From 3f07aeee4bb8001124a9bd335a8697c2c82fdf42 Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Tue, 31 Mar 2026 11:14:15 +0200 Subject: [PATCH 01/16] docs(s2svpn): add strongswan tutorial --- tutorials/s2s-vpn-strongswan/index.mdx | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 tutorials/s2s-vpn-strongswan/index.mdx diff --git a/tutorials/s2s-vpn-strongswan/index.mdx b/tutorials/s2s-vpn-strongswan/index.mdx new file mode 100644 index 0000000000..b37d2e9309 --- /dev/null +++ b/tutorials/s2s-vpn-strongswan/index.mdx @@ -0,0 +1,17 @@ +--- +title: Connecting Private Networks using Site-to-Site VPN and strongSwan +description: +tags: vpn strongswan public gateway customer gateway secure tunnel +products: + - site-to-site-vpn +dates: + validation: 2026-03-31 + posted: 2026-03-31 + validation_frequency: 12 +difficulty: beginner +usecase: + - security +ecosystem: + - third-party +--- + From 6a7a0672718df8abe4d00e5b978b3c6d9a3084b1 Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Wed, 1 Apr 2026 14:53:49 +0200 Subject: [PATCH 02/16] docs(s2svpn): update --- tutorials/s2s-vpn-strongswan/index.mdx | 248 ++++++++++++++++++++++++- 1 file changed, 247 insertions(+), 1 deletion(-) diff --git a/tutorials/s2s-vpn-strongswan/index.mdx b/tutorials/s2s-vpn-strongswan/index.mdx index b37d2e9309..c66de4a9bb 100644 --- a/tutorials/s2s-vpn-strongswan/index.mdx +++ b/tutorials/s2s-vpn-strongswan/index.mdx @@ -1,6 +1,6 @@ --- title: Connecting Private Networks using Site-to-Site VPN and strongSwan -description: +description: Learn how to establish a secure connection between private networks using Site-to-Site VPN with strongSwan on Scaleway. tags: vpn strongswan public gateway customer gateway secure tunnel products: - site-to-site-vpn 
@@ -15,3 +15,249 @@ ecosystem: - third-party --- +In this tutorial, you will learn how to establish a secure connection between two private networks using Site-to-Site VPN with strongSwan on Scaleway. You will create a connection between a Scaleway VPC and a customer network, enabling communication between private servers in each network. + +## Requirements + +To complete the actions presented below, you must have: + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization +- Two separate Scaleway Projects (one for Scaleway side, one for customer side) +- Basic knowledge of VPC and Private Network concepts + +## Overview of the setup + +### Network 1 (Scaleway side) + +- Private Network: 176.16.0.0/22 +- S2S VPN configured via Scaleway console +- Private server instance (without public IP address): scw-srv + +### Network 2 (Customer side) + +- Private Network: 176.16.16.0/22 +- Gateway instance (Debian running strongSwan): customer-gw +- Private server instance (without public IP address): customer-srv + +## Goal + +Be able to ping scw-srv from customer-srv. + +## About ASNs + +Both networks are created as different projects in the Scaleway console. The documentation and interface warn about it not being possible due to BGP limitation to route between different ASs. This limitation is worked around by attributing a private ASN (65000) to the customer's gateway. + +## Step-by-step procedure + +### Setup the "customer" project + +1. Create a VPC containing only one Private Network (Advanced -> custom IP block: 172.16.16.0/22) + +2. Create the instance customer-gw: + - Debian OS + - Public IP address (51.15.82.244 in this example, adapt to your IP) + - Attached to the Private Network with IP 172.16.16.2/22 + +3. 
