequisites

  • Define IP resources
  • Define Alert Channels

Click Policies

Click Access On Demand

Click Add

Policy Editor

For detailed field descriptions click here

Add a time parameter

Enter the statement below in the policy script

On Demand Policy
GRANT YOUR_IPRESOURCE_NAME TO :applicant VALID for :time minutes;

Example Policy Grant Statements

  • dev_web & dev_ssh are IP Resources
  • :applicant is the user making the request
  • :time is the custom parameter
On Demand Policy
GRANT dev_web TO :applicant VALID for :time minutes;
GRANT dev_ssh TO :applicant VALID for :time minutes;
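The following added Python example (written for this page, not Mamori's policy engine) shows what the grant statements above do when an applicant is approved: it parses the GRANT ... TO :applicant VALID for :time minutes; syntax, binds the :applicant and :time parameters, mints grants with an expiry, and answers which resources the user still holds at a later time. The policy text is a copy of the example above; the maximum :time of 240 minutes, the request timestamp and the user names are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed copy of the page's example policy script.
POLICY_SCRIPT = """
GRANT dev_web TO :applicant VALID for :time minutes;
GRANT dev_ssh TO :applicant VALID for :time minutes;
"""

# Assumed guard rail: the longest on-demand grant an approver may hand out.
MAX_MINUTES = 240

# Constructed timestamp for the sample request.
REQUEST_TIME = datetime(2021, 10, 17, 9, 0, tzinfo=timezone.utc)

# One GRANT statement: resource name, applicant parameter, time parameter.
_GRANT = re.compile(
    r"^\s*GRANT\s+(?P<resource>\w+)\s+TO\s+:(?P<applicant>\w+)"
    r"\s+VALID\s+for\s+:(?P<time>\w+)\s+minutes\s*;\s*$",
    re.IGNORECASE,
)


def parse_policy(script):
    """Return (resource, applicant_param, time_param) for each GRANT statement."""
    statements = []
    for line in script.splitlines():
        if not line.strip():
            continue
        match = _GRANT.match(line)
        if match is None:
            raise ValueError(f"unsupported policy statement: {line.strip()!r}")
        statements.append((match["resource"], match["applicant"], match["time"]))
    return statements


def approve(script, params, now):
    """Bind the :applicant and :time parameters and mint time-boxed grants."""
    grants = []
    for resource, applicant_param, time_param in parse_policy(script):
        minutes = int(params[time_param])
        if not 0 < minutes <= MAX_MINUTES:
            raise ValueError(f":{time_param} must be 1..{MAX_MINUTES} minutes, got {minutes}")
        grants.append({
            "user": params[applicant_param],
            "resource": resource,
            "granted": now,
            "expires": now + timedelta(minutes=minutes),
        })
    return grants


def active_resources(grants, user, at):
    """Resource names `user` can still reach at time `at`; expired grants drop away."""
    return sorted({g["resource"] for g in grants if g["user"] == user and at < g["expires"]})


if __name__ == "__main__":
    grants = approve(POLICY_SCRIPT, {"applicant": "alice", "time": "30"}, REQUEST_TIME)
    for g in grants:
        print(f"{g['user']} -> {g['resource']} until {g['expires'].isoformat()}")
```

The expiry is computed once at approval time and never extended, which is the property the page relies on when it says the grant expires as per the policy; a renewal is a new request through the same policy.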

Updated at Sun, Oct 17, 2021