Establish a VPN with Oracle Cloud Infrastructure using a Dynamic Public IP Address

Introduction

Oracle Cloud Infrastructure (OCI) does not support the use of Domain Name System (DNS) for configuring the Customer Premises Equipment (CPE) as the VPN tunnel endpoint. This tutorial aims to enable small businesses that do not have access to a static public IP address to use the IPSec service even with a dynamic address. The strategy involves deploying a script capable of automatically generating a new OCI tunnel whenever the public IP of the Customer Premises Equipment (CPE) changes.

Note: In this tutorial, the last two lines in the shell script file are used to update the IP address and shared secret of the new endpoint created on OCI within my router (MikroTik). Depending on your router, you need to update it to reflect these two values.

Objective

Prerequisites

Set up a VPN with Oracle Cloud Infrastructure

  1. To achieve a stable VPN IPSec connection with OCI while the CPE IP address changes, you have to set up a dynamically updated DNS record. Several public DNS providers support this feature; select your favorite and configure it (example: Cloudns.net).

    After you have registered and configured a public dynamic DNS record, you can set up your Linux VM.

  2. Once the Linux VM is up and running, install OCI CLI to operate on your OCI tenancy from this machine. For more information, see install and configure the OCI CLI.

  3. Install the sshpass application in case you need it to update your private MikroTik router settings.

    sudo apt-get install sshpass
    
  4. Create the .sh file, copy the following script into it and make it executable. Remember to modify the script with your data: the compartment ID, the DRG ID and the DNS name that points to your CPE.

    Note: You can find the oci path by running this command in your terminal:

    which oci
    

    Note: The last section of the script, dedicated to the MikroTik router, is only necessary if you are using a MikroTik router. Otherwise, you have to implement the commands that update the OCI tunnel endpoint IP address and the shared secret on your router.

    nano VPN_update.sh
    
    #!/bin/bash
    
    # OCI variables
    export compartment_id=ocid1.compartment.oc1…  # your OCI compartment ID
    export drg_id=ocid1.drg.oc1.eu-frankfurt-1…   # your DRG ID
    export DNS_cpe=YOUR_DYNAMIC_DNS_RECORD_POINT_TO_YOUR_CPE # (example: your-domain.com)
    
    # MikroTik variables
    export static_routes=192.168.1.0/24 # (YOUR PRIVATE SUBNET)
    export router_ip=192.168.1.1        # (YOUR ROUTER PRIVATE IP ADDRESS)
    export router_user=USER             # (YOUR ROUTER USER)
    export router_password=PWD          # (YOUR ROUTER PASSWORD)
    
    # oci command path (to find it, type 'which oci' in the terminal)
    export oci_path=PATH # (YOUR oci COMMAND PATH, example: /home/ubuntu/bin/oci)
    
    # Resolve the dynamic DNS record to the current public address of the CPE.
    export ip_address=$(ping -c 1 "$DNS_cpe" | gawk -F'[()]' '/PING/{print $2}')
    if [[ -z $ip_address ]]
    then
        printf -- "%s\n" "could not resolve $DNS_cpe - EXIT"
        exit 1
    fi
    
    # Is there already an IPSec connection whose CPE identifier is this address?
    check_out=$($oci_path network ip-sec-connection list --compartment-id "$compartment_id" --all --query "data[?\"cpe-local-identifier\"=='$ip_address']" | sed 's|[[]]||g')
    
    if [[ -n $check_out ]]
    then
        printf -- "%s\n" "IP of the CPE is not changed - EXIT"
        exit
    
    else
        printf -- "%s\n" "create new IPSEC tunnel"
    
        # Register the new CPE address and create the Site-to-Site VPN connection to the DRG.
        cpe_id=$($oci_path network cpe create --compartment-id "$compartment_id" --ip-address "$ip_address" --query data.id --raw-output)
    
        # Double quotes are needed here so that $static_routes is expanded inside the JSON list.
        ipsc_id=$($oci_path network ip-sec-connection create --compartment-id "$compartment_id" --cpe-id "$cpe_id" --drg-id "$drg_id" --static-routes "[\"$static_routes\"]" --query data.id --raw-output)
    
        # Every connection comes with two tunnels: read their IDs, OCI endpoint IPs and shared secrets.
        tunnel_id1=$($oci_path network ip-sec-tunnel list --ipsc-id "$ipsc_id" --all --query 'data[0].id' --raw-output)
        tunnel_id2=$($oci_path network ip-sec-tunnel list --ipsc-id "$ipsc_id" --all --query 'data[1].id' --raw-output)
    
        ip_sec_psk1=$($oci_path network ip-sec-psk get --ipsc-id "$ipsc_id" --tunnel-id "$tunnel_id1" --query 'data."shared-secret"' --raw-output)
        ip_sec_psk2=$($oci_path network ip-sec-psk get --ipsc-id "$ipsc_id" --tunnel-id "$tunnel_id2" --query 'data."shared-secret"' --raw-output)
    
        vpn_ip1=$($oci_path network ip-sec-tunnel list --ipsc-id "$ipsc_id" --all --query 'data[0]."vpn-ip"' --raw-output)
        vpn_ip2=$($oci_path network ip-sec-tunnel list --ipsc-id "$ipsc_id" --all --query 'data[1]."vpn-ip"' --raw-output)
    
        # The shared secrets are printed here, so keep the cron output of this script private.
        echo OCI TUNNEL 1 IP and SHARED SECRET
        echo "$vpn_ip1"
        echo "$ip_sec_psk1"
    
        echo OCI TUNNEL 2 IP and SHARED SECRET
        echo "$vpn_ip2"
        echo "$ip_sec_psk2"
    
        # MikroTik router update section (run the sshpass command manually once before running this script).
        # Remove these two lines if you do not need them. The password must be in double quotes,
        # otherwise $router_password is passed literally and the login fails.
        sshpass -p "$router_password" ssh "$router_user@$router_ip" "/ip ipsec/ identity/ set number=0 secret=$ip_sec_psk1"
        sshpass -p "$router_password" ssh "$router_user@$router_ip" "/ip ipsec/ peer/ set number=0 address=$vpn_ip1"
    fi
    
    chmod +x VPN_update.sh
    

    Note: The script can create the tunnels but cannot terminate the old ones. Sometimes you have to log in to the OCI Console and terminate the unused old OCI Site-to-Site VPN connections, or add this function to the script.
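
    Since the script cannot remove the connections it supersedes, the following is an added example (not part of this tutorial) of a cleanup that can be appended to VPN_update.sh or run alongside it. It reuses the script's variables (oci_path, compartment_id, drg_id, ip_address), assumes jq is installed, and the OCIDs in the sample rows are constructed placeholders.

```shell
#!/bin/bash
# Added example, not part of the original tutorial: remove the Site-to-Site VPN
# connections and CPE objects that VPN_update.sh leaves behind once the CPE
# address has changed. Reuses VPN_update.sh variables; assumes jq is installed.

# Pure selection step, testable offline. Input rows on stdin:
#   ipsc_id<TAB>cpe_id<TAB>cpe_local_identifier<TAB>lifecycle_state
# Output: "ipsc_id<TAB>cpe_id" for every AVAILABLE connection whose CPE
# identifier is not the current public address (the live tunnel is kept,
# and connections already TERMINATING are skipped).
select_stale_connections() {
    local current_ip=$1
    awk -F'\t' -v ip="$current_ip" '$3 != ip && $4 == "AVAILABLE" { print $1 "\t" $2 }'
}

# Fetch the connections attached to our DRG as tab-separated rows.
# With --query the CLI prints only the filtered JSON array, which jq flattens.
list_connections_tsv() {
    "$oci_path" network ip-sec-connection list \
        --compartment-id "$compartment_id" --all \
        --query "data[?\"drg-id\"=='$drg_id']" |
    jq -r '.[] | [.id, ."cpe-id", ."cpe-local-identifier", ."lifecycle-state"] | @tsv'
}

# Delete each stale connection, wait until it is TERMINATED, then delete its
# CPE: a CPE cannot be removed while a connection still references it.
cleanup_stale_tunnels() {
    local current_ip=$1 ipsc_id cpe_id
    list_connections_tsv | select_stale_connections "$current_ip" |
    while IFS=$'\t' read -r ipsc_id cpe_id; do
        printf 'terminating stale IPSec connection %s\n' "$ipsc_id"
        "$oci_path" network ip-sec-connection delete --ipsc-id "$ipsc_id" \
            --force --wait-for-state TERMINATED
        "$oci_path" network cpe delete --cpe-id "$cpe_id" --force
    done
}

# Constructed sample rows (placeholder OCIDs, not real ones) that show the
# selection offline: with current address 203.0.113.11 only the ...aaa pair
# is printed; ...bbb is the live tunnel and ...ccc is already terminating.
sample_rows() {
    printf '%s\t%s\t%s\t%s\n' \
        ocid1.ipsecconnection.oc1..aaa ocid1.cpe.oc1..aaa 203.0.113.10 AVAILABLE \
        ocid1.ipsecconnection.oc1..bbb ocid1.cpe.oc1..bbb 203.0.113.11 AVAILABLE \
        ocid1.ipsecconnection.oc1..ccc ocid1.cpe.oc1..ccc 203.0.113.12 TERMINATING
}
sample_rows | select_stale_connections 203.0.113.11
# For a real cleanup, after VPN_update.sh has run: cleanup_stale_tunnels "$ip_address"
```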

  5. Add the script to the crontab if you want to execute it automatically.

    crontab -e
    

    Note: Add the frequency and the script path as the last line of the crontab. The following entry executes the script every 15 minutes.

    */15 * * * * YOUR_SCRIPT_PATH/VPN_update.sh
    

Next time your CPE IP address changes, the OCI tunnel will be recreated with the new IP address and shared secret within a maximum of 15 minutes.

Acknowledgments

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.