Note:

• This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
• It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.

Set up OpenVPN for Remote Access in a Single Region on Oracle Cloud Infrastructure

Introduction

With remote work and cloud adoption on the rise, secure access to company resources has never been more critical. A Remote Access VPN allows users to connect to their organization’s network from anywhere, encrypting all data to protect it from unauthorized access. Whether working from a remote office, home, or on the go, a Virtual Private Network (VPN) ensures that connections remain private and secure.

In this tutorial series, we will take you step-by-step through the process of building the architecture outlined in the following image.

VPN in Oracle Cloud Infrastructure (OCI)

VPN is essential for establishing secure communication between your on-premises data center, another cloud environment your organization uses, or remote offices, with your OCI setup. In OCI, there are two types of VPNs you might need, each suited for different use cases.

• Site-to-Site VPN: Connects entire networks, making it ideal for linking multiple offices or branches securely with OCI. Site-to-Site VPN is a native service that is available in OCI, it uses industry standard IPSec protocol to provide private, secure connectivity from your corporate networks and sites to OCI using your existing internet connection.

• Remote Access VPN (Point-to-Site VPN): Unlike Site-to-Site VPN, which connects entire networks with each other, Remote Access VPN establishes a secure connection between a single device (user) and the destination network using a VPN client application. At this time, OCI does not offer a native Remote Access VPN service. However, it can be achieved by utilizing marketplace images like OpenVPN which you can deploy on a compute instance.

Note: This tutorial focuses only on setting up Remote Access VPN using OpenVPN.

Overview of OpenVPN

OpenVPN is a widely used VPN solution that is available in multiple flavors to suit different needs. In this tutorial, we will focus on:

• OpenVPN Access Server: Designed specifically for businesses, it protects data communication, secures Internet of Things (IoT), and provides secure remote access to on-premises, data center, or public cloud resources. It includes a web-based management interface and is ideal for businesses seeking a reliable, enterprise-grade VPN. OpenVPN Access Server is free to install and use for two simultaneous VPN connections. You will deploy it on an OCI Compute instance from the marketplace in this tutorial.

• OpenVPN Connect: The official VPN client for Windows, macOS, iOS, and Android. By the end of this tutorial, you will install OpenVPN Connect and use it to connect to the OpenVPN Access Server, and then test connectivity to your target private resources in the cloud.

For more information about different OpenVPN products, see Which OpenVPN product is right for you?.

Objectives

• Provision OpenVPN Access Server from OCI marketplace and do the initial setup.

• Configure OpenVPN Access Server for remote access.

• Configure the required OCI routing and security to access your target virtual machine (VM) in the same region as the OpenVPN (Toronto).

• Install OpenVPN Connect on your PC and test access to the target VM.

Final Architecture for the first part of the tutorial

You will build the following environment from scratch.

Prerequisites

• Access to an OCI tenancy and permissions to manage the required network and compute services.

• Basic understanding of VPN.

• Basic understanding of OCI network routing and security and their functionalities: Virtual Cloud Network (VCN), Route Tables, Dynamic Routing Gateway (DRG), and Security Lists.

Task 1: Create a Dynamic Routing Gateway

• Log in to the OCI Console and click the hamburger menu (≡) from the upper left corner.

  

  1. Click Networking.
  2. Click Dynamic routing gateway.

  

• Click Create dynamic routing gateway.

  

  1. Enter a Name for DRG.
  2. Click Create dynamic routing gateway.

  

• DRG is created successfully.

  

• We are adding every component we are provisioning at the end of each task to the architecture. So, you can see how our environment looks like until now.

  

Task 2: Set up a Spoke Virtual Cloud Network

Task 2.1: Create a VCN

• Click the hamburger menu (≡) from the upper left corner.

  

  1. Click Networking.
  2. Click Virtual cloud networks.

  

• Click Create VCN.

  

  1. Enter a Name for the VCN.
  2. Enter 10.1.0.0/24 as IPv4 CIDR Block.
  3. Click Create VCN.

  

• The Spoke-VCN-1 VCN is created successfully.

