Adding a Network | OpenVPN Cloud

Networks can contain the resources to serve private applications (for example, web servers). They can also provide access to internet Applications (e.g. public websites and SaaS apps). These Applications can be addressed using domain names or IP addresses.

If these Applications are to be accessible via the WPC, either an Application or Route must be configured for that Network. 

An application that must be accessible by IP address requires a Route. To define granular access control for the services reachable within the IP subnets configured in a Route, configure an IP Service.

The Add Network configuration starts with an intention-based configuration wizard that can be skipped to continue with the form-based Network configuration.

It is recommended that you use the Wizard for the following reasons:

  • Configuration steps are tailored based on your intention(s) behind connecting your network to OpenVPN Cloud so that no needed configuration is missed
  • Collection of information and sequencing of actions is done in a logical progression making it easier to understand and get your network connected
  • Connector installation and testing is integrated as one of the steps
  • Additional steps outside of network configuration are also included to ensure proper setup

Add A Network Using Wizard

To configure a Network using the setup wizard, follow the procedures below:

Sign in to the OpenVPN Cloud administration portal at https://cloud.openvpn.com.

  1. Navigate to Networks.
  2. Click Add Network. You may click Skip Wizard and Add A Network Using Form-based Configuration.
  3. Select one or multiple scenarios:

Remote Access – Connect your private resources to OpenVPN Cloud. Provide remote access to your resources networked on an IaaS cloud and to your on-premises resources.

Site-to-Site – Connect multiple private networks to OpenVPN Cloud (site-to-site connectivity). This wizard will assist you in adding a single network. Repeatedly use this wizard to connect all your networks.

Secure Internet Access – Provide secure access to public resources. Use this network as an Internet Gateway for all Internet traffic or only for selected public resources. You can then apply whitelisting rules on your public resources.

Define Network Details

  1. Enter a Network Name.
  2. (Optional) Enter a Description.

Note: The Wizard sets up only one Network. For additional Networks, you will need to perform the Add Network task once for every site.

Add Connector

A Connector is an unattended device that provides constant connectivity to OpenVPN Cloud. You can create multiple network Connectors for high availability and load balancing. It is recommended that you choose the region closest to the location where your Connector will be deployed.

  1. Enter a Name to identify the Connector.
  2. Select the Region closest to your Network. Note: The default Region is automatically selected.
  3. (Optional) Enter a Description.

Deploy Network Connector

To deploy the Connector onto your Network, follow the procedure below:

  1. Select the Connector Type.
    • Choose where you would like to deploy your Connector
    • Follow the setup wizard to deploy your Connector
  2. Click Next.

Configure Internet Access (Secure Internet Access scenario)

  1. Select Internet Access:
    • All Internet traffic
    • Selected Applications and IP Services
  2. Select User Groups, Networks and Hosts, which will use this Network for all internet traffic.

Note: Internet Access will be set to Split Tunnel Off for the selected User Groups, Networks and Hosts. If you remove the selection, Internet Access will be set to Split Tunnel On.

Configure Routing

When you connect a site to a WPC, you must ensure clients from the site are able to route traffic to other sites and remote clients. This can be achieved by adding static routes to your gateway router. This requires adding routes to WPC Subnets and Subnets of other Networks.

This screen lists routes that should be configured with the private IP address of the Connector as a target.
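One way to confirm the static routes described above are in place, shown as an added example that is not part of the OpenVPN Cloud documentation or tooling: it parses `ip route show` output from a Linux gateway and reports, for each required subnet, whether the most specific matching route points at the Connector. The routing table, subnets and Connector address are constructed sample values.

```python
import ipaddress

def parse_routes(ip_route_output):
    """Parse IPv4 `ip route show` text into (network, next_hop) pairs (next_hop None = on-link)."""
    routes = []
    for line in ip_route_output.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # route types not modelled here, e.g. "blackhole ..."
        hop = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((net, hop))
    return routes

def audit_routes(ip_route_output, required_subnets, connector_ip):
    """Map each required subnet to 'ok' or a description of where its traffic really goes."""
    routes = parse_routes(ip_route_output)
    report = {}
    for subnet in required_subnets:
        want = ipaddress.ip_network(subnet)
        covering = [(n, h) for n, h in routes
                    if n.version == want.version and want.subnet_of(n)]
        if not covering:
            report[subnet] = "no route"
            continue
        # The kernel picks the most specific (longest-prefix) matching route.
        net, hop = max(covering, key=lambda r: r[0].prefixlen)
        report[subnet] = "ok" if hop == connector_ip else f"matched {net} via {hop}"
    return report

# Constructed sample: gateway routing table and subnets, not taken from a real deployment.
SAMPLE_TABLE = """
default via 203.0.113.1 dev eth0
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
100.96.0.0/11 via 192.168.1.50 dev eth1
10.20.0.0/16 via 192.168.1.60 dev eth1
"""
REQUIRED = ["100.96.0.0/11", "10.20.0.0/16", "10.30.0.0/16"]  # WPC subnet + two other Networks

if __name__ == "__main__":
    for subnet, status in audit_routes(SAMPLE_TABLE, REQUIRED, "192.168.1.50").items():
        print(f"{subnet:18} {status}")
```

A subnet that only matches the default route is the case to watch for: its traffic leaves through the ISP uplink instead of the Connector.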

Important: To route traffic to your Network, you will need to configure at least one Application or IP Service.

To add a route to either an Application or IP Service, follow the procedures below:

(Optional) Add a Network Application

If you choose to add an IP Service instead, click Next.

An Application must be configured to make a domain accessible from a Network (for public domains accessible from the Network, or private domains served within the Network). To configure an Application using the setup wizard, follow the procedure below:

Note: You may also specify subdomains.

  1. Enter an Application Name.
  2. Enter a Domain (ex: myNetwork.example.com) Note: You may also specify subdomains here.
  3. Select an Application Type (Protocols and/or Ports):
    • All
    • Custom
      • Click Save
  4. (Optional) Enter a Description.
  5. Click Add.
    • To add additional Applications, click the Add Applications button
  6. Click Next.

(Optional) Add Route and Network IP Services

Route and IP Service must be configured to make an IP service accessible from a Network (for public IP addresses or subnets accessible from a Network, or private IP addresses or subnets that are a part of your Network). To configure an IP Service using the setup wizard, follow the procedure below:

Add Route

  1. Enter an IP Address or Subnet.
  2. (Optional) Enter a Description.
  3. Click Create.

Add IP Service

  1. Enter a corresponding IP Address or Subnet.
  2. Select the Service Type (Protocols and/or Ports):
    • All
    • Custom
      • Click Save
  3. Toggle Use as Source to ON to use IP Service as a Network source and to configure granular access controls to filter traffic from this Network. Note: The IP Service will appear in both the Source and Destination columns in Access Groups.
  4. (Optional) Enter a Description.
  5. Click Add.
    • To add additional IP Services, click the Add IP Service button
  6. Click Next.

Configure Access Group (Optional)

Access Groups define access control policies between Sources (i.e. Who?: User Groups and Networks) and Destinations (i.e. What?: Applications and IP Services).

You can create a new Access Group or update an existing Access Group to define access to the newly created Network and/or Applications/IP Services.

By default, an Access Group WPC topology is set to Full-Mesh, which means that all connected devices can freely access each other. You can edit or delete the default group only when more than one group exists. To configure granular access controls, change your WPC topology to Custom.
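The difference between the two topologies, modelled as an added example (not OpenVPN Cloud code): a flow check over Sources and IP Service Destinations that shows which access disappears when Full-Mesh is replaced by Custom Access Groups. All names, subnets and ports are constructed, and the model assumes that under Custom a flow not listed in any Access Group is denied.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class IPService:
    name: str
    subnet: str
    services: tuple = ()  # empty = Service Type "All"; otherwise ("tcp", 443) pairs for "Custom"

    def covers(self, ip, proto, port):
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(self.subnet):
            return False
        return not self.services or (proto, port) in self.services

@dataclass(frozen=True)
class AccessGroup:
    name: str
    sources: frozenset    # User Group / Network names ("Who?")
    destinations: tuple   # IPService objects ("What?")

def allowed(topology, groups, source, ip, proto, port):
    """Return the name of the rule that permits the flow, or None if nothing does."""
    if topology == "Full-Mesh":
        return "Full-Mesh default"  # every connected device can reach every other
    for g in groups:
        if source in g.sources and any(d.covers(ip, proto, port) for d in g.destinations):
            return g.name
    return None  # assumption: Custom topology denies flows no Access Group lists

def who_can_reach(groups, ip, proto, port):
    """Audit helper: every Source granted this destination under Custom topology."""
    return sorted({s for g in groups for s in g.sources
                   if any(d.covers(ip, proto, port) for d in g.destinations)})

# Constructed sample policy.
DB = IPService("db", "10.20.5.0/24", (("tcp", 5432),))
WEB = IPService("intranet", "10.20.1.10/32", (("tcp", 443),))
GROUPS = [
    AccessGroup("dba-to-db", frozenset({"DBA"}), (DB,)),
    AccessGroup("staff-to-web", frozenset({"Staff", "DBA"}), (WEB,)),
]

if __name__ == "__main__":
    for topo in ("Full-Mesh", "Custom"):
        print(topo, allowed(topo, GROUPS, "Contractors", "10.20.5.7", "tcp", 5432))
    print(who_can_reach(GROUPS, "10.20.1.10", "tcp", 443))
```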

Create a new Access Group

  1. Click Create Access Group.
  2. Enter an Access Group Name.
  3. (Optional) Enter a Description.
  4. Select a Source (Who gets the access).
  5. Select a Destination (What gets accessed).
  6. Click Create.
  7. After configuring your Access Group(s), click Finish. You will be redirected to the newly created Network Overview screen.

Add A Network Using Form-based Configuration

To add a Network from the form-based Network configuration, follow the procedures below:

  1. Sign in to the OpenVPN Cloud administration portal at https://cloud.openvpn.com.
  2. Click Add Network.
  3. Click Skip Wizard.
  4. Enter a Network name.
  5. Select the Internet Access for your Network from the drop-down menu:
    • Split Tunnel On (Level-1 Security) — Private and trusted internet traffic is tunneled, all other internet traffic uses local internet
    • Split Tunnel Off (Level-2 Security) — All traffic is tunneled, internet traffic exits from selected Internet Gateways
    • Restricted Internet (Level-3 Security) — Private and trusted internet traffic is tunneled, all other internet traffic is blocked
      • Trusted internet traffic — public domains and public subnets used as routes for remote Networks. Read more about security levels
  6. To configure this Network as an egress, toggle the Internet Gateway button to ON. Please make sure that the following configuration is done when you enable Internet Gateway (Egress):
    • Network Connector is installed
    • Routing and NAT are configured on Network Connector
    • Connector is online
  7. (Optional) Enter a Description.

Important: To establish a connection with your Network, you must specify at least one Application or IP Service / Route.

Add Connector

  1. Click Add Connector
  2. Enter a Name to identify the Connector.
  3. Select a Region closest to your Network. Note: The default Region will be selected.
  4. (Optional) Enter a Description.
  5. Click Add.

(Optional) Add a Network Application

To add an Application, follow these procedures:

  1. Click the Applications tab.
  2. Click Add Application.
  3. Enter the Application Domain (ex: myNetwork.example.com).
    1. This Domain will append the selected Network domain name (ex: domain.myNetwork.example.com).
  4. (Optional) Toggle Allow Embedded IP to ON. Note: Embedded IP enables implicit domain resolution. This is useful for IoT / IIoT devices which can allow remote SSH access. You can use the private IP address of the device and the Network Application Domain Name to create a hostname without configuring a DNS record. For example: SSH@<private ip address>.Network Application Domain Name.
  5. Select a Service Type:
    • All
    • Custom
      • Click Save
  6. (Optional) Enter a Description.
  7. Click Add.

(Optional) Add a Network IP Service

IP Services are defined as access to specific IP address ranges and protocols.

  1. Enter a Name to identify the IP Service.
  2. Select a Service Type:
    • All
    • Custom
      • Click Save
  3. Toggle Use as Source to ON to use IP Service as a Network source and to configure granular access controls to filter traffic from this Network. Note: The IP Service will appear in both the Source and Destination columns in Access > Groups.
  4. (Optional) Enter a Description.
  5. Click Add.

Configure Access Groups

To learn more about access control policies for the newly created Host, see OpenVPN Cloud Access Group.

Update a Network

You may update or delete a Network, its Applications, IP Services, and Connectors. To do so, follow the procedures below:

  1. Navigate to Networks.
  2. Click the edit icon (pencil) of the Network to be updated.
  3. Click Update when complete.

Delete a Network

  1. Navigate to Networks.
  2. Select the checkbox of the Network to be deleted.
  3. Click the delete icon (trash can).
  4. Click Remove.

Update an Application

  1. Navigate to Networks > Applications.
  2. Click the edit icon (pencil) of the Application to be updated.
  3. Click Update when complete.

Delete an Application

  1. Navigate to Networks > Applications.
  2. Click the delete icon (trash can) of the Application to be removed.
  3. Click Remove.

Update IP Services

  1. Navigate to Networks > IP Services.
  2. Click the edit icon (pencil) next to the IP Service to be updated.
  3. Click Update when complete.

Delete an IP Service

  1. Navigate to Networks > IP Services.
  2. Click the delete icon (trash can) of the IP Service to be deleted.
  3. Click Remove.

Update Route

  1. Navigate to Networks > IP Services.
  2. Click the edit icon (pencil) next to the Route to be updated.
  3. Click Update when complete.

Delete Route

  1. Navigate to Networks > IP Services.
  2. Click the delete icon (trash can) of the Route to be deleted.
  3. Click Remove.

Update Connectors

  1. Navigate to Networks > Connectors.
  2. Click the edit icon (pencil) next to the Connector to be updated.
  3. Click Update when complete.

Delete a Connector

  1. Navigate to Networks > Connectors.
  2. Click the kebab menu (three dots) of the Connector to be deleted.
  3. Click Delete.