
Setting up OpenVPN to access the VSI

To set up VPN access to the VPC, create a dedicated VSI and configure it manually with an OpenVPN distribution.

If you are assigned the role of Security Focal for the VPC, complete the following steps:

  1. Go to the IBM Cloud console.

  2. Create a Linux VSI (x86, CentOS, or Ubuntu) to act as the VPN server. During creation, provide only the SSH key of the VPC's Security Focal. The Security Focal is responsible for all setup and maintenance of the VPN server, including adding access for new users.

  3. Create an IBM Cloud Security Group with an Inbound rule that allows OpenVPN access over UDP port 1194 and an Outbound rule that allows all traffic to pass (Protocol: ALL, Destination type: Any). For more information about security groups, see About security groups.

  4. SSH access to the VPN server is needed to configure it and to add new users. Either add TCP port 22 to the new security group, or create a separate security group that allows only SSH access and enable and disable it as needed.

  5. Assign the new security group to the VPN Server.

  6. Assign a floating IP to the VPN Server.

When the VPN VSI is running, install and configure OpenVPN with the following steps:

  1. Get the helper script by running the following commands on the VPN server:

    curl -O
    chmod +x
  2. Run the helper script:

     Accept the default settings for all configuration options except the following:

     - For the IPv4 address of the network interface you want OpenVPN to listen on, specify the floating IP address that is assigned to the VPN server.
     - For DNS, choose option 1 (Current system resolvers (from /etc/resolv.conf)).

  3. Edit the /etc/openvpn/server.conf configuration file to change the default configuration. Remove or comment out the lines that contain the existing push directives, for example, push "dhcp-option DNS ..." and push "redirect-gateway ...", then add the following directive to push the route to your network. Adjust the 10.242 to match the network configuration of your VPC. For example, for the London region, use example; for Tokyo, replace that with

    push "route"
  4. Restart the OpenVPN service:

    systemctl restart openvpn
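The server.conf edit in steps 3 and 4 is easy to get subtly wrong by hand (a push "redirect-gateway" left active sends all client traffic through the VSI, and a duplicate route line is harmless but untidy). The following POSIX shell script is an added example, not part of the IBM page or of the OpenVPN helper script, that performs the edit repeatably: it comments out the DNS and redirect-gateway push directives and appends exactly one push "route" for the VPC network. The network and netmask values are placeholders (the page only states that the prefix starts with 10.242 and differs per region), and the sample server.conf it builds is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the IBM page or the OpenVPN helper script:
# rewrites an OpenVPN server.conf the way the step above describes.
# The route network and netmask are PLACEHOLDERS; adjust them to your VPC.

# Comment out the existing DNS / redirect-gateway push directives and append
# one "push route" for the VPC network. Safe to run more than once.
# Usage: harden_server_conf <server.conf> <network> <netmask>
harden_server_conf() {
    conf="$1"
    net="${2:-10.242.0.0}"      # PLACEHOLDER: your VPC network
    mask="${3:-255.255.0.0}"    # PLACEHOLDER: its netmask

    # Keep one backup of the untouched file.
    [ -f "$conf.bak" ] || cp "$conf" "$conf.bak"

    # Prefix the unwanted push lines with "# " (portable: no sed -i).
    sed -e 's/^[[:space:]]*push "dhcp-option DNS/# &/' \
        -e 's/^[[:space:]]*push "redirect-gateway/# &/' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"

    # Append the VPC route only if it is not already present.
    grep -q "^push \"route $net $mask\"" "$conf" || \
        printf 'push "route %s %s"\n' "$net" "$mask" >> "$conf"
}

# Number of push directives still active (not commented out).
active_push_count() {
    grep -c '^[[:space:]]*push ' "$1" || true
}

# Constructed sample resembling what the helper script writes; the DNS
# address and client subnet are made up for this example.
make_sample_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 1.1.1.1"
keepalive 10 120
EOF
}
```

On the VPN server you would call `harden_server_conf /etc/openvpn/server.conf <network> <netmask>` with your VPC's values and then restart the service as in step 4; `active_push_count` is a quick way to confirm that only the route push remains active before you restart.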

When the VPN server is configured and running, complete the following steps to generate a configuration for each user:

  1. Run the helper script again, select Add a new user, and specify the username as the client name.

  2. Distribute the <client name>.ovpn file to the users so that they can import this file into their OpenVPN client. The z/OS VSI is then accessible through its reserved (non-public) IP address, for example,

  3. Optionally, after the VPN server is configured and all user configuration files are created, block port 22 (SSH) through the IBM Cloud Dashboard and leave only UDP port 1194 open. Reopen port 22 temporarily whenever a new user configuration file needs to be generated.
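Before a <client name>.ovpn file is handed to a user, it is worth confirming that it points at the VPN server's floating IP on UDP 1194 and is self-contained (inline ca, cert, key and tls-crypt blocks rather than references to files on disk), so a mis-targeted or incomplete profile is caught by the Security Focal rather than by the user. The POSIX shell script below is an added example, not part of the IBM page or of the helper script; it assumes the helper script emits tls-crypt (not tls-auth) inline, the floating IP 203.0.113.10 is a constructed value, and the certificate bodies in the sample profile are placeholders.

```shell
#!/bin/sh
# Added example, not from the IBM page or the helper script: sanity-checks a
# generated <client name>.ovpn before it is distributed. The floating IP used
# in the sample is a constructed value; the certificate bodies are placeholders.

# Usage: check_client_profile <file.ovpn> <floating-ip>
# Prints one line per problem; exit status 0 means the profile passed.
check_client_profile() {
    ovpn="$1"
    ip="$2"
    rc=0

    # The client must connect to the VPN server's floating IP on UDP 1194.
    grep -q "^remote $ip 1194\$" "$ovpn" || { echo "remote line does not target $ip:1194"; rc=1; }
    grep -q '^proto udp$' "$ovpn"        || { echo "proto is not udp"; rc=1; }

    # Inline blocks expected in the profile (assumption: helper script uses
    # tls-crypt); each must be opened and closed.
    for blk in ca cert key tls-crypt; do
        grep -q "^<$blk>\$" "$ovpn" && grep -q "^</$blk>\$" "$ovpn" \
            || { echo "missing inline <$blk> block"; rc=1; }
    done

    # A profile that references credential files on disk is not self-contained.
    grep -Eq '^(ca|cert|key|tls-crypt|tls-auth) ' "$ovpn" \
        && { echo "profile references external credential files"; rc=1; }

    return $rc
}

# Constructed sample profile with placeholder certificate bodies.
make_sample_profile() {
    cat > "$1" <<'EOF'
client
proto udp
explicit-exit-notify
remote 203.0.113.10 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
cipher AES-128-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF
}
```

Run `check_client_profile alice.ovpn <floating-ip>` for each generated file; a non-zero exit with the printed reasons tells you which profiles to regenerate before distribution.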