VPN Customer Gateway
⏱️ Estimated reading time: 6 minutes
What is a VPN Customer Gateway?
A VPN Customer Gateway on the Cloud Portal allows you to establish a secure, encrypted connection between your cloud-based VPC or Isolated Network and an external device or network.
- For VPCs, use Site-to-Site IPsec VPN
- For Isolated Networks, use Remote Access VPN (L2TP over IPsec)
📡 Site-to-Site VPN for VPC (Customer Gateway)
For hybrid cloud or branch-office connections.To configure a Site-to-Site VPN for a VPC, follow these steps:
Step 1: Access the VPN Gateway Settings
- Log in to the Cloud Portal.
- Go to Networks > VPN Customer Gateway
- Click the ➕ icon to create a new gateway
Step 2: Fill in the Configuration Parameters
Refer to the original section above for parameters like:
- CIDR List
- Gateway IP
- IKE & ESP settings
- Pre-shared key
Once done, click Save.
Step 3: Connect VPC to the Gateway
- Go to your VPC > VPN Connections
- Click + Add Site-to-Site VPN
- Choose the VPN Gateway you created
- Click Save
🔐 Remote Access VPN for Isolated Networks
For securely connecting individual devices (laptops/desktops) to a cloud-based isolated network.Step 1: Enable Remote Access VPN
- Navigate to Networks > Isolated Networks
- Click on your desired network
- Under the VPN tab, click Enable Remote Access VPN
- A public IP will be automatically associated (or choose one if required)
⚠️ You can only enable Remote Access VPN on networks with a public IP assigned.
Step 2: Add VPN Users
- Go to Network > [Your Isolated Network] > VPN Users
- Click ➕ Add User
- Fill in:
- Username
- Password
- Click OK
✅ Credentials will be used for client-side VPN login
macOS VPN Client Setup
-
Open System Settings > VPN
-
Click Add VPN Configuration
-
Choose L2TP over IPsec
-
Enter the following:
- Server Address: Public IP from Cloud Portal
- Account Name: VPN Username
- Password: VPN Password
- Shared Secret: Pre-shared key (displayed after enabling VPN)
- Send all traffic over VPN: (Optional)
-
Click Create, then connect
Windows VPN Client Setup
-
Open Settings > Network & Internet > VPN
-
Click Add a VPN Connection
-
Enter the following:
- VPN provider: Windows (built-in)
- Connection name: Cloud4India VPN
- Server name or address: Public IP
- VPN type: L2TP/IPsec with pre-shared key
- Pre-shared key: As shown in Cloud Portal
- Username/Password: As created earlier
- Ensure below settings:
- Type of VPN - Layer 2 Tunneling Protocol with IPSec (L2TP/IPsec) add preshared key (In Advanced Settings under Type of VPN)
- Data Encryption - Require Encryption (disconnect if server declines)
- Allow these protocols - Microsoft CHAP Version 2 is checked.
-
Click Save
-
From the VPN list, click Connect
Split Tunnel for Windows
- Connect to the VPN.
- Go to Control Panel > Network and Sharing Center > Change adapter settings.
- Right-click your VPN adapter → Properties → Networking tab.
- Select Internet Protocol Version 4 (TCP/IPv4) → Properties → Advanced.
- Uncheck “Use default gateway on remote network” → OK → Save.
Linux (Ubuntu) VPN Client Setup
Ubuntu supports L2TP over IPsec via strongSwan and xl2tpd. Follow the steps below.
🔧 Install Required Packages
Open a terminal and run:
sudo apt update sudo apt install strongswan xl2tpd network-manager-l2tp-gnome
💡
network-manager-l2tp-gnomeprovides a graphical interface for easier setup via Network Manager.
🖥️ GUI Method (Recommended)
-
Open Settings > Network > VPN
-
Click ➕ Add VPN
-
Choose Layer 2 Tunneling Protocol (L2TP)
-
Enter the following details:
- Gateway: Public IP from Cloud Portal
- Username: VPN username
- Password: VPN password
-
Click IPsec Settings and:
- Enable Use IPsec tunnel
- Enter the Pre-shared key
- Leave other options as default
-
Click Save, then select the VPN from the list and click Connect
🧪 CLI Method (Advanced)
⚠️ Use CLI only if you prefer manual configuration or are automating the setup.
-
Create or edit
/etc/ipsec.conf:config setup charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
conn vpn-connection keyexchange=ikev1 authby=secret type=transport left=%defaultroute leftprotoport=17/1701 right=
<PUBLIC_IP>rightprotoport=17/1701 auto=start -
Add the shared secret to
/etc/ipsec.secrets:: PSK "your-pre-shared-key"
-
Edit
/etc/xl2tpd/xl2tpd.conf:[global] port = 1701
[lns default] ip range = 192.168.1.100-192.168.1.105 local ip = 192.168.1.1 require chap = yes refuse pap = yes require authentication = yes name = l2tpd ppp debug = yes pppoptfile = /etc/ppp/options.l2tpd.client length bit = yes
-
Create
/etc/ppp/options.l2tpd.client:name your-username password your-password refuse pap require chap require-mschap-v2 noccp noauth mtu 1410 mru 1410 connect-delay 5000
-
Start VPN services:
sudo ipsec restart sudo xl2tpd -D
Enabling Split-Tunnel Mode
By default, the VPN sends all your internet and cloud traffic through the tunnel (full tunnel). Split tunnel allows you to send only Cloud network traffic through the VPN, keeping other internet traffic direct.
This is useful when:
- You want faster internet for non-cloud traffic.
- You don’t want to load the VPN for regular browsing.
Split Tunnel for macOS
- When creating the VPN in System Settings > VPN > L2TP over IPsec, leave “Send all traffic over VPN” unchecked.
- After connecting, check your routing table:
netstat -nr
📝 Notes
-
Ensure outbound UDP 500, 4500, and 1701 are allowed
-
Restart Network Manager if needed:
sudo systemctl restart NetworkManager
-
Logs can be checked at:
/var/log/syslog journalctl -u NetworkManager
🧠 Best Practices
- Keep VPN user credentials secure and rotate them regularly
- Ensure the network ACLs allow L2TP/IPsec protocols (UDP 500, 1701, 4500)
- For corporate environments, consider setting DNS servers in your VPN configuration
- Disconnect VPN when not in use to reduce unnecessary tunnel usage
If connection fails:
- Check your firewall or router is not blocking IPsec ports
- Confirm public IP is reachable
- Ensure the shared secret and credentials match exactly