To ensure data privacy and reliable access, it’s crucial to establish secure connections between networks and resources. However, with the countless connections we create, it becomes a hassle to maintain them.
Luckily, you can now optimize your VPN connections with IBM’s VPN offerings: Client-to-Site VPN and Site-to-Site VPN. While you can learn more about these offerings here, feel free to follow the instructions provided in this blog post to connect to your IBM Cloud and on-premises environments using a single Client-to-Site VPN connection.
The use case is depicted in Figure 1 below: end users connect to the VSIs in their IBM Cloud VPC and to the instances and databases in their on-premises environment using a single Client-to-Site VPN connection.
This optimized architecture requires that a Client-to-Site VPN server and a Site-to-Site VPN gateway first be deployed in your IBM Cloud account. You will also need the following:
- An IBM Cloud account with a VPC and at least one VSI deployed in the VPC to validate the VPN connection.
- The necessary IAM permissions, Security Groups and ACLs in place to create the VPN gateway(s) and other required resources.
- Peer device information from the on-premises location, along with the relevant subnet CIDR information.
- An OpenVPN client installed on your local laptop, which will be used to validate VPN connectivity.
Summary of the steps to set up the two VPNs in tandem
First, we’ll create a Site-to-Site VPN and then a Client-to-Site VPN. Once deployed, we’ll create routes and set up authentication and service-to-service authorization to connect the VPNs together. Finally, we’ll install OpenVPN on the laptop and validate connectivity to both IBM Cloud and the on-premises environment. We’ll go into each of these steps in more detail below.
Create the Site-to-Site VPN gateway
Before you begin this step, make sure you have the Peer Gateway and Preshared Key from your on-premises environment at hand along with any IKE and IPsec policies that you intend to use.
Log in to the IBM Cloud Catalog, search for “VPN” and select VPN for VPC. Choose Site-to-site gateways and select the location where you would like to deploy the gateway (along with all the required input parameters). You must choose the Route-based option for the VPN tunnel.
Click on the Create VPN gateway button on the right-hand side of the page. This creates the VPN connection to connect your IBM Cloud with your on-premises data center. Once the gateway is successfully created, it should show as active on the IBM Cloud portal. At this time, the connection is ready for the routes to be set up to route traffic from IBM Cloud to your on-premises environment.
For step-by-step guidance on creating a Site-to-Site VPN gateway, click here.
Create the Site-to-Site VPN routes
Now that the VPN connection is in place, we'll create VPN routes to define egress routes from the IBM Cloud VPC to your on-premises router. Navigate to the VPC Routing Tables, then create a new routing table or use an existing one for your VPN route. Input all the required fields. For example:
- Destination subnet: the CIDR of the on-premises network
- Next hop type: VPN connection
- VPN gateway: the VPN gateway that was just created
- VPN connection: the connection name that was provided while creating the VPN gateway
Detailed instructions on creating and managing routes can be found here.
Important: Once the routes are created, do not forget to attach the source subnet(s) in the VPC to the routing table.
You should now have a VPN connection with routing established between your IBM Cloud VPC and your on-premises environment. This flow is indicated in red in Figure 1 above.
Configure authorization and authentication
Before we create a Client-to-Site VPN connection, we must generate client and server certificates and store them in IBM Cloud Secrets Manager. Follow the steps here to generate certificates and import them into the Secrets Manager.
To enable the VPN to access the certificates from the Secrets Manager, a service-to-service authorization for the VPN Server and IBM Cloud Secrets Manager needs to be established as described here.
Create the Client-to-Site VPN server
Log in to the IBM Cloud Catalog, search for "VPN" and select VPN for VPC. Choose Client-to-site servers and select the location where you would like to deploy the server (along with all the required input parameters). For this article, we have chosen a standalone configuration. Choose a CIDR range for the Client IPv4 address pool; IPs are assigned to client connections from this range. Input all the mandatory fields in the Subnets section.
Next, configure Server and Client Authentication. Select the server and client certificates that were added to Secrets Manager in the previous steps of this article. For added security, you can optionally choose User ID and passcode. Finally, you must ensure that the Security Group rules are configured appropriately to allow VPN traffic into the subnet.
While the rest of the input parameters are optional in this form, choose the Full tunnel option to allow all traffic to flow through the VPN interface and into the VPN tunnel. Click on the Create VPN server button on the right-hand side of the page.
Create the Client-to-Site VPN routes
Once the connection shows as active on the portal, you must create two routes: one to allow end-user access to resources within the VPC and one to allow end-user access to the remote/on-premises network. Click here to learn how to create routes. This flow is indicated using the solid green and red dashed lines in the VPC in the above diagram.
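The Site-to-Site routing-table entry and the two Client-to-Site VPN server routes above only work if the three address ranges involved (the VPC subnet, the on-premises CIDR and the Client IPv4 address pool) do not overlap; an overlap sends some traffic down the wrong tunnel or keeps it on the client. The following planning helper is an added example, not IBM's code or API: it checks the address plan with the standard library and lists the route entries the two steps above ask for. The CIDRs, gateway name and connection name are constructed placeholders.

```python
import ipaddress
from typing import Dict, List

# Constructed sample address plan (assumed values, not taken from the post).
SAMPLE_PLAN = {
    "vpc_subnet": "10.240.0.0/24",    # VPC subnet that holds the VSIs
    "on_prem": "192.168.10.0/24",     # subnet behind the on-premises peer gateway
    "client_pool": "172.16.0.0/22",   # Client IPv4 address pool of the Client-to-Site server
}


def check_address_plan(cidrs: Dict[str, str]) -> List[str]:
    """Return a list of problems with the address plan; an empty list means it is consistent.

    Every CIDR must be a valid network address (no host bits set), and no two ranges
    may overlap, because each VPN route is a prefix match on the destination.
    """
    problems: List[str] = []
    nets = {}
    for name, cidr in cidrs.items():
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {cidr!r} is not a valid network CIDR ({exc})")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


def plan_routes(cidrs: Dict[str, str], s2s_gateway: str, s2s_connection: str) -> dict:
    """Return the route entries from the post, keyed by where they are entered.

    Raises ValueError when the address plan is inconsistent, so no routes are
    produced for ranges that cannot coexist.
    """
    problems = check_address_plan(cidrs)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        # VPC routing table: egress from the VPC subnets to on-premises via the Site-to-Site tunnel.
        "vpc_routing_table": [{
            "destination": cidrs["on_prem"],
            "next_hop_type": "VPN connection",
            "vpn_gateway": s2s_gateway,
            "vpn_connection": s2s_connection,
        }],
        # Client-to-Site VPN server routes: one for the VPC itself, one for the on-premises network.
        "vpn_server_routes": [
            {"destination": cidrs["vpc_subnet"], "purpose": "end-user access to VSIs in the VPC"},
            {"destination": cidrs["on_prem"], "purpose": "end-user access to on-premises instances and DBs"},
        ],
    }


if __name__ == "__main__":
    # Gateway and connection names are placeholders; use the names you chose in the portal.
    for table, entries in plan_routes(SAMPLE_PLAN, "vpn-gateway-placeholder", "on-prem-connection-placeholder").items():
        print(table)
        for entry in entries:
            print("   ", entry)
```

Run it before touching the portal: if `check_address_plan` reports an overlap, change the Client IPv4 address pool rather than the existing subnets, and remember that the Site-to-Site route is useless until the source subnets are attached to the routing table, as the note above says.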
Configure the client profiles
Lastly, download the client profile from your VPN server. On your VPN server in the IBM Cloud portal, navigate to the Clients tab and click on the Download client profile button. Append the Client certificate and Private Key to the Client Profile .ovpn file.
Detailed instructions to set up the client VPN environment to connect to a VPN server can be found here.
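OpenVPN reads an embedded client certificate and private key from `<cert>` and `<key>` sections in the .ovpn file, and once the key is embedded the profile is as sensitive as the key itself. The helper below is an added example (not IBM's code or the OpenVPN project's): it appends the two sections to a downloaded profile, refuses to double-embed, drops any file-based `cert`/`key` directives that would conflict with the inline sections, rejects a passphrase-protected key with a clear message, and writes the result owner-readable only. The profile, certificate and key contents are constructed stand-ins, not real credentials.

```python
import os
import re
from typing import List

# One PEM block; the END label must match the BEGIN label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

KEY_KINDS = ["PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"]

# Constructed sample inputs (placeholders, not real certificate or key material).
SAMPLE_PROFILE = """client
dev tun
proto udp
remote vpn-server.example.invalid 443
cert client.crt
key client.key
<ca>
-----BEGIN CERTIFICATE-----
Q0FQTEFDRUhPTERFUg==
-----END CERTIFICATE-----
</ca>
"""
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQ0xJRU5UQ0VSVFBMQUNFSE9MREVS\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nS0VZUExBQ0VIT0xERVI=\n-----END PRIVATE KEY-----\n"


def find_pem_blocks(text: str, kinds: List[str]) -> List[str]:
    """Return the PEM blocks in text whose label is in kinds, normalised to LF line endings."""
    return [m.group(0).replace("\r\n", "\n") for m in PEM_BLOCK.finditer(text) if m.group(1) in kinds]


def build_inline_profile(profile: str, cert_pem: str, key_pem: str) -> str:
    """Return the profile with the client certificate and key appended as inline sections."""
    if re.search(r"^<(cert|key)>", profile, re.M):
        raise ValueError("profile already carries inline <cert> or <key> sections")
    certs = find_pem_blocks(cert_pem, ["CERTIFICATE"])
    if len(certs) != 1:
        raise ValueError(f"expected exactly one client certificate, found {len(certs)}")
    keys = find_pem_blocks(key_pem, KEY_KINDS)
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    key = keys[0]
    if key.startswith("-----BEGIN ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in key:
        raise ValueError("private key is passphrase-protected; export an unencrypted key or expect a passphrase prompt")
    # Drop file-based 'cert <file>' / 'key <file>' directives: they conflict with the inline sections.
    lines = [ln for ln in profile.replace("\r\n", "\n").split("\n") if not re.match(r"^\s*(cert|key)\s+\S", ln)]
    body = "\n".join(lines).rstrip("\n")
    return f"{body}\n<cert>\n{certs[0]}\n</cert>\n<key>\n{key}\n</key>\n"


def write_profile(path: str, content: str) -> None:
    """Write the .ovpn with owner-only permissions, since it now embeds the private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, 0o600)  # also tighten a pre-existing file that os.open left unchanged


if __name__ == "__main__":
    # Usage with real files: read the downloaded profile and the certificate/key you generated,
    # then write the combined profile that the OpenVPN client imports.
    combined = build_inline_profile(SAMPLE_PROFILE, SAMPLE_CERT, SAMPLE_KEY)
    write_profile("client-inline-example.ovpn", combined)
    print(combined)
```

Only the client certificate goes into `<cert>`; the CA certificate already sits in the `<ca>` section of the downloaded profile, which is why the function insists on exactly one certificate block. Treat the resulting file like the key it contains and delete it when the laptop is decommissioned.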
Configure the OpenVPN client and validate connectivity
You will need a VPN client to access your IBM Cloud and on-premises environment. Depending on your local operating system, you can download and install an appropriate VPN client from here. Once installed, launch the OpenVPN client and connect to the OpenVPN profile that was configured in the previous steps to connect to the VPC.
This VPN connection allows users to connect to their VPC in IBM Cloud as well as their on-premises environment using IBM Cloud VPN offerings. You can validate successful client connections by navigating to the Clients tab on the VPN server in your IBM Cloud portal.
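The Clients tab confirms that the client is connected, but not that both legs of the path carry traffic. The following checker is an added example, not IBM's tooling: once the OpenVPN client is up, it attempts a TCP connection to a service port on a VSI in the VPC and on an on-premises host, so a failure on one leg points at that leg's routes. The hosts and ports are placeholders; the test below runs it against a local listener so it works offline.

```python
import socket
from typing import Dict, List, Tuple


def check_reachability(targets: List[Tuple[str, str, int]], timeout: float = 3.0) -> Dict[str, str]:
    """Attempt a TCP connect to each (label, host, port) and report the outcome per label.

    "ok" means the three-way handshake completed through the tunnel; "refused" means the
    host was reached but nothing listens on that port (routing works, service does not);
    "timeout" or an error string means packets did not come back, which usually points
    at a missing route or a Security Group / ACL rule on that leg.
    """
    results: Dict[str, str] = {}
    for label, host, port in targets:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[label] = "ok"
        except ConnectionRefusedError:
            results[label] = "refused"
        except socket.timeout:
            results[label] = "timeout"
        except OSError as exc:
            results[label] = f"error: {exc}"
    return results


def both_legs_up(results: Dict[str, str]) -> bool:
    """True when every target was at least reached (routing works on both legs)."""
    return all(v in ("ok", "refused") for v in results.values())


if __name__ == "__main__":
    # Placeholder targets (assumed values): a VSI in the VPC subnet and an on-premises database host.
    targets = [
        ("vpc-vsi-ssh", "10.240.0.10", 22),
        ("on-prem-db", "192.168.10.20", 5432),
    ]
    outcome = check_reachability(targets)
    for label, status in outcome.items():
        print(f"{label:12} {status}")
    print("both legs reachable:", both_legs_up(outcome))
```

A "timeout" on the on-premises target while the VPC target is "ok" means the client is connected but the Client-to-Site route for the on-premises CIDR, or the Site-to-Site route and its attached source subnets, still needs attention.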