  

Task 2.2: Attach the VCN to the DRG

• Go to the Virtual Cloud Networks Details page.

  1. Click Dynamic Routing Gateways Attachments.
  2. Click Create DRG Attachment.

  

  1. Enter a Name for the attachment.
  2. Select Current tenancy as DRG Location.
  3. Select DRG created in Task 1.
  4. Click Create DRG Attachment.

  

• VCN is attached successfully to the DRG.

  

Task 2.3: Create a Private Subnet

• In the Virtual Cloud Networks Details page, click Create Subnet.

  

  1. Enter a Name for the subnet.
  2. Select Regional.
  3. Enter 10.1.0.0/27 as IPv4 CIDR Block.

  

  1. Select Default Route Table in Route Table.
  2. Select Private Subnet.

  

  1. Select Default Security List in Security List.
  2. Click Create Subnet.

  

• Private subnet is created successfully.

  

Task 2.4: Configure Routing and Security on the Subnet

• In the Virtual Cloud Networks Details page, click the private subnet.

  

• Click Route Table which is an assigned route table.

  

• Make sure to add the following rule.

  • 192.168.0.0/24 - DRG: Route traffic destined to Hub-Public-Subnet which will have the OpenVPN Access Server to the DRG.

  

• The routing part for Spoke-VCN-1 subnet is finished, let us do the security now. Go to the Subnet Details page and click the assigned security list.

  

• Make sure to allow ingress traffic.

  • Echo requests (ping traffic) from Hub-Public-Subnet (ICMP, type 8). This is for testing at the end.

  

• Make sure to allow all the egress traffic.

  

• The current environment should look like this.

  

Task 3: Provision a Test VM (Target-Instance-1)

Task 3.1: Generate SSH Key Pair with PuTTY Key Generator (Optional)

Notes:

1. We are using PuTTY in this tutorial to generate SSH keys and to access the VMs, but feel free to use any other similar tool of your choice.
2. This is needed only if SSH access is required to the instance. In this tutorial, we are going to test by only pinging the instance.

• Install PuTTY from here: Download PuTTY.

• Open PuTTY Key Generator and click Generate.

  

• Keep hovering your mouse cursor over the blank area until the key generation is completed.

  

• Click Save private key. This will be used when accessing the instance.

  

  1. Enter a Name for the private key file.
  2. Click Save.

  

• Copy the Public key, and paste it on a text file, we need it during the VM creation.

  

Task 3.2: Provision Target-Instance-1 Compute Instance

• Click the hamburger menu (≡) from the upper left corner.

  

  1. Click Compute.
  2. Click Instances.

  

• Click Create instance.

  

• Enter a Name for the instance.

  

• Keep the Image and Shape settings as default.

  

• In Primary network, enter the following information.

  1. Select the Spoke-VCN-1 VCN.
  2. Select the private subnet.

  

  1. Select Manually assign private IPv4 address.
  2. Enter the private IPv4 address for the instance 10.1.0.30.

  

  1. Paste the public key generated in Task 3.1.
  2. Click Create.

  

Note: In the previous step, select “No SSH keys” option if you are not planning to access the instance.

• The Target-Instance-1 compute instance is created successfully.

  

• The current environment should look like this.

  

Task 4: Set up Hub Virtual Cloud Network

Task 4.1: Create a VCN

• Click the hamburger menu (≡) from the upper left corner.

  

  1. Click Networking.
  2. Click Virtual cloud networks.

  

• Click Create VCN.

  

  1. Enter a Name for the VCN.
  2. Enter 192.168.0.0/16 as IPv4 CIDR Block.
  3. Click Create VCN.

  

• The Hub-VCN VCN is created successfully.

  

Task 4.2: Attach the VCN to the DRG

• Go to the Virtual Cloud Networks Details page.

