VPN Access Server service

Does OCI provide a VPN-AS as a service? I see the site-to-site. I’ve built OpenVPN AS.

I’ve been told there is a new access server like there is on EVERY other cloud. Have I just not found it?

Were you told publicly, e.g., pointed to an OCI doc or blog article? If privately, was it an OCI staffer? OpenVPN AS will provide what you want; yes, you use a VM and need an AS license if you exceed the free limit, rather than having a service provided by the cloud that’s seemingly but not actually free.

With the new VCN gateway ingress routing enhancements (https://blogs.oracle.com/cloud-infrastructure/post/oci-intra-vcn-routing-and-vcn-gateway-ingress-routing-enhancements) it should be fairly simple to set up a custom VPN install on always-free compute and route traffic through it in whatever pattern you wish.

Have set up s2s with IPSec and with WireGuard from on-prem to OCI, remote-access OpenVPN and WG on-prem, and remote-access WireGuard in OCI…

Spend a bit of time learning how to do WG and don’t look back at OpenVPN. The throughput performance gains and reduction in CPU overhead are a huge win that can offset the manual configuration and maintenance burden for onboarding remote-access peers.

That said, I just can’t recommend injecting a 3rd-party like Tailscale into the net/opsec landscape, even with rotating keys. Keep it safe, keep it to yourself.

I have a couple of guys I chat with that talk smack about any cloud…other than AWS. That’s my source of truth/BS. Actually, I dive here and the documents whenever they call out OCI.

u/u8dcN7vx, I re-read your comment. Perhaps you should do the same with mine.

My guys were giving me shit about needing to set up OpenVPN on OCI. They asserted that other clouds had that as a service, already.

After your comment, I checked for myself and think I understand that:

  • both AWS and Azure have VPN services for remote client connections that appear to save the setup of the VPN AS. Good. It’s a simple task, but OCI doesn’t (it would be nice to have a Terraform script wrapped in Resource Manager beneath a “Deploy to OCI” button)
  • Google has something (I need a month to understand it)
  • Azure VPN Gateway Point-to-Site (P2S) client seems to be OpenVPN rebranded
  • AWS Client VPN is available for download and is OpenVPN, also.

So, OpenVPN appears to have cornered simple remote connections. My buddies’ assertion that EVERY CSP has this is BS. Besides, even if they did, it would just be an OpenVPN installation.

Thanks! I’ve not done WG, BUT I’ll give it a try.

I have built an IPSec tunnel between AWS & OCI.

So. I can put a route table on

  • VCN,
  • subnet,
  • DRG, plus the new items:
  • intra-VCN,
  • IGW,
  • NAT, and
  • SGW

How does this help me encrypt traffic between home and my free-instance?

Yes, so far as I know it would indeed be OpenVPN AS whether you see it because you installed, configured, and manage it, or whether because you activated the service and indirectly manage (only) its use. Sometimes I like that a cloud deals with service details (mostly scale-out related) which is a major reason to spend on cloud, but sometimes I don’t which is usually because I know what they’re using has a capability but the cloud doesn’t expose it or does but poorly.

OCI Cloud Marketplace has an OpenVPN AS stack ready to deploy using BYOL, though I haven’t used it myself; see https://cloudmarketplace.oracle.com/marketplace/listing/67830324. BYOL = 2 connections are free, thereafter it’s between $12 and $1 per connection per year depending on commitment.