IBM Cloud Docs

Connect to a VPC landing zone by using a client-to-site VPN

This tutorial dives into the fastest option to get up and running with a client VPN for VPC connectivity. Rather than doing manual steps, you set up an automated way to create a client-to-site VPN connection to one or more landing zones in your account by using the Cloud automation for Client to Site VPN deployable architecture from the Community registry.

Objectives

  • Create a client-to-site VPN connection between the private VPC network and clients by using the Cloud automation for Client to Site VPN deployable architecture from the Community registry.

Problem

Let's say that you deployed the Red Hat OpenShift Container Platform on VPC landing zone deployable architecture. In the IBM Cloud console, you can see that the cluster is created and working correctly. When you try to access the Red Hat OpenShift web console on the management cluster, you see an error.

You cannot access the Red Hat OpenShift console because the cluster is accessible only on the management VPC’s private network, which is locked down and not accessible from the internet.

You might also have connectivity issues to the VPC's private networks if you deploy the VPC landing zone, VSI on VPC landing zone, or the Red Hat OpenShift Container Platform on VPC landing zone deployable architecture.

For example, you ping the network but it times out:

ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
ping: sendto: Host is down
Request timeout for icmp_seq 0
ping: sendto: Host is down
Request timeout for icmp_seq 1
ping: sendto: Host is down
Request timeout for icmp_seq 2
ping: sendto: Host is down
Request timeout for icmp_seq 3
^C
--- 10.0.0.1 ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss

How can you securely access that private network to complete operations on resources within these VPCs?

Solution

Establish secure connections to a private VPC network:

  • Client-to-site VPN server and VPN Client - Configure a VPN client application on your device to create a secure connection to your VPC network that uses IBM Cloud VPN for VPC. The IBM Cloud VPN server service has high availability mode for production use and is managed by IBM.

Deploying Cloud automation for Client to Site VPN with projects

  1. From the Community registry, search for Cloud automation for Client to Site VPN.
  2. You can choose between two different variations:
    • quickstart: Designed for quick testing and seamless access to a private VPC network via a VPN client. The VPN is fully open: the ACL rules and security groups grant unrestricted access and allow all incoming requests from any source.
    • standard: A fully customizable solution. By default, all incoming requests to private VPC networks are denied and must be authorized by configuring ACL rules and security groups. The VPN server is deployed in two separate VPC subnets, ensuring high availability.
  3. Add it to an existing project or create a project.
  4. Customize Cloud automation for Client to Site VPN by selecting optional add-on components as needed:
    • Red Hat OpenShift Container Platform on VPC landing zone
    • VSI on VPC landing zone
    • VPC landing zone
    • Cloud automation for Secrets Manager
  5. Complete the next steps depending on how you plan to use the deployable architecture:
    • Configure it in your project and deploy
    • You can stack deployable architectures together in a project to create a robust end-to-end solution architecture. You don't need to code Terraform to connect the member deployable architectures within the stack. As you configure input values in a member deployable architecture, you can reference inputs or outputs from another member to link the deployable architectures together. After you deploy the deployable architectures in your stack, you can add the stack to a private catalog to easily share it with others in your organization.

A deployable architecture is infrastructure as code (IaC) that's designed for easy deployment, scalability, and modularity. In this case, the deployable architecture represents a repeatable way to create client-to-site VPN connections for more than one landing zone in your org. It also simplifies how others in your company can set up more VPN connections for their landing zones.

Configure the OpenVPN client

After the VPN server cloud resources are deployed, set up the OpenVPN client on devices that will access your landing zone.

  1. Download the OpenVPN profile from the VPN server

    • By using the IBM Cloud console:

      1. Click the Navigation menu icon, and then click Infrastructure > VPNs in the Network section to open the VPNs for VPC page.
      2. Click the Client-to-site servers tab, and select the client-to-site VPN server that you created.
      3. Click the Clients tab. Then, click Download client profile.

      Or

    • By using the IBM Cloud CLI:

      ibmcloud is vpn-server-client-configuration VPN_SERVER --file client2site-vpn.ovpn

      Look for the VPN_SERVER ID in the output of the Terraform apply from the validation step. If you don't find it there, follow the previous steps to download the profile and look in the <vpn_server>.ovpn file.

  2. Set up the client:

    You can follow the steps in Setting up a VPN client.

    1. Download and install the OpenVPN client application from https://openvpn.net.
    2. Open the OpenVPN client application, and import the client2site-vpn.ovpn file.
    3. Enter one of the IBM Cloud email addresses that was configured to access the VPN as the user ID.
  3. Go to https://iam.cloud.ibm.com/identity/passcode in your browser to generate a passcode. Copy the passcode.

  4. Return to the OpenVPN client application and paste the one-time passcode. Then, import the client2site-vpn.ovpn certificate file.

Using client certificates rather than one-time passcodes

If you want to configure client certificates on the VPN rather than using a one-time passcode, follow the instructions in the Managing VPN server and client certificates section of the client-to-site documentation.

Test access to the Red Hat OpenShift web console

If your landing zone includes a Red Hat OpenShift cluster, you can now test that you have access to the web console.

  1. Open https://{DomainName}/kubernetes/clusters in your browser.
  2. Select the cluster details for the management cluster in your landing zone.
  3. Click OpenShift Web Console in the upper right to access your Red Hat OpenShift web console.
  4. Repeat steps (2) and (3) to test connectivity to the landing zone’s workload cluster.

Test your VPN connection

On the device that has the OpenVPN client, ping an address in the 10.* range of your management VPC's private network.

ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: icmp_seq=0 ttl=64 time=19.920 ms
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=19.301 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=14.490 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=20.896 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=13.938 ms
^C
--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 13.938/17.709/20.896/2.904 ms

If you see no timeouts or other errors, your local workstation has connectivity to the VPC’s private network.

Solving connectivity issues

In the following error, OpenVPN has an active connection, but can't reach a server on your private VPN subnet. Check the local network that your device connects through. Some newer routers allocate IP addresses in the 10.* range rather than 192.168.*, so traffic for VPC addresses is sent to your local network instead of through the tunnel.

error: dial tcp: lookup YOUR_SERVER_URL on 10.0.0.1:53:
read udp 10.0.0.2:0->10.0.0.1:53:
i/o timeout- verify you have provided the correct host and port and that the server is currently running.
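One way to confirm that overlap from the client side, as an added example that is not from the original page: parse the device's `ip route` table, longest-prefix match each VPC address against it, and report any target that a non-tunnel route would capture. The route lines, the tunnel interface name tun0, and the VPC subnet 10.10.10.0/24 are constructed for the example; 10.0.0.1 is the resolver address from the error above.

```python
import ipaddress
import re

# Constructed sample of `ip route` output from a laptop whose home router hands
# out 10.0.0.0/24 (not from the original page). tun0 is the OpenVPN tunnel.
SAMPLE_ROUTES = """\
default via 10.0.0.1 dev wlan0 proto dhcp metric 600
10.0.0.0/24 dev wlan0 proto kernel scope link src 10.0.0.42 metric 600
10.0.0.0/8 via 192.168.255.1 dev tun0
192.168.255.0/24 dev tun0 proto kernel scope link src 192.168.255.2
"""

# Matches "<prefix or default> [via <gateway>] dev <interface> ..." lines.
ROUTE_RE = re.compile(r"^(default|\S+)\s+(?:via\s+\S+\s+)?dev\s+(\S+)")


def parse_routes(text):
    """Return (network, interface) pairs; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        prefix = "0.0.0.0/0" if m.group(1) == "default" else m.group(1)
        routes.append((ipaddress.ip_network(prefix, strict=False), m.group(2)))
    return routes


def find_shadowed(route_text, vpc_targets, vpn_dev="tun0"):
    """Longest-prefix match each VPC target (host or CIDR) against the local
    table and report targets that a non-VPN route would capture."""
    routes = parse_routes(route_text)
    shadowed = []
    for target in vpc_targets:
        net = ipaddress.ip_network(target, strict=False)  # bare host -> /32
        matches = [(r, dev) for r, dev in routes if r.overlaps(net)]
        if not matches:
            continue
        best, dev = max(matches, key=lambda rd: rd[0].prefixlen)
        if dev != vpn_dev:
            shadowed.append((target, str(best), dev))
    return shadowed


if __name__ == "__main__":
    # 10.0.0.1 is the VPC-side resolver from the error; 10.10.10.0/24 is an assumed VPC subnet.
    for target, route, dev in find_shadowed(SAMPLE_ROUTES, ["10.0.0.1", "10.10.10.0/24"]):
        print(f"{target} is routed via {route} on {dev}, not through the VPN tunnel")
```

On a real device, replace SAMPLE_ROUTES with the output of `ip route` (Linux) and the targets with the subnets and DNS server addresses from your landing zone's Terraform outputs.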

Summary

Automating the creation of client-to-site VPN connections to your secure landing zones is straightforward when you use the capabilities of deployable architectures on IBM Cloud.