Configure the tunnel

This page describes how to add a tunnel from one VPN gateway to another.

Generate a PSK

A PSK (Pre-Shared Key) is a shared secret password that is used to authenticate and encrypt communication between two devices. It is a form of symmetric encryption.

Use the following methods to generate a strong 32-character pre-shared key.

OpenSSL

For more information about OpenSSL, see https://www.openssl.org/. On a Linux or macOS system, run the following OpenSSL command:

openssl rand -base64 24

/dev/urandom

On a Linux or macOS system, you can also use /dev/urandom as a pseudorandom source to generate a pre-shared key:

  • On Linux or macOS, send the random input to base64:

    head -c 24 /dev/urandom | base64
    
  • Pass the random input through a hashing function, such as sha256:

    • On Linux:

      head -c 4096 /dev/urandom | sha256sum | cut -b1-32
      
    • On macOS:

      head -c 4096 /dev/urandom | openssl sha256 | cut -b1-32
      

JavaScript

Generate the pre-shared key directly in a document by using JavaScript with the W3C Web Cryptography API. For more information, see https://www.w3.org/TR/WebCryptoAPI/#Crypto-method-getRandomValues

This API uses the Crypto.getRandomValues() method detailed here: https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues which provides a cryptographically sound way of generating a pre-shared key.

The following code creates an array of 24 random bytes, and then base64 encodes those bytes to produce a random 32-character string:

  var a = new Uint8Array(24);
  window.crypto.getRandomValues(a);

  console.log(btoa(String.fromCharCode.apply(null, a)));

Create the secret

Create a secret with a PSK key:

kubectl --kubeconfig ORG_ADMIN_CLUSTER_KUBECONFIG create secret -n platform generic PSK_NAME --from-literal=psk=PSK

Replace the following:

  • ORG_ADMIN_CLUSTER_KUBECONFIG: the org admin cluster's kubeconfig path.
  • PSK_NAME: The name of the PSK key.
  • PSK: The value of the PSK key.

Create a VPN tunnel

Reference the VPNGateway, PeerGateway, VPNBGPPeer, and Secret resources created in the previous steps to create the tunnel.

kubectl --kubeconfig ORG_ADMIN_CLUSTER_KUBECONFIG create -n platform -f - <<EOF
apiVersion: networking.gdc.goog/v1
kind: VPNTunnel
metadata:
  name: VPN_TUNNEL_NAME
spec:
  vpnInterface:
    name: VPN_GW_NAME
    namespace: platform
    interface: VPN_INTERFACE_NAME
  peerInterface:
    name: PEER_GW_NAME
    namespace: platform
    interface: PEER_INTERFACE_NAME
  vpnBGPPeer:
    name: VPN_BGP_PEER_NAME
    namespace: platform
  ikeKey:
    name: PSK_NAME
    namespace: platform
EOF

Replace the following:

  • ORG_ADMIN_CLUSTER_KUBECONFIG: the org admin cluster's kubeconfig path.
  • VPN_TUNNEL_NAME: the name of the VPN tunnel being used.
  • VPN_GW_NAME: the name of the VPN gateway.
  • VPN_INTERFACE_NAME: the name of the VPN interface.
  • PEER_GW_NAME: the name of the peer VPN gateway.
  • PEER_INTERFACE_NAME: the name of the peer VPN gateway interface.
  • VPN_BGP_PEER_NAME: the name of the VPN BGP peer. For more information, see Create a VPN BGP session.
  • PSK_NAME: the name of the PSK you created in Generate a PSK.

Verify that the VPN_TUNNEL_NAME object was correctly reconciled by examining the Status field.

Get the details of the VPN tunnel:

kubectl --kubeconfig ORG_ADMIN_CLUSTER_KUBECONFIG describe -n platform vpntunnel VPN_TUNNEL_NAME

Examine the output, it must look similar to the following example:

Status:
  Conditions:
    Last Transition Time:  2024-05-10T00:33:31Z
    Message:               Ready
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Reconciled
    Last Transition Time:  2024-05-10T00:33:31Z
    Message:               Ready
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Ready
    Last Transition Time:  2024-05-10T00:33:31Z
    Message:               Tunnel is established.
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  TunnelEstablished
  State:                   Established

The VPNGateway, PeerGateway, and VPNBGPPeer objects must have updated statuses after being referenced by a VPNTunnel. For example, if you verify that the VPNBGPPeer was correctly reconciled again, you should see updated status values:

Get the details of the VPNBGPPeer object:

kubectl --kubeconfig ORG_ADMIN_CLUSTER_KUBECONFIG describe -n platform vpnbgppeer VPN_BGP_PEER_NAME

Examine the output, the status values should now be updated:

Status:
  Advertised:
    Prefix:  10.0.0.16/28
    Prefix:  10.0.1.32/27
    Prefix:  172.16.0.0/14
    Prefix:  172.20.0.0/17
    Prefix:  172.20.128.0/17
    Prefix:  2002:4860:100e:fa00::/58
  Conditions:
    Last Transition Time:  2024-05-10T00:36:38Z
    Message:               Ready
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  ValidIPs
    Last Transition Time:  2024-05-10T00:36:38Z
    Message:               Ready
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  TunnelsAttached
    Last Transition Time:  2024-05-10T00:36:38Z
    Message:               Ready
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Reconciled
    Last Transition Time:  2024-05-10T00:36:38Z
    Message:               Ready
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  AdvertisedRoutesReady
    Last Transition Time:  2024-05-10T00:36:38Z
    Message:               Ready
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  ReceivedRoutesValid
    Last Transition Time:  2024-05-10T00:36:38Z
    Message:               Ready
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  ReceivedRoutesReady
    Last Transition Time:  2024-05-10T00:36:38Z
    Message:               Ready
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Received:
    Prefix:  192.168.100.0/24
    Prefix:  193.188.200.0/24
  State:     Established