Note:

• This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
• It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.

Set up OpenVPN for Remote Access Across Multiple Regions on Oracle Cloud Infrastructure

Introduction

With remote work and cloud adoption on the rise, secure access to company resources has never been more critical. A Remote Access VPN allows users to connect to their organization’s network from anywhere, encrypting all data to protect it from unauthorized access. Whether working from a remote office, home, or on the go, a VPN ensures that connections remain private and secure.

In this tutorial series, we will take you step-by-step through the process of building the architecture outlined in the following image.

Objectives

• Configure OpenVPN Access Server for remote access to the new VCN in DR region.

• Configure the required OCI routing and security to access your target virtual machine (VM) in the DR region (Montreal) which we will connect to Toronto using Remote Peering Connection (RPC).

• Test access to the target VM.

Final Architecture for the second part of the tutorial

You will continue from the last task in Tutorial 1: Set up OpenVPN for Remote Access in a Single Region on Oracle Cloud Infrastructure and complete building the following environment.

Prerequisites

• Access to an OCI tenancy and permissions to manage the required network and compute services.

• Basic understanding of VPN.

• Basic understanding of OCI network routing and security and their functionalities: Virtual Cloud Network (VCN), Route Tables, Dynamic Routing Gateway (DRG), and Security Lists.

• Complete Tutorial 1: Set up OpenVPN for Remote Access in a Single Region on Oracle Cloud Infrastructure, where you should have already built the following architecture.

  

Task 1: Create a Dynamic Routing Gateway (DRG)

• Click the hamburger menu (≡) from the upper left corner.

  

  1. Click Networking.
  2. Click Dynamic routing gateway.

  

• Click Create dynamic routing gateway.

  

  1. Enter a Name for the DRG.
  2. Click Create dynamic routing gateway.

  

• DRG is created successfully.

  

• We are adding every component we are provisioning at the end of each task to the architecture. So, you can see how the environment looks like until now.

  

Task 2: Establish Remote Peering Connection (RPC) between the Primary and DR Regions

Remote Peering Connection (RPC) enables Virtual Cloud Networks (VCNs) in different regions to communicate privately through their respective DRGs. In this task, we will create an RPC in each of the DRGs in order to establish the connection, allowing seamless private connectivity between VCNs in both regions.

• Go to DRG-1 in primary region (Toronto) created in Tutorial 1.

  1. Click Remote peering connection attachments.
  2. Click Create remote peering connection.

  

  1. Enter a Name for the RPC.
  2. Click Create remote peering connection.

  

• RPC attachment is created successfully.

  

• Click the RPC name.

  

  1. Note that status is New (not peered), after we create the other RPC in the Montreal region and establish the connection, we will see the status as Peered.
  2. Copy the RPC OCID into a text file, we will use it when establishing the connection in the next few steps.

  

• Go to DRG-2 in Montreal region created in Task 1.

  1. Click Remote peering connection attachments.
  2. Click Create remote peering connection.

  

  1. Enter a Name for the RPC.
  2. Click Create remote peering connection.

  

• RPC attachment is created successfully.

  

• Click the RPC name, as we are going to establish the connection with RPC-1.

  

  1. Note that status is New (not peered).
  2. Click Establish connection.

  

• Note that we can establish the connection from either region. Here we are going to do it from DR region (Montreal).

  1. Select ca-toronto-1 as Region.
  2. In Remote peering connection OCID, paste the RPC-1 OCID copied in previous step.
  3. Click Establish connection.

  

• Status is Pending.

  

• Connection is established successfully. You can see the status is now Peered.

  

• You will see the same Peered status in Toronto region.

  

• The current environment should look like this.

  

Task 3: Set up Spoke Virtual Cloud Network (VCN)

Task 3.1: Create a VCN

• Click the hamburger menu (≡) from the upper left corner.

  

  1. Click Networking.
  2. Click Virtual cloud networks.

  

• Click Create VCN.

  

  1. Enter a Name for the VCN.
  2. Enter 10.2.0.0/24 as IPv4 CIDR Block.
  3. Click Create VCN.

  

• The Spoke-VCN-2 VCN is created successfully.

  

Task 3.2: Attach the VCN to the DRG

• Go to the VCN details page.

  1. Click Dynamic Routing Gateways Attachments.
  2. Click Create DRG Attachment.

  

  1. Enter a Name for the attachment.
  2. Select Current tenancy as DRG Location.
  3. Select DRG created in Task 1.
  4. Click Create DRG Attachment.

  

• VCN is attached successfully to the DRG.

  

Task 3.3: Create a Private Subnet

• In the VCN details page, click Create Subnet.

