This page describes how to add a tunnel from one VPN gateway to another.
Generate a PSK
A PSK (Pre-Shared Key) is a shared secret that both VPN gateways hold and use to authenticate each other and to secure the communication between them. Because the same secret is held on both sides, it is a symmetric credential, and its strength depends on the key being long, random, and kept confidential.
Use one of the following methods to generate a strong 32-character pre-shared key.
OpenSSL
For more information about OpenSSL, see https://www.openssl.org/. On a Linux or macOS system, run the following OpenSSL command (24 random bytes encode to exactly 32 base64 characters):
openssl rand -base64 24
/dev/urandom
On a Linux or macOS system, you can also use /dev/urandom as a pseudorandom source to generate a pre-shared key:
On Linux or macOS, send the random input to base64:
head -c 24 /dev/urandom | base64
Pass the random input through a hashing function, such as sha256, and keep the first 32 hexadecimal characters of the digest:
On Linux:
head -c 4096 /dev/urandom | sha256sum | cut -b1-32
On macOS, openssl prefixes the digest with the input name (for example "(stdin)= "), so strip everything before the last field before cutting:
head -c 4096 /dev/urandom | openssl sha256 | awk '{print $NF}' | cut -b1-32
JavaScript
Generate the pre-shared key directly in a document by using JavaScript with the W3C Web Cryptography API. For more information, see https://www.w3.org/TR/WebCryptoAPI/#Crypto-method-getRandomValues
This API uses the Crypto.getRandomValues() method detailed here: https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues which provides a cryptographically sound way of generating a pre-shared key.
The following code creates an array of 24 random bytes, and then base64 encodes those bytes to produce a random 32-character string:
var a = new Uint8Array(24);
window.crypto.getRandomValues(a);
console.log(btoa(String.fromCharCode.apply(null, a)));
Create the secret
Create a secret with a PSK key:
kubectl --kubeconfig ORG_ADMIN_CLUSTER_KUBECONFIG create secret -n platform generic PSK_NAME --from-literal=psk=PSK
Replace the following:
ORG_ADMIN_CLUSTER_KUBECONFIG: the org admin cluster's kubeconfig path.
PSK_NAME: the name of the PSK key.
PSK: the value of the PSK key.
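As an added example (not from the original page), the following script ties the two steps together: it generates the 32-character PSK from /dev/urandom, checks its length and character set before use, and passes the Secret to kubectl as a manifest on stdin so the key value never appears on a command line, in shell history, or in the process list. The namespace platform, the secret key psk, and the kubectl --kubeconfig form are taken from the page; the function names are the example's own.

```shell
#!/bin/sh
# Added example: generate a PSK, validate it, and create the Secret
# without placing the key value on a command line.

# 24 random bytes from /dev/urandom, base64-encoded: exactly 32
# characters carrying 192 bits of entropy.
generate_psk() {
  head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# Return 0 only if the PSK is exactly 32 characters drawn from the
# base64 alphabet, which is what the generators on this page produce.
validate_psk() {
  psk=$1
  case "$psk" in
    '' | *[!A-Za-z0-9+/=]*) return 1 ;;
  esac
  [ "${#psk}" -eq 32 ]
}

# Emit a Secret manifest for the PSK. stringData lets the API server
# base64-encode the value itself, so the PSK is not encoded twice.
# The result is equivalent to the page's "create secret generic" form.
psk_secret_manifest() {
  # $1 = PSK_NAME, $2 = PSK value (base64 alphabet only, safe to quote)
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: platform
type: Opaque
stringData:
  psk: "$2"
EOF
}

# Example flow against a real cluster (needs a kubeconfig; not run here):
#   PSK=$(generate_psk)
#   validate_psk "$PSK" || { echo "PSK failed validation" >&2; exit 1; }
#   psk_secret_manifest PSK_NAME "$PSK" | \
#     kubectl --kubeconfig ORG_ADMIN_CLUSTER_KUBECONFIG create -f -
```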
Create a VPN tunnel
Reference the VPNGateway, PeerGateway, VPNBGPPeer, and Secret resources created in the previous steps to create the tunnel.
kubectl --kubeconfig ORG_ADMIN_CLUSTER_KUBECONFIG create -n platform -f - <<EOF
apiVersion: networking.gdc.goog/v1
kind: VPNTunnel
metadata:
  name: VPN_TUNNEL_NAME
spec:
  vpnInterface:
    name: VPN_GW_NAME
    namespace: platform
    interface: VPN_INTERFACE_NAME
  peerInterface:
    name: PEER_GW_NAME
    namespace: platform
    interface: PEER_INTERFACE_NAME
  vpnBGPPeer:
    name: VPN_BGP_PEER_NAME
    namespace: platform
  ikeKey:
    name: PSK_NAME
    namespace: platform
EOF
Replace the following:
ORG_ADMIN_CLUSTER_KUBECONFIG: the org admin cluster's kubeconfig path.
VPN_TUNNEL_NAME: the name of the VPN tunnel being used.
VPN_GW_NAME: the name of the VPN gateway.
VPN_INTERFACE_NAME: the name of the VPN interface.
PEER_GW_NAME: the name of the peer VPN gateway.
PEER_INTERFACE_NAME: the name of the peer VPN gateway interface.
VPN_BGP_PEER_NAME: the name of the VPN BGP peer. For more information, see Create a VPN BGP session.
PSK_NAME: the name of the PSK you created in Generate a PSK.
Verify that the VPN_TUNNEL_NAME object was correctly reconciled by examining the Status field.
Get the details of the VPN tunnel:
kubectl --kubeconfig ORG_ADMIN_CLUSTER_KUBECONFIG describe -n platform vpntunnel VPN_TUNNEL_NAME
Examine the output; it must look similar to the following example:
Status:
  Conditions:
    Last Transition Time:  2024-05-10T00:33:31Z
    Message:               Ready
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Reconciled
    Last Transition Time:  2024-05-10T00:33:31Z
    Message:               Ready
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Ready
    Last Transition Time:  2024-05-10T00:33:31Z
    Message:               Tunnel is established.
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  TunnelEstablished
  State:                   Established
The VPNGateway, PeerGateway, and VPNBGPPeer objects must have updated statuses after being referenced by a VPNTunnel. For example, if you verify again that the VPNBGPPeer was correctly reconciled, you should see updated status values:
Get the details of the VPNBGPPeer object:
kubectl --kubeconfig ORG_ADMIN_CLUSTER_KUBECONFIG describe -n platform vpnbgppeer VPN_BGP_PEER_NAME
Examine the output; the status values should now be updated:
Status:
  Advertised:
    Prefix:  10.0.0.16/28
    Prefix:  10.0.1.32/27
    Prefix:  172.16.0.0/14
    Prefix:  172.20.0.0/17
    Prefix:  172.20.128.0/17
    Prefix:  2002:4860:100e:fa00::/58
  Conditions:
    Last Transition Time:  2024-05-10T00:36:38Z
    Message:               Ready
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  ValidIPs
    Last Transition Time:  2024-05-10T00:36:38Z
    Message:               Ready
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  TunnelsAttached
    Last Transition Time:  2024-05-10T00:36:38Z
    Message:               Ready
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Reconciled
    Last Transition Time:  2024-05-10T00:36:38Z
    Message:               Ready
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  AdvertisedRoutesReady
    Last Transition Time:  2024-05-10T00:36:38Z
    Message:               Ready
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  ReceivedRoutesValid
    Last Transition Time:  2024-05-10T00:36:38Z
    Message:               Ready
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  ReceivedRoutesReady
    Last Transition Time:  2024-05-10T00:36:38Z
    Message:               Ready
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Received:
    Prefix:  192.168.100.0/24
    Prefix:  193.188.200.0/24
  State:     Established