Virtual Private Networks

When your clouds or servers reside in a network that sits behind a restrictive firewall or use a private IP range, you will need to set up a Virtual Private Network between ClearGLASS and your network to be able to manage them through the ClearGLASS service.

ClearGLASS's VPN functionality is based on the OpenVPN protocol, which implements a Virtual Private Network (VPN) in order to create secure point-to-point connections to remote access areas. OpenVPN is capable of accessing private networks by traversing network address translators (NATs) and firewalls, while utilizing the exchange of keys in order to secure its VPN connections (or tunnels).

Setting up the VPN using the UI

To set up a new VPN, visit the Tunnels section from your dashboard menu and click on the Add your tunnels button. Type in a name for your tunnel, and optionally a description. Then, on the CIDRs field, add the private IP range that the cloud that you want to manage resides in. ClearGLASS will choose two random IPv4 addresses for the endpoints of the VPN tunnel. If you want to exclude some of the addresses of the network to avoid IP conflicts, you can fill them in on the excluded CIDRs field. You also have the option to choose between UDP and TCP protocol


Once you’re done, click on the Add button. ClearGLASS will create the tunnel. Click on it, and ClearGLASS will provide you with a bash script that you’ll need to run on your VPN client - usually one of the machines or the router of your private network.


When deploying your VPN client, make sure that there are no firewall rules blocking incoming or forwarded Internet traffic. Your VPN client needs to allow incoming data and outgoing data to ClearGLASS. The UDP port that is used can be seen in the page above. Additionally, make sure that the machine where the VPN client resides can forward packets to your local VMs. Please, ensure your firewall and IPtables rules (if any) have been properly configured.

As soon as you have established your VPN tunnels, you can go ahead and add your infrastructure in ClearGLASS. Your private network IPs will be accessible for you by the ClearGLASS service as if they were public. Just go ahead and add your private clouds and perform actions on private VMs like you would normally do.


To confirm that the tunnel has been established on your VPN client, run ifconfig and make sure you can see the vpn-tunXYZ interface, where XYZ is a number. Example

vpn-tun114 Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:  P-t-P:  Mask:
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


The tunnel is up and we should be able to ping the P-t-P ip (in my case this is

On the tunnel page we can also see the port on the remote side that is assigned for our VPN client. Make sure that outgoing traffic to this port is allowed (UDP to port 1319 in my case).


Setting up the VPN using the command-line interface

All VPN related actions have been also integrated into the ClearGLASS CLI, which can be installed by simply running pip install ClearGLASS. The available VPN related commands are:

  • List tunnels

You can retrieve a list of your established tunnels by invoking: ClearGLASS list-tunnels. You can optionally add the –pretty argument to the aforementioned command in order to print the output in a nicely formatted table.

  • Add tunnel

In order to add a new tunnel you need to use the ClearGLASS add- tunnelcommand . The arguments accepted by the aforementioned command include:

name: a required parameter denoting the unique name of the tunnel

cidrs: a required list of the CIDRs to be routed over the particular VPN tunnel

exclude_cidrs: an optional parameter specifying a list of CIDRs that you may wish to be excluded from the tunnel establishment process in order to avoid potential routing conflicts due to the allocation of already locally existing IP addresses to the VPN endpoints

description: an argument to optionally add a description to the newly created tunnel

Now, let's see a couple of examples adding new VPN tunnels:

root@ubuntu:~ $ ClearGLASS add-tunnel --name MyTunnel --cidrs --exclude-cidrs --description 'This is just an example'

The first command requests the establishment of a VPN tunnel named “MyTunnel” via which the ClearGLASS service will be able to reach the private networks and Additionally, the network has been specified as a network to be excluded from the allocation process of IP addresses for the two VPN endpoints in order to avoid routing conflicts. For example, the CIDR could represent a network that is directly attached to your VPN client, thus you would like to avoid an existing 172.16.150.x IP to be allocated to your VPN interface, as well. Finally, the newly established tunnel comes with the description “This is just an example”. The description and exclude- cidrs fields are optional.

As soon as the newly requested VPN interface has been established on the server-side (the ClearGLASS side), the ClearGLASS add-tunnel command will return the configuration script that needs to be executed on the client-side in order for the tunnel establishment to be completed. At this point, the client-side configuration comes in two forms. Firstly, a bash script will be returned, which needs to be run on your VPN client and will take care of downloading the necessary dependencies, setting up the VPN configuration files and security key, and starting the OpenVPN service. All you have to do is copy and paste the bash script on your VPN client, make it executable, and run it.

The second option consists of a single curl command, which you can execute on you VPN client and will take care of automatically downloading and executing the configuration script.

Your VPN client can be any machine sitting in your private network, including your own router.

After the configuration's execution has been successfully completed, you should have a new interface up and running similar to:

	vpn-tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00    inet addr:  P-t-P:  Mask:

inet addr is the IP address allocated to your VPN endpoint, while P-T-P is the server-side IP address.

  • Edit tunnel

The ClearGLASS CLI also allows you to edit an already established tunnel. The ClearGLASS edit-tunnel command allows you edit the name, description, and list of accessible CIDRs. However, you cannot edit the list of excluded CIDRs. For instance, let's edit tunnel “MyTunnel”:

root@ubuntu:~ $ ClearGLASS edit-tunnel e63fddace687u754aa9e66e4g56th257 --name EditedTunnel --cidrs --description 'This is just an example'

The above command will edit the tunnel with tunnel ID e63fddace687u754aa9e66e4g56th257. Once you run it, the tunnel's name will be changed to “MyEditedTunnel” and ClearGLASS will also be able to access machines that sit in the network.

All tunnel IDs can be retrieved by calling the ClearGLASS list-tunnels command. Tunnel IDs are required in order to perform actions on existing tunnels, such as editing, deleting, or retrieving a tunnel's configuration script.

  • Get the client configuration script

For every already established tunnel you can explicitly request the corresponding VPN client's configuration script. All you need to provide is the tunnel's ID as follows:

root@ubuntu:~ $ ClearGLASS tunnel-script e63fddace687u754aa9e66e4g56th257
  • Get the shell command

Similarly, you may request the corresponding curl command for a more automated deployment. Again, the tunnel's ID is all that needs to be provided to the shell command:

root@ubuntu:~ $ ClearGLASS tunnel-command e63fddace687u754aa9e66e4g56th257
  • Delete tunnel

Finally, you can tear down an existing VPN tunnel using the ClearGLASS delete-tunnel command, as follows:

root@ubuntu:~ $ ClearGLASS delete-tunnel e63fddace687u754aa9e66e4g56th257
content/en_us/cg_virtual-private-networks.txt · Last modified: 2018/03/14 20:31 by admin2