User Guide - VPN with multiple VPN Egress locations
Overview
In this document, we examine a VPN setup to meet the needs of a fictitious company. A startup has a sales team in the USA and Europe. Their sales force is often at customer sites or traveling to customer sites. They access the Internet from hotels, cafes, airports, and other public Internet sites. The sales team relies on SaaS tools like Salesforce.
Owen is in charge of IT and Networking for this company. Owen is cognizant of the security risks that come with the use of public hotspots to access the Internet and is looking for a VPN solution that the sales team can use for secure access to the Internet. He does not want to manage, install and maintain VPN servers but wants to ensure that the company has control over the route to the Internet so that additional protections (for example, use of CASB) can be added later. The public IP address of the internet gateways can also be used in configuring login whitelists in some SaaS providers.
To improve internet access performance, Owen wants employees who connect in the USA to reach the Internet via the Chicago VPN region, and employees who connect in Europe to reach it via the London VPN region. The smart routing feature of OpenVPN Cloud takes care of this optimized routing automatically.
Owen completes the signup process as shown here. During the signup process, Owen selects technop.openvpn.cloud as the web domain for the user portal. This domain uniquely identifies the VPN that Owen will set up and is used by Connect Client applications (VPN Client software) to identify the VPN they need to connect to.
Setup
To route traffic that has entered the VPN to destinations on the Internet, Owen needs to set up one or more Networks configured with VPN Egress turned ON. Each Network configured for VPN Egress can have one or more Connectors. OpenVPN Cloud uses Smart Routing to route internet traffic from Networks, Hosts, and User Groups that have their Internet Access set to Split Tunnel Off to one of the Connectors belonging to VPN Egress Networks, based on:
- The geographic proximity of the VPN Region that is the source of the traffic to the VPN Region of the VPN Egress Network’s Connector
- Network characteristics of the connectivity between source and destination VPN Regions
- Load balancing, when multiple destination Connectors are connected to the same VPN Region
Owen followed the steps shown below to set up his VPN to accept traffic to the Internet and route it to the Internet via two Networks configured as VPN Egress:
- Configured two Networks to act as VPN Egress. Because these Networks' sole purpose is to act as an internet gateway, no Subnets were added to either Network, and VPN Egress was turned ON. He set the VPN Region of the Connector for one Network to Chicago and for the other Network to London. See How to add a Network and Adding VPN Egress.
- Owen decided to run a server using a Virtual Private Server (VPS) hosting provider that had a hosting region near Chicago. He installed the Connector for the Chicago Network on it and configured the server to act as the Internet Gateway. The server was assigned the public IP address 104.248.61.65. See Connecting Networks to OpenVPN Cloud Using Connectors for how to install Connectors and the corresponding settings to enable routing and NAT. We recommend using a Linux operating system.
- Owen decided to run a server using a Virtual Private Server (VPS) hosting provider that had a hosting region near London. He installed the Connector for the London Network on it and configured the server to act as the Internet Gateway. The server was assigned the public IP address 167.71.139.124. See Connecting Networks to OpenVPN Cloud Using Connectors for how to install Connectors and the corresponding settings to enable routing and NAT. We recommend using a Linux operating system.
- After the Networks came online, Owen changed the Internet Access setting for User Groups to Split Tunnel OFF. See Changing User Group's Internet Access.
- Owen connected to the Ashburn, Virginia VPN Region of OpenVPN Cloud (see Connecting to OpenVPN Cloud). On connection, Owen checked that the public IP address of his device running the Connect Client was the same as the public IP address of the Chicago Connector instance, proving that smart routing is working.
- Owen connected to the Frankfurt VPN Region of OpenVPN Cloud (see Connecting to OpenVPN Cloud). On connection, Owen checked that the public IP address of his device running the Connect Client was the same as the public IP address of the London Connector instance, proving that smart routing is working.
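The steps above say the Connector host is "configured to act as the Internet Gateway" with routing and NAT, and that the result is verified by comparing the client's public IP with the Connector's. The script below is an added example, not part of the OpenVPN Cloud guide or the Connector software: it shows the minimal Linux forwarding and NAT rules such a gateway needs, kept to the tunnel-to-WAN path only (FORWARD policy DROP, so the host does not become a general-purpose router), plus the egress check from the last two steps. The interface names (eth0, tun0) and the public-IP lookup service (ifconfig.me) are assumptions; adjust them for your host. Nothing is applied unless the script is invoked with the argument apply.

```shell
#!/bin/sh
# Added example for a VPN Egress Connector host (not OpenVPN's own code).
# Assumptions (hypothetical, adjust to your host):
#   WAN_IF - interface that holds the public IP (Chicago host: 104.248.61.65)
#   VPN_IF - tunnel interface created by the Connector
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"

# Print, but do not run, the commands that turn this host into a NAT gateway.
# Only traffic arriving on the tunnel may be forwarded out to the Internet;
# return traffic is allowed back in only for established connections.
render_gateway_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i $VPN_IF -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $VPN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Run the rendered commands one by one (requires root).
apply_gateway_rules() {
    render_gateway_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd"
    done
}

# Egress check from the verification steps: compare the public IP a
# connected client observes with the Connector address it should be using.
check_egress_ip() {
    expected="$1"
    observed="$2"
    if [ "$expected" = "$observed" ]; then
        echo "ok: egress via $observed"
        return 0
    fi
    echo "MISMATCH: expected $expected, observed $observed"
    return 1
}

case "${1:-}" in
    apply) apply_gateway_rules ;;
    # e.g. on a client connected to Ashburn:  ./egress.sh check 104.248.61.65
    # (ifconfig.me is an assumed public-IP lookup service; any equivalent works)
    check) check_egress_ip "$2" "$(curl -4 -s https://ifconfig.me)" ;;
    *)     render_gateway_rules ;;
esac
```

Run it without arguments to review the rules, with `apply` on the Connector host, and with `check <connector-ip>` from a connected Connect Client device; a non-zero exit from the check means traffic is not leaving through the expected Connector (for example, Split Tunnel is still ON for that User Group).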
Demonstration Video
This VPN has two Networks configured for VPN Egress. One Network has a Connector connected to the London VPN Region. The Connector is configured to NAT and has the public IP address 167.71.139.124. All traffic exiting from this Connector will have 167.71.139.124 as its source IP address.
The other Network has a Connector connected to the Chicago VPN Region. The Connector is configured to NAT and has the public IP address 104.248.61.65. All traffic exiting from this Connector will have 104.248.61.65 as its source IP address.
The user connects to the Ashburn, Virginia VPN Region and accesses a test web server running on the Internet. The web server log shows the access coming from the public IP address of the Chicago Connector (104.248.61.65).
The user connects to the Frankfurt VPN Region and accesses a test web server running on the Internet. The web server log shows the access coming from the public IP address of the London Connector (167.71.139.124).
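The demonstration relies on reading the web server log to confirm which Connector the request came through. The script below is an added example, not part of the OpenVPN Cloud guide: it audits access-log lines against the two Connector addresses from this guide, reporting any client IP that did not arrive via a VPN Egress Connector (a device whose traffic is bypassing the VPN, or a login attempt from outside it) and the per-Connector request counts that show US and European users landing on Chicago and London respectively. The log lines are constructed sample data in combined log format, and 203.0.113.7 is a test-net address standing in for a non-VPN source.

```shell
#!/bin/sh
# Added example (not OpenVPN's own code): audit a web server access log
# against the VPN Egress Connector addresses from the guide.
EGRESS_IPS="104.248.61.65 167.71.139.124"

# Constructed sample log lines (combined log format; client IP is field 1).
SAMPLE_LOG='104.248.61.65 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
167.71.139.124 - - [10/Oct/2023:13:56:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:57:12 +0000] "POST /login HTTP/1.1" 401 128 "-" "curl/8.0"
104.248.61.65 - - [10/Oct/2023:13:58:40 +0000] "GET /report HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'

# Read log lines on stdin; print "<ip> <count>" for every client IP that is
# not one of the Egress Connectors, most frequent first.
unexpected_sources() {
    awk -v allowed="$EGRESS_IPS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 !~ /^[0-9.]+$/ { next }          # skip lines that do not start with an IPv4 address
        !($1 in ok)       { count[$1]++ }
        END { for (ip in count) printf "%s %d\n", ip, count[ip] }
    ' | sort -k2,2nr
}

# Read log lines on stdin; print "<ip> <count>" per Egress Connector, so the
# Chicago/London split described in the demonstration can be confirmed.
egress_counts() {
    awk -v allowed="$EGRESS_IPS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        ($1 in ok) { count[$1]++ }
        END { for (ip in count) printf "%s %d\n", ip, count[ip] }
    ' | sort
}

# Usage with a real log:  unexpected_sources < /var/log/nginx/access.log
echo "requests per Egress Connector:"
printf '%s\n' "$SAMPLE_LOG" | egress_counts
echo "requests NOT via a VPN Egress Connector:"
printf '%s\n' "$SAMPLE_LOG" | unexpected_sources
```

The same two Connector addresses are what Owen would enter in a SaaS provider's login allow-list, so a non-empty report from unexpected_sources on a log that should contain only VPN users is worth investigating.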