5 Configuring a GRE Tunnel on a Guest Instance in Oracle Cloud
To complete the VPN setup, configure a GRE tunnel between your guest instances in Oracle Cloud and your Corente Services Gateway instance in Oracle Cloud.
Oracle Cloud services certified to use Corente-based VPN solutions
You can configure a GRE tunnel only on instances of the following Oracle Cloud services:
- Oracle Cloud Infrastructure Compute Classic
- Oracle Database Cloud Service
- Oracle Java Cloud Service
Creating a New Linux Instance and Configuring a GRE Tunnel
You must configure a Generic Routing Encapsulation (GRE) tunnel on your Compute Classic instances to complete the VPN setup.
Follow the instructions in this section to create a guest instance using the provided corente-guest-launchplan.json template and to configure a GRE tunnel on the newly created guest instance. To set up a GRE tunnel on running instances, see Configuring a GRE Tunnel on Running Linux Instances.
Create a Linux Client Compute Cloud Service Instance
Create your guest instance using the sample orchestration, corente-guest-launchplan.json.
1. Create a bootable storage volume. Use an image that is Oracle Linux 6.6 or a later version, as only these versions support GRE tunneling. See Creating a Bootable Storage Volume in Using Oracle Cloud Infrastructure Compute Classic.
   Note: A persistent boot disk is required to retain data and patches that are applied to your instance.
2. Download the sample orchestration, corente-guest-launchplan.json, to create a guest instance. This sample orchestration is included in the greconf_orchsamples.zip file at the following location: http://www.oracle.com/technetwork/topics/cloud/downloads/network-cloud-service-2952583.html
3. Modify values in the sample orchestration file based on your environment. While modifying corente-guest-launchplan.json, take care of the following requirements:
   - Ensure that you create the guest instance using the bootable storage volume you created in step 1.
   - The client instance and the gateway instance should be in the same security list. In this example, a Compute instance in the Corente network is assigned to an internal security list, vpn-CSG1-secrules.
   - Ensure that the ha_policy of the orchestration is set to active.
   - The GRE tunnel addresses (both local and cloud gateway) should not be in the 10.x.x.x subnet.
   - If you have set up the VPN connection using the Compute Classic user interface, specify the default value 172.16.254.1 for the cloud gateway tunnel address.
4. Upload the modified orchestration to Compute Classic, and then start the orchestration. For information about uploading and starting an orchestration, see Managing Orchestrations in Using Oracle Cloud Infrastructure Compute Classic.
5. After creating the instance, ensure that the instance is running.
6. Note the DNS hostname assigned to the cloud gateway instance. You will need this hostname later, when running the configuration script; it is required for HA. The cloud gateway hostname is populated automatically and should resolve to the private IP address of the cloud gateway.
Sample Orchestration with Corente Tunnel Arguments
{
  "name": "/Compute-myIdentityDomain/john.doe@example.com/corente-guest-instance",
  "label": "corente-guest",
  "description": "Corente guest instance",
  "oplans": [
    {
      "obj_type": "launchplan",
      "label": "corente-guest-launchplan-1",
      "ha_policy": "active",
      "objects": [
        {
          "instances": [
            {
              "name": "/Compute-myIdentityDomain/john.doe@example.com/corente-guest",
              "networking": {
                "eth0": {
                  "model": "e1000",
                  "dns": [
                    "corente-guest"
                  ],
                  "seclists": [
                    "/Compute-myIdentityDomain/john.doe@example.com/vpn-CSG1-secrules"
                  ],
                  "nat": "ippool:/oracle/public/ippool"
                }
              },
              "boot_order": [
                1
              ],
              "storage_attachments": [
                {
                  "index": 1,
                  "volume": "/Compute-myIdentityDomain/john.doe@example.com/corente-guest-boot-vol"
                }
              ],
              "label": "corente-guest",
              "shape": "oc3",
              "attributes": {
                "userdata": {
                  "corente-tunnel-args": "--local-tunnel-address=172.16.1.4 --csg-hostname=c9fcb5.compute-acme.oraclecloud.internal. --csg-tunnel-address=172.16.254.1 --onprem-subnets=10.2.3.0/24,10.3.2.0/24"
                }
              },
              "sshkeys": [
                "/Compute-myIdentityDomain/john.doe@example.com/adminkey"
              ]
            }
          ]
        }
      ]
    }
  ]
}
Create a GRE Tunnel
To create a GRE tunnel on your newly created Compute Classic instances:
1. SSH to the instance where you want to create a GRE tunnel.
2. Download the oc-config-corente-tunnel script onto this instance. This script is included in the greconf_orchsamples.zip file, which is available at the following location: http://www.oracle.com/technetwork/topics/cloud/downloads/network-cloud-service-2952583.html
3. Extract the contents of the greconf_orchsamples.zip file.
4. After extracting, copy the oc-config-corente-tunnel file from the Config and Orchestration directory to the /usr/bin directory.
   Note: You'll need superuser privileges to copy to /usr/bin.
5. Make the oc-config-corente-tunnel script executable:
   sudo chmod 550 oc-config-corente-tunnel
6. Run the oc-config-corente-tunnel script:
   sudo bash /usr/bin/oc-config-corente-tunnel
7. Add the following entry to /etc/rc.local so that the script runs automatically every time the instance boots:
   bash /usr/bin/oc-config-corente-tunnel
About Configuration Script Arguments
The oc-config-corente-tunnel configuration script accepts arguments from the userdata attribute corente-tunnel-args in a launch plan (refer to corente-guest-launchplan.json). The value of that attribute should be in the form of a command line with the following syntax (showing only required arguments):
--local-tunnel-address=<addr> --csg-hostname=<hostname> --csg-tunnel-address=<addr> --onprem-subnets=<subnet_cidrs>

Parameter | Description | Example
---|---|---
--csg-hostname | The host name of the cloud gateway instance. It is based on the value specified for the VPN gateway name while creating the cloud gateway; to identify this name, see the Instances page in the Compute Classic web console. Mandatory. No default value. No limit. The value for this parameter should follow the format: | c9fcb5.compute-acme.oraclecloud.internal.
--csg-tunnel-address | GRE tunnel address of the cloud gateway. If you have set up the VPN connection using the Compute Classic user interface, specify the default value 172.16.254.1. Mandatory. | 172.16.254.1
--local-tunnel-address | GRE tunnel address of the Compute instance, that is, the local address of the GRE tunnel to the Corente Services Gateway instance in the cloud. Specify the IP address that you want to assign to the GRE interface on the Linux instance. This IP address is used to communicate with the Corente Services Gateway, with instances in your on-premise environment, and with other IP addresses you define. Specify an IP address from the Mandatory. No default value. | 172.16.1.4
--onprem-subnets | List of on-premise networks participating in the VPN, as one or more comma-separated CIDRs. Mandatory. No default value. No limit. | 10.2.3.0/24,10.3.2.0/24
 | Number of pings of the cloud gateway tunnel end point in one iteration of the health check. Optional. Default is 3; the minimum is 2. | 
 | Timeout for each ping to the cloud gateway, in seconds. Optional. Default is 2; the minimum is 1. | 
 | Interval between pings to the cloud gateway, in seconds. Optional. Default is 10; the minimum is 3. | 
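The same argument string is consumed from the corente-tunnel-args userdata attribute and, later on this page, typed directly on the command line on a running instance. The following added validator (not part of the Oracle script or this documentation) checks a candidate string against the rules stated here before it is committed to an orchestration: all four required flags present, both tunnel end addresses valid and outside 10.x.x.x, and every on-premise entry a well-formed CIDR. The sample strings and the hostname gw.example.internal are constructed.

```python
import ipaddress
import shlex

# Required flags, taken from the documented corente-tunnel-args syntax.
REQUIRED = ("local-tunnel-address", "csg-hostname", "csg-tunnel-address", "onprem-subnets")
# Both GRE tunnel addresses must stay out of the 10.x.x.x range (documented requirement).
FORBIDDEN_TUNNEL_NET = ipaddress.ip_network("10.0.0.0/8")


def parse_tunnel_args(args_line):
    """Split a '--key=value ...' line into a dict; reject any token that is not --key=value."""
    parsed = {}
    for token in shlex.split(args_line):
        if not token.startswith("--") or "=" not in token:
            raise ValueError(f"malformed argument: {token!r}")
        key, value = token[2:].split("=", 1)
        parsed[key] = value
    return parsed


def validate_tunnel_args(args_line):
    """Return the problems found in a corente-tunnel-args string; an empty list means it passes."""
    try:
        args = parse_tunnel_args(args_line)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"missing required argument --{k}" for k in REQUIRED if k not in args]
    for key in ("local-tunnel-address", "csg-tunnel-address"):
        if key not in args:
            continue  # already reported as missing above
        try:
            if ipaddress.ip_address(args[key]) in FORBIDDEN_TUNNEL_NET:
                problems.append(f"--{key}={args[key]} lies in the 10.x.x.x range")
        except ValueError:
            problems.append(f"--{key}={args[key]!r} is not a valid IP address")
    if "onprem-subnets" in args:  # on-premise subnets may be in 10.x.x.x; only the tunnel ends may not
        for cidr in args["onprem-subnets"].split(","):
            try:
                ipaddress.ip_network(cidr, strict=True)
            except ValueError:
                problems.append(f"--onprem-subnets entry {cidr!r} is not a valid CIDR")
    return problems


# Constructed samples: the argument string from the sample orchestration above, and one that
# omits --csg-tunnel-address and puts the local tunnel end inside 10.x.x.x.
GOOD_ARGS = ("--local-tunnel-address=172.16.1.4 --csg-hostname=c9fcb5.compute-acme.oraclecloud.internal. "
             "--csg-tunnel-address=172.16.254.1 --onprem-subnets=10.2.3.0/24,10.3.2.0/24")
BAD_ARGS = "--local-tunnel-address=10.0.0.5 --csg-hostname=gw.example.internal --onprem-subnets=192.168.39.0/24"
```

Calling validate_tunnel_args(GOOD_ARGS) returns an empty list, while validate_tunnel_args(BAD_ARGS) reports the missing flag and the 10.x.x.x tunnel address.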
Configuring a GRE Tunnel on Running Linux Instances
You can set up a GRE tunnel to the Corente Services Gateway on existing Compute Classic instances. You can use the procedure described in this section to set up a GRE tunnel on running Linux instances without having to restart orchestrations.
Ensure that the service instance on Oracle Cloud (where the GRE script runs) and the cloud gateway instance (the one it is paired with) are part of the same security list.
Do the following:
1. Install the dig utility if it is not available. The dig utility is used for DNS resolution.
   yum install bind-utils
2. Create the opc-compute directory in /var/log for the Corente log files.
   cd /var/log
   mkdir opc-compute
3. Go to the /usr/bin directory.
   cd /usr/bin
4. Ensure that the script is executable. Run the following command:
   sudo chmod 550 oc-config-corente-tunnel
5. Run the following commands:
   $ sudo bash
   $ nohup ./oc-config-corente-tunnel --local-tunnel-address=172.16.2.2 --csg-hostname=csgdbaas-1.root.oraclecloud.internal --csg-tunnel-address=172.16.254.1 --onprem-subnets=192.168.39.0/24 &
   Note: You may have to wait up to 1 minute before the GRE tunnel is up. For a description of the configuration parameters, see About Configuration Script Arguments.
   Note: Customize the command-line parameters as needed (same syntax as the corente-tunnel-args userdata attribute). You must run the script in the background, as the script won't exit.
6. Verify that the GRE tunnel is functional by running the ping command directly against any live IP address within your data center network.
7. Add the following entry to the /etc/rc.local file.
   nohup bash /usr/bin/oc-config-corente-tunnel --local-tunnel-address=172.16.2.2 --csg-hostname=csgdbaas-1.root.oraclecloud.internal --csg-tunnel-address=172.16.254.1 --onprem-subnets=192.168.39.0/24 &
   Note: Customize the command-line parameters as needed. The values of the parameters should match the values you used when you ran the script in step 5.