
Site-to-Site VPN with Safous Linux Agent

Use Cases

  • Site-to-Site VPN between branch office and head office, or between remote sites and the data center (DC)

Diagram

[Diagram: Safous Agent]

Components to set up: 

  1. Remote Subnet 1:
    Set the network gateway to the Linux Server running the Safous Agent.

  2. Linux Server with Safous Linux Agent:
    Enable IP forwarding and set up tunneling using the Safous Agent.

  3. Safous POP:
    No configuration required by the user.

  4. Safous App Gateway:
    Configure the network applications in Remote Subnet 2 to be accessible by the Safous Agent.

  5. Remote Subnet 2:
    No configuration required by the user.

How to

On Safous App Gateway (via Admin Portal)

  1. Create an Agent Token

    • Navigate to: Settings > Accounts > Agent Token > New Agent Token.

    • Enter a name for the token and click Save. 

    • A new token will be generated—be sure to save it in a secure location, as it will only be shown once. 

  2. Create a Network Application

    • Add the subnet for Remote Subnet 2, including the relevant ports and site association.

    • Define an access rule that allows the newly created agent token to access this network application.

On Linux Server with Safous Agent

  1. Download Agent in User portal

    • Log in to the user portal.

    • Click "Download Agent" and select the Linux Agent.

    • Transfer the file to your Linux server using scp or another tool.

  2. Install the agent

    apt update
    apt install libayatana-appindicator3-1
    mv linux-amd64.deb <tenant>.ztna.safous.com.deb
    dpkg -i <tenant>.ztna.safous.com.deb

  3. Authenticate and start tunneling

    cd /usr/local/share/cyolo/connect/
    ./connect auth login https://login.<tenant>.ztna.safous.com -k <Safous Agent Token>
    ./connect tunnel up
    ./connect tunnel status

  4. Set the Linux Server as a Network Gateway

    sudo nano /etc/sysctl.conf
    # add (or uncomment) this line in /etc/sysctl.conf:
    net.ipv4.ip_forward = 1
    # reload the setting
    sudo sysctl -p

  5. Configure iptables (replace enp0s3 with your actual interface)

    sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
    sudo iptables -A FORWARD -i enp0s3 -o tun0 -j ACCEPT
    sudo iptables -A FORWARD -i tun0 -o enp0s3 -m state --state RELATED,ESTABLISHED -j ACCEPT

  6. Verify routing

    netstat -nr

    Ensure that a route to Remote Subnet 2 exists via the tun0 interface.
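The following script is an added example, not part of the Safous documentation or agent; it bundles steps 4 to 6 into one idempotent script and tightens the FORWARD chain from "anything from the LAN interface" to the two named subnets, with a rate-limited log and drop for everything else. The interface names (enp0s3, tun0) match the steps above; the subnet values, the sysctl.d file name and the log prefix are assumptions, and the conntrack match is used in place of the older `-m state`.

```shell
#!/bin/sh
# Constructed example for the gateway steps above; not part of the Safous docs.
# Assumed (not from the page): LAN interface enp0s3, tunnel interface tun0,
# Remote Subnet 1 = 192.168.10.0/24, Remote Subnet 2 = 10.20.0.0/16.
LAN_IF="${LAN_IF:-enp0s3}"
TUN_IF="${TUN_IF:-tun0}"
LOCAL_NET="${LOCAL_NET:-192.168.10.0/24}"
REMOTE_NET="${REMOTE_NET:-10.20.0.0/16}"
# Append an iptables rule only if an identical rule is not already present;
# a plain -A adds a duplicate every time the script is re-run.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null \
        || iptables -t "$table" -A "$chain" "$@"
}

apply_rules() {
    # Persist forwarding in sysctl.d instead of hand-editing /etc/sysctl.conf.
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/90-safous-gateway.conf
    sysctl -w net.ipv4.ip_forward=1
    # NAT only traffic that really originates in Remote Subnet 1.
    ensure_rule nat POSTROUTING -s "$LOCAL_NET" -o "$TUN_IF" -j MASQUERADE
    # Forward only Subnet 1 -> Subnet 2 plus replies; log (rate-limited) and drop the rest.
    ensure_rule filter FORWARD -i "$LAN_IF" -o "$TUN_IF" \
        -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    ensure_rule filter FORWARD -i "$TUN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ensure_rule filter FORWARD -m limit --limit 5/min \
        -j LOG --log-prefix "safous-fwd-drop: "
    ensure_rule filter FORWARD -j DROP
}

# Exit 0 if the `ip route` text on stdin has a route for $1 via device $2 (stdin, so testable offline).
route_via_tun() {
    awk -v n="$1" -v d="$2" '
        $1 == n { for (i = 2; i < NF; i++) if ($i == "dev" && $(i+1) == d) f = 1 }
        END { exit f ? 0 : 1 }'
}

verify() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || { echo "ip_forward is off" >&2; return 1; }
    ip route | route_via_tun "$REMOTE_NET" "$TUN_IF" \
        || { echo "no route to $REMOTE_NET via $TUN_IF; is the tunnel up?" >&2; return 1; }
    echo "gateway OK: $LOCAL_NET -> $TUN_IF -> $REMOTE_NET"
}

case "${1:-}" in
    apply)  [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
            apply_rules && verify ;;
    verify) verify ;;
esac
```

Run it as `sh gateway.sh apply` on the agent host after `./connect tunnel up`, and `sh gateway.sh verify` afterwards to confirm forwarding and the tun0 route are still in place.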

On Remote Subnet 1

  • Configure all machines in Remote Subnet 1 to use the IP address of the Linux Server’s local interface (enp0s3, for example) as their default gateway.

Note: Do not use the tun0 interface IP as the gateway.