Updated at July 12, 2023 01:52 PM

Creating a VPN connection

To create a VPN connection, create a file vpn.tf, which will describe the configuration of the connection being created. Add the text from the examples below, and correct the setting values for your connection.

Create a virtual network

To create a VPN connection, we need a virtual network with a router. If you already have an existing network and router, then go to the "Creating a VPN connection" step.

Create a network with the following objects:

  1. Resources (resource):
  • vkcs_networking_network — network where the VM will be created. In the example below, a network is created with the name "vpnaas_network".
  • vkcs_networking_subnet — subnet from the network. In the example: "subnet".
  • vkcs_networking_router — a router for an external network and interaction with the outside world. In the example: "router".
  • vkcs_networking_router_interface — connects the router to the internal network.
  2. Data sources (data source):
  • vkcs_networking_network — external network for obtaining a public IP (Floating IP). In the example: "extnet".
# External network that provides public (floating) IP addresses
data "vkcs_networking_network" "extnet" {
  name = "extnet"
}

# Private network that the VPN will expose to the peer site
resource "vkcs_networking_network" "network" {
  name = "vpnaas_network"
}

resource "vkcs_networking_subnet" "subnet" {
  network_id = vkcs_networking_network.network.id
  cidr       = "192.168.199.0/24"
}

# Router with an uplink to the external network; the VPN service is attached to it
resource "vkcs_networking_router" "router" {
  name                = "router"
  external_network_id = data.vkcs_networking_network.extnet.id
}

# Attach the private subnet to the router
resource "vkcs_networking_router_interface" "router_interface" {
  router_id = vkcs_networking_router.router.id
  subnet_id = vkcs_networking_subnet.subnet.id
}

Create a VPN connection

  1. vkcs_vpnaas_service — manages the VPN service inside VK Cloud. Includes the following setting:
  • router_id — router ID. Changing the value of this parameter creates a new service. If you need to use an existing router, specify its ID (data.vkcs_networking_router.router.id) using the data source:

data "vkcs_networking_router" "router" {
  name = "router_1"
}

  2. vkcs_vpnaas_ipsec_policy — controls the IPsec policy of the resource inside VK Cloud. Includes the following setting:
  • name — name of the created policy. Changing the value of this parameter changes the name of the existing policy.
  3. vkcs_vpnaas_ike_policy — controls the IKE policy of the resource inside VK Cloud. Includes the following setting:
  • name — name of the created policy. Changing the value of this parameter changes the name of the existing policy.
  4. vkcs_vpnaas_endpoint_group — manages the "endpoint group" resource inside VK Cloud. Includes the following settings:
  • type — type of endpoints in the group. Accepts subnet, cidr, network, router, or vlan. Changing the value of this parameter creates a new group.
  • endpoints — a list of endpoints of the same type included in the endpoint group. The form of the values depends on the endpoint type. Changing the value of this parameter creates a new group.
  5. vkcs_vpnaas_site_connection — manages the site-to-site IPsec connection resource inside VK Cloud. Includes the following settings:
  • name — connection name. Changing the value of this parameter changes the name of the existing connection.
  • ikepolicy_id — ID of the IKE policy. Changing the value of this parameter creates a new connection.
  • ipsecpolicy_id — ID of the IPsec policy. Changing the value of this parameter creates a new connection.
  • vpnservice_id — VPN service ID. Changing the value of this parameter creates a new connection.
  • psk — pre-shared key (PSK) used to authenticate the two gateways to each other. Accepts any value of type "string".
  • peer_address — public IPv4 or IPv6 address of the peer gateway, or its FQDN.
  • peer_id — peer router ID used for authentication. Accepted value types: IPv4 address, IPv6 address, e-mail, key ID, FQDN. Typically the value of this parameter is the same as the value of peer_address. Changing the value of this parameter changes the policy of the existing connection.
  • local_ep_group_id — ID of the endpoint group that contains the private subnets of the local side. Requires peer_ep_group_id to be specified unless backward compatibility mode is enabled, where peer_cidrs are already provided together with the subnet_id of the VPN service. Changing the value of this parameter changes the existing connection.
  • peer_ep_group_id — ID of the endpoint group that contains the private CIDRs of the peer side in the format <net_address>/<prefix>. Requires local_ep_group_id to be specified unless backward compatibility mode is enabled, where peer_cidrs are already provided together with the subnet_id of the VPN service.
  • dpd — settings dictionary for the Dead Peer Detection (DPD) protocol. Includes the following settings:
    ◦ action — DPD action. Possible values: clear, hold, restart, disabled, restart-by-peer. Default value: hold.
    ◦ timeout — DPD timeout in seconds. Accepts a positive integer that is greater than interval. Default value: 120.
    ◦ interval — DPD interval in seconds. Accepts a positive integer. Default value: 30.
  • depends_on — the VPN connection is not created until the listed resources have been created.

# VPN service bound to the router created above
resource "vkcs_vpnaas_service" "service" {
  router_id = vkcs_networking_router.router.id
}

resource "vkcs_vpnaas_ipsec_policy" "policy_1" {
  name = "ipsec-policy"
}

resource "vkcs_vpnaas_ike_policy" "policy_2" {
  name = "ike-policy"
}

# Remote (peer) side: the CIDRs reachable behind the peer gateway
resource "vkcs_vpnaas_endpoint_group" "group_1" {
  type      = "cidr"
  endpoints = ["10.0.0.24/24", "10.0.0.25/24"]
}

# Local side: our private subnet
resource "vkcs_vpnaas_endpoint_group" "group_2" {
  type      = "subnet"
  endpoints = [vkcs_networking_subnet.subnet.id]
}

resource "vkcs_vpnaas_site_connection" "connection" {
  name           = "connection"
  ikepolicy_id   = vkcs_vpnaas_ike_policy.policy_2.id
  ipsecpolicy_id = vkcs_vpnaas_ipsec_policy.policy_1.id
  vpnservice_id  = vkcs_vpnaas_service.service.id
  psk            = "secret" # placeholder only; replace with a long random pre-shared key
  peer_address   = "192.168.10.1"
  peer_id        = "192.168.10.1"

  local_ep_group_id = vkcs_vpnaas_endpoint_group.group_2.id
  peer_ep_group_id  = vkcs_vpnaas_endpoint_group.group_1.id

  # Dead Peer Detection: timeout must be greater than interval
  dpd {
    action   = "restart"
    timeout  = 42
    interval = 21
  }

  # The router must be attached to the subnet before the connection is created.
  # depends_on takes resource references, not strings.
  depends_on = [vkcs_networking_router_interface.router_interface]
}
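The example above hard-codes the pre-shared key in vpn.tf. The following variant, added here as an illustration and not part of the VK Cloud documentation, moves the key into a sensitive input variable and validates the DPD constraint stated above (timeout greater than interval) before apply. The variable names vpn_psk and dpd are assumptions; the resource names are those of the example.

```hcl
# Added example (not from the VK Cloud docs): keep the PSK out of vpn.tf and
# enforce the DPD rule (timeout > interval) at plan time instead of at the API.

variable "vpn_psk" {
  description = "IPsec pre-shared key; pass via TF_VAR_vpn_psk or a .tfvars file kept out of version control"
  type        = string
  sensitive   = true # redacted in plan/apply output

  validation {
    condition     = length(var.vpn_psk) >= 32
    error_message = "vpn_psk must be at least 32 characters; generate it with a CSPRNG, e.g. openssl rand -base64 32."
  }
}

variable "dpd" {
  description = "Dead Peer Detection settings; timeout must exceed interval"
  type = object({
    action   = string
    interval = number
    timeout  = number
  })
  default = { action = "restart", interval = 21, timeout = 42 }

  validation {
    condition     = var.dpd.interval > 0 && var.dpd.timeout > var.dpd.interval
    error_message = "dpd.interval must be positive and dpd.timeout must be greater than dpd.interval."
  }
}

resource "vkcs_vpnaas_site_connection" "connection" {
  name           = "connection"
  ikepolicy_id   = vkcs_vpnaas_ike_policy.policy_2.id
  ipsecpolicy_id = vkcs_vpnaas_ipsec_policy.policy_1.id
  vpnservice_id  = vkcs_vpnaas_service.service.id
  psk            = var.vpn_psk # never a literal in the .tf file
  peer_address   = "192.168.10.1"
  peer_id        = "192.168.10.1"

  local_ep_group_id = vkcs_vpnaas_endpoint_group.group_2.id
  peer_ep_group_id  = vkcs_vpnaas_endpoint_group.group_1.id

  dpd {
    action   = var.dpd.action
    timeout  = var.dpd.timeout
    interval = var.dpd.interval
  }

  depends_on = [vkcs_networking_router_interface.router_interface]
}
```

Marking the variable sensitive keeps the key out of console output, but it is still written to the Terraform state, so the state backend needs the same access control as the key itself.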

Add both parts of the example to the vpn.tf file and run the following commands:

terraform init
terraform apply