Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Establish a VPN with Oracle Cloud Infrastructure using a Dynamic Public IP Address
Introduction
Oracle Cloud Infrastructure (OCI) does not support the use of a Domain Name System (DNS) name for configuring the Customer Premises Equipment (CPE) as the VPN tunnel endpoint. This tutorial aims to enable small businesses that do not have access to a static public IP address to use the IPSec service even with a dynamic address. The strategy involves deploying a script that automatically creates a new OCI tunnel whenever the public IP address of the CPE changes.
Note: In this tutorial, the last two lines of the shell script update the IP address and shared secret of the new endpoint created on OCI within my router (MikroTik). Depending on your router, you need to adapt these two lines so that they set the same two values on your device.
Objective
- Create a new Oracle Cloud Infrastructure Site-to-Site VPN tunnel with the new updated CPE IP address.
Prerequisites
- A dynamically updated DNS record that points to your public CPE IP address.
- A Linux virtual machine (VM).
- Install sshpass on the Linux VM. In this tutorial, it is used to send commands to the MikroTik router.
- Install and configure the Oracle Cloud Infrastructure Command Line Interface (OCI CLI).
- Generate an API key. For more information, see How to Generate an API Signing Key.
Set up a VPN with Oracle Cloud Infrastructure
- To achieve a stable VPN IPSec connection with OCI when the CPE IP address changes, you have to set up a dynamically updated DNS record. Several public DNS providers support this feature. Select your favorite and configure it (example: Cloudns.net).
After you have registered and configured a public dynamic DNS record, you can set up your Linux VM.
- Once the Linux VM is up and running, install the OCI CLI to operate on your OCI tenancy from this machine. For more information, see Install and Configure the OCI CLI.
- Install the sshpass application in case you need it to update your private MikroTik router settings.
sudo apt-get install sshpass
- Create the .sh file, copy the following script into it and make it executable. Remember to modify the script with your data: the compartment ID, the DRG ID and the DNS name that points to your CPE.
Note: You can find the oci path by executing this command in your terminal:
which oci
Note: The last section of the script, dedicated to the MikroTik router, is only necessary if you are using a MikroTik router. Otherwise you have to implement the commands that update the OCI tunnel endpoint IP address and the shared secret in your router yourself.
nano VPN_update.sh
#!/bin/bash

# OCI variables
export compartment_id=ocid1.compartment.oc1…   # your OCI compartment ID
export drg_id=ocid1.drg.oc1.eu-frankfurt-1…    # your DRG ID
export DNS_cpe=YOUR_DYNAMIC_DNS_RECORD_POINT_TO_YOUR_CPE   # (example: your-domain.com)

# MikroTik variables
export static_routes=192.168.1.0/24   # (YOUR PRIVATE SUBNET)
export router_ip=192.168.1.1          # (YOUR ROUTER PRIVATE IP ADDRESS)
export router_user=USER               # (YOUR ROUTER USER)
export router_password=PWD            # (YOUR ROUTER PASSWORD)

# oci command path (to find the path of the oci command, type 'which oci' in the terminal)
export oci_path=PATH   # (YOUR oci COMMAND PATH. example: /home/ubuntu/bin/oci)

# Resolve the dynamic DNS record to the current public IP address of the CPE
export ip_address=$(ping -c 1 "$DNS_cpe" | gawk -F'[()]' '/PING/{print $2}')

# Look for an IPSec connection whose CPE identifier already matches that address.
# The sed strips the empty list "[]", so check_out is empty when there is no match.
check_out=$($oci_path network ip-sec-connection list --compartment-id "$compartment_id" --all --query "data[?\"cpe-local-identifier\"=='$ip_address']" | sed 's|[[]]||g')

if [[ -n $check_out ]]
then
    printf -- "%s\n" "IP of the CPE is not changed - EXIT"
    exit
else
    printf -- "%s\n" "create new IPSEC tunnel"
    # Register the new CPE public address in OCI
    cpe_id=$($oci_path network cpe create --compartment-id "$compartment_id" --ip-address "$ip_address" --query data.id --raw-output)
    $oci_path network cpe update --cpe-id "$cpe_id"
    # Create the Site-to-Site VPN (IPSec connection) between the new CPE and the DRG
    ipsc_id=$($oci_path network ip-sec-connection create --compartment-id "$compartment_id" --cpe-id "$cpe_id" --drg-id "$drg_id" --static-routes "[\"$static_routes\"]" --query data.id --raw-output)
    $oci_path network ip-sec-connection update --ipsc-id "$ipsc_id"
    # Every IPSec connection has two tunnels: read their IDs, shared secrets and OCI-side public IPs
    tunnel_id1=$($oci_path network ip-sec-tunnel list --ipsc-id="$ipsc_id" --all --query 'data[0].id' --raw-output)
    tunnel_id2=$($oci_path network ip-sec-tunnel list --ipsc-id="$ipsc_id" --all --query 'data[1].id' --raw-output)
    ip_sec_psk1=$($oci_path network ip-sec-psk get --ipsc-id="$ipsc_id" --tunnel-id="$tunnel_id1" | grep -oP '(?<="shared-secret": ").*(?=")')
    ip_sec_psk2=$($oci_path network ip-sec-psk get --ipsc-id="$ipsc_id" --tunnel-id="$tunnel_id2" | grep -oP '(?<="shared-secret": ").*(?=")')
    vpn_ip1=$($oci_path network ip-sec-tunnel list --ipsc-id="$ipsc_id" --all --query 'data[0]."vpn-ip"' --raw-output)
    vpn_ip2=$($oci_path network ip-sec-tunnel list --ipsc-id="$ipsc_id" --all --query 'data[1]."vpn-ip"' --raw-output)
    echo OCI TUNNEL 1 IP and SHARED SECRET
    echo "$vpn_ip1"
    echo "$ip_sec_psk1"
    echo OCI TUNNEL 2 IP and SHARED SECRET
    echo "$vpn_ip2"
    echo "$ip_sec_psk2"
    # MikroTik router update section (run the sshpass command manually once before running this script).
    # Delete these two rows if you don't need them.
    sshpass -p "$router_password" ssh "$router_user@$router_ip" "/ip ipsec/ identity/ set number=0 secret=$ip_sec_psk1"
    sshpass -p "$router_password" ssh "$router_user@$router_ip" "/ip ipsec/ peer/ set number=0 address=$vpn_ip1"
fi
chmod +x VPN_update.sh
Note: The script can create the tunnels but cannot terminate the old ones. From time to time you have to log in to the OCI Console and terminate the unused old OCI Site-to-Site VPN tunnels, or implement this function in the script.
- Add the script to the crontab if you want to execute it automatically.
crontab -e
Note: Add the frequency and the script path in the last line of the crontab. The following entry runs the script every 15 minutes.
*/15 * * * * YOUR_SCRIPT_PATH/VPN_update.sh
Next time your CPE IP address changes, the OCI tunnel will be recreated with the new IP address and shared secret within a maximum of 15 minutes.
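The note in the script step leaves the termination of old tunnels to the OCI Console. The following Python helper is an added example, not part of this tutorial or of VPN_update.sh: it parses the JSON that oci network ip-sec-connection list prints (the constructed sample below stands in for it; its OCIDs and addresses are placeholders), keeps the connection whose cpe-local-identifier matches the current CPE address, and builds the delete commands for the stale connections and their CPE objects. The --wait-for-state flag on the delete command is an assumption based on the OCI CLI's general delete-command convention; verify it against your CLI version.

```python
"""Remove stale OCI Site-to-Site VPN objects left behind by VPN_update.sh.

Added example, not part of the Oracle tutorial. Without --apply it only prints
the oci commands it would run.
"""
import json
import shlex
import socket
import subprocess
import sys

# Constructed sample (placeholder OCIDs) shaped like the fields this helper reads
# from `oci network ip-sec-connection list --compartment-id ... --all`.
SAMPLE_LIST_OUTPUT = json.dumps({
    "data": [
        {"id": "ocid1.ipsecconnection.oc1..EXAMPLE_OLD",
         "cpe-id": "ocid1.cpe.oc1..EXAMPLE_OLD",
         "cpe-local-identifier": "203.0.113.10",
         "lifecycle-state": "AVAILABLE"},
        {"id": "ocid1.ipsecconnection.oc1..EXAMPLE_CURRENT",
         "cpe-id": "ocid1.cpe.oc1..EXAMPLE_CURRENT",
         "cpe-local-identifier": "203.0.113.22",
         "lifecycle-state": "AVAILABLE"},
        {"id": "ocid1.ipsecconnection.oc1..EXAMPLE_GONE",
         "cpe-id": "ocid1.cpe.oc1..EXAMPLE_GONE",
         "cpe-local-identifier": "198.51.100.5",
         "lifecycle-state": "TERMINATED"},
    ]
})

LIVE_STATES = {"PROVISIONING", "AVAILABLE"}


def connections(list_output: str) -> list[dict]:
    """Parse the CLI JSON; an empty string means the CLI printed nothing (no connections)."""
    return json.loads(list_output)["data"] if list_output.strip() else []


def ip_is_current(list_output: str, current_ip: str) -> bool:
    """The same test VPN_update.sh makes with its JMESPath query and sed:
    is there already a live connection whose CPE identifier equals the current CPE IP?"""
    return any(c["cpe-local-identifier"] == current_ip and c["lifecycle-state"] in LIVE_STATES
               for c in connections(list_output))


def stale_connections(list_output: str, current_ip: str) -> list[dict]:
    """Live connections that still point at a CPE address which is no longer ours."""
    return [c for c in connections(list_output)
            if c["cpe-local-identifier"] != current_ip and c["lifecycle-state"] in LIVE_STATES]


def cleanup_commands(list_output: str, current_ip: str, oci_path: str = "oci") -> list[list[str]]:
    """Build the CLI commands that remove each stale connection and then its CPE.
    The connection goes first because a CPE cannot be deleted while a connection
    references it; --wait-for-state (assumed from the CLI's delete convention) blocks
    until the asynchronous delete has finished."""
    cmds = []
    for c in stale_connections(list_output, current_ip):
        cmds.append([oci_path, "network", "ip-sec-connection", "delete",
                     "--ipsc-id", c["id"], "--force", "--wait-for-state", "TERMINATED"])
        cmds.append([oci_path, "network", "cpe", "delete", "--cpe-id", c["cpe-id"], "--force"])
    return cmds


def run_cleanup(compartment_id: str, dns_cpe: str, oci_path: str = "oci", apply: bool = False) -> int:
    """Resolve the dynamic DNS name, list the compartment's connections and clean up.
    Returns the number of commands built (and run, when apply is True)."""
    current_ip = socket.gethostbyname(dns_cpe)  # same resolution step as the ping/gawk line
    listing = subprocess.run(
        [oci_path, "network", "ip-sec-connection", "list", "--compartment-id", compartment_id, "--all"],
        capture_output=True, text=True, check=True).stdout
    cmds = cleanup_commands(listing, current_ip, oci_path)
    for cmd in cmds:
        print(shlex.join(cmd))
        if apply:
            subprocess.run(cmd, check=True)
    return len(cmds)


if __name__ == "__main__":
    # Usage: python3 cleanup_stale_vpn.py <compartment_ocid> <dynamic_dns_name> [oci_path] [--apply]
    args = [a for a in sys.argv[1:] if a != "--apply"]
    run_cleanup(args[0], args[1], args[2] if len(args) > 2 else "oci", apply="--apply" in sys.argv)
```

Run it from the same cron entry after VPN_update.sh, first without --apply to review the commands it prints. Only connections in a live state are selected, so a connection that is already terminating is left alone, and a listing with no connections yields no commands.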
Related Links
Acknowledgments
- Author - Marco Santucci (EMEA Enterprise Cloud Solution Architect)
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
F96473-01
April 2024