Who wants to manage their own VPN stack when you can easily provision a fully managed client-to-site VPN?

This post is a follow-up to a post I wrote two years ago called “Access Virtual Servers in a Virtual Private Cloud with OpenVPN.” At that time, I was going through the installation and configuration of OpenVPN to access your VPC resources. Since then, a new, fully managed option is available with Client VPN for VPC that removes the need to install and maintain your own OpenVPN server.

Client VPN for VPC provides client-to-site connectivity, which allows remote devices to securely connect to the VPC network using an OpenVPN software client. This solution is useful for telecommuters who want to connect to the IBM Cloud from a remote location—such as a home office—while still maintaining secure connectivity.

In this post, I will use Terraform to provision, configure and deploy a Client VPN for VPC. Source code and instructions on how to deploy a fully functional example of this architecture can be found in GitHub. I’ll provide a high-level description of the steps; every step uses Terraform to ease the provisioning and the configuration:

The architecture depicted above involves the following:

  • IBM Cloud Secrets Manager is used to keep the server and client certificates used by Client VPN for VPC.

  • Client VPN for VPC pulls the certificates from Secrets Manager during its initialization.

  • The user establishes a connection to Client VPN for VPC. The computer obtains an IP address in the VPN IP pool.

  • From there, the user can connect to VSI in VPC or in Classic—provided the right routing configuration has been defined in Client VPN for VPC.

Step 1: Prepare the Client VPN for VPC configuration

The first step is to create the server and client certificates that will be used by Client VPN for VPC. You will find the full instructions in the product documentation. It involves the following:

  • Generate server and client certificates.
  • Store the certificates as secrets in Secrets Manager.
  • Authorize Client VPN for VPC to access these secrets through an IAM authorization.

This is done in Terraform in these two files—generate.tf and secrets.tf:
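Here is what the certificate part of that step can look like, as an added example that is not the project's generate.tf: it uses the HashiCorp tls provider to build a CA, a server certificate restricted to server_auth and a client certificate restricted to client_auth, so neither one can be presented in the other's role. Names, key sizes and validity periods are assumptions.

```hcl
# Added example (not the post's generate.tf); names and validities are assumptions.
resource "tls_private_key" "ca" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "tls_self_signed_cert" "ca" {
  private_key_pem       = tls_private_key.ca.private_key_pem
  is_ca_certificate     = true
  validity_period_hours = 24 * 365
  allowed_uses          = ["cert_signing", "crl_signing"]
  subject { common_name = "vpn-demo-ca" }
}

# Server certificate: server_auth only, signed by the CA above.
resource "tls_private_key" "server" {
  algorithm = "RSA"
  rsa_bits  = 2048
}

resource "tls_cert_request" "server" {
  private_key_pem = tls_private_key.server.private_key_pem
  subject { common_name = "vpn-demo-server" }
}

resource "tls_locally_signed_cert" "server" {
  cert_request_pem      = tls_cert_request.server.cert_request_pem
  ca_private_key_pem    = tls_private_key.ca.private_key_pem
  ca_cert_pem           = tls_self_signed_cert.ca.cert_pem
  validity_period_hours = 24 * 90
  allowed_uses          = ["key_encipherment", "digital_signature", "server_auth"]
}

# Client certificate: client_auth only and short-lived; one per user is the norm.
resource "tls_private_key" "client" {
  algorithm = "RSA"
  rsa_bits  = 2048
}

resource "tls_cert_request" "client" {
  private_key_pem = tls_private_key.client.private_key_pem
  subject { common_name = "vpn-demo-client-1" }
}

resource "tls_locally_signed_cert" "client" {
  cert_request_pem      = tls_cert_request.client.cert_request_pem
  ca_private_key_pem    = tls_private_key.ca.private_key_pem
  ca_cert_pem           = tls_self_signed_cert.ca.cert_pem
  validity_period_hours = 24 * 30
  allowed_uses          = ["digital_signature", "client_auth"]
}
```

Because the CA private key ends up in the Terraform state, treat that state as a secret (remote backend, encrypted, access-controlled).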

Step 2: Provision Client VPN for VPC

With the certificates created, we can provision the Client VPN for VPC. It needs, at minimum, one VPC and one subnet. Client VPN for VPC supports a standalone mode (good for testing) and a high availability deployment. We will use the standalone deployment to test the capability:

  • The VPC and subnet are created in vpc.tf. They are created with a set of default security group rules to allow SSH, DNS and to reach private endpoints.
  • The Client VPN for VPC is created in vpn.tf. It includes a security group to enable SSH connectivity between the hosts connecting to the VPN and the hosts in the cloud. Once provisioned, the VPN is available with a public domain name and uses UDP as transport on port 443.
  • An OpenVPN configuration file is generated as part of the Terraform provisioning. It can be used with the OpenVPN client to establish the connection with the Client VPN for VPC server:
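An added example of the Secrets Manager, IAM and VPN server pieces (not the project's secrets.tf or vpn.tf). It assumes tls resources named ca, server and client from a certificate setup, variables secrets_manager_guid and region, and an existing ibm_is_subnet.vpn and ibm_is_security_group.vpn; attribute names are those of the IBM Cloud Terraform provider as I know them, and the Classic CIDR and the route action semantics are assumptions to verify against the provider and product docs.

```hcl
# Added example, not the post's secrets.tf/vpn.tf; see lead-in for assumptions.
resource "ibm_sm_imported_certificate" "server" {
  instance_id  = var.secrets_manager_guid
  region       = var.region
  name         = "vpn-demo-server"
  certificate  = tls_locally_signed_cert.server.cert_pem
  intermediate = tls_self_signed_cert.ca.cert_pem
  private_key  = tls_private_key.server.private_key_pem
}
# Client CA only: the server checks client certs against it, so client
# private keys never leave the users' machines.
resource "ibm_sm_imported_certificate" "client_ca" {
  instance_id = var.secrets_manager_guid
  region      = var.region
  name        = "vpn-demo-client-ca"
  certificate = tls_self_signed_cert.ca.cert_pem
}
# Least privilege: VPN servers get SecretsReader on this one instance only.
resource "ibm_iam_authorization_policy" "vpn_to_sm" {
  source_service_name         = "is"
  source_resource_type        = "vpn-server"
  target_service_name         = "secrets-manager"
  target_resource_instance_id = var.secrets_manager_guid
  roles                       = ["SecretsReader"]
}
resource "ibm_is_vpn_server" "demo" {
  depends_on      = [ibm_iam_authorization_policy.vpn_to_sm]
  name            = "vpn-demo"
  certificate_crn = ibm_sm_imported_certificate.server.crn
  client_authentication {
    method        = "certificate"
    client_ca_crn = ibm_sm_imported_certificate.client_ca.crn
  }
  client_ip_pool         = "172.16.0.0/22" # must not overlap VPC or Classic CIDRs
  client_idle_timeout    = 600
  enable_split_tunneling = true # only routed destinations enter the tunnel
  port                   = 443
  protocol               = "udp"
  subnets                = [ibm_is_subnet.vpn.id]
  security_groups        = [ibm_is_security_group.vpn.id]
}
# Classic is reached through Transit Gateway: "translate" source-NATs client
# traffic to the VPN server's subnet address; VPC subnets use "deliver" (assumed).
resource "ibm_is_vpn_server_route" "classic" {
  vpn_server  = ibm_is_vpn_server.demo.vpn_server
  name        = "to-classic"
  destination = "10.0.0.0/8"
  action      = "translate"
}
```

Without the authorization policy the server fails at initialization when it pulls the certificates, so the depends_on keeps the apply order honest.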

Step 3: Test connectivity with other virtual server instances in VPC and Classic

At that stage, you can already test basic connectivity to cloud service endpoints. To take it further, we can provision one virtual server instance in VPC and one in Classic—connected through Transit Gateway—to complete our connectivity tests:

In the above picture, we have the following:

  1. OpenVPN connected to IBM Cloud through Client VPN for VPC.
  2. A ping to the Watson Speech to Text cloud service endpoint.
  3. A secure connection to a VSI in Classic Infrastructure over the private network.
  4. A secure connection to a VSI in VPC over the private network.

All done!

Feedback, questions and suggestions

Go ahead and try the sample on your own from the GitHub source. Although the project creates its own VPC, it can be used as a starting point to deploy OpenVPN in your existing VPCs.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@L2FProd).

