---
copyright:
lastupdated: "2025-12-12"
lasttested: "2025-10-31"
keywords:
subcollection: secure-infrastructure-vpc
content-type: tutorial
services: vpc, openshift, secrets-manager, dl, schematics
account-plan: paid
---
{{site.data.keyword.attribute-definition-list}}

{: #connect-landingzone-client-vpn}
{: toc-content-type="tutorial"}
{: toc-services="vpc, openshift, secrets-manager, dl, schematics"}
{: toc-completion-time="1h"}

This tutorial dives into the fastest option to get up and running with a client VPN for VPC connectivity. Rather than doing manual steps, you set up an automated way to create a client-to-site VPN connection to one or more landing zones in your account by using the Cloud automation for Client to Site VPN deployable architecture{: term} from the Community registry.
{: shortdesc}
{: #solution-connect-client-vpn-objectives}
- Create a client-to-site VPN connection between the private VPC network and clients by using Cloud automation for Client to Site VPN deployable architecture{: term} from the Community registry.
{: #solution-connect-client-vpn-problem}
Let's say that you deployed the Landing zone for containerized applications with OpenShift{: external} deployable architecture{: term}. In the {{site.data.keyword.cloud_notm}} console, you can see that the cluster is created and working correctly. When you try to access the Red Hat OpenShift web console on the management cluster, you see this error:
It is not possible to access the Red Hat OpenShift console because the cluster is accessible only on the management VPC’s private network, which is locked down and not accessible from the internet.
You might also have connectivity issues to the VPC's private networks if you deploy the Cloud foundation for VPC{: external}, Landing zone for applications with virtual servers{: external}, or the Landing zone for containerized applications with OpenShift{: external} deployable architecture.
For example, you ping the network but it times out:

```sh
ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
ping: sendto: Host is down
Request timeout for icmp_seq 0
ping: sendto: Host is down
Request timeout for icmp_seq 1
ping: sendto: Host is down
Request timeout for icmp_seq 2
ping: sendto: Host is down
Request timeout for icmp_seq 3
^C
--- 10.0.0.1 ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss
```
{: pre}
How can you securely access that private network to complete operations on resources within these VPCs?
{: #solution-connect-client-vpn-solution}
Establish secure connections to a private VPC network:
- Client-to-site VPN server and VPN Client - Configure a VPN client application on your device to create a secure connection to your VPC network that uses {{site.data.keyword.cloud_notm}} VPN for VPC. The {{site.data.keyword.cloud_notm}} VPN server service has high availability mode for production use and is managed by {{site.data.keyword.IBM_notm}}.
{: #deploy-client-to-site-vpn} {: step}
- Navigate to the Cloud automation for Client to Site VPN deployable architecture in the community registry.
- Choose the Fully configurable variation. By default, this variation includes all dependent deployable architectures, including all of the best-practice security and observability services. You can change this by clicking the Customize button and customizing the selection to meet your needs. For example, you might de-select the Cloud foundation for VPC deployable architecture if you already have your VPC deployed.
- When you finish customizing, choose the project you wish to use, or choose the option to create a new one, and click Configure and deploy.
- Optional configurations:
    - If you de-selected the Cloud foundation for VPC or Cloud automation for Secrets Manager deployable architectures, you need to enter a value for the `existing_vpc_crn` and / or `existing_secrets_manager_instance_crn` inputs.
    - By default, the deployable architecture creates a new subnet for the VPN by using the value of `vpn_subnet_cidr_zone_1`. You can enable high availability by creating a second subnet with the `vpn_subnet_cidr_zone_2` input. If you want to use existing subnets, pass a list of subnet IDs in the `existing_subnet_ids` input.
- When you are happy with all of the input values, proceed to validate and deploy.
A deployable architecture{: term} is infrastructure as code (IaC) that's designed for easy deployment, scalability, and modularity. In this case, the deployable architecture{: term} represents a repeatable way to create client-to-site VPN connections for more than one landing zone in your org. It also simplifies how others in your company can set up more VPN connections for their landing zones.
{: #solution-connect-client-vpn-openvpn} {: step}
After the VPN server cloud resources are deployed, set up the OpenVPN client on devices that will access your landing zone.

- Download the OpenVPN profile from the VPN server:
    - By using the {{site.data.keyword.cloud_notm}} console:
        - Click the Navigation menu icon, and then click Infrastructure > VPNs in the Network section to open the VPNs for VPC page.
        - Click the Client-to-site servers tab, and select the client-to-site VPN server that you created.
        - Click the Clients tab. Then, click Download client profile.

    Or

    - By using the {{site.data.keyword.cloud_notm}} CLI:

        ```sh
        ibmcloud is vpn-server-client-configuration VPN_SERVER --file client2site-vpn.ovpn
        ```
        {: pre}

        Look for the `VPN_SERVER` ID in the output of the Terraform apply from the validation step. If you don't find it there, follow the previous steps to download the profile and look in the `<vpn_server>.ovpn` file.

- Set up the client:

    You can follow the steps in Setting up a VPN client.
    {: tip}

    - Download and install the OpenVPN client application from https://openvpn.net.
    - Open the OpenVPN client application, and import the `client2site-vpn.ovpn` file.
    - Enter one of the {{site.data.keyword.cloud_notm}} email addresses that was configured to access the VPN as the user ID.
    - Go to https://iam.cloud.ibm.com/identity/passcode in your browser to generate a passcode. Copy the passcode.
    - Return to the OpenVPN client application and paste the one-time passcode. You might be prompted to select a client certificate if one was not configured; you can click Continue. You are now connected to the VPN server.
{: #connect-client-vpn-certs} {: step}
To use client certificates, follow these steps:

- Set `enable_certificate_auth` to true and pass values for `client_cert_crns` when you deploy this architecture.
- To generate certificates, you must configure a private certificate engine, which issues private certificates. You can use the Cloud automation for Secrets Manager private certificates engine deployable architecture to configure the private certificate engine.
- To generate certificates for the VPN server and clients, use the Cloud automation for Secrets Manager private certificate deployable architecture. You have to do multiple runs because the architecture generates only a single certificate at a time.
{: #connect-client-vpn-rh} {: step}
If your landing zone includes a Red Hat OpenShift cluster, you can now test that you have access to the web console.
- Open https://{DomainName}/kubernetes/clusters in your browser.
- Select the cluster details for the management cluster in your landing zone.
- Click OpenShift Web Console in the upper right to access your Red Hat OpenShift web console.
- Repeat steps (2) and (3) to test connectivity to the landing zone’s workload cluster.
{: #connect-client-vpn-connection} {: step}
On the device that has the OpenVPN client, ping the 10.* network (which is in your management VPC).

```sh
ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: icmp_seq=0 ttl=64 time=19.920 ms
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=19.301 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=14.490 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=20.896 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=13.938 ms
^C
--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 13.938/17.709/20.896/2.904 ms
```
{: pre}

If you see no timeouts or other errors, your local workstation has connectivity to the VPC’s private network.
{: #connect-client-vpn-connectivity}
In the following error, OpenVPN has an active connection, but can't reach a server on your private VPN subnet. Check the local network that your device connects through. Some newer routers allocate IP addresses in the 10.* range rather than 192.168.*.

```text
error: dial tcp: lookup YOUR_SERVER_URL on 10.0.0.1:53:
read udp 10.0.0.2:0->10.0.0.1:53:
i/o timeout- verify you have provided the correct host and port and that the server is currently running.
```
{: screen}
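One way to check for the address clash described above before opening a support ticket: compare the networks of the workstation's local interfaces with the VPC CIDRs you expect to reach. This is an added example, not part of the tutorial or the deployable architecture; the `ip -o -4 addr` sample and the VPC CIDRs are constructed values, and the CIDR list stands in for whatever you passed as `vpn_subnet_cidr_zone_1` / `vpn_subnet_cidr_zone_2`.

```python
import ipaddress
import re

# Constructed sample of `ip -o -4 addr show` output from a workstation whose
# home router hands out 10.0.0.0/24 addresses (hypothetical data, not from the page).
SAMPLE_LOCAL_ADDRS = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: wlan0 inet 10.0.0.37/24 brd 10.0.0.255 scope global dynamic wlan0
3: tun0  inet 192.168.255.6/32 scope global tun0
"""

# Assumed example CIDRs for the VPN subnets / management VPC you need to reach.
VPC_CIDRS = ["10.0.0.0/24", "10.0.1.0/24"]


def local_networks(ip_addr_output):
    """Parse `ip -o -4 addr` lines into (interface, network) pairs, skipping
    loopback and host (/32) addresses such as the VPN tunnel endpoint itself."""
    nets = []
    for line in ip_addr_output.splitlines():
        m = re.search(r"^\d+:\s+(\S+)\s+inet\s+(\S+)", line)
        if not m:
            continue
        iface, cidr = m.group(1), m.group(2)
        net = ipaddress.ip_network(cidr, strict=False)
        if net.is_loopback or net.prefixlen == 32:
            continue
        nets.append((iface, net))
    return nets


def find_overlaps(ip_addr_output, vpc_cidrs):
    """Return (interface, local_net, vpc_net) for every local LAN that overlaps a
    VPC CIDR: traffic to that range is routed to the LAN instead of the tunnel,
    which produces exactly the timeout shown above."""
    overlaps = []
    vpc_nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    for iface, local in local_networks(ip_addr_output):
        for vpc in vpc_nets:
            if local.overlaps(vpc):
                overlaps.append((iface, str(local), str(vpc)))
    return overlaps


if __name__ == "__main__":
    for iface, local, vpc in find_overlaps(SAMPLE_LOCAL_ADDRS, VPC_CIDRS):
        print(f"{iface}: local network {local} overlaps VPC range {vpc}; "
              "change the router's LAN range or the VPN subnet CIDR")
```

On a real workstation, feed the function the actual output of `ip -o -4 addr show` (Linux) and the subnet CIDRs from your deployment inputs.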
{: #connect-client-vpn-summary}
Automating the creation of client-to-site VPN connections to your secure landing zones is straightforward when you use the capabilities of deployable architectures on {{site.data.keyword.cloud_notm}}.