Deploy Security Onion sensor and VPN traffic back to Server


Stafford Waltho

Jan 27, 2017, 6:56:05 AM1/27/17
to security-onion
I've got a Security Onion server and 1 sensor working fine. I now want to deploy a remote sensor and connect back to my server using a VPN tunnel. I've set up the VPN (OpenVPN) and can connect back OK; my router says the VPN connection is up. However, I'm not able to manage the remote sensor over the VPN and I'm not getting any alerts from traffic being sniffed on the sniffing interface.

When I run Setup on the sensor I allocate eth0 as management and eth1 as sniffing, but when I bring up my VPN tunnel I now have tun0. How would I get my IDS alerts back to the server from this remote sensor and be able to remotely manage it?

Thanks in advance of any help received.

Wes

Jan 27, 2017, 6:41:23 PM1/27/17
to security-onion

Stafford,

You may want to try something similar to what is described here (VPN portion):

https://github.com/Security-Onion-Solutions/security-onion/wiki/CloudClient

Thanks,
Wes

Stafford Waltho

Jan 28, 2017, 7:59:01 AM1/28/17
to security-onion
This wasn't really what I was after. I have an OpenVPN server running on my router, and my internal network is monitored by a mirrored port on my switch. I now want to deploy 1 Security Onion sensor at a remote location, connect it to my VPN and forward any alerts to my Security Onion server across the internet.

So far I am able to connect the remote sensor to my VPN, but I am not seeing any alerts from it. I have this remote sensor connected to a network TAP and the monitoring interface is seeing the traffic; alerts are being generated, but they don't show on my Security Onion server back at my central office.

How would I configure my management interface so that the alerts make it back to my central server via the VPN?

dan confused

Jan 30, 2017, 9:58:40 AM1/30/17
to security-onion
Is the server actually seeing the sensor? i.e. what is the output of:

sudo salt '*' cmd.run 'service nsm status'
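The salt command above tells you whether the server can reach the sensor. The complementary check from the sensor side, as an added example that is not part of this thread or of the Security Onion project, is whether the sensor's route to the server actually goes out over the tunnel interface and whether its outbound connections to the server are established. The script below parses `ip route get` and `ss -tn` output; the server address 192.168.1.10, the tunnel name tun0, and the port list (TCP 22 for the sensor's autossh tunnel, TCP 4505/4506 for Salt) are assumptions for the example, not settings the thread states, and the sample output is constructed so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the thread or the Security Onion project.
# Assumptions (not stated in the thread): the server is 192.168.1.10 as seen
# through the VPN, the tunnel interface is tun0, and the sensor must hold
# outbound TCP connections to the server on 22 (autossh), 4505 and 4506 (Salt).

# route_via_iface ROUTE_LINE IFACE
# Succeeds when an "ip route get <server>" line names IFACE as the egress device.
route_via_iface() {
    printf '%s\n' "$1" | grep -Eq "(^| )dev $2"'( |$)'
}

# established_to SS_OUTPUT HOST PORT
# Succeeds when "ss -tn" output holds an ESTAB line whose peer is HOST:PORT.
# Column layout: State Recv-Q Send-Q Local:Port Peer:Port, so $1 and $5.
established_to() {
    printf '%s\n' "$1" | awk -v peer="$2:$3" \
        '$1 == "ESTAB" && $5 == peer { found = 1 } END { exit !found }'
}

# check_sensor_link ROUTE_LINE SS_OUTPUT SERVER IFACE
# Prints one ok/FAIL line per check; the return value is the number of failures,
# so 0 means the management path over the tunnel looks healthy.
check_sensor_link() {
    fails=0
    if route_via_iface "$1" "$4"; then
        echo "ok:   route to $3 leaves via $4"
    else
        echo "FAIL: route to $3 does not use $4 (management traffic is not in the tunnel)"
        fails=$((fails + 1))
    fi
    for port in 22 4505 4506; do
        if established_to "$2" "$3" "$port"; then
            echo "ok:   ESTAB to $3:$port"
        else
            echo "FAIL: no ESTAB connection to $3:$port"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# Constructed sample output for offline use (what a healthy sensor might show).
SAMPLE_ROUTE='192.168.1.10 via 10.8.0.1 dev tun0 src 10.8.0.6 uid 0'
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.8.0.6:45210 192.168.1.10:22
ESTAB 0 0 10.8.0.6:45222 192.168.1.10:4505
ESTAB 0 0 10.8.0.6:45230 192.168.1.10:4506'

# With SO_LIVE=1 the script queries the running sensor; otherwise it evaluates
# the constructed sample so it can be read and run anywhere.
if [ "${SO_LIVE:-0}" = 1 ]; then
    SERVER="${SO_SERVER:-192.168.1.10}"
    IFACE="${SO_IFACE:-tun0}"
    check_sensor_link "$(ip route get "$SERVER")" "$(ss -tn)" "$SERVER" "$IFACE"
else
    check_sensor_link "$SAMPLE_ROUTE" "$SAMPLE_SS" 192.168.1.10 tun0
fi
```

Run it on the remote sensor as `SO_LIVE=1 SO_SERVER=<server address inside the VPN> sh check_link.sh`. A FAIL on the route check means the management traffic is leaving via eth0 rather than tun0, which is the case to look at first when the tunnel is up but nothing from the sensor appears on the server.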
