IP ACCESS
The Lighthouse IP Access feature allows an engineer to reach hosts on a remote site via an OpenVPN client through Lighthouse, over the Lighthouse VPN fabric, without physically traveling to the site. If IP Access is enabled for Lighthouse, it can be managed using the Configure > IP Access menu option on the Lighthouse web UI.
Note: For the Smart Management Fabric feature, see Smart Management Fabric and NetOps Interactions.
IP Access adds client VPN capability to Lighthouse. Network engineers, firewall and server administrators can launch a VPN client connection to Lighthouse, be authenticated, then automatically connected to the remote site management network. The client PC has a secure VPN tunnel to the remote equipment the user needs to work on, providing the same TCP/IP access they would get if they traveled to the site and plugged into the management LAN.
The client can then access target devices on the remote network directly by their usual IP addresses and network ports. Requests from the client are masqueraded behind the node's IP address, so no additional routing configuration is required on the target devices.
Connectivity
By default, IP Access connects the client to the Management LAN of the Opengear appliance, or the interfaces in the LAN zone for the OM Series. A route for the directly attached subnet, plus any static routes configured on that interface (but never the default route), is also pushed automatically to the OpenVPN client.
In the diagram, the client PC has a virtual tunnel interface with a route to the yellow management network, and the user can access any target IP devices on the yellow network using their real IP addresses.
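To confirm from the client side that only the node's subnet and static routes are pushed, and never the default route, the options pushed to the OpenVPN client can be audited from its log. The following Python is an added example, not Opengear code: the log lines, addresses and expected subnets are constructed, and it assumes the client logs the standard `PUSH_REPLY` control message.

```python
import ipaddress
import re

# Constructed sample of OpenVPN client log lines (all addresses are made up).
SAMPLE_LOG = """\
2024-01-01 10:00:00 UDP link remote: [AF_INET]203.0.113.10:8194
2024-01-01 10:00:02 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 10.20.0.0 255.255.0.0,ifconfig 172.31.0.6 255.255.255.0,peer-id 0'
"""

PUSH_RE = re.compile(r"PUSH: Received control message: '(PUSH_REPLY[^']*)'")
# The two /1 routes are what redirect-gateway def1 installs to override the default route.
DEFAULT_EQUIV = {ipaddress.ip_network(n) for n in ("0.0.0.0/0", "0.0.0.0/1", "128.0.0.0/1")}


def pushed_routes(log_text):
    """Return (routes, findings) parsed from every PUSH_REPLY in the log."""
    routes, findings = [], []
    for match in PUSH_RE.finditer(log_text):
        for option in match.group(1).split(",")[1:]:
            fields = option.split()
            if not fields:
                continue
            if fields[0] == "redirect-gateway":
                findings.append("server pushed redirect-gateway")
            elif fields[0] == "route" and len(fields) >= 2:
                mask = fields[2] if len(fields) >= 3 else "255.255.255.255"
                try:
                    net = ipaddress.ip_network(f"{fields[1]}/{mask}", strict=False)
                except ValueError:
                    findings.append(f"unparseable route: {option}")
                    continue
                routes.append(net)
                if net in DEFAULT_EQUIV:
                    findings.append(f"default-equivalent route pushed: {net}")
    return routes, findings


def audit(log_text, expected_subnets):
    """Flag default-route pushes and any route outside the expected management subnets."""
    expected = [ipaddress.ip_network(s) for s in expected_subnets]
    routes, findings = pushed_routes(log_text)
    for net in routes:
        if net not in DEFAULT_EQUIV and not any(net.subnet_of(e) for e in expected):
            findings.append(f"unexpected route pushed: {net}")
    return routes, findings


if __name__ == "__main__":
    print(audit(SAMPLE_LOG, ["192.168.0.0/24", "10.20.0.0/16"]))
```

An empty findings list means the tunnel is split as described: only the expected management subnets are routed through it.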
The basic configuration of this feature is:
- Activate the IP Access NetOps module – this starts the OpenVPN service in a Docker container on Lighthouse.
- Activate the IP Access NetOps module on each node you wish to use for IP Access – this installs a remote connector service to allow the IP Access bridge to be created.
- Generate a certificate and export an associated OpenVPN client configuration file.
- Import the configuration into your preferred OpenVPN client.
The basic operation of this feature is:
- Connect the tunnel – this starts a connection to Lighthouse on UDP port 8194.
- Authenticate when prompted using your Lighthouse credentials, appending the node name to your Lighthouse username – client certificate authentication is automatic; this is a second factor of authentication.
- Wait a moment for the connection to complete – this builds the GRE bridge between the client and pushes routes to the node's remote network(s).
While connected, the client can access IP addresses on the node's remote network(s) LAN directly, for example, by using the ping command or by typing them into the browser address bar.
Nodes Supported by IP Access
Opengear OM1200, OM2200, CM8100, ACM7000 and IM7200 nodes may be activated as IP Access nodes, to allow IP Access to their directly connected remote networks via Lighthouse.
Other vendors/models are not currently supported.
Select Configure > IP Access to view the available nodes in Lighthouse. The Node Access page displays.
Note