.. Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information# regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. .. _remote-access-vpn: Remote Access VPN ----------------- CloudStack account owners can create virtual private networks (VPN) to access their virtual machines. If the guest network is instantiated from a network offering that offers the Remote Access VPN service, the virtual router (based on the System VM) is used to provide the service. CloudStack provides a L2TP-over-IPsec-based remote access VPN service to guest virtual networks. Since each network gets its own virtual router, VPNs are not shared across the networks. VPN clients native to `Windows, Mac OS X `_ and iOS can be used to connect to the guest networks. The account owner can create and manage users for their VPN. CloudStack does not use its account database for this purpose but uses a separate table. The VPN user database is shared across all the VPNs created by the account owner. All VPN users get access to all VPNs created by the account owner. .. note:: Make sure that not all traffic goes through the VPN. That is, the route installed by the VPN should be only for the guest network and not for all traffic. - **Road Warrior / Remote Access**. Users want to be able to connect securely from a home or office to a private network in the cloud. Typically, the IP address of the connecting client is dynamic and cannot be preconfigured on the VPN server. - **Site to Site**. In this scenario, two private subnets are connected over the public Internet with a secure VPN tunnel. The cloud user's subnet (for example, an office network) is connected through a gateway to the network in the cloud. The address of the user's gateway must be preconfigured on the VPN server in the cloud. Note that although L2TP-over-IPsec can be used to set up Site-to-Site VPNs, this is not the primary intent of this feature. For more information, see ":ref:`setting-s2s-vpn-conn`". Configuring Remote Access VPN ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To set up VPN for the cloud: #. Log in to the CloudStack UI as an administrator or end user. #. In the left navigation, click Global Settings. #. Set the following global configuration parameters. - remote.access.vpn.client.ip.range - The range of IP addresses to be allocated to remote access VPN clients. The first IP in the range is used by the VPN server. - remote.access.vpn.psk.length - Length of the IPSec key. - remote.access.vpn.user.limit - Maximum number of VPN users per account. To enable VPN for a particular network: #. Log in as a user or administrator to the CloudStack UI. #. In the left navigation, click Network. #. Click the name of the network you want to work with. #. Click View IP Addresses. #. Click one of the displayed IP address names. #. Click the Enable VPN button. |vpn-icon.png| The IPsec key is displayed in a popup window. Configuring Remote Access VPN in VPC ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ On enabling Remote Access VPN on a VPC, any VPN client present outside the VPC can access VMs present in the VPC by using the Remote VPN connection. The VPN client can be present anywhere except inside the VPC on which the user enabled the Remote Access VPN service. To enable VPN for a VPC: #. Log in as a user or administrator to the CloudStack UI. #. In the left navigation, click Network. #. In the Select view, select VPC. All the VPCs that you have created for the account is listed in the page. #. Click the Configure button of the VPC. For each tier, the following options are displayed: - Internal LB - Public LB IP - Static NAT - Virtual Machines - CIDR The following router information is displayed: - Private Gateways - Public IP Addresses - Site-to-Site VPNs - Network ACL Lists #. In the Router node, select Public IP Addresses. The IP Addresses page is displayed. #. Click Source NAT IP address. #. Click the Enable VPN button. |vpn-icon.png| Click OK to confirm. The IPsec key is displayed in a pop-up window. Now, you need to add the VPN users. #. Click the Source NAT IP. #. Select the VPN tab. #. Add the username and the corresponding password of the user you wanted to add. #. Click Add. #. Repeat the same steps to add the VPN users.