VPN Setup

Configuration guide for the CoreWeave end of the VPN tunnel.

IPSec VPN setup

Site-to-Site VPNs are configured through the CoreWeave Cloud UI. The IPSec VPN Server is provided through our application catalogue. To set up the IPSec VPN server, first navigate to the Catalog page from the CoreWeave Cloud UI main menu.

Important

The VPC must be created before the VPN is deployed.

Installation

Find and select the vpn-ipsec-server in the applications Catalog.

Configuration

Selecting the VPN application from the catalog exposes its configuration options, shown and detailed below.

Configuration Options

Proposals

First, select a proposal that best suits your implementation. Broadly, aes256gcm16-sha256-modp2048 is recommended for the highest performance.

Pre Shared Key

A random alphanumeric string of 32-64 characters.

Peer IP

The remote VPN device IP or hostname

Peer network

The remote network(s) that you need to reach from your VPC network. This can be a single network, specified as a single address, e.g.: 10.0.0.0/16, or multiple networks, specified as a comma-separated list, e.g.: 10.0.0.0/16, 192.168.0.0/24.

Tunnel IP

The local-side IP address of the VPN tunnel

IKE version

VPC configuration

Under the Network Settings portion of the IPSec VPN setup page are the configuration fields for your VPC.

The fields provided are:

VPC Name

The name of your VPC. The VPC has to be created before the VPN gateway.

Static IP for VPC

If there is no VPC DHCP service available, a static IP in the VPC network can be specified.

Proposals

CoreWeave currently supports four different Proposals for Phase 1 and Phase 2:

Phase 1

| Proposal | Encryption | Integrity | DH-Group |
| --- | --- | --- | --- |
| aes128gcm16-sha256-modp2048 | aes128gcm16 | sha2-256 (prf) | 14 |
| aes256gcm16-sha256-modp2048 | aes256gcm16 | sha2-256 (prf) | 14 |
| aes128gcm16-sha256-ecp256 | aes128gcm16 | sha2-256 (prf) | 19 |
| aes256gcm16-sha256-ecp256 | aes256gcm16 | sha2-256 (prf) | 19 |
| aes256gcm16-sha384-ecp384 | aes256gcm16 | sha2-384 (prf) | 20 |
| aes128-sha256-modp2048 | aes128 | sha2-256 | 14 |
| aes256-sha256-modp2048 | aes256 | sha2-256 | 14 |

Phase 2

| Proposal | Encryption | Integrity | DH-Group |
| --- | --- | --- | --- |
| aes128gcm16-sha256-modp2048 | aes128gcm16 | - | 14 |
| aes256gcm16-sha256-modp2048 | aes256gcm16 | - | 14 |
| aes128gcm16-sha256-ecp256 | aes128gcm16 | - | 19 |
| aes256gcm16-sha256-ecp256 | aes256gcm16 | - | 19 |
| aes256gcm16-sha384-ecp384 | aes256gcm16 | - | 20 |
| aes128-sha256-modp2048 | aes128 | sha2-256 | 14 |
| aes256-sha256-modp2048 | aes256 | sha2-256 | 14 |

Tip

The most performant proposal has been benchmarked to be aes128gcm16-sha256-modp2048.

Finally, create a user account on the VPN Gateway Virtual Server in the final fields of the configuration screen.

Launching the VPN

Once the settings for your VPN have been configured, click the Deploy button at the bottom of the screen to deploy the VPN server to your cluster!

Configure routes

After the VPN is set up, you will need to configure routing for the subnet that you want to reach on the other end of the tunnel. The easiest way to configure this is to use the DHCP on L2VPC, available in the Application Catalog.

Note

If you are running your own DHCP server you will need to implement RFC3442 (classless static routes) in your DHCP server's configuration.
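
RFC 3442 routes are sent as a packed byte string (DHCP option 121), not as a readable list. The following is an added example, not CoreWeave's code, that encodes a Peer network list into that payload; the gateway address 10.100.0.1 and the default router 10.100.0.254 are constructed values standing in for addresses in your VPC.

```python
import ipaddress


def encode_classless_routes(peer_networks, gateway, default_router=None):
    """Build the RFC 3442 (DHCP option 121) payload for a comma-separated network list."""
    gw = ipaddress.IPv4Address(gateway)
    # strict=True rejects entries with host bits set, e.g. 10.0.0.1/16.
    routes = [(ipaddress.IPv4Network(item.strip(), strict=True), gw)
              for item in peer_networks.split(",") if item.strip()]
    if not routes:
        raise ValueError("no peer networks given")
    if default_router is not None:
        # RFC 3442: clients that receive option 121 ignore the Router option
        # (option 3), so the default route has to be carried here as 0.0.0.0/0.
        routes.append((ipaddress.IPv4Network("0.0.0.0/0"),
                       ipaddress.IPv4Address(default_router)))

    payload = bytearray()
    for net, router in routes:
        significant = (net.prefixlen + 7) // 8  # destination octets actually sent
        payload.append(net.prefixlen)
        payload += net.network_address.packed[:significant]
        payload += router.packed
    if len(payload) > 255:
        raise ValueError("payload exceeds the 255 bytes one DHCP option can carry")
    return bytes(payload)


def as_octet_list(payload):
    """Render the payload as comma-separated decimal octets."""
    return ", ".join(str(b) for b in payload)


if __name__ == "__main__":
    # Constructed sample values: the example networks from the Peer network field,
    # an assumed VPN gateway address (10.100.0.1) and default router (10.100.0.254).
    option = encode_classless_routes("10.0.0.0/16, 192.168.0.0/24",
                                     "10.100.0.1", default_router="10.100.0.254")
    print(option.hex())
    print(as_octet_list(option))
```

The decimal-octet form suits DHCP servers that take option 121 as a raw byte array.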