  

  1. Enter a Name for the subnet.
  2. Select Regional as Subnet Type.
  3. Enter 10.2.0.0/27 as IPv4 CIDR Block.

  

  1. Select Default Route Table in Route Table.
  2. Select Private Subnet as Subnet Access.

  

  1. Select Default Security List in Security List.
  2. Click Create Subnet.

  

• Private subnet is created successfully.

  

Task 3.4: Configure Routing and Security on the Subnet

• Go to the VCN details page and click the private subnet.

  

• Click Route Table which is an assigned route table.

  

• Make sure to add the following rule.

  • 192.168.0.0/24 - DRG: Route traffic destined to Hub-Public-Subnet which contains the OpenVPN Access Server to the DRG.

  

• As we have finished the routing part for Spoke-VCN-2 subnet, let us do the security now. Go to the Subnet Details page and click the assigned security list.

  

• Make sure to allow ingress traffic.

  • Echo requests (ping traffic) from Hub-Public-Subnet (ICMP, type 8). This is for testing at the end.

  

• Make sure to allow all the egress traffic.

  

• The current environment should look like this.

  

Task 4: Provision a Test VM (Target-Instance-2)

• We generated an SSH key pair in Tutorial 1, you can use the same public key when creating Target-Instance-2.

  Note: We are not going to access the instance with SSH, we are just going to ping it, so you can just select No SSH keys for the sake of this tutorial. If SSH access is needed, follow the steps in this link to generate the keys Task 3.1: Generate SSH Key Pair with PuTTY Key Generator

• Click the hamburger menu (≡) from the upper left corner.

  

  1. Click Compute.
  2. Click Instances.

  

• Click Create instance.

  

• Enter a Name for the instance.

  

• Keep the Image and Shape settings as default.

  

• In Primary network, enter the following information.

  1. Select Spoke-VCN-2.
  2. Select the private subnet.

  

  1. Select Manually assign private IPv4 address.
  2. Enter the private IPv4 address for the instance 10.2.0.30.

  

  1. Paste the public key.
  2. Click Create.

  

• The Target-Instance-2 compute instance is created successfully.

  

• The current environment should look like this.

  

Task 5: Configure Routing on Hub-VCN

• Go to the VCN details page and click the public subnet.

  

• Click Route Table which is an assigned route table.

  

• Make sure to add the following rule.

  • 10.2.0.0/27 - DRG: Route traffic destined to Spoke-Private-Subnet in Montreal region which has the second target test instance to the DRG.

  

• We already have a default egress security rule that allows all traffic.

Task 6: Configure Remote Access on OpenVPN to Spoke-VCN-2 VCN

• Open a browser tab.

  1. Access the following URL: https://<publicip>/admin, ensure to replace <publicip> with the public IP address of the OpenVPN instance you created.
  2. Click Advanced.
  3. Click Proceed.

  

  1. Enter openvpn as Username.
  2. Enter the password.
  3. Click Sign In.

  

  1. Click Configuration.
  2. Click VPN Settings.
  3. Under Routing, add the private subnet of Spoke-VCN-2 (10.2.0.0/27) which we plan to access through VPN.
  4. Click Save Settings.

  

• Click Update Running Server.

  

Task 7: Test and Validate

• The following image shows the test scenario we want to achieve.

  

• We will use OpenVPN Connect which you installed and configured on your PC in Tutorial 1: Set up OpenVPN for Remote Access in a Single Region on Oracle Cloud Infrastructure.

• Open OpenVPN Connect, and connect to the profile you have already created.

  

  1. You are CONNECTED now.
  2. Note that you will be disconnected from the Internet when connected through VPN.

  

• Ping Target-Instance-2 (10.2.0.30). As you can see, the test is successful.

  

• If you check the spoke subnet logs, you can see traffic coming from OpenVPN (192.168.0.2) to Target-Instance-2 (10.2.0.30) and the response sent back.

  

Conclusion

In this tutorial series, you have learned how to deploy and configure OpenVPN for remote access to your OCI resources, whether you need access from a remote office, home, or while on the go. We covered how to set up OpenVPN to connect to resources within the same region as the OpenVPN or in a different region. Detailed explanations were provided for the necessary OCI configurations, including enabling communication from your PC to the OpenVPN public server, and from there to virtual machines in the primary or DR region, we also explored key OCI components while doing that such as the DRG and how to leverage it for RPC between regions.

Acknowledgments

• Author - Anas Abdallah (Cloud Networking Specialist)

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

---

Title and Copyright Information

Set up OpenVPN for Remote Access Across Multiple Regions on Oracle Cloud Infrastructure

G27891-02

Copyright ©2025, Oracle and/or its affiliates.