Configuring security groups and ACLs for use with a VPN server
Security groups and access control lists (ACLs) can be configured on the VPN server's subnet where the VPN server is deployed, as well as on other VPC subnets that communicate over the VPN tunnel.
If you configure security groups and ACLs on the VPN server's subnet, make sure that the following rules are in place to allow VPN tunnel traffic. For more information, see About security groups and Setting up network ACLs.
If you don't specify a security group when you provision the VPN server, the default security group of the VPC is attached to the VPN server. You can attach other security groups to the VPN server after provisioning your server.
Rules for VPN protocol traffic
VPN servers can run on TCP or UDP protocols. You can specify the protocol and port when you provision the VPN server. You must open the corresponding protocol and port with the security group rules and ACL.
Security group rules for a VPN server

| Inbound/Outbound Rules | Protocol | Source/Destination Type | Source | Value |
|---|---|---|---|---|
| inbound | VPN server protocol | CIDR block | 0.0.0.0/0 | VPN server port |
| outbound | VPN server protocol | CIDR block | 0.0.0.0/0 | VPN server port |
ACL rules for a VPN server

| Inbound/Outbound Rules | Protocol | Source IP | Source Port | Destination IP | Destination Port |
|---|---|---|---|---|---|
| inbound | VPN server protocol | Any | Any | VPN server subnet | VPN server port |
| outbound | VPN server protocol | VPN server subnet | VPN server port | Any | Any |
For example, by default the VPN server runs on UDP port 443, so you should configure the security group and ACL rules as follows:
Configuration information for security group rules of a VPN server with default protocol and port

| Inbound/Outbound Rules | Protocol | Source/Destination Type | Source | Value |
|---|---|---|---|---|
| inbound | UDP | CIDR block | 0.0.0.0/0 | 443 |
| outbound | UDP | CIDR block | 0.0.0.0/0 | 443 |
Configuration information for ACL of a VPN server with default protocol and port

| Inbound/Outbound Rules | Protocol | Source IP | Source Port | Destination IP | Destination Port |
|---|---|---|---|---|---|
| inbound | UDP | Any | Any | VPN server subnet | 443 |
| outbound | UDP | VPN server subnet | 443 | Any | Any |
Rules for VPN traffic with deliver route action
When a client is connected to the VPN server, the VPN server drops all traffic from the client by default. You must configure a VPN route on the VPN server to allow this traffic. The action of the route may be either deliver or translate.
- When the action is deliver, the packet is forwarded directly after it is decrypted from the tunnel, so the source IP of the packet is the VPN client IP, which comes from the client IP pool.
- When the action is translate, the source IP of the packet is translated to the private IP of the VPN server after the packet is decrypted from the tunnel, and then the packet is sent.
Note which CIDR must be specified when you create the security group and ACL rules: the client IP pool for a deliver route, and the VPN server subnet for a translate route.
Security group rules for a VPN deliver route on the VPN server

| Inbound/Outbound Rules | Protocol | Source/Destination Type | Source | Value |
|---|---|---|---|---|
| inbound | ALL | CIDR block | VPN route destination CIDR | Any |
| outbound | ALL | CIDR block | VPN route destination CIDR | Any |
ACL rules for a VPN deliver route on the VPN server subnet

| Inbound/Outbound Rules | Protocol | Source IP | Source Port | Destination IP | Destination Port |
|---|---|---|---|---|---|
| inbound | ALL | VPN route destination CIDR | Any | VPN server client IP pool | Any |
| outbound | ALL | VPN server client IP pool | Any | VPN route destination CIDR | Any |
At the same time, you must configure the security group and ACL on the VPC VSI so that traffic from the VPN client is not blocked:
Security group rules for a VPN deliver route on the VPC VSI

| Inbound/Outbound Rules | Protocol | Source/Destination Type | Source | Value |
|---|---|---|---|---|
| inbound | ALL | CIDR block | VPN server client IP pool | Any |
| outbound | ALL | CIDR block | VPN server client IP pool | Any |
ACL rules for a VPN deliver route on the VPC VSI subnet

| Inbound/Outbound Rules | Protocol | Source IP | Source Port | Destination IP | Destination Port |
|---|---|---|---|---|---|
| inbound | ALL | VPN server client IP pool | Any | VPN route destination CIDR | Any |
| outbound | ALL | VPN route destination CIDR | Any | VPN server client IP pool | Any |
For example, if you use 172.16.0.0/20 as the client IP pool when you provision the VPN server, and you want to access the resources of subnet 10.240.128.0/24 from the VPN client, you need to create a VPN route with destination: 10.240.128.0/24 and action: deliver. You should also configure security group and ACL rules as follows:
Security group rules for a VPN deliver route on the VPN server

| Inbound/Outbound Rules | Protocol | Source/Destination Type | Source | Value |
|---|---|---|---|---|
| inbound | ALL | CIDR block | 10.240.128.0/24 | Any |
| outbound | ALL | CIDR block | 10.240.128.0/24 | Any |
ACL rules for a VPN deliver route on the VPN server subnet

| Inbound/Outbound Rules | Protocol | Source IP | Source Port | Destination IP | Destination Port |
|---|---|---|---|---|---|
| inbound | ALL | 10.240.128.0/24 | Any | 172.16.0.0/20 | Any |
| outbound | ALL | 172.16.0.0/20 | Any | 10.240.128.0/24 | Any |
Security group rules for a VPN deliver route on the VPC VSI

| Inbound/Outbound Rules | Protocol | Source/Destination Type | Source | Value |
|---|---|---|---|---|
| inbound | ALL | CIDR block | 172.16.0.0/20 | Any |
| outbound | ALL | CIDR block | 172.16.0.0/20 | Any |
ACL rules for a VPN deliver route on the VPC VSI subnet

| Inbound/Outbound Rules | Protocol | Source IP | Source Port | Destination IP | Destination Port |
|---|---|---|---|---|---|
| inbound | ALL | 172.16.0.0/20 | Any | 10.240.128.0/24 | Any |
| outbound | ALL | 10.240.128.0/24 | Any | 172.16.0.0/20 | Any |
Rules for VPN traffic with translate route action
The rules for a VPN translate route are almost the same as for a deliver route. The only difference is that the source IP of the packet is translated to the VPN server's private IP, so you must use the VPN server's subnet instead of the VPN server's client IP pool.
If you select multiple subnets when you provision the VPN server, you must include all subnets in the security group and ACL rules.
Security group rules for a VPN translate route on the VPN server

| Inbound/Outbound Rules | Protocol | Source/Destination Type | Source | Value |
|---|---|---|---|---|
| inbound | ALL | CIDR block | VPN route destination CIDR | Any |
| outbound | ALL | CIDR block | VPN route destination CIDR | Any |
ACL rules for a VPN translate route on the VPN server subnet

| Inbound/Outbound Rules | Protocol | Source IP | Source Port | Destination IP | Destination Port |
|---|---|---|---|---|---|
| inbound | ALL | VPN route destination CIDR | Any | VPN server subnet CIDR | Any |
| outbound | ALL | VPN server subnet CIDR | Any | VPN route destination CIDR | Any |
Normally, the destination of a VPN translate route is outside the VPC; for example, you might use the VPN server to access an IBM classic infrastructure virtual server instance. In that case, you must also configure firewall rules on the destination so that traffic from the VPN client is not blocked.
For example, suppose that you use the subnets 10.240.64.0/24 and 10.240.129.0/24 when provisioning the VPN server, there is a subnet 10.187.190.0/26 in the IBM classic infrastructure, and you want to access the classic virtual server instance from the VPN client. Then, you must create a VPN route with destination: 10.187.190.0/26 and action: translate, and configure security group and ACL rules as follows:
Security group rules for a VPN translate route on the VPN server

| Inbound/Outbound Rules | Protocol | Source/Destination Type | Source | Value |
|---|---|---|---|---|
| inbound | ALL | CIDR block | 10.187.190.0/26 | Any |
| outbound | ALL | CIDR block | 10.187.190.0/26 | Any |
ACL rules for a VPN translate route on the VPN server subnet

| Inbound/Outbound Rules | Protocol | Source IP | Source Port | Destination IP | Destination Port |
|---|---|---|---|---|---|
| inbound | ALL | 10.187.190.0/26 | Any | 10.240.64.0/24 | Any |
| inbound | ALL | 10.187.190.0/26 | Any | 10.240.129.0/24 | Any |
| outbound | ALL | 10.240.64.0/24 | Any | 10.187.190.0/26 | Any |
| outbound | ALL | 10.240.129.0/24 | Any | 10.187.190.0/26 | Any |
Firewall rules for a VPN translate route on the target firewall device (optional)

| Inbound/Outbound Rules | Protocol | Source IP | Source Port | Destination IP | Destination Port |
|---|---|---|---|---|---|
| inbound | ALL | 10.240.64.0/24 | Any | 10.187.190.0/26 | Any |
| inbound | ALL | 10.240.129.0/24 | Any | 10.187.190.0/26 | Any |
| outbound | ALL | 10.187.190.0/26 | Any | 10.240.64.0/24 | Any |
| outbound | ALL | 10.187.190.0/26 | Any | 10.240.129.0/24 | Any |
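The following Python is an added example, not code from the original page or from IBM's own tooling: it generates the per-route security group and ACL rules described in the deliver and translate sections above (the client IP pool for deliver, every provisioned server subnet for translate) and reports which required ACL rules are missing from an exported rule list. The `AclRule` dataclass, the function names, and the column-for-column comparison of rules are my assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class AclRule:
    """One network ACL rule, column for column as in the tables above."""
    direction: str  # "inbound" or "outbound"
    protocol: str
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: str

def vpn_route_acl_rules(destination_cidr, action, client_pool, server_subnets):
    """ACL rules the VPN server's subnet needs for one VPN route.
    deliver:   packets keep the client's pool address, so the VPC-side
               endpoint is the client IP pool.
    translate: packets are rewritten to the VPN server's private IP, so the
               VPC-side endpoint is every subnet the server was provisioned on.
    """
    dest = str(ip_network(destination_cidr))  # also rejects malformed CIDRs
    if action == "deliver":
        local_sides = [str(ip_network(client_pool))]
    elif action == "translate":
        local_sides = [str(ip_network(s)) for s in server_subnets]
    else:
        raise ValueError(f"unknown VPN route action: {action}")
    rules = []
    for local in local_sides:
        rules.append(AclRule("inbound", "ALL", dest, "Any", local, "Any"))
        rules.append(AclRule("outbound", "ALL", local, "Any", dest, "Any"))
    return rules

def vpn_route_security_group_rules(destination_cidr):
    """Security group rules on the VPN server; identical for both actions."""
    dest = str(ip_network(destination_cidr))
    return [("inbound", "ALL", "CIDR block", dest, "Any"),
            ("outbound", "ALL", "CIDR block", dest, "Any")]

def missing_acl_rules(existing, required):
    """Rules in `required` that an exported ACL rule list does not contain."""
    present = set(existing)
    return [rule for rule in required if rule not in present]

if __name__ == "__main__":
    # Constructed input matching the translate example in the text above.
    for rule in vpn_route_acl_rules("10.187.190.0/26", "translate", None,
                                    ["10.240.64.0/24", "10.240.129.0/24"]):
        print(rule)
```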