  1. Click Dynamic Routing Gateways Attachments.
  2. Click Create DRG Attachment.

  

  1. Enter a Name for the attachment.
  2. Select Current tenancy as DRG Location.
  3. Select DRG created in Task 1.
  4. Click Create DRG Attachment.

  

• VCN is attached successfully to the DRG.

  

Task 4.3: Create an Internet Gateway

• Go to the Virtual Cloud Networks Details page.

  1. Click Internet Gateways.
  2. Click Create Internet Gateway.

  

  1. Enter a Name for the internet gateway.
  2. Click Create Internet Gateway.

  

• Internet gateway is created successfully.

  

Task 4.4: Create a Public Subnet

• In the Virtual Cloud Networks Details page, click Create Subnet.

  

  1. Enter a Name for the subnet.
  2. Select Regional.
  3. Enter 192.168.0.0/24 as IPv4 CIDR Block.

  

  1. Select Default Route Table in Route Table.
  2. Select Public Subnet.

  

  1. Select Default Security List in Security List.
  2. Click Create Subnet.

  

• Public subnet is created successfully.

  

Task 4.5: Configure Routing and Security on the Subnet

• In the Virtual Cloud Networks Details page, click the public subnet.

  

• Click Route Table which is an assigned route table.

  

• Make sure to add the following rules.

  • 0.0.0.0/0 - IGW: To have bi-directional access with the Internet, this is needed for us to access the public OpenVPN server.

  • 10.1.0.0/27 - DRG: Route traffic destined to Spoke-Private-Subnet which has the target test instance to the DRG.

  

• As we have finished the routing part for Hub-VCN subnet, let us do the security now. Go to the Subnet Details page and click the assigned security list.

  

• Make sure to allow ingress traffic related to OpenVPN Access Server.

  • TCP traffic from anywhere (port 443 and port 943).
  • UDP traffic from anywhere (port 1194).

  

• Make sure to allow all the egress traffic.

  

• The current environment should look like this.

  

Task 5: Provision and Configure OpenVPN Access Server

Task 5.1: Provision OpenVPN from marketplace

• Click the hamburger menu (≡) from the upper left corner.

  

  1. Click Marketplace.
  2. Click All Applications.

  

  1. Enter OpenVPN in search bar.
  2. Select OpenVPN Access Server BYOL.

  

  1. Note that with this image you will get two simultaneous connections for FREE.
  2. Select version.
  3. Click Launch Instance.

  

• Enter a Name for the instance.

  

• Keep the Image and Shape settings as default.

  

• In Primary network, enter the following information.

  1. Select the Hub-VCN VCN.
  2. Select the public subnet.

  

  1. Select Manually assign private IPv4 address.
  2. Enter 192.168.0.2 as the private IPv4 address for the instance.
  3. Select Automatically assign public IPv4 address.

  

  1. Paste the public key generated in Task 3.1.
  2. Click Create.

  

• The OpenVPN compute instance is created successfully.

  1. Note the Public IP address of the instance.
  2. The default Username is ubuntu. However, we will not use it when logging into the instance.

  

Task 5.2: Access OpenVPN VM from PuTTY and Complete the Initial Setup

• Open PuTTY Configuration.

  1. Click Credentials.
  2. Upload the private key downloaded in Task 3.1.

  

  1. Click Session.
  2. Enter the following information.
     • Host Name: Enter public IP address of the OpenVPN instance.
     • Connection type: Select SSH.
     • Port: Enter 22.
  3. Click Open.

  

• Click Accept.

  

• Enter openvpnas as Username.

  

  1. Enter yes to agree on the terms.
  2. Press Enter as we do not intend to have more than one access server.
  3. Press Enter.

  

  1. Press Enter to select the default algorithm (RSA).
  2. Press Enter to select the default key size (2048).
  3. Press Enter to select the default algorithm (RSA).

  

  1. Press Enter to select the default key size (2048).
  2. Press Enter to select the default port number (943).
  3. Press Enter to select the default port number (443).
  4. Press Enter to confirm.
  5. Press Enter to confirm.
  6. Press Enter to confirm.

