Use site-to-site VPN, FastConnect, or OpenVPN Access Server to bridge your local network with the Oracle Cloud Infrastructure VCN.
Use any of the following VPN connection methods to connect to the virtual cloud network (VCN):
- Site-to-site VPN: Provides a site-to-site IPSec VPN between your on-premises
                network and your VCN over a secure, encrypted connection. See Site-to-Site VPN.
                  
 
- FastConnect: Provides a dedicated private connection between your data
                center and Oracle Cloud Infrastructure. It provides higher-bandwidth options, and a
                more reliable and consistent networking experience compared to internet-based
                connections. See FastConnect Overview.
                  
 
- OpenVPN Access Server: Connects your client devices directly to Oracle cloud resources, such as MySQL DB systems. You cannot use OpenVPN Access Server to connect entire sites or networks to an Oracle VCN; in that scenario, it is recommended to use Site-to-site VPN or FastConnect. OpenVPN Access Server is available in the Oracle Cloud Infrastructure Marketplace. It is free to install and you can use it for two simultaneous VPN connections. See OpenVPN Access Server.
                  
 
 
OpenVPN Access Server
Use OpenVPN Access Server to connect your client devices directly to
                                Oracle cloud resources, such as MySQL DB systems. 
 Note: Use site-to-site VPN or FastConnect to connect entire sites or networks to an Oracle VCN.
                  
- Create an OpenVPN stack. The OpenVPN stack consists of a compute instance running
        the Access Server. The stack is attached to the same VCN the DB system is attached to, and
        you need to configure the network to enable external connections to the Access Server. See
          Creating an OpenVPN Stack. 
                     
 
- Configure the OpenVPN Access Server to route traffic to the DB system. It includes
        configuring static IP addresses, routing instead of NAT, and creating and configuring a VPN
        user. See Configuring an OpenVPN Access Server. 
                     
 
- Install and configure a VPN client to use with the OpenVPN Access Server and
        connect to the DB System. See your VPN client documentation. 
 
- Configure the VCN to allow communications from the OpenVPN Access Server to the MySQL
        DB system attached to the private subnet. See Configuring a VCN for OpenVPN Access Server Connections.
                     
 
 
 
Creating an OpenVPN Stack
The OpenVPN stack consists of a compute instance running the Access Server.
        The stack is attached to the same VCN your DB system is attached to, and you need to
        configure the network to enable external connections to the Access Server.
Using the Console
Use the Console to create an OpenVPN Stack.
This task requires the following:
                        
 
Do the following to create an OpenVPN Stack:
 
- Open the navigation menu, select Marketplace, and then select All
                        applications.
 
- In the search box, search for OpenVPN Access Server, and click OpenVPN
                        access server.
 
- Select the compartment you created the VCN in, and select the terms and
                    conditions check box.
 
- Click Launch stack.
 
- In the Stack information panel of the Create stack page, provide
                    the following information:
Stack information:
                              
- Name: (Optional) Specify a name for the Stack.
                                 
 
- Description: (Optional) Specify a description of the
                            Stack.
                                 
 
- Create in compartment: You cannot edit the
                            field.
                                 
 
- Terraform version: You cannot edit the field.
                                 
 
 
 
- Click Next.
 
- In the Configure variables panel, provide the following
                    information:
Compute configuration:
                              
- OpenVPN access server name: Specify a unique name for
                            your Access Server.
                                 
 
- Compute shape: Select a shape of the compute
                            instance. 
                                 
 
Application configuration:
                              
Network configuration:
                                 
- Network strategy: Select Use existing
                                VCN.
                                    
 
- Existing network: Select the VCN to which your
                                DB system is attached.
                                    
 
- Existing subnet: Select the public subnet of your
                                VCN.
                                    
 
 
Additional configuration:
                                 
- Compartment: Select the compartment in which you
                                want to create all resources. By default, it is set to the
                                compartment that you specify on the Marketplace page.
                                    
 
- Public SSH key string: (Optional) Specify the
                                public SSH key to access the compute instance using SSH. You do not
                                need to specify the string if you use the administration page of the
                                Access Server.
                                    
 
 
 
 
- Click Next to open the Review page. 
 
- Confirm your settings and click Create.
 
The Resource manager job details page is displayed. The Logs section lists the details of the created stack and the login details of the Access Server in the following format:
Outputs:
admin_password = ********
admin_username = username
instance_public_url = https://193.122.164.108/admin
Here, instance_public_url contains the public IP address of the compute instance hosting the Access Server. Note these details as you need them in subsequent tasks.
                     
 
 
 
 
Configuring an OpenVPN Access Server
The OpenVPN Access Server routes traffic to the DB system. It includes
        configuring static IP addresses, routing instead of NAT, and creating and configuring a VPN
        user.
Using the Console
Use the Console to configure an OpenVPN Access Server to route traffic to
        the DB system.
This task requires the following:
                        
 
Do the following to configure an OpenVPN Access Server:
- Load the OpenVPN Access Server Administration tool using the IP address and
                    credentials that you get in the instance_public_url field at the end of
                    creating the OpenVPN stack:
https://<IPAddress>/admin
 
 
- Open the navigation menu, select Configuration, then select VPN
                        settings.
 
- Specify a static IP in the Static IP address network field. A static IP is preferred because you must also configure ingress rules for this IP address on the subnet of your VCN. If you use a dynamic address, you have to update the ingress rules each time the address is reassigned.
 Note: The dynamic IP address field is mandatory. Do not change the default value, which is similar to 172.27.233.0/24. When specifying the value for your static network, use a similar value, such as 172.27.232.0/24.
                              
 
 
- In the Routing section, select Yes, using Routing and add the CIDR blocks of the private and public subnets to which the VPN clients require access. These are the CIDR blocks of the subnets attached to your VCN. For example: 10.0.0.0/24 and 10.0.1.0/24.
 
- Click Save settings.
 
- Open the navigation menu, select User management, then User
                        permissions.
 
- In the User permissions dialog box, enter a username in the New
                        username field, and click the More settings icon in the adjacent
                    column.
 
- Provide the following information:
- Password: Specify a password for the new user.
                                 
 
- Select IP addressing: Select Use static.
                                 
 
- VPN static IP address: Specify the IP address to
                            assign to the new user. This IP address must be in the range defined in
                            the Static IP address network field of the VPN
                            Configuration.
                                 
 
- Select addressing method: Select Use
                            routing.
                                 
 
- Allow access to these networks: Specify the IP
                            addresses of the public and private subnets, as mentioned in the
                                Routing section of the VPN configuration.
                                 
 
 
 
- Save the user. Log out, and log in using the new user credentials. Download the profile, client.ovpn, using the Yourself (user-locked profile) link at the bottom of the page.
- Import the profile to the OpenVPN client. See OpenVPN documentation.
 
- Configure your network to accept connections from the OpenVPN Access
                    Server.
 
 
 
 
Configuring a VCN for OpenVPN Access Server Connections
Configure a virtual cloud network to enable communications from the OpenVPN
        Access Server to the MySQL DB system attached to the private subnet.
Using the Console
Use the Console to configure a virtual cloud network to enable
        communications from the OpenVPN Access Server to the MySQL DB system attached to the private
        subnet.
This task requires the following:
                        
 
Do the following to configure a virtual cloud network (VCN):
- Open the navigation menu, select Networking, and then select Virtual
                        cloud networks.
 
- Click on the name of the VCN.
 
- In the Virtual cloud network details page, under Subnets, click
                    the name of your private subnet.
 
- In the Subnet details page, click the Route table.
 
- Click Add route rules and provide the following information:
- Target type: Select Private IP.
                                 
 
- Destination type: Select CIDR block.
                                 
 
- Destination CIDR block: Specify the CIDR block you
                            defined in the Static IP address network field of the OpenVPN
                            Access Server VPN settings.
                                 
 
- Target selection: Specify the private IP address of the compute instance of the OpenVPN Access Server.
                                 
 
 
 
- Click Add route rules. 
 
- Navigate to the Security list details page of your private subnet.
 
- Add ingress rules for the VPN Static IP addresses. The default MySQL ports are
                    3306 and 33060.
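
An offline consistency check for the addressing plan that the steps above build, as an added example and not Oracle's own code: it verifies that each VPN user's static IP falls inside the static IP address network, that the routed subnets do not overlap the VPN client networks, and that the ingress rules admit those users on ports 3306 and 33060. The rule dictionaries are a simplified, constructed shape (not the OCI API format), the user name and its IP are hypothetical, and flagging sources wider than the static network or the VCN subnets is this example's own choice.

```python
import ipaddress

MYSQL_PORTS = (3306, 33060)  # default MySQL ports named on this page

def check_vpn_plan(static_net, dynamic_net, routed_subnets, user_ips, ingress_rules):
    """Return a list of findings; an empty list means the plan is consistent."""
    static = ipaddress.ip_network(static_net)
    dynamic = ipaddress.ip_network(dynamic_net)
    subnets = [ipaddress.ip_network(s) for s in routed_subnets]
    users = {name: ipaddress.ip_address(ip) for name, ip in user_ips.items()}
    findings = []
    if static.overlaps(dynamic):
        findings.append(f"static network {static} overlaps dynamic network {dynamic}")
    for net in subnets:
        if net.overlaps(static) or net.overlaps(dynamic):
            findings.append(f"routed subnet {net} overlaps a VPN client network")
    for name, ip in users.items():
        if ip not in static:
            findings.append(f"user {name}: {ip} is outside static network {static}")
    for port in MYSQL_PORTS:
        sources = [ipaddress.ip_network(r["source"]) for r in ingress_rules
                   if r["protocol"] == "tcp" and r["min"] <= port <= r["max"]]
        for name, ip in users.items():
            if not any(ip in src for src in sources):
                findings.append(f"port {port}: no ingress rule admits {name} ({ip})")
        for src in sources:
            # Sources inside the static VPN network or a VCN subnet are expected.
            if not any(src.subnet_of(n) for n in [static, *subnets]):
                findings.append(f"port {port}: source {src} is wider than needed")
    return findings

# Constructed sample plans using the example CIDR blocks from this page.
GOOD_PLAN = dict(
    static_net="172.27.232.0/24", dynamic_net="172.27.233.0/24",
    routed_subnets=["10.0.0.0/24", "10.0.1.0/24"],
    user_ips={"dbuser": "172.27.232.10"},
    ingress_rules=[
        {"protocol": "tcp", "source": "172.27.232.0/24", "min": 3306, "max": 3306},
        {"protocol": "tcp", "source": "172.27.232.0/24", "min": 33060, "max": 33060},
    ])
BAD_PLAN = dict(GOOD_PLAN, user_ips={"dbuser": "172.27.233.15"},
    ingress_rules=[{"protocol": "tcp", "source": "0.0.0.0/0", "min": 3306, "max": 3306}])

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_vpn_plan(**plan))
```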