Create the instance customer-srv: + - Debian OS + - No public IP address + - Attached to the Private Network with IP 172.16.16.3/22 + +### Setup the "scw" project + +1. Create a VPC containing only one Private Network (Advanced -> custom IP block: 172.16.0.0/22) + +2. Create the instance scw-srv: + - Debian OS + - No public IP address + - Attached to the Private Network with IP 172.16.0.2/22 + +3. Create the VPN gateway scw-gw: + - Public IP address (212.47.229.0 in this example, adapt to your IP) + - Attached to the Private Network with IP 172.16.0.3/22 + +4. Create the customer gateway: + - IP address: customer-gw's IP (51.15.82.244/32 in this example) + - ASN: 65000 + +5. Create the routing policy: + - IPv4 + - Incoming whitelist: 172.16.16.0/22 + - Outgoing whitelist: 172.16.0.0/22 (or set both to 0.0.0.0/0 for maximum flexibility) + +6. Create the connection linking everything together: + - Configure with "connection Initiated by the customer gateway" + - Select recommended "Security proposal": "IKE2: aes256gcm16-sha384-curve25519 - ESP: aes256gcm16" + +### Setup BGP service on customer-gw + +1. Install required packages: + ```bash + apt-get install frr frr-pythontools + ``` + +2. In `/etc/frr/daemons`, set `bgpd=yes` + +3. Create `/etc/frr/frr.conf` with the following content: + ``` + log syslog informational + + ! + router bgp 65000 + # Example values: + # 169.254.0.7: "Interconnection subnet" IP in Scaleway console -> connection overview -> BGP session + # 169.254.0.6: The other IP in the same subnet as above + # 172.16.16.0/22: The subnet this server (customer-gw) serves + bgp router-id 169.254.0.7 + neighbor 169.254.0.6 remote-as 12876 + neighbor 169.254.0.6 description TransitProvider + ! + address-family ipv4 unicast + #network 172.16.16.0/22 # let commented to announce all your routes, uncomment to select the routes to announce + redistribute connected + exit-address-family + ! + ``` + +4. 
Restart FRR service: + ```bash + systemctl restart frr + ``` + +### Setup strongSwan on customer-gw + +1. Create an XFRM interface to tag BGP session's packets: + ```bash + ip link add type xfrm if_id 1 dev ens2 + ip addr add 169.254.0.7/31 dev xfrm0 + ip link set xfrm0 up + ``` + +2. Install strongSwan packages: + ```bash + apt-get install strongswan strongswan-pki libstrongswan-standard-plugins libstrongswan-extra-plugins strongswan-libcharon + ``` + +3. Create `/etc/swanctl/conf.d/moon.conf`: + ``` + connections { + gw-gw { + local_addrs = 51.15.82.244 # customer-gw's IP + remote_addrs = 212.47.229.0 # scw-gw's IP + + local { + auth = psk + id = 51.15.82.244 + } + remote { + auth = psk + id = 51.15.82.244 + } + children { + net-net { + local_ts = 0.0.0.0/0 + remote_ts = 0.0.0.0/0 + + if_id_in = 1 + if_id_out = 1 + + updown = /usr/lib/ipsec/_updown + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes256gcm16 # Copy the ESP part of your connection's "Security proposal" + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes256gcm16-sha384-curve25519 # Copy the IKE part of your connection's "Security proposal" + } + } + + secrets { + ike-scaleway-psk { + id = 51.15.82.244 + secret = "*****" # PSK available from Scaleway's console, in "Security & Identity -> Secret Manager" + } + } + ``` + +4. Load configurations and initiate connection: + ```bash + swanctl --load-conns + swanctl --load-creds + swanctl --initiate --child net-net + ``` + +At this point: +- The S2S VPN connection should have a green status in Scaleway console +- Both the "Tunnel via IPv4" and the BGP session should be OK +- From customer-gw, you can ping scw-gw using its BGP session's IP (169.254.0.6 in this case) +- We cannot ping scw-gw using its private IP (172.16.0.3) because BGP routes are not yet exchanged + +### Exchange routes via BGP + +1. In the Scaleway console, activate "Route propagation" in the S2S VPN connection + +2. 
