documentation about real-world setup would be useful #28

Closed
ideasculptor opened this issue Nov 15, 2019 · 5 comments
Comments

@ideasculptor

I'm the first to admit I don't know much of anything about ipsec, but I have gone through the vpn docs, and I'm still unable to get my local host to connect, despite a config that seems to make sense. I have the following config for my module:

```hcl
module "vpn" {
  source = "git@github.com:terraform-google-modules/terraform-google-vpn.git"

  project_id         = data.terraform_remote_state.vpc.outputs.project_id
  network            = data.terraform_remote_state.vpc.outputs.network_name
  region             = var.region
  gateway_name       = "vpn-gw-us-ce1-static"
  tunnel_name_prefix = "vpn-tn-us-ce1-static"
  shared_secret      = "some_shared_secret_here"
  tunnel_count       = 1
  # This is the public IP address of the router on my home network.
  peer_ips           = ["w.x.y.z"]

  route_priority     = 1000

  /*
  remote_subnet is NOT a subnet range configured in the VPC.
  VPC has configured subnets [
    10.1.0.0/24, 10.10.10.0/24, 10.10.11.0/24, 10.10.12.0/24
  ]
  with secondary ranges only for the second to last subnet - [192.168.0.0/22, 192.168.16.0/20]
  My assumption was that when the VPN connection is made, it will be allocated an address from
  the following remote_subnet:
  */
  remote_subnet      = ["10.10.254.0/24"]
}
```

Then I configure the VPN connection on my Mac as follows:

[Screenshot: macOS VPN configuration, 2019-11-15 1:20 AM]

[Screenshot: macOS VPN configuration, 2019-11-15 1:21 AM]

Using the address provided as output by the module, along with the configured shared secret.

I can ping the address:

```
$ ping 146.148.32.72
PING 146.148.32.72 (146.148.32.72): 56 data bytes
64 bytes from 146.148.32.72: icmp_seq=0 ttl=40 time=67.785 ms
64 bytes from 146.148.32.72: icmp_seq=1 ttl=40 time=68.840 ms
64 bytes from 146.148.32.72: icmp_seq=2 ttl=40 time=68.057 ms
64 bytes from 146.148.32.72: icmp_seq=3 ttl=40 time=68.763 ms
```

But attempts to connect fail instantly, with no useful error message or logging that I can find.
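The config in the post treats `remote_subnet` as a pool from which a connecting host is assigned an address. In the terraform-google-vpn module it is the opposite: each entry in `remote_subnet` becomes a VPC route whose next hop is the tunnel, so it must be the range that already exists *behind* the peer gateway, and Cloud VPN never hands out an address to whoever connects. The following pre-apply check is an added example, not code from the module or from the issue author: it mirrors the VPC primary and secondary ranges from the post as constructed input, uses a documentation-space placeholder for the home router's public address (`w.x.y.z` in the post), and assumes a typical home LAN of `192.168.1.0/24` to show why such a LAN would collide with the VPC's `192.168.0.0/22` secondary range.

```python
import ipaddress

# Constructed sample input mirroring the config in the post (not the module's
# code): VPC primary ranges, secondary ranges, and the tunnel's inputs.
VPC_PRIMARY = ["10.1.0.0/24", "10.10.10.0/24", "10.10.11.0/24", "10.10.12.0/24"]
VPC_SECONDARY = ["192.168.0.0/22", "192.168.16.0/20"]
# Placeholder for the home router's public address ("w.x.y.z" in the post).
# 203.0.113.0/24 is RFC 5737 documentation space, so nothing real is named.
PEER_IPS = ["203.0.113.10"]
REMOTE_SUBNET = ["10.10.254.0/24"]

# Address space that can never be a Cloud VPN peer gateway address.
_NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "100.64.0.0/10",                                   # CGNAT (RFC 6598)
)]


def check_tunnel_config(vpc_ranges, peer_ips, remote_subnets):
    """Return a list of problems with a site-to-site Cloud VPN tunnel definition.

    Assumptions (how Cloud VPN and the module behave; this is not the module's
    own validation):
      * peer_ips is the peer gateway's public IPv4 address; a private, loopback,
        link-local or CGNAT address cannot terminate the tunnel.
      * each remote_subnet is a CIDR behind the peer. The module turns it into a
        VPC route with the tunnel as next hop, and VPC subnet routes always win
        over custom routes, so a remote range overlapping a VPC primary or
        secondary range is unreachable through the tunnel.
      * remote ranges must not overlap one another (ambiguous traffic selectors).
    """
    problems = []
    local = [ipaddress.ip_network(r) for r in vpc_ranges]

    for p in peer_ips:
        addr = ipaddress.ip_address(p)
        if addr.version != 4 or any(addr in n for n in _NON_PUBLIC):
            problems.append(f"peer_ip {p} is not a public IPv4 address")

    remote = []
    for r in remote_subnets:
        try:
            # strict=True rejects host bits, e.g. 10.10.254.5/24
            net = ipaddress.ip_network(r, strict=True)
        except ValueError as exc:
            problems.append(f"remote_subnet {r}: {exc}")
            continue
        for l in local:
            if net.overlaps(l):
                problems.append(f"remote_subnet {r} overlaps VPC range {l}")
        for other in remote:
            if net.overlaps(other):
                problems.append(f"remote_subnet {r} overlaps remote_subnet {other}")
        remote.append(net)
    return problems


def routed_into_tunnel(dst_ip, remote_subnets):
    """True if traffic from the VPC to dst_ip would be sent down the tunnel.

    This is the whole effect of remote_subnet: it is a destination range, not a
    pool from which connecting clients are assigned addresses.
    """
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in ipaddress.ip_network(r) for r in remote_subnets)


if __name__ == "__main__":
    print("config problems:",
          check_tunnel_config(VPC_PRIMARY + VPC_SECONDARY, PEER_IPS, REMOTE_SUBNET) or "none")
    # A laptop on an assumed home LAN of 192.168.1.0/24 is not covered by the
    # route at all, so nothing in the VPC can answer it through the tunnel:
    print("192.168.1.20 reachable via tunnel:",
          routed_into_tunnel("192.168.1.20", REMOTE_SUBNET))
    # Declaring that LAN as the remote range instead collides with the VPC's
    # 192.168.0.0/22 secondary range, so the route would never be used:
    print(check_tunnel_config(VPC_PRIMARY + VPC_SECONDARY, PEER_IPS, ["192.168.1.0/24"]))
```

Run it before `terraform apply`; an empty problem list only means the tunnel's routing inputs are consistent. It says nothing about the IKE side, where a single host behind NAT still has to present traffic selectors matching the configured remote range for the tunnel to come up.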

@ideasculptor
Author

ideasculptor commented Nov 15, 2019

And yes, I do understand that single-host tunnels are not really the intended use case, but it would sure be handy if it could be made to work, since some of the private GKE cluster modules really want to have a direct connection to the VPC for running kubectl against the private endpoint of the cluster, and neither my router nor my wifi access point has IPsec/IKEv2 support, so host config is my fastest route to a connection.

@ideasculptor
Author

Looked all over for any kind of log entry that would explain the connection failures, but I can't find anything anywhere.

@morgante
Contributor

My understanding is that Cloud VPN is meant for connecting from a peer VPN (such as one of the devices listed here), not connecting from a client host. But admittedly we don't have any documentation on why this isn't supported.

Unfortunately I'm not a networking expert, so not sure what it would take to make this work.

@ideasculptor
Author

Yeah - I think the biggest issue is that if you had multiple client hosts on the same network behind a NAT, you'd need multiple VPN tunnels to the same address, which would be problematic. The same problem exists at the other cloud provider I've encountered this problem at. There, I use a 3rd-party module which brings up an (open source, not the commercial server) OpenVPN instance in the VPC, along with a pubsub-style pipeline which the server monitors and writes to, which can provision individual credentials. That way I can configure as many sets of credentials as I like.

I'll get around to building something like that sooner or later, probably sooner. If you leave this issue open, I'll just add a module here which does all of that (or in the bastion repo, since it acts as something of a bastion). It's pretty handy for casually connecting to a VPC from anywhere. I do a lot of work on the move, so I find it very useful.

Does Google have a preference for supported Linux distros? I lean toward Ubuntu/Debian by default. OpenVPN package installation makes it fairly challenging to support multiple distros, at least on a first pass.

@github-actions

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.
