External network gateway

The external network gateway (external_net) role provides connectivity between VPN and VxLAN tunnels and the local project. Client connections across these tunnels may access ports in the RG’s backend network (srv).



An OpenVPN gateway listens on the standard port (1194/udp) on the gateway’s frontend network (fe). The standard configuration requires two levels of authentication: both a certificate and a valid FC login must be presented on connection initiation. The certificate is fixed for all users of a given RG and is mostly used to keep out dictionary attackers. This authentication scheme requires that users connecting to the gateway have a valid login for this RG.


The external network gateway also contains provisions to interconnect the local RG with a remote network via VxLAN. Contact support for details.


As a courtesy, external network gateways run a mosh server by default.



An OpenVPN server needs correct DNS settings (forward and reverse names). Contact support to get this set up. Additional options (like address pools) can be set in /etc/local/openvpn/networks.json. The README file in the same directory contains a detailed description of available options.

By default, OpenVPN allocates client addresses from the pools and fd3e:65c4:fc10::/48.


Our OpenVPN servers push routes for the whole location (data center). This means that opening VPN connections to external network gateways in several RGs at once may not be a good idea.


A VxLAN tunnel is created if the file /etc/local/vxlan/config.json exists. See the accompanying README file for details.


A default client configuration file (*.ovpn) is provided on OpenVPN gateways in the directory /etc/local/openvpn. Import this configuration file into your OpenVPN client of choice.
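Before importing a profile, it can be checked against the setup described above: both a client certificate and a login prompt, connecting to 1194/udp. The following is an added example, not code shipped with the gateway; the sample profile is constructed, the function names are hypothetical, and the actual contents of the provided *.ovpn file are an assumption.

```python
import re

# Constructed sample profile, not the gateway's real file; the host name and
# the certificate/key bodies are placeholders.
SAMPLE = """\
client
proto udp
remote vpn.example.invalid 1194
auth-user-pass
<cert>
(placeholder)
</cert>
<key>
(placeholder)
</key>
"""

def parse_ovpn(text):
    """Return ({directive: [args, ...]}, set of inline <tag> block names)."""
    directives, inline, block = {}, set(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if block:  # inside <tag> ... </tag>: skip the body, watch for the close
            block = None if line == f"</{block}>" else block
        elif m := re.fullmatch(r"<([\w-]+)>", line):
            inline.add(block := m.group(1))
        elif line and line[0] not in "#;":
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives, inline

def check_profile(text):
    """List deviations from the two-factor, 1194/udp setup described above."""
    d, inline = parse_ovpn(text)
    problems = []
    if "auth-user-pass" not in d:
        problems.append("login factor missing: no auth-user-pass")
    for item in ("cert", "key"):
        if item not in d and item not in inline:
            problems.append(f"certificate factor missing: no {item}")
    # OpenVPN's own defaults when a profile does not say: port 1194, proto udp.
    port = (d.get("port") or [[]])[-1] or ["1194"]
    proto = (d.get("proto") or [[]])[-1] or ["udp"]
    for args in d.get("remote", []):
        r_port = args[1] if len(args) > 1 else port[0]
        r_proto = args[2] if len(args) > 2 else proto[0]
        if r_port != "1194" or not r_proto.startswith("udp"):
            problems.append(f"remote {' '.join(args[:1])} uses {r_port}/{r_proto}")
    return problems
```

An empty list from `check_profile` means the profile asks for both factors and targets the standard port; text inside inline blocks such as `<cert>` is never mistaken for a directive.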


Currently, OpenVPN server processes are checked for liveness.