
VPN Service

Joining the environment VPN connects your machine to the private network of the environment. This gives you the choice to never expose critical container instances (like databases) to the public internet.

VPN Dashboard


  1. The VPN tab, available once a user has selected an environment to manage, brings up the VPN dashboard, where users can enable, update, and further configure the environment's VPN service.
  2. Each VPN service has its own client connection files that must be downloaded, unzipped, and added to a VPN client. Users can download these files by clicking "Request VPN Files".
  3. The Access Control section of the page is where users take actions that affect account management. This is where users can toggle on/off the types of accounts they want to have access to this VPN.

Configuring the VPN Service

The service is automatically created in every environment, but as per Cycle's security philosophy, it is disabled by default.

To configure the VPN service, follow these steps:

  1. Click the Environments tab on the navigation menu to the left.
  2. Select the environment whose VPN service you wish to configure from the list.
  3. Check to see if the load balancer service is running. If not, click on the link to the load balancer container from the list of services below container count and start it manually by holding the start button located at the top of the page.
  4. Select the VPN tab underneath the environment name.
  5. Click the Enable button.

VPN Certificate

The certificate generated by the VPN service is valid for 1,000 days. If the certificate expires, the user should:

  1. Use the two-way console to log into the VPN container.
  2. Delete the folder /usr/share/easy-rsa/pki.
  3. Restart the VPN container.
  4. Redownload the VPN config and install the new connection.
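
To catch expiry before clients start failing, the PKI folder named above can be checked from the two-way console. The script below is an added example, not part of Cycle's documentation or tooling. It assumes openssl is present in the VPN container and that the folder uses the standard easy-rsa 3 layout (ca.crt and issued/*.crt); WARN_DAYS is a hypothetical setting.

```shell
#!/bin/sh
# Added example (not Cycle's code): flag certificates in an easy-rsa PKI that
# have expired or will expire soon, using only `openssl x509`.
# Assumptions: openssl exists in the container; standard easy-rsa 3 layout
# (ca.crt and issued/*.crt under the PKI directory).

WARN_DAYS="${WARN_DAYS:-30}"   # hypothetical warning window, in days

# cert_status FILE -> prints OK, EXPIRING, EXPIRED or UNREADABLE
cert_status() {
    # Reject anything openssl cannot parse as a PEM certificate.
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo UNREADABLE; return 0; }
    # -checkend N exits non-zero if the certificate is expired N seconds from now.
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$1" -noout \
            -checkend "$((WARN_DAYS * 86400))" >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# check_pki DIR -> one line per certificate.
# Returns 0 if all are OK, 1 if any is not OK, 2 if none were found.
check_pki() {
    dir="${1:-/usr/share/easy-rsa/pki}"   # default is the path named on this page
    rc=0
    found=0
    for crt in "$dir"/ca.crt "$dir"/issued/*.crt; do
        [ -e "$crt" ] || continue         # unmatched glob or missing file
        found=1
        status=$(cert_status "$crt")
        end=$(openssl x509 -in "$crt" -noout -enddate 2>/dev/null) || end=""
        printf '%-10s %s (%s)\n' "$status" "$crt" "${end:-no end date}"
        [ "$status" = OK ] || rc=1
    done
    [ "$found" -eq 1 ] || { echo "no certificates under $dir" >&2; return 2; }
    return "$rc"
}

# Runs only when a PKI directory is given:
#   sh check_pki.sh /usr/share/easy-rsa/pki
if [ "$#" -gt 0 ]; then check_pki "$1"; fi
```

An EXPIRING or EXPIRED result is the cue to schedule the four regeneration steps above, since every client has to install the new connection files afterwards.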

User Login

For simplicity, the VPN service can allow any Cycle user who has permission to access the environment to access the VPN as well. These users log in with their Cycle username/password. To enable this, check the box that says "Allow Cycle User Access", then click "Update".

The VPN service also provides the option to use an Access Control List (ACL) to limit who can connect. Specify a username and password for the user and add them to the list. Enabling either form of user authentication requires you to click the checkbox next to your preferred method on the VPN dashboard.


UPDATE VPN ACCESS

Always click the "Update VPN Access" button after making changes to the user access controls.

Interacting with Your Environment while Connected to the VPN

Now that you are connected to the environment VPN, your local machine is part of the private network group. To reach a container, use its hostname. Try ping hostname, where hostname is the container instance you're trying to reach. If your containers are part of a Cycle network, try ping hostname.network to reach an instance in another environment. If your container runs a browser-based program, you can access it in the browser at the address http://hostname.cycle:port.

Cycle TLD

You may need to append the .cycle TLD to your container hostname. Doing so tells your terminal or browser to use the Cycle discovery service explicitly instead of letting it decide on its own.