I have been searching for any updates to this, but everything I have found so far is years old. Can we do a site-to-site OpenVPN between networks with the new private networking updates? Or does the system still filter out packets from foreign networks?

With the number of droplets I create and destroy, it would be nice to just have one VPN server between my local network and my DO private network that they can communicate back and forth with.

Thanks.

2 answers

Hi @knightcrusader ,

I understand what you mean; most of the tutorials and documents are still usable, however. Have you taken a look at the tinc daemon to set up this connection?
https://www.digitalocean.com/community/tutorials/how-to-install-tinc-and-set-up-a-basic-vpn-on-ubuntu-14-04

by Mitchell Anicas
In this tutorial, we will go over how to use Tinc, an open source Virtual Private Network (VPN) daemon, to create a secure VPN that your servers can communicate on as if they were on a local network. We will also demonstrate how to use Tinc to set up a secure tunnel into a private network. We will be using Ubuntu 14.04 servers, but the configurations can be adapted for use with any other OS.
  • Yes, I read that, but that doesn’t change anything for what I need. Right now I have a VPN connection for each droplet I create, I just want to eliminate that extra annoying step.

    I just want to be able to create a droplet and have it reach the other side of the vpn network without having to go through the trouble of having to set up each one individually.

    I was hoping with the new VPC update that maybe that limitation was relaxed. There should be a way to add trusted networks to the VPC for situations like this, or better yet, set up a VPN connection to the VPC right from the interface, even if it does cost extra a month, I’d pay for it.

Hi @knightcrusader,

I have recently (and successfully) configured a VPN connection between my DO droplets and my home office (with OpenVPN). I do not know if it is a result of any changes made by DO on VPC, because I have never configured a VPN with DO before. Take a look at my configuration, please. I guess your configuration might be similar.

 ------------------                          ------------------
|   DO Droplet 1   |     10.8.0.0/24        |   Home Office    |
|    (CentOS 8)    |_________VPN_______     |   ISP's router   |
| Internet gateway |-------------------\----| Internet gateway |
|    VPN Server    |          |         \    ------------------
| Front-end Server |          |          \____  |
 ------------------        Internet           | |LAN 192.168.0.0/24
          |                                   | |------------
          |VPC                                | |            |
          |10.106.0.0/20                     -------------   | 
          |                                 |     PC 1    |  |
 -----------------                          | VPN Client/ |  |
|  DO Droplet 2   |                         | VPN Gateway |  |
|  (Ubuntu 20.4)  |                         |  (CentOS 7) |  |
|   VPN Access    |                          -------------   |
 -----------------                                           |
                                             -------------   |
                                            |     PC 2    |  |
                                            |  VPN Access |--
                                            | (Windows 10)|
                                             -------------

I can reach both droplets from my home office, and both PCs from the droplets.

In configuring the VPN connection, I generally based it on DO's doc:
https://www.digitalocean.com/docs/networking/vpc/resources/droplet-as-gateway/

and OpenVPN community How To:
https://community.openvpn.net/openvpn/wiki/HOWTO

I put some tips below which can be useful when setting the VPN up.

1. If you use the DO cloud firewall, you need to add an inbound rule to access a particular service available in the VPC (behind the VPN server); e.g. to get/send echo from/to the DO VPC you need to add the following rule

Type    Protocol    Port Range     Sources
ICMP    ICMP                       10.106.0.0/20
                                   10.8.0.0/24
                                   192.168.0.0/24

2. Check the firewall settings on each node of the VPN network. If necessary, add/modify rules to get access to the needed services through the VPN network. Just for testing, you can disable the firewalls temporarily.

3. Add static routes, if necessary. I did it because there were different network devices for Internet and VPN access in my home office network. I had to do that directly on PC 2 because it was not possible to add the routes and propagate them with my home office router (it is the ISP's router, and I have access to its basic GUI only). I added static routes for destinations 10.106.0.0/20 and 10.8.0.0/24.

In case of any questions, do not hesitate, ask them here :)

  • So you can ping each device on both ends with their local IP addresses without a problem? The old documents said this was not possible, so if you can, my hunch that they changed the way private networking works is correct. I will have to create a small cloud of droplets to try it out.

    • @knightcrusader wrote
      So you can ping each device on both ends with their local IP addresses without a problem?
      

      Yes, exactly. I can ping every PC/droplet from anywhere inside the VPN network, using their local IP addresses. To achieve that, the firewalls' settings and static routes (in my configuration) were essential.

  • I was able to get it to work. Thanks for the help!
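The answer above gives the topology and three tips but not the OpenVPN directives that make it site-to-site rather than one client per host. The script below is an added example, not the poster's configuration or DigitalOcean's: it generates the server-side pieces for that exact layout (tunnel 10.8.0.0/24, DO VPC 10.106.0.0/20, home LAN 192.168.0.0/24, taken from the answer) plus the forwarding and static-route commands from tips 2 and 3. The client CN `homeoffice`, the gateway addresses 10.106.0.2 (Droplet 1 on the VPC) and 192.168.0.10 (PC 1 on the LAN), the file paths, and the assumption that Droplet 2 uses Droplet 1 as its gateway per the droplet-as-gateway doc are all mine, not from the page.

```shell
#!/bin/sh
# Added example (not from the post above): server.conf, ccd entry, forwarding
# and static routes for the site-to-site layout in the answer's diagram.
# Subnets are the answer's; CN, gateway IPs and paths are assumptions.
set -eu

TUN_NET=10.8.0.0;     TUN_BITS=24     # OpenVPN tunnel (from the answer)
VPC_NET=10.106.0.0;   VPC_BITS=20     # DO VPC (from the answer)
LAN_NET=192.168.0.0;  LAN_BITS=24     # home LAN (from the answer)
SITE_CN=homeoffice                    # CN in PC 1's client cert (assumed)
DROPLET1_VPC_IP=10.106.0.2            # Droplet 1's VPC address (assumed)
PC1_LAN_IP=192.168.0.10               # PC 1's LAN address (assumed)

# OpenVPN's route/iroute directives take dotted masks, not /prefixes.
cidr_to_mask() {
    bits=$1
    mask=$(( 4294967295 ^ ((1 << (32 - bits)) - 1) ))
    printf '%d.%d.%d.%d\n' $(( (mask >> 24) & 255 )) $(( (mask >> 16) & 255 )) \
                           $(( (mask >> 8) & 255 ))  $(( mask & 255 ))
}

# Droplet 1 (server). Three directives turn a road-warrior server into a
# site-to-site one: a kernel "route" sending the home LAN into tun0, a
# client-config-dir whose iroute says WHICH connected client owns that LAN,
# and pushed routes so the other clients learn about the VPC and the LAN.
# tls-crypt assumes every client carries the same ta.key.
server_conf() {
    cat <<EOF
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
tls-crypt /etc/openvpn/ta.key
topology subnet
server $TUN_NET $(cidr_to_mask "$TUN_BITS")
route $LAN_NET $(cidr_to_mask "$LAN_BITS")
client-config-dir /etc/openvpn/ccd
push "route $VPC_NET $(cidr_to_mask "$VPC_BITS")"
push "route $LAN_NET $(cidr_to_mask "$LAN_BITS")"
client-to-client
keepalive 10 120
persist-key
persist-tun
EOF
}

# /etc/openvpn/ccd/$SITE_CN. Without the iroute the kernel route delivers LAN
# packets into tun0 and OpenVPN drops them, having no client to hand them to.
ccd_entry() {
    echo "iroute $LAN_NET $(cidr_to_mask "$LAN_BITS")"
}

# Both Linux gateways (Droplet 1, PC 1) must forward, or traffic for the far
# side dies at the tunnel endpoint even though the tunnel itself is up.
# firewalld commands match the CentOS hosts in the diagram.
forwarding_cmds() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
firewall-cmd --permanent --add-service=openvpn
firewall-cmd --permanent --zone=trusted --add-interface=tun0
firewall-cmd --reload
EOF
}

# Tip 3: hosts that are not VPN clients need return routes via their local
# gateway. Droplet 2 (Linux) via Droplet 1's VPC IP; PC 2 (Windows) via PC 1.
static_routes_droplet2() {
    printf 'ip route add %s/%s via %s\n' "$TUN_NET" "$TUN_BITS" "$DROPLET1_VPC_IP"
    printf 'ip route add %s/%s via %s\n' "$LAN_NET" "$LAN_BITS" "$DROPLET1_VPC_IP"
}
static_routes_pc2_windows() {
    printf 'route -p add %s mask %s %s\n' "$VPC_NET" "$(cidr_to_mask "$VPC_BITS")" "$PC1_LAN_IP"
    printf 'route -p add %s mask %s %s\n' "$TUN_NET" "$(cidr_to_mask "$TUN_BITS")" "$PC1_LAN_IP"
}

if [ "${1:-}" = "--print" ]; then
    echo "## server.conf";    server_conf
    echo "## ccd/$SITE_CN";   ccd_entry
    echo "## gateways";       forwarding_cmds
    echo "## Droplet 2";      static_routes_droplet2
    echo "## PC 2 (Windows)"; static_routes_pc2_windows
fi
```

Run it with `--print` to see all five fragments. The ccd file name must equal the CN in PC 1's certificate, which is why the whole site depends on that one host keeping its key private: whoever holds it is the home LAN as far as the server is concerned. No NAT is needed in this design because every node has a route back; if you cannot add routes on some host (the ISP router case in tip 3), masquerading on the gateway is the fallback.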
