IBM Cloud Docs

Configuring security groups and ACLs for use with a VPN server

Security groups and access control lists (ACLs) can be configured on the subnet where the VPN server is deployed, as well as on the other VPC subnets that communicate with VPN clients over the tunnel.

If you configure security groups and ACLs on the VPN server's subnet, make sure that the following rules are in place to allow VPN tunnel traffic. Security groups are stateful, so reply traffic for an allowed connection is permitted automatically; network ACLs are stateless, which is why each ACL table below pairs an inbound rule with a matching outbound rule. For more information, see About security groups and Setting up network ACLs.

If you don't specify a security group when you provision the VPN server, the default security group of the VPC is attached to it. You can attach other security groups to the VPN server after provisioning. Review the rules of the default security group before relying on it, because they are not tailored to the VPN server.

Rules for VPN protocol traffic

VPN servers can run on TCP or UDP. You specify the protocol and port when you provision the VPN server, and you must open that same protocol and port in both the security group rules and the ACL.

Table 1. Security group rules for a VPN server
Direction  Protocol             Source/Destination type  Source/Destination value  Port
inbound    VPN server protocol  CIDR block               0.0.0.0/0                 VPN server port
outbound   VPN server protocol  CIDR block               0.0.0.0/0                 VPN server port

Table 2. ACL rules for a VPN server
Direction  Protocol             Source IP          Source port      Destination IP     Destination port
inbound    VPN server protocol  Any                Any              VPN server subnet  VPN server port
outbound   VPN server protocol  VPN server subnet  VPN server port  Any                Any

For example, the VPN server runs on UDP port 443 by default, so for the default settings you configure the security group and ACL rules as follows:

Table 3. Security group rules for a VPN server with the default protocol and port
Direction  Protocol  Source/Destination type  Source/Destination value  Port
inbound    UDP       CIDR block               0.0.0.0/0                 443
outbound   UDP       CIDR block               0.0.0.0/0                 443

Table 4. ACL rules for a VPN server with the default protocol and port
Direction  Protocol  Source IP          Source port  Destination IP     Destination port
inbound    UDP       Any                Any          VPN server subnet  443
outbound   UDP       VPN server subnet  443          Any                Any

Rules for VPN traffic with deliver route action

When a client is connected to the VPN server, the VPN server drops all traffic from that client by default. To allow the traffic, you must configure a VPN route on the VPN server. The route action is either deliver or translate.

  • When the action is deliver, the packet is forwarded unchanged after it is decrypted from the tunnel, so its source IP is the VPN client IP, which is allocated from the client IP pool.
  • When the action is translate, the source IP of the packet is rewritten to the VPN server's private IP after it is decrypted from the tunnel, and the packet is then sent on.

The action therefore determines which CIDR you specify when you create the security group and ACL rules: the client IP pool for deliver, the VPN server's subnet for translate. The following tables use protocol ALL and port Any, which is the widest rule set that makes the route work; once connectivity is confirmed, narrow them to the protocols and ports that clients actually need on the destination.

Table 5. Security group rules for a VPN deliver route on the VPN server
Direction  Protocol  Source/Destination type  Source/Destination value    Port
inbound    ALL       CIDR block               VPN route destination CIDR  Any
outbound   ALL       CIDR block               VPN route destination CIDR  Any

Table 6. ACL rules for a VPN deliver route on the VPN server subnet
Direction  Protocol  Source IP                   Source port  Destination IP              Destination port
inbound    ALL       VPN route destination CIDR  Any          VPN server client IP pool   Any
outbound   ALL       VPN server client IP pool   Any          VPN route destination CIDR  Any

At the same time, you must configure the security group of the VPC virtual server instance (VSI) that clients connect to, and the ACL of its subnet, to allow traffic from the VPN client IP pool:

Table 7. Security group rules for a VPN deliver route on the VPC VSI
Direction  Protocol  Source/Destination type  Source/Destination value   Port
inbound    ALL       CIDR block               VPN server client IP pool  Any
outbound   ALL       CIDR block               VPN server client IP pool  Any

Table 8. ACL rules for a VPN deliver route on the VPC VSI subnet
Direction  Protocol  Source IP                   Source port  Destination IP              Destination port
inbound    ALL       VPN server client IP pool   Any          VPN route destination CIDR  Any
outbound   ALL       VPN route destination CIDR  Any          VPN server client IP pool   Any

For example, if you use 172.16.0.0/20 as the client IP pool when you provision the VPN server, and you want to reach the resources of subnet 10.240.128.0/24 from the VPN client, create a VPN route with destination 10.240.128.0/24 and action deliver, and configure the security group and ACL rules as follows:

Table 9. Security group rules for a VPN deliver route on the VPN server
Direction  Protocol  Source/Destination type  Source/Destination value  Port
inbound    ALL       CIDR block               10.240.128.0/24           Any
outbound   ALL       CIDR block               10.240.128.0/24           Any

Table 10. ACL rules for a VPN deliver route on the VPN server subnet
Direction  Protocol  Source IP        Source port  Destination IP   Destination port
inbound    ALL       10.240.128.0/24  Any          172.16.0.0/20    Any
outbound   ALL       172.16.0.0/20    Any          10.240.128.0/24  Any

Table 11. Security group rules for a VPN deliver route on the VPC VSI
Direction  Protocol  Source/Destination type  Source/Destination value  Port
inbound    ALL       CIDR block               172.16.0.0/20             Any
outbound   ALL       CIDR block               172.16.0.0/20             Any

Table 12. ACL rules for a VPN deliver route on the VPC VSI subnet
Direction  Protocol  Source IP        Source port  Destination IP   Destination port
inbound    ALL       172.16.0.0/20    Any          10.240.128.0/24  Any
outbound   ALL       10.240.128.0/24  Any          172.16.0.0/20    Any

Rules for VPN traffic with translate route action

The rules for a VPN translate route are almost the same as for a deliver route. The only difference is that the source IP of the packet is translated to the VPN server's private IP, so in the rules you must use the VPN server's subnet CIDR instead of the client IP pool.

If you select multiple subnets when you provision the VPN server, you must include every one of those subnets in the security group and ACL rules, because the translated source address can belong to any of them.

Table 13. Security group rules for a VPN translate route on the VPN server
Direction  Protocol  Source/Destination type  Source/Destination value    Port
inbound    ALL       CIDR block               VPN route destination CIDR  Any
outbound   ALL       CIDR block               VPN route destination CIDR  Any

Table 14. ACL rules for a VPN translate route on the VPN server subnet
Direction  Protocol  Source IP                   Source port  Destination IP              Destination port
inbound    ALL       VPN route destination CIDR  Any          VPN server subnet CIDR      Any
outbound   ALL       VPN server subnet CIDR      Any          VPN route destination CIDR  Any

Typically, the destination of a VPN translate route lies outside the VPC; for example, you might use the VPN server to reach an IBM Cloud classic infrastructure virtual server instance. In that case you must also configure the firewall rules at the destination to allow traffic from the VPN server's subnets, which is what the destination sees as the source after translation (not the client IP pool).

For example, suppose that you use the subnets 10.240.64.0/24 and 10.240.129.0/24 when provisioning the VPN server, that subnet 10.187.190.0/26 exists in IBM classic infrastructure, and that you want to reach a classic virtual server instance from the VPN client. Create a VPN route with destination 10.187.190.0/26 and action translate, and configure the security group, ACL, and firewall rules as follows:

Table 15. Security group rules for a VPN translate route on the VPN server
Direction  Protocol  Source/Destination type  Source/Destination value  Port
inbound    ALL       CIDR block               10.187.190.0/26           Any
outbound   ALL       CIDR block               10.187.190.0/26           Any

Table 16. ACL rules for a VPN translate route on the VPN server subnet
Direction  Protocol  Source IP        Source port  Destination IP   Destination port
inbound    ALL       10.187.190.0/26  Any          10.240.64.0/24   Any
inbound    ALL       10.187.190.0/26  Any          10.240.129.0/24  Any
outbound   ALL       10.240.64.0/24   Any          10.187.190.0/26  Any
outbound   ALL       10.240.129.0/24  Any          10.187.190.0/26  Any

Table 17. Firewall rules for a VPN translate route on the target firewall device (optional)
Direction  Protocol  Source IP        Source port  Destination IP   Destination port
inbound    ALL       10.240.64.0/24   Any          10.187.190.0/26  Any
inbound    ALL       10.240.129.0/24  Any          10.187.190.0/26  Any
outbound   ALL       10.187.190.0/26  Any          10.240.64.0/24   Any
outbound   ALL       10.187.190.0/26  Any          10.240.129.0/24  Any
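The rule tables on this page follow one pattern: a protocol/port pair for the tunnel itself (Tables 1 to 4), then a CIDR pair whose source side depends on the route action (Tables 5 to 17). The following Python script is an added example, not IBM's own code or tooling: it generates the security group and ACL rows for a given VPN server protocol/port, client IP pool, route destination and action, generalized to any number of VPN server subnets, and diffs them against an existing rule set so that missing rules stand out. The SGRule/ACLRule field names, the string "any" as a wildcard, and the overlap sanity check are this example's own conventions; it does not call the IBM Cloud API, so you still apply the rows through the console, CLI, or API.

```python
"""Generate the security group and network ACL rule sets that this page
describes for an IBM Cloud VPC VPN server, and diff them against what is
already configured.

Added example, not IBM's own code: it models the rule tables on this page
(VPN protocol/port rules, deliver routes, translate routes) as plain data
and never calls the IBM Cloud API. The field names, the "any" wildcard and
the overlap check below are this example's own conventions.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterable, List, Tuple

ANY = "any"  # wildcard used by this example for "Any" port or address


@dataclass(frozen=True)
class SGRule:
    """One security group rule. Security groups are stateful, so `remote` is
    the source for inbound and the destination for outbound rules, and reply
    packets of an allowed connection need no extra rule."""
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp" or "all"
    remote: str      # CIDR block
    port: str        # port number as a string, or ANY


@dataclass(frozen=True)
class ACLRule:
    """One network ACL rule. ACLs are stateless, so every flow needs an
    explicit rule in each direction with source and destination swapped."""
    direction: str
    protocol: str
    source: str
    source_port: str
    destination: str
    destination_port: str


def _cidr(value: str) -> str:
    """Reject malformed or non-canonical prefixes early (10.240.128.1/24 is a typo)."""
    return str(ip_network(value, strict=True))


def vpn_server_rules(protocol: str, port: int, server_subnet: str
                     ) -> Tuple[List[SGRule], List[ACLRule]]:
    """Tables 1 to 4: admit tunnel traffic on the protocol/port the VPN server
    listens on. Source 0.0.0.0/0 is needed because clients connect from
    arbitrary public addresses; narrow it if they egress from known ranges."""
    proto, p, subnet = protocol.lower(), str(port), _cidr(server_subnet)
    sg = [SGRule("inbound", proto, "0.0.0.0/0", p),
          SGRule("outbound", proto, "0.0.0.0/0", p)]
    # Stateless ACL: client -> server:port inbound, server:port -> client outbound.
    acl = [ACLRule("inbound", proto, "0.0.0.0/0", ANY, subnet, p),
           ACLRule("outbound", proto, subnet, p, "0.0.0.0/0", ANY)]
    return sg, acl


def vpn_route_rules(destination: str, action: str, client_pool: str,
                    server_subnets: Iterable[str]
                    ) -> Tuple[List[SGRule], List[ACLRule], List[SGRule], List[ACLRule]]:
    """Tables 5 to 8 (deliver) and 13 to 17 (translate) for any number of VPN
    server subnets. Returns (VPN server SG, VPN server subnet ACL,
    destination SG or firewall, destination subnet ACL or firewall)."""
    dest = _cidr(destination)
    if action == "deliver":
        # Decrypted packets keep the client's address from the client IP pool.
        sources = [_cidr(client_pool)]
    elif action == "translate":
        # The source is rewritten to the VPN server's private IP, so the
        # destination sees the server's subnet(s); every subnet must be listed.
        sources = [_cidr(s) for s in server_subnets]
    else:
        raise ValueError(f"unknown route action {action!r}")
    for src in sources:
        # Sanity check added by this example: an overlapping source and
        # destination cannot be routed through the VPN server.
        if ip_network(src).overlaps(ip_network(dest)):
            raise ValueError(f"{src} overlaps route destination {dest}")

    server_sg = [SGRule("inbound", "all", dest, ANY),
                 SGRule("outbound", "all", dest, ANY)]
    server_acl = ([ACLRule("inbound", "all", dest, ANY, s, ANY) for s in sources] +
                  [ACLRule("outbound", "all", s, ANY, dest, ANY) for s in sources])
    target_sg = ([SGRule("inbound", "all", s, ANY) for s in sources] +
                 [SGRule("outbound", "all", s, ANY) for s in sources])
    target_acl = ([ACLRule("inbound", "all", s, ANY, dest, ANY) for s in sources] +
                  [ACLRule("outbound", "all", dest, ANY, s, ANY) for s in sources])
    return server_sg, server_acl, target_sg, target_acl


def missing_rules(required: Iterable, existing: Iterable) -> list:
    """Return the required rules that are absent from an existing rule set
    (for example, rules listed by the CLI or API), preserving order."""
    have = set(existing)
    return [r for r in required if r not in have]


if __name__ == "__main__":
    # The page's deliver example: client pool 172.16.0.0/20, destination 10.240.128.0/24.
    for rule_set in vpn_route_rules("10.240.128.0/24", "deliver",
                                    "172.16.0.0/20", ["10.240.64.0/24"]):
        for rule in rule_set:
            print(rule)
        print()
```

Run as-is, the script prints the four rule sets of Tables 9 to 12. To audit a live configuration, build SGRule and ACLRule objects from the rules the CLI or API reports for the VPN server's security group and subnet ACL, then pass them as `existing` to `missing_rules`; for a translate route with several subnets, the one rule people usually forget is the outbound ACL row for the second subnet, and the diff shows exactly that row.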