VPN Gateway

Overview

VPN Gateway provides secure WireGuard-based VPN connectivity for VPC networks. It supports two connection types:

  • Road-Warrior (Remote Access) -- End users connect their devices (laptops, phones) to VPC resources over the internet using any standard WireGuard client.
  • Site-to-Site -- Persistent encrypted tunnels between a VPC and external networks such as on-premises data centers or other cloud providers.

Tip: VPN gateways are also the building block for VPC Peering -- connecting two VPC networks so instances in both can communicate directly.

Key characteristics:

  • One gateway per VPC -- Each VPC can have at most one VPN gateway.
  • Instant config updates -- Peer changes are applied immediately without dropping active connections.
  • Hourly billing -- Gateways are billed per hour with optional per-GB bandwidth charges via the Cloud Service billing system.

Admin Setup

Prerequisites

Before users can create VPN gateways, an administrator must:

  1. Prepare a VPN gateway image -- Upload or create an OS image with WireGuard and qemu-guest-agent pre-installed, and set its purpose to vpn_gateway under Images.
  2. Create VPN gateway plans -- Define resource plans (CPU, RAM, storage) under Connectivity → VPN Gateway Plans.
  3. Create a plan group -- Organize plans into a plan group and assign the VPN gateway plans to it.
  4. Enable VPN Gateway on a hypervisor group -- Link the plan group and configure pricing.

Enabling VPN Gateway on a Hypervisor Group

  1. Navigate to the Hypervisor Group settings page
  2. Enable the VPN Gateway toggle
  3. Configure pricing:
    • Credit Value -- Monthly base cost in credits (divided by hours in the month for hourly rate)
    • Bandwidth Rate -- Per-GB traffic cost in credits
    • Bandwidth Accounting -- Which direction(s) to meter: uploads, downloads, or both
    • Bandwidth Overage -- What happens when a user exceeds their bandwidth allowance:
      • none -- No limit enforced
      • charge_overage -- Charge per-GB for traffic above the plan limit
      • revoke_access -- Suspend the gateway until bandwidth resets
  4. Optionally select a specific VPN Gateway Image (otherwise the system uses any enabled image with purpose vpn_gateway)
  5. Link the VPN Gateway Plan Group
  6. Save

Managing Gateways (Admin)

Admins can view all VPN gateways across all users at Connectivity → VPN Gateways. The page supports:

  • Search by gateway name, VPC name, or user name/email
  • Filter by status
  • View gateway details, including owner, hypervisor, and plan

Admins can also create VPN gateways directly from a VPC detail page under VPC → [VPC Name] → VPN Gateway.

User Limits

The maximum number of VPN gateways per user is configured on the user profile:

  1. Navigate to Users → [User] → Edit
  2. Set Max VPN Gateways (default: 5, set to 0 for unlimited)

User Guide

Creating a VPN Gateway

  1. Navigate to Networking → VPN Gateways in the sidebar
  2. Click Create VPN Gateway
  3. Select a VPC from the dropdown
  4. Select a VPC Subnet (must be a public subnet with available IPs)
  5. Select a Plan
  6. Optionally set a Name (auto-generated if left blank)
  7. Optionally customize the Tunnel Subnet (default: 10.99.0.0/24) and Listen Port (default: 51820)
  8. Click Create

The gateway will be provisioned with a dedicated public IP address. Deployment typically takes 1--2 minutes, after which the status changes to Active.

Info: Only VPCs in locations where VPN Gateway is enabled will appear in the dropdown. If no VPCs are listed, the feature has not been enabled for any of your locations.

Gateway Details

Once active, the gateway detail page displays:

Field | Description
Name | Gateway name
Status | Current state -- Deploying, Active, Error, or Suspended
VPC | Associated VPC network
Public IP | The gateway's internet-facing IP address -- use this as the WireGuard endpoint
Tunnel Subnet | IP range used for WireGuard tunnel addresses (e.g., 10.99.0.0/24)
Listen Port | WireGuard UDP port (default: 51820)
Public Key | The gateway's WireGuard public key -- click the copy icon to copy
Bandwidth Used | Current billing cycle bandwidth consumption

Road-Warrior Peers (Remote Access)

Road-warrior peers connect individual devices to the VPC. This is the most common use case for accessing VPC resources remotely.

Adding a Peer

  1. On the gateway detail page, click Add Road-Warrior Peer
  2. Enter a Name (e.g., "My Laptop")
  3. Enter the device's WireGuard Public Key
  4. Optionally specify a Tunnel IP (auto-allocated if left blank)
  5. Optionally set DNS servers and Keepalive interval
  6. Click Add Peer

Generating a WireGuard Key Pair

If a key pair hasn't been generated yet, use the WireGuard tools on the client device:

    # umask 077 keeps the new privatekey file readable by its owner only
    (umask 077; wg genkey | tee privatekey | wg pubkey > publickey)

Paste the contents of publickey when creating the peer. Keep privatekey safe -- it's needed for the client configuration.

Downloading Client Configuration

After adding a peer, click Download Config to get a ready-to-use .conf file. Import it into any WireGuard client:

  • Windows / macOS / Linux -- WireGuard desktop app
  • iOS / Android -- WireGuard mobile app

Info: Private keys are never stored on the server. The downloaded configuration includes a placeholder -- replace [YOUR_PRIVATE_KEY] with the private key that corresponds to the public key provided when creating the peer.

Example: Connecting from a Laptop

  1. Install the WireGuard client on the device
  2. Create a road-warrior peer on the gateway and download the config
  3. Open the config file and replace [YOUR_PRIVATE_KEY] with the device's private key
  4. Import the config into the WireGuard client
  5. Activate the tunnel -- VPC instances are now reachable by their private IPs
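
One way to do the placeholder replacement from steps 2 and 3 without exposing the key, as an added example that is not part of the platform's own tooling. The function name, file names and the sample config layout in demo() are assumptions; only the [YOUR_PRIVATE_KEY] placeholder is taken from this page. It refuses a key file that group or other can read, and writes the finished config with owner-only permissions.

```shell
#!/bin/sh
# Added example. demo() uses a constructed config and a constructed key;
# only the [YOUR_PRIVATE_KEY] placeholder comes from the page.

# fill_private_key <downloaded.conf> <private-key-file> <new-output.conf>
fill_private_key() {
    conf=$1 keyfile=$2 out=$3
    placeholder='[YOUR_PRIVATE_KEY]'

    # Refuse a key file that group or other can access (mode chars 5-10).
    [ "$(ls -Lld "$keyfile" | cut -c5-10)" = "------" ] ||
        { echo "refusing: $keyfile is accessible to group/other" >&2; return 1; }

    # A WireGuard key is 32 bytes: 43 base64 characters plus one '='.
    key=$(tr -d '\r\n' < "$keyfile")
    printf '%s' "$key" | grep -Eq '^[A-Za-z0-9+/]{43}=$' ||
        { echo "refusing: $keyfile does not hold a WireGuard key" >&2; return 1; }

    grep -Fq "$placeholder" "$conf" ||
        { echo "refusing: no $placeholder in $conf" >&2; return 1; }
    [ ! -e "$out" ] ||
        { echo "refusing: $out already exists" >&2; return 1; }

    # Literal substitution in awk: base64 may contain '/' and '+', and the
    # key travels in the environment, so it never shows up in argv (ps).
    ( umask 077
      KEY=$key PH=$placeholder awk '{
          i = index($0, ENVIRON["PH"])
          if (i) $0 = substr($0, 1, i - 1) ENVIRON["KEY"] substr($0, i + length(ENVIRON["PH"]))
          print
      }' "$conf" > "$out" ) || return 1

    ! grep -Fq "$placeholder" "$out"    # succeed only if no placeholder is left
}

# Constructed sample run; prints the path of the finished config.
demo() {
    dir=$(mktemp -d) || return 1
    ( umask 077; echo 'aB3/dE+fGh1jKl2mNo3pQr4sTu5vWx6yZa7bCd8eFg9=' > "$dir/privatekey" )
    printf '%s\n' '[Interface]' 'PrivateKey = [YOUR_PRIVATE_KEY]' \
        'Address = 10.99.0.2/32' '' '[Peer]' \
        'PublicKey = <gateway public key>' 'Endpoint = 203.0.113.10:51820' \
        'AllowedIPs = 10.0.0.0/16' > "$dir/peer.conf"
    fill_private_key "$dir/peer.conf" "$dir/privatekey" "$dir/wg0.conf" &&
        echo "$dir/wg0.conf"
}
```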

Site-to-Site Peers

Site-to-site peers create permanent encrypted tunnels between a VPC and an external network.

Adding a Peer

  1. Click Add Site-to-Site Peer
  2. Enter a Name (e.g., "Office Network")
  3. Enter the remote side's Public Key
  4. Enter the Endpoint -- the remote side's public IP and port (e.g., 203.0.113.1:51820)
  5. Configure Allowed IPs -- the remote network CIDRs to route through the tunnel (e.g., 192.168.0.0/16)
  6. Optionally set a Preshared Key for additional security
  7. Click Add Peer

Configuring the Remote Side

On the remote WireGuard endpoint, add a peer with:

  • Public Key -- The gateway's public key (shown on the detail page)
  • Endpoint -- The gateway's public IP and listen port
  • Allowed IPs -- The VPC subnet CIDRs

Once both sides are configured, the tunnel establishes automatically.


Managing Peers

Enable / Disable

Each peer has a toggle to enable or disable it. Disabled peers cannot connect but their configuration is preserved -- useful for temporarily revoking access without deleting the peer.

Editing

Click the edit button on any peer to modify its settings. Changes take effect immediately without disrupting other active peers.

Removing

Click the delete button and confirm removal.


Bandwidth and Billing

VPN gateways are billed hourly through the Cloud Service billing system, the same way as NAT Gateways and Load Balancers.

Hourly Cost

Gateways are charged a base hourly rate for every hour they are active. The rate depends on the plan and location.

Bandwidth

Depending on the plan and location configuration, bandwidth may be:

  • Unlimited -- No bandwidth cap or additional charges
  • Included allowance -- A set amount of bandwidth included per billing cycle, with overage charges or access suspension if exceeded

The gateway detail page shows current bandwidth usage. When a limit applies, usage is displayed as a fraction (e.g., "1.5 GB / 10 GB"). With no limit, an infinity symbol is shown.

Usage Reports

VPN gateway charges appear in the Cloud Service → Usage Report under a dedicated VPN Gateways section, showing hours active, base charges, and bandwidth charges.


Retry Failed Deployments

If a gateway deployment fails (status shows Error), a Retry Deploy button appears. Retrying cleans up the failed deployment and starts fresh, preserving the gateway name and settings.


Deleting a VPN Gateway

To delete a gateway, click Delete Gateway on the detail page or use the delete action on the gateway list.

Deleting a gateway:

  • Bills any remaining hours for the current period
  • Removes all peers, including any VPC peering connections on both sides
  • Permanently removes all configuration

Troubleshooting

Gateway stuck in "Deploying"

If the gateway doesn't become active within a few minutes:

  1. Check the deployment task for errors in the admin panel
  2. Try the Retry Deploy button to start a fresh deployment
  3. Verify the hypervisor has sufficient resources (RAM, storage, available public IPs)
  4. Confirm a VPN gateway image with purpose vpn_gateway exists and is enabled

Peers cannot connect

  1. Verify the gateway status is Active
  2. Confirm the client configuration has the correct:
    • Gateway public key (copy from the detail page)
    • Endpoint (gateway's public IP + listen port)
    • Private key (replace the placeholder in the downloaded config)
  3. Ensure UDP traffic on the listen port (default: 51820) is not blocked by a firewall or the ISP
  4. For site-to-site: verify the remote endpoint is reachable and its public key matches
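
The checks in step 2 can be run against a client config file with the script below, an added example that is not part of the platform. The function names and the sample values in demo_check() are assumptions, and the gateway public key and endpoint arguments are the values copied from the gateway detail page. The same two [Peer] fields are what step 4 asks to verify on a site-to-site remote endpoint. The private key is only compared against the placeholder and is never printed.

```shell
#!/bin/sh
# Added example; the config and gateway key in demo_check() are constructed.

# conf_field <file> <Section> <Name>: first "Name = value" in [Section].
conf_field() {
    awk -v sec="[$2]" -v name="$3" '
        /^[ \t]*\[/ { cur = $0; gsub(/[ \t\r]/, "", cur); next }
        cur == sec {
            i = index($0, "=")
            if (!i) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (tolower(k) == tolower(name)) { print v; exit }
        }' "$1"
}

# check_client_conf <client.conf> <gateway-public-key> <gateway-ip:port>
# Prints one line per problem; returns 0 only when none are found.
check_client_conf() {
    problems=0
    case $(conf_field "$1" Interface PrivateKey) in
        '') echo "no PrivateKey in [Interface]"; problems=1 ;;
        *'[YOUR_PRIVATE_KEY]'*) echo "PrivateKey placeholder not replaced"; problems=1 ;;
    esac
    [ "$(conf_field "$1" Peer PublicKey)" = "$2" ] ||
        { echo "Peer PublicKey differs from the gateway's key"; problems=1; }
    [ "$(conf_field "$1" Peer Endpoint)" = "$3" ] ||
        { echo "Endpoint is not $3"; problems=1; }
    return "$problems"
}

# Constructed sample: placeholder left in and the wrong port in Endpoint.
demo_check() {
    f=$(mktemp) || return 1
    printf '%s\n' '[Interface]' 'PrivateKey = [YOUR_PRIVATE_KEY]' \
        'Address = 10.99.0.2/32' '' '[Peer]' \
        'PublicKey = GATEWAYPUBLICKEYCONSTRUCTEDSAMPLE0000000000=' \
        'Endpoint = 203.0.113.10:51821' > "$f"
    check_client_conf "$f" 'GATEWAYPUBLICKEYCONSTRUCTEDSAMPLE0000000000=' \
        '203.0.113.10:51820' && rc=0 || rc=$?
    rm -f "$f"; return "$rc"
}
```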

"No VPCs available" when creating a gateway

VPN Gateway has not been enabled on the hypervisor group where the VPC resides. Enable it in the hypervisor group settings and ensure a VPN gateway plan group is linked.

"This VPC already has a VPN gateway"

Each VPC supports one VPN gateway. Use the existing gateway, or delete it first to create a new one.