VPN Gateway

VPN Gateway is a network service that provides a secure virtual private network (VPN).
The primary goal of the service is to provide users and developers with an easy and secure way to access their cloud account resources through a VPN.

When you create an account, a multifunctional Cloud Gateway virtual machine is automatically created, which plays the role of a VPN server (or VPN gateway). To connect to the VPN service, the device must have a Wireguard client.

VPN Gateway functionality:

  • creating VPN connections and adding VPN client devices;
  • Remote Gateway allows you to combine account networks in different locations if the client uses the ICDC Platform in several regions;
  • NAT Mapping - IP address translation to work around overlapping subnets between client devices and account networks.

VPN Gateways

The VPN tab displays a list of VPN Gateways.

A VPN Gateway is a type of virtual network gateway that runs on top of the Cloud Gateway virtual machine managed by the platform.

The VPN Gateway has a single public Wireguard key that is used for all connections. Each VPN Gateway has its own Public address; by default, the first Gateway receives the Public Hostname account_name.vpn.location_name.icdc.io.
Here you can also set the NAT Subnet - an additional subnet that exists neither in the location nor on user devices. Addresses from this subnet are translated into the internal IP addresses of virtual machines (see NAT Mapping below).
This works around the problem of overlapping IP ranges between client devices and account networks.

Users can view the VPN Gateway Details by opening it from the list.

VPN Details specify:

  • Cloud Gateway Instance - indicates the instance in which the Gateway is running;
  • Public key - public Wireguard key;
  • Public Hostname - account_name.vpn.location_name.icdc.io;
  • Internal address - the Cloud Gateway address in the internal infrastructure, needed to configure internal routes (for example, to send traffic to another location through the Cloud Gateway, you need to know its internal IP address);
  • NAT Subnet - an additional subnet whose IP addresses are translated into internal IP addresses of virtual machines. (optional)

The user can edit the name of the VPN Gateway and the NAT Subnet in the side menu: enter the new values and click Save, or click Cancel to discard the changes.

Client Connections

The user can define one or more client connections (for example, one per user group).
In each client connection, the user specifies the subnet (and the VPN Gateway's IP address within it) from which IP addresses are allocated to client devices. This subnet must not overlap existing VPC networks or the subnets in use on the client devices themselves.

Note: In addition, in the VPC Networks application, on the Routing tab, the user needs to add a route (Create button) to the client connection subnet via the internal address of the VPN Gateway (usually 198.18.0.2). Without this route, virtual machines have no path for reply traffic back to VPN clients.

The Client Connections tab displays:

  • Name of connection - used to generate the name of the VPN and NIC network connections on the client device;
  • Subnet - range of IP addresses from which IP addresses will be allocated to devices;
  • Endpoint - public Endpoint to which the connection is made.

Connection adding

Users can add a connection by clicking the corresponding button - Add connection.

To add a connection, you need to specify:

  • Name of connection;
  • IP with subnet prefix - the IP address of the VPN Gateway on the client connection subnet;
    usually the first usable address of the subnet, for example 10.0.0.1/24.
  • Port - UDP port on the public IP address;
    we recommend port 2200/udp for the first connection, as it is preconfigured and allowed. For further connections within the account, contact the support service to have the port opened.
  • MTU - maximum transmission unit; the recommended value is 1420 (the Wireguard default).

Click Add.

Note: If you need an additional connection within the same account, contact the support service.
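The constraints above (a client subnet that overlaps nothing, a usable gateway address, a sane UDP port and MTU, plus the VPC route via the gateway's internal address) are easy to get wrong by hand. The following script is an added example, not part of the ICDC platform or its tooling: it checks a planned connection against constructed VPC subnets and device LANs, prints the values to enter on the Add connection form, and lists which account subnets a device can only reach through a NAT Mapping. All subnets, addresses and the internal gateway address are placeholders.

```python
"""Sanity checks for a planned VPN client connection.

Added example, not part of the ICDC platform or its tooling. Every subnet
and address below is a constructed placeholder.
"""
import ipaddress

# Constructed: VPC subnets that already exist in the location.
VPC_SUBNETS = [ipaddress.ip_network(s) for s in ("10.10.0.0/24", "10.10.1.0/24")]
# Constructed: LAN ranges in use on the devices that will connect.
DEVICE_LAN_SUBNETS = [ipaddress.ip_network(s) for s in ("192.168.1.0/24", "10.10.1.0/24")]
# Internal address of the VPN Gateway as shown in VPN Details (documentation: usually 198.18.0.2).
GATEWAY_INTERNAL_ADDRESS = "198.18.0.2"


def connection_problems(gateway_ip_with_prefix, port=2200, mtu=1420,
                        vpc_subnets=VPC_SUBNETS, device_subnets=DEVICE_LAN_SUBNETS):
    """Return a list of reasons the planned connection is unsafe; empty means OK."""
    problems = []
    iface = ipaddress.ip_interface(gateway_ip_with_prefix)  # e.g. 10.0.0.1/24
    subnet = iface.network
    if subnet.prefixlen > 30:
        problems.append(f"{subnet} is too small to hold a gateway and client addresses")
    elif iface.ip in (subnet.network_address, subnet.broadcast_address):
        problems.append(f"{iface.ip} is not a usable host address in {subnet}")
    # The client subnet must not overlap existing VPC networks ...
    problems += [f"{subnet} overlaps VPC subnet {v}" for v in vpc_subnets if subnet.overlaps(v)]
    # ... nor any LAN the client devices sit on, or their local routing breaks.
    problems += [f"{subnet} overlaps device LAN {d}" for d in device_subnets if subnet.overlaps(d)]
    if not 1 <= port <= 65535:
        problems.append(f"port {port} is not a valid UDP port")
    if not 1280 <= mtu <= 1500:
        problems.append(f"MTU {mtu} is outside the sane range for a Wireguard tunnel")
    return problems


def plan_client_connection(gateway_ip_with_prefix, port=2200, mtu=1420):
    """Return the form values and the VPC route for a valid connection, else raise."""
    problems = connection_problems(gateway_ip_with_prefix, port, mtu)
    if problems:
        raise ValueError("; ".join(problems))
    iface = ipaddress.ip_interface(gateway_ip_with_prefix)
    subnet = iface.network
    return {
        "subnet": str(subnet),
        "gateway_ip": f"{iface.ip}/{subnet.prefixlen}",
        "port_udp": port,
        "mtu": mtu,
        # The route to add on the VPC Networks > Routing tab.
        "vpc_route": {"destination": str(subnet), "next_hop": GATEWAY_INTERNAL_ADDRESS},
        # Network address, broadcast address and the gateway itself are not assignable.
        "device_addresses_available": subnet.num_addresses - 3,
    }


def subnets_needing_nat(vpc_subnets=VPC_SUBNETS, device_subnets=DEVICE_LAN_SUBNETS):
    """VPC subnets that collide with a device LAN: VMs in them are reachable
    from that device only through a NAT Mapping, never by their real address."""
    return sorted({str(v) for v in vpc_subnets for d in device_subnets if v.overlaps(d)})


if __name__ == "__main__":
    print(plan_client_connection("10.0.0.1/24"))
    print("reachable only via NAT Mapping:", subnets_needing_nat())
    print("rejected:", connection_problems("10.10.1.1/24"))
```

Run it before filling in the form; the `vpc_route` entry is the route the note above asks you to create, and `subnets_needing_nat` tells you whether a NAT Subnet has to be configured on the gateway at all.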

Device adding

Clicking on the name of a Client connection takes the user to a detail page where they can add device(s) to the client connection by clicking on the corresponding button.

To add a device, you need to specify:

  • Name of device, e.g. John-laptop, Maria-phone;
  • IP address of the device - allocated from the subnet of the client connection;
  • Public key - the public key generated on the device when creating a new connection in the Wireguard software. Only the public key is entered here; the private key must never leave the device;
  • Route Subnets (optional) - used only when the device is the VPN gateway of a remote location.
    Here you specify the subnets behind that remote gateway that must be routed, so that traffic from the remote networks reaches the networks of the current account;
  • Keep Alive (optional) - the interval at which an empty packet is sent to keep the mapping for the device's UDP port open on intermediate firewalls.
    The firewall behind which the user device sits drops idle UDP mappings after a certain interval (often 30 seconds), so the common value is 25 seconds.

Click Add.
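To show how the fields of the Add device form end up on both ends of the tunnel, here is an added example that is not ICDC code: it renders the client-side Wireguard configuration for a device (address from the connection subnet, gateway public key, public endpoint and port, MTU 1420, keepalive 25) and the gateway-side peer entry for the same device. It assumes that the device's IP and its Route Subnets become the peer's AllowedIPs on the gateway, which is how Wireguard's cryptokey routing works but is not stated on this page. The keys are base64 placeholders built from repeated bytes, not real keys, and the hostname and subnets are constructed.

```python
"""Render the Wireguard configuration for a device added to a client connection.

Added example; not ICDC code. The key pair is generated on the device
(e.g. `wg genkey | tee private.key | wg pubkey > public.key`) and only the
public key is pasted into the Add device form. Keys, hostname, subnets and
addresses below are constructed placeholders.
"""
import base64
import binascii
import ipaddress

# Constructed placeholders: a real private key never appears in documentation.
PLACEHOLDER_DEVICE_PRIVATE_KEY = base64.b64encode(b"\x02" * 32).decode()
PLACEHOLDER_DEVICE_PUBLIC_KEY = base64.b64encode(b"\x03" * 32).decode()
PLACEHOLDER_GATEWAY_PUBLIC_KEY = base64.b64encode(b"\x01" * 32).decode()  # from VPN Details


def is_wireguard_key(text):
    """A Wireguard key is the base64 encoding of exactly 32 bytes."""
    try:
        return len(base64.b64decode(text, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def render_device_config(device_ip, connection_subnet, private_key, gateway_public_key,
                         endpoint_host, port, allowed_ips, mtu=1420, keepalive=25):
    """Client-side wg-quick configuration for one device (split tunnel)."""
    subnet = ipaddress.ip_network(connection_subnet)
    ip = ipaddress.ip_address(device_ip)
    if ip not in subnet:
        raise ValueError(f"{ip} is not inside the client connection subnet {subnet}")
    for key in (private_key, gateway_public_key):
        if not is_wireguard_key(key):
            raise ValueError("malformed Wireguard key")
    lines = [
        "[Interface]",
        f"PrivateKey = {private_key}",          # stays on the device
        f"Address = {ip}/{subnet.prefixlen}",
        f"MTU = {mtu}",
        "",
        "[Peer]",
        f"PublicKey = {gateway_public_key}",    # the VPN Gateway's public key
        f"Endpoint = {endpoint_host}:{port}",   # Public Hostname and the connection's UDP port
        # Only traffic for these subnets (account VPC subnets, NAT Subnet) enters the tunnel.
        f"AllowedIPs = {', '.join(allowed_ips)}",
    ]
    if keepalive:
        lines.append(f"PersistentKeepalive = {keepalive}")
    return "\n".join(lines) + "\n"


def render_gateway_peer_entry(device_ip, device_public_key, route_subnets=()):
    """Gateway-side view of the same device (assumed mapping, see lead-in).
    AllowedIPs is Wireguard's cryptokey routing: the gateway accepts packets
    from this peer only with a source address in this set and sends traffic
    for these addresses back through it. Route Subnets widen it beyond /32."""
    if not is_wireguard_key(device_public_key):
        raise ValueError("malformed Wireguard key")
    allowed = [f"{ipaddress.ip_address(device_ip)}/32"]
    allowed += [str(ipaddress.ip_network(s)) for s in route_subnets]
    return f"[Peer]\nPublicKey = {device_public_key}\nAllowedIPs = {', '.join(allowed)}\n"


if __name__ == "__main__":
    print(render_device_config("10.0.0.10", "10.0.0.0/24", PLACEHOLDER_DEVICE_PRIVATE_KEY,
                               PLACEHOLDER_GATEWAY_PUBLIC_KEY, "acme.vpn.loc1.icdc.io", 2200,
                               ["10.10.0.0/24", "172.31.250.0/24"]))
    print(render_gateway_peer_entry("10.0.0.10", PLACEHOLDER_DEVICE_PUBLIC_KEY, ["192.168.50.0/24"]))
```

The peer entry is why Route Subnets matters for a remote-location gateway: with only the /32, the VPN Gateway silently drops packets arriving from the remote LAN even though the tunnel itself is up.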

Peer Gateways (Remote Gateways)

Information on remote gateways can be found in the Peer Gateways (Remote Gateways) tab:

  • Name - name of the gateway;
  • IP address - IP address of the gateway;
  • Peer endpoint - public Endpoint to which the connection is made;
  • Public key - Wireguard public key;
  • Route Subnets - subnets that need to be routed from a remote location so that traffic from remote networks reaches the current account.

Adding a remote gateway allows you to quickly connect account networks located in different locations. It can also be used to connect the account's networks to a remote Wireguard VPN server, for example one installed in the customer's branch office.

To make the networks of two different locations (for example, loc1 and loc2) visible to each other, configure static routing on both sides:

  • in location loc1:
  1. Go to the VPC Networks page, select the Routes tab and add routes to the subnets of loc2;
  2. Go to the VPN page, select the Gateway, open the Peer (Remote) Gateways tab and set Route Subnets to the subnets of loc2.
  • in location loc2:
  1. Go to the VPC Networks page, select the Routes tab and add routes to the subnets of loc1;
  2. Go to the VPN page, select the Gateway, open the Client Connections tab and, in the device that represents the loc1 gateway, set Route Subnets to the subnets of loc1.

Users can add a peer gateway by clicking the corresponding button - Add Peer Gateway.

To add a remote gateway, fill in the required fields and click Add.

NAT Mapping

Network Address Translation (NAT) maps free IP addresses from the NAT Subnet to the IP addresses of virtual machines located in the account's non-routable cloud subnets. This is needed when the client device's local network already uses an IP range that overlaps an account subnet, so the virtual machine's real address cannot be routed from the device.

For each NAT mapping, a DNS record of the following form is also created automatically:
<hostname>.<acc>.vpn.<loc>.icdc.io

The NAT Mapping tab displays a list of added NAT mappings.

Each mapping contains:

  • Hostname - the host label; the <acc>.vpn.<loc>.icdc.io suffix is appended automatically, giving the record format shown above;
  • VPN IP - a free address from the NAT Subnet through which clients reach the virtual machine;
  • Local IP - the internal IP address of the virtual machine within the location.

Users can add a NAT Mapping by clicking the corresponding button - Add NAT Mapping.

To add NAT mapping, enter the necessary data in the modal window and click Add.
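As an added example (not ICDC code), the following script plans NAT mappings for virtual machines whose subnet collides with the client's own LAN: it allocates the next free VPN IP from a constructed NAT Subnet, builds the DNS name in the <hostname>.<acc>.vpn.<loc>.icdc.io form, and prints illustrative nftables lines showing what a 1:1 translation does on a Linux gateway. The account name, location, subnets, hostnames and the `wg0` interface name are assumptions; the nftables rules are an illustration, not the platform's implementation.

```python
"""Plan NAT mappings and their DNS names for VMs a device cannot reach directly.

Added example; not ICDC code. Account name, location, subnets, hostnames and
the interface name are constructed; the nftables lines only illustrate 1:1 NAT.
"""
import ipaddress
import re

ACCOUNT, LOCATION = "acme", "loc1"                       # constructed
VPC_SUBNETS = [ipaddress.ip_network("10.10.1.0/24")]     # constructed account subnet
DEVICE_LAN = ipaddress.ip_network("10.10.1.0/24")        # constructed: the client's LAN overlaps it
NAT_SUBNET = ipaddress.ip_network("172.31.250.0/24")     # constructed NAT Subnet set on the gateway
TUNNEL_IF = "wg0"                                        # assumed Wireguard interface name
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def needs_nat_mapping(local_ip, device_lan=DEVICE_LAN):
    """True when the VM's real address lies inside the device's own LAN, so
    packets for it would stay on the LAN instead of entering the tunnel."""
    return ipaddress.ip_address(local_ip) in device_lan


def plan_nat_mappings(hosts, nat_subnet=NAT_SUBNET, used_vpn_ips=(), vpc_subnets=VPC_SUBNETS):
    """hosts: {hostname: local_ip}. Allocates the next free VPN IP per host and
    builds the DNS name <hostname>.<acc>.vpn.<loc>.icdc.io for each mapping."""
    used = {ipaddress.ip_address(ip) for ip in used_vpn_ips}
    free = (ip for ip in nat_subnet.hosts() if ip not in used)
    mappings = []
    for hostname, local in hosts.items():
        local_ip = ipaddress.ip_address(local)
        if not LABEL_RE.match(hostname):
            raise ValueError(f"{hostname!r} is not a valid DNS label")
        if not any(local_ip in s for s in vpc_subnets):
            raise ValueError(f"{local_ip} is not inside an account subnet")
        vpn_ip = next(free, None)
        if vpn_ip is None:
            raise ValueError(f"NAT subnet {nat_subnet} is exhausted")
        mappings.append({
            "hostname": f"{hostname}.{ACCOUNT}.vpn.{LOCATION}.icdc.io",
            "vpn_ip": str(vpn_ip),
            "local_ip": str(local_ip),
        })
    return mappings


def nft_rules(mappings, tunnel_if=TUNNEL_IF):
    """Illustrative 1:1 NAT on the gateway: rewrite the destination of packets
    arriving from the tunnel, and the source of packets the VM itself sends
    towards the tunnel, so VPN clients only ever see the NAT address."""
    rules = []
    for m in mappings:
        rules.append(f'iifname "{tunnel_if}" ip daddr {m["vpn_ip"]} dnat to {m["local_ip"]}')
        rules.append(f'oifname "{tunnel_if}" ip saddr {m["local_ip"]} snat to {m["vpn_ip"]}')
    return rules


if __name__ == "__main__":
    hosts = {"web": "10.10.1.10", "db": "10.10.1.11"}
    for name, ip in hosts.items():
        print(name, "needs NAT mapping:", needs_nat_mapping(ip))
    plan = plan_nat_mappings(hosts)
    for m in plan:
        print(m)
    print("\n".join(nft_rules(plan)))
```

Clients then connect to web.acme.vpn.loc1.icdc.io (resolving to the VPN IP) rather than to the VM's real address; the NAT Subnet, not the overlapping VPC subnet, is what goes into the device's AllowedIPs.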