User-based Access on OCI using OpenVPN

May 9, 2024 | 8 minute read
Aditya Kulkarni
Cloud Solution Technologist, Networking

Introduction:

Oracle offers a native Site-to-Site VPN service to connect your on-premises network to OCI. Many OCI customers, however, also have remote users who need private access to OCI resources. OpenVPN is one of the solutions customers can use in such cases: OCI Marketplace offers the OpenVPN Access Server image, which customers can deploy in a VCN, and remote users then connect to OCI with the OpenVPN client software.

Given that customers use OpenVPN for this reason, this blog applies to the following use cases:

  1. The customer is an ISV that serves multiple independent customers and wants to configure user-based access control to the networks on OCI.
  2. The customer has multiple organizations, departments, or projects that require user-based access control to OCI.

 

Network Diagram:

Network Diagram

In this setup,

  1. The OpenVPN Access Server has been provisioned in its own VCN, inside a public subnet. I have also installed the OpenVPN client software on my local machine to test the connections. For step-by-step instructions, please refer to: https://blogs.oracle.com/developers/post/launching-your-own-free-private-vpn-in-the-oracle-cloud
  2. Customer-VCN-1 and Customer-VCN-2 host virtual machines for 2 different customers.
  3. All the VCNs are attached to the DRG via VCN attachments.
  4. All the users connect to the OpenVPN access server using OpenVPN client software.

The following are the requirements:

  1. Customer-1 users should only be able to reach resources inside Customer-1-VCN.
  2. Customer-2 users should only be able to reach resources inside Customer-2-VCN.
  3. Admin users can reach all resources.
  4. Customer-1-VCN and Customer-2-VCN must not be able to reach each other.

 

Configuration:

First, let’s have a look at the OpenVPN configuration.

OpenVPN Access Server configuration:

  1. Route client traffic through the VPN, but do not give VPN clients default access to the private subnets of the OpenVPN VCN. Reachability is instead granted per group in the next step, so that a user only gets the networks their group is allowed to see.

Hence, in the VPN Settings tab, make sure the following options are selected:

VPN Settings

 

  2. Create groups for the customers and for the admins:

Under User Management > Group Permissions, create a new group for each user population (Customer-1, Customer-2, and Admin) and click on 'More Settings'.

Under 'Access Control', select 'Yes' and enter the CIDR block(s) of the VCN(s) that the group may reach. The rules are applied by the Access Server to every member of the group, so the networks a user can reach are decided on the server rather than by the client configuration.

For example, in our case,

for Customer-1 group, enter CIDR block of the Customer-1-VCN:

 

Customer 1 Group

for the Customer-2 group, enter the CIDR block of the Customer-2-VCN:

 

Customer 2 Group

Admin Group has access to all the networks:

Admin Group

  3. Create users for each group:

For this blog, I have created a single user for each user group and added them to the appropriate group that we created in the previous step:

 

Users

To set up a password for each user, follow the ‘Create a User’ section in this blog: https://blogs.oracle.com/developers/post/launching-your-own-free-private-vpn-in-the-oracle-cloud
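The same group and user setup, driven from the command line instead of the admin UI, as an added example that is not code from the original post or from OpenVPN. It uses a Terraform null_resource to run OpenVPN Access Server's sacli tool over SSH. The host, SSH login user, group and user names, and the VCN CIDRs 10.1.0.0/16 and 10.2.0.0/16 are assumed placeholders; the property names (group_declare, access_to.N, conn_group, vpn.client.routing.reroute_gw) follow the OpenVPN Access Server sacli documentation and should be checked against your Access Server version. The server-wide private subnet option from the VPN Settings screenshot and the user passwords are left to the UI steps above.

```hcl
# Added example (not from the original post or from OpenVPN): declare the
# Customer-1, Customer-2 and Admin groups with per-group Access Control, and
# place one user in each group, using OpenVPN Access Server's sacli over SSH.
# Host, SSH user, names and CIDRs are assumed placeholders.
variable "openvpn_host" {
  type        = string
  description = "Public IP of the OpenVPN Access Server (assumed)"
}
variable "ssh_private_key" {
  type      = string
  sensitive = true
}

locals {
  sacli = "sudo /usr/local/openvpn_as/scripts/sacli"

  # Group -> VCN CIDRs that group may reach ('Access Control' in the admin UI).
  group_networks = {
    "Customer-1" = ["10.1.0.0/16"]
    "Customer-2" = ["10.2.0.0/16"]
    "Admin"      = ["10.1.0.0/16", "10.2.0.0/16"]
  }
  # User -> group; one user per group, as in the post. Passwords are set
  # separately (see the 'Create a User' link above), not through Terraform.
  user_groups = {
    "customer1-user" = "Customer-1"
    "customer2-user" = "Customer-2"
    "admin-user"     = "Admin"
  }

  # VPN Settings: route client traffic through the VPN.
  server_cmds = [
    "${local.sacli} --key vpn.client.routing.reroute_gw --value true ConfigPut",
  ]

  # Per group: declare it, then one access_to.N rule per allowed subnet.
  # The rules are held and applied on the server, so a client cannot widen
  # its own access by editing local routes.
  group_cmds = flatten([
    for g, nets in local.group_networks : concat(
      ["${local.sacli} --user '${g}' --key group_declare --value true UserPropPut"],
      [for i, n in nets :
        "${local.sacli} --user '${g}' --key access_to.${i} --value '+SUBNET:${n}' UserPropPut"
      ]
    )
  ])

  # Per user: place the user in its group.
  user_cmds = [
    for u, g in local.user_groups :
    "${local.sacli} --user '${u}' --key conn_group --value '${g}' UserPropPut"
  ]

  all_cmds = concat(local.server_cmds, local.group_cmds, local.user_cmds)
}

resource "null_resource" "openvpn_access_control" {
  # Re-run whenever the generated command list changes.
  triggers = { config_hash = sha256(join("\n", local.all_cmds)) }

  connection {
    type        = "ssh"
    host        = var.openvpn_host
    user        = "openvpnas" # assumed login user of the Marketplace image
    private_key = var.ssh_private_key
  }

  provisioner "remote-exec" {
    # 'sacli start' applies the new properties to the running server.
    inline = concat(local.all_cmds, ["${local.sacli} start"])
  }
}
```

Adding a fourth customer is a one-line change to group_networks; the for expressions generate the group declaration and its access_to rules, which keeps the per-customer CIDR list in one reviewable place instead of spread across UI screens.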

 

OCI Configuration:

  1. Subnet Routing:

Add route rules to the route table of the OpenVPN Access Server's public subnet:

  • Traffic destined for the customer VCN CIDRs is sent to the DRG.
  • A default route (0.0.0.0/0) points to the Internet Gateway, so the Access Server can reach the remote clients on the Internet.

 

OpenVPN Route Table

Add a route rule to the route table of each customer VCN that sends traffic destined for the OpenVPN VCN CIDR to the DRG. The security lists or NSGs on the customer subnets must also allow ingress from the VPN traffic's source address; with the Access Server in its default NAT mode that is the server's private IP in the OpenVPN VCN, so OCI security rules cannot tell Customer-1 users from Customer-2 users, and the per-customer separation relies on the group rules on the Access Server:

Virtual Machine Route Table

 

  2. DRG Routing:

Isolate the individual VCNs from each other such that:

    1. Customer-1-VCN and Customer-2-VCN cannot talk to each other, only to the OpenVPN VCN.
    2. The OpenVPN VCN can talk to any VCN.

To implement this, we take advantage of the DRG's import route distribution and custom route table features. By default every VCN attachment uses the DRG's autogenerated route table, which imports the routes of all attachments; the customer attachments instead get a route table that only ever learns the OpenVPN VCN's CIDR, so there is no DRG route between the two customer VCNs.

First, create a separate import route distribution that accepts routes only from the OpenVPN VCN attachment:

Import Route Distribution

Then, create a new DRG route table shared by both customer VCN attachments, and set its import route distribution to the one created above:

 

DRG Customer Route Table

The last step is to assign this route table to both the Customer-1-VCN and Customer-2-VCN attachments. The OpenVPN VCN attachment keeps the default autogenerated route table, which imports routes from all attachments and therefore reaches both customer VCNs:

DRG Route Table Summary
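The subnet routing and DRG isolation from the two steps above, as an added example in Terraform with the OCI provider; this is not code from the original post or from Oracle. The compartment, DRG, VCN and Internet Gateway OCIDs and the CIDR 10.0.0.0/16 for the OpenVPN VCN are assumed placeholders supplied through variables. The example is written for any number of customer VCNs, not only the two in the post.

```hcl
# Added example (not from the original post): the OpenVPN public subnet route
# table, the customer VCN route tables, and the DRG import route distribution
# and route table that isolate the customer VCNs from each other.
# All OCIDs and CIDRs are assumed placeholders.
variable "compartment_id" { type = string }
variable "drg_id" { type = string }
variable "internet_gateway_id" { type = string }
variable "openvpn_vcn_id" { type = string }
variable "openvpn_vcn_cidr" {
  type    = string
  default = "10.0.0.0/16" # assumed
}
# Customer name -> VCN OCID, and customer name -> VCN CIDR (same keys).
variable "customer_vcn_ids" { type = map(string) }
variable "customer_vcn_cidrs" { type = map(string) }

# OpenVPN VCN attachment: drg_route_table_id is left unset, so it keeps the
# DRG's autogenerated route table and learns every attachment's routes.
resource "oci_core_drg_attachment" "openvpn" {
  drg_id       = var.drg_id
  display_name = "OpenVPN-VCN-attachment"
  network_details {
    id   = var.openvpn_vcn_id
    type = "VCN"
  }
}

# Import route distribution that accepts routes ONLY from the OpenVPN VCN
# attachment, so a customer route table never learns another customer's CIDR.
resource "oci_core_drg_route_distribution" "openvpn_only" {
  drg_id            = var.drg_id
  distribution_type = "IMPORT"
  display_name      = "import-openvpn-vcn-only"
}

resource "oci_core_drg_route_distribution_statement" "openvpn_only" {
  drg_route_distribution_id = oci_core_drg_route_distribution.openvpn_only.id
  action                    = "ACCEPT"
  priority                  = 1
  match_criteria {
    match_type        = "DRG_ATTACHMENT_ID"
    drg_attachment_id = oci_core_drg_attachment.openvpn.id
  }
}

# One DRG route table shared by all customer attachments, fed by that distribution.
resource "oci_core_drg_route_table" "customer" {
  drg_id                           = var.drg_id
  display_name                     = "customer-vcns"
  import_drg_route_distribution_id = oci_core_drg_route_distribution.openvpn_only.id
}

# Customer VCN attachments, each bound to the restricted DRG route table.
resource "oci_core_drg_attachment" "customer" {
  for_each           = var.customer_vcn_ids
  drg_id             = var.drg_id
  display_name       = "${each.key}-VCN-attachment"
  drg_route_table_id = oci_core_drg_route_table.customer.id
  network_details {
    id   = each.value
    type = "VCN"
  }
}

# Route table for the Access Server's public subnet: customer CIDRs -> DRG,
# default route -> Internet Gateway.
resource "oci_core_route_table" "openvpn_public" {
  compartment_id = var.compartment_id
  vcn_id         = var.openvpn_vcn_id
  display_name   = "openvpn-public-rt"

  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = var.internet_gateway_id
  }
  dynamic "route_rules" {
    for_each = var.customer_vcn_cidrs
    content {
      destination       = route_rules.value
      destination_type  = "CIDR_BLOCK"
      network_entity_id = var.drg_id
    }
  }
}

# Route table for each customer VCN: only the OpenVPN VCN CIDR, via the DRG.
# No rule for the other customers' CIDRs exists, and the DRG would drop such
# traffic anyway because their route table never imports those routes.
resource "oci_core_route_table" "customer" {
  for_each       = var.customer_vcn_ids
  compartment_id = var.compartment_id
  vcn_id         = each.value
  display_name   = "${each.key}-rt"

  route_rules {
    destination       = var.openvpn_vcn_cidr
    destination_type  = "CIDR_BLOCK"
    network_entity_id = var.drg_id
  }
}
```

The route tables still have to be associated with the subnets (route_table_id on the subnet resources), which is left out here. Isolation between customers is enforced twice: a customer subnet has no route to the other customer's CIDR, and even if one were added, the customer DRG route table only imports the OpenVPN VCN attachment, so the DRG has nowhere to forward that traffic.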

 

 

Verification:

Let's verify our network reachability against the requirements listed at the start. For each case, the screenshots show the connected OpenVPN client followed by the reachability test to each customer VM.

1. Customer-1 users can reach Customer-1-VM but not Customer-2-VM.

Customer 1 User Connected

Customer 1 VM

Customer 2 VM

2. Customer-2 users can reach Customer-2-VM but not Customer-1-VM.

Customer 2 User Connected

Customer 1 VM

Customer 2 VM

3. The Admin user can reach both Customer-1-VM and Customer-2-VM.

Admin User Connected

Customer 1 VM

Customer 2 VM

4. Customer-1-VM and Customer-2-VM cannot reach each other.

Customer 1 VM

Customer 2 VM

 

Conclusion:

In this blog, we demonstrated how to implement user-based access control to OCI using OpenVPN Access Server group access control together with DRG import route distributions and custom route tables.

To get started with OpenVPN on OCI, watch the companion video of this blog post below:

