Use site-to-site VPN, FastConnect, or OpenVPN Access Server to bridge
your local network with the Oracle Cloud Infrastructure VCN.
Use any of the following VPN connection methods to connect to the virtual
cloud network (VCN):
- Site-to-site VPN: Provides a site-to-site IPSec VPN between your on-premises
network and your VCN over a secure, encrypted connection. See Site-to-Site VPN.
- FastConnect: Provides a dedicated private connection between your data
center and Oracle Cloud Infrastructure. It provides higher-bandwidth options, and a
more reliable and consistent networking experience compared to internet-based
connections. See FastConnect Overview.
- OpenVPN Access Server: Connects your client devices directly to Oracle cloud
resources, such as MySQL DB systems. You cannot use OpenVPN Access Server to connect
entire sites or networks to an Oracle VCN; in that scenario, it is recommended to
use Site-to-site VPN or FastConnect. OpenVPN Access Server is available in the
Oracle Cloud Infrastructure Marketplace. It is free to install, and you can use it for
two simultaneous VPN connections. See OpenVPN Access Server.
OpenVPN Access Server
Use OpenVPN Access Server to connect your client devices directly to
Oracle cloud resources, such as MySQL DB systems.
Note
Use site-to-site VPN or FastConnect to connect entire sites or networks to an Oracle VCN.
- Create an OpenVPN stack. The OpenVPN stack consists of a compute instance running
the Access Server. The stack is attached to the same VCN the DB system is attached to, and
you need to configure the network to enable external connections to the Access Server. See
Creating an OpenVPN Stack.
- Configure the OpenVPN Access Server to route traffic to the DB system. This includes
configuring static IP addresses, routing instead of NAT, and creating and configuring a VPN
user. See Configuring an OpenVPN Access Server.
- Install and configure a VPN client to use with the OpenVPN Access Server and
connect to the DB System. See your VPN client documentation.
- Configure the VCN to allow communications from the OpenVPN Access Server to the MySQL
DB system attached to the private subnet. See Configuring a VCN for OpenVPN Access Server Connections.
Creating an OpenVPN Stack
The OpenVPN stack consists of a compute instance running the Access Server.
The stack is attached to the same VCN your DB system is attached to, and you need to
configure the network to enable external connections to the Access Server.
Using the Console
Use the Console to create an OpenVPN Stack.
This task requires the following:
Do the following to create an OpenVPN Stack:
- Open the navigation menu, select Marketplace, and then select All
applications.
- In the search box, search for OpenVPN Access Server, and click OpenVPN
access server.
- Select the compartment you created the VCN in, and select the terms and
conditions check box.
- Click Launch stack.
- In the Stack information panel of the Create stack page, provide
the following information:
Stack information:
- Name: (Optional) Specify a name for the Stack.
- Description: (Optional) Specify a description of the
Stack.
- Create in compartment: You cannot edit the
field.
- Terraform version: You cannot edit the field.
- Click Next.
- In the Configure variables panel, provide the following
information:
Compute configuration:
- OpenVPN access server name: Specify a unique name for
your Access Server.
- Compute shape: Select a shape of the compute
instance.
Application configuration:
Network configuration:
- Network strategy: Select Use existing
VCN.
- Existing network: Select the VCN to which your
DB system is attached.
- Existing subnet: Select the public subnet of your
VCN.
Additional configuration:
- Compartment: Select the compartment in which you
want to create all resources. By default, it is set to the
compartment that you specify on the Marketplace page.
- Public SSH key string: (Optional) Specify the
public SSH key to access the compute instance using SSH. You do not
need to specify the string if you use the administration page of the
Access Server.
- Click Next to open the Review page.
- Confirm your settings and click Create.
The Resource manager job details page is displayed. The Logs section lists the
details of the created stack and the login details of the Access Server in the
following format:
Outputs:
admin_password = ********
admin_username = username
instance_public_url = https://193.122.164.108/admin
Here, instance_public_url is the public IP of the compute instance hosting the
Access Server. Note these details as you need them in subsequent tasks.
Configuring an OpenVPN Access Server
The OpenVPN Access Server routes traffic to the DB system. Configuring it includes
setting static IP addresses, using routing instead of NAT, and creating and configuring a VPN
user.
Using the Console
Use the Console to configure an OpenVPN Access Server to route traffic to
the DB system.
This task requires the following:
Do the following to configure an OpenVPN Access Server:
- Load the OpenVPN Access Server Administration tool using the IP address and
credentials that you get in the instance_public_url field at the end of
creating the OpenVPN stack:
https://<IPAddress>/admin
- Open the navigation menu, select Configuration, then select VPN
settings.
- Specify a static IP in the Static IP address network field. A static IP
is preferred because you must also configure ingress rules for this IP address
on the subnet of your VCN. If you use a dynamic address, you have to update the
ingress rules each time the address is reassigned.
Note
The dynamic IP address field is mandatory. Do not change the default value, which is
similar to 172.27.233.0/24. When specifying the value for your static network, use a
similar value, such as 172.27.232.0/24.
- In the Routing section, select Yes, using Routing and add the CIDR blocks of the private and public subnets to which the VPN clients require access. These are the CIDR blocks of the subnets attached to your VCN. For example: 10.0.0.0/24 and 10.0.1.0/24.
- Click Save settings.
- Open the navigation menu, select User management, then User
permissions.
- In the User permissions dialog box, enter a username in the New
username field, and click the More settings icon in the adjacent
column.
- Provide the following information:
- Password: Specify a password for the new user.
- Select IP addressing: Select Use static.
- VPN static IP address: Specify the IP address to
assign to the new user. This IP address must be in the range defined in
the Static IP address network field of the VPN
Configuration.
- Select addressing method: Select Use
routing.
- Allow access to these networks: Specify the IP
addresses of the public and private subnets, as mentioned in the
Routing section of the VPN configuration.
- Save the user. Log out, and log in using the new user credentials. Download the
profile, client.ovpn, using the Yourself (user-locked profile) link at the bottom
of the page.
- Import the profile to the OpenVPN client. See OpenVPN documentation.
- Configure your network to accept connections from the OpenVPN Access
Server.
Configuring a VCN for OpenVPN Access Server Connections
Configure a virtual cloud network to enable communications from the OpenVPN
Access Server to the MySQL DB system attached to the private subnet.
Using the Console
Use the Console to configure a virtual cloud network to enable
communications from the OpenVPN Access Server to the MySQL DB system attached to the private
subnet.
This task requires the following:
Do the following to configure a virtual cloud network (VCN):
- Open the navigation menu, select Networking, and then select Virtual
cloud networks.
- Click on the name of the VCN.
- In the Virtual cloud network details page, under Subnets, click
the name of your private subnet.
- In the Subnet details page, click the Route table.
- Click Add route rules and provide the following information:
- Target type: Select Private IP.
- Destination type: Select CIDR block.
- Destination CIDR block: Specify the CIDR block you
defined in the Static IP address network field of the OpenVPN
Access Server VPN settings.
- Target selection: Specify the private IP address of
the compute instance of the OpenVPN Access Server.
- Click Add route rules.
- Navigate to the Security list details page of your private subnet.
- Add ingress rules for the VPN Static IP addresses. The default MySQL ports are
3306 and 33060.
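The following is an added example, not part of the Oracle documentation: a Python check of the address plan described in the steps above. It then builds one ingress rule per VPN static IP and MySQL port, so the private subnet admits only those addresses. The user address 172.27.232.10 is a constructed sample; the overlap checks are an added sanity test, and the rule fields follow the OCI IngressSecurityRule JSON shape.

```python
import ipaddress
import json

MYSQL_PORTS = (3306, 33060)  # default MySQL ports named on this page


def check_plan(static_net, dynamic_net, vcn_subnets, user_ips):
    """Return a list of problems in the address plan (empty if sound)."""
    static = ipaddress.ip_network(static_net)
    dynamic = ipaddress.ip_network(dynamic_net)
    problems = []
    if static.overlaps(dynamic):
        problems.append(f"static network {static} overlaps dynamic network {dynamic}")
    for cidr in vcn_subnets:
        subnet = ipaddress.ip_network(cidr)
        for name, net in (("static", static), ("dynamic", dynamic)):
            if net.overlaps(subnet):
                problems.append(f"{name} network {net} overlaps VCN subnet {subnet}")
    for ip in user_ips:
        addr = ipaddress.ip_address(ip)
        # A user's VPN static IP must be a usable host inside the static network.
        reserved = (static.network_address, static.broadcast_address)
        if addr not in static or addr in reserved:
            problems.append(f"user address {addr} is not a usable host in {static}")
    return problems


def ingress_rules(user_ips, ports=MYSQL_PORTS):
    """One stateful TCP rule per VPN static IP (single host) and MySQL port."""
    rules = []
    for ip in user_ips:
        addr = ipaddress.ip_address(ip)
        for port in ports:
            rules.append({
                "source": f"{addr}/{addr.max_prefixlen}",
                "sourceType": "CIDR_BLOCK",
                "protocol": "6",  # TCP
                "isStateless": False,
                "tcpOptions": {"destinationPortRange": {"min": port, "max": port}},
            })
    return rules


if __name__ == "__main__":
    users = ["172.27.232.10"]  # constructed sample VPN user address
    print(check_plan("172.27.232.0/24", "172.27.233.0/24",
                     ["10.0.0.0/24", "10.0.1.0/24"], users))
    print(json.dumps(ingress_rules(users), indent=2))
```

Scoping each rule to a single static address rather than the whole static network means an address that is not assigned to a known VPN user cannot reach the DB system ports.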