Description of image

How to Create VPN Gateways

Validated on 14 Dec 2023 • Last edited on 13 Feb 2024 network | vpn | endpoint | key | core machine | bare metal

Machines are high-performing computing for scaling AI applications.

Use our IPSec VPN tunnels to connect to your Private Network from your office or third-party site. VPN Gateways can be attached to your Private Network, establishing a site-to-site VPN tunnel. This enables two-way communication between your Paperspace machines and devices in your office or third-party site.

This feature can be added anytime by clicking the VPN tab in the console.

VPN dialog

Paperspace site-to-site VPN Gateways leverage the Internet Protocol security (IPsec) protocol.

Create a VPN gateway

Prerequisites

A Private Network is required in order to provision a VPN Gateway. The VPN Gateway is added to this Private Network.

Configuring Paperspace

  1. Navigate to the Network tab in the Paperspace console
  2. Select the VPN tab
  3. Click Create VPN to open the VPN Gateway dialog
  4. Enter the Public IP Address of the border device for your side of the tunnel
  5. Enter a Pre-Shared Key to be used to securely establish the tunnel
  6. Supply a list of internal networks that should be accessible over the tunnel
  7. Click Create VPN

Configuring your end

Supply the following parameters when configuring your side of the VPN tunnel:

Paperspace gateway IP

The Gateway IP (the tunnel endpoint on the Paperspace side) is specific to your Region. West Region: 64.62.255.10 East Region: 184.105.3.10 Europe: 74.82.28.10

Paperspace subnet

The subnet of your Paperspace Private Network is listed under the Network tab of the console in CIDR format, for example 10.30.254.0/24.

Key exchange

Recommended: IKEv2 Fallback: IKEv1

Encryption & authentication algorithms — for Phase 1 & Phase 2

Recommended: AES256 (AES256-CBC), SHA2 (SHA256) Fallback: AES128, SHA1, MD5

Not supported: DES, 3DES, SHA256-96 AES256-GCM

Phase1 & Phase2 DH (Diffie-Hellman) groups*

Recommended: 14 Fallback: 2, 5, 15-18, 22, 23, 24

  • Specifying a DH group for Phase 2 is also known as Perfect Forward Secrecy (PFS). Some devices require this to be explicitly enabled prior to specifying a DH group for Phase 2. Paperspace VPNs utilize PFS to maximize security.

Lifetime

Key life is the time each tunnel takes until it regenerates a new renegotiated key pair. This is performed to maintain the highest security between the two tunnels. While generally, key life need not match between tunnel endpoints, setting your key lifetimes to the below guarantees smooth operation and prevents the possibility of premature tunnel tear-downs.

Phase 1: 10800 seconds

Phase 2: 3600 seconds

Connecting from behind a firewall

Please white list the respective Paperspace Gateway IP allowing it connections on UDP ports 500 and 4500.

Connecting via NAT/local ID

Each IPSEC tunnel endpoint has a unique identifier. In most cases, this is automatically set to be the same as the actual tunnel endpoint IP address. However, there exist scenarios where this may not be the case (detailed below). In such a case you are required to specify a “Local ID” for your IPSEC tunnel. Please set this ID by hand to match the external (Internet IP address) of your end of the tunnel. When in doubt, set a “Local ID” by hand.

The cases where one might be required to perform this are:

  1. Your IPSEC device is behind a NAT – therefore your tunnel ID defaults to an internal IP on your network.
  2. Your IPSEC device generates a unique identifier based on other criteria than IP address.

This can be set on most devices by specifying “LocalID” (sometimes called “ID”), typically found under the authentication portion of the configuration.

Testing end-to-end connectivity

  • Launch a machine into your Private Network
  • After the machine is running, find its private IP address (for example, 10.0.0.3) on the machine details page.
  • Ensure ICMP (ping) is enabled on the machine’s firewall settings
  • From a computer in your network, ping the machine’s private IP address. A successful response is similar to the following:
PROMPT> ping 10.0.0.3  Pinging 10.0.0.3 with 32 bytes of data:
Reply from 10.0.0.3: bytes=32 time<1ms TTL=128
Reply from 10.0.0.3: bytes=32 time<1ms TTL=128
Reply from 10.0.0.3: bytes=32 time<1ms TTL=128
Ping statistics for 10.0.0.3:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milliseconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control Panel Blog Pricing Careers Terms Privacy Status API Docs Tutorials Support