Tom works for company A. Tom's network administrator has set up an IPSec site-to-site VPN to Oracle Cloud Infrastructure (OCI), so Tom can reach OCI when he's in the office. When he works from home, however, Tom needs to connect directly to virtual machines (VMs) hosted in OCI's private network. So, he's trying to set up OpenVPN to get an SSL VPN connection to those VMs.
This blog post shows you the steps to set up OpenVPN to remotely connect to VMs, just like Tom.
Server setup
Deploy a Compute VM in a public network in OCI.
Install openvpn.x86_64 and easy-rsa rpms.
yum install -y openvpn.x86_64 easy-rsa
Copy the sample server config file /usr/share/doc/openvpn*/sample/sample-config-files/server.conf to /etc/openvpn. Add the following DNS server details, which are pushed to clients that connect to the OpenVPN server:
dh /etc/openvpn/keys/dh.pem
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
These DNS servers are just examples. You can use any public DNS server.
Copy all the files stored in /usr/share/easy-rsa/<version>/ to /etc/openvpn/easy-rsa. Create the /etc/openvpn/easy-rsa/vars file with contents similar to the following code block:
export KEY_COUNTRY="US"
export KEY_PROVINCE="Virginia"
export KEY_CITY="Ashburn"
export KEY_ORG="eg"
export KEY_EMAIL="admin@eg.cld"
export KEY_OU="IT"
Source the variables and then run the following commands in the /etc/openvpn/easy-rsa directory:
- ./easyrsa build-ca
- ./easyrsa build-server-full <prefixYouLike>
- ./easyrsa gen-dh
Copy the certificates and keys to the keys directory. Update /etc/openvpn/server/serverudp.conf with the following information:
ca keys/ca.crt
cert keys/<prefix>.crt
key keys/<prefix>.key
dh keys/dh.pem
askpass p.txt
push "route 10.0.0.0 255.255.255.0"
keepalive 10 20
inactive 600
In this example, our virtual cloud network (VCN) CIDR is 10.0.0.0/24. OpenVPN pushes this route to the client machine, so any network packet whose target IP is in the 10.0.0.0/24 CIDR is sent through the VPN tunnel.
Create /etc/openvpn/server/p.txt with a password of your choice.
Run the command easyrsa build-client-full <username> in the /etc/openvpn/server directory. Share the user key, the user certificate, the CA certificate, and p.txt with the client machine.
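Before starting the service, it is worth checking that serverudp.conf really contains the directives listed above and that the pushed route matches the VCN CIDR. The following helper is an added example, not code from the original post or from OpenVPN; the config text and the vpnsrv certificate prefix are constructed for the example.

```python
# Added example: parse an OpenVPN server config in the style of the
# serverudp.conf above and check it against the VCN CIDR it should route.
# Hypothetical helper, not part of OpenVPN or OCI tooling.
import shlex
import ipaddress

# Constructed sample config, mirroring the directives from the post
# (vpnsrv stands in for the <prefix> chosen at build-server-full time).
SERVER_CONF = """ca keys/ca.crt
cert keys/vpnsrv.crt
key keys/vpnsrv.key
dh keys/dh.pem
askpass p.txt
push "route 10.0.0.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 20
inactive 600
"""

def parse_config(text):
    """Return [(directive, [args])] per non-comment line; quoted args stay whole."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps 'push "route ..."' as one argument
        entries.append((parts[0], parts[1:]))
    return entries

def pushed_routes(entries):
    """Collect 'push "route NET MASK"' directives as ip_network objects."""
    routes = []
    for directive, args in entries:
        if directive == "push" and args and args[0].startswith("route "):
            _, net, mask = args[0].split()
            routes.append(ipaddress.ip_network(f"{net}/{mask}", strict=False))
    return routes

def check_server_config(text, vcn_cidr):
    """Return a list of problems; an empty list means the config passes."""
    entries = parse_config(text)
    names = {directive for directive, _ in entries}
    problems = [f"missing {d} directive" for d in ("ca", "cert", "key", "dh") if d not in names]
    vcn = ipaddress.ip_network(vcn_cidr)
    if vcn not in pushed_routes(entries):
        problems.append(f"no pushed route for VCN {vcn}")
    for directive, args in entries:
        if directive == "keepalive":
            ping, timeout = (int(a) for a in args)
            if timeout <= ping:
                problems.append("keepalive timeout must exceed ping interval")
    return problems
```

Running check_server_config(SERVER_CONF, "10.0.0.0/24") on the sample above returns an empty list; pointing it at a different VCN CIDR reports the missing route.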
Client setup
Update /etc/openvpn/client/clientudp.conf with the following information:
remote <public IP of openvpn server>
ca ca.crt
cert <username>.crt
key <username>.key
askpass p.txt
keepalive 10 60
For Windows client setup, download the Windows 64-bit MSI installer. Rename clientudp.conf to clientudp.ovpn.
Now the Windows client can connect to the OpenVPN server, and you can access individual VMs in OCI.
Conclusion
This setup can now help Tom and his colleagues (and you!) connect to Oracle Cloud Infrastructure VMs using OpenVPN community edition.
For more information, see the following resources: