VPN Gateway

VPN Gateway is a network service that provides a secure virtual private network (VPN).
The primary goal of the service is to provide users and developers with an easy and secure way to access their cloud account resources through a VPN.

When you create an account, a multifunctional Cloud Gateway virtual machine is automatically created, which plays the role of a VPN server (or VPN gateway). To connect to the VPN service, the device must have a Wireguard client.

VPN Gateway functionality:

  • creating VPN connections and adding VPN client devices;
  • Remote Gateway allows you to combine account networks in different locations if the client uses the ICDC Platform in several regions;
  • NAT Mapping - IP address translation to solve subnet overlap problems.

VPN Gateways

The VPN tab displays a list of VPN Gateways.

A VPN Gateway is a type of virtual network gateway that is provided on top of a Cloud Gateway virtual machine managed by the platform.

The VPN Gateway has a public Wireguard key that is used for all connections. Each VPN Gateway has its own Public address, and by default, the first Gateway receives the Public Hostname - account_name.vpn.location_name.icdc.io.
Here you can also set the NAT Subnet: an additional subnet that exists neither in the location nor on user devices, whose addresses are translated into the internal IP addresses of virtual machines.
This allows you to work around overlapping IP ranges between client devices and account networks.

Users can view the VPN Gateway Details by opening it from the list.

VPN Details specify:

  • Cloud Gateway Instance - indicates the instance in which the Gateway is running;
  • Public key - public Wireguard key;
  • Public Hostname - account_name.vpn.location_name.icdc.io;
  • Internal address - Cloud Gateway address in the internal infrastructure, needed to configure internal routes. (For example, if you need to send traffic to another location through Cloud Gateway, then you need to know the internal IP address of the Gateway);
  • NAT Subnet - an additional subnet whose IP addresses are translated into internal IP addresses of virtual machines.

The user can edit the name of the VPN gateway and NAT Subnet using the side menu.

To make changes, the user needs to enter the new data and click the Save button, or click Cancel to discard the changes.

Client Connections

The user can define one or more client connections (for example, for different user groups).
In the client connection, the user must specify the subnet (and the VPN Gateway IP address within it) that will be used to allocate IP addresses to client devices. This subnet must not overlap existing VPC networks or subnets on client devices.

Note: The user also needs to add a route in the VPC Networks application, on the Routing tab (Create button), to the selected subnet through the internal address of the VPN Gateway (usually 198.18.0.2).

The Client Connections tab displays:

  • Name of connection - used to generate the name of the VPN and NIC network connections on the client device;
  • Subnet - range of IP addresses from which IP addresses will be allocated to devices;
  • Endpoint - public Endpoint to which the connection is made.

Users can add a connection by clicking the corresponding button - Add connection.

To add a connection, you need to specify:

  • Name of connection;
  • IP with subnet prefix - IP address of VPN Gateway on client connection subnet;
    Usually, the first IP address of the subnet is specified, for example: 10.0.0.1/24.
  • Port - UDP port on the public IP address;
    By default, for the first connection, traffic to port 2200/udp is pre-configured and allowed.
  • MTU - maximum transmission unit.

Click Add.

Note: To allow VPN traffic on another port, the user needs to create a Port-Forwarding to the VPN Gateway's internal address (usually 198.18.0.2) and allow incoming UDP traffic to that port in the Firewall application:
open the Firewall tab, select the <loc>_<acc>_cloud_gateways group in the Security Groups list and click Add rule.
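As an added example (not the platform's own documentation or tooling), the Python below checks a proposed client connection subnet against the account's VPC networks and the subnets present on client devices, derives the gateway's IP with prefix, and renders the WireGuard client configuration from the VPN Details fields. The key, hostname and subnet values are constructed placeholders, and MTU 1420 is an assumed default.

```python
import ipaddress

# Constructed example values (not real keys, hostnames or account data).
GATEWAY = {
    "public_key": "<gateway-public-key>",     # placeholder for the Public key field
    "hostname": "myacc.vpn.loc1.icdc.io",     # Public Hostname pattern from the page
    "port": 2200,                             # default UDP port of the first connection
    "internal_address": "198.18.0.2",         # usual internal address of the gateway
}
VPC_SUBNETS = ["10.10.0.0/24", "10.20.0.0/24"]   # constructed account networks
NAT_SUBNET = "100.64.0.0/24"                     # constructed NAT Subnet


def check_client_subnet(client_subnet, vpc_subnets, device_subnets):
    """Return the networks that a proposed client connection subnet overlaps.
    An empty list means the subnet satisfies the non-overlap requirement."""
    net = ipaddress.ip_network(client_subnet, strict=True)
    return [s for s in vpc_subnets + device_subnets
            if net.overlaps(ipaddress.ip_network(s))]


def gateway_ip(client_subnet):
    """IP with subnet prefix for the gateway: the first address, e.g. 10.0.0.1/24."""
    net = ipaddress.ip_network(client_subnet, strict=True)
    return f"{net.network_address + 1}/{net.prefixlen}"


def client_config(client_ip, private_key, gateway, vpc_subnets, nat_subnet, mtu=1420):
    """Render a split-tunnel WireGuard config for one client device.
    AllowedIPs lists only the account networks and the NAT Subnet, so the
    device's other traffic stays outside the tunnel. MTU 1420 is an assumed default."""
    allowed = ", ".join(vpc_subnets + [nat_subnet])
    return (
        "[Interface]\n"
        f"PrivateKey = {private_key}\n"
        f"Address = {client_ip}\n"
        f"MTU = {mtu}\n\n"
        "[Peer]\n"
        f"PublicKey = {gateway['public_key']}\n"
        f"Endpoint = {gateway['hostname']}:{gateway['port']}\n"
        f"AllowedIPs = {allowed}\n"
        "PersistentKeepalive = 25\n"
    )
```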

Peer Gateways (Remote Gateways)

Information on remote gateways can be found in the Peer Gateways (Remote Gateways) tab:

  • Name - name of the gateway;
  • IP address - IP address of the gateway;
  • Peer endpoint - public Endpoint to which the connection is made;
  • Public key - Wireguard public key;
  • Route Subnets - subnets that need to be routed from a remote location so that traffic from remote networks reaches the current account.

Adding a remote gateway allows you to quickly integrate account networks located in different remote locations. It can also be used to connect the account's networks to a remote Wireguard VPN server, for example one installed in the customer's branch office.

To create network visibility between two different locations (for example, loc1 and loc2), you need to configure static routing in both:

  • add routing in the loc1 location:
    1. Go to the VPC Networks page, select the Routes tab and configure Route subnets for the subnets from loc2;
    2. Go to the VPN page, select the Gateway, then select the Peer (Remote) Gateways tab and configure Route subnets for the subnets from loc2.
  • add routing in the loc2 location:
    1. Go to the VPC Networks page, select the Routes tab and configure Route subnets for the subnets from loc1;
    2. Go to the VPN page, select the Gateway, then select the Client Connections tab and, in the required Device, configure Route subnets for the subnets from loc1.

Users can add a peer gateway by clicking the corresponding button - Add Peer Gateway.

To add a remote gateway, fill in the required fields and click Add.

NAT Mapping

Network Address Translation (NAT) replaces IP addresses from a free IP range of the NAT subnet with the IP addresses of virtual machines located in non-routable cloud subnets of an account. This may be needed if the client device already has overlapping IP address ranges.

For each NAT mapping, DNS records of the following type are also automatically created:
<hostname>.<acc>.vpn.<loc>.icdc.io

The NAT Mapping tab displays a list of added NAT mappings.

Each mapping contains:

  • Hostname - assigned automatically - account_name.loc.icdc.io;
  • VPN IP;
  • Local IP - any internal IP address within the location.

Users can add a NAT Mapping by clicking the corresponding button - Add NAT Mapping.

To add NAT mapping, enter the necessary data in the modal window and click Add.
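As an added example (not the platform's own code), the Python below models the NAT Mapping tab: it allocates one VPN IP per virtual machine from the NAT Subnet, derives the automatically created DNS name in the <hostname>.<acc>.vpn.<loc>.icdc.io form, and refuses a NAT Subnet that itself overlaps the client device's LAN. The account, location, subnet and hostname values are constructed.

```python
import ipaddress

# Constructed scenario: the client device's LAN (192.168.10.0/24) overlaps an
# account VPC subnet with the same range, so the VMs there are reached through
# addresses from the NAT Subnet instead of their Local IPs.
ACCOUNT = "myacc"                      # constructed account name
LOCATION = "loc1"                      # constructed location name
NAT_SUBNET = "100.64.0.0/24"           # constructed NAT Subnet set on the gateway
DEVICE_LAN = "192.168.10.0/24"         # constructed client device subnet
VM_HOSTS = {"db01": "192.168.10.15", "web01": "192.168.10.20"}  # constructed Local IPs


def build_nat_mappings(hostnames_to_local, nat_subnet, device_lan, account, location):
    """Allocate a VPN IP per VM from the NAT subnet and derive its DNS record name.
    Returns rows shaped like the NAT Mapping tab: Hostname, VPN IP, Local IP.
    Raises ValueError if the NAT subnet overlaps the device LAN or is exhausted."""
    nat = ipaddress.ip_network(nat_subnet)
    lan = ipaddress.ip_network(device_lan)
    if nat.overlaps(lan):
        raise ValueError("NAT subnet overlaps the client device LAN")
    free = nat.hosts()                 # iterator over usable NAT addresses
    mappings = []
    for hostname, local_ip in sorted(hostnames_to_local.items()):
        try:
            vpn_ip = next(free)
        except StopIteration:
            raise ValueError("NAT subnet exhausted") from None
        mappings.append({
            "Hostname": f"{hostname}.{account}.vpn.{location}.icdc.io",
            "VPN IP": str(vpn_ip),
            "Local IP": str(ipaddress.ip_address(local_ip)),
        })
    return mappings


def lookup_local_ip(mappings, vpn_ip):
    """The translation the gateway performs: which Local IP does a VPN IP map to?"""
    for row in mappings:
        if row["VPN IP"] == vpn_ip:
            return row["Local IP"]
    return None
```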