In the portal, the environment VPN is managed through the VPN container modal.
To get there:
- Select Environments from the main, left-hand navigation.
- Select the environment from the first column.
- Scroll down the environment dashboard and click on the Manage button next to VPN.
Dependency on Load Balancer
To use the VPN the environment load balancer must be running.
VPN Dashboard
The service is automatically created in every environment, but as per Cycle's security philosophy, it is disabled by default.
To configure:
- Check to see if the load balancer service is running. If not, click on the link to the load balancer container from the list of services below container count and start it manually by holding the start button located at the top of the page.
- Select the VPN tab underneath the environment name.
- Click the Enable button.
- Choose Generate VPN Files, then Download VPN files.
- Unzip the download and add the connection to a local OpenVPN compatible client.
Renewing VPN Certificate
The certificate generated by the VPN service is good for 1,000 days. If the certificate expires the user should:
- Use the two-way console to log into the VPN container.
- Delete the following folder
/usr/share/easy-rsa/pki. - Restart the VPN container.
- Redownload the VPN config and install the new connection.
Configuring Authentication
For simplicity, the VPN service provides the option to allow any Cycle user with permission to access the environment, permission to access the VPN as well. They will be able to log in with their Cycle username/password. Check the box that says "Allow Cycle User Access", then click "Update".
The VPN service also provides the option to use an Access Control List (ACL) to limit who can connect. Specify a username and password for the user and add them to the list. Enabling either form of user authentication requires the checkbox next to the preferred method on the VPN dashboard.
Authentication Resets and Migration
If a VPN container needs to be migrated, it is possible to do so. However, after a migration has taken place the configuration and authentication must be reset and re-downloaded in order for the client to connect to the container.
Another pattern that makes sense is to delete the VPN container instance and use the create new button at the bottom of the instances page to create a new VPN container instance on the new serer being targeted. Each of these approaches requires a re-downloading of the client config.
Default Configuration Reference
Examples Below
Some of the samples below, in both server and client, like IP CIDRs and addresses are examples. These are not hard coded values that persist in all networks.
Server-Side Defaults
While the server side directives can be customized (see below), the following are the default settings for Cycle VPN services:
Category | Directive | Default Value | Notes |
|---|---|---|---|
Network | port | 1194 | Listening port |
proto | tcp6 | IPv6 TCP; accepts IPv4-mapped clients | |
dev | tun | Routed IP tunnel (not bridged) | |
Addressing | server | 10.204.252.0 255.255.255.0 | IPv4 client pool |
server-ipv6 | fd00::bcdb:876:fd00:0/112 | IPv6 client pool | |
ifconfig-pool-persist | ipp.txt | Persists client IP assignments across restarts | |
Routing | push “route-ipv6 ...” | fd00::bcdb:0:0:0/80 | Pushes environment’s private IPv6 network to clients |
push “dhcp-option DOMAIN ...” | cycle | Search domain for .cycle TLD resolution | |
push “dhcp-option DNS ...” | fd00::bcdb:4d4c:1:1 | Cycle discovery service DNS | |
redirect-gateway | not set | Split tunnel by default | |
Clients | client-to-client | enabled | VPN clients can reach each other directly |
duplicate-cn | enabled | Same user can connect from multiple devices | |
max-clients | 25 | Concurrent client connection cap | |
Connection | keepalive | 10 120 | Ping every 10s; declare peer down after 120s |
Compression | comp-lzo | enabled | LZO compression (deprecated in OpenVPN 2.6+) |
Auth | auth-user-pass-verify | Cycle login script | Validates against Cycle credentials or ACL |
username-as-common-name | enabled | Uses authenticated username as cert CN | |
script-security | 3 | Allows external auth script execution | |
TLS | ca | /usr/share/easy-rsa/pki/ca.crt | Certificate authority |
cert | /usr/share/easy-rsa/pki/issued/server.crt | Server certificate | |
key | /usr/share/easy-rsa/pki/private/server.key | Server private key | |
dh | /usr/share/easy-rsa/pki/dh.pem | Diffie-Hellman parameters | |
tls-version-min | not set | Falls back to OpenVPN default | |
cipher / data-ciphers | not set | Falls back to OpenVPN negotiated default | |
Hardening | user / group | nobody / nobody | Daemon drops privileges after init |
persist-key | enabled | Keeps key in memory across restarts | |
persist-tun | enabled | Keeps tun device across restarts | |
Logging | status | openvpn-status.log | Current-connections status file |
verb | 2 | Log verbosity level | |
mute | 10 | Suppresses repeating messages after 10 |
Client-Side Defaults
After downloading the VPN connection zip and unzipping it, opening the config.conf file the following defaults are present:
Category | Directive | Default Value | Notes |
|---|---|---|---|
Connection | remote | <environment-ip> 1194 tcp-client | Generated per environment |
nobind | enabled | No local port binding | |
resolv-retry | 5 | Retry DNS for 5s before failing | |
Device | dev | tun | Matches server tun mode |
Persistence | persist-tun | enabled | Keeps tun device across reconnects |
persist-key | enabled | Keeps key in memory across reconnects | |
Pull | pull | enabled | Accepts routes/DNS pushed by server |
Auth | auth-user-pass | enabled | Prompts for username and password |
tls-client | enabled | Acts as TLS client in handshake | |
ca | ca.crt | Bundled in the downloaded config | |
cert | client.crt | Bundled in the downloaded config | |
key | client.key | Bundled in the downloaded config | |
DNS | dhcp-option DOMAIN | cycle | Pushed from server |
dhcp-option DNS | fd00::bcdb:4d4c:1:1 | Pushed from server | |
Compression | compress lzo | enabled | Matches server compression |
comp-lzo | adaptive | Adaptive LZO compression mode |
Customizing VPN Server Configuration
Users with granular needs over the VPN configuration can set additional directives via the form on the **Config** tab located on the main left-hand navigation of the VPN modal.