  

  1. Press Enter to use openvpn as the default username when logging into the Admin UI.
  2. Fill your new Password and press Enter.
  3. Fill the password again and press Enter.
  4. Press Enter.

  

  1. The configuration is done.
  2. Note down the Admin UI URL: https://192.168.0.2:943/admin.
  3. Note down the Client UI URL: https://192.168.0.2:943/.

  Note: We will use the public IP address to access the Admin UI instead of the private one shown in the following screenshot.

  

Task 5.3: Configure Remote Access

• Open a browser tab.

  1. Access the following URL: https://<publicip>/admin, ensure to replace <publicip> with the public IP address of the OpenVPN instance you created.
  2. Click Advanced.
  3. Click Proceed.

  

  1. Enter openvpn as Username.
  2. Enter the password.
  3. Click Sign In.

  

• Click Agree.

  

• As we mentioned earlier, you are granted two free VPN connections at the same time.

  

  1. Click Configuration.
  2. Click Network Settings.
  3. Enter the public IP address for the OpenVPN instance in Hostname or IP Address.
  4. Click Save Settings.

  

• Click Update Running Server.

  

  1. Click Configuration.
  2. Click VPN Settings.
  3. Under Routing, add the private subnet of Spoke-VCN-1 (10.1.0.0/27) which we plan to access through VPN.
  4. Click Save Settings.

  

• Click Update Running Server.

  

• Set up your username which you are going to use when connecting to VPN from OpenVPN Client on your device.

  1. Click User Management.
  2. Click User Permissions.
  3. Enter your new Username.
  4. Select Allow Auto-login.
  5. Click More Settings.
  6. Enter Password.
  7. Click Save Settings.

  

• Click Update Running Server.

  

• Username is created successfully.

  

• Now all components are provisioned as showed in the architecture and ready to test.

  

Task 6: Test and Validate

• The following image shows the test scenario we want to complete.

  

Task 6.1: Install OpenVPN Connect

• Download OpenVPN Connect in your local machine from here: OpenVPN Connect for Windows.

  

  1. Run the downloaded .msi file.
  2. Click Next.

  

  1. Select I accept the terms in the License Agreement.
  2. Click Next.

  

• Click Install.

  

• Click Finish.

  

Task 6.2: Set up OpenVPN Connect

• Click Agree.

  

  1. In Type Server Address or Cloud ID, enter the public IP address of OpenVPN server as https://<publicip>.
  2. Click Next.

  

• Click Accept.

  

• In Import Profile, use the profile information you provided in Task 5.3.

  1. Enter Username.
  2. Enter Password.
  3. Profile Name is filled automatically.
  4. Select Import autologin profile.
  5. Select Connect after import.
  6. Click Import.

  

  1. You are CONNECTED now.
  2. Note that you will be disconnected from the Internet when connected through VPN.

  

Task 6.3: Ping Target-Instance-1 Instance

• Ping Target-Instance-1 (10.1.0.30). As you see the test is successful.

  

• Turn off VPN when you finish testing.

  

• Click Confirm.

  

• You are DISCONNECTED now.

  

• If you try to ping again, you will notice that the ping fails.

  

• If you check the spoke subnet logs, you can see traffic coming from OpenVPN (192.168.0.2) to Target-Instance-1 (10.1.0.30) and the response sent back.

  

Next Steps

In the second part of the tutorial Set up OpenVPN for Remote Access Across Multiple Regions on Oracle Cloud Infrastructure, we are going to extend the same setup to include another region which we will connect with remote peering connection. You will use the same OpenVPN Access Server to connect to resources in the new Disaster Recovery region after setting up the required network configuration.

Acknowledgments

• Author - Anas abdallah (Cloud Networking Specialist)

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

---

Title and Copyright Information

Set up OpenVPN for Remote Access in a Single Region on Oracle Cloud Infrastructure

G27610-02

Copyright ©2025, Oracle and/or its affiliates.