Setting up OpenVPN to access the VSI
To set up a VPN for VPC service, configure the VPN by using a dedicated VSI that you create and configure manually with an OpenVPN distribution.
If you are assigned the role of Security Focal for the VPC, complete the following steps:
- Go to the IBM Cloud console.
- Create a Linux VSI (x86, CentOS, or Ubuntu) to act as the VPN server. Provide only the SSH key of the VPC's Security Focal during creation. The Security Focal is responsible for all setup and maintenance of the VPN server, including adding new user access.
- Create an IBM Cloud security group with an inbound rule that allows OpenVPN access over the UDP protocol on port 1194, and an outbound rule that allows all traffic to pass (Protocol: ALL, Destination type: Any). For more information about security groups, see About security groups.
- SSH is needed to access the VPN server to configure it and to add new users. You can either add TCP port 22 to the new security group, or add a separate security group that allows only SSH access and enable and disable it as needed.
- Assign the new security group to the VPN server.
- Assign a floating IP to the VPN server.
When the VPN VSI is running, install and configure OpenVPN with the following steps:
- Get the helper script by running the following commands on the VPN server:
    curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
    chmod +x openvpn-install.sh
- Run the helper script:
    ./openvpn-install.sh
  Accept the default settings for all configuration options except the following:
  - For the IPv4 address of the network interface that you want OpenVPN to listen on, specify the floating IP address that is assigned to the VPN server.
  - For DNS, choose option 1 (Current system resolvers (from /etc/resolv.conf)).
- Edit the /etc/openvpn/server.conf file to change the default configuration. Remove or comment out the lines that contain the existing push directives, for example, push "dhcp-option DNS ..." and push "redirect-gateway ...", so that clients tunnel only traffic for the VPC network rather than all of their traffic. Then add the following directive to push the route to your network. Adjust the 10.242 prefix to match the network configuration of your VPC: for example, for the London region use 10.242.0.0, and for Tokyo use 10.244.0.0.
    push "route 10.242.0.0 255.255.0.0"
- Restart the OpenVPN service:
    systemctl restart openvpn
When the VPN server is configured and running, complete the following steps to generate a configuration for each user:
- Run the openvpn-install.sh script again, select Add a new user, and specify the username in client name.
- Distribute the <client name>.ovpn file to the users so that they can import this file into their OpenVPN client. The z/OS VSI is then accessible through its reserved (non-public) IP address, for example, 10.244.64.5.
- Optionally, after the configuration of the VPN server is completed and all user configuration files are created, you can block port 22 (SSH) through the IBM Cloud dashboard and leave only UDP port 1194 active. You can reopen port 22 temporarily when a new user configuration file needs to be generated.