Adding a Second Site – Running in Ravello Cloud – to my Homelab using pfSense and OpenVPN

Introduction
In my homelab, I’m currently running a fully nested VMware environment in a single box. With the necessary tweaking and tuning, and thanks to fast NVMe SSD storage, I can quite comfortably run 6 ESXi hosts concurrently. Four nodes with vSAN run the management cluster (non-stop), and two 2-node clusters with NFS storage (provided by a nested FreeNAS VM) run NSX-v and NSX-T. I start either of these clusters, depending on what I’m doing in my lab. Upstream networking is all handled by yet another nested VM running pfSense. You can read more on the networking bit in one of my previous posts about using VLANs and VXLAN in a nested environment. The box is a Supermicro SYS-5028A-TN4 by the way. I highly recommend it if you are looking for a powerful but low-profile homelab!
In this blogpost I am going to walk you through the process of how I added a second site to my homelab environment using Ravello Cloud.
Setting up Ravello Cloud
Setting up Ravello Cloud is really dead simple. As a vExpert, I get free access to this awesome cloud service. Besides eternal fame, free access to Ravello Cloud is perhaps the biggest benefit gained by becoming a vExpert. Take a look at https://cloud.ravellosystems.com/go/vexpert for more details!
The canvas user interface allows you to easily map out your environment. There is a lot of community material available on how to set up a VMware lab environment (take a look at this great post by my colleague and community hero Kim Bottu), so I’m not going to cover all the basics. One thing I do want to point out is how to use VLANs inside Ravello Cloud. As I wrote earlier, I’m using VLANs in my nested vSphere environment in my on-premises homelab, and I also wanted to make use of VLANs inside of Ravello Cloud. As it turns out, all you have to do is use VLAN #1, and you are then allowed to do Guest OS VLAN tagging. That means I can tag the VLAN IDs on the distributed port groups of my VDS. Great!
OpenVPN using pfSense
I’m using pfSense for pretty much all networking services I need in my homelab (with the exception of DNS and NTP, which are provided by the Domain Controller). All my VLANs route through pfSense: BGP peering with my NSX-v Edges and NSX-T T0 routers, NAT, DHCP and so on. The pfSense VM runs on my nested vSphere homelab, has its WAN interface in my “physical” home network, and has one internal interface that trunks all the VLANs and provides an SVI for every VLAN that needs to be routed. I’ve put some static routes on my ISP router to forward all my homelab networks to the pfSense, and pfSense obviously has the ISP router as its default gateway. Take a look at my previous post to see some diagrams of this configuration.
It made sense for me to also leverage the VPN capabilities of pfSense (as opposed to using an NSX-v Edge, for example). I opted for OpenVPN because it’s easy to configure and because I’m already using IPsec VPN on my ISP router to remotely connect to my home network from abroad. The OpenVPN service comes preinstalled with pfSense. I configured my on-premises pfSense as the OpenVPN server. I’m using L3 by the way, to really mimic an L3-isolated second environment/region. The OpenVPN config is really straightforward:
- Server mode: peer to peer (shared key)
- Protocol: UDP on IPv4 only
- Device Mode: Layer 3 Tunnel Mode
- Interface: WAN
- Local port: 1194
- Shared Key: pfSense will generate one for you; you will need to copy it to the client side.
- IPv4 Tunnel Network: a virtual network that’s used inside the tunnel. I chose 192.168.4.0/24.
- IPv4 Remote Networks: all the networks you need to access on the other side.
Of course I needed to configure port forwarding on my ISP router for UDP port 1194 so OpenVPN traffic will be forwarded to pfSense. By configuring the OpenVPN client side on the pfSense appliance running in Ravello, I now have an additional L3 connected environment.
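To make the two ends of that tunnel concrete, here is an added example (my own illustration, not code from the post or from pfSense) that renders the OpenVPN static-key configuration pfSense generates behind the GUI settings above, one for the on-premises server and one for the Ravello client, and checks first that the tunnel network and the two sites' prefixes do not overlap. The tunnel network 192.168.4.0/24 and UDP port 1194 are the post's values; the site prefixes, the hostname homelab.example.com and the key file name are constructed assumptions. It also assumes the usual shared-key pairing, where the server takes the first host address of the tunnel network and the client the second.

```python
"""Added example, not from the original post: render both ends of a
peer-to-peer (shared-key) OpenVPN tunnel and sanity-check the prefixes.
"""
import ipaddress

# Values from the post: the tunnel network and the OpenVPN port.
TUNNEL_NET = ipaddress.ip_network("192.168.4.0/24")
OPENVPN_PORT = 1194

# Constructed site prefixes (assumed for the example; the post does not list them).
ONPREM_NETS = ["10.100.0.0/16"]   # networks behind the on-prem pfSense
RAVELLO_NETS = ["10.200.0.0/16"]  # networks behind the Ravello pfSense


def check_overlaps(tunnel, local_nets, remote_nets):
    """Return (a, b) pairs of prefixes that overlap; an empty list means the plan is clean.

    An overlap between a Remote Network and a local subnet (or the tunnel network)
    gives one end two routes for the same destination, which is the classic
    site-to-site misconfiguration.
    """
    nets = [tunnel] + [ipaddress.ip_network(n) for n in local_nets + remote_nets]
    problems = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append((str(a), str(b)))
    return problems


def render_p2p_config(role, remote_nets, tunnel=TUNNEL_NET, port=OPENVPN_PORT,
                      remote_host=None, key_file="shared.key"):
    """Render an OpenVPN point-to-point static-key config for one tunnel end.

    role is "server" or "client". The server gets the first host address of the
    tunnel network, the client the second (assumed pairing). remote_nets are the
    prefixes reachable through the peer (pfSense's "IPv4 Remote Networks").
    """
    first, second = list(tunnel.hosts())[:2]
    if role == "server":
        local_ip, peer_ip = first, second
    elif role == "client":
        if remote_host is None:
            raise ValueError("client needs remote_host (the server's public address)")
        local_ip, peer_ip = second, first
    else:
        raise ValueError(f"unknown role {role!r}")

    lines = []
    if role == "client":
        lines.append(f"remote {remote_host} {port}")  # public endpoint forwarded to pfSense
    lines += [
        "dev tun",                          # Device Mode: Layer 3 tunnel
        "proto udp4",                       # Protocol: UDP on IPv4 only
        f"port {port}",                     # Local port
        f"secret {key_file}",               # pre-shared static key copied from the server
        f"ifconfig {local_ip} {peer_ip}",   # addresses inside the tunnel network
    ]
    for n in remote_nets:
        net = ipaddress.ip_network(n)
        lines.append(f"route {net.network_address} {net.netmask}")  # IPv4 Remote Networks
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    problems = check_overlaps(TUNNEL_NET, ONPREM_NETS, RAVELLO_NETS)
    if problems:
        raise SystemExit(f"overlapping prefixes: {problems}")
    print("# on-prem pfSense (OpenVPN server)")
    print(render_p2p_config("server", RAVELLO_NETS))
    print("# Ravello pfSense (OpenVPN client)")
    print(render_p2p_config("client", ONPREM_NETS, remote_host="homelab.example.com"))
```

Run the overlap check before typing anything into the Remote Networks field on either side; the routes each end installs are exactly the `route` lines above, so an overlapping prefix quietly shadows a local subnet on one of the two pfSense boxes. Because this mode relies on a single static key for both confidentiality and peer authentication, copy it to the Ravello side over a channel you already trust (the IPsec VPN from the ISP router is a good fit) rather than in clear text.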
Enhanced Linked Mode
Ravello Cloud supports bare metal virtualization, and that means the ESXi servers that you can boot up are pretty powerful. To enable bare metal virtualization, open the Advanced Configuration settings of the ESXi host VM, set cpu-model to SandyBridge and set preferPhysicalHost to true.
I have currently deployed two ESXi hosts and two vCenter Servers (one for management and one for compute, to stay kind of in line with the VMware Validated Design I’m mimicking in my homelab). I joined the vCenter Servers to my SSO domain et voila … Enhanced Linked Mode!
Next steps
I will build out my 2-Region homelab environment in the coming weeks and add some additional hosts, NSX and some Disaster Recovery capabilities. But, I also want to deploy VMware PKS in my homelab (and on native AWS). Aargggh! … So much fun stuff to tinker with yet so little time 🙂