Enable IP Access in Lighthouse
This topic walks through the steps required to activate and enable the IP Access feature.
Enable NetOps Automation
After deploying the Lighthouse, sync the latest NetOps Modules from Docker Hub:
- Log in to the Lighthouse web UI as a Lighthouse Administrator or the root user.
- From the menu, select SETTINGS > Services > NetOps Modules.
- Click the Synchronize icon.
Note: If Lighthouse cannot contact the Docker Hub, you may be able to use the offline installer.
Activate the IP Access Module
NetOps Modules must be activated on Lighthouse and on a per-node basis.
- Log in to the Lighthouse web UI as root or a Lighthouse Administrator, and upload the Enterprise Edition or Enterprise Automation Edition licence file under SETTINGS > System > Subscriptions > Add.
- Click CONFIGURE > NetOps Modules > Manage Modules and wait until Lighthouse activation is complete.
To activate the module on the node through which you want to access IP networks, use the following steps:
- Ensure CONFIGURE > NetOps Modules > Manage Modules > IP Access > Always Activate is unchecked and applied.
- Select CONFIGURE > Configuration Templating > Apply Templates.
- Under NetOps Module Activation select IP Access and click Next.
- Select the nodes to activate and click Next.
- To confirm that the preflight check has succeeded, click the Update icon above the table, then click Next.
Note: Any locally attached subnet and any static routes configured on the Management LAN (OGCS) or interfaces in the LAN zone will get pushed to the client.
See also: Activate a NetOps Module.
Network Ports Used for IP Access
IP Access OpenVPN clients connect on UDP port 8194, inbound to Lighthouse.
The remainder of the connection is bridged over the existing Lighthouse VPN between the node and Lighthouse, therefore no additional ports are utilized.
Generate a Certificate and Export Client Configuration
Clients connect to Lighthouse via an OpenVPN client, which in turn connects them to the Management LAN network of a particular node. IP Access provides a convenient means to configure the OpenVPN client by generating the configuration files that may be imported directly into your OpenVPN client of choice.
- Log in to the Lighthouse web UI as root or a Lighthouse Administrator, and click CONFIGURE > IP Access > Client Certificates. Enter a Certificate Name and click Create.
- When the certificate is created, download an associated OpenVPN client configuration by clicking Export.
Note: Deleting a client configuration file from Lighthouse revokes that client certificate and any associated client configurations using that certificate will no longer be permitted to connect.
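The exported profile can be checked before import against the values this page states: UDP port 8194, a Layer 2 TAP device, and a username/password prompt. The following is an added example, not Lighthouse code; it assumes the export expresses these with the standard OpenVPN directives remote, proto, port, dev, dev-type and auth-user-pass, and the sample profile and hostname are constructed.

```python
# Added example: audit an exported OpenVPN profile before importing it.
EXPECTED_PORT, EXPECTED_PROTO, EXPECTED_DEV = "8194", "udp", "tap"

def parse_profile(text):
    """Return [(directive, [args])], skipping comments and inline <...> blocks."""
    directives, block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if block:
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives

def audit_profile(text):
    """Return a list of findings; an empty list means the profile matches."""
    d = parse_profile(text)
    first = lambda names, default: next(
        (a[0] for n, a in d if n in names and a), default)
    findings = []
    remotes = [a for n, a in d if n == "remote" and a]
    if not remotes:
        findings.append("no remote directive")
    for host, *rest in remotes:
        # OpenVPN defaults apply when a remote line omits port or protocol.
        port = rest[0] if rest else first(("port", "rport"), "1194")
        proto = rest[1] if len(rest) > 1 else first(("proto",), "udp")
        if port != EXPECTED_PORT:
            findings.append(f"{host}: port {port}, expected {EXPECTED_PORT}")
        if not proto.startswith(EXPECTED_PROTO):
            findings.append(f"{host}: proto {proto}, expected {EXPECTED_PROTO}")
    dev = first(("dev-type",), None) or first(("dev",), "")
    if not dev.startswith(EXPECTED_DEV):
        findings.append(f"device '{dev}' is not a Layer 2 TAP device")
    auth = [a for n, a in d if n == "auth-user-pass"]
    if not auth:
        findings.append("auth-user-pass missing: no credential prompt")
    elif auth[0]:
        findings.append(f"credentials read from file {auth[0][0]}, not prompted")
    return findings

# Constructed sample profile, not a real Lighthouse export.
SAMPLE = "client\ndev tap\nproto udp\nremote lighthouse.example.com 8194\nauth-user-pass\n"
```

Call audit_profile() on the text of the exported file; any finding means the profile differs from what this page describes and should be re-exported or reviewed before use.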
Connect the VPN Client
The final step is to establish the VPN connection that allows IP Access to the Management LAN (and optionally other networks) behind a node.
- Import the client configuration from the previous step into your preferred OpenVPN client and start the VPN connection.
- When prompted to authenticate the VPN connection, you must also specify your Lighthouse credentials and the node that you want to establish IP access via.
- Specify the node by adding :node-name to your Lighthouse username. For example, authenticating with the username james:my-acm7004-5 will authenticate as Lighthouse user james and connect the VPN to the IP network(s) behind my-acm7004-5.
Note: To be permitted connection, the Lighthouse user must have at least Node User rights for the specified node.
Note: The IP Access NetOps module creates a Layer 2 TAP mode tunnel which is not supported by Android or iOS operating systems.
Password Authentication During VPN Connection
During VPN connection, the client is prompted to enter a username and password. These credentials are used to authenticate the user, and also to specify the remote node to establish IP access through.
Specify the node by adding :node-name to your Lighthouse username. For example, authenticating with the username james:my-acm7004-5 will authenticate as Lighthouse user james and connect the VPN to the IP network(s) behind my-acm7004-5.
For authentication to succeed, the Lighthouse user must be one of:
- Lighthouse Administrator role, or root
- Node Administrator role with access to the node you are connecting through
- Node User role with access to the node you are connecting through