Ordering a free VPN service

Ordering your own vrack VPN is quick and can be done in just a few easy steps!

Pre-requirements

  • Before ordering the VPN/Router, make sure you have a vrack service and know your vrack name (pn-XXXX).
  • Check here the subscription periods available for the VPN service (called durations). Remember that you can always renew your service.
Both of these values will be required in the next step.

Ordering Router

Before creating a VPN service you have to order a Router. The Router is a bundle of additional features (e.g. VPN) that OVH provides on top of your vrack.
You can create a Router for your vrack by placing an order here, using the vrack name and duration from the prerequisites.

After placing the order you need to confirm it. Open the receipt URL available in your order; at the bottom of the receipt there is a button to finalize the order.

You should receive an e-mail with confirmation and further instructions after a few minutes.

Configuration

If you're here, you've probably ordered our Router service. Congratulations!

Go to our OVH API Console to see the new features available for your vrack.

Creating your VPN using API

Discovering the OVH API
To create a new VPN, first add a private network to the router: the gateway address you declare here is configured on the router's vrack-side interface. In the next step this same declaration is selected for the VPN service (as the *serverPrivNet* value).

  • POST /router/{serviceName}/network with the parameters described below:

description: Your network description.
ipNet: Gateway IP and prefix length that will be mounted on your OVH router (e.g. 10.1.0.1/16). This is the network your vrack servers use; the address part (10.1.0.1 in this example) becomes the gateway between the vrack servers and the VPN network. Note that you will need to add the routes on the vrack servers manually.
vlanTag (optional): VLAN tag to be used with this network. This lets you connect to your VLAN-tagged infrastructure in vrack >= 2.0 (DedicatedCloud, for example).

  • POST /router/{serviceName}/vpn with the parameters described below:

psk: Your VPN pre-shared key, used when connecting to the service. Use a long random value: together with the optional clientIp restriction, it is the only credential the IKEv2+PSK setups below have.
clientIp: IP you're connecting from. Access to the VPN will be allowed only from this address. You can leave it as null to disable the IP restriction, in which case the PSK alone protects the service.
serverPrivNet: Vrack private network and gateway declaration, selected from /router/{serviceName}/network (the step before).
clientPrivNet: Client private network and gateway declaration (e.g. 10.2.0.1/16). In site2site mode the gateway IP (10.2.0.1 in this example) and the private network must be configured manually on your client device's interface.
After successfully creating a VPN through the API, you will be assigned a VPN serverIp. It is shown in the API call result and you should be able to connect to it right away.
You will also receive a free subdomain, vrackXXXX.vrackvpn.ovh.net, that you can connect to from Windows clients (other devices should use *serverIp* instead).
If you ever delete and recreate your VPN, serverIp might change, but your domain address will remain the same.

VRACK setup


Vrack connected servers setup

Installing routes
If you want connectivity between the servers in your vrack and the VPN clients, you have to add the routes on each vrack server manually, pointing the client network at the router's gateway address:
example.com|vrack9999:~# ip route add *clientPrivNet* via *serverPrivNetIP*

NOTE: vrack servers should have IPs from the serverPrivNet pool assigned on their vrack interfaces; *serverPrivNetIP* is the gateway address declared in serverPrivNet (10.1.0.1 in the example above).
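The two API calls above and the route step can be scripted together, which also gives a place to catch the mistakes that only show up once the tunnel is up (a network address instead of a gateway address in ipNet, a clientPrivNet that overlaps serverPrivNet, a short PSK). The script below is an added example for this page, not OVH's own code. It assumes the `ovh` Python client (pip install ovh), of which only the `post(path, **params)` method is used, so the RecordingClient stand-in lets it run offline; the endpoint paths and parameter names are the ones listed on this page, while the router serviceName "pn-1234", the minimum PSK length and all addresses are constructed sample values.

```python
"""Create a vrack VPN through the OVH API and derive the matching host settings.

Added example for this page, not OVH's own code. Assumptions: requests go
through the `ovh` Python client, whose `post(path, **params)` method is the
only thing used here, so any object with that method works and the example
runs offline with the RecordingClient below; endpoint paths and parameter
names are those listed on the page; the serviceName "pn-1234", the PSK
length policy and every address are constructed sample values.
"""
import ipaddress
from typing import Optional

MIN_PSK_LENGTH = 20  # this example's own policy: the PSK is the only secret on the tunnel


def parse_gateway_net(value: str) -> ipaddress.IPv4Interface:
    """Validate a 'gateway/prefix' declaration such as 10.1.0.1/16.

    The API takes the gateway address together with the prefix length, so a
    bare network address (10.1.0.0/16) or the broadcast address is rejected.
    """
    iface = ipaddress.IPv4Interface(value)
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{value}: gateway must be a host address inside the prefix")
    return iface


def check_vpn_params(psk: str, server_priv_net: str, client_priv_net: str,
                     client_ip: Optional[str]) -> None:
    """Cross-check the /router/{serviceName}/vpn parameters before sending them.

    Overlapping serverPrivNet and clientPrivNet is the classic site2site
    mistake: the route for clientPrivNet added on the vrack servers would then
    shadow part of the vrack network itself.
    """
    if len(psk) < MIN_PSK_LENGTH:
        raise ValueError(f"psk shorter than {MIN_PSK_LENGTH} characters")
    server_if = parse_gateway_net(server_priv_net)
    client_if = parse_gateway_net(client_priv_net)
    if server_if.network.overlaps(client_if.network):
        raise ValueError(f"serverPrivNet {server_if.network} overlaps clientPrivNet {client_if.network}")
    if client_ip is not None:
        ipaddress.IPv4Address(client_ip)  # raises on anything that is not a single address
    # clientIp=None disables the source-address restriction: the PSK is then the only control.


def create_vpn(client, service_name: str, psk: str, server_priv_net: str,
               client_priv_net: str, client_ip: Optional[str],
               description: str = "vrack VPN", vlan_tag: Optional[int] = None) -> dict:
    """Issue the two POSTs from the page in order; the result carries serverIp."""
    check_vpn_params(psk, server_priv_net, client_priv_net, client_ip)
    net_params = {"description": description, "ipNet": server_priv_net}
    if vlan_tag is not None:
        net_params["vlanTag"] = vlan_tag
    client.post(f"/router/{service_name}/network", **net_params)
    return client.post(f"/router/{service_name}/vpn", psk=psk, clientIp=client_ip,
                       serverPrivNet=server_priv_net, clientPrivNet=client_priv_net)


def vrack_server_route(server_priv_net: str, client_priv_net: str) -> str:
    """The 'Installing routes' command for each vrack server: reach the client
    network via the router's gateway address on the vrack interface."""
    gateway = parse_gateway_net(server_priv_net).ip
    client_net = parse_gateway_net(client_priv_net).network
    return f"ip route add {client_net} via {gateway}"


def ipsec_secrets_line(client_ip: Optional[str], server_ip: str, psk: str) -> str:
    """Matching /etc/ipsec.secrets entry for the strongSwan setups on this page."""
    left = client_ip if client_ip is not None else "%any"
    return f'{left} {server_ip} : PSK "{psk}"'


class RecordingClient:
    """Stand-in for ovh.Client so the example runs offline: records every POST
    and answers the /vpn call with a constructed serverIp."""

    def __init__(self) -> None:
        self.calls = []

    def post(self, path: str, **params) -> dict:
        self.calls.append((path, params))
        if path.endswith("/vpn"):
            return {"serverIp": "203.0.113.10"}  # constructed sample response
        return {}


if __name__ == "__main__":
    # Real use: client = ovh.Client(endpoint="ovh-eu", application_key=..., application_secret=..., consumer_key=...)
    client = RecordingClient()
    vpn = create_vpn(client, "pn-1234", "correct-horse-battery-staple-1",
                     "10.1.0.1/16", "10.2.0.1/16", "198.51.100.7")
    print("serverIp:", vpn["serverIp"])
    print("on each vrack server:", vrack_server_route("10.1.0.1/16", "10.2.0.1/16"))
    print("ipsec.secrets:", ipsec_secrets_line("198.51.100.7", vpn["serverIp"], "correct-horse-battery-staple-1"))
```

The route helper normalises clientPrivNet to its network form (10.2.0.0/16) so the command matches what the kernel would install anyway, and the validation rejects the gateway declaration 10.1.0.0/16 because the router needs a host address on the vrack side, not the network address.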

Remote Site Configuration

Two connection modes are available (configured on the VPN client side):
  • client mode - only a single machine is connected to the VPN.
  • site2site mode - a whole remote network is connected to the VPN (mainly implemented on routers/gateways).

Linux (ikev2+psk) - site2site mode

Installing StrongSwan
First, you need to install and configure StrongSwan.
apt-get install strongswan
Configuring StrongSwan
[root@example.com ~] cat /etc/ipsec.conf
conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  authby=secret
  keyexchange=ikev2
  mobike=no

# Add your connections here.

conn vrack9999_psk
  auto=add
  type=tunnel
  dpdaction=restart
  dpddelay=30s
  dpdtimeout=120s
  right=*serverIp*
  rightsubnet=*serverPrivNet*
  left=*clientIp*
  leftsubnet=*clientPrivNet*
  leftid=site2site_mode
Notes:
  • 9999 is your vrack ID
  • serverIp is the OVH-provided VPN endpoint IP address. This is the address vrack9999.vrackvpn.ovh.net points to; it has to be entered numerically in all setups except Windows, which is the only one that connects by domain name
  • clientIp can be either a valid IP address, or "%any"
  • auto=add only loads the connection; use auto=start if the tunnel should come up by itself after ipsec restart or a reboot
Adding the IPsec pre-shared key (keep this file readable by root only, mode 0600):
[root@example.com ~] cat /etc/ipsec.secrets
*clientIp* *serverIp* : PSK "*psk*"
Reloading ipsec
[root@example.com ~] ipsec restart
If necessary, assign the clientPrivNet gateway address to the interface facing your local network (eth1 here):
[root@example.com ~] ip addr add *clientPrivNet* dev eth1
Connecting to the VPN
Call ipsec up with your connection name
[root@example.com ~] ipsec up vrack9999_psk
Check if everything works afterwards, from a vrack server towards the client gateway:
example.com|vrack9999:~# ping *clientPrivNetIP*
...
and from the client towards the vrack gateway:
[root@example.com ~] ping *serverPrivNetIP*
...

Linux (ikev2+psk) - single client mode

Installing StrongSwan
First, you need to install and configure StrongSwan.
apt-get install strongswan
Configuring StrongSwan
[root@example.com ~] cat /etc/ipsec.conf
conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  authby=secret
  keyexchange=ikev2
  mobike=no

# Add your connections here.

conn vrack9999_psk
  auto=add
  type=tunnel
  dpdaction=restart
  dpddelay=30s
  dpdtimeout=120s
  right=*serverIp*
  rightsubnet=*serverPrivNet*
  leftsourceip=%config
Notes:
  • 9999 is your vrack ID
Adding the IPsec pre-shared key (keep this file readable by root only, mode 0600):
[root@example.com ~] cat /etc/ipsec.secrets
*clientIp* *serverIp* : PSK "*psk*"
Notes:
  • serverIp is OVH provided VPN endpoint IP address (must be numerical not DNS name).
  • clientIp can be either a valid local IP address or "%any"
Reloading ipsec
[root@example.com ~] ipsec restart
Connecting to the VPN
Call ipsec up with your connection name
[root@example.com ~] ipsec up vrack9999_psk
Check if everything works afterwards:
[root@example.com ~] ping *serverPrivNetIP*

Windows 7+ (ikev2+eap-mschapv2) - available only in client mode

Configuring Windows
For Windows, use
vrackXXXX.vrackvpn.ovh.net
as your VPN address, instead of the VPN serverIp. XXXX is your vrack ID.

Please follow this guide to set up your VPN.
Notes:
  • Make sure to use ovhvpn as your user name
  • Make sure "IKEv2" is selected as the VPN type and "EAP-MSCHAPv2" as the authentication method in the Security tab
  • Make sure to uncheck "Use as a default gateway" in Network -> IPv4 -> Advanced, so that only traffic for the vrack network goes through the tunnel

iOS (ikev1+xauth-psk) - available only in client mode

Simply go to your iOS VPN configuration and add an IPSec connection with these values:
Server: your.vpn.server.ip.or.domain
Account: ovhvpn
Password: *psk*
Group name: ovhvpn
Shared secret: *psk*

Cisco devices client setup in site2site mode


Cisco ASA Devices

Common Begin
object network net-local
 subnet *clientPrivNet*

object network net-remote
 subnet *serverPrivNet*

access-list outside_1_cryptomap permit ip *serverPrivNet* *clientPrivNet*
access-list outside_1_cryptomap permit ip *clientPrivNet* *serverPrivNet*
Configuring Ikev1
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 3600

tunnel-group *serverIp* type ipsec-l2l
tunnel-group *serverIp* ipsec-attributes
 ikev1 pre-shared-key *psk*
 isakmp identity key-id site2site_mode
 isakmp keepalive threshold 30 retry 5

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer *serverIp*
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
Configuring Ikev2
crypto ikev2 policy 1
 encryption aes-256
 group 2
 prf sha
 lifetime seconds 3600

crypto ipsec ikev2 ipsec-proposal site2site_mode
 protocol esp encryption 3des aes-256 des
 protocol esp integrity sha-1

tunnel-group *serverIp* type ipsec-l2l
tunnel-group *serverIp* ipsec-attributes
 ikev2 local-authentication pre-shared-key 0 *psk*
 ikev2 remote-authentication pre-shared-key 0 *psk*
 isakmp keepalive threshold 30 retry 5

isakmp identity key-id site2site_mode 

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer *serverIp*
crypto map outside_map 1 set ikev2 ipsec-proposal site2site_mode
crypto map outside_map interface outside
Common End
crypto ipsec security-association lifetime seconds 1200
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
route outside *serverPrivNet*  *serverIp*
crypto ikev1 enable outside
Notes:
  • The IKEv1 transform set and the IKEv2 proposal above still list 3DES and DES; both are legacy algorithms, so keep only the aes-256 entries if the tunnel negotiates with them.
  • crypto ikev1 enable outside enables IKEv1 only; for the IKEv2 variant use crypto ikev2 enable outside instead.

Cisco Router 19xx/29xx Devices

Common Begin
ip access-list extended outside_1_cryptomap
 permit ip *serverPrivNet* *clientPrivNet*
 permit ip *clientPrivNet* *serverPrivNet*
Configuring Ikev1
crypto ipsec transform-set ESP-AES-SHA esp-aes  esp-sha-hmac
 mode tunnel

crypto keyring s2skeyring
 pre-shared-key address  *serverIp* key 0 *psk*

crypto isakmp key 0 *psk* address  *serverIp* no-xauth
crypto isakmp keepalive 30 5 on-demand

crypto isakmp policy 1
 authentication pre-share
 encryption aes 256
 hash sha
 group 2
 lifetime 3600

crypto isakmp profile profile1
 local-address *clientIp*
 match identity address  *serverIp*
 keyring s2skeyring
 self-identity fqdn site2site_mode

crypto map outside_map 1 ipsec-isakmp 
 set peer  *serverIp*
 set transform-set ESP-AES-SHA 
 set isakmp-profile profile1
 match address outside_1_cryptomap
Configuring Ikev2
crypto ikev2 proposal aes-cbc-256-proposal
 encryption aes-cbc-256
 integrity sha1
 group 2

crypto ikev2 keyring s2skeyring
 peer  *serverIp*
  address  *serverIp*
  pre-shared-key *psk*

crypto isakmp keepalive 30 5 on-demand

crypto ikev2 policy policy1 
 match address local *clientIp*
 proposal aes-cbc-256-proposal

crypto ikev2 profile profile1
 description IKEv2 profile
 match address local *clientIp*
 match identity remote address  *serverIp* 
 authentication local pre-share
 authentication remote pre-share
 keyring local s2skeyring
 identity local key-id site2site_mode

crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel

crypto map outside_map 1 ipsec-isakmp 
 set peer  *serverIp*
 set transform-set ESP-AES-SHA 
 set pfs group2
 set ikev2-profile profile1
 match address outside_1_cryptomap
Common End
crypto ipsec security-association lifetime seconds 1200

interface *OutsideRouterInterface* 
 crypto map outside_map

Cisco ASR/CSR Devices

Common Begin
ip access-list extended outside_1_cryptomap
 permit ip *serverPrivNet* *clientPrivNet*
 permit ip *clientPrivNet* *serverPrivNet*
Configuring Ikev1
crypto ipsec transform-set ESP-AES-SHA esp-aes  esp-sha-hmac
 mode tunnel

crypto keyring s2skeyring
 pre-shared-key address  *serverIp*  key 0 *psk*

crypto isakmp key 0 *psk* address  *serverIp*  no-xauth
crypto isakmp keepalive 30 5 on-demand

crypto isakmp policy 1
 authentication pre-share
 encryption aes 256
 hash sha
 group 2
 lifetime 3600

crypto isakmp profile profile1
 local-address *clientIp*
 match identity address  *serverIp* 
 keyring s2skeyring
 self-identity fqdn site2site_mode

crypto map outside_map 1 ipsec-isakmp 
 set peer  *serverIp* 
 set transform-set ESP-AES-SHA 
 set isakmp-profile profile1
 match address outside_1_cryptomap
Configuring Ikev2
crypto ikev2 proposal aes-cbc-256-proposal
 encryption aes-cbc-256
 integrity sha1
 group 2

crypto ikev2 keyring s2skeyring
 peer  *serverIp* 
  address  *serverIp* 
  pre-shared-key *psk*

crypto isakmp keepalive 30 5 on-demand

crypto ikev2 policy policy1 
 match address local *clientIp*
 proposal aes-cbc-256-proposal

crypto ikev2 profile profile1
 description IKEv2 profile
 match address local *clientIp*
 match identity remote address  *serverIp*
 authentication local pre-share
 authentication remote pre-share
 keyring local s2skeyring
 identity local key-id site2site_mode

crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel

crypto map outside_map 1 ipsec-isakmp 
 set peer  *serverIp* 
 set transform-set ESP-AES-SHA 
 set pfs group2
 set ikev2-profile profile1
 match address outside_1_cryptomap
Common End
crypto ipsec security-association lifetime seconds 1200
no crypto xauth *OutsideRouterInterface*
ip route *serverPrivNet*  *serverIp* 
interface *OutsideRouterInterface* 
 crypto map outside_map

Other Vendors


MikroTik

Configuring Ikev1 on MikroTik RouterOS 6.28
/ip route  add dst-address=*serverPrivNet* gateway=*serverIp*

/ip ipsec proposal add name="site2site_mode" auth-algorithms=sha1 \
enc-algorithms=aes-256-cbc lifetime=20m pfs-group=none
 
/ip ipsec policy group add name=site2site_mode
 
/ip ipsec policy add group=site2site_mode src-address=*clientPrivNet* \
dst-address=*serverPrivNet* sa-dst-address=*serverIp* tunnel=yes \
action=encrypt proposal=site2site_mode 
 
/ip ipsec peer add address=*serverIp* hash-algorithm=sha1 nat-traversal=yes \
secret=*psk* policy-template-group=site2site_mode \
dh-group=modp2048 enc-algorithm=aes-256 dpd-interval=30s \
send-initial-contact=no my-id=fqdn:site2site_mode exchange-mode=main-l2tp lifetime=20m

Linksys

Configuring Ikev1

site2site mode important notes

The VPN server selects the connection mode from the identifier the client presents, so in most cases you have to set the local ID on your device when configuring the VPN:
- Local Identifier Type : FQDN
- Local Identifier : site2site_mode
This is what leftid=site2site_mode in the strongSwan example, self-identity fqdn site2site_mode on Cisco routers and my-id=fqdn:site2site_mode on MikroTik do. You're good to go!