Learn how to assign and manage user privileges for VPN Gateway operations, ensuring that users have the appropriate access to perform their tasks.
Learn how to create a VPN Gateway.
Learn how to create IPSec Tunnels or WireGuard Peers for a VPN Gateway.
Learn how to view VPN Gateways, including details on their configuration and status.
Learn how to update the settings and configurations of an existing VPN Gateway to meet evolving needs.
Learn how to download the configuration file and view its details.
Learn how to update tunnels or peers associated with an existing VPN Gateway.
Learn how to delete IPSec Tunnels or WireGuard Peers associated with a VPN Gateway.
Learn how to safely remove a VPN Gateway when it is no longer needed.
Users need appropriate privileges to create and manage VPN Gateways. The VPN Gateway has a specific group privilege called Access and manage VPN Gateway. When you enable this privilege for a group, its members inherit it through group settings, allowing them to manage the VPN gateways.
Prerequisite: Make sure you have one or more Groups in the User Manager. To create one, see .
To set user privileges to manage VPN Gateways, follow these steps:
1. In the DCD, go to Menu > Management > Users & Groups under Users.
2. Select the Groups tab in the User Manager window.
3. Select the appropriate group to assign relevant privileges.
4. In the Privileges tab, select Access and manage VPN Gateway.
Note: You can remove the privileges from the group by clearing Access and manage VPN Gateway.
Result: The privilege to manage VPN Gateways is granted to all the members in the selected group.
You can revoke a user's Access and manage VPN Gateway privilege by removing the user from all the groups that have this privilege enabled.
Warning: You can also revoke this privilege from a user by disabling Access and manage VPN Gateway for every group the user belongs to. In this case, all the other members of those groups lose the privilege as well.
To revoke this privilege from a contract administrator, disable the administrator option on the user account. On performing this action, the contract administrator gets the role of a contract user, and the privileges that were set up for the user before being an administrator will then be in effect.
Once a VPN Gateway is successfully created, the gateway is listed on the VPN Gateways page.
To view the VPN Gateways, follow these steps:
1. In the DCD, go to Menu > Network > VPN Gateway under Connectivity.
Result: A list of VPN Gateways created is displayed. For every VPN Gateway listed, you can view the following details:
NAME (PROTOCOL): Displays the name of the VPN Gateway and its chosen protocol.
REGION: Displays the region where the respective VPN Gateway is located.
STATE: Displays the state of the VPN Gateway. Possible values are as follows:
Provisioning: The VPN Gateway is still in creation.
Available: The VPN Gateway is available and functioning properly.
Unavailable: The VPN Gateway is unavailable and not in use.
Destroying: The VPN Gateway is being deleted.
TIER: Displays the plan chosen for the respective VPN Gateway.
LAST MODIFIED: Displays the date when the VPN Gateway details were last updated.
CREATE TUNNELS (IPSEC) / CREATE PEERS (WIREGUARD): Select to create .
OPTIONS: Provides additional actions you can perform on the VPN Gateway, such as modifying or deleting the VPN Gateway.
For the selected VPN Gateway, you can view the System information, Setup & LAN connections, and Tunnels associated with it.
In Tunnels, you have the following options:
Add Tunnels: Option to add new tunnels.
Existing Tunnels: A list of existing tunnels with their names and options to edit or delete each tunnel.
The VPN Gateways page lists all your VPN Gateways.
Note: During the scheduled maintenance, you can only update the VPN gateway's name and description. You must wait until the maintenance process is finished before modifying the other details.
To update the VPN Gateway details, follow these steps:
1. In the DCD, go to Menu > Network > VPN Gateway under Connectivity.
2. In the VPN Gateways window, click on the name of the VPN Gateway to update its details. Alternatively, you can also click and select Details and Edit from the OPTIONS column.
3. Update the selected VPN Gateway details:
System information: Displays the state of the VPN Gateway, creation and modification details, UUID and the resource URN.
Setup & LAN connections: You can modify the properties, upgrade from the current plan or change to high-availability or vice-versa, LAN connections, or the maintenance schedule.
4. Select Save to update the VPN Gateway details with the changes made.
Result: The VPN Gateway is successfully updated.
1. For the selected VPN Gateway, choose the Tunnels tab to view the tunnels for the selected VPN Gateway.
2. Select Edit to update the selected Tunnel.
3. Update the selected VPN Gateway Tunnel details. To add a new tunnel, select Add Tunnels and .
4. Click Save to update the VPN Gateway Tunnel details with the changes made.
Result: The selected Tunnel for VPN IPSec Gateway is successfully updated.
1. For the selected VPN Gateway, choose the Peers tab to view the peers for the selected VPN Gateway.
2. Click Edit to update the selected Peer.
3. Update the selected VPN Gateway Peer details. To add a new Peer, select Add Peers and .
4. Click Save to update the VPN Gateway Peer details with the changes made.
Result: The selected Peer for VPN WireGuard Gateway is successfully updated.
In Setup & LAN connections, you can view its properties, chosen tier and protocol, LAN connections associated with it, and the maintenance schedule. You can view or these details. For more information, see .
Download Configuration: Select this option to manually download the configuration details of the selected VPN Gateway. For more information, see .
Tunnels: You can update the details of an existing tunnel/peer or click Add Tunnels or Add Peers based on the chosen VPN Gateway protocol to add a new tunnel. For more information, see .
A VPN Gateway provides a secure way to access your data center, protecting your network and sensitive information.
To create a VPN Gateway, follow these steps:
1. In the DCD, go to Menu > Network > VPN Gateway under Connectivity.
2. Click Create VPN Gateway from the VPN Gateways page.
3. Enter the following details to configure your VPN Gateway:
4. Click Save to create the VPN gateway.
Result: Your VPN gateway's STATE is set to PROVISIONING during creation. When provisioning is finished, it becomes AVAILABLE. You can create IPSec Tunnels or WireGuard Peers when the VPN Gateway is still in PROVISIONING or after its STATE changes to AVAILABLE.
To define VPN Gateway properties, specify the following:
1. Name: Enter a name for the VPN Gateway.
2. Description: (Optional). You can add additional information about the VPN Gateway.
3. Location: Select a location of your preference from the drop-down list.
4. IP Address: Select the IP Address from the drop-down list.
Note: Ensure that:
- you have reserved IP addresses for the respective location using IP Management.
- the IP Address and the chosen data center are in the same location.
The number of LANs and tunnels/peers differ for each tier. You can couple a tier with high availability to configure an active-passive mode for an uninterrupted connection during a failover.
When you enable High Availability for the chosen tier, the virtual machines operate in an active-passive mode to minimize the downtime during a failover.
1. Based on your needs, you can choose a tier from the following:
| Tier | Resources | Description |
| --- | --- | --- |
| Standard VPN / Standard VPN + High Availability | A maximum of five LANs and 10 IPSec Tunnels or WireGuard Peers. | You can upgrade the tier to Enhanced VPN or Premium VPN with or without high availability. |
| Enhanced VPN / Enhanced VPN + High Availability | A maximum of 10 LANs and 20 IPSec Tunnels or WireGuard Peers. | You can upgrade the tier to Premium VPN with or without high availability. |
| Premium VPN / Premium VPN + High Availability | A maximum of 15 LANs and 30 IPSec Tunnels or WireGuard Peers. | It is highly recommended for mission-critical or production workloads. |

Note:
- You can upgrade the tiers as described, but downgrading is not allowed.
- The chosen tier, together with the High Availability selection, determines the cost of the VPN Gateway. For more information, see FAQs.
2. High Availability: Select the checkbox to ensure high availability and redundancy for the VPN connections so that the downtime is minimal in case of failures. Redundant VPN tunnels automatically take over during failures.
You can create VPN Gateways using either the IPSec or WireGuard® protocols.
Prerequisites:
IPSec requires Tunnels before it can be used.
WireGuard requires Peers.
Each protocol offers different features and requires distinct configuration steps:
For IPSec, the Version is set to IKEv2 by default.
Enter the following details:
Private Key: Enter the Private Key. For more information about generating a private key, see FAQs.
Interface IPv4 IP: Mandatory if IPv6 is not provided.
Interface IPv6 IP: Mandatory if IPv4 is not provided.
Listen Port (optional): Specifies the UDP port on which a WireGuard interface will listen for incoming encrypted VPN packets.
You can specify the LANs you want to connect to the data center in the VDC. You can add new ones, delete, or edit existing ones.
Note:
- Ensure that the selected Private IP address is not already in use within the VDC.
- We recommend using an IP address from the LAN allocated CIDR range from .2 to .9.
1. Datacenter: Select a data center from the drop-down list to associate it with the VPN Gateway. The available data centers in the drop-down list vary according to the chosen Location.
2. Connections: Select Add LAN Connection to choose a LAN for the data center. You can select an IPv4 CIDR (and an IPv6 CIDR, which is optional) for your LAN connection.
The DCD offers a visual representation of the LANs that are connected to the VPN Gateway.
The maintenance window starts at your chosen start time (UTC) and lasts four hours.
Note:
- We recommend choosing the day and time appropriately because the maintenance occurs in a 4-hour-long window.
- During the scheduled maintenance, you can only update the VPN gateway's name and description. You must wait until the maintenance process is finished before modifying the other details.
1. DAY: Select a day from the drop-down list to set a day for maintenance.
Note:
You cannot delete LANs or a VDC containing VPN Gateway-connected LANs. Remember to delete the VPN gateway before deleting the connected VDC.
VPN Gateways that are in the Provisioning state can be deleted via the DCD or via the Cloud API.
To delete a VPN Gateway, follow these steps:
1. In the DCD, go to Menu > Network > VPN Gateway under Connectivity.
2. In the OPTIONS column for the selected VPN Gateway, click and select Delete Gateway.
3. Select Delete to confirm deletion.
Result: The STATE of the respective VPN Gateway is set to DESTROYING before it is completely deleted.
You can manually export the configuration settings of your VPN gateway. This is suitable for remote or on-premise VPN configuration, backup purposes, troubleshooting, or migrating VPN settings to another system or location. The configuration file typically includes essential details such as network settings, authentication methods, encryption protocols, and routing information.
You can download the configuration file in a standard format and import it into compatible systems or modify it as needed for future use.
Note:
- The configuration is specific to the chosen VPN Gateway protocol: IPSec or WireGuard.
- The downloaded file is not a ready-to-use configuration for peers.
1. In the DCD, go to Menu > Network > VPN Gateway under Connectivity.
2. In the VPN Gateways window, click on the name of the VPN Gateway to update its details. Alternatively, you can also click and select Details and Edit from the OPTIONS column.
3. In the Gateway window, click Download Configuration.
Result: The file is downloaded into your local system and you can use an editor of your choice to view its details.
Note: During the scheduled maintenance, you can only update the VPN gateway's name and description. You must wait until the maintenance process is finished before modifying the other details.
To update an IPSec Tunnel or a WireGuard Peer, follow these steps:
1. In the DCD, go to Menu > Network > VPN Gateway under Connectivity.
2. In the VPN Gateways window, click on the name of the VPN Gateway to update its associated Tunnels or Peers. Alternatively, you can also click and select Details and Edit from the OPTIONS column.
3. For the selected VPN Gateway, you can choose:
Tunnels tab to view the tunnels for the selected VPN Gateway.
Peers tab to view the peers for the selected VPN Gateway.
4. Select Edit to update the selected Tunnel or Peer.
5. Update the necessary details.
6. To add a new:
7. Click Save to update the details with the changes made.
Result: The selected Tunnel or Peer is successfully updated.
After creating a VPN Gateway, you can create a Tunnel or a Peer based on your chosen VPN Gateway protocol.
To create tunnels or peers, follow these steps:
1. In the DCD, go to Menu > Network > VPN Gateway under Connectivity.
2. On the VPN Gateways page, click Create Tunnels or Create Peers based on the chosen VPN Gateway protocol.
3. Enter the following details:
Enter the following details in the Create IPSec Tunnel page:
Tunnel name: Enter a tunnel name.
Description: (Optional). Enter a description.
Remote host: Enter a valid public IPv4 address or a Fully Qualified Domain Name (FQDN).
Pre-shared key (PSK): Enter a valid key or click Generate to automatically generate a key.
Select an appropriate value from the drop-down list for the following:
Diffie-Hellman Group
Encryption Algorithm
Integrity Algorithm
Lifetime: Specify a value starting from 3600 seconds to a maximum of 604800 seconds.
Select an appropriate value from the drop-down list for the following:
Diffie-Hellman Group
Encryption Algorithm
Integrity Algorithm
Lifetime: Specify a value starting from 600 seconds to a maximum of 86400 seconds.
Enter the following details:
Cloud Network CIDRs: Specify up to 20 IPv4 or IPv6 network addresses, separated by commas, on IONOS Cloud that can connect to the tunnel.
Peer Network CIDRs: Specify up to 20 IPv4 or IPv6 addresses, separated by commas, on the peer side that can connect to the tunnel.
Enter the following details in the Create WireGuard peer page:
Peer Name: Enter a peer name.
Description: (Optional). Enter a description.
You can specify the following optional details to enable the peer to use the specified IP address to connect with its remote peer. The peer connects via any available IP address when you do not specify the IP address.
Endpoint host: Enter a public IPv4 address or an FQDN.
Endpoint port: Enter a port number or you can also use the up or down arrows to choose a port number from the list. The port number indicates the UDP port on which a WireGuard interface will listen for incoming encrypted VPN packets.
Specify the following details to establish a secure connection.
Allowed IPs: Specify up to 20 IPv4 or IPv6 network addresses, separated by commas, from which the traffic must be allowed to reach the respective peer. Traffic from all IP addresses is sent to the peer if you do not specify the network addresses.
Public Key: Remember to specify a public key for a secure transmission. The key is used to validate the sender and encrypt the data.
4. Click Save to save the configuration.
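The field limits from step 3 (the two Lifetime ranges, up to 20 networks per CIDR field, public IPv4 or FQDN hosts, and the empty Allowed IPs behaviour) can be checked before the values are entered in the DCD. The following is an added example, not IONOS code: the function names are hypothetical, and the 32-byte base64 key check is a format check based on the WireGuard key format, not something stated on this page.

```python
import base64
import ipaddress
import re

MAX_CIDRS = 20  # per-field limit stated on this page
LIFETIME_RANGES = ((3600, 604800), (600, 86400))  # seconds, in page order
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def check_cidrs(field, value, findings):
    """Parse a comma-separated network list and record what breaks the limits."""
    items = [v.strip() for v in value.split(",") if v.strip()]
    if len(items) > MAX_CIDRS:
        findings.append(f"{field}: {len(items)} entries, limit is {MAX_CIDRS}")
    for item in items:
        try:
            ipaddress.ip_network(item, strict=True)  # rejects host bits
        except ValueError as exc:
            findings.append(f"{field}: {item!r} is not a network address ({exc})")
    return items

def check_host(field, host, findings):  # public IPv4 address or FQDN
    try:
        if not ipaddress.IPv4Address(host).is_global:
            findings.append(f"{field}: {host} is not a public IPv4 address")
    except ValueError:
        if not FQDN_RE.match(host):
            findings.append(f"{field}: {host!r} is neither IPv4 nor an FQDN")

def check_ipsec_tunnel(remote_host, lifetimes, cloud_cidrs, peer_cidrs):
    findings = []
    check_host("Remote host", remote_host, findings)
    for n, (value, (low, high)) in enumerate(zip(lifetimes, LIFETIME_RANGES), 1):
        if not low <= value <= high:
            findings.append(f"Lifetime {n}: {value}s is outside {low}-{high}s")
    check_cidrs("Cloud Network CIDRs", cloud_cidrs, findings)
    check_cidrs("Peer Network CIDRs", peer_cidrs, findings)
    return findings

def check_wireguard_peer(public_key, allowed_ips, endpoint_host=None):
    findings = []
    try:  # format only: a WireGuard key is 32 bytes, base64-encoded
        if len(base64.b64decode(public_key, validate=True)) != 32:
            findings.append("Public Key: does not decode to 32 bytes")
    except ValueError:
        findings.append("Public Key: not valid base64")
    if endpoint_host:
        check_host("Endpoint host", endpoint_host, findings)
    if not check_cidrs("Allowed IPs", allowed_ips, findings):
        findings.append("Allowed IPs: empty, all traffic is sent to this peer")
    return findings
```

Both functions return a list of findings; an empty list means the values fit the limits described above. The empty Allowed IPs finding is the one to review first, since it widens what the peer can receive.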
You can delete the tunnel/peer that is associated with the chosen VPN Gateway protocol.
1. In the DCD, go to Menu > Network > VPN Gateway under Connectivity.
2. In the VPN Gateways window, click on the name of the VPN Gateway to delete an associated peer/tunnel. Alternatively, you can also click and select Details and Edit from the OPTIONS column.
3. Follow these steps to delete a tunnel or a peer:
1. For the selected VPN Gateway, choose the Tunnels tab to view the tunnels for the selected VPN Gateway.
2. Select Delete to delete the selected Tunnel.
3. Select Delete to confirm the deletion.
Result: The selected Tunnel is deleted and it is no longer associated with the VPN IPSec Gateway.
1. For the selected VPN Gateway, choose the Peers tab to view the peers for the selected VPN Gateway.
2. Select Delete to delete the selected Peer.
3. Select Delete to confirm the deletion.
Result: The selected Peer is deleted and it is no longer associated with the VPN WireGuard Gateway.
2. TIME: Enter a time using the pre-defined format (hh:mm:ss) to schedule the maintenance task. You can also click the icon to set a time.
Tunnel, select Add Tunnels and .
Peer, select Add Peers and .