Can I set up a VPN between my droplets in digital ocean and my LAN?

Question

Answer 1

gparent May 24, 2016

[deleted]

Reply Report

Answer 2

talonx May 24, 2016

And if so - can someone point me how to do this? These would be CentOS droplets.

Reply Report

Answer 3

timboswell May 25, 2016

Try here: https://www.digitalocean.com/community/tags/vpn?type=tutorials

A point to note - I’m running OpenVPN on a Ubuntu droplet, and I’ve discovered that other droplets cannot route directly to VPN clients using your OpenVPN droplet’s Private IP as a gateway - DO has security in place preventing your Private IP from reaching anything apart from other Private IPs. You would need to have an additional VPN connection from your other servers into your VPN server, and allow client-to-client communication if this is a requirement.

Reply Report

talonx May 25, 2016

Thanks! Sorry if I am a little dense here… I’m not quite sure how VPN on a server works.... I’ve only really done site to site VPN where I set up the VPN on the firewalls at each site and then I can reach the local subnets as if they were all in one location. Is there not a way to set up a VPN between my firewall and my DO account and thus all droplets in my account? Or would I have to set up VPN software on each server, and set up a new VPN on my firewall for each droplet?

BTW - in the articles I see mention of “OpenVPN Server” and “OpenVPN Access Server”… whats the difference there?
Reply Report
talonx May 25, 2016

Actually also… now that I think about it… What about firewall control? Is my only option to configure firewalls on each server? What I’d really like is a cloud hosting provider where I can make VM’s easily, have them all be on a private network in the cloud, and have control of an effective firewall that #1 I can set up a site to site VPN between my firewall and it. and #2 I can easily control in one place traffic policies for my cloud LAN just like I do on my firewall for my local LAN.

Or am I thinking about this all wrong? Perhaps I want that just because that’s what I am used to but really I should be going some other direction. :-)
Reply Report
- timboswell May 26, 2016
  
  The way I do it is this:
  
  I have a single, 512MB Ubuntu droplet which acts as an OpenVPN “gateway” Server. Any traffic between my home network and my droplets goes via this server. I personally have a dedicated VM acting as an OpenVPN client, but there’s no reason why you can’t do this with a router which has this functionality.
  
  What this does is allows everything on my home network to reach all my droplets using their Private IPs. The only limitation I have found is what I describe above - DO droplets can’t initiate a connection over their Private interface to any RFC1918 IP which doesn’t belong to one of your droplets, even if the route is configured so that the gateway IS one of your droplets. For example, my Exchange server at home can send outbound mail via my Postfix droplet without any problems, but Postfix can’t reach the Exchange server to route inbound mail to it.
  
  There are two ways to deal with that - configure all your droplets as OpenVPN clients so everything connects to your one “gateway” server, and allow client-to-client connections in your OpenVPN configuration; or use NAT on your OpenVPN server to route traffic back to your local network. I’ve opted for the latter approach because I don’t want to install any additional software on my other droplets. In the example above, that means that my Postfix droplet sends inbound mail directly to my OpenVPN server, and I have Nginx on the OpenVPN server to relay port 25 traffic back to my Exchange server.
  
  Hope this helps.
  
  Reply Report
  
  talonx May 26, 2016
  
  Thanks much! :-)
  
  Reply Report

Answer 4

talonx May 25, 2016

Thanks! Sorry if I am a little dense here… I’m not quite sure how VPN on a server works.... I’ve only really done site to site VPN where I set up the VPN on the firewalls at each site and then I can reach the local subnets as if they were all in one location. Is there not a way to set up a VPN between my firewall and my DO account and thus all droplets in my account? Or would I have to set up VPN software on each server, and set up a new VPN on my firewall for each droplet?

BTW - in the articles I see mention of “OpenVPN Server” and “OpenVPN Access Server”… whats the difference there?
Reply Report
talonx May 25, 2016

Actually also… now that I think about it… What about firewall control? Is my only option to configure firewalls on each server? What I’d really like is a cloud hosting provider where I can make VM’s easily, have them all be on a private network in the cloud, and have control of an effective firewall that #1 I can set up a site to site VPN between my firewall and it. and #2 I can easily control in one place traffic policies for my cloud LAN just like I do on my firewall for my local LAN.

Or am I thinking about this all wrong? Perhaps I want that just because that’s what I am used to but really I should be going some other direction. :-)
Reply Report
- timboswell May 26, 2016
  
  The way I do it is this:
  
  I have a single, 512MB Ubuntu droplet which acts as an OpenVPN “gateway” Server. Any traffic between my home network and my droplets goes via this server. I personally have a dedicated VM acting as an OpenVPN client, but there’s no reason why you can’t do this with a router which has this functionality.
  
  What this does is allows everything on my home network to reach all my droplets using their Private IPs. The only limitation I have found is what I describe above - DO droplets can’t initiate a connection over their Private interface to any RFC1918 IP which doesn’t belong to one of your droplets, even if the route is configured so that the gateway IS one of your droplets. For example, my Exchange server at home can send outbound mail via my Postfix droplet without any problems, but Postfix can’t reach the Exchange server to route inbound mail to it.
  
  There are two ways to deal with that - configure all your droplets as OpenVPN clients so everything connects to your one “gateway” server, and allow client-to-client connections in your OpenVPN configuration; or use NAT on your OpenVPN server to route traffic back to your local network. I’ve opted for the latter approach because I don’t want to install any additional software on my other droplets. In the example above, that means that my Postfix droplet sends inbound mail directly to my OpenVPN server, and I have Nginx on the OpenVPN server to relay port 25 traffic back to my Exchange server.
  
  Hope this helps.
  
  Reply Report
  
  talonx May 26, 2016
  
  Thanks much! :-)
  
  Reply Report

Related

Question

Can I set up a VPN between my droplets in digital ocean and my LAN?

Related

Leave a comment

Looking for something else?

Sign up for our newsletter

Related

Question

Can I set up a VPN between my droplets in digital ocean and my LAN?

Related

Leave a comment

Related

question

How can I use a droplet with a VPN router? Linksys3200ACM

question

How much is a vpn server going to cost using a droplet having it on permentantly.

question

I want to setup an openvpn server on my DO droplet but a little confused on needing two machines

question

Would it be safe to...

Looking for something else?