Setting up OpenVPN to access the VSI
To set up VPN access to the VPC, use a dedicated VSI that you create and configure manually with an OpenVPN distribution.
If you are assigned the role of Security Focal for the VPC, complete the following steps:
Go to the IBM Cloud console.
Create a Linux VSI (x86, CentOS, or Ubuntu) to act as the VPN server. Provide only the SSH key of the VPC's Security Focal during creation. The Security Focal is responsible for all setup and maintenance of the VPN server, including adding access for new users.
Create an IBM Cloud security group with an inbound rule that allows OpenVPN access over UDP port 1194 and an outbound rule that allows all traffic to pass (Protocol: ALL, Destination type: Any). For more information about security groups, see About security groups.
SSH is needed to access the VPN server to configure it and to add new users. You can either add an inbound rule for port 22 to the new security group, or add a separate security group that allows only SSH access and enable or disable it as needed.
Assign the new security group to the VPN Server.
Assign a floating IP to the VPN Server.
When the VPN VSI is running, install and configure OpenVPN with the following steps:
Get the helper script by running the following commands on the VPN server:
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
Run the helper script:
./openvpn-install.sh
Accept the default settings for all configuration options except the following:
- For the IPv4 address of the network interface that OpenVPN listens on, specify the floating IP address that is assigned to the VPN server.
- For DNS, choose option 1 (Current system resolvers (from /etc/resolv.conf)).
Edit the /etc/openvpn/server.conf file to change the default configuration. Remove or comment out the lines that contain the existing push directives, for example, push "dhcp-option DNS ..." and push "redirect-gateway ...", then add the following directive to push the route to your network. Adjust the 10.242 prefix to match the network configuration of your VPC; for example, for the London region use 10.242.0.0, and for Tokyo replace that with the prefix of that region.
push "route 10.242.0.0 255.255.0.0"
Restart the OpenVPN service:
systemctl restart openvpn
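As an added example (not code from the IBM Cloud page or the openvpn-install project), a POSIX shell helper that applies the server.conf change described above and checks the result before the service is restarted; the function names, the sample configuration lines, and the default 255.255.0.0 mask are assumptions.

```shell
#!/bin/sh
# Added example, not code from the IBM Cloud page or the openvpn-install project.
# Assumed interface: patch_server_conf <server.conf> <vpc-prefix> [<mask>]
# The default mask 255.255.0.0 mirrors the page's "route 10.242.0.0 255.255.0.0".

# Comment out every existing push line that would override the client's DNS or
# hijack its default gateway, then push only the VPC route. Idempotent: a second
# run does not add a duplicate route line. A .bak copy of the file is kept.
patch_server_conf() {
    conf="$1"; prefix="$2"; mask="${3:-255.255.0.0}"
    sed -i.bak -E 's/^[[:space:]]*(push "(dhcp-option DNS|redirect-gateway)[^"]*")/# \1/' "$conf"
    if ! grep -qxF "push \"route $prefix $mask\"" "$conf"; then
        printf 'push "route %s %s"\n' "$prefix" "$mask" >> "$conf"
    fi
}

# Succeed (exit 0) only if no active DNS/redirect-gateway push remains and the
# expected VPC route is pushed; run this before "systemctl restart openvpn".
check_server_conf() {
    conf="$1"; prefix="$2"; mask="${3:-255.255.0.0}"
    if grep -qE '^[[:space:]]*push "(dhcp-option DNS|redirect-gateway)' "$conf"; then
        return 1
    fi
    grep -qxF "push \"route $prefix $mask\"" "$conf"
}

# Constructed sample of the relevant lines of a freshly generated server.conf.
make_sample_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
push "dhcp-option DNS 10.8.0.1"
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
EOF
}
```

A failing check means a client would still have its default gateway or DNS redirected through the VPN server, so fix the file before restarting the service.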
When the VPN server is configured and running, complete the following steps to generate a configuration for each user:
Run the openvpn-install.sh script, select Add a new user, and specify the username. Send the <client name>.ovpn file to the users so that they can import it into their OpenVPN client. The z/OS VSI is then accessible through its reserved (non-public) IP address.
Optionally, after the configuration of the VPN server is completed and all user configuration files are created, you can block port 22 (SSH) through the IBM Cloud Dashboard and leave only UDP port 1194 active. You can reopen port 22 temporarily when a new user configuration file needs to be generated.