Can I set up a VPN between my droplets in digital ocean and my LAN?

Posted May 24, 2016 14.8k views


3 answers

And if so - can someone point me how to do this? These would be CentOS droplets.

Try here:

A point to note - I’m running OpenVPN on a Ubuntu droplet, and I’ve discovered that other droplets cannot route directly to VPN clients using your OpenVPN droplet’s Private IP as a gateway - DO has security in place preventing your Private IP from reaching anything apart from other Private IPs. You would need to have an additional VPN connection from your other servers into your VPN server, and allow client-to-client communication if this is a requirement.

  • Thanks! Sorry if I am a little dense here… I’m not quite sure how VPN on a server works… I’ve only really done site-to-site VPN where I set up the VPN on the firewalls at each site and then I can reach the local subnets as if they were all in one location. Is there not a way to set up a VPN between my firewall and my DO account and thus all droplets in my account? Or would I have to set up VPN software on each server, and set up a new VPN on my firewall for each droplet?

    BTW - in the articles I see mention of “OpenVPN Server” and “OpenVPN Access Server”… what’s the difference there?

  • Actually also… now that I think about it… What about firewall control? Is my only option to configure firewalls on each server? What I’d really like is a cloud hosting provider where I can make VMs easily, have them all be on a private network in the cloud, and have control of an effective firewall that #1 I can set up a site-to-site VPN between my firewall and it, and #2 I can easily control in one place traffic policies for my cloud LAN just like I do on my firewall for my local LAN.

    Or am I thinking about this all wrong? Perhaps I want that just because that’s what I am used to but really I should be going some other direction. :-)

    • The way I do it is this:

      I have a single, 512MB Ubuntu droplet which acts as an OpenVPN “gateway” Server. Any traffic between my home network and my droplets goes via this server. I personally have a dedicated VM acting as an OpenVPN client, but there’s no reason why you can’t do this with a router which has this functionality.

      What this does is allows everything on my home network to reach all my droplets using their Private IPs. The only limitation I have found is what I describe above - DO droplets can’t initiate a connection over their Private interface to any RFC1918 IP which doesn’t belong to one of your droplets, even if the route is configured so that the gateway IS one of your droplets. For example, my Exchange server at home can send outbound mail via my Postfix droplet without any problems, but Postfix can’t reach the Exchange server to route inbound mail to it.

      There are two ways to deal with that - configure all your droplets as OpenVPN clients so everything connects to your one “gateway” server, and allow client-to-client connections in your OpenVPN configuration; or use NAT on your OpenVPN server to route traffic back to your local network. I’ve opted for the latter approach because I don’t want to install any additional software on my other droplets. In the example above, that means that my Postfix droplet sends inbound mail directly to my OpenVPN server, and I have Nginx on the OpenVPN server to relay port 25 traffic back to my Exchange server.

      Hope this helps.
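As an added example (not code from this thread, from DigitalOcean, or from the OpenVPN project), here is the gateway layout the reply above describes, written as a POSIX shell dry-run script that generates the OpenVPN server directives and the firewall/NAT rules for review. It covers both options the reply mentions: the `client-to-client` directive for the all-droplets-as-clients approach, and NAT on the gateway for the keep-other-droplets-untouched approach, with a DNAT rule for port 25 standing in for the Nginx relay. Every address (192.168.1.0/24 home LAN, 10.132.0.0/16 droplet private range, 10.8.0.0/24 tunnel, 192.168.1.25 Exchange host), the interface names eth1/tun0, and the file paths are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: the "NAT on the OpenVPN gateway"
# layout the reply above describes, written as a dry-run generator so the
# rules can be reviewed before anything is applied. Every address, interface
# and file path below is a constructed placeholder; replace with your own.
HOME_LAN="192.168.1.0/24"      # LAN behind the home firewall (OpenVPN client side)
HOME_NET="192.168.1.0"         # same network, as OpenVPN wants it (network + mask)
HOME_MASK="255.255.255.0"
DO_PRIVATE="10.132.0.0/16"     # droplet private network; check your own region's range
DO_NET="10.132.0.0"
DO_MASK="255.255.0.0"
VPN_NET="10.8.0.0"             # OpenVPN tunnel subnet handed out to clients
VPN_MASK="255.255.255.0"
PRIV_IF="eth1"                 # gateway droplet's private-network interface
TUN_IF="tun0"
EXCHANGE="192.168.1.25"        # mail server at home that the Postfix droplet must reach

# server.conf fragment for the gateway droplet. The home router/VM connects
# as a client; the server needs both a kernel route for HOME_LAN into the
# tunnel and an iroute (below) so OpenVPN knows which client owns it.
openvpn_server_conf() {
  cat <<EOF
server ${VPN_NET} ${VPN_MASK}
route ${HOME_NET} ${HOME_MASK}
client-config-dir /etc/openvpn/ccd
push "route ${DO_NET} ${DO_MASK}"
# Option 1 from the reply: make every droplet a client and uncomment this
#client-to-client
EOF
}

# /etc/openvpn/ccd/<home-client-name>: binds HOME_LAN to that client.
openvpn_ccd_entry() {
  printf 'iroute %s %s\n' "${HOME_NET}" "${HOME_MASK}"
}

# Option 2 from the reply: leave the other droplets untouched and NAT on
# the gateway. Two directions:
#  * home -> droplets: source-NAT HOME_LAN behind the gateway's private IP,
#    so droplets reply to a droplet address rather than to an RFC1918
#    address the platform will not forward for them (the limitation noted).
#  * droplets -> home: Postfix sends inbound mail to the gateway's private
#    IP on :25, which is DNATed through the tunnel to EXCHANGE (the iptables
#    equivalent of the Nginx relay in the reply). Replies rely on the home
#    network routing DO_PRIVATE back to the OpenVPN client.
# Everything else is dropped by the FORWARD policy.
nat_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s ${HOME_LAN} -o ${PRIV_IF} -j MASQUERADE
iptables -t nat -A PREROUTING -i ${PRIV_IF} -s ${DO_PRIVATE} -p tcp --dport 25 -j DNAT --to-destination ${EXCHANGE}:25
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${TUN_IF} -o ${PRIV_IF} -s ${HOME_LAN} -d ${DO_PRIVATE} -j ACCEPT
iptables -A FORWARD -i ${PRIV_IF} -o ${TUN_IF} -s ${DO_PRIVATE} -d ${EXCHANGE} -p tcp --dport 25 -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Only apply when asked for explicitly and running as root; otherwise
# print the generated files and rules for review.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" = "0" ]; then
  mkdir -p /etc/openvpn/ccd
  openvpn_server_conf >/etc/openvpn/server.conf.fragment
  openvpn_ccd_entry   >/etc/openvpn/ccd/home-client
  nat_rules | sh -e
else
  echo "# --- server.conf fragment ---";        openvpn_server_conf
  echo "# --- ccd/home-client ---";             openvpn_ccd_entry
  echo "# --- firewall/NAT rules (dry run) ---"; nat_rules
fi
```

Run it with no arguments to print what it would configure; run `sh gateway.sh apply` as root on the gateway droplet to write the OpenVPN files and load the rules. The `ccd/home-client` file name must match the common name in the home client's certificate, and the home network still needs a static route for the droplet private range pointing at the OpenVPN client, or the replies in the droplet-to-home direction will not find their way back.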