August 31, 2023 By Vidhi Shah
Vinayak Harnoor
5 min read

To ensure data privacy and reliable access, it’s crucial to establish secure connections between networks and resources. However, with the countless connections we create, it becomes a hassle to maintain them.

Luckily, you can now optimize your VPN connections with IBM’s VPN offerings: Client-to-Site VPN and Site-to-Site VPN. While you can learn more about these offerings here, feel free to follow the instructions provided in this blog post to connect to your IBM Cloud and on-premises environments using a single Client-to-Site VPN connection.

The use case is visually depicted in Figure 1 below. End users connect to the VSIs in their IBM Cloud VPC and to the Instances and DBs in their on-premises environment using a single Client-to-Site VPN connection:

Figure 1

This optimized architecture requires that a Client-to-Site VPN server and a Site-to-Site VPN gateway first be deployed in your IBM Cloud account.

Prerequisites

  • An IBM Cloud account with a VPC and at least one VSI deployed in the VPC to validate the VPN connection.
  • Necessary IAM permissions, Security Groups and ACLs in place to create VPN gateway(s) and other required resources.
  • Peer device information from the on-premises location along with pertinent Subnet CIDR information.
  • OpenVPN client installed on your local laptop, which will be used to validate the VPN connectivity.

Summary of the steps to set up the two VPNs in tandem

First, we’ll create a Site-to-Site VPN and then a Client-to-Site VPN. Once deployed, we’ll create routes and set up authentication and service-to-service authorization to connect the VPNs together. Finally, we’ll install OpenVPN on the laptop and validate connectivity to both IBM Cloud and the on-premises environment. We’ll go into each of these steps in more detail below.

Create the Site-to-Site VPN gateway

Before you begin this step, make sure you have the Peer Gateway and Preshared Key from your on-premises environment at hand along with any IKE and IPsec policies that you intend to use.

Log in to the IBM Cloud Catalog, search for “VPN” and select VPN for VPC. Choose Site-to-site gateways and select the location where you would like to deploy the gateway (along with all the required input parameters). You must choose the Route-based option for the VPN tunnel.

Click on the Create VPN gateway button on the right-hand side of the page. This creates the VPN connection to connect your IBM Cloud with your on-premises data center. Once the gateway is successfully created, it should show as active on the IBM Cloud portal. At this time, the connection is ready for the routes to be set up to route traffic from IBM Cloud to your on-premises environment.

For step-by-step guidance on creating a Site-to-Site VPN gateway, click here.

Create the Site-to-Site VPN routes

Now that the VPN connection is in place, we’ll create VPN routes to define egress routes from IBM Cloud VPC to your on-premises router. Navigate to the VPC Routing Tables to create a new Routing Table or use an existing one to create your VPN route. Input all the required fields. For example:

  • Destination subnet: CIDR from on-premises
  • Action: Deliver
  • Next hop type: VPN connection
  • VPN gateway: The VPN gateway that was just created
  • VPN connection: Connection name that was provided while creating the VPN gateway

Detailed instructions on creating and managing routes can be found here.

Important: Once the routes are created, do not forget to attach the source subnet(s) in the VPC to the routing table.

You should now have a VPN connection with routing established between your IBM Cloud VPC and your on-premises environment. This flow is indicated in red in Figure 1 above.

Configure authorization and authentication

Before we create a Client-to-Site VPN connection, we must generate client and server certificates and store them in IBM Cloud Secrets Manager. Follow the steps here to generate certificates and import them into the Secrets Manager.

To enable the VPN to access the certificates from the Secrets Manager, a service-to-service authorization for the VPN Server and IBM Cloud Secrets Manager needs to be established as described here.

Create the Client-to-Site VPN server

Log in to the IBM Cloud Catalog, search for “VPN” and select VPN for VPC. Choose Client-to-site servers and select the location where you would like to deploy the server (along with all the required input parameters). For this article, we have chosen a standalone configuration. Choose a CIDR range for the Client IPv4 address pool; each connecting client is assigned an IP from this range. Input all the mandatory fields in the Subnets section.

Next, configure the Server and Client Authentications. Select Server and Client Certificates that were added to Secrets Manager from the previous steps in this article. For added security, you can optionally choose User ID and passcode. Finally, you must ensure that the Security Group rules are configured appropriately to allow VPN traffic into the subnet.

While the rest of the input parameters are optional in this form, choose the Full tunnel option to allow all traffic to flow through the VPN interface and into the VPN tunnel. Click on the Create VPN server button on the right-hand side of the page.

Create the Client-to-Site VPN routes

Once the connection shows active on the Portal, you must create two routes—one to allow end-user access to resources within the VPC and one to allow end-user access to the remote/on-premises network. Click here to learn how to create routes. This flow is indicated using solid green and red dashed lines in the VPC in the above diagram.
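Before creating the two Client-to-Site routes, it is worth checking that the client IPv4 address pool chosen for the server does not overlap either destination, since a client whose address falls inside a destination prefix has no usable return path. The helper below is an added example (not IBM's tooling) that runs that check over constructed CIDRs and derives the two route destinations; the "deliver" action is assumed to be the default.

```python
import ipaddress

def plan_client_vpn_routes(client_pool, vpc_cidrs, onprem_cidrs):
    """Validate the Client-to-Site address plan and derive its two routes.

    client_pool:  CIDR handed out to connecting OpenVPN clients.
    vpc_cidrs:    address prefixes of the VPC hosting the VPN server.
    onprem_cidrs: subnets reachable through the Site-to-Site tunnel.
    Raises ValueError on any overlap; otherwise returns the destinations
    for the VPC route and the on-premises route described in the article.
    """
    pool = ipaddress.ip_network(client_pool, strict=True)
    vpc = [ipaddress.ip_network(c, strict=True) for c in vpc_cidrs]
    onprem = [ipaddress.ip_network(c, strict=True) for c in onprem_cidrs]

    # The client pool must be disjoint from every destination it will reach.
    for net in vpc + onprem:
        if pool.overlaps(net):
            raise ValueError(f"client pool {pool} overlaps destination {net}")
    # The VPC and on-premises prefixes must also be disjoint, or the
    # Site-to-Site route in the VPC routing table becomes ambiguous.
    for v in vpc:
        for o in onprem:
            if v.overlaps(o):
                raise ValueError(f"VPC prefix {v} overlaps on-premises {o}")

    # "deliver" is assumed here as the route action, mirroring the
    # Site-to-Site route created earlier in the article.
    return {
        "vpc_routes": [{"destination": str(n), "action": "deliver"} for n in vpc],
        "onprem_routes": [{"destination": str(n), "action": "deliver"} for n in onprem],
    }

if __name__ == "__main__":
    # Constructed sample CIDRs, not taken from any real deployment.
    print(plan_client_vpn_routes("192.168.8.0/22", ["10.240.0.0/18"], ["172.16.0.0/16"]))
```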

Configure the client profiles

Lastly, download the client profile from your VPN server. On your VPN server in the IBM Cloud portal, navigate to the Clients tab and click on the Download client profile button. Append the Client certificate and Private Key to the Client Profile .ovpn file.

Detailed instructions to set up the client VPN environment to connect to a VPN server can be found here.
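The following added example (not IBM's code) shows one way to do the append step above: it embeds the client certificate and private key as inline <cert> and <key> blocks in the downloaded .ovpn profile, refuses to double-embed or to mix inline and file-based credentials, and writes the result readable only by its owner because the file now holds a private key. The profile and PEM strings are constructed placeholders.

```python
import os
import re

# Constructed minimal OpenVPN client profile standing in for the file
# downloaded from the VPN server's Clients tab (not IBM's actual template).
SAMPLE_PROFILE = """client
dev tun
proto udp
remote vpn-server.example.invalid 443
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
</ca>
"""
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIC...constructed client cert placeholder...\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...constructed private key placeholder...\n-----END PRIVATE KEY-----\n"

def embed_client_credentials(profile: str, cert_pem: str, key_pem: str) -> str:
    """Return the profile with cert_pem in <cert> and key_pem in <key> blocks."""
    if "<cert>" in profile or "<key>" in profile:
        raise ValueError("profile already carries inline client credentials")
    # A 'cert <file>' or 'key <file>' directive would conflict with inline blocks.
    if re.search(r"^(cert|key)\s+\S", profile, re.M):
        raise ValueError("profile references external cert/key files; remove those lines first")
    if "BEGIN CERTIFICATE" not in cert_pem:
        raise ValueError("client certificate is not PEM")
    if "PRIVATE KEY" not in key_pem:
        raise ValueError("private key is not PEM")
    body = profile if profile.endswith("\n") else profile + "\n"
    return body + f"<cert>\n{cert_pem.strip()}\n</cert>\n<key>\n{key_pem.strip()}\n</key>\n"

def inline_blocks(profile: str) -> set:
    """Names of inline blocks (<ca>, <cert>, <key>, ...) present, checking balance."""
    opened = set(re.findall(r"^<([a-z-]+)>$", profile, re.M))
    closed = set(re.findall(r"^</([a-z-]+)>$", profile, re.M))
    if opened != closed:
        raise ValueError(f"unbalanced inline blocks: {opened ^ closed}")
    return opened

def write_profile(path: str, content: str) -> None:
    """Write the .ovpn as owner read/write only: it now contains the private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)

if __name__ == "__main__":
    merged = embed_client_credentials(SAMPLE_PROFILE, SAMPLE_CERT, SAMPLE_KEY)
    print(sorted(inline_blocks(merged)))
```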

Configure the OpenVPN client and validate connectivity

You will need a VPN client to access your IBM Cloud and on-premises environment. Depending on your local operating system, you can download and install an appropriate VPN client from here. Once installed, launch the OpenVPN client and connect to the OpenVPN profile that was configured in the previous steps to connect to the VPC.

Figure 2

This VPN connection allows users to connect to their VPC in IBM Cloud as well as their on-premises environment using IBM Cloud VPN offerings. You can validate successful client connections by navigating to the Clients tab on the VPN server in your IBM Cloud portal.
