Virtual Networking Mode

Last modified on August 6, 2024

This article introduces Virtual Networking Mode as a new connectivity mode for StrongDM, explains the differences between Virtual Networking Mode and Loopback Mode, and provides guidance on how to transition your organization’s resources to operate in Virtual Networking Mode.

Overview

Dual Connectivity Modes

The resources in your StrongDM network can operate in one of two connectivity modes: Virtual Networking Mode or Loopback Mode.

What Is Virtual Networking Mode?

Virtual Networking Mode is a new mode of operation that enables the StrongDM client to connect to many resources concurrently using a software-defined, IP-based network. Virtual Networking Mode uses a virtual point-to-point network device for IP tunneling.

You can configure Virtual Networking Mode to use a private IP address space or the Carrier-Grade Network Address Translation (CGNAT) IP address space, 100.64.0.0/10, which includes IP addresses from 100.64.0.0 to 100.127.255.255. Each IP address space has a different maximum number of allocatable IP addresses, giving you the flexibility to choose the space that fits the number of resources you wish to connect.

Configuring your network to utilize Virtual Networking Mode provides your organization with increased scalability and lets the client connect to a significantly higher number of resources simultaneously. Network configuration is done on the Admin UI’s new Networking page.

What Is Loopback Mode?

Loopback Mode, StrongDM’s classic mode of operation, allows the client to connect to resources using the local loopback adapter in the user’s operating system. When in Loopback Mode, the client can use ports on all 127.0.0.1 addresses (that is, localhost or loopback addresses) to support connections to resources. A file descriptor limit, however, restricts the number of resources that users can connect to simultaneously, depending on their operating system: 1,024 resources for Linux-based, 256 resources for macOS, and 512 resources for Windows.

Loopback Mode requires no network configuration.

Use both connectivity modes

To ease the process of transitioning resources from using Loopback Mode to Virtual Networking Mode, your organization has the option to use both, where some resources are configured for Virtual Networking Mode and some are configured for Loopback Mode.

Each resource can operate in only one mode at a time, and each resource must be configured with one of the two connectivity modes.

StrongDM Client and Virtual Networking Mode

The client comprises two main components: desktop app/CLI and listener. The StrongDM Virtual Network Adapter attaches to the listener via a local software-based carrier-grade network (CGNAT) utilizing 100.64.0.0/10 addresses.

Virtual Networking Mode requires the StrongDM Virtual Network Adapter to be installed on the user’s local machine (for macOS and Windows). The adapter performs the privileged task of activating Virtual Networking Mode on the user’s workstation and allowing the user to connect to Virtual Networking Mode resources. The StrongDM Virtual Network Adapter is operated by the OS itself, usually through an OS Process Manager, and thus needs admin privilege to be installed. On macOS, the StrongDM Virtual Network Adapter is installed via the PKG installer with admin privilege. On Windows, the StrongDM Virtual Network Adapter is installed via the EXE installer when the installer is run as administrator.

Some of the benefits of using the StrongDM Virtual Network Adapter with the client include the following:

  • Users gain connect-on-knock functionality. Instead of clicking on a resource’s lightning icon to initiate a connection, the connection happens automatically when the user logs in to StrongDM.
  • There is no file descriptor limit to the number of resources that can be connected. Users can connect to all resources available to them without being limited by operating system constraints.
  • Resources can be displayed with either their bind address (for example, 100.64.100.100:12345) or a human-readable DNS name (for example, mysql01.my-organization-name) depending on how resources have been configured.

Connectivity Mode Comparison

  • Network: Virtual Networking Mode uses Class A, Class B, Class C, or CGNAT IP address space, 100.64.0.0/10 (IP addresses from 100.64.0.0 to 100.127.255.255); Loopback Mode uses 127.0.0.1 only.
  • Client connection to resources: in Virtual Networking Mode, supported resources connect on knock; in Loopback Mode, users must click the lightning icon to connect to resources.
  • Local Ports Management: does not work with Virtual Networking Mode-configured resources; works with Loopback Mode resources.
  • Maximum number of resources that can be connected: no maximum in Virtual Networking Mode; 1,024 resources (Linux-based), 256 resources (macOS), or 512 resources (Windows) in Loopback Mode.

Summary of What’s New For Virtual Networking Mode

Admin UI

Networking settings

In the Admin UI, there is a new Networking page for configuring your organization’s network settings. Networking settings determine the number of resources that your organization can potentially connect to via StrongDM, as well as the way that users access resources via their StrongDM client.

Figure: Admin UI Settings > Networking

Your selected network class (Class A, Class B, Class C, or CGNAT) sets the Base IP Address and Subnet Mask default values.

Figure: Network Class Selector

Network class defaults

See the following table for default values for each class. You can change the default values, as long as the IP address value is in a valid range and the subnet mask is in a valid format.

  • Base IP Address: IP address used to transmit data to all of the hosts on the subnet; the highest, or last, number in its class. Defaults: Class A 10.0.0.0, Class B 172.16.0.0, Class C 192.168.0.0, CGNAT 100.64.0.0.
  • Subnet Mask: Number that distinguishes the host address from the network address within the IP address; automatically populated if you entered a starting IP address that specifies /. Defaults: Class A 255.0.0.0, Class B 255.240.0.0, Class C 255.255.0.0, CGNAT 255.192.0.0.

Summary fields

The Summary tells you what to expect if you save the settings with the current selections. Alert messages display when you choose a private network or when you change networks from one class to another.

The following table shows the fields provided in the summary.

  • VNM Device IP: IP address of any machine using StrongDM to connect to Virtual Networking Mode-enabled resources on your network. Examples: Class A 10.255.255.254, Class B 172.31.255.254, Class C 192.168.255.254, CGNAT 100.127.255.254.
  • VNM DNS IP: IP address that the Domain Name System (DNS) has assigned to the network operating in Virtual Networking Mode. Examples: Class A 10.255.255.253, Class B 172.31.255.253, Class C 192.168.255.253, CGNAT 100.127.255.253.
  • First IP Address: Starting IP address of the network; allows for /bits or a /subnet mask. Examples: Class A 10.0.0.1, Class B 172.16.0.1, Class C 192.168.0.1, CGNAT 100.64.0.1.
  • Last IP Address: Ending IP address of the network; allows for /bits or a /subnet mask. Examples: Class A 10.255.255.252, Class B 172.31.255.252, Class C 192.168.255.252, CGNAT 100.127.255.252.
  • Total Number of Resources Allowed in Range: Maximum number of resources that can be connected to for the selected network class IP address range; if the range is too small for the total number of resources, the Admin UI prompts you to change your networking settings to use a more appropriate network class. Examples: Class A 16,777,212, Class B 1,048,572, Class C 65,532, CGNAT 4,194,300.

How to configure network settings

To configure your network settings for Virtual Networking Mode, follow these steps.

  1. Log in to the Admin UI.
  2. Go to Settings > Networking.
  3. On the Networking page, select your preferred defaults based on network class. Select Class A, Class B, Class C, or CGNAT to populate Base IP Address and Subnet Mask with default values.
  4. Optionally edit Base IP Address. If changed, the IP address value must be in a valid range.
  5. Optionally edit Subnet Mask. The subnet mask must be in a valid format.
  6. Review the summary. The summary shows the VNM Device IP address, VNM DNS IP address, IP address range, and how many resources are allowed in that range, if you save your networking settings right now.
  7. Click Update to save your changes.

New resource settings

Admin UI resource configuration forms now include Connectivity Mode, IP Address, and DNS properties.

Connectivity Mode is required, and your selection causes the IP Address, Port Override, and/or DNS properties to appear. The Port Override property now can be edited directly on the form; before, it was read-only.

Figure: Resource Settings When Virtual Networking Mode Is Selected
Figure: Resource Settings When Loopback Mode Is Selected

  • Connectivity Mode (required): Select either Virtual Networking Mode, which lets users connect to the resource with a software-defined, IP-based network; or Loopback Mode, which allows users to connect to the resource using the local loopback adapter in their operating system.
  • IP Address (editable): If Virtual Networking Mode is the selected connectivity mode, an IP address value in the range 100.64.0.1 to 100.127.255.252 (default 100.64.100.100); optionally change the default value for Virtual Networking Mode to your preferred IP address value, as long as it’s a valid IP address defined by your organization settings; edit either on this form or later on the Admin UI’s Port Overrides page after the resource is created. If Loopback Mode is the selected connectivity mode, the IP address value must be 127.0.0.1.
  • Port Override (optional): If Virtual Networking Mode is the selected connectivity mode, a port value between 1 and 65535 that is not already in use by another resource; if Loopback Mode is the selected connectivity mode, a port value between 1024 and 64999 that is not already in use by another resource. When left empty, the system assigns the default port to this resource; the preferred port can also be modified later from the Admin UI’s Port Overrides page.
  • DNS (optional): If Virtual Networking Mode is the selected connectivity mode, a unique hostname alias for this resource; when set, causes the desktop app to display this resource’s human-readable DNS name (for example, k8s.my-organization-name) instead of the bind address that includes IP address and port (for example, 100.64.100.100:5432).

Activities

New activities that might be logged on the Admin UI Activities page include the following:

  • Organization resources allocated within VNM subnet
  • Organization VNM subnet updated

Desktop App

Every user who can access Virtual Networking Mode resources must have the StrongDM Virtual Network Adapter installed on their machine, in addition to the desktop app and/or CLI. The StrongDM Virtual Network Adapter is installed via the PKG installer on macOS and via the EXE installer on Windows.

StrongDM Virtual Network Adapter installation

Installation instructions for Linux, macOS, and Windows include information about how the StrongDM Virtual Network Adapter is installed.

Linux

Instructions for non-admin users

The Install StrongDM procedure remains the same from step 1 through step 8 and adds the following:

Depending on your organization’s network settings, you may need to install the StrongDM Virtual Network Adapter on your machine in order to connect to Virtual Networking Mode resources. Virtual Networking Mode is a mode of operation that enables the StrongDM client to connect to many resources concurrently using a software-defined, IP-based network. If your StrongDM admin has assigned you Virtual Networking Mode resources, follow these next steps.

  1. Install as sudo:

    sudo /Applications/SDM.app/Contents/Resources/sdm.linux listen --install
    
  2. When prompted, enter the password to your machine (not to StrongDM).

  3. Restart the StrongDM client.

Instructions for admins

If you are a StrongDM user with the Administrator permission level, follow these steps to install StrongDM and the StrongDM Virtual Network Adapter.

  1. Install as sudo:

    sudo /Applications/SDM.app/Contents/Resources/sdm.linux listen --install
    
  2. When prompted, enter the password to your machine (not to StrongDM).

  3. Restart the StrongDM service.

  4. Enable Virtual Networking Mode:

    sdm admin ports subnet 100.64.0.0/10
    

    That command sets the virtual network subnet from which resource IP addresses are allocated across your entire organization. If successful, the output provides device and network configuration settings similar to the following:

    Device Configuration:
    - VNM Device IP:       100.127.255.254
    - VNM Device Netmask:  255.192.0.0
    - VNM Virtual DNS:     100.127.255.253:53
    
    Network Configuration:
    - Subnet:               100.64.0.0/10
    - Subnet Broadcast IP:  100.127.255.255
    - First Available IP:   100.64.0.1
    - Last Available IP:    100.127.255.252
    - Total Available IPs:  4194300
    

macOS

The macOS Installation Guide remains the same. The StrongDM Virtual Network Adapter is installed on the user’s machine when the PKG installer is used.

Windows

For Windows clients, Virtual Networking Mode supports Windows 10/11 and corresponding Windows Server versions.

The Windows Installation Guide remains the same.

The StrongDM Virtual Network Adapter is installed on the user’s machine when the EXE (full version) is run as administrator. The adapter requires the Windows DirectAccess feature, which is not supported in the Home Edition of Windows.

Resource display

If configured to use Virtual Networking Mode, resources connect on knock—instead of clicking on a resource’s lightning icon to initiate a connection, the connection happens automatically when the user logs in to StrongDM. In addition, resources are displayed with either their bind address (for example, 100.64.100.100:12345) or a human-readable DNS name (for example, mysql01.my-organization-name), depending on how resources have been configured.

No limit to the number of resource connections

In addition, users can connect to all Virtual Networking Mode-enabled resources available to them without being limited by their operating system’s file descriptor limit.

CLI

Added sdm admin ports subnet

The sdm admin ports subnet command is used for defining the subnet for your organization. Setting the subnet defines the virtual network from which resource IP addresses are allocated across your entire organization. See the following help text for usage and options.

NAME:
   sdm admin ports subnet - define a subnet for the VNM devices. WARNING: Updating the organization's subnet will disconnect all sessions.

USAGE:
   sdm admin ports subnet [command options] <address/bits>

DESCRIPTION:
   
    This tool sets the VNM subnet for the organization. It must be within the scope of private IP classes (A, B, or C) and Shared IP Space (CGNAT).


OPTIONS:
   --dry            allows to see how the network will look like before applying the change
   --shuffle        reassigns an IP and port for all resources of the organization. It is a non-reversible operation.
   --clear          clears the organization's VNM subnet (this flag cannot be used with a subnet or --shuffle)
   --timeout value  set time limit for command

If successful, the output provides device and network configuration settings similar to the following:

Device Configuration:
- VNM Device IP:       100.127.255.254
- VNM Device Netmask:  255.192.0.0
- VNM Virtual DNS:     100.127.255.253:53

Network Configuration:
- Subnet:               100.64.0.0/10
- Subnet Broadcast IP:  100.127.255.255
- First Available IP:   100.64.0.1
- Last Available IP:    100.127.255.252
- Total Available IPs:  4194300
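The device and network values above, and the Summary fields on the Admin UI Networking page, follow from the chosen subnet alone. The following added Python example (not StrongDM's own code) derives them with the standard library's ipaddress module, assuming the layout the sample output shows (network and broadcast addresses unused, VNM Device IP at broadcast - 1, VNM DNS IP at broadcast - 2, usable resource range from network + 1 to broadcast - 3), and also checks a resource form's IP Address and Port Override values against the rules stated in the New resource settings section; the `in_use` set of (IP, port) pairs is an assumed representation of ports already taken by other resources.

```python
import ipaddress

# IP spaces the subnet must sit in: RFC 1918 classes A/B/C and the CGNAT shared space
ALLOWED_SPACES = [ipaddress.ip_network(s) for s in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def vnm_plan(subnet: str) -> dict:
    """Derive the device/network summary for an organization subnet.

    Layout assumed from the sample output: network and broadcast addresses
    are unusable, device IP = broadcast - 1, DNS IP = broadcast - 2, and
    resources get network + 1 .. broadcast - 3 (hence num_addresses - 4).
    """
    net = ipaddress.ip_network(subnet, strict=True)
    if not any(net.subnet_of(space) for space in ALLOWED_SPACES):
        raise ValueError(f"{net} is not within private classes A/B/C or CGNAT space")
    bcast = net.broadcast_address
    return {
        "device_ip": str(bcast - 1),
        "device_netmask": str(net.netmask),
        "dns_ip": str(bcast - 2),
        "first_ip": str(net.network_address + 1),
        "last_ip": str(bcast - 3),
        "total": net.num_addresses - 4,
    }


def validate_resource(plan: dict, mode: str, ip: str, port: int, in_use: set) -> list:
    """Check a resource form's IP Address / Port Override against the page's rules.

    `in_use` is an assumed set of (ip, port) pairs already taken by other
    resources. Returns a list of problems; an empty list means the values are OK.
    """
    problems = []
    addr = ipaddress.ip_address(ip)
    if mode == "vnm":
        first = ipaddress.ip_address(plan["first_ip"])
        last = ipaddress.ip_address(plan["last_ip"])
        if not first <= addr <= last:  # must fall in the organization's usable range
            problems.append(f"{ip} is outside the usable range {first}-{last}")
        if not 1 <= port <= 65535:
            problems.append(f"port {port} is not between 1 and 65535")
    elif mode == "loopback":
        if addr != ipaddress.ip_address("127.0.0.1"):
            problems.append("Loopback Mode requires the IP address 127.0.0.1")
        if not 1024 <= port <= 64999:
            problems.append(f"port {port} is not between 1024 and 64999")
    else:
        problems.append(f"unknown connectivity mode {mode!r}")
    if (ip, port) in in_use:
        problems.append(f"{ip}:{port} is already used by another resource")
    return problems
```

Running vnm_plan("100.64.0.0/10") reproduces the CGNAT values shown in the sample output, and the other three defaults reproduce the Class A, B, and C example columns of the Summary fields table.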

New command options

All CLI commands that interact with resources (for example, sdm admin datasources add <RESOURCE>) now include the following options:

  • --bind-interface
  • --subdomain
  • --port-override

Deprecated port field in sdm status output

The command sdm status -j now returns the address field instead of port. For example:

% sdm status -j
[
	{
		"address": "100.100.42.42:5432",
		"connected": true,
		"connection_status": "connected",
		"hostname": "example-host.example.sdm.network",
		"id": "rs-1234ab5678c91234",
		"message": "100.100.42.42:5432",
		"name": "Example Name",
		"tags": "env=example",
		"type": "postgres"
	}
	...      
]

How Do I Use Virtual Networking Mode?

Now that you’ve learned what Virtual Networking Mode is, you can use the following quick start guide to set up and use it.

Quick start for admins

  1. Configure your organization’s networking settings. Choose the network class that supports the number of resources you need.
  2. For new or existing resources that you want to operate in Virtual Networking Mode, set the Connectivity Mode to Virtual Networking Mode. Optionally add a port override and DNS. Repeat this step for every resource that you want to operate in Virtual Networking Mode.
  3. Download and install the appropriate StrongDM package for your operating system, or update the one you already have.

Now you and everyone in your organization can use StrongDM to connect to different resources.

Quick start for users

  1. Download and install the appropriate StrongDM package for your operating system, or update the one you already have.