Tutorial: Setting Up a VPN connection With OKS

In this tutorial, you learn how to configure a VPN connection between your client gateway and the network of your OKS project.

You can set up a VPN connection to enable secure communication between these networks, and ensure that their applications are not exposed publicly. For more information, see About VPN Connections.

Configuring a VPN Connection

A VPN connection is a resource that belongs to a project, and is controlled by a cluster-level custom resource.

  • Due to the virtual gateway limitations, you can create up to 5 VPN connections per project.

  • As service discovery is automatic, the VPN connection is discovered and set up in every cluster of the project.

To set up a VPN connection, you need to create a custom object manifest following this structure:

VpnConnection Manifest Sample
apiVersion: oks.dev/v1beta
kind: VpnConnection
metadata:
  name: NAME_OF_VPNC
spec:
  publicIP: 50.60.70.80
  bgpASN: 65500
  staticRoutesOnly: true
  vpnRoutes:
  - 192.168.0.0/16
  clientGatewayConfigurationStorage:
    namespace: VPNC-STORAGE-NAMESPACE
    configMapName: NAME_OF_VPNC-config
    secretName: NAME_OF_VPNC-secret
  vpnOptions:
    tunnelInsideIpRange: 169.254.254.1/30
    phase2Options:
      preSharedKey:
        secretName: NAME_OF_VPNC-secret
        secretNamespace: NAME_OF_VPNC-namespace
        secretKey: PRE_SHARED_KEY

This sample contains the following parameters that you need to specify:

  • publicIP: The public IP of the client gateway. This cannot be changed after creation.

  • bgpASN: The Border Gateway Protocol (BGP) autonomous system number (ASN) of the client gateway. This cannot be changed after creation. If you do not have an ASN, you can choose one between 64512 and 65534, or between 4200000000 and 4294967295.

  • (optional) staticRoutesOnly: Whether the routing is set to static (true | false). By default, false.

  • (optional) vpnRoutes: An array of static routes for the VPN connection, in CIDR notation. Only available if staticRoutesOnly is set to true.

  • (optional) clientGatewayConfigurationStorage: Defines the storage location for the client gateway information and the pre-shared key provided by IaaS.

    • namespace: The namespace for the ConfigMap and Secret objects containing information provided by IaaS. By default, default.

    • configMapName: The name of the ConfigMap for the client gateway configuration. By default, [NAME_OF_VPNC]-config.

    • secretName: The name of the Secret containing the pre-shared key. By default, [NAME_OF_VPNC]-secret.

  • (optional) vpnOptions: Allows you to provide additional parameters for the VPN connection.

    • tunnelInsideIpRange: The IP range used inside the tunnel. This must be a /30 CIDR block within the 169.254.254.0/24 range, and must be different for each tunnel.

    • (optional) phase2Options: Defines the phase 2 parameters.

      • preSharedKey: One or multiple existing pre-shared keys, between 8 and 64 characters. A key must contain only a-z, A-Z, 0-9, and ._ characters, and must not begin with 0.

        Each object must refer to an existing Secret, namespace and key.

        Secret sample
        apiVersion: v1
        # stringData holds the plaintext key; with data, the value must be base64-encoded
        stringData:
          PRE_SHARED_KEY: VPNC_PSK
        kind: Secret
        metadata:
          name: NAME_OF_VPNC-secret
          namespace: default

        • secretName: The name of the existing Secret containing the pre-shared key.

        • secretNamespace: The name of the namespace where the Secret is located.

        • secretKey: The name of the key associated with the pre-shared key in the Secret.
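
As an added example (not part of this page or of the OKS project), the following Python checks a VpnConnection spec against the constraints listed above before it is applied: a public IPv4 publicIP, an integer bgpASN, vpnRoutes only with staticRoutesOnly, a /30 tunnelInsideIpRange inside 169.254.254.0/24, and the pre-shared key format. The spec is the parsed `spec` mapping of the manifest; the sample spec is constructed from the manifest sample.

```python
import ipaddress
import re
from typing import Optional

# Constraints as stated in the VpnConnection parameter descriptions above.
TUNNEL_RANGE = ipaddress.ip_network("169.254.254.0/24")
# Pre-shared key: 8 to 64 characters from a-z, A-Z, 0-9, '.', '_', not beginning with 0.
PSK_RE = re.compile(r"[A-Za-z1-9._][A-Za-z0-9._]{7,63}")


def validate_vpn_connection(spec: dict, psk: Optional[str] = None) -> list:
    """Return the constraint violations found in a VpnConnection spec (empty list means valid)."""
    problems = []
    try:
        ip = ipaddress.ip_address(spec.get("publicIP", ""))
        if ip.version != 4 or not ip.is_global:
            problems.append("publicIP must be a public IPv4 address")
    except ValueError:
        problems.append("publicIP is not a valid IP address")

    asn = spec.get("bgpASN")
    if not isinstance(asn, int) or not 1 <= asn <= 4294967295:
        problems.append("bgpASN must be an integer between 1 and 4294967295")

    routes = spec.get("vpnRoutes", [])
    if routes and spec.get("staticRoutesOnly", False) is not True:
        problems.append("vpnRoutes is only allowed when staticRoutesOnly is true")
    for route in routes:
        try:
            ipaddress.ip_network(route)  # strict: a route must not have host bits set
        except ValueError:
            problems.append(f"vpnRoutes entry {route!r} is not a valid CIDR block")

    inside = spec.get("vpnOptions", {}).get("tunnelInsideIpRange")
    if inside is not None:
        try:
            net = ipaddress.ip_network(inside, strict=False)  # the sample uses 169.254.254.1/30
            if net.prefixlen != 30 or not net.subnet_of(TUNNEL_RANGE):
                problems.append("tunnelInsideIpRange must be a /30 block inside 169.254.254.0/24")
        except ValueError:
            problems.append("tunnelInsideIpRange is not a valid CIDR block")

    if psk is not None and not PSK_RE.fullmatch(psk):
        problems.append("pre-shared key must be 8-64 characters of [A-Za-z0-9._] and not start with 0")
    return problems


# Constructed spec matching the manifest sample above.
SAMPLE_SPEC = {"publicIP": "50.60.70.80", "bgpASN": 65500, "staticRoutesOnly": True,
               "vpnRoutes": ["192.168.0.0/16"], "vpnOptions": {"tunnelInsideIpRange": "169.254.254.1/30"}}
```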

Getting Information About Your VPN Connection

You can get information about your VpnConnection resource using kubectl, in the object status field.

The kubectl get vpnc command allows you to retrieve the VpnConnection status:

Request sample
$ kubectl get vpnc NAME_OF_VPNC \
-o yaml

This command contains the following option that you may need to specify:

  • (optional) output: The output format for the response (json | yaml | wide).

    Using the wide value returns a detailed table output that contains two additional fields: CGW PUBLIC IP and BGP ASN.

Result sample
...
status:
  clientGatewayId: cgw-de3cb41f
  clientGatewayState: available
  storage:
    configMapName: NAME_OF_VPNC-config
    namespace: default
    secretName: NAME_OF_VPNC-secret
  vgwTelemetries:
    - AcceptedRouteCount: 0
      LastStateChangeDate: "2025-07-29T08:08:16.078Z"
      OutsideIpAddress: 142.44.57.51
      State: DOWN
      StateDescription: IPSEC IS DOWN
  virtualGatewayId: vgw-c3ee9e3f
  virtualGatewayLinkState: attached
  virtualGatewayState: available
  vpnConnectionId: vpn-e2f2c082
  vpnConnectionState: available

The kubectl get vpnc command returns the following elements:

  • clientGatewayId: The ID of the client gateway used for VPN connection.

  • clientGatewayState: The state of the client gateway used for VPN connection.

  • storage: The location of the configuration and pre-shared key.

    • configMapName: The name of the ConfigMap containing the configuration.

    • secretName: The name of the Secret containing the pre-shared key.

    • namespace: The namespace containing the ConfigMap and the secret objects.

  • vgwTelemetries: An array of tunnel status details.

    • AcceptedRouteCount: The number of accepted routes.

    • LastStateChangeDate: The date on which the state was last changed.

    • OutsideIpAddress: The public IP of the virtual gateway.

    • State: The state of the tunnel.

    • StateDescription: The description of the current state.

  • virtualGatewayId: The ID of the virtual gateway.

  • virtualGatewayLinkState: The state of the virtual gateway link.

  • virtualGatewayState: The state of the virtual gateway.

  • vpnConnectionId: The ID of the VPN connection.

  • vpnConnectionState: The state of the connection.

Configuring Your VPN Encryption

Getting Your Client Gateway Configuration

The client gateway configuration is stored in the ConfigMap of the VPN connection, in the CGW_CONFIGURATION_JSON data field.

The kubectl get configmap command allows you to retrieve the configmap:

Request sample
$ kubectl get configmap NAME_OF_VPNC-config \
-n default \
-o yaml | yq -r '.data.CGW_CONFIGURATION_JSON' | jq

This command returns the client gateway configuration as JSON, containing the following information:

Client Gateway Configuration Sample
{
  "ClientGatewayId": "cgw-de3cb41f",
  "ConnectionType": "ipsec.1",
  "Tunnels": [
    {
      "ClientGateway": {
        "Bgp": {
          "Asn": 65500,
          "HoldTime": 30
        },
        "TunnelInside": {
          "IpRange": "169.254.254.2/30"
        },
        "TunnelOutside": {
          "IpAddress": "50.60.70.80"
        }
      },
      "Ike": {
        "AuthenticationProtocole": "SHA2_256_128 HMAC",
        "EncryptionProtocol": "256-bit AES-CBC",
        "Lifetime": 28800,
        "Mode": "main",
        "PerfectForwardSecrecyGroup": 16
      },
      "Ipsec": {
        "AuthenticationProtocol": "SHA2_256_128 HMAC",
        "ClearDfBit": true,
        "DeadPeerDetection": {
          "Interval": 30,
          "Retries": 3
        },
        "EncryptionProtocol": "256-bit AES-CBC",
        "FragmentationBeforeEncryption": true,
        "Lifetime": 3600,
        "Mode": "tunnel",
        "PerfectForwardSecercyGroup": 16,
        "Protocol": "esp",
        "TcpMssAdjustment": 1387
      },
      "VirtualGateway": {
        "Bgp": {
          "Asn": 50624,
          "HoldTime": 30
        },
        "TunnelInside": {
          "IpRange": "169.254.254.1/30"
        },
        "TunnelOutside": {
          "IpAddress": "142.44.57.51"
        }
      }
    }
  ],
  "VirtualGatewayId": "vgw-c3ee9e3f"
}

Use Case: Connecting Your VPN to External Resources Using StrongSwan

You can use your client gateway configuration to configure a VPN connection using StrongSwan. For more information, see the StrongSwan documentation.

/etc/ipsec.conf File Sample
config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn oks-tunnel
    type=tunnel
    auto=start
    keyexchange=ikev1
    authby=secret
    left=%defaultroute
    # leftid contains client gateway public IP - provided by the user
    leftid=50.60.70.80
    # leftsubnet contains client gateway subnet
    leftsubnet=192.168.0.0/16
    # right contains virtual gateway public IP - provided by OKS
    right=142.44.57.51
    # rightsubnet contains OKS project CIDR - can be retrieved via OKS CLI: https://docs.outscale.com/en/userguide/Getting-Information-About-a-Specific-Project.html
    rightsubnet=10.50.0.0/16
    ike=aes256-sha256-modp4096!
    ikelifetime=28800s
    esp=aes256-sha256-modp4096!
    lifetime=3600s
    margintime=9m
    keyingtries=%forever
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart

/etc/ipsec.secrets File Sample
50.60.70.80 142.44.57.51 : PSK "VPNC_PSK"
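
As an added example (not part of this page or of the OKS project), the following Python renders the ipsec.conf and ipsec.secrets files shown above from the client gateway configuration JSON. The left and right subnets and the pre-shared key are passed in, since they are not part of that JSON; the algorithm-name mapping is an assumption that covers only the values shown on this page, and the DPD timeout formula is assumed to reproduce the 120s of the sample.

```python
import json

# Algorithm names in the client gateway configuration JSON mapped to strongSwan proposal
# tokens. Assumption: only the values shown on this page are covered.
CIPHERS = {"256-bit AES-CBC": "aes256", "128-bit AES-CBC": "aes128"}
INTEGRITY = {"SHA2_256_128 HMAC": "sha256", "SHA1 HMAC": "sha1"}
DH_GROUPS = {2: "modp1024", 14: "modp2048", 16: "modp4096"}  # IANA group number -> strongSwan name


def proposal(section: dict) -> str:
    """Build a proposal such as 'aes256-sha256-modp4096!' from an Ike or Ipsec section."""
    # The sample above spells these two keys differently in Ike and Ipsec, so accept both.
    auth = section.get("AuthenticationProtocol", section.get("AuthenticationProtocole"))
    group = section.get("PerfectForwardSecrecyGroup", section.get("PerfectForwardSecercyGroup"))
    return f"{CIPHERS[section['EncryptionProtocol']]}-{INTEGRITY[auth]}-{DH_GROUPS[group]}!"


def render_strongswan(cgw_json: str, left_subnet: str, right_subnet: str, psk: str) -> tuple:
    """Return (ipsec.conf, ipsec.secrets) text for the first tunnel of the configuration."""
    cfg = json.loads(cgw_json)
    tunnel = cfg["Tunnels"][0]
    ike, ipsec = tunnel["Ike"], tunnel["Ipsec"]
    dpd = ipsec["DeadPeerDetection"]
    left = tunnel["ClientGateway"]["TunnelOutside"]["IpAddress"]    # client gateway public IP
    right = tunnel["VirtualGateway"]["TunnelOutside"]["IpAddress"]  # virtual gateway public IP
    keyexchange = "ikev1" if cfg["ConnectionType"] == "ipsec.1" else "ikev2"
    # Assumed mapping: give up after Retries missed probes, i.e. (Retries + 1) intervals (120s above).
    dpd_timeout = dpd["Interval"] * (dpd["Retries"] + 1)
    conf = (
        "config setup\n    uniqueids=yes\n    strictcrlpolicy=no\n\n"
        f"conn oks-tunnel\n    type={ipsec['Mode']}\n    auto=start\n    keyexchange={keyexchange}\n"
        f"    authby=secret\n    left=%defaultroute\n    leftid={left}\n    leftsubnet={left_subnet}\n"
        f"    right={right}\n    rightsubnet={right_subnet}\n"
        f"    ike={proposal(ike)}\n    ikelifetime={ike['Lifetime']}s\n"
        f"    esp={proposal(ipsec)}\n    lifetime={ipsec['Lifetime']}s\n    keyingtries=%forever\n"
        f"    dpddelay={dpd['Interval']}s\n    dpdtimeout={dpd_timeout}s\n    dpdaction=restart\n"
    )
    secrets = f'{left} {right} : PSK "{psk}"\n'
    return conf, secrets


# Constructed input with only the fields used, carrying the values from the sample above.
SAMPLE_CGW_JSON = json.dumps({"ConnectionType": "ipsec.1", "Tunnels": [{
    "ClientGateway": {"TunnelOutside": {"IpAddress": "50.60.70.80"}},
    "Ike": {"AuthenticationProtocole": "SHA2_256_128 HMAC", "EncryptionProtocol": "256-bit AES-CBC",
            "Lifetime": 28800, "Mode": "main", "PerfectForwardSecrecyGroup": 16},
    "Ipsec": {"AuthenticationProtocol": "SHA2_256_128 HMAC", "EncryptionProtocol": "256-bit AES-CBC",
              "DeadPeerDetection": {"Interval": 30, "Retries": 3}, "Lifetime": 3600, "Mode": "tunnel",
              "PerfectForwardSecercyGroup": 16},
    "VirtualGateway": {"TunnelOutside": {"IpAddress": "142.44.57.51"}}}]})
```

Write the two returned strings to /etc/ipsec.conf and /etc/ipsec.secrets (the latter readable by root only, since it holds the PSK) and reload strongSwan.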

Deleting a VPN Connection

To delete a VPN connection, you need to delete the corresponding object in any of the project’s clusters. Otherwise, the VPN connection is only deleted upon project deletion.

When deleting a VpnConnection resource, its automatically created ConfigMap and Secrets are also deleted.

The kubectl delete vpnc command allows you to delete your VPN connection:

Request sample
$ kubectl delete vpnc NAME_OF_VPNC

Your VPN connection is deleted when the following message is returned:

Result sample
vpnconnection.oks.dev "NAME_OF_VPNC" deleted
