Virtual Private Networks (VPN)

About VPN

VPN (Virtual Private Network) is a tool to create a secured network connection over unsecured channel (internet). Using provided VPN functionality, you can make an encrypted channel between the two different cloud deployments, or between cloud and on-prem deployment, so that, for example, machines in one project can see machines in another project, and vice versa, while securing the traffic between the two projects.

VPN is delivered in form of a marketplace application (appliance), using IPsec solution called strongswan. The appliance includes UI front-end for basic strongswan configuration, and sets up proper routing to ensure traffic is properly routed between two sites. Once deployed, the appliance will build and maintain active connection with a remote side configured, so clients on both private network segments can communicate to each other.

The VPN appliance also supports connecting to another deployment of the same appliance, working in a different cloud or a different project (as an alternative to connecting to a third-party VPN gateway). That way you can easily interconnect private networks of two different projects, even when they are running in different data centers.

Note that while you manually create the same configuration (deploying and configuring instance with strongswan, assigning floating IP to that instance, configuring routes on the router, etc), the appliance allows you to make this configuration much easier and repeatable.

Setting-Up VPN

In order to set up a new VPN connection, do the following:

In the left part of the screen, to the "Networking" section and click "VPN". When the application description window will show up, click "Launch now" button to continue.

Enter the following parameters:

  • Instance name. If you use multiple appliances in a single project, make sure each one uses a unique name for each appliance.
  • Key pair to install into the created appliance (same as you'd do for a regular instance).
  • Floating IP. Select the IP from the list of available floating IPs; if you don't yet have one, go back to the "Floating IPs" section to allocate one.
  • Router to teach about your new routes to the remote network, and the Subnet for the appliance to connect and get a fixed IP from. Note that the network of the subnet selected must be connected to the router, as the router should be able to redirect VPN traffic to the appliance IP address (which will be connected to the network of the chosen subnet).
  • Instance flavor. For testing, you can use smallest flavor available; later you can adjust flavor depending on connection requirements (number of active connections, amount of traffic, used encryption, etc).
  • Right IP address and Right subnet. This is the other side of the VPN channel we build - the IP address of the appliance on the other side to connect to, and CIDR of the remote private network, to set up proper routing. In a scenario where you would like to connect two cloud accounts, you would use floating IP and subnet of second appliance as Right IP and Right Subnet of the first one.
  • Key Exchange protocol version, IKE encryption, and ESP (Encapsulating Security Payload) settings define IPsec configuration, matching the other side configuration (like /etc/ipsec.conf file, or Cisco appliance configuration). When you build a VPN connection between two clouds, you can leave these settings unchanged on both sides.
  • Secret key used to authenticate between two sides - make sure the key matches on both sides.

Once completed, click "Launch now" button. It will take several minutes for the appliance to deploy, configure and connect. After application status becomes "Created successfully", you can verify connection by logging in into an instance connected to the router specified above, and try pinging hosts on the other side.

As a debugging/troubleshooting measure, you can also log in into the appliance directly using the key pair specified, and check connection to the remote side from there.

Establishing site-to-site VPN connection between two VPN appliances

The VPN appliance can also connect to an identical appliance (with different configuration), in order to create site-to-site VPN connection between two projects (running in the same or different clouds).

In this case, use the following configuration:

  • The Floating IP of one site becomes "Right IP address" of the other side, and vice versa. To know the IP in advance for creating Site A appliance, you can preallocate the IP in Site B, note it, then use on Site A as "Right IP address". The Floating IP that Site A gets becomes the "Right IP address for the Site B.
  • Similarly, the subnet of Site A becomes the "Right subnet" of Site B and vice versa. This is how both sides will know how to route traffic to each other.
  • Key Exchange protocol version, IKE encryption, and ESP (Encapsulating Security Payload) settings define IPsec configuration, and Secret key used to authenticate between two sides - make sure these fields are identical on both sides.

Once you create VPN appliances on both sides, the connection will be established within few minutes. To verify that connection is active, ping an instance of Site A from Site B (or vice versa). Make sure the security groups and operating system firewall (if exist) are configured to let the ping to pass through. To troubleshoot, you can use network path tools like traceroute, tracert, tracepath.