LANs connected to a given VPN gateway must all belong to the same Virtual datacenter (VDC).
Currently, only static routing is supported; dynamic routing and BGP routing are not available.
Interface IP is not DHCP aware. Ensure that you use private LAN IP addresses that are not already assigned via DHCP or are outside the DHCP range (.2-.10).
Tunnel endpoint and Gateway IP addresses are IPv4 only.
PSK and keypairs are not auto-created by the product. Hence, ensure that you provide them wherever necessary.
Remember to delete the VPN gateway before deleting the connected VDC.
Hybrid Cloud Connectivity: Connects on-premises data centers or offices to Virtual Data Center (VDC) private LANs securely.
Cloud Migration: Facilitates transferring or copying data from on-premises networks to IONOS Cloud.
Multi-region Deployment: Facilitates communication between VDC private LANs deployed across different regions.
Traffic Encryption: Ensures confidentiality of data transmitted over public networks, safeguarding against eavesdropping and tampering.
Secure Connectivity: Establishes encrypted tunnels using industry-standard VPN protocols (IPsec and WireGuard) to ensure secure data transmission. Supports various authentication methods, including certificates and pre-shared keys, providing flexibility in securing connections. Utilizes strong encryption algorithms such as AES-256 to protect data in transit.
Connection Stability: Implements redundancy and failover mechanisms to maintain continuous connectivity. Supports dynamic scaling to adjust to varying network demands, allowing for seamless addition or removal of VPN connections without service interruption.
Scalability: Supports scalable VPN configurations to accommodate growing network demands and increasing traffic. Customizable bandwidth settings optimize performance for different applications and services.
Improved Security: Ensures all transmitted data is encrypted, protecting against unauthorized access and cyber threats. Helps meet regulatory compliance requirements by securing sensitive data in transit.
Cost Efficiency: Reduces the need for costly hardware investments by leveraging cloud-based VPN solutions and scalable pricing models. Minimizes operational costs associated with network maintenance and downtime.
Enhanced Connectivity: Facilitates seamless communication between multiple office locations, partners, and remote sites worldwide. Supports secure remote access for employees, enabling them to connect to corporate resources from any location securely.
Global Reach: Enables organizations to extend network connectivity across different regions without major reconfigurations. Enhances application performance by optimizing latency for cross-region connections.
Reliability: Implements failover mechanisms to ensure high availability and minimize downtime. Distributes traffic across multiple VPN connections to optimize performance and prevent bottlenecks.
Flexibility: Integrates with existing network infrastructure, providing a flexible and scalable solution for diverse connectivity needs. Simplifies management with centralized interfaces for configuration and monitoring of VPN connections.
WireGuard is a modern VPN protocol known for its simplicity and efficiency. It aims to provide a faster and more secure VPN solution compared to traditional protocols like IPSec. Key features include:
Primary Function: Establishes secure point-to-point connections over the internet, using state-of-the-art cryptography.
Importance for VPN Solutions: WireGuard is important due to its simplicity, high performance, and strong security features. It offers fast connection times and efficient use of network resources.
IPSec is a suite of protocols used to secure internet communications by authenticating and encrypting each IP packet of a communication session. It includes protocols like Authentication Header (AH) and Encapsulating Security Payload (ESP). Key features include:
Primary Function: Provides secure communication channels between devices over the internet, ensuring data confidentiality, integrity, and authentication.
Importance for VPN Solutions: IPSec is widely used in enterprise environments for its robust security capabilities, scalability, and compatibility across different platforms.
| Aspect | WireGuard | IPSec |
|---|---|---|
| Security | Uses modern cryptographic techniques like ChaCha20 for encryption and Curve25519 for key exchange. | Offers strong encryption standards (AES, DES) and authentication methods (SHA-256). |
| Performance | Lightweight design results in faster connection times and lower overhead. | May have higher overhead due to encapsulation and additional protocol layers. |
| Ease of Use | Simple configuration and fewer lines of code make setup and management easier. | Configuration can be complex, especially for setting up tunnels and policies. |
| Suitability | Ideal for environments prioritizing speed, simplicity, and efficient resource usage. | Suitable for large organizations needing robust security, scalability, and compliance with standards. |
| Scalability | Handles dynamic IP addresses and changing networks more effectively. | Offers scalable solutions with support for complex network topologies and large-scale deployments. |
Security: Both protocols offer strong security features, but WireGuard is praised for its simplicity and modern cryptographic approach.
Performance: WireGuard typically outperforms IPSec in terms of connection speed and resource efficiency.
Ease of Use: WireGuard is easier to set up and manage due to its minimalist design and straightforward configuration.
Suitability for Large Organizations: IPSec is well-suited for large enterprises requiring extensive scalability, compliance, and robust security measures.
Choose WireGuard if you prioritize simplicity, speed, and efficient resource usage. Opt for IPSec if you need extensive scalability, compatibility with existing infrastructure, and adherence to industry standards.
Prerequisite: You need administrative privileges to create and assign user privileges using the Cloud API.
To set user privileges via the Cloud API for creating and managing VPN Gateways, follow these steps:
1. Authenticate to the Cloud API using your API credentials. For more information, see Get Started with IONOS API.
2. Create a user using the POST /cloudapi/v6/um/users endpoint. Set the following required parameters for the user: user's name, email address, and password.
3. Create a group using the POST /cloudapi/v6/um/groups endpoint. Set the accessAndManageVpn privilege to true.
4. Assign the user to the created group using the POST /cloudapi/v6/um/groups/{groupId}/users endpoint.
Note: Remember to provide the user ID in the request body as shown in the example: id: <userID>
Result: The privilege to create and manage VPN Gateway is granted to the user.
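The three API calls above, as an added example that is not IONOS code. The endpoint paths, the accessAndManageVpn privilege and the {"id": <userID>} assignment body come from the page; the remaining field names (firstname, lastname, email, password, administrator, name) are assumed from the Cloud API v6 User and Group resources. The HTTP transport is injected as a callable so the flow runs offline against the constructed FakeCloudApi, and the group switches on only the VPN privilege, which is the least-privilege shape you want for a VPN operator account.

```python
"""Grant a user the accessAndManageVpn privilege through the Cloud API.

Added example, not IONOS code. Field names other than accessAndManageVpn and
the {"id": ...} assignment body are ASSUMED from the Cloud API v6 schema.
"""
import uuid
from typing import Any, Callable, Dict, List, Tuple

CLOUD_API_BASE = "https://api.ionos.com/cloudapi/v6"  # assumed base URL

# send(method, path, body) -> parsed JSON response; path is relative to CLOUD_API_BASE
Send = Callable[[str, str, Dict[str, Any]], Dict[str, Any]]


def user_body(firstname: str, lastname: str, email: str, password: str) -> Dict[str, Any]:
    """Body for POST /um/users (field names assumed from the v6 User resource)."""
    return {"properties": {"firstname": firstname, "lastname": lastname,
                           "email": email, "password": password,
                           "administrator": False}}  # a VPN operator is not a contract admin


def group_body(name: str) -> Dict[str, Any]:
    """Body for POST /um/groups: only the VPN privilege is switched on."""
    return {"properties": {"name": name, "accessAndManageVpn": True}}


def grant_vpn_privilege(send: Send, firstname: str, lastname: str, email: str,
                        password: str, group_name: str = "vpn-operators") -> Dict[str, str]:
    """Steps 2-4 from the page: create user, create group, add the user to the group."""
    user = send("POST", "/um/users", user_body(firstname, lastname, email, password))
    group = send("POST", "/um/groups", group_body(group_name))
    # Step 4: the request body carries the user ID as {"id": "<userID>"}
    send("POST", f"/um/groups/{group['id']}/users", {"id": user["id"]})
    return {"userId": user["id"], "groupId": group["id"]}


def privileges_granted(group_props: Dict[str, Any]) -> List[str]:
    """Names of every privilege flag set to True in a group's properties."""
    return sorted(k for k, v in group_props.items() if v is True)


class FakeCloudApi:
    """Constructed offline stand-in for the Cloud API that records every call."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, str, Dict[str, Any]]] = []
        self.group_members: Dict[str, List[str]] = {}

    def __call__(self, method: str, path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        self.calls.append((method, path, body))
        if path in ("/um/users", "/um/groups"):
            new_id = str(uuid.uuid4())
            if path == "/um/groups":
                self.group_members[new_id] = []
            return {"id": new_id, "properties": body["properties"]}
        if path.startswith("/um/groups/") and path.endswith("/users"):
            group_id = path.split("/")[3]
            self.group_members[group_id].append(body["id"])
            return {"id": body["id"]}
        raise ValueError(f"unexpected path {path}")


if __name__ == "__main__":
    api = FakeCloudApi()
    ids = grant_vpn_privilege(api, "Ada", "Lovelace", "ada@example.com", "constructed-pw-1")
    print(ids, [call[:2] for call in api.calls])
```

To run it against the real API, replace FakeCloudApi with a callable that sends the request to CLOUD_API_BASE + path with an Authorization: Bearer header and returns the decoded JSON.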
This endpoint enables retrieving all WireGuard Gateways using pagination and optional filters.
To retrieve all the WireGuard Gateways, perform a GET request.
Use a region-specific endpoint to retrieve all WireGuard Gateways: https://vpn.{region}.ionos.com/wireguardgateways
Below is the list of optional Path Parameters:

| Parameter | Type | Description | Example |
|---|---|---|---|
| offset | integer | The first element (of the total list of elements) to include in the response. Use together with limit for pagination. Default: 0 | 0 |
| limit | integer | The maximum number of elements to return. Use together with offset for pagination. Default: 100 | 100 |

To make authenticated requests to the API, the following fields are mandatory in the request header:

| Header | Required | Type | Description |
|---|---|---|---|
| Authorization | yes | string | The Bearer token enables requests to authenticate using a JSON Web Token (JWT). |
| Content-Type | no | string | Set this to application/json. |

200 Successful operation
Result: All existing WireGuard Gateways and their details are successfully obtained.
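The offset/limit pagination described above, as an added example that is not IONOS code. It walks every page until a short page signals the end, and it applies unchanged to the other list endpoints on this page (peers, IPSec gateways, tunnels), since they document the same two parameters. Two assumptions: offset and limit are sent in the query string, and the response carries the page under an "items" key. The fetch(url) -> dict callable is injected, so the helper runs offline against the constructed FakeListEndpoint.

```python
"""Collect every element of a paginated list endpoint with offset/limit.

Added example, not IONOS code. ASSUMED: offset/limit travel in the query
string and the response holds the page under "items".
"""
from typing import Any, Callable, Dict, List
from urllib.parse import parse_qs, urlparse

Fetch = Callable[[str], Dict[str, Any]]


def list_all(fetch: Fetch, url: str, limit: int = 100, max_pages: int = 1000) -> List[Dict[str, Any]]:
    """Request offset=0, limit, 2*limit, ... until a page shorter than limit comes back."""
    if limit < 1:
        raise ValueError("limit must be at least 1")
    items: List[Dict[str, Any]] = []
    offset = 0
    for _ in range(max_pages):  # hard stop so a misbehaving server cannot loop us forever
        page = fetch(f"{url}?offset={offset}&limit={limit}")
        batch = page.get("items", [])
        items.extend(batch)
        if len(batch) < limit:  # short (or empty) page: nothing left
            return items
        offset += limit
    raise RuntimeError("pagination did not terminate within max_pages")


class FakeListEndpoint:
    """Constructed stand-in serving n synthetic gateways through offset/limit."""

    def __init__(self, n: int) -> None:
        self.data = [{"id": f"gw-{i:04d}", "properties": {"name": f"gateway {i}"}} for i in range(n)]
        self.requests: List[str] = []

    def __call__(self, url: str) -> Dict[str, Any]:
        self.requests.append(url)
        query = parse_qs(urlparse(url).query)
        offset = int(query.get("offset", ["0"])[0])
        limit = int(query.get("limit", ["100"])[0])
        return {"items": self.data[offset:offset + limit], "offset": offset, "limit": limit}


if __name__ == "__main__":
    # "example-region" is a placeholder for the {region} part of the real URL.
    endpoint = FakeListEndpoint(250)
    found = list_all(endpoint, "https://vpn.example-region.ionos.com/wireguardgateways")
    print(len(found), "gateways in", len(endpoint.requests), "requests")
```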
Returns the WireGuard Gateway by ID.
To retrieve the WireGuard Gateway, perform a GET request.
Use a region-specific endpoint to retrieve a WireGuard Gateway: https://vpn.{region}.ionos.com/wireguardgateways/{gatewayId}
Note: The following request contains a sample gatewayId. Replace it with the gatewayId of the WireGuard Gateway whose information you want to retrieve.
You can update the gatewayId value to get a specific WireGuard Gateway:

| Parameter | Type | Description | Example |
|---|---|---|---|
| gatewayId | string | The ID (UUID) of the WireGuard Gateway. | 85c79b4b-5b40-570a-b788-58dd46ea71e2 |

To make authenticated requests to the API, the following fields are mandatory in the request header:

| Header | Required | Type | Description |
|---|---|---|---|
| Authorization | yes | string | The Bearer token enables requests to authenticate using a JSON Web Token (JWT). |
| Content-Type | no | string | Set this to application/json. |

200 Successful operation
Result: The WireGuard Gateway and its details for the specified gatewayId are successfully obtained.
Creates a new WireGuard Gateway.
The full WireGuard Gateway needs to be provided to create the object. Optional data will be filled with defaults or left empty.
To create a WireGuard Gateway, perform a POST request.
Use a region-specific endpoint to create a WireGuard Gateway: https://vpn.{region}.ionos.com/wireguardgateways
Below is the list of body parameters for creating a WireGuard Gateway:

| Parameter | Required | Type | Description | Example |
|---|---|---|---|---|
| metadata | no | object | Metadata | {} |
| properties | yes | object | Properties with all data needed to create a new WireGuard Gateway. | |
| properties.name | yes | string | The human readable name of your WireGuard Gateway. | My Company Gateway |
| properties.description | no | string | Human readable description of the WireGuard Gateway. | This gateway allows connections to Datacenter LAN X. |
| properties.gatewayIP | yes | string | Public IP address to be assigned to the gateway. | 192.0.2.0 |
| properties.interfaceIPv4CIDR | no | string | The IPv4 address (with CIDR mask) to be assigned to the WireGuard interface. | 172.16.0.1/32 |
| properties.interfaceIPv6CIDR | no | string | The IPv6 address (with CIDR mask) to be assigned to the WireGuard interface. | 2001:0db8:85a3::/128 |
| properties.connections | yes | array | The network connection for your gateway. | [ { "datacenterId": "5a029f4a-72e5-11ec-90d6-0242ac120003", "lanId": "2", "ipv4CIDR": "192.168.1.100/24", "ipv6CIDR": "2001:0db8:85a3::/24" } ] |
| properties.privateKey | yes | string | Private key used by the WireGuard server. | 0HpE4BNwGHabeaC4aY/GFxB6fBSc0d49Db0qAzRVSVc= |
| properties.listenPort | no | integer | Port that the WireGuard server will listen on. | 51820 |

To make authenticated requests to the API, the following fields are mandatory in the request header:

| Header | Required | Type | Description |
|---|---|---|---|
| Authorization | yes | string | The Bearer token enables requests to authenticate using a JSON Web Token (JWT). |
| Content-Type | yes | string | Set this to application/json. |

201 Successful operation
Result: The WireGuard Gateway is successfully created. The id and other details of the created WireGuard Gateway are provided in the response.
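A pre-flight check for the create body, as an added example that is not IONOS code. It ties the limitations listed at the top of the page to the parameters documented just above: the gateway IP must be IPv4, every connection must belong to the same VDC, the LAN interface address must stay out of the DHCP range (.2-.10), and the privateKey must be a real 32-byte WireGuard key that you supply yourself. How ".2-.10" maps onto an arbitrary CIDR (host offsets 2 through 10 from the network address) is an assumption. The sample values are the page's own documentation values, not live identifiers.

```python
"""Build and sanity-check a WireGuard Gateway create body before POSTing it.

Added example, not IONOS code. ASSUMPTION: the DHCP range ".2-.10" means
host offsets 2..10 from the network address of the connection's ipv4CIDR.
"""
import base64
import binascii
import ipaddress
from typing import Any, Dict, List, Optional

DHCP_RESERVED_HOST_OFFSETS = range(2, 11)  # ".2-.10" from the page's limitations


def is_wireguard_key(value: str) -> bool:
    """A WireGuard key is a base64-encoded 32-byte Curve25519 key."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def validate_gateway_body(body: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the body passed every check."""
    errors: List[str] = []
    props = body.get("properties", {})
    for field in ("name", "gatewayIP", "connections", "privateKey"):
        if field not in props:
            errors.append(f"properties.{field} is mandatory")
    if errors:
        return errors

    try:
        if ipaddress.ip_address(props["gatewayIP"]).version != 4:
            errors.append("gatewayIP must be IPv4 (tunnel endpoint and gateway IPs are IPv4 only)")
    except ValueError:
        errors.append("gatewayIP is not a valid IP address")

    if "interfaceIPv4CIDR" in props:
        try:
            ipaddress.IPv4Interface(props["interfaceIPv4CIDR"])
        except ValueError:
            errors.append("interfaceIPv4CIDR is not a valid IPv4 address with mask")

    conns = props["connections"]
    if not conns:
        errors.append("at least one connection is required")
    if len({c.get("datacenterId") for c in conns}) > 1:
        errors.append("all connected LANs must belong to the same VDC (one datacenterId)")
    for c in conns:
        try:
            iface = ipaddress.IPv4Interface(c["ipv4CIDR"])
        except (KeyError, ValueError):
            errors.append(f"connection lanId={c.get('lanId')}: ipv4CIDR missing or invalid")
            continue
        host_offset = int(iface.ip) - int(iface.network.network_address)
        if host_offset in DHCP_RESERVED_HOST_OFFSETS:
            errors.append(f"connection lanId={c.get('lanId')}: {iface.ip} lies in the DHCP range .2-.10")

    if not is_wireguard_key(props["privateKey"]):
        errors.append("privateKey must be a base64-encoded 32-byte WireGuard key")

    port = props.get("listenPort", 51820)
    if not (isinstance(port, int) and 1 <= port <= 65535):
        errors.append("listenPort must be an integer between 1 and 65535")
    return errors


def build_gateway_body(name: str, gateway_ip: str, datacenter_id: str, lan_id: str,
                       lan_ipv4_cidr: str, private_key: str, listen_port: int = 51820,
                       description: Optional[str] = None) -> Dict[str, Any]:
    """Assemble the POST body in the shape the page documents."""
    props: Dict[str, Any] = {
        "name": name,
        "gatewayIP": gateway_ip,
        "connections": [{"datacenterId": datacenter_id, "lanId": lan_id, "ipv4CIDR": lan_ipv4_cidr}],
        # Load the key from a secret store or the environment at runtime; never commit it.
        "privateKey": private_key,
        "listenPort": listen_port,
    }
    if description:
        props["description"] = description
    return {"metadata": {}, "properties": props}


# The page's own documentation sample, reused here as a constructed input.
SAMPLE_BODY = build_gateway_body(
    name="My Company Gateway", gateway_ip="192.0.2.0",
    datacenter_id="5a029f4a-72e5-11ec-90d6-0242ac120003", lan_id="2",
    lan_ipv4_cidr="192.168.1.100/24",
    private_key="0HpE4BNwGHabeaC4aY/GFxB6fBSc0d49Db0qAzRVSVc=",
)

if __name__ == "__main__":
    print(validate_gateway_body(SAMPLE_BODY) or "sample body passes all checks")
```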
This endpoint enables retrieving all WireGuard Peers using pagination and optional filters.
To retrieve all the WireGuard Peers, perform a GET request.
Use a region-specific endpoint to retrieve all WireGuard Peers: https://vpn.{region}.ionos.com/wireguardgateways/{gatewayId}/peers
Below is the list of optional Path Parameters:

| Parameter | Type | Description | Example |
|---|---|---|---|
| offset | integer | The first element (of the total list of elements) to include in the response. Use together with limit for pagination. Default: 0 | 0 |
| limit | integer | The maximum number of elements to return. Use together with offset for pagination. Default: 100 | 100 |

To make authenticated requests to the API, the following fields are mandatory in the request header:

| Header | Required | Type | Description |
|---|---|---|---|
| Authorization | yes | string | The Bearer token enables requests to authenticate using a JSON Web Token (JWT). |
| Content-Type | no | string | Set this to application/json. |

200 Successful operation
Result: All existing WireGuard Peers and their details are successfully obtained.
Deletes the specified WireGuard Gateway.
To delete a WireGuard Gateway, perform a DELETE request with the gatewayId of the WireGuard Gateway.
Use a region-specific endpoint to delete the WireGuard Gateway: https://vpn.{region}.ionos.com/wireguardgateways/{gatewayId}
Note: The following request contains a sample gatewayId. Replace it with the gatewayId of the WireGuard Gateway you want to delete.
You can update the gatewayId value to delete a specific WireGuard Gateway:

| Parameter | Type | Description | Example |
|---|---|---|---|
| gatewayId | string | The ID (UUID) of the WireGuard Gateway. | 85c79b4b-5b40-570a-b788-58dd46ea71e2 |

To make authenticated requests to the API, the following fields are mandatory in the request header:

| Header | Required | Type | Description |
|---|---|---|---|
| Authorization | yes | string | The Bearer token enables requests to authenticate using a JSON Web Token (JWT). |

202 Successful operation
Result: The WireGuard Gateway with the specified gatewayId is successfully deleted.
Ensures that the WireGuard Gateway with the provided ID is created or modified. Remember to provide the full WireGuard Gateway specification to ensure the WireGuard Gateway with the respective ID is created or updated. Fields left empty are filled with default values or remain empty; previously provided values are not reused for these empty fields.
To ensure that the WireGuard Gateway with the provided ID is created or modified, perform a PUT request.
Note: If no WireGuard Gateway exists for the given gatewayId, a new one is created instead.
Use a region-specific endpoint to ensure that the WireGuard Gateway is created or modified: https://vpn.{region}.ionos.com/wireguardgateways/{gatewayId}
Note: The following request contains a sample gatewayId. Replace it with the gatewayId of the WireGuard Gateway you want to update.
Below is the list of mandatory path parameters:

| Parameter | Type | Description | Example |
|---|---|---|---|
| gatewayId | string | The ID (UUID) of the WireGuard Gateway. | 85c79b4b-5b40-570a-b788-58dd46ea71e2 |

Below is the list of body parameters for updating a WireGuard Gateway:

| Parameter | Required | Type | Description | Example |
|---|---|---|---|---|
| id | yes | string | The ID (UUID) of the WireGuard Gateway to update. | 85c79b4b-5b40-570a-b788-58dd46ea71e2 |
| metadata | no | object | Metadata | {} |
| properties | yes | object | Properties with all data needed to update the WireGuard Gateway. | |
| properties.name | yes | string | The human readable name of your WireGuard Gateway. | My Company Gateway |
| properties.description | no | string | Human readable description of the WireGuard Gateway. | This gateway allows connections to Datacenter LAN X. |
| properties.gatewayIP | yes | string | Public IP address to be assigned to the gateway. | 192.0.2.0 |
| properties.interfaceIPv4CIDR | no | string | The IPv4 address (with CIDR mask) to be assigned to the WireGuard interface. | 172.16.0.1/32 |
| properties.interfaceIPv6CIDR | no | string | The IPv6 address (with CIDR mask) to be assigned to the WireGuard interface. | 2001:0db8:85a3::/128 |
| properties.connections | yes | array | The network connection for your gateway. | [ { "datacenterId": "5a029f4a-72e5-11ec-90d6-0242ac120003", "lanId": "2", "ipv4CIDR": "192.168.1.100/24", "ipv6CIDR": "2001:0db8:85a3::/24" } ] |
| properties.privateKey | yes | string | Private key used by the WireGuard server. | 0HpE4BNwGHabeaC4aY/GFxB6fBSc0d49Db0qAzRVSVc= |
| properties.listenPort | no | integer | Port that the WireGuard server will listen on. | 51820 |

To make authenticated requests to the API, the following fields are mandatory in the request header:

| Header | Required | Type | Description |
|---|---|---|---|
| Authorization | yes | string | The Bearer token enables requests to authenticate using a JSON Web Token (JWT). |
| Content-Type | yes | string | Set this to application/json. |

200 Successful operation
Result: The WireGuard Gateway is successfully updated or created.
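The replace semantics of PUT described above have a practical consequence: a body that carries only the fields you meant to change still replaces the whole gateway, so every optional field you omitted (description, listenPort, interface addresses) is reset. The following added example, which is not IONOS code, shows the mistake beside a read-modify-write helper that fetches the current object, merges the change and PUTs the full specification. The transport send(method, path, body) -> dict is injected, FakeGatewayStore is a constructed stand-in implementing the replace behaviour the page describes, and the sample values are the page's documentation values.

```python
"""Update a WireGuard Gateway with PUT without silently dropping fields.

Added example, not IONOS code. FakeGatewayStore and all sample values are
constructed; ApiError stands in for a 4xx response.
"""
import copy
from typing import Any, Callable, Dict, List, Optional

Send = Callable[[str, str, Optional[Dict[str, Any]]], Dict[str, Any]]

MANDATORY = ("name", "gatewayIP", "connections", "privateKey")
SAMPLE_KEY = "0HpE4BNwGHabeaC4aY/GFxB6fBSc0d49Db0qAzRVSVc="  # page's documentation sample
SAMPLE_CONNECTION = {"datacenterId": "5a029f4a-72e5-11ec-90d6-0242ac120003",
                     "lanId": "2", "ipv4CIDR": "192.168.1.100/24"}


class ApiError(Exception):
    """Constructed stand-in for a 4xx response."""


def put_minimal(send: Send, gateway_id: str, name: str, gateway_ip: str,
                connections: List[Dict[str, Any]], private_key: str) -> Dict[str, Any]:
    """What NOT to do: only the mandatory fields are sent. The call succeeds,
    but every optional field the gateway had is reset by the replacement."""
    body = {"id": gateway_id, "properties": {"name": name, "gatewayIP": gateway_ip,
                                             "connections": connections, "privateKey": private_key}}
    return send("PUT", f"/wireguardgateways/{gateway_id}", body)


def safe_update(send: Send, gateway_id: str, changes: Dict[str, Any]) -> Dict[str, Any]:
    """Read-modify-write so unchanged properties survive the replacement."""
    current = send("GET", f"/wireguardgateways/{gateway_id}", None)
    props = copy.deepcopy(current["properties"])
    props.update(changes)
    # If the service leaves privateKey out of GET responses (it is secret
    # material), the caller must pass it in `changes`; refuse to PUT otherwise.
    missing = [f for f in MANDATORY if props.get(f) in (None, "")]
    if missing:
        raise ValueError(f"refusing to PUT without mandatory fields: {missing}")
    body = {"id": gateway_id, "metadata": current.get("metadata", {}), "properties": props}
    return send("PUT", f"/wireguardgateways/{gateway_id}", body)


class FakeGatewayStore:
    """In-memory service: PUT stores exactly the body it receives, filling omitted
    optional fields with defaults and never consulting the previous object."""

    DEFAULTS = {"description": "", "listenPort": 51820}

    def __init__(self, redact_private_key: bool = False) -> None:
        self.objects: Dict[str, Dict[str, Any]] = {}
        self.redact_private_key = redact_private_key

    def __call__(self, method: str, path: str, body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
        gid = path.rsplit("/", 1)[1]
        if method == "GET":
            obj = copy.deepcopy(self.objects[gid])
            if self.redact_private_key:
                obj["properties"].pop("privateKey", None)
            return obj
        if method == "PUT":
            props = body["properties"]
            missing = [f for f in MANDATORY if f not in props]
            if missing:
                raise ApiError(f"400 missing mandatory fields: {missing}")
            stored = dict(self.DEFAULTS)
            stored.update(props)
            self.objects[gid] = {"id": gid, "metadata": body.get("metadata", {}), "properties": stored}
            return copy.deepcopy(self.objects[gid])
        raise ApiError(f"405 {method}")


def seeded_store(redact_private_key: bool = False) -> FakeGatewayStore:
    """A store holding one gateway whose optional fields differ from the defaults."""
    store = FakeGatewayStore(redact_private_key)
    store("PUT", "/wireguardgateways/gw-1", {"id": "gw-1", "properties": {
        "name": "gw", "gatewayIP": "192.0.2.0", "connections": [SAMPLE_CONNECTION],
        "privateKey": SAMPLE_KEY, "description": "prod link", "listenPort": 51821}})
    return store


if __name__ == "__main__":
    store = seeded_store()
    put_minimal(store, "gw-1", "gw-renamed", "192.0.2.0", [SAMPLE_CONNECTION], SAMPLE_KEY)
    print("after minimal PUT:", store.objects["gw-1"]["properties"]["description"], "(description wiped)")
```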
Creates a new WireGuard Peer.
The full WireGuard Peer needs to be provided to create the object. Optional data will be filled with defaults or left empty.
To create a WireGuard Peer, perform a POST request.
Use a region-specific endpoint to create a WireGuard Peer: https://vpn.{region}.ionos.com/wireguardgateways/{gatewayId}/peers
Below is the list of body parameters for creating a WireGuard Peer:

| Parameter | Required | Type | Description | Example |
|---|---|---|---|---|
| metadata | no | object | Metadata related to the WireGuard peer. | {} |
| properties | yes | object | Properties with all data needed to create a new WireGuard peer. Note: There is a limit of 20 peers per gateway. | |
| properties.name | yes | string | The human-readable name of the WireGuard peer. | My Company Gateway Peer |
| properties.description | no | string | Human-readable description of the WireGuard peer. | Allows local machine A to connect to Datacenter LAN Y. |
| properties.endpoint | yes | object | Properties needed to define the WireGuard endpoint. | |
| properties.endpoint.host | yes | string | Hostname or IPv4 address that the WireGuard server will connect to. | 198.51.100.0/24 |
| properties.endpoint.port | yes | integer | Port that the WireGuard server will connect to. | 51820 |
| properties.allowedIPs | yes | array | The subnet CIDRs that are allowed to connect to the WireGuard Gateway. Specify "a.b.c.d/xy" for an individual IP address. Specify "0.0.0.0/0" or "::/0" for all IP addresses. | ["198.51.100.0/24"] |
| properties.publicKey | yes | string | The public key for the WireGuard peer. | no8iaSEoqfbI6PVYsdEiUU5efYdtKX8VAhKity19MWI= |

You can update the gatewayId value to create the peer on a specific WireGuard Gateway:

| Parameter | Type | Description | Example |
|---|---|---|---|
| gatewayId | string | The ID (UUID) of the WireGuard Gateway. | 85c79b4b-5b40-570a-b788-58dd46ea71e2 |

To make authenticated requests to the API, the following fields are mandatory in the request header:

| Header | Required | Type | Description |
|---|---|---|---|
| Authorization | yes | string | The Bearer token enables requests to authenticate using a JSON Web Token (JWT). |
| Content-Type | yes | string | Set this to application/json. |

201 Successful operation
Result: The WireGuard Peer is successfully created. The id and other details of the created WireGuard Peer are provided in the response.
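A pre-flight check for peer bodies, as an added example that is not IONOS code. It enforces what the page states (mandatory peer fields, at most 20 peers per gateway, allowedIPs as CIDRs, a base64 public key), flags the catch-all "0.0.0.0/0" and "::/0" entries so they are used deliberately rather than by accident, and adds one WireGuard property the page does not spell out: an allowed IP range is routed to exactly one peer, so allowedIPs that overlap across peers are reported before one peer silently shadows another. All sample values are constructed except the page's documentation public key.

```python
"""Check a WireGuard Peer body, and a gateway's peer set, before calling the API.

Added example, not IONOS code. Sample values are constructed except the
page's documentation public key.
"""
import base64
import binascii
import ipaddress
from typing import Any, Dict, List

MAX_PEERS_PER_GATEWAY = 20          # stated on the page
CATCH_ALL = {"0.0.0.0/0", "::/0"}   # page: "for all IP addresses"
SAMPLE_PUBLIC_KEY = "no8iaSEoqfbI6PVYsdEiUU5efYdtKX8VAhKity19MWI="  # page's documentation sample


def is_wireguard_key(value: str) -> bool:
    """A WireGuard key is a base64-encoded 32-byte Curve25519 key."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def make_peer(name: str, host: str, port: int, allowed_ips: List[str], public_key: str) -> Dict[str, Any]:
    """Assemble a peer body in the shape documented on the page."""
    return {"metadata": {}, "properties": {"name": name, "endpoint": {"host": host, "port": port},
                                           "allowedIPs": list(allowed_ips), "publicKey": public_key}}


def validate_peer_body(body: Dict[str, Any]) -> Dict[str, List[str]]:
    """Return {'errors': [...], 'warnings': [...]}; any error means do not send the body."""
    errors: List[str] = []
    warnings: List[str] = []
    props = body.get("properties", {})
    for field in ("name", "endpoint", "allowedIPs", "publicKey"):
        if field not in props:
            errors.append(f"properties.{field} is mandatory")
    if errors:
        return {"errors": errors, "warnings": warnings}
    endpoint = props["endpoint"]
    if not isinstance(endpoint.get("host"), str) or not endpoint["host"]:
        errors.append("endpoint.host must be a hostname or IPv4 address")
    port = endpoint.get("port")
    if not (isinstance(port, int) and 1 <= port <= 65535):
        errors.append("endpoint.port must be an integer between 1 and 65535")
    if not props["allowedIPs"]:
        errors.append("allowedIPs must contain at least one CIDR")
    for cidr in props["allowedIPs"]:
        try:
            iface = ipaddress.ip_interface(cidr)
        except ValueError:
            errors.append(f"allowedIPs entry {cidr!r} is not a valid CIDR")
            continue
        if iface.ip != iface.network.network_address:
            warnings.append(f"{cidr} has host bits set; the route is really {iface.network}")
        if cidr in CATCH_ALL:
            warnings.append(f"{cidr} sends all traffic of that address family to this peer; "
                            "prefer listing the remote subnets explicitly")
    if not is_wireguard_key(props["publicKey"]):
        errors.append("publicKey must be a base64-encoded 32-byte WireGuard key")
    return {"errors": errors, "warnings": warnings}


def peer_set_problems(existing_peers: List[Dict[str, Any]], new_peer: Dict[str, Any]) -> List[str]:
    """Problems with adding new_peer next to the peers already on the gateway."""
    problems: List[str] = []
    if len(existing_peers) >= MAX_PEERS_PER_GATEWAY:
        problems.append(f"gateway already has the maximum of {MAX_PEERS_PER_GATEWAY} peers")
    new_nets = [ipaddress.ip_network(c, strict=False) for c in new_peer["properties"]["allowedIPs"]]
    for peer in existing_peers:
        for cidr in peer["properties"]["allowedIPs"]:
            net = ipaddress.ip_network(cidr, strict=False)
            for new in new_nets:
                if new.version == net.version and new.overlaps(net):
                    problems.append(f"{new} overlaps {net} already routed to peer "
                                    f"'{peer['properties']['name']}'")
    return problems


if __name__ == "__main__":
    site_a = make_peer("site-a", "peer-a.example.com", 51820, ["198.51.100.0/24"], SAMPLE_PUBLIC_KEY)
    site_b = make_peer("site-b", "peer-b.example.com", 51820, ["198.51.100.128/25"], SAMPLE_PUBLIC_KEY)
    print(validate_peer_body(site_a))
    print(peer_set_problems([site_a], site_b))
```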
Ensures that the WireGuard Peer with the provided ID is created or modified. Remember to provide the full WireGuard Peer specification to ensure the WireGuard Peer with the respective ID is created or updated. Fields left empty are filled with default values or remain empty; previously provided values are not reused for these empty fields.
To ensure that the WireGuard Peer with the provided ID is created or modified, perform a PUT request.
Note: If no WireGuard Peer exists for the given peerId, a new one is created instead.
Use a region-specific endpoint to ensure that the WireGuard Peer is created or modified: https://vpn.{region}.ionos.com/wireguardgateways/{gatewayId}/peers/{peerId}
Note: The following request contains a sample gatewayId and peerId. Replace them with the gatewayId and peerId of the WireGuard Peer you want to update.
Below is the list of mandatory path parameters:

| Parameter | Type | Description | Example |
|---|---|---|---|
| gatewayId | string | The ID (UUID) of the WireGuard Gateway. | 85c79b4b-5b40-570a-b788-58dd46ea71e2 |
| peerId | string | The ID (UUID) of the WireGuard Peer. | b62b3a40-adee-5b6c-b98d-be20bfcbdd91 |

Below is the list of fields returned in the response for a WireGuard Peer:

| Field | Type | Description | Example |
|---|---|---|---|
| id | string | The unique identifier (UUID) for the WireGuard Peer. | b62b3a40-adee-5b6c-b98d-be20bfcbdd91 |
| metadata | object | Metadata related to the WireGuard Peer. | {} |
| properties | object | Properties of the WireGuard Peer. | |
| properties.name | string | The human-readable name of the WireGuard Peer. | My Company Gateway Peer |
| properties.description | string | Human-readable description of the WireGuard Peer. | Allows local machine A to connect to Datacenter LAN Y. |
| properties.endpoint | object | Endpoint details for the WireGuard Peer. | |
| properties.endpoint.host | string | The host IP address or domain for the WireGuard Peer. | 198.51.100.0/24 |
| properties.endpoint.port | integer | The port number for the WireGuard Peer. | 51820 |
| properties.allowedIPs | array | The subnet CIDRs that are allowed to connect to the WireGuard Gateway. | ["198.51.100.0/24"] |
| properties.publicKey | string | The public key for the WireGuard Peer. | no8iaSEoqfbI6PVYsdEiUU5efYdtKX8VAhKity19MWI= |

To make authenticated requests to the API, the following fields are mandatory in the request header:

| Header | Required | Type | Description |
|---|---|---|---|
| Authorization | yes | string | The Bearer token enables requests to authenticate using a JSON Web Token (JWT). |
| Content-Type | yes | string | Set this to application/json. |

200 Successful operation
Result: The WireGuard Peer is successfully updated or created.
Returns the WireGuard Peer by ID.
To retrieve the WireGuard Peer, perform a GET request.
Use a region-specific endpoint to retrieve a WireGuard Peer: https://vpn.{region}.ionos.com/wireguardgateways/{gatewayId}/peers/{peerId}
You can update the gatewayId and peerId values to get a specific WireGuard Peer for a given gateway:

| Parameter | Type | Description | Example |
|---|---|---|---|
| gatewayId | string | The ID (UUID) of the WireGuard Gateway. | 85c79b4b-5b40-570a-b788-58dd46ea71e2 |
| peerId | string | The ID (UUID) of the WireGuard Peer. | b62b3a40-adee-5b6c-b98d-be20bfcbdd91 |

To make authenticated requests to the API, the following fields are mandatory in the request header:

| Header | Required | Type | Description |
|---|---|---|---|
| Authorization | yes | string | The Bearer token enables requests to authenticate using a JSON Web Token (JWT). |
| Content-Type | no | string | Set this to application/json. |

200 Successful operation
Result: The WireGuard Peer and its details for the specified gatewayId and peerId are successfully obtained.
Deletes the specified WireGuard Peer.
To delete a WireGuard Peer, perform a DELETE request with the gatewayId of the WireGuard Gateway and the peerId of the WireGuard Peer.
Use a region-specific endpoint to delete the WireGuard Peer: https://vpn.{region}.ionos.com/wireguardgateways/{gatewayId}/peers/{peerId}
Note: The following request contains a sample gatewayId and peerId. Replace them with the gatewayId and peerId of the WireGuard Peer you want to delete.
You can update the gatewayId and peerId values to delete a specific WireGuard Peer for a given gateway:

| Parameter | Type | Description | Example |
|---|---|---|---|
| gatewayId | string | The ID (UUID) of the WireGuard Gateway. | 85c79b4b-5b40-570a-b788-58dd46ea71e2 |
| peerId | string | The ID (UUID) of the WireGuard Peer. | b62b3a40-adee-5b6c-b98d-be20bfcbdd91 |

To make authenticated requests to the API, the following fields are mandatory in the request header:

| Header | Required | Type | Description |
|---|---|---|---|
| Authorization | yes | string | The Bearer token enables requests to authenticate using a JSON Web Token (JWT). |

202 Successful operation
Result: The WireGuard Peer with the specified gatewayId and peerId is successfully deleted.
Operations to create and manage IPSec VPN Gateways. This tag groups all operations for ipsecgateways.
To retrieve all the IPSec Gateways, perform a GET request.
Use a region-specific endpoint to retrieve all IPSec Gateways: https://vpn.{region}.ionos.com/ipsecgateways
Below is the list of optional Path Parameters:

| Parameter | Type | Description | Example |
|---|---|---|---|
| offset | integer | The first element (of the total list of elements) to include in the response. Use together with limit for pagination. Default: 0 | 0 |
| limit | integer | The maximum number of elements to return. Use together with offset for pagination. Default: 100 | 100 |

To make authenticated requests to the API, the following fields are mandatory in the request header:

| Header | Required | Type | Description |
|---|---|---|---|
| Authorization | yes | string | The Bearer token enables requests to authenticate using a JSON Web Token (JWT). |
| Content-Type | no | string | Set this to application/json. |

200 Successful operation
Result: All existing IPSec Gateways and their details are successfully obtained.
Returns the IPSec Gateway by ID.
To retrieve the IPSec Gateway, perform a GET request.
Use a region-specific endpoint to retrieve an IPSec Gateway: https://vpn.{region}.ionos.com/ipsecgateways/{gatewayId}
Note: The following request contains a sample gatewayId. Replace it with the gatewayId of the IPSec Gateway whose information you want to retrieve.
You can update the gatewayId value to get a specific IPSec Gateway:

| Parameter | Type | Description | Example |
|---|---|---|---|
| gatewayId | string | The ID (UUID) of the IPSec Gateway. | 66a114c7-2ddd-5119-9ddf-5a789f5a5a44 |

To make authenticated requests to the API, the following fields are mandatory in the request header:

| Header | Required | Type | Description |
|---|---|---|---|
| Authorization | yes | string | The Bearer token enables requests to authenticate using a JSON Web Token (JWT). |
| Content-Type | no | string | Set this to application/json. |

200 Successful operation
Result: The IPSec Gateway and its details for the specified gatewayId are successfully obtained.
The full IPSec Gateway needs to be provided to create the object. Optional data will be filled with defaults or left empty.
To create an IPSec Gateway, perform a POST request.
Use a region-specific endpoint to create an IPSec Gateway: https://vpn.{region}.ionos.com/ipsecgateways
Below is the list of body parameters for creating an IPSec Gateway:

| Parameter | Required | Type | Description | Example |
|---|---|---|---|---|
| metadata | no | object | Metadata | {} |
| properties | yes | object | Properties with all data needed to create a new IPSec Gateway. | |
| properties.name | yes | string | The human readable name of your IPSec Gateway. | My Company IPSec Gateway |
| properties.description | no | string | Human readable description of the IPSec Gateway. | This gateway connects site A to VDC X. |
| properties.gatewayIP | yes | string | Public IP address to be assigned to the gateway. | 192.0.2.0 |
| properties.connections | yes | array | The network connection for your gateway. | [ { "datacenterId": "5a029f4a-72e5-11ec-90d6-0242ac120003", "lanId": "2", "ipv4CIDR": "192.168.1.100/24", "ipv6CIDR": "2001:0db8:85a3::/24" } ] |
| properties.version | no | string | The IKE version that is permitted for the VPN tunnels. Default: "IKEv2". | IKEv2 |

To make authenticated requests to the API, the following fields are mandatory in the request header:

| Header | Required | Type | Description |
|---|---|---|---|
| Authorization | yes | string | The Bearer token enables requests to authenticate using a JSON Web Token (JWT). |
| Content-Type | yes | string | Set this to application/json. |

201 Successful operation
Result: The IPSec Gateway is successfully created. The id and other details of the created IPSec Gateway are provided in the response.
This endpoint deletes the specified IPSec Gateway.
To delete an IPSec Gateway, perform a DELETE request with the gatewayId of the IPSec Gateway.
Use a region-specific endpoint to delete an IPSec Gateway: https://vpn.{region}.ionos.com/ipsecgateways/{gatewayId}
Note: The following request contains a sample gatewayId. Replace it with the gatewayId of the IPSec Gateway you want to delete.
You can update the gatewayId value to delete a specific IPSec Gateway:

| Parameter | Type | Description | Example |
|---|---|---|---|
| gatewayId | string | The ID (UUID) of the IPSec Gateway. | 85c79b4b-5b40-570a-b788-58dd46ea71e2 |

To make authenticated requests to the API, the following fields are mandatory in the request header:

| Header | Required | Type | Description |
|---|---|---|---|
| Authorization | yes | string | The Bearer token enables requests to authenticate using a JSON Web Token (JWT). |

202 Successful operation
Result: The IPSec Gateway with the specified gatewayId is successfully deleted.
Enables retrieving all IPSec Tunnels using pagination and optional filters.
To retrieve all the IPSec Tunnels, perform a GET request.
Use a region-specific endpoint to retrieve all IPSec Tunnels: https://vpn.{region}.ionos.com/ipsecgateways/{gatewayId}/tunnels
Below is the list of optional Path Parameters:

| Parameter | Type | Description | Example |
|---|---|---|---|
| offset | integer | The first element (of the total list of elements) to include in the response. Use together with limit for pagination. Default: 0 | 0 |
| limit | integer | The maximum number of elements to return. Use together with offset for pagination. Default: 100 | 100 |

To make authenticated requests to the API, the following fields are mandatory in the request header:

| Header | Required | Type | Description |
|---|---|---|---|
| Authorization | yes | string | The Bearer token enables requests to authenticate using a JSON Web Token (JWT). |
| Content-Type | no | string | Set this to application/json. |

200 Successful operation
Result: All existing IPSec Tunnels and their details are successfully obtained.
Deletes the specified IPSecTunnel.
To delete an IPSec Tunnel, perform a DELETE request with the gatewayId of the IPSec Gateway and the tunnelId of the IPSec Tunnel.
Use a region-specific endpoint to delete an IPSec Tunnel: https://vpn.{region}.ionos.com/ipsecgateways/{gatewayId}/tunnels/{tunnelId}
Note: The following request contains a sample gatewayId and tunnelId. Replace them with the gatewayId and tunnelId of the IPSec Tunnel you want to delete.
You can update the gatewayId and tunnelId values to delete a specific IPSec Tunnel for a given gateway:

| Parameter | Type | Description | Example |
|---|---|---|---|
| gatewayId | string | The ID (UUID) of the IPSec Gateway. | 66a114c7-2ddd-5119-9ddf-5a789f5a5a44 |
| tunnelId | string | The ID (UUID) of the IPSec Tunnel. | c28b2d3e-7b15-53ca-ae88-6ae9378d6efe |

To make authenticated requests to the API, the following fields are mandatory in the request header:

| Header | Required | Type | Description |
|---|---|---|---|
| Authorization | yes | string | The Bearer token enables requests to authenticate using a JSON Web Token (JWT). |

202 Successful operation
Result: The IPSec Tunnel with the specified gatewayId and tunnelId is successfully deleted.
Ensures that the IPSec Gateway with the provided ID is created or modified. The full IPSec Gateway needs to be provided to ensure (either update or create) the IPSec Gateway. Data that is not present is only filled with defaults or left empty; previous values are not taken into consideration.
To ensure that the IPSec Gateway with the provided ID is created or modified, perform a PUT request.
Note: If no IPSec Gateway exists for the given gatewayId, a new one is created instead.
Use a region-specific endpoint to ensure that the IPSec Gateway is created or modified: https://vpn.{region}.ionos.com/ipsecgateways/{gatewayId}
Note: The following request contains a sample gatewayId. Replace it with the gatewayId of the IPSec Gateway you want to update.
Below is the list of mandatory path parameters for updating an IPSec Gateway:

| Parameter | Type | Description | Example |
|---|---|---|---|
| gatewayId | string | The ID (UUID) of the IPSec Gateway. | 66a114c7-2ddd-5119-9ddf-5a789f5a5a44 |

Below is the list of body parameters for updating an IPSec Gateway:

| Parameter | Required | Type | Description | Example |
|---|---|---|---|---|
| id | yes | string | The ID (UUID) of the IPSec Gateway. | 66a114c7-2ddd-5119-9ddf-5a789f5a5a44 |
| metadata | no | object | Metadata | {} |
| properties | yes | object | Properties with all data needed to update the IPSec Gateway. | |
| properties.name | yes | string | The human readable name of your IPSec Gateway. | My Company IPSec Gateway |
| properties.description | no | string | Human readable description of the IPSec Gateway. | This gateway connects site A to VDC X. |
| properties.gatewayIP | yes | string | Public IP address to be assigned to the gateway. | 192.0.2.0 |
| properties.connections | yes | array | The network connection for your gateway. | [ { "datacenterId": "5a029f4a-72e5-11ec-90d6-0242ac120003", "lanId": "2", "ipv4CIDR": "192.168.1.100/24", "ipv6CIDR": "2001:0db8:85a3::/24" } ] |
| properties.version | no | string | The IKE version that is permitted for the VPN tunnels. Default: "IKEv2". | IKEv2 |

To make authenticated requests to the API, the following fields are mandatory in the request header:

| Header | Required | Type | Description |
|---|---|---|---|
| Authorization | yes | string | The Bearer token enables requests to authenticate using a JSON Web Token (JWT). |
| Content-Type | yes | string | Set this to application/json. |

200 Successful operation
Result: The IPSec Gateway is successfully updated or created.
Returns the IPSec Tunnel by ID.
To retrieve the IPSec Tunnel, perform a GET request.
Use a region-specific endpoint to retrieve an IPSec Tunnel: https://vpn.{region}.ionos.com/ipsecgateways/{gatewayId}/tunnels/{tunnelId}
You can update the gatewayId and tunnelId values to get a specific IPSec Tunnel for a given gateway:

| Parameter | Type | Description | Example |
|---|---|---|---|
| gatewayId | string | The ID (UUID) of the IPSec Gateway. | 66a114c7-2ddd-5119-9ddf-5a789f5a5a44 |
| tunnelId | string | The ID (UUID) of the IPSec Tunnel. | c28b2d3e-7b15-53ca-ae88-6ae9378d6efe |

To make authenticated requests to the API, the following fields are mandatory in the request header:

| Header | Required | Type | Description |
|---|---|---|---|
| Authorization | yes | string | The Bearer token enables requests to authenticate using a JSON Web Token (JWT). |
| Content-Type | no | string | Set this to application/json. |

200 Successful operation
Result: The IPSec Tunnel and its details for the specified gatewayId and tunnelId are successfully obtained.
Ensures that the IPSec Tunnel with the provided ID is created or modified. The full IPSec Tunnel needs to be provided to ensure (either update or create) the IPSec Tunnel. Non present data will only be filled with defaults or left empty, but not take previous values into consideration.s
To ensure that the IPSec Tunnel with the provided ID is created or modified, perform PUT
request.
Note: If IPSec Tunnel for a given tunnelId
does not exist, a new one is created instead.
Use a region-specific endpoint to ensure that the IPSec Tunnel is created or modified: https://vpn.{region}.ionos.com/ipsecgateways/{gatewayId}/tunnels/{tunnelId}.
Note: The following request contains a sample gatewayId and tunnelId. Replace them with the gatewayId and tunnelId values whose information you want to update.
You can update the gatewayId and tunnelId values to specify the IPSec Gateway and Tunnel:
gatewayId
string
The ID (UUID) of the IPSec Gateway.
66a114c7-2ddd-5119-9ddf-5a789f5a5a44
tunnelId
string
The ID (UUID) of the IPSec Tunnel.
c28b2d3e-7b15-53ca-ae88-6ae9378d6efe
Below is the list of body parameters for updating an IPSec Tunnel (mandatory parameters are marked "yes"):
id
yes
string
The ID (UUID) of the IPSec Tunnel.
c28b2d3e-7b15-53ca-ae88-6ae9378d6efe
metadata
no
object
Metadata
{}
properties
yes
object
Properties with all data needed to update an IPSec Tunnel. Note: There is a limit of 20 tunnels per IPSec Gateway.
properties.name
yes
string
The human-readable name of your IPSec Gateway Tunnel.
My Updated Tunnel
properties.description
no
string
Human-readable description of the IPSec Gateway Tunnel.
Updated tunnel connecting site A to site B.
properties.remoteHost
yes
string
The fully qualified domain name or IPv4 address of the remote peer host to connect to.
203.0.113.1
properties.auth
yes
object
Properties with all data needed to define IPSec Authentication.
properties.auth.method
yes
string
The Authentication Method to use for IPSec Authentication. Default: "PSK". Options: PSK
PSK
properties.auth.psk
yes
object
Properties needed to define IPSec Authentication PSK. This is required if the method is PSK.
{ "secret": "your-psk-value" }
properties.ike
no
object
Settings for the initial security exchange phase.
{ "encryption": "AES-256", "hash": "SHA256" }
properties.esp
no
object
Settings for the IPSec SA (ESP) phase.
{ "encryption": "AES-256", "auth": "SHA256" }
properties.cloudNetworkCIDRs
yes
array
The network CIDRs on the "Left" side that are allowed to connect to the IPSec tunnel, that is, the CIDRs within your IONOS Cloud LAN.
["10.0.0.0/24", "203.0.113.0/24"]
properties.peerNetworkCIDRs
yes
array
The network CIDRs on the "Right" side that are allowed to connect to the IPSec tunnel.
["10.0.1.0/24", "198.51.100.0/24"]
To make authenticated requests to the API, the following fields are mandatory in the request header:
Authorization
yes
string
The Bearer token to enable requests to authenticate using a JSON Web Token (JWT).
Content-Type
yes
string
Set this to application/json.
200 Successful operation
The following is an example of the response when an IPSec Tunnel is successfully created.
Result: The IPSec Tunnel is successfully updated or created.
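The PUT call above replaces the whole tunnel object, so it pays to assemble and check the body locally before sending it. The following is an added example written for this page, not IONOS code: it builds the request from the fields documented in the table, enforces the 20-CIDR limit per side and the FAQ's 32-character PSK recommendation, and only sends if you set IONOS_TOKEN. Two choices are this example's own assumptions: a CIDR with host bits set (such as 10.0.0.5/24) is rejected as a mistake, and the ike/esp defaults echo the sample objects shown in the table.

```python
"""Build and sanity-check the PUT body for an IONOS IPSec tunnel before sending it.

Added example; not IONOS code. Field names, the endpoint pattern and the 20-CIDR
limit come from the API table on this page; the 32-character PSK minimum comes
from the FAQ. Rejecting CIDRs with host bits set is this example's own choice.
"""
import ipaddress
import json
import re
import secrets
import urllib.request
import uuid

MAX_CIDRS_PER_SIDE = 20   # "Specify up to 20 ... network addresses"
MIN_PSK_CHARS = 32        # FAQ: "a strong 32-character pre-shared key"
_FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}\.?$", re.I)


def generate_psk(nbytes: int = 24) -> str:
    """CSPRNG pre-shared key: 24 random bytes -> 32 URL-safe base64 characters."""
    return secrets.token_urlsafe(nbytes)


def check_remote_host(host: str) -> str:
    """remoteHost must be an IPv4 address or an FQDN (no IPv6 endpoints)."""
    try:
        ipaddress.IPv4Address(host)
        return host
    except ValueError:
        if _FQDN.match(host):
            return host
    raise ValueError(f"remoteHost must be an IPv4 address or FQDN: {host!r}")


def check_cidrs(side: str, cidrs: list[str]) -> list[str]:
    """Validate one traffic-selector side: parseable networks, no duplicates, <= 20."""
    if not cidrs:
        raise ValueError(f"{side}: at least one CIDR is required")
    if len(cidrs) > MAX_CIDRS_PER_SIDE:
        raise ValueError(f"{side}: at most {MAX_CIDRS_PER_SIDE} CIDRs, got {len(cidrs)}")
    seen, out = set(), []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)   # strict: host bits must be zero
        if net in seen:
            raise ValueError(f"{side}: duplicate CIDR {cidr}")
        seen.add(net)
        out.append(str(net))
    return out


def build_tunnel_put(region, gateway_id, tunnel_id, token, name, remote_host, psk,
                     cloud_cidrs, peer_cidrs, description="", ike=None, esp=None):
    """Return (url, headers, body) for PUT /ipsecgateways/{gatewayId}/tunnels/{tunnelId}."""
    uuid.UUID(gateway_id)          # both IDs are UUIDs; raises ValueError otherwise
    uuid.UUID(tunnel_id)
    if len(psk) < MIN_PSK_CHARS:
        raise ValueError(f"PSK shorter than {MIN_PSK_CHARS} characters")
    body = {
        "id": tunnel_id,           # must match the tunnelId in the path
        "properties": {
            "name": name,
            "description": description,
            "remoteHost": check_remote_host(remote_host),
            "auth": {"method": "PSK", "psk": {"secret": psk}},
            "ike": ike or {"encryption": "AES-256", "hash": "SHA256"},
            "esp": esp or {"encryption": "AES-256", "auth": "SHA256"},
            # "Left" side = your IONOS Cloud LAN CIDRs, "Right" side = the remote site.
            "cloudNetworkCIDRs": check_cidrs("cloudNetworkCIDRs", cloud_cidrs),
            "peerNetworkCIDRs": check_cidrs("peerNetworkCIDRs", peer_cidrs),
        },
    }
    url = f"https://vpn.{region}.ionos.com/ipsecgateways/{gateway_id}/tunnels/{tunnel_id}"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return url, headers, body


def send(url, headers, body):
    """PUT the body; the page documents 200 as success for both create and update."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="PUT")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


if __name__ == "__main__":
    import os
    url, headers, body = build_tunnel_put(
        region="de-fra",
        gateway_id="66a114c7-2ddd-5119-9ddf-5a789f5a5a44",   # sample IDs from the page
        tunnel_id="c28b2d3e-7b15-53ca-ae88-6ae9378d6efe",
        token=os.environ.get("IONOS_TOKEN", "<JWT>"),
        name="site-a-to-cloud", remote_host="203.0.113.1", psk=generate_psk(),
        cloud_cidrs=["10.0.0.0/24"], peer_cidrs=["10.0.1.0/24"])
    print(json.dumps(body, indent=2))   # review first; set IONOS_TOKEN to actually send
    if "IONOS_TOKEN" in os.environ:
        print(send(url, headers, body))
```

Keep the generated PSK out of logs and version control; it has to be entered verbatim on the remote device, so hand it over through a secrets channel rather than by repeating the API body.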
Action
Description
Learn how to set User privileges for VPN Gateway via the API.
Action
Description
Endpoint to retrieve all WireGuard VPN Gateways using pagination and optional filters.
Creates a new WireGuard VPN Gateway. The full configuration needs to be provided.
Retrieves details of a specific WireGuard VPN Gateway.
Ensures that a WireGuard VPN Gateway with the provided ID is created or modified.
Deletes the specified WireGuard Gateway.
Action
Description
Endpoint to retrieve all WireGuard Peers associated with a VPN Gateway using pagination and optional filters.
Creates a new WireGuard Peer. The full configuration needs to be provided.
Retrieves details of a specific WireGuard Peer.
Ensures that a WireGuard Peer with the provided ID is created or modified.
Deletes the specified WireGuard Peer.
Action
Description
Endpoint to retrieve all IPSec VPN Gateways using pagination and optional filters.
Creates a new IPSec VPN Gateway. The full configuration needs to be provided.
Retrieves details of a specific IPSec VPN Gateway.
Ensures that an IPSec VPN Gateway with the provided ID is created or modified.
Deletes the specified IPSec Gateway.
Action
Description
Endpoint to retrieve all IPSec VPN Tunnels associated with an IPSec VPN Gateway using pagination and optional filters.
Creates a new IPSec VPN Tunnel associated with an IPSec VPN Gateway. The full configuration needs to be provided.
Retrieves details of a specific IPSec VPN Tunnel.
Ensures that an IPSec VPN Tunnel with the provided ID is created or modified.
Deletes the specified IPSec Tunnel.
A regional endpoint is necessary to interact with the VPN Gateway REST API endpoints. For more information, see the API specification file.
Note: To prevent any failed requests, make sure to use the regional endpoint that corresponds to the location of the VDC where your VPN Gateway has been established.
IONOS supports the following endpoints for various locations:
Berlin, Germany: https://vpn.de-txl.ionos.com/clusters
Frankfurt, Germany: https://vpn.de-fra.ionos.com/clusters
Logroño, Spain: https://vpn.es-vit.ionos.com/clusters
London, Great Britain: https://vpn.gb-lhr.ionos.com/clusters
Newark, United States: https://vpn.us-ewr.ionos.com/clusters
Las Vegas, United States: https://vpn.us-las.ionos.com/clusters
Lenexa, United States: https://vpn.us-mci.ionos.com/clusters
Paris, France: https://vpn.fr-par.ionos.com/clusters
A Site-to-Site VPN Gateway is a network solution that establishes a secure, encrypted connection between two or more networks over the internet. This setup allows an on-premises network to connect securely with cloud resources, enabling seamless data transfer while ensuring data privacy and integrity. For example, IONOS VPN Gateway is a fully managed service that connects your data center or branch office to your IONOS Cloud resources using IPSec tunnels or WireGuard peers.
Our VPN Gateway supports both IPSec and WireGuard protocols. IPSec is widely used for its robust security features and flexibility, while WireGuard is known for its simplicity and high performance. These options allow you to choose the protocol that best suits your network's security and performance needs.
A Site-to-Site VPN enhances network security by encrypting data traffic between your on-premises network and your cloud resources. This encryption protects data from interception and tampering during transit, ensuring that sensitive information remains confidential and secure. It also provides a secure connection for applications and services that require a high level of security.
Setting up a Site-to-Site VPN Gateway with IPSec involves several key steps:
Reserve a public IPv4 address via our Data Center Designer (DCD) or Cloud API.
Create an IPSec VPN gateway, configuring it with a relevant tier, high availability, IP address, virtual data center, and LANs that will use the gateway.
Configure the IPSec tunnels by specifying parameters such as the pre-shared key (PSK), IKE version, encryption, and integrity algorithms.
Set up your on-premises VPN device to match these parameters.
Establish the connection and verify that the tunnel is active by checking the tunnel status and logs.
Setting up a Site-to-Site VPN Gateway with WireGuard involves these steps:
Reserve a public IPv4 address via our DCD or Cloud API.
Create a WireGuard VPN gateway, configuring it with the tier, high availability, IP address, virtual data center, and LANs that will use the gateway. You can also define a maintenance period.
Generate public and private keys for your WireGuard peers.
Configure the WireGuard interface by adding peers, allowed IPs, and endpoints.
Sync the configuration with your on-premises WireGuard devices.
Establish the connection and verify its status by checking the tunnel status and logs.
Yes, you can use both IPSec and WireGuard tunnels simultaneously to connect resources between the same virtual data center networks and remote networks. This setup requires creating and configuring separate VPN gateway instances for each protocol, allowing you to take advantage of the unique benefits of each protocol.
An IPSec Tunnel or a WireGuard Peer allows for extensive connectivity options while keeping the configuration manageable.
Ensure that all LANs connected to a gateway belong to the same VDC; this keeps management and configuration streamlined.
Yes, we provide a comprehensive VPN Gateway API, along with a GO SDK and Terraform tooling. These tools enable automation of various gateway-related tasks, ensuring seamless integration with your DevOps workflow and simplifying the management of VPN gateways.
Yes, our VPN Gateway supports both IPv4 and IPv6, allowing your traffic to be sent across both network types. This capability helps future-proof your services and ensures broad accessibility. Note that tunnel endpoint and Gateway IP addresses are IPv4 only.
Currently, only static routing is available for the VPN gateway. Dynamic routing protocols like BGP are not supported at this time.
Yes, you can connect virtual data centers (VDCs) across different IONOS locations or regions. There are no region constraints, allowing one VDC to connect to another, regardless of their geographical location.
A private key in WireGuard is a critical component of the VPN security framework. It is the gateway's Curve25519 identity key: the WireGuard handshake uses it to authenticate the gateway to its peers and to derive the symmetric session keys that encrypt and authenticate the packets sent between IONOS Cloud and your remote infrastructure. Anyone holding the private key can impersonate the gateway, so only the corresponding public key may ever be shared.
You will need either of the following command line tools:
WireGuard Tools (WG): This provides the necessary commands to manage WireGuard configurations. Execute the following command in the command line tool to generate a private key:
Result: This single command does the following:
— Generates a private key and saves it to the private_key
file.
— Passes the private key to wg pubkey
, which outputs the corresponding public key to the public_key
file.
OpenSSL: The command-line tool is useful for managing SSL/TLS and cryptography. Execute the following commands to generate a key pair:
Result: The commands generate a DER-encoded private key file named private_key.der and a public key file named public_key.der:
— openssl genpkey -algorithm X25519 -outform der -out private_key.der generates the private key file private_key.der.
— openssl pkey -inform der -in private_key.der -pubout -outform der -out public_key.der derives the corresponding public key from the private key and writes it to public_key.der.
Note: Unlike the output of wg genkey and wg pubkey, these files are binary DER structures (PKCS#8 for the private key, SubjectPublicKeyInfo for the public key), not the bare keys WireGuard expects. In both files the raw 32-byte key is the final 32 bytes; extract and base64-encode those bytes before using them in a WireGuard configuration.
WireGuard keys are 32 bytes and are handled as 44-character base64 strings, a standard method for representing binary data as ASCII, which makes them easy to configure and transport.
Permissions: Ensure that the private key file has the correct file permissions to restrict access.
Backup: Keep a secure backup of your private key, but ensure it is stored safely to prevent unauthorized access.
Do not share it: Never share your private key with anyone. Only the public key is safe to share with peers.
If a private key may have been exposed, treat it as compromised: generate a new key pair, update the gateway and every remote peer to use the new public key, and remove the old public key from all peer configurations so the old key can no longer authenticate.
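The key-generation steps above can be reproduced without installing anything, which is also the quickest way to check a key before pasting it into the DCD. The following is an added example written for this page, not IONOS code or part of WireGuard: pure-Python X25519 per RFC 7748 that does what wg genkey and wg pubkey do, converts the DER files written by the openssl commands into the 44-character base64 form WireGuard uses, and strictly validates a key string. The two DER prefixes are the fixed headers openssl emits for X25519 PKCS#8 private keys and SubjectPublicKeyInfo public keys.

```python
"""WireGuard key pair handling in pure Python (added example; not from IONOS or WireGuard).

Reproduces `wg genkey | tee private_key | wg pubkey > public_key`, turns the
DER output of `openssl genpkey -algorithm X25519 -outform der` into a
WireGuard key string, and validates keys entered into the DCD.
"""
import base64
import secrets

_P = 2**255 - 19
_A24 = 121665
_BASE_U = 9
# openssl's X25519 DER: fixed header followed by the 32 raw key bytes.
PKCS8_X25519_PREFIX = bytes.fromhex("302e020100300506032b656e04220420")   # private key
SPKI_X25519_PREFIX = bytes.fromhex("302a300506032b656e032100")            # public key


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def clamp(sk: bytes) -> bytes:
    """RFC 7748 scalar clamping; wg genkey applies it before encoding the key."""
    b = bytearray(sk)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return bytes(b)


def _ladder(scalar: int, u: int) -> int:
    """X25519 Montgomery ladder, RFC 7748 section 5 (constant-time not attempted here)."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3 = pow(da + cb, 2, _P)
        z3 = x1 * pow(da - cb, 2, _P) % _P
        x2 = aa * bb % _P
        z2 = e * (aa + _A24 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, _P - 2, _P) % _P


def public_from_private(private_key: bytes) -> bytes:
    """Equivalent of `wg pubkey`: public = X25519(clamp(private), 9)."""
    scalar = int.from_bytes(clamp(private_key), "little")
    return _ladder(scalar, _BASE_U).to_bytes(32, "little")


def generate_keypair() -> tuple[str, str]:
    """Equivalent of `wg genkey` + `wg pubkey`: returns (private_b64, public_b64)."""
    sk = clamp(secrets.token_bytes(32))
    return b64(sk), b64(public_from_private(sk))


def decode_wg_key(key_b64: str) -> bytes:
    """Strict check for a Private Key / Public Key field: valid base64 decoding to 32 bytes."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except ValueError as exc:                       # binascii.Error is a ValueError
        raise ValueError(f"not valid base64: {key_b64!r}") from exc
    if len(raw) != 32:
        raise ValueError(f"WireGuard keys are 32 bytes, got {len(raw)}")
    return raw


def raw_from_der(der: bytes) -> bytes:
    """Extract the 32 key bytes from openssl's private_key.der or public_key.der."""
    if der[:-32] not in (PKCS8_X25519_PREFIX, SPKI_X25519_PREFIX):
        raise ValueError("not an X25519 PKCS#8 or SubjectPublicKeyInfo DER blob")
    return der[-32:]


def wg_key_from_der(der: bytes) -> str:
    """The string to paste into the DCD after using the openssl commands."""
    return b64(raw_from_der(der))


if __name__ == "__main__":
    priv, pub = generate_keypair()
    print("private:", priv)   # keep this one on the gateway only
    print("public: ", pub)    # this one goes to the remote peers
```

The test vector used below is Alice's key pair from RFC 7748 section 6.1, so the ladder is checked against a published value rather than only against itself.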
Our VPN Gateway employs industry-standard encryption techniques to ensure data security. IPSec uses strong encryption algorithms such as AES-256, while WireGuard leverages modern cryptographic primitives like ChaCha20 and Poly1305. These methods provide high levels of data security, protecting your information during transit.
Yes, you can customize the encryption and integrity algorithms used in IPSec tunnels. Supported algorithms include AES-128, AES-256, SHA-256, SHA-384, and SHA-512. These settings can be configured in the DCD or through the Cloud API, allowing you to tailor security to your specific requirements.
The VPN Gateway supports multiple encryption algorithms to suit different security and performance requirements:
AES-128 CCM12 with AES-XCBC: This encryption method is optimized for maximum throughput. It provides a good level of security while allowing for faster data transfer speeds, making it suitable for environments where performance is prioritized.
AES-256-GCM16 with SHA256: This combination offers a balance of speed and security. AES-256-GCM16 is widely regarded as secure and efficient, while SHA256 serves as the pseudo-random function for key derivation.
AES-256-GCM16 with SHA384/SHA512: For environments where maximum security is essential, this option utilizes AES-256-GCM16 for encryption, complemented by SHA384 or SHA512 for stronger key derivation. This setup is ideal for sensitive data transfers that require the highest level of protection.
Note: CCM and GCM are AEAD modes that authenticate the payload themselves. The paired algorithm (AES-XCBC, SHA256, SHA384 or SHA512) therefore acts as the IKEv2 pseudo-random function, not as a separate ESP integrity algorithm. Configure the remote device accordingly; a proposal that lists a separate integrity algorithm alongside an AEAD cipher will not match and IKE negotiation fails with NO_PROPOSAL_CHOSEN.
The VPN Gateway ensures data integrity through cryptographic hashing algorithms like SHA-256, SHA-384, and SHA-512. These algorithms verify that data has not been altered during transit, providing a secure communication channel and maintaining data integrity.
Our VPN gateway uses PSK (Pre-Shared Key) authentication. To authenticate your IPSec VPN tunnel, you must generate a pre-shared key (PSK), provide it during the creation of the tunnel, and configure the same key on the remote device. For security, use a strong PSK of at least 32 characters produced by a cryptographically secure random generator (for example, the Generate button in the DCD), not a word or phrase, and use a separate PSK for every tunnel.
Our IPSec VPN gateway supports IKEv2, a modern and secure version of the Internet Key Exchange protocol.
Additionally, you can view audit logs for VPN operations via the Activity log functionality, ensuring transparency and accountability.
No, our VPN service does not store or process customer data. It is designed to provide secure and private connections without handling or retaining user data.
WireGuard is known for its high performance and simplicity, offering lower overhead and faster connection setup times. IPSec, while more established, provides robust security and broader configurability but may have higher processing overhead. The choice between IPSec and WireGuard depends on your specific use cases and performance requirements.
For optimal VPN Gateway performance, consider the following:
Ensure appropriate bandwidth on both ends of the connection.
Select the right encryption and integrity algorithms based on your performance needs.
Regularly monitor your VPN connections and adjust configurations as needed to handle traffic load.
Each tunnel supports a maximum throughput of up to 1 Gbps, providing high-speed connectivity for data-intensive applications.
Several factors can influence VPN connection throughput, including the capability of your remote gateway, the bandwidth capacity of your connection, the average packet size, the protocol in use (TCP vs. UDP), and the network latency between the VPN Gateway and the remote network.
If the VPN connection is down, follow these troubleshooting steps:
Verify that the configuration settings on both sides of the tunnel match.
Check network connectivity, static routes, and firewall rules.
Ensure that the pre-shared keys and encryption algorithms are correctly configured.
Review logs on your on-premises gateway for any error messages and diagnostic information.
If issues persist, contact our support team for further assistance.
The Managed VPN Gateway service offers secure and scalable connectivity, enabling encrypted communication between your IONOS cloud resources in a VDC and remote networks, such as on-premises setups, multi-cloud environments, and private LANs in other VDCs.
Explore the key use cases for provisioning a VPN Gateway.
Learn how to set up VPN Gateway and manage VPN connections via the DCD.
Learn how to configure and manage WireGuard and IPSec VPN Gateways via the API, including creating, retrieving, updating, and deleting gateways and peers for secure network connectivity.
Learn how to use VPN Gateway for remote connectivity use cases.
To get answers to the most commonly encountered questions about VPN Gateway, see FAQs.
A VPN Gateway is a critical component in network infrastructure that facilitates secure, encrypted connections between different networks over the internet. It provides robust security features, including strong encryption, to protect data in transit. You can use it to connect on-premises networks to cloud networks or to connect different cloud networks. Organizations can use a VPN Gateway to ensure their sensitive data is transmitted securely over the internet, thus meeting compliance and regulatory requirements.
IONOS VPN Gateway supports IPSec and WireGuard VPN protocols, ensuring secure and reliable communication across geographically dispersed networks via IPSec tunnels or WireGuard peers, respectively. Based on the chosen VPN protocol, it supports multiple VPN tunnels/peers, allowing for scalable and flexible network architectures.
Note: You can set up a maximum of three VPN gateways in each region. To increase the quota for your contract, please contact IONOS Cloud Support.
When a user or a device initiates a connection to a network through a VPN Gateway, the gateway establishes a secure, encrypted tunnel/peer between the user and the target network. This process involves:
Authentication: The two ends authenticate each other before any traffic flows. IPSec tunnels use a pre-shared key and WireGuard peers use their public keys, so that only authorized gateways can join the network.
Encryption: VPN Gateway encrypts data packets using protocols like IPsec or WireGuard to ensure secure transmission over the internet.
Tunneling/Peering: The encrypted data packets are encapsulated within another packet, creating a secure tunnel/peer through which the data travels. This tunnel/peer protects the data from being intercepted or tampered with during transmission.
Routing: VPN Gateway routes the encrypted data packets to the appropriate destination within the target network. Once the data reaches its destination, it is decrypted and delivered to the intended recipient.
Maintaining Connectivity: VPN Gateway continuously monitors the connection to ensure stability and performance. It implements failover mechanisms to switch to backup connections if the primary connection is disrupted, ensuring continuous connectivity.
Users need appropriate privileges to create and manage VPN Gateways. The VPN Gateway has a specific group privilege called Access and manage VPN Gateway. When you enable this privilege for a group, its members inherit it through group settings, allowing them to manage the VPN gateways.
Prerequisite: Make sure you have one or more Groups in the User Manager. To create one, see Create a group.
To set user privileges to manage VPN Gateways, follow these steps:
1. In the DCD, go to Menu > Management > Users & Groups under Users.
2. Select the Groups tab in the User Manager window.
3. Select the appropriate group to assign relevant privileges.
4. In the Privileges tab, select Access and manage VPN Gateway.
Note: You can remove the privileges from the group by clearing Access and manage VPN Gateway.
Result: The privilege to manage VPN Gateways is granted to all the members in the selected group.
You can revoke a user's Access and manage VPN Gateway privilege by removing the user from all the groups that have this privilege enabled.
Warning: Disabling Access and manage VPN Gateway for a group revokes the privilege from every member of that group, not only from the user you intend to restrict.
To revoke this privilege from a contract administrator, disable the administrator option on the user account. On performing this action, the contract administrator gets the role of a contract user, and the privileges that were set up for the user before being an administrator will then be in effect.
Once a VPN Gateway is successfully created, the gateway is listed on the VPN Gateways page.
To view the VPN Gateways, follow these steps:
1. In the DCD, go to Menu > Network > VPN Gateway under Connectivity.
Result: A list of VPN Gateways created is displayed. For every VPN Gateway listed, you can view the following details:
NAME (PROTOCOL): Displays the name of the VPN Gateway and its chosen protocol.
REGION: Displays the region where the respective VPN Gateway is located.
STATE: Displays the state of the VPN Gateway. Possible values are as follows:
Provisioning: The VPN Gateway is still in creation.
Available: The VPN Gateway is available and functioning properly.
Unavailable: The VPN Gateway is unavailable and not in use.
Destroying: The VPN Gateway is being deleted.
TIER: Displays the plan chosen for the respective VPN Gateway.
LAST MODIFIED: Displays the date when the VPN Gateway details were last updated.
CREATE TUNNELS (IPSEC) / CREATE PEERS (WIREGUARD): Select to create tunnels for the IPSec or peers for the WireGuard protocols.
OPTIONS: Provides additional actions you can perform on the VPN Gateway, such as modifying or deleting the VPN Gateway.
For the selected VPN Gateway, you can view the System information, Setup & LAN connections, and Tunnels associated with it.
In Setup & LAN connections, you can view its properties, chosen tier and protocol, LAN connections associated with it, and the maintenance schedule. You can view or edit these details. For more information, see Create a VPN Gateway.
In Tunnels, you have the following options:
Add Tunnels: Option to add new tunnels.
Existing Tunnels: A list of existing tunnels with their names and options to edit or delete each tunnel.
The VPN Gateways page lists all your VPN Gateways.
Note: During the scheduled maintenance, you can only update the VPN gateway's name and description. You must wait until the maintenance process is finished before modifying the other details.
To update the VPN Gateway details, follow these steps:
1. In the DCD, go to Menu > Network > VPN Gateway under Connectivity.
2. In the VPN Gateways window, click on the name of the VPN Gateway to update its details. Alternatively, you can also click and select Details and Edit from the OPTIONS column.
3. Update the selected VPN Gateway details:
System information: Displays the state of the VPN Gateway, creation and modification details, UUID and the resource URN.
Download Configuration: Select this option to manually download the configuration details of the selected VPN Gateway. For more information, see Download Configuration.
Setup & LAN connections: You can modify the properties, upgrade from the current plan or change to high-availability or vice-versa, LAN connections, or the maintenance schedule.
Tunnels: You can update the details of an existing tunnel/peer or click Add Tunnels or Add Peers based on the chosen VPN Gateway protocol to add a new tunnel. For more information, see Update IPSec Tunnel and WireGuard Peer.
4. Select Save to update the VPN Gateway details with the changes made.
Result: The VPN Gateway is successfully updated.
1. For the selected VPN Gateway, choose the Tunnels tab to view its tunnels.
2. Select Edit to update the selected Tunnel.
3. Update the Tunnel details. To add a new tunnel, select Add Tunnels and specify the details.
4. Click Save to apply the changes.
Result: The selected Tunnel of the IPSec VPN Gateway is successfully updated.
1. For the selected VPN Gateway, choose the Peers tab to view its peers.
2. Click Edit to update the selected Peer.
3. Update the Peer details. To add a new Peer, select Add Peers and specify the details.
4. Click Save to apply the changes.
Result: The selected Peer of the WireGuard VPN Gateway is successfully updated.
You can manually export the configuration settings of your VPN gateway. This is suitable for remote or on-premise VPN configuration, backup purposes, troubleshooting, or migrating VPN settings to another system or location. The configuration file typically includes essential details such as network settings, authentication methods, encryption protocols, and routing information.
You can download the configuration file in a standard format and import it into compatible systems or modify it as needed for future use.
Note: — The configuration is specific to the chosen VPN Gateway protocol: IPSec or WireGuard. — The downloaded file is not a ready-to-use configuration for peers.
1. In the DCD, go to Menu > Network > VPN Gateway under Connectivity.
2. In the VPN Gateways window, click on the name of the VPN Gateway to update its details. Alternatively, you can also click and select Details and Edit from the OPTIONS column.
3. In the Gateway window, click Download Configuration.
Result: The file is downloaded into your local system and you can use an editor of your choice to view its details.
A VPN Gateway provides a secure way to access your data center, protecting your network and sensitive information.
To create a VPN Gateway, follow these steps:
1. In the DCD, go to Menu > Network > VPN Gateway under Connectivity.
2. Click Create VPN Gateway from the VPN Gateways page.
3. Enter the following details to configure your VPN Gateway:
4. Click Save to create the VPN gateway.
Result: Your VPN gateway's STATE is set to PROVISIONING during creation. When provisioning is finished, it becomes AVAILABLE. You can create IPSec Tunnels or WireGuard Peers when the VPN Gateway is still in PROVISIONING or after its STATE changes to AVAILABLE.
To define VPN Gateway properties, specify the following:
1. Name: Enter a name for the VPN Gateway.
2. Description: (Optional). You can add additional information about the VPN Gateway.
3. Location: Select a location of your preference from the drop-down list.
4. IP Address: Select the IP Address from the drop-down list.
Note: Ensure that: — you have reserved IP addresses for the respective location using IP Management. — the IP Address and the chosen data center are in the same location.
The number of LANs and tunnels/peers differ for each tier. You can couple a tier with high availability to configure an active-passive mode for an uninterrupted connection during a failover.
When you enable High Availability for the chosen tier, the virtual machines operate in an active-passive mode to minimize the downtime during a failover.
1. Based on your needs, you can choose a tier from the following:
Tier
Resources
Description
— Standard VPN — Standard VPN + High Availability
A maximum of five LANs and 10 IPSec Tunnels or Wireguard Peers.
You can upgrade the tier to Enhanced VPN or Premium VPN with or without high availability.
— Enhanced VPN — Enhanced VPN + High Availability
A maximum of 10 LANs and 20 IPSec Tunnels or Wireguard Peers.
You can upgrade the tier to Premium VPN with or without high availability.
— Premium VPN — Premium VPN + High Availability
A maximum of 15 LANs and 30 IPSec Tunnels or Wireguard Peers. It is highly recommended for mission-critical or production workloads.
Note: — You can upgrade the tiers as described, but downgrading is not allowed. — The chosen tier in addition to the selection of a HA determines the cost of the VPN Gateway. For more information, see FAQs.
2. High Availability: Select the checkbox to ensure high availability and redundancy for the VPN connections so that the downtime is minimal in case of failures. Redundant VPN tunnels automatically take over during failures.
You can create VPN Gateways using either the IPSec or WireGuard® protocols.
Prerequisites:
IPSec requires Tunnels before they can be used.
WireGuard requires Peers.
Each protocol offers different features and requires distinct configuration steps:
For IPSec, the Version is set to IKEv2, by default.
Enter the following details:
Private Key: Enter the gateway's WireGuard private key (base64). Configure only the corresponding public key on your remote peers; the private key itself must never leave the gateway configuration. For more information about generating a key pair, see FAQs.
Interface IPv4 IP: Mandatory if IPv6 is not provided.
Interface IPv6 IP: Mandatory if IPv4 is not provided.
Listen Port (optional): Specifies the UDP port on which a WireGuard interface will listen for incoming encrypted VPN packets.
You can specify the LANs you want to connect to the data center in the VDC. You can add new ones, delete, or edit existing ones.
Note: — Ensure that the selected Private IP address is not already in use within the VDC. — We recommend using an IP address from the LAN allocated CIDR range from .2 to .9.
1. Datacenter: Select a data center from the drop-down list to associate it with the VPN Gateway. The available data centers in the drop-down list vary according to the chosen Location.
2. Connections: Select Add LAN Connection to choose a LAN for the data center. You can select an IPv4 CIDR (and an IPv6 CIDR, which is optional) for your LAN connection.
The DCD offers a visual representation of the LANs that are connected to the VPN Gateway.
The maintenance window starts at your chosen start time (UTC) and lasts four hours.
Note: — We recommend choosing the day and time appropriately because the maintenance occurs in a 4-hour-long window. — During the scheduled maintenance, you can only update the VPN gateway's name and description. You must wait until the maintenance process is finished before modifying the other details.
1. DAY: Select a day from the drop-down list to set a day for maintenance.
To update an IPSec Tunnel or a WireGuard Peer, follow these steps:
1. In the DCD, go to Menu > Network > VPN Gateway under Connectivity.
2. In the VPN Gateways window, click on the name of the VPN Gateway to update its associated Tunnels or Peers. Alternatively, you can also click and select Details and Edit from the OPTIONS column.
3. For the selected VPN Gateway, you can choose:
Tunnels tab to view tunnels for selected VPN Gateway.
Peers tab to view peers for selected VPN Gateway.
4. Select Edit to update selected Tunnel or Peer.
5. Update the necessary details.
6. To add a new:
Tunnel, select Add Tunnels and specify the details.
Peer, select Add Peers and specify the details.
7. Click Save to update the details with the changes made.
Result: The selected Tunnel or Peer is successfully updated.
Note:
You cannot delete LANs or a VDC containing VPN Gateway-connected LANs. Remember to delete the VPN gateway before deleting the connected VDC.
VPN Gateways that are in the Provisioning state can be deleted via the DCD or via the Cloud API.
To delete a VPN Gateway, follow these steps:
1. In the DCD, go to Menu > Network > VPN Gateway under Connectivity.
2. In the OPTIONS column for the selected VPN Gateway, click and select Delete Gateway.
3. Select Delete to confirm deletion.
Result: The STATE of the respective VPN Gateway is set to DESTROYING before it is completely deleted.
After creating a VPN Gateway, you can create a Tunnel or a Peer based on your chosen VPN Gateway protocol.
To create tunnels or peers, follow these steps:
1. In the DCD, go to Menu > Network > VPN Gateway under Connectivity.
2. On the VPN Gateways page, click Create Tunnels or Create Peers based on the chosen VPN Gateway protocol.
3. Enter the following details:
Enter the following details in the Create IPSec Tunnel page:
Tunnel name: Enter a tunnel name.
Description: (Optional). Enter a description.
Remote host: Enter the valid public IPv4 address or Fully Qualified Domain Name (FQDN) of the remote VPN device.
Pre-shared key (PSK): Enter a valid key or click Generate to automatically generate a key.
IKE (initial security exchange phase): Select an appropriate value from the drop-down list for the following:
Diffie-Hellman Group
Encryption Algorithm
Integrity Algorithm
Lifetime: Specify a value from 3600 seconds to a maximum of 604800 seconds.
ESP (IPSec SA phase): Select an appropriate value from the drop-down list for the following:
Diffie-Hellman Group
Encryption Algorithm
Integrity Algorithm
Lifetime: Specify a value from 600 seconds to a maximum of 86400 seconds.
Enter the following details:
Cloud Network CIDRs: Specify up to 20 IPv4 or IPv6 network addresses, separated by commas, on IONOS Cloud that can connect to the tunnel.
Peer Network CIDRs: Specify up to 20 IPv4 or IPv6 network addresses, separated by commas, on the peer side that can connect to the tunnel.
Enter the following details in the Create WireGuard peer page:
Peer Name: Enter a peer name.
Description: (Optional). Enter a description.
You can optionally specify the remote peer's endpoint so that the gateway can initiate the connection to it. If you leave the endpoint empty, the gateway cannot start the handshake itself: the remote peer must initiate, and the gateway learns the peer's current address from the first authenticated packet it receives (standard WireGuard behaviour for roaming peers).
Endpoint host: Enter the remote peer's public IPv4 address or an FQDN.
Endpoint port: Enter a port number, or use the up or down arrows to choose one. This is the UDP port on which the remote peer's WireGuard interface listens for incoming encrypted VPN packets.
Specify the following details to establish a secure connection.
Allowed IPs: Specify up to 20 IPv4 or IPv6 network addresses, separated by commas from which the traffic must be allowed to reach the respective peer. Traffic from all IP addresses are sent to the peer if you do not specify the network addresses.
Public Key: Remember to specify a public key for a secure transmission. The key is used to validate the sender and encrypt the data.
4. Click Save to save the configuration.
You can delete the tunnel/peer that is associated with the chosen VPN Gateway protocol.
1. In the DCD, go to Menu > Network > VPN Gateway under Connectivity.
2. In the VPN Gateways window, click on the name of the VPN Gateway to delete an associated peer/tunnel. Alternatively, you can also click and select Details and Edit from the OPTIONS column.
3. Follow these steps to delete a tunnel or a peer:
1. For the selected VPN Gateway, choose the Tunnels tab to view its tunnels.
2. Select Delete for the tunnel you want to remove.
3. Select Delete to confirm the deletion.
Result: The selected tunnel is deleted and is no longer associated with the VPN IPSec Gateway.
1. For the selected VPN Gateway, choose the Peers tab to view its peers.
2. Select Delete for the peer you want to remove.
3. Select Delete to confirm the deletion.
Result: The selected peer is deleted and is no longer associated with the VPN WireGuard Gateway.
A VPN Gateway enables secure, encrypted communications between roaming users, on-premise networks, and cloud resources. This tutorial demonstrates how you can configure VPN Gateway in IONOS Cloud to create a site-to-site setup between an IONOS Cloud VDC and a simulated on-prem installation.
The primary goal of this tutorial is to configure a site-to-site VPN between IONOS Cloud and your on-premise setup by utilising a Managed VPN Gateway in the IONOS Cloud and a user-managed on-prem gateway.
This tutorial demonstrates the use of two VDCs:
de/txl as IONOS's VDC
gb/lhr simulates your on-prem setup.
Instead of two managed gateways, as in the VDC-to-VDC use case, this demonstration uses a single managed gateway in de/txl.
For the user-managed gateway, we use an on-prem simulation: we install the components and manually configure IPSec on a virtual server to complete the setup.
The following information is necessary to set up a connection between an IPSec VDC and an on-prem VDC:
Each VPN Gateway must be assigned a public IP address. Ensure you have an IPBlock with at least one free IP to assign to each gateway before proceeding.
This tutorial uses 10.10.1.0/24 and 10.10.2.0/24 for the private LANs in the IONOS Cloud. Each gateway must be assigned an IP address from its subnet. We will use .5: the VPN Gateway is not DHCP aware, so you should assign an IP address outside the DHCP pool, which ranges from .2 to .9.
Note: gb/lhr is a user-managed gateway and uses its LAN host address of .10 instead. Hence the above statement does not apply to this data center.
Our current IPSec implementation supports PSK (certificate support is expected in the future). When provisioning gateways with the DCD, generate a PSK that is at least 32 characters long. The following commands show how to generate your own PSK:
Linux
openssl rand -base64 48
head -c 32 /dev/urandom | base64
Windows
# New-Object byte[] 32 alone yields an all-zero array, so the bytes must be filled from a CSPRNG before encoding
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
[System.Convert]::ToBase64String($bytes) | Set-Content -Path .\psk.txt -Encoding ASCII
The execution process is divided into the following steps:
Below are some screenshots from the DCD that contains the required VDCs.
Two virtual servers are provisioned on IONOS Cloud connected to each other via a private LAN. In this instance, LAN1 uses a custom subnet of 10.10.1.0/24.
We address these two servers as .10 and .11 respectively.
Imagine the gb/lhr VDC as your site. Two virtual servers are provisioned; host 1 has been configured with internet access and will be the on-prem host acting as your user-managed gateway. We address these two servers as .10 and .11 respectively.
In the DCD, go to Menu > Network > VPN Gateway under Connectivity.
Click Create VPN Gateway from the VPN Gateways window.
Enter the following details:
The IPSec protocol is selected by default and no other configuration parameters are required.
Attach a VPN Gateway to LANs in IONOS Cloud. Note that it is only possible to connect to LANs present in the same location that the VPN Gateway was provisioned. Let us look at the parameters required:
Once a Datacenter has been selected, click Add LAN Connection to launch an additional pop-up window to set the following properties:
Click Save and wait for the gateway to complete provisioning. This will typically take 10-15 minutes but further operations on the gateway will be instantaneous.
Now that the VPN Gateway instance is provisioned, next step is to configure a tunnel to permit the two sides to talk with each other. We will need to configure a tunnel on both gateways but the on-prem will be configured using IPSec configuration files.
Click Create Tunnels to begin configuring a new tunnel.
Enter the following details to configure a tunnel:
Set the PSK as shown:
Note: Typically, both sites will have the same exchange settings. If, however, the configuration differs on both sides, the two gateways will negotiate to agree on the most secure settings.
Here you can set the various encryption and integrity algorithms, Diffie-Hellman Group and lifetimes for the IKE exchange phase. The available options here are aligned with BSI best practices, for the purposes of the demonstration. However, we will accept the default selections.
Note: Typically, both sites will have the same ESP settings. If, however, the configuration differs on both sides, the two gateways will negotiate to agree on the most secure settings.
Here you can set the various encryption and integrity algorithms, Diffie-Hellman Group and lifetimes for the ESP phase. The available options here are aligned with BSI best practices, for the purposes of the demonstration. However, we will accept the default selections.
Configure the appropriate subnets in CIDR format that are permitted to connect to the tunnel.
Click Save to save the tunnel configuration. This operation should typically be completed within a minute or two.
In this tutorial, Host 1 in gb/lhr acts as the user-managed gateway. The host has internet access, so SSH can be used instead of the web console. Start by establishing an SSH connection to the public IPv4 address of host 1 in London.
Currently, it is not possible to automate adding routes on LAN hosts so that the required subnets are routed over the VPN Gateway. In this section, we manually add the required routes. Remember to add them to the LAN hosts in both VDCs.
Note: In the above example, the routes we added will not persist across a reboot. You must determine how to set persistent routes for your choice of operating system.
de/txl route
You should now be able to ping hosts in the simulated on-prem setup in gb/lhr from cloud hosts in de/txl, and vice versa.
You have successfully configured a site-to-site VPN between the IONOS Cloud and your on-premise setup by utilising a Managed VPN Gateway in the cloud and a user-managed on-prem gateway.
The tutorials guide you in navigating the common use cases for remote connectivity.
Creates a new IPSec Tunnel.
The full IPSec Tunnel needs to be provided to create the object. Optional data will be filled with defaults or left empty.
To create an IPSec Tunnel, perform a POST request.
Use the endpoint https://vpn.{region}.ionos.com/ipsecgateways/{gatewayId}/tunnels to create an IPSec Tunnel.
Replace the gatewayId value with the ID of the specific IPSecGateway:
Below is the list of mandatory body parameters for updating an IPSec Tunnel:
To make authenticated requests to the API, the following fields are mandatory in the request header:
201 Successful operation
Result: The IPSec Tunnel is successfully created. The id and other details of the created IPSec Tunnel are provided in the response.
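As an added example (not IONOS's own client code), the following Python builds and validates the POST request described above, enforcing the limits this page documents: a public IPv4 address or FQDN for remoteHost, the mandatory properties, and at most 20 well-formed CIDRs per side. The region string and bearer token are placeholders; the PSK is not part of the documented body, so it is not included.

```python
import ipaddress
import re
# Limits as documented on this page: at most 20 CIDRs per side, and the
# remote host must be a public IPv4 address or an FQDN.
MAX_CIDRS = 20
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

# Example values taken from the page's own tables (constructed request, not a live call).
EXAMPLE_PROPS = {
    "name": "customer_site",
    "remoteHost": "194.164.123.149",
    "auth": {"ike": {"encryption": "AES-256", "hash": "SHA256"},
             "esp": {"encryption": "AES-256", "auth": "SHA256"}},
    "cloudNetworkCIDRs": ["10.10.1.0/24"],
    "peerNetworkCIDRs": ["10.10.2.0/24"],
}

def check_cidrs(label, cidrs):
    """Reject empty lists, more than 20 entries, or malformed CIDRs."""
    if not 1 <= len(cidrs) <= MAX_CIDRS:
        raise ValueError(f"{label}: expected 1..{MAX_CIDRS} CIDRs, got {len(cidrs)}")
    for cidr in cidrs:
        # strict=True rejects e.g. 10.10.1.5/24 (host bits set), a common copy-paste slip
        ipaddress.ip_network(cidr, strict=True)

def check_remote_host(host):
    """Accept an IPv4 literal or an FQDN; IPv6 and free text are rejected."""
    try:
        ipaddress.IPv4Address(host)
        return
    except ValueError:
        pass
    if not FQDN_RE.match(host):
        raise ValueError(f"remoteHost must be an IPv4 address or FQDN: {host!r}")

def build_create_tunnel_request(region, gateway_id, props, token):
    """Validate the mandatory properties and return (url, headers, body) for the POST."""
    for key in ("name", "remoteHost", "auth", "cloudNetworkCIDRs", "peerNetworkCIDRs"):
        if key not in props:
            raise ValueError(f"missing mandatory property: {key}")
    if not {"ike", "esp"} <= set(props["auth"]):
        raise ValueError("auth must contain both 'ike' and 'esp' settings")
    check_remote_host(props["remoteHost"])
    check_cidrs("cloudNetworkCIDRs", props["cloudNetworkCIDRs"])
    check_cidrs("peerNetworkCIDRs", props["peerNetworkCIDRs"])
    url = f"https://vpn.{region}.ionos.com/ipsecgateways/{gateway_id}/tunnels"
    # Bearer JWT and JSON content type are the two mandatory headers on this page
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return url, headers, {"properties": props}
```

Serialize the returned body with json.dumps and send it with any HTTP client; a 201 response carries the new tunnel's id.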
The cost of a VPN Gateway is determined by the chosen tier, HA selection, instance lifetime, and the amount of egress traffic. For detailed pricing information, refer to the . You can also compare the prices using the .
Yes, the number of LANs, IPSec Tunnels, or WireGuard Peers varies based on the chosen tier. For more information about the limitations, see .
Yes, contract owners and administrators can enable necessary privileges for sub-users via the or the .
Yes, VPN Gateway supports automatic failover. For more information, see .
2. TIME: Enter a time using the pre-defined format (hh:mm:ss) to schedule the maintenance task. You can also click the icon to set a time.
| Components | Left (de/txl) | Right (gb/lhr) |
| --- | --- | --- |
| Gateway Public Address | 212.132.124.163 | 194.164.123.149 |
| LAN ID | 1 | 2 (Not applicable in this use case) |
| LAN Subnet | 10.10.1.0/24 | 10.10.2.0/24 |
| Gateway LAN Address | 10.10.1.5 | 10.10.2.10 |
| Pre-Shared Key | Remember to use your key. Example: vP7ypxAiVbmXv8mCwLMpYcsCCzZBwu/nbhxUImkb8ks= | Same key as the left side |
| Components | Description | Example |
| --- | --- | --- |
| Description | A descriptive text for the gateway. It is limited to 1024 characters. | |
| IP Address | A drop-down list of available public IPv4 Addresses. | 212.132.124.163 |
| Location | A drop-down list of available locations for VPN Gateway. | de/txl |
| Name | A descriptive name for the gateway instance. This does not need to be globally unique, but is restricted to 255 characters. | site_to_site |
| Components | Description | Example |
| --- | --- | --- |
| Datacenter | A drop-down that lists VDCs in the same location as the gateway | de/txl |
| Connections | A list of connected LANs and the LAN addresses | See below |

| Components | Description | Example |
| --- | --- | --- |
| LAN | The ID of the LAN to connect to | 1 |
| IPv4 CIDR | The LAN IPv4 address assigned to the gateway for this subnet in CIDR notation | 10.10.1.5/24 |
| IPv6 CIDR | The LAN IPv6 address assigned to the gateway for this subnet in CIDR notation | Not applicable |
| Components | Description | Example |
| --- | --- | --- |
| Tunnel Name | Specify a name for the tunnel. It does not need to be globally unique and is limited to 255 characters. | customer_site |
| Description | More descriptive text for the tunnel, limited to 1024 characters | Not applicable |
| Remote Host | The Gateway Public IPv4 address of the remote VPN Gateway | 194.164.123.149 |

| Components | Description | Example |
| --- | --- | --- |
| Pre-Shared Key | A strong key with a minimum of 32 characters. | vP7ypxAiVbmXv8mCwLMpYcsCCzZBwu/nbhxUImkb8ks= |
IKE exchange phase:
| Components | Description | Example |
| --- | --- | --- |
| Diffie-Hellman | The Diffie-Hellman (DH) key exchange algorithm is a method used to make a shared encryption key available to two entities without an exchange of the key. The encryption key for the two devices is used as a symmetric key for encrypting data. Only the two parties involved in the DH key exchange can deduce the shared key, and the key is never sent over the wire. | 15-MODP3072 |
| Encryption Algorithm | Encryption algorithms protect the data so it cannot be read by a third party while in transit. | AES128-CTR |
| Integrity Algorithm | Integrity algorithms provide authentication of messages and randomness, ensuring that packets are authentic and were not altered by a third party before arriving, and are also used for constructing keying material for encryption. | SHA256 |
| Lifetime | The length of time (in seconds) that a negotiated IKE SA key is effective. Before the key lifetime expires, the SA must be re-keyed; otherwise, upon expiration, the SA must begin a new IKEv2 IKE SA re-key. | 86400 |

ESP phase:
| Components | Description | Example |
| --- | --- | --- |
| Diffie-Hellman | The Diffie-Hellman (DH) key exchange algorithm is a method used to make a shared encryption key available to two entities without an exchange of the key. The encryption key for the two devices is used as a symmetric key for encrypting data. Only the two parties involved in the DH key exchange can deduce the shared key, and the key is never sent over the wire. | 15-MODP3072 |
| Encryption Algorithm | Encryption algorithms protect the data so it cannot be read by a third party while in transit. | AES128-CTR |
| Integrity Algorithm | Integrity algorithms provide authentication of messages and randomness, ensuring that packets are authentic and were not altered by a third party before arriving, and are also used for constructing keying material for encryption. | SHA256 |
| Lifetime | The ESP SA lifetime determines how long the keys generated during the IKE negotiation are valid for encrypting and authenticating the actual data packets being transmitted. | 3600 |

| Components | Description | Example |
| --- | --- | --- |
| Cloud Network CIDRs | Network addresses on the cloud side that are permitted to connect to the tunnel | 10.10.1.0/24 |
| Peer Network CIDRs | Network addresses on the peer side that are permitted to connect to the tunnel | 10.10.2.0/24 |
Path parameter:
| Parameter | Type | Description | Example |
| --- | --- | --- | --- |
| gatewayId | string | The ID (UUID) of the IPSec Gateway. | 66a114c7-2ddd-5119-9ddf-5a789f5a5a44 |

Body parameters:
| Parameter | Required | Type | Description | Example |
| --- | --- | --- | --- | --- |
| metadata | no | object | Metadata | {} |
| properties | yes | object | Properties with all data needed to update an IPSec Tunnel. Note: There is a limit of 20 tunnels per IPSec Gateway. | |
| properties.name | yes | string | The human-readable name of your IPSec Gateway Tunnel. | My Tunnel |
| properties.description | no | string | Human-readable description of the IPSec Gateway Tunnel. | Tunnel connecting site A to site B. |
| properties.remoteHost | yes | string | The remote peer host fully qualified domain name or IPv4 IP to connect to. | 203.0.113.1 |
| properties.auth | yes | object | Properties needed to define IPSec Authentication. | |
| properties.auth.ike | yes | object | Settings for the initial security exchange phase. | { "encryption": "AES-256", "hash": "SHA256" } |
| properties.auth.esp | yes | object | Settings for the IPSec SA (ESP) phase. | { "encryption": "AES-256", "auth": "SHA256" } |
| properties.cloudNetworkCIDRs | yes | array | The network CIDRs on the "Left" side that are allowed to connect to the IPSec tunnel. | ["10.0.0.0/24", "203.0.113.0/24"] |
| properties.peerNetworkCIDRs | yes | array | The network CIDRs on the "Right" side that are allowed to connect to the IPSec tunnel. | ["10.0.1.0/24", "198.51.100.0/24"] |

Request headers:
| Header | Required | Type | Description |
| --- | --- | --- | --- |
| Authorization | yes | string | The Bearer token to enable requests to authenticate using a JSON Web Token (JWT). |
| Content-Type | yes | string | Set this to application/json. |