Modify `/etc/frr/frr.conf` to add prefix lists and route maps: + ``` + log syslog informational + + ! + ip prefix-list PROV_1_IN seq 10 permit 172.16.0.0/22 + ip prefix-list PROV_1_OUT seq 10 permit any + ! + route-map PROV_1_IN permit 10 + match ip address prefix-list PROV_1_IN + exit + ! + route-map PROV_1_OUT permit 10 + match ip address prefix-list PROV_1_OUT + exit + ! + router bgp 65000 + # Example values: + # 169.254.0.7: "Interconnection subnet" IP in Scaleway console -> connection overview -> BGP session + # 169.254.0.6: The other IP in the same subnet as above + # 172.16.16.0/22: The subnet this server (customer-gw) serves + bgp router-id 169.254.0.7 + neighbor 169.254.0.6 remote-as 12876 + neighbor 169.254.0.6 description TransitProvider + ! + address-family ipv4 unicast + #network 172.16.16.0/22 # let commented to announce all your routes, uncomment to select the routes to announce + redistribute connected + neighbor 169.254.0.6 route-map PROV_1_IN in + neighbor 169.254.0.6 route-map PROV_1_OUT out + exit-address-family + ! + ``` + +3. Restart FRR service: + ```bash + systemctl restart frr + ``` + +At this point: +- On customer-gw, `ip route` shows the new route for 172.16.0.0/22 subnet +- We can ping scw-gw and scw-srv from customer-gw +- We cannot ping scw-* from customer-srv because it is missing gateway configuration + +### Setup a gateway in customer network + +1. On customer-gw, activate packet forwarding: + ```bash + sysctl -w net.ipv4.ip_forward=1 + ``` + +2. On customer-srv, add the route using the gateway: + ```bash + ip route add 172.16.0.0/22 via 172.16.16.2 + ``` + +At this point: +- Everything works as expected, we can ping a private server from the other +- Test it by connecting to customer-srv and issuing `ping 172.16.0.2` +- Congratulations! \ No newline at end of file From 94d7a6f899e709b6b3c13bae4d22f3ae9c460954 Mon Sep 17 00:00:00 2001 
From: Samy OUBOUAZIZ Date: Thu, 2 Apr 2026 17:26:36 +0200 Subject: [PATCH 03/16] docs(s2svpn): update --- tutorials/s2s-vpn-strongswan/index.mdx | 66 +++++++++++--------------- 1 file changed, 29 insertions(+), 37 deletions(-) diff --git a/tutorials/s2s-vpn-strongswan/index.mdx b/tutorials/s2s-vpn-strongswan/index.mdx index c66de4a9bb..2e9e996eaf 100644 --- a/tutorials/s2s-vpn-strongswan/index.mdx +++ b/tutorials/s2s-vpn-strongswan/index.mdx @@ -15,11 +15,13 @@ ecosystem: - third-party --- -In this tutorial, you will learn how to establish a secure connection between two private networks using Site-to-Site VPN with strongSwan on Scaleway. You will create a connection between a Scaleway VPC and a customer network, enabling communication between private servers in each network. +import Requirements from '@macros/iam/requirements.mdx' -## Requirements +In this tutorial, you will learn how to establish a secure connection between two private networks using Scaleway Site-to-Site VPN with strongSwan. You will create a VPN connection between a Scaleway Instance attached to a Private Network, and a customer virtual server, located in a distinct network, enabling communication between the two resources. -To complete the actions presented below, you must have: +This tutorial is intended for demonstration and testing purposes, and may not be adapted to specific production environments. + + - A Scaleway account logged into the [console](https://console.scaleway.com) - [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization 
@@ -28,57 +30,47 @@ To complete the actions presented below, you must have: ## Overview of the setup -### Network 1 (Scaleway side) - -- Private Network: 176.16.0.0/22 -- S2S VPN configured via Scaleway console -- Private server instance (without public IP address): scw-srv - ### Network 2 (Customer side) -- Private Network: 176.16.16.0/22 +- Private Network: 176.16.0.0/22 - Gateway instance (Debian running strongSwan): customer-gw - Private server instance (without public IP address): customer-srv -## Goal - -Be able to ping scw-srv from customer-srv. - ## About ASNs Both networks are created as different projects in the Scaleway console. The documentation and interface warn about it not being possible due to BGP limitation to route between different ASs. This limitation is worked around by attributing a private ASN (65000) to the customer's gateway. -## Step-by-step procedure +## Setting up the Scaleway Project + +### Setting up the Instance and Private Network + +This section will guide you through the creation of the required Scaleway resources. +For safety reasons, we recommend creating resources in a dedicated Scaleway Project. -### Setup the "customer" project +1. [Create a new VPC](/vpc/how-to/create-vpc/) in the desired region. -1. Create a VPC containing only one Private Network (Advanced -> custom IP block: 172.16.16.0/22) +2. [Create a new Private Network](/vpc/how-to/create-private-network/) within the VPC you just created. Define a custom IPv4 CIDR block with range `172.16.0.0/22`. -2. Create the instance customer-gw: - - Debian OS - - Public IP address (51.15.82.244 in this example, adapt to your IP) - - Attached to the Private Network with IP 172.16.16.2/22 +3. [Create a Scaleway Instance](/instances/how-to/create-an-instance/) with the following parameters: + - Same region as the previously created Private Network + - Debian OS image + - No public IPv4 connectivity + - No public IPv6 connectivity -3. 
