FAQs

Fundamentals

What is a Site-to-Site VPN Gateway?

A Site-to-Site VPN Gateway is a network solution that establishes a secure, encrypted connection between two or more networks over the internet. This setup allows an on-premises network to connect securely with cloud resources, enabling seamless data transfer while ensuring data privacy and integrity. For example, IONOS VPN Gateway is a fully managed service that connects your data center or branch office to your IONOS Cloud resources using IPSec tunnels or WireGuard peers.

What VPN protocols are supported?

Our VPN Gateway supports both IPSec and WireGuard protocols. IPSec is widely used for its robust security features and flexibility, while WireGuard is known for its simplicity and high performance. These options allow you to choose the protocol that best suits your network's security and performance needs.

How does a Site-to-Site VPN enhance my network’s security?

A Site-to-Site VPN enhances network security by encrypting data traffic between your on-premises network and your cloud resources. This encryption protects data from interception and tampering during transit, ensuring that sensitive information remains confidential and secure. It also provides a secure connection for applications and services that require a high level of security.

Getting Started

How do I set up a Site-to-Site VPN Gateway using IPSec?

Setting up a Site-to-Site VPN Gateway with IPSec involves several key steps:

  1. Reserve a public IPv4 address via our Data Center Designer (DCD) or Cloud API.

  2. Create an IPSec VPN gateway, configuring it with a relevant tier, high availability, IP address, virtual data center, and LANs that will use the gateway.

  3. Configure the IPSec tunnels by specifying parameters such as the pre-shared key (PSK), IKE version, encryption, and integrity algorithms.

  4. Set up your on-premises VPN device to match these parameters.

  5. Establish the connection and verify that the tunnel is active by checking the tunnel status and logs.

How do I set up a Site-to-Site VPN Gateway using WireGuard?

Setting up a Site-to-Site VPN Gateway with WireGuard involves these steps:

  1. Reserve a public IPv4 address via our DCD or Cloud API.

  2. Create a WireGuard VPN gateway, configuring it with the tier, high availability, IP address, virtual data center, and LANs that will use the gateway. You can also define a maintenance period.

  3. Generate public and private keys for your WireGuard peers.

  4. Configure the WireGuard interface by adding peers, allowed IPs, and endpoints.

  5. Sync the configuration with your on-premises WireGuard devices.

  6. Establish the connection and verify its status by checking the tunnel status and logs.

Can I use both IPSec and WireGuard tunnels simultaneously?

Yes, you can use both IPSec and WireGuard tunnels simultaneously to connect resources between the same virtual data center networks and remote networks. This setup requires creating and configuring separate VPN gateway instances for each protocol, allowing you to take advantage of the unique benefits of each protocol.

How much does a VPN gateway cost?

The cost of a VPN Gateway is determined by the chosen tier, HA selection, instance lifetime, and the amount of egress traffic. For detailed pricing information, refer to the Price List. You can also compare the prices using the Cloud Price Calculator.

Are there limits to the number of LANs I can connect to a VPN gateway and the number of tunnels/peers I can create?

Yes, the number of LANs, IPSec Tunnels, or WireGuard Peers varies based on the chosen tier. For more information about the limitations, see Define tier.

Each IPSec tunnel or WireGuard peer is a separate connection, so the per-tier limits still allow extensive connectivity while keeping the configuration manageable.

All LANs attached to a gateway must belong to the same VDC, which keeps management and configuration straightforward.

Is there a VPN Gateway API for automation?

Yes, we provide a comprehensive VPN Gateway API, along with a GO SDK and Terraform tooling. These tools enable automation of various gateway-related tasks, ensuring seamless integration with your DevOps workflow and simplifying the management of VPN gateways.

Is dual stack supported?

Yes, our VPN Gateway supports both IPv4 and IPv6, allowing your traffic to be sent across both network types. This capability helps future-proof your services and ensures broad accessibility. Note that tunnel endpoint and Gateway IP addresses are IPv4 only.

What routing options are available for the VPN gateway?

Currently, only static routing is available for the VPN gateway. Dynamic routing protocols like BGP are not supported at this time.

Can I use VPN Gateway to connect virtual data centers in different IONOS locations or regions?

Yes, you can connect virtual data centers (VDCs) across different IONOS locations or regions. There are no region constraints, allowing one VDC to connect to another, regardless of their geographical location.

WireGuard Private Keys

What is a private key in the context of WireGuard?

A private key in WireGuard is a critical component of the VPN security framework. It is used to encrypt and decrypt packets sent between IONOS Cloud and your remote infrastructure, ensuring that only authorized users can read the data transmitted over the VPN.

How do I generate a WireGuard private key?

You need one of the following command-line tools:

  • WireGuard Tools (wg): provides the commands to manage WireGuard configurations. Run the following command to generate a key pair:

wg genkey | tee private_key | wg pubkey > public_key

Result: This single command does the following:

  • Generates a private key and saves it to the private_key file.

  • Passes the private key to wg pubkey, which writes the corresponding public key to the public_key file.

  • OpenSSL: the general-purpose command-line tool for SSL/TLS and cryptography. Run the following commands to generate a key pair:

openssl genpkey -algorithm X25519 -outform der -out private_key.der
openssl pkey -inform der -in private_key.der -pubout -outform der -out public_key.der
tail -c 32 public_key.der | base64 > public_key
tail -c 32 private_key.der | base64 > private_key

Result: The commands produce a private key file named private_key and a public key file named public_key:

  • openssl genpkey -algorithm X25519 -outform der -out private_key.der generates an X25519 private key in DER encoding and saves it as private_key.der.

  • openssl pkey -inform der -in private_key.der -pubout -outform der -out public_key.der derives the corresponding public key and saves it as public_key.der.

  • The two tail -c 32 | base64 commands strip the DER headers, leaving the raw 32-byte keys, and encode them in the base64 form WireGuard expects, writing them to public_key and private_key.

What format are the generated keys in?

The keys are in base64 format, a standard method for representing binary data as an ASCII string, which makes them easy to configure and transport.

How do I ensure the security of my private key?

  • Permissions: Ensure that the private key file has the correct file permissions to restrict access.

  • Backup: Keep a secure backup of your private key, but ensure it is stored safely to prevent unauthorized access.

  • Do not share it: Never share your private key with anyone. Only the public key is safe to share with peers.
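The OpenSSL generation path above and the permissions advice, combined in one added shell example (this is not part of the IONOS documentation): it generates the key pair with OpenSSL alone, checks that each key has the 44-character base64 form WireGuard expects, derives the public key from a stored private key the way wg pubkey would, and creates the private key file owner-only from the start. It assumes OpenSSL 1.1.0 or later (X25519 support) and POSIX base64, tail and mktemp; all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not IONOS code. Assumes OpenSSL >= 1.1.0 (X25519) plus
# base64/tail/mktemp; every function name here is hypothetical.
set -eu

# PKCS#8 X25519 private keys are 48 bytes and SubjectPublicKeyInfo public keys
# 44 bytes; in both the raw 32-byte key is the tail, which is why the docs'
# `tail -c 32` shortcut works. Output is single-line base64, as WireGuard wants.
raw_key_b64() {
    tail -c 32 "$1" | base64 | tr -d '\n'
}

# A valid key is 32 bytes, so its base64 form is exactly 44 characters ending
# in one '=' and decodes back to 32 bytes. Returns non-zero otherwise.
is_wg_key() {
    [ "${#1}" -eq 44 ] || return 1
    case $1 in *=) ;; *) return 1 ;; esac
    [ "$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')" -eq 32 ]
}

# Equivalent of `wg pubkey` using OpenSSL: the PKCS#8 header of an X25519 key
# is a fixed 16-byte prefix, so prepending it to the raw key rebuilds a DER
# file that `openssl pkey -pubout` can read. Handy for confirming that the
# public key configured on a peer really belongs to the private key in use.
pubkey_from_private() {
    tmp=$(mktemp)
    { printf '\060\056\002\001\000\060\005\006\003\053\145\156\004\042\004\040'
      printf '%s' "$1" | base64 -d; } > "$tmp"
    openssl pkey -inform DER -in "$tmp" -pubout -outform DER | tail -c 32 \
        | base64 | tr -d '\n'
    rm -f "$tmp"
}

# umask 077 makes every file below owner-only (0600) at creation, so the
# private key is never readable by others, not even briefly before a chmod.
gen_wg_keys() {
    dir=$1
    umask 077
    mkdir -p "$dir"
    openssl genpkey -algorithm X25519 -outform DER -out "$dir/private_key.der"
    openssl pkey -inform DER -in "$dir/private_key.der" -pubout \
        -outform DER -out "$dir/public_key.der"
    raw_key_b64 "$dir/private_key.der" > "$dir/private_key"
    raw_key_b64 "$dir/public_key.der" > "$dir/public_key"
    rm -f "$dir/private_key.der"   # do not leave a second copy of the secret
    is_wg_key "$(cat "$dir/private_key")" && is_wg_key "$(cat "$dir/public_key")"
}
```

Run `gen_wg_keys /etc/wireguard/keys` (or any directory you choose) and paste the contents of public_key into the peer configuration on the IONOS side.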

What should I do if I suspect my private key is compromised?

We recommend generating a new key pair and updating your configurations to use the new keys.

Security

How secure is the Site-to-Site VPN Gateway?

Our VPN Gateway employs industry-standard encryption techniques to ensure data security. IPSec uses strong encryption algorithms such as AES-256, while WireGuard leverages modern cryptographic primitives like ChaCha20 and Poly1305. These methods provide high levels of data security, protecting your information during transit.

Can I customize encryption and hashing algorithms for IPSec tunnels?

Yes, you can customize the encryption and integrity algorithms used in IPSec tunnels. Supported algorithms include AES-128, AES-256, SHA-256, SHA-384, and SHA-512. These settings can be configured in the DCD or through the Cloud API, allowing you to tailor security to your specific requirements.

How can I determine the right combination of encryption and hashing algorithm for my requirements?

The VPN Gateway supports multiple encryption algorithms to suit different security and performance requirements:

  • AES-128 CCM12 with AES-XCBC: This encryption method is optimized for maximum throughput. It provides a good level of security while allowing for faster data transfer speeds, making it suitable for environments where performance is prioritized.

  • AES-256-GCM16 with SHA256: This combination offers a balance of speed and security. AES-256-GCM16 is widely regarded as secure and efficient, while SHA256 provides a robust integrity check for the data being transmitted.

  • AES-256-GCM16 with SHA384/SHA512: For environments where maximum security is essential, this option utilizes AES-256-GCM16 for encryption, complemented by SHA384 or SHA512 for stronger hashing. This setup is ideal for sensitive data transfers that require the highest level of protection.

How does the VPN Gateway ensure data integrity over the connection?

The VPN Gateway ensures data integrity through cryptographic hashing algorithms like SHA-256, SHA-384, and SHA-512. These algorithms verify that data has not been altered during transit, providing a secure communication channel and maintaining data integrity.

How does my IPSec VPN tunnel get authenticated?

Our VPN gateway uses PSK (Pre-Shared Key) authentication. To authenticate your IPSec VPN tunnel, you must generate a pre-shared key (PSK) and provide it during the creation of the tunnel. For security, it is recommended to use a strong 32-character pre-shared key.

Which IKE version is supported for the IPSec VPN gateway?

Our IPSec VPN gateway supports IKEv2, a modern and secure version of the Internet Key Exchange protocol.

Yes, contract owners and administrators can enable necessary privileges for sub-users via the DCD or the API.

Additionally, you can view audit logs for VPN operations via the Activity log functionality, ensuring transparency and accountability.

Does the VPN service store or process customer data?

No, our VPN service does not store or process customer data. It is designed to provide secure and private connections without handling or retaining user data.

Performance and Scalability

What are the performance considerations for using IPSec vs. WireGuard?

WireGuard is known for its high performance and simplicity, offering lower overhead and faster connection setup times. IPSec, while more established, provides robust security and broader configurability but may have higher processing overhead. The choice between IPSec and WireGuard depends on your specific use cases and performance requirements.

Does the VPN Gateway support automatic failover?

Yes, VPN Gateway supports automatic failover. For more information, see Define Tier.

What should I consider for optimal VPN Gateway performance?

For optimal VPN Gateway performance, consider the following:

  • Ensure appropriate bandwidth on both ends of the connection.

  • Select the right encryption and integrity algorithms based on your performance needs.

  • Regularly monitor your VPN connections and adjust configurations as needed to handle traffic load.

What is the approximate maximum throughput of a Site-to-Site VPN connection?

Each tunnel supports a maximum throughput of up to 1 Gbps, providing high-speed connectivity for data-intensive applications.

What factors affect the throughput of my VPN connection?

Several factors can influence VPN connection throughput, including the capability of your remote gateway, the bandwidth capacity of your connection, the average packet size, the protocol in use (TCP vs. UDP), and the network latency between the VPN Gateway and the remote network.

Troubleshooting

What should I do if the VPN connection is down?

If the VPN connection is down, follow these troubleshooting steps:

  1. Verify that the configuration settings on both sides of the tunnel match.

  2. Check network connectivity, static routes, and firewall rules.

  3. Ensure that the pre-shared keys and encryption algorithms are correctly configured.

  4. Review logs on your on-premises gateway for any error messages and diagnostic information.

  5. If issues persist, contact our support team for further assistance.
