How to set up a virtual private network connection between an IBM Cloud VPC VPN and a strongSwan VPN running on your home network.
As an increasing number of enterprise workloads are moving to public cloud providers like IBM, and with cyber attacks on the rise, security becomes front and center. With IBM Cloud, you can create Kubernetes clusters in a virtual private cloud (VPC) that let your enterprise establish its own private cloud-like computing environment on public cloud infrastructure. A VPC gives an enterprise the ability to define and control a virtual network that is logically isolated from all other public cloud tenants, creating a private and secure place on the public cloud.
After you have a secure environment for your workloads, performing any operations or checks on your Kubernetes cluster or resources becomes cumbersome because the cluster is on a private network and not accessible from the outside world. As many people continue to work from home, you might wonder how you can access these private resources in the VPC from your home network. We will describe how to set up a virtual private network (VPN) connection between an IBM Cloud VPC VPN and a strongSwan VPN that runs on your home network.
Note that this blog outlines just one way of setting up a site-to-site IPsec VPN to access resources in IBM Cloud VPC infrastructure from your home network. It is not intended to be an exhaustive discussion of how to set up this kind of connection or all of the various configuration options of IPsec and strongSwan.
We will be setting up a VPN connection from your home network to IBM Cloud VPC infrastructure by using two VPN services: strongSwan VPN for your home network, and the IBM Cloud VPC VPN service for the VPC network that contains your cluster. In our example, we have a single VPC with VPC resources in three different availability zones. For security purposes, the public IP addresses are obfuscated using .x.y.z. Your IP addresses will be different, so adjust the IP address values accordingly:
Note: StrongSwan uses the terms left and right to indicate the two sides of the tunnel. In this document, the left side is the home network and the right side is the IBM Cloud network.
IBM Cloud VPC network (the right side)
- IBM Cloud VPC
- VPC subnets
- A Kubernetes or OpenShift cluster in the VPC
- Your home network CIDR, which you typically find in the configuration settings of your home router
Create a VPC VPN and the VPN connection
To get started, create a VPN gateway for VPC:
- Enter a name for your VPN.
- Select your resource group.
- Select the region that your VPC is in.
- Select your VPC.
- Select the subnet where the worker nodes in your cluster are. (Note: Currently, these instructions are for a single zone only.)
- For mode, select Policy-Based.
- Give the connection a name, such as home.
- In the peer gateway address field, enter the public IP address of your home network. You can usually find this in the network settings of your home router.
- In the pre-shared key field, enter any string of the appropriate size. Just remember what you enter here because you will need it later on.
- In the local subnets field, enter the IP address range of your VPC subnet and the Cloud Service Endpoint subnet constant value of 126.96.36.199/14, separated by a comma.
- Example: 10.241.128.0/18,188.8.131.52/14
- Note that even though you previously selected the subnet on this form, that subnet information is not carried through to the connection, so you have to enter it again in this field.
- In the Peer subnets field, enter your home network CIDR. For example, 192.168.1.0/24.
- Click the Create VPN Gateway button to create the VPN and the VPN connection. Note that the VPN connection will show as down until the Home network side is configured.
- After the VPN Gateway is created, make a note of the public VPN gateway IP address.
Repeat these steps to set up at least one VPN gateway and connection for each zone and associated VPC subnet that your cluster is in.
Update the VPC security group
Verify your VPC security group allows the traffic that you want. For example, in order to access Kubernetes or OpenShift clusters in IBM Cloud, make sure TCP ports 30000-32767 are open for inbound traffic:
Home network (the left side)
Before you begin, you will need access to your home router.
- Typically, in a home network, machines are assigned IP addresses via DHCP by the router. However, we don't want the machine running the VPN's IP address to change because that IP address is part of the configuration. I used the home router settings to give the machine a static IP address of 192.168.1.2.
- Obtain the WAN IP address of your home router. This IP address can usually be found in the WAN section of the router settings. This IP address is typically assigned dynamically by your internet service provider. (See Notes section at the end.)
There are two ways to set up your home side
- Run the VPN gateway on your laptop or computer.
- Set up the VPN gateway on another machine on your home network and route through that machine from your laptop or computer.
These instructions were tested using both a MacBook Pro (Catalina) and a Raspberry Pi Model 4b (Raspbian GNU/Linux 10 (buster)) as the VPN gateway. However, any fairly modern Linux machine should work.
Setting up the VPN gateway
- On the machine that you want to use for the VPN, install strongSwan. In the command line, you can run the following command.
sudo apt-get install strongswan
brew install strongswan
- Add the VPC connections to the IPsec configuration file, located at
/usr/local/etc/ipsec.conf). The following example shows a connection to three VPC subnets (each subnet has its own VPC VPN). Depending on your VPC environment, you might have only one VPC subnet or more than three. Remember, left fields mean the home network, and right fields mean the VPC network:
- Edit the
/usr/local/etc/ipsec.secrets) to add the VPC VPN pre-shared key for each tunnel. The format is
leftsideid rightsideid : PSK "your secret key". For example:
- Enable IP forwarding on your VPN machine:
- Uncomment or add:
sysctl -pto reload the sysctl settings
sudo sysctl -w net.inet.ip.forwarding=1)
- Establish the VPN connection:
sudo ipsec start
- Check the VPN connection by running
sudo ipsec status. The output looks similar to the following:
- If you don't see a tunnel for all your connections, check the log files located in /var/log/syslog. On MacOS, follow these instructions to enable logging.
- If you need to make changes to any config files, run
sudo ipsec restart.
- Important note: Since we are using "auto=route" configuration, the VPN tunnel is not established until traffic flows to resources on the VPN subnet. Therefore, the the VPN connection on the IBM Cloud side continues to show "down" and the ipsec status on the home VPN shows "none" for Security Associations.
- Verify the connection:
- Ping one of your worker node's private IP address from the VPN machine or the subnet router. For example, 10.241.128.1:
- If you now run
sudo ipsec statusagain, you see that the Security Association is created for that tunnel, and the IBM Cloud VPN connection shows an "up" status.
Option "b" setup: Routing from your laptop via a VPN Gateway
If you set up your home network VPN gateway on a machine other than your laptop, you can route from your laptop via the VPN.
Set up the routing table on your laptop or computer to route the network traffic which is destined to the VPC resources through the VPN gateway machine:
- Add the following routes to your computer. In our example, the VPN gateway machine has the IP address of 192.168.1.2. For each VPC subnet, add a route:
- Add a route to the cloud service's private endpoint subnet:
sudo route -n add -net 184.108.40.206/14 192.168.1.2
- Verify you can ping your VPC subnets and cluster from your computer.
You should now be able to access your Kubernetes or OpenShift clusters over their private service endpoints and other VPC resources that you might have from your computer on your home network.
Security does not have to come at the cost of compromising access to your private resources. In this blog, we talked about one of the ways to get access to your private clusters in IBM VPC. The approach described in this blog works with clusters created using IBM Cloud Kubernetes Service as well as the Red Hat OpenShift on IBM Cloud service in VPC.
Stay tuned for a follow on blog about how this setup can be extended to allow multi-user access.
Note: Most home networks use dynamic public IP addresses, and, therefore, the public IP address can change over time. If your VPN suddenly stops working, this is likely the cause. You will have to update the IPsec configuration and the VPN connections in your VPC with the new IP address.