Create the instance customer-srv: - - Debian OS - - No public IP address - - Attached to the Private Network with IP 172.16.16.3/22 +4. [Attach the Instance](/vpc/how-to/attach-resources-to-pn/) to the Private Network you just created. A private IP address will be allocated automatically. + +### Configuring Site-to-Site VPN ### Setup the "scw" project 1. Create a VPC containing only one Private Network (Advanced -> custom IP block: 172.16.0.0/22) -2. Create the instance scw-srv: - - Debian OS - - No public IP address - - Attached to the Private Network with IP 172.16.0.2/22 - 3. Create the VPN gateway scw-gw: - Public IP address (212.47.229.0 in this example, adapt to your IP) - Attached to the Private Network with IP 172.16.0.3/22 4. Create the customer gateway: - - IP address: customer-gw's IP (51.15.82.244/32 in this example) + - IP address: customer-gw's IP (52.15.82.244/32 in this example) - ASN: 65000 5. Create the routing policy: @@ -143,16 +135,16 @@ Both networks are created as different projects in the Scaleway console. The doc ``` connections { gw-gw { - local_addrs = 51.15.82.244 # customer-gw's IP - remote_addrs = 212.47.229.0 # scw-gw's IP + local_addrs = 52.15.82.244 # customer-gw's IP + remote_addrs = xxx.47.229.0 # scw-gw's IP local { auth = psk - id = 51.15.82.244 + id = 52.15.82.244 } remote { auth = psk - id = 51.15.82.244 + id = 52.15.82.244 } children { net-net { @@ -178,7 +170,7 @@ Both networks are created as different projects in the Scaleway console. The doc secrets { ike-scaleway-psk { - id = 51.15.82.244 + id = xxx.15.82.244 secret = "*****" # PSK available from Scaleway's console, in "Security & Identity -> Secret Manager" } } 
@@ -194,7 +186,7 @@ Both networks are created as different projects in the Scaleway console. The doc At this point: - The S2S VPN connection should have a green status in Scaleway console - Both the "Tunnel via IPv4" and the BGP session should be OK -- From customer-gw, you can ping scw-gw using its BGP session's IP (169.254.0.6 in this case) +- From customer-gw, you can ping scw-gw using its BGP session's IP (xxx.254.0.6 in this case) - We cannot ping scw-gw using its private IP (172.16.0.3) because BGP routes are not yet exchanged ### Exchange routes via BGP From a721895e07eed7df3ec6f6fae9ab13ad0000f244 Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Tue, 7 Apr 2026 14:06:28 +0200 Subject: [PATCH 04/16] docs(s2svpn): update --- tutorials/s2s-vpn-strongswan/index.mdx | 33 ++++++++++++++++---------- 1 file changed, 20 insertions(+), 13 deletions(-) diff --git a/tutorials/s2s-vpn-strongswan/index.mdx b/tutorials/s2s-vpn-strongswan/index.mdx index 2e9e996eaf..f196d3fb7c 100644 --- a/tutorials/s2s-vpn-strongswan/index.mdx +++ b/tutorials/s2s-vpn-strongswan/index.mdx 
@@ -17,7 +17,25 @@ ecosystem: import Requirements from '@macros/iam/requirements.mdx' -In this tutorial, you will learn how to establish a secure connection between two private networks using Scaleway Site-to-Site VPN with strongSwan. You will create a VPN connection between a Scaleway Instance attached to a Private Network, and a customer virtual server, located in a distinct network, enabling communication between the two resources. +In this tutorial, you will learn how to establish a secure connection between two private networks using Scaleway Site-to-Site VPN and strongSwan. + +You will create two Projects in the [Scaleway console](https://console.scaleway.com/), called **Customer Project** and **Scaleway Project**. + +The **Customer Project** will act as the customer infrastructure holdng , and will contain the following resources: + +- A Private Network within a VPC +- A first Instance, acting as a a customer server +- A second Instance, acting as a customer gateway that will hold the BGB and stronSwan configurations + +The **Scaleway Project** will contain the following resources + +- A Private Network within a VPC +- An Instance that we will reach from the customer server +- A Site-to-site VPN to handle traffic between the two networks + + +BGP does not allow routing between devices with the same ASN. We will therefore assign a private ASN (`65000`) to the customer gateway. + This tutorial is intended for demonstration and testing purposes, and may not be adapted to specific production environments. 
@@ -30,23 +48,12 @@ This tutorial is intended for demonstration and testing purposes, and may not be ## Overview of the setup -### Network 2 (Customer side) - -- Private Network: 176.16.0.0/22 -- Gateway instance (Debian running strongSwan): customer-gw -- Private server instance (without public IP address): customer-srv - -## About ASNs - -Both networks are created as different projects in the Scaleway console. The documentation and interface warn about it not being possible due to BGP limitation to route between different ASs. This limitation is worked around by attributing a private ASN (65000) to the customer's gateway. +## Setting up the Customer Project ## Setting up the Scaleway Project ### Setting up the Instance and Private Network -This section will guide you through the creation of the required Scaleway resources. -For safety reasons, we recommend creating resources in a dedicated Scaleway Project. - 1. [Create a new VPC](/vpc/how-to/create-vpc/) in the desired region. 2. [Create a new Private Network](/vpc/how-to/create-private-network/) within the VPC you just created. Define a custom IPv4 CIDR block with range `172.16.0.0/22`. From 408dba2803a9bff7410a4d5c5c6208a11be56530 Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Tue, 7 Apr 2026 15:02:22 +0200 Subject: [PATCH 05/16] docs(s2svpn): update --- tutorials/s2s-vpn-strongswan/index.mdx | 40 +++++++++++++++++--------- 1 file changed, 27 insertions(+), 13 deletions(-) diff --git a/tutorials/s2s-vpn-strongswan/index.mdx b/tutorials/s2s-vpn-strongswan/index.mdx index f196d3fb7c..8f35f5f11a 100644 --- a/tutorials/s2s-vpn-strongswan/index.mdx +++ b/tutorials/s2s-vpn-strongswan/index.mdx 
@@ -46,15 +46,31 @@ This tutorial is intended for demonstration and testing purposes, and may not be - Two separate Scaleway Projects (one for Scaleway side, one for customer side) - Basic knowledge of VPC and Private Network concepts -## Overview of the setup - ## Setting up the Customer Project +1. In the Scaleway Console, create a new Project called "Customer Project". + +2. [Create a new VPC](/vpc/how-to/create-vpc/) in the desired region. + +3. [Create a new Private Network](/vpc/how-to/create-private-network/) within the VPC you just created. Define a custom IPv4 CIDR block with the range `172.16.16.0/22`. + +4. [Create a Scaleway Instance](/instances/how-to/create-an-instance/) with the parameters below. It will serve as the customer gateway. + - Same region as the previously created Private Network + - Debian OS image + - Public IPv4 connectivity + - Attached to the previously created Private Network + +5. [Create a Scaleway Instance](/instances/how-to/create-an-instance/) with the parameters below. It will serve as the customer server. + - Same region as the previously created Private Network + - Debian OS image + - No public IPv4/IPv6 connectivity + - Attached to the previously created Private Network + ## Setting up the Scaleway Project ### Setting up the Instance and Private Network -1. [Create a new VPC](/vpc/how-to/create-vpc/) in the desired region. +1. [Create a new VPC](/vpc/how-to/create-vpc/) in the same region as the VPC in the customer Project. 2. [Create a new Private Network](/vpc/how-to/create-private-network/) within the VPC you just created. Define a custom IPv4 CIDR block with range `172.16.0.0/22`. 
@@ -68,19 +84,17 @@ This tutorial is intended for demonstration and testing purposes, and may not be ### Configuring Site-to-Site VPN -### Setup the "scw" project - -1. Create a VPC containing only one Private Network (Advanced -> custom IP block: 172.16.0.0/22) +1. Access **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. -3. Create the VPN gateway scw-gw: - - Public IP address (212.47.229.0 in this example, adapt to your IP) - - Attached to the Private Network with IP 172.16.0.3/22 +3. [Create a VPN gateway](/site-to-site-vpn/how-to/create-manage-vpn-gateway/) with the following parameters: + - Public IP address + - Attached to the Private Network with the IP `172.16.0.3/22` -4. Create the customer gateway: - - IP address: customer-gw's IP (52.15.82.244/32 in this example) +4. [Create a customer gateway](/site-to-site-vpn/how-to/create-manage-customer-gateway/) with the following parameters: + - IP address: same as the actual customer gateway created earlier - ASN: 65000 -5. Create the routing policy: +5. [Create a routing policy](/site-to-site-vpn/how-to/create-manage-customer-gateway/) with the following parameters: - IPv4 - Incoming whitelist: 172.16.16.0/22 - Outgoing whitelist: 172.16.0.0/22 (or set both to 0.0.0.0/0 for maximum flexibility) @@ -89,7 +103,7 @@ This tutorial is intended for demonstration and testing purposes, and may not be - Configure with "connection Initiated by the customer gateway" - Select recommended "Security proposal": "IKE2: aes256gcm16-sha384-curve25519 - ESP: aes256gcm16" -### Setup BGP service on customer-gw +## Setting up the BGP service on the customer gateway 1. Install required packages: ```bash From c469b74759441c737fbc17da858d17116a0afdd3 Mon Sep 17 00:00:00 2001 
From: Samy OUBOUAZIZ Date: Thu, 9 Apr 2026 15:37:05 +0200 Subject: [PATCH 06/16] docs(s2svpn): update --- tutorials/s2s-vpn-strongswan/index.mdx | 93 ++++++++++++++++---------- 1 file changed, 59 insertions(+), 34 deletions(-) diff --git a/tutorials/s2s-vpn-strongswan/index.mdx b/tutorials/s2s-vpn-strongswan/index.mdx index 8f35f5f11a..4fe43add10 100644 --- a/tutorials/s2s-vpn-strongswan/index.mdx +++ b/tutorials/s2s-vpn-strongswan/index.mdx 
@@ -99,32 +99,44 @@ This tutorial is intended for demonstration and testing purposes, and may not be - Incoming whitelist: 172.16.16.0/22 - Outgoing whitelist: 172.16.0.0/22 (or set both to 0.0.0.0/0 for maximum flexibility) -6. Create the connection linking everything together: - - Configure with "connection Initiated by the customer gateway" - - Select recommended "Security proposal": "IKE2: aes256gcm16-sha384-curve25519 - ESP: aes256gcm16" +6. [Create the connection](/site-to-site-vpn/how-to/create-manage-vpn-connection/) with the following parameters: + - The VPN gateway you just created + - The customer gateway you just created + - The IPv4 routing policy you just created + - Connection "Initiated by the customer gateway" + - Security proposal: "IKE2: aes256gcm-sha384-curve25519 - ESP: aes256gcm" -## Setting up the BGP service on the customer gateway +The Site-to-Site VPN setup is now complete. You can check its status from the **Overview** tab of the connection. + +## Setting up BGP and strongSwan on the customer gateway + +### Configuring the BGP service + +1. Log in to the customer gateway using SSH. Make sure to replace the placeholder with the appropriate value: + + ```bash + ssh root@ + ``` -1. Install required packages: - ```bash - apt-get install frr frr-pythontools - ``` -2. In `/etc/frr/daemons`, set `bgpd=yes` +1. Install the required packages: -3. Create `/etc/frr/frr.conf` with the following content: + ```bash + apt-get install frr frr-pythontools + ``` + +2. Access the `/etc/frr/daemons` file, and set the `bgpd=yes` parameter. + +3. Create the `/etc/frr/frr.conf` file, and add the following content to it: + ``` log syslog informational ! 
router bgp 65000 - # Example values: - # 169.254.0.7: "Interconnection subnet" IP in Scaleway console -> connection overview -> BGP session - # 169.254.0.6: The other IP in the same subnet as above - # 172.16.16.0/22: The subnet this server (customer-gw) serves - bgp router-id 169.254.0.7 - neighbor 169.254.0.6 remote-as 12876 - neighbor 169.254.0.6 description TransitProvider + bgp router-id 169.254.0.7 # BGP session IPv4 Interconnection subnet + neighbor 169.254.0.6 remote-as 12876 # Other IP from the subnet specified above + neighbor 169.254.0.6 description TransitProvider # Other IP from the subnet specified above ! address-family ipv4 unicast #network 172.16.16.0/22 # let commented to announce all your routes, uncomment to select the routes to announce 
@@ -133,31 +145,43 @@ This tutorial is intended for demonstration and testing purposes, and may not be ! ``` -4. Restart FRR service: +4. Run the following command to restart the `frr` service: + ```bash systemctl restart frr ``` -### Setup strongSwan on customer-gw +The BGP service is now configured on the customer gateway. + +### Setting up strongSwan on the customer gateway + +1. Log in to the customer gateway using SSH. Make sure to replace the placeholder with the appropriate value: + + ```bash + ssh root@ + ``` + +1. Run the following commands to create an XFRM interface to tag the BGP session's packets: -1. Create an XFRM interface to tag BGP session's packets: ```bash ip link add type xfrm if_id 1 dev ens2 ip addr add 169.254.0.7/31 dev xfrm0 ip link set xfrm0 up ``` -2. Install strongSwan packages: +2. Run the following command to install the required strongSwan packages: + ```bash apt-get install strongswan strongswan-pki libstrongswan-standard-plugins libstrongswan-extra-plugins strongswan-libcharon ``` -3. Create `/etc/swanctl/conf.d/moon.conf`: +3. Create the `/etc/swanctl/conf.d/moon.conf` file, and add the content below to it. Make sure to replace the placeholders with the appropriate values: + ``` connections { gw-gw { - local_addrs = 52.15.82.244 # customer-gw's IP - remote_addrs = xxx.47.229.0 # scw-gw's IP + local_addrs = + remote_addrs = local { auth = psk 
@@ -179,25 +203,26 @@ This tutorial is intended for demonstration and testing purposes, and may not be rekey_time = 5400 rekey_bytes = 500000000 rekey_packets = 1000000 - esp_proposals = aes256gcm16 # Copy the ESP part of your connection's "Security proposal" + esp_proposals = aes256gcm # Copy the ESP part of your connection's "Security proposal" } } version = 2 mobike = no reauth_time = 10800 - proposals = aes256gcm16-sha384-curve25519 # Copy the IKE part of your connection's "Security proposal" + proposals = aes256gcm-sha384-curve25519 # Copy the IKE part of your connection's "Security proposal" } } secrets { ike-scaleway-psk { id = xxx.15.82.244 - secret = "*****" # PSK available from Scaleway's console, in "Security & Identity -> Secret Manager" + secret = "" # PSK available in Secret Manager in the Scaleway console } } ``` -4. Load configurations and initiate connection: +4. Run the commands below to load the strongSwan configuration and initiate the connection: + ```bash swanctl --load-conns swanctl --load-creds @@ -205,12 +230,12 @@ This tutorial is intended for demonstration and testing purposes, and may not be ``` At this point: -- The S2S VPN connection should have a green status in Scaleway console -- Both the "Tunnel via IPv4" and the BGP session should be OK -- From customer-gw, you can ping scw-gw using its BGP session's IP (xxx.254.0.6 in this case) -- We cannot ping scw-gw using its private IP (172.16.0.3) because BGP routes are not yet exchanged +- The Site-to-Site VPN connection status is **Active** in the Scaleway console. +- Both the "Tunnel via IPv4" and the BGP session are up. +- You can ping the Scaleway gateway from the customer gateway using its BGP session's IP. +- You cannot ping scw-gw using its private IP (172.16.0.3) because the BGP routes are not yet exchanged. -### Exchange routes via BGP +### Exchanging routes via BGP 1. In the Scaleway console, activate "Route propagation" in the S2S VPN connection 
@@ -258,7 +283,7 @@ At this point: - We can ping scw-gw and scw-srv from customer-gw - We cannot ping scw-* from customer-srv because it is missing gateway configuration -### Setup a gateway in customer network +### Setting up a gateway in the customer Private Network 1. On customer-gw, activate packet forwarding: ```bash From 4ff51d009ee184642e58301b23185e85c1cdb61a Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Thu, 9 Apr 2026 16:02:09 +0200 Subject: [PATCH 07/16] docs(s2svpn): update --- tutorials/s2s-vpn-strongswan/index.mdx | 256 +++++++++++++------------ 1 file changed, 129 insertions(+), 127 deletions(-) diff --git a/tutorials/s2s-vpn-strongswan/index.mdx b/tutorials/s2s-vpn-strongswan/index.mdx index 4fe43add10..87ffff6796 100644 --- a/tutorials/s2s-vpn-strongswan/index.mdx +++ b/tutorials/s2s-vpn-strongswan/index.mdx @@ -74,7 +74,7 @@ This tutorial is intended for demonstration and testing purposes, and may not be 2. [Create a new Private Network](/vpc/how-to/create-private-network/) within the VPC you just created. Define a custom IPv4 CIDR block with range `172.16.0.0/22`. -3. [Create a Scaleway Instance](/instances/how-to/create-an-instance/) with the following parameters: +3. [Create a Scaleway Instance](/instances/how-to/