Creating a Software VPN Headend in OCI with Terraform

Should you need to tune the details of a VPN connection because of complexities on the left side, the right side, or both sides of the tunnel, one cheap option is to build a software solution. In this particular case we are using Libreswan.


The build is done with Terraform, which automates it and reduces the likelihood of making mistakes. Let's get hands on!

Step 1

Clone this repo from GitHub.

Step 2

Create the following in OCI:

  • Compartment
  • User

Set up the following on your local machine:

  • the OCI CLI
  • an SSH private/public key pair for the VM
  • a working directory

Grab the following information from OCI and your local setup and put it in the file:

  • private_key_path: the path to the API signing private key, inside the directory in which the OCI CLI is configured
  • tenancy_ocid: the OCID of your tenancy (Administration->Tenancy Details)
  • user_ocid: the OCID of an existing user (Identity->Users)
  • fingerprint: the fingerprint of the API key (cat .oci/config)
  • private_key: cat .oci/oci_api_key.pem
  • api_public_key: cat .oci/oci_api_key_public.pem
  • ssh_public_key: the SSH public key for the VM
  • ssh_private_key: the SSH private key for the VM
  • adnumber: the availability domain number, between 1 and 3
  • compartmentocid: the OCID of your compartment
  • imageshape: the shape of the VM
  • vmimageocid: the OCID of a Linux image
  • region: the cloud region

This file holds the API signing key and the VM's SSH private key, so keep it out of version control and readable only by you.

Step 3

Design and agree the networking settings with your peer: the local and peer networks, the tunnel parameters, and the security rules that let IKE (UDP 500) and NAT-T (UDP 4500) from the peer reach the headend.

Step 4

Execute the creation script.

Review the created files before continuing:

If everything is fine, press Y.

Take note of the private and public IPs created. These IPs are reserved, so they won't change unless you destroy the resources.

Step 5

Go to the compute VM that was created.

Compute VM created

Get the OCID of the private IP associated with the VNIC attached to the VM.

Uncomment the block containing the vpnroute resource and set in it the OCID of the private IP obtained above: the route rule to the peer network uses that private IP as its next hop. Note that the VNIC also needs source/destination checking skipped, otherwise OCI drops the traffic the headend forwards on behalf of the peer network.

Execute ./ again

Check that the route to the peer network is created.
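Finding that private IP OCID by hand in the console is error-prone. As an added example (not code from the original post or its repository), the lookup below does it with the OCI CLI and a small parser over its JSON output. It assumes the CLI is configured as in step 2 and that the instance has a single VNIC, the one Terraform attached; the instance OCID you pass in and the embedded sample output are constructed placeholders, not real identifiers.

```shell
#!/bin/sh
# Added example, not from the original post: look up the OCID of the VM's
# primary private IP, the value the vpnroute resource needs as its next hop.

# primary_private_ip_id: reads `oci network private-ip list` JSON on stdin and
# prints the id of the entry flagged "is-primary": true. The CLI prints one key
# per line with keys sorted, so "id" precedes "is-primary" inside each object;
# the pattern requires a quote right before id, so "vnic-id"/"subnet-id" do not match.
primary_private_ip_id() {
  awk '
    /"id":/              { gsub(/[",]/, "", $2); id = $2 }
    /"is-primary": true/ { print id; exit }
  '
}

# vm_primary_private_ip_ocid INSTANCE_OCID: the real lookup; needs a configured
# OCI CLI and assumes the instance has one VNIC (data[0]).
vm_primary_private_ip_ocid() {
  vnic=$(oci compute instance list-vnics --instance-id "$1" \
           --query 'data[0].id' --raw-output) || return 1
  oci network private-ip list --vnic-id "$vnic" | primary_private_ip_id
}

# Constructed sample output (placeholder OCIDs) in the shape the CLI returns,
# with a secondary IP listed first to show that the filter picks the primary one.
SAMPLE_PRIVATE_IP_JSON='{
  "data": [
    {
      "id": "ocid1.privateip.oc1.phx.secondaryexample",
      "ip-address": "10.0.0.9",
      "is-primary": false,
      "subnet-id": "ocid1.subnet.oc1.phx.subnetexample",
      "vnic-id": "ocid1.vnic.oc1.phx.vnicexample"
    },
    {
      "id": "ocid1.privateip.oc1.phx.primaryexample",
      "ip-address": "10.0.0.2",
      "is-primary": true,
      "subnet-id": "ocid1.subnet.oc1.phx.subnetexample",
      "vnic-id": "ocid1.vnic.oc1.phx.vnicexample"
    }
  ]
}'

# sample_lookup: runs the parser over the constructed sample, offline.
sample_lookup() {
  printf '%s\n' "$SAMPLE_PRIVATE_IP_JSON" | primary_private_ip_id
}
```

The OCID this returns is what the route rule in the vpnroute resource points at as its next-hop network entity. Also check that the VNIC was created with source/destination checking skipped (skip_source_dest_check in the Terraform OCI provider), otherwise packets the headend forwards for the peer network are dropped before they reach it.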

ssh to the VPN VM, sudo -i, change to the directory /etc/ipsec.d and edit myvpn.conf:

set the leftid parameter to your public IP (the VNIC only carries the private IP; the public IP is the one the peer identifies you by).

Edit myvpn.secrets and put your public IP there too, since the pre-shared key is looked up by the IDs both sides present.

Restart the IPsec service and see what happens:

systemctl restart ipsec.service
ipsec auto --add myvpn
ipsec auto --up myvpn
ipsec status
ipsec barf
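The edits in this step can be scripted so the two files stay consistent. The following is an added example, not code from the original post or its repository: it generates myvpn.conf and myvpn.secrets in the form Libreswan expects, with the OCI private address as left and the reserved public address as leftid (OCI VMs sit behind 1:1 NAT, so the peer sees the public IP while the VNIC only carries the private one), and puts the public IPs in the secrets line as well. All addresses, subnets, the connection name and the pre-shared key are placeholders, and the IKE/ESP proposals are an assumed choice to be aligned with your peer.

```shell
#!/bin/sh
# Added example, not from the original post: generate the Libreswan connection
# files for the headend. Every address, subnet and the PSK are placeholders.
#
# write_libreswan_conn OUTDIR NAME LEFT_PRIV LEFT_PUB LEFT_NET RIGHT_PUB RIGHT_NET PSK
#   OUTDIR     directory to write into (use /etc/ipsec.d on the VM)
#   LEFT_PRIV  the VM's private IP, the only address on the VNIC
#   LEFT_PUB   the reserved public IP the peer sees (OCI 1:1 NAT)
#   RIGHT_PUB  the peer's public IP; LEFT_NET/RIGHT_NET the networks behind each side
write_libreswan_conn() {
  outdir=$1; name=$2; left_priv=$3; left_pub=$4; left_net=$5
  right_pub=$6; right_net=$7; psk=$8
  mkdir -p "$outdir"
  # left is the VNIC's private IP, leftid the public IP the peer identifies us by.
  # The proposals below are an assumed choice; agree them with the peer.
  cat > "$outdir/$name.conf" <<EOF
conn $name
    type=tunnel
    authby=secret
    ikev2=yes
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256;modp2048
    left=$left_priv
    leftid=$left_pub
    leftsubnet=$left_net
    right=$right_pub
    rightid=$right_pub
    rightsubnet=$right_net
    dpdaction=restart
    dpddelay=30
    dpdtimeout=120
    auto=start
EOF
  # The PSK is looked up by the IDs each side presents, so the public IPs go here too.
  cat > "$outdir/$name.secrets" <<EOF
$left_pub $right_pub : PSK "$psk"
EOF
  chmod 600 "$outdir/$name.secrets"
}

# conn_value FILE KEY: prints the value of KEY in the generated conn block,
# to check the result before restarting the service.
conn_value() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# apply_conn NAME: the restart sequence from the post, plus the established
# tunnels as Libreswan reports them (run as root on the VM).
apply_conn() {
  systemctl restart ipsec.service
  ipsec auto --add "$1"
  ipsec auto --up "$1"
  ipsec trafficstatus
}

# Usage on the VM (placeholder values):
#   write_libreswan_conn /etc/ipsec.d myvpn 10.0.0.2 203.0.113.10 10.0.0.0/16 \
#       198.51.100.5 192.168.0.0/24 'agreed-psk'
#   apply_conn myvpn
```

If the tunnel does not come up, the first things to compare with the peer are the IDs (the secrets line must match what both sides send as leftid/rightid), the subnets, and the proposals; ipsec status and ipsec barf as in the post show which of these Libreswan rejected.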

Start a collaboration session with your peer. You will probably need to adjust some values in your settings; be patient, and good luck 😉

Hope this helps! Enjoy 🙂

