
Cloud VPN connection to on-prem

Hello Team,

I have a cloud instance that I am trying to connect to an on-premise server through a VPN tunnel. I have created the Cloud VPN tunnel and managed to establish a successful connection to the on-premise server. However, when I try to reach the on-premise server, it only shows the internal/private IP address of the cloud instance.

How can I get the external/public IP address to be sent to the on-premise server through the Cloud VPN instead of the private/internal IP of the instance?


Hi @Denseley ,

You can try creating a static route that directs traffic for the on-premise server to the Cloud VPN tunnel. First, you need to take note of the VPC network's details (region, name, subnet name). After determining the region of your VPC network, name and subnet name, create a regional static route that directs traffic for the on-premise server to the Cloud VPN tunnel. Replace EXTERNAL_IP with the actual external IP address of your on-premise server, and VPN_GATEWAY with the name of your VPN gateway. You can refer to my example command below:

gcloud compute routes create route-to-on-premise \
--region=REGION \
--network=VPC_NETWORK \
--destination-range=EXTERNAL_IP/32 \
--next-hop-gateway=VPN_GATEWAY \
--priority=1000

Then, verify if the static route was created:

gcloud compute routes list \
--filter="network:$(gcloud compute networks describe VPC_NETWORK --format='value(name)')"

When you try to reach the on-premise server, it should show the external/public IP address of the cloud instance instead of the private/internal IP.

Let me know if this helps.

Hello @Marvin_Lucero ,

Thanks very much for the assistance. However, I tried using this in the command line interface and was getting an error with the "--region" parameter; as such, I proceeded to use the Cloud Console to create this, but I'm still not able to reach the on-premise server with the instance's public IP.

Kindly advise, what I could be missing or doing wrong.


Hi @Marvin_Lucero

We have the same issue, and we followed the Google Cloud Network Connectivity VPN tutorial, but the connectivity test failed because of the following error:

Policy-based VPN tunnel nn-tunnel-default-route-1 local selector doesn't match packet's source IP address 10.142.0.3.

But after we added the static route that directs traffic for the on-premise server to the Cloud VPN tunnel:

NETWORK: default
DEST_RANGE: 65.X.X.X/32
NEXT_HOP: us-central1/vpnTunnels/nn-vpn-default-tunnel1
PRIORITY: 1000
NAME: peering-route-1******

we could successfully run the connectivity test.

From the connectivity test, after we added the static route as you suggested, we got the following result:

Spoofing approved.

Sending or receiving packets under a foreign IP address is allowed due to IP forwarding being enabled.

Does this mean the IP is going through the VPN tunnel? If yes, why can we still not send the traffic from the VM to the on-premises peer?

In another post, I saw that if we want the public address advertised, we need to deploy a combination of features such as Cloud NAT and routing configuration to achieve this. But what is the next step to creating the static route with the public IP of NAT to route to the VPN?

Posting it here for whoever is stuck like me. The correct command is :

gcloud compute routes create route-to-on-premise --network=net-number-nnsr --destination-range=EXTERNAL-IP/32 --next-hop-vpn-tunnel=tunnel --next-hop-vpn-tunnel-region=REGION --priority=1000

I can't define the gateway as the next hop because, according to the Google docs, the only gateway available is the one Google supports in the form of an internet gateway (IGW). I'm not sure if this solution will work, but I will keep you posted in this thread so that others can benefit from it.

Hello @DamianS

Can you validate the following configuration?
  1. VM Configuration:
  • The VM should have no external IP.
  2. Cloud Router with NAT Gateway:
  • A Cloud Router is set up.
  • A NAT Gateway is configured to provide an external IP.
  3. Static Route:
  • A static route is established to ensure all traffic is routed through the VPN.
  4. VPN Gateway:
  • The VPN Gateway is configured with the destination gateway.
  5. Tunnel Configuration:
  • The tunnel is set up with the destination IP range.
  • The source IP address for the tunnel is the external IP provided by the NAT Gateway.
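
Two things in this thread are worth pinning down with a runnable check, as an added example that is not code posted by anyone above. First, `gcloud compute routes create` has no `--region` flag (routes are global resources), which is why the earlier command errored; the tunnel's region is passed as `--next-hop-vpn-tunnel-region` alongside `--next-hop-vpn-tunnel`. Second, the Connectivity Tests error "local selector doesn't match packet's source IP address 10.142.0.3" means what it says: a policy-based Cloud VPN tunnel only encapsulates packets whose source lies inside one of its local traffic selectors, and the source the tunnel sees is the VM's internal IP. Cloud NAT only translates traffic whose next hop is the default internet gateway, so a NAT external IP configured as the tunnel's local selector will never match a packet the VM sends into the tunnel. The script below reproduces that selector check offline with a pure-shell CIDR test and builds the route command with the accepted flags. Every IP, subnet, tunnel name and region in it is a constructed placeholder, not a value from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the Connectivity Tests
# "local selector doesn't match packet's source IP" check offline, and
# build the route command with the flags 'gcloud compute routes create'
# actually accepts. All IPs, names and regions below are constructed.

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
  IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
  echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# in_cidr IP CIDR: succeed if IP lies inside CIDR (e.g. 10.142.0.3 10.142.0.0/20).
in_cidr() {
  ip_n=$(ip_to_int "$1")
  net_n=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  if [ "$bits" -eq 0 ]; then
    mask=0
  else
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  fi
  [ $(( ip_n & mask )) -eq $(( net_n & mask )) ]
}

# check_local_selector SRC_IP SELECTOR...: a policy-based Cloud VPN tunnel only
# encapsulates packets whose source falls inside one of its local traffic
# selectors. The source the tunnel sees is the VM's internal IP: Cloud NAT only
# rewrites traffic whose next hop is the default internet gateway, never a tunnel.
check_local_selector() {
  src=$1; shift
  for sel in "$@"; do
    if in_cidr "$src" "$sel"; then
      echo "OK: local selector $sel covers source IP $src"
      return 0
    fi
  done
  echo "FAIL: local selector ($*) doesn't match packet's source IP address $src"
  return 1
}

# route_cmd NAME NETWORK DEST_CIDR TUNNEL REGION: print the static-route command.
# Routes are global, so there is no --region flag on 'routes create'; the region
# belongs to the next-hop tunnel and is given as --next-hop-vpn-tunnel-region.
route_cmd() {
  printf 'gcloud compute routes create %s --network=%s --destination-range=%s --next-hop-vpn-tunnel=%s --next-hop-vpn-tunnel-region=%s --priority=1000\n' \
    "$1" "$2" "$3" "$4" "$5"
}

# --- constructed demo values (hypothetical, not from the thread) ---
VM_IP=10.142.0.3             # internal IP of the VM
VPC_SUBNET=10.142.0.0/20     # the VM's subnet range
NAT_IP=198.51.100.25         # Cloud NAT external IP (TEST-NET-2)
ONPREM_IP=203.0.113.10       # on-prem peer's public IP (TEST-NET-3)

echo "Local selector = NAT IP only (the tunnel configured as in the checklist):"
check_local_selector "$VM_IP" "$NAT_IP/32" || true
echo "Local selector = the VM's subnet:"
check_local_selector "$VM_IP" "$VPC_SUBNET"
echo
echo "Route that steers the on-prem /32 into the tunnel:"
route_cmd route-to-on-premise default "$ONPREM_IP/32" nn-vpn-default-tunnel1 us-central1
```

The practical consequence is that the on-prem side has to permit the VPC subnet range (here the constructed 10.142.0.0/20), not the NAT IP, as the source of traffic arriving over the tunnel; the route itself only decides which destinations enter the tunnel and does nothing to the source address.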

Hi @Aidap, I'm not that familiar with hybrid networks, but it looks good to me. What I would double-check:
1. Make sure your on-premise firewall is configured to allow traffic from the public IP address of your NAT gateway.
2. If you have other routes configured, make sure the static route for the VPN has a higher priority to ensure traffic is routed through the VPN.

Hello @DamianS 

Thank you so much for your response; I wrote the complete post here that shows I already did that, and the peer assured us that their on-premise firewall is configured to allow traffic from the public IP address of our NAT gateway. Do you know anyone who is more familiar with a hybrid network? That might help. We have been blocked for about a week now for this.

@Marvin_Lucero or @alexmoore do you know who could help here?

@Marvin_Lucero @alexmoore

The problem is how we should define the static route to route the NATed traffic to the VPN tunnel. I created this because this one NATs to another NAT, but still, traffic gets aborted.

@Denseley did you get this figured out? We have been trying to get this to work for over a week now with no luck.

I found the solution, and I posted it here: