Wednesday, April 24, 2024

On-premises network and IBM Cloud VPC via oneVPN

Secure connections between networks and resources are essential for data privacy and trustworthy access. But as the number of connections we create grows, keeping track of all of them becomes difficult.

Fortunately, IBM’s VPN services, Client-to-Site VPN and Site-to-Site VPN, allow you to immediately optimize your VPN connections. To connect to your IBM Cloud and on-premises environments via a single Client-to-Site VPN connection, feel free to follow the procedures provided in this blog article. You can read more about these offerings here.

Figure 1 below shows a graphic representation of the use case. A single Client-to-Site VPN connection is used by end users to access to both the VSIs in their IBM Cloud VPC and the instances and databases in their on-premises environment:

[Figure 1: a single Client-to-Site VPN connection reaching both the VSIs in the IBM Cloud VPC and the on-premises instances and databases. Image credit to IBM]

For this design, your IBM Cloud account must first deploy a Client-to-Site VPN server and a Site-to-Site VPN gateway. Before you begin, make sure you have:

  • An IBM Cloud account with a VPC and at least one VSI to verify VPN connections.
  • The IAM permissions, Security Groups, and ACLs needed to create VPN gateways and other resources.
  • The on-premises peer device details and subnet CIDR data.
  • The OpenVPN client on your local laptop, used to verify VPN connectivity.

Steps to set up both VPNs simultaneously

Create a Site-to-Site VPN first, then a Client-to-Site VPN. To connect VPNs, we’ll construct routes, authentication, and service-to-service authorisation after deployment. Finally, we’ll install OpenVPN on the laptop and test IBM Cloud and on-premises connectivity. Each step will be explained below.

Create the Site-to-Site VPN gateway

Before starting this phase, gather your on-premises Peer Gateway, Preshared Key, and IKE and IPsec policies.

Log in to IBM Cloud Catalog, search “VPN” and pick VPC VPN. Choose Site-to-site gateways and enter the gateway’s deployment location and other information. Choose route-based for the VPN tunnel.

Click the right-hand Create VPN gateway button. This connects your IBM Cloud to your on-premises data center via VPN. The IBM Cloud portal should show the gateway as active after creation. Right now, the connection is ready to transport IBM Cloud traffic to your on-premises system.

Create Site-to-Site VPN routes

Once the gateway is up, we’ll create VPN routes that connect the IBM Cloud VPC to your on-premises router. Create the VPN route in a new or existing table under VPC Routing Tables and fill in all required fields. As an example:

  • Destination subnet: the on-premises CIDR
  • Action: Deliver
  • Next hop type: VPN connection
  • VPN gateway: the newly created VPN gateway
  • VPN connection: the connection name supplied when creating the VPN gateway

Here are detailed instructions for designing and managing routes.

Important: After creating routes, attach VPC source subnets to the routing table.

You should now have a VPN with routing between your IBM Cloud VPC and on-premises environment. Figure 1 shows this flow in red.

Set up authentication and authorization

Before creating a Client-to-Site VPN, we must generate and store client and server certificates in IBM Cloud Secrets Manager. Generate and import certificates into Secrets Manager using these methods.

Establishing a service-to-service permission for the VPN Server and IBM Cloud Secrets Manager allows the VPN to access Secrets Manager certificates.

Client-to-Site VPN server creation

Open the IBM Cloud Catalog, search “VPN”, and pick VPC VPN. Choose Client-to-site servers, then select the gateway deployment location and fill in the remaining input parameters. This article uses a stand-alone configuration. Select a CIDR range for the Client IPv4 address pool, from which IPs are assigned to client connections. Under Subnets, fill out all required fields.

Configure Server and Client Authentications next. Select Server and Client Certificates from Secrets Manager from earlier procedures. Choose User ID and passcode for further security. Finally, configure Security Group rules to enable VPN traffic into the network.

To allow all traffic across the VPN interface and into the VPN tunnel, select Full tunnel in this form. The rest of the input options are optional. Click the right-hand Create VPN server button.

Create Client-to-Site VPN routes

Once the connection is operational on the Portal, you must construct two routes: one for VPC resources and one for remote/on-premises network access. Click here for route creation instructions. In the VPC diagram above, solid green and red dashed lines represent this flow.
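The Site-to-Site route above and the two Client-to-Site routes here only work if the client address pool, the VPC subnets and the on-premises CIDR do not overlap; an overlap is the most common reason one side of the tunnel is unreachable. The script below is an added illustration written for this article, not IBM’s code or CLI. It checks the address plan for overlaps, builds the Site-to-Site routing-table entry exactly as the bullet list describes it, and derives the two destinations the Client-to-Site server needs. All CIDRs and the connection name are constructed sample values.

```python
"""Address-plan check and route entries for the combined Client-to-Site plus
Site-to-Site VPN design. Added illustration written for this article, not
IBM's code or CLI; every CIDR and name below is a constructed sample value."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample addressing (assumptions, replace with your own values):
VPC_SUBNETS = ["10.240.0.0/24", "10.240.1.0/24"]  # VPC subnets attached to the routing table
ON_PREM_CIDR = "192.168.10.0/24"                   # network behind the on-premises peer gateway
CLIENT_POOL = "172.16.0.0/22"                      # Client IPv4 address pool on the VPN server
VPN_CONNECTION = "onprem-connection"               # connection name given when creating the S2S gateway


def find_overlaps(cidrs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of labelled CIDRs that overlap.

    The client pool, the VPC subnets and the on-premises range must be
    disjoint: an overlap makes the routes below ambiguous, and the usual
    symptom is that one side of the tunnel is silently unreachable."""
    nets = {label: ipaddress.ip_network(c, strict=True) for label, c in cidrs.items()}
    labels = list(nets)
    return [(a, b) for i, a in enumerate(labels) for b in labels[i + 1:]
            if nets[a].overlaps(nets[b])]


def check_addressing(vpc_subnets: List[str], on_prem: str, client_pool: str) -> List[Tuple[str, str]]:
    """Label the three kinds of range and report overlapping pairs."""
    labelled = {"client_pool": client_pool, "on_prem": on_prem}
    labelled.update({f"vpc:{s}": s for s in vpc_subnets})
    return find_overlaps(labelled)


def covering_supernet(cidrs: List[str]) -> str:
    """Smallest single prefix that contains all of the given CIDRs."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return str(net)


def site_to_site_route(on_prem: str, vpn_connection: str) -> dict:
    """The VPC routing-table entry listed in the article: deliver traffic
    for the on-premises CIDR to the Site-to-Site VPN connection."""
    return {"destination": on_prem, "action": "deliver",
            "next_hop_type": "vpn_connection", "next_hop": vpn_connection}


def client_to_site_routes(vpc_subnets: List[str], on_prem: str) -> List[dict]:
    """The two routes the Client-to-Site server needs: one covering the VPC
    resources and one for the on-premises network reached via the S2S tunnel."""
    return [{"destination": covering_supernet(vpc_subnets), "purpose": "VPC resources"},
            {"destination": on_prem, "purpose": "on-premises via Site-to-Site VPN"}]


if __name__ == "__main__":
    problems = check_addressing(VPC_SUBNETS, ON_PREM_CIDR, CLIENT_POOL)
    if problems:
        raise SystemExit(f"overlapping address ranges: {problems}")
    print(site_to_site_route(ON_PREM_CIDR, VPN_CONNECTION))
    for route in client_to_site_routes(VPC_SUBNETS, ON_PREM_CIDR):
        print(route)
```

Run it before clicking through the portal: if `check_addressing` reports a pair, change the client pool CIDR rather than the routes, since the pool is the one range you choose freely when creating the VPN server.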

Configure client profiles

Finally, download the VPN server client profile. Click Download client profile on the Clients tab of your IBM Cloud VPN server. Add Client certificate and Private Key to Client Profile.ovpn.

This article describes how to configure the client VPN environment to connect to a VPN server.
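Adding the client certificate and private key to the downloaded profile means the .ovpn file now carries a private key, so it should be assembled carefully and stored with owner-only permissions. The script below is an added illustration, not IBM’s code: it appends the inline `<cert>` and `<key>` sections OpenVPN expects, refuses input that is not a PEM block or a profile that already carries credentials, and writes the result with mode 0600. The profile text and the PEM blocks are constructed placeholders standing in for the real download and the files issued to the client.

```python
"""Add the client certificate and private key inline to the downloaded
'Client Profile.ovpn'. Added illustration, not IBM's code; the profile text and
PEM blocks below are constructed stand-ins, not real credentials."""
import os
import re
import tempfile
from typing import Optional

# Constructed stand-in for the downloaded profile (assumption: the real file
# carries the server address and the CA block; 'auth-user-pass' appears when
# user ID and passcode authentication is enabled).
SAMPLE_PROFILE = """client
dev tun
proto udp
remote vpn-server.example.invalid 443
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""

# Constructed placeholders for the certificate and key issued to the client.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CLIENT-CERT\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-CLIENT-KEY\n-----END PRIVATE KEY-----\n"

# One complete PEM block: matching BEGIN/END labels, nothing before or after.
PEM_RE = re.compile(r"\A-----BEGIN ([A-Z ]+)-----\n[\s\S]+?\n-----END \1-----\n?\Z")


def pem_label(block: str) -> Optional[str]:
    """Label of a single PEM block ('CERTIFICATE', 'PRIVATE KEY', ...), or None."""
    m = PEM_RE.match(block)
    return m.group(1) if m else None


def add_client_credentials(profile: str, cert_pem: str, key_pem: str) -> str:
    """Append <cert> and <key> sections, refusing malformed input or a profile
    that already carries inline client credentials."""
    if "<cert>" in profile or "<key>" in profile:
        raise ValueError("profile already contains inline client credentials")
    if pem_label(cert_pem) != "CERTIFICATE":
        raise ValueError("client certificate is not a PEM CERTIFICATE block")
    key_label = pem_label(key_pem)
    if key_label is None or not key_label.endswith("PRIVATE KEY"):
        raise ValueError("client key is not a PEM private key block")
    body = profile if profile.endswith("\n") else profile + "\n"
    return (body + "<cert>\n" + cert_pem.strip() + "\n</cert>\n"
            + "<key>\n" + key_pem.strip() + "\n</key>\n")


def credentials_rejected(profile: str, cert_pem: str, key_pem: str) -> bool:
    """True when add_client_credentials refuses the input."""
    try:
        add_client_credentials(profile, cert_pem, key_pem)
    except ValueError:
        return True
    return False


def write_profile(path: str, text: str) -> bool:
    """Write the profile owner-read/write only: it now embeds a private key.
    Returns True when the file ends up with no group/other permission bits
    (always True on non-POSIX systems, where the mode bits are not meaningful)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # the file may have pre-existed with wider permissions
    if os.name != "posix":
        return True
    return (os.stat(path).st_mode & 0o077) == 0


def demo() -> bool:
    """Build the profile from the sample data, write it to a temp dir, and
    report whether it was stored with restrictive permissions."""
    text = add_client_credentials(SAMPLE_PROFILE, SAMPLE_CERT, SAMPLE_KEY)
    with tempfile.TemporaryDirectory() as d:
        return write_profile(os.path.join(d, "Client Profile.ovpn"), text)


if __name__ == "__main__":
    print(add_client_credentials(SAMPLE_PROFILE, SAMPLE_CERT, SAMPLE_KEY))
    print("stored with owner-only permissions:", demo())
```

Replace the placeholder constants with the text of the downloaded profile and the certificate and key files from Secrets Manager; the `<ca>` block already in the download is left untouched.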

Config OpenVPN client and test connectivity

A VPN client is needed to access IBM Cloud and on-premises environments. Here you can download and install a VPN client for your operating system. Install OpenVPN and open the client to connect to the VPC using the profile established in the previous steps.

[Figure: OpenVPN Connect client with the imported profile. Image credit to IBM]

This VPN connection lets users connect to their IBM Cloud VPC and on-premises environment via IBM Cloud VPN. Visit the Clients tab on the VPN server in your IBM Cloud interface to verify client connections.

Agarapu Ramesh is the founder of Govindhtech and a computer hardware enthusiast. He is interested in writing tech news articles. He has worked as an editor at Govindhtech for one year and previously as a computer assembling technician at G Traders in India from 2018. He holds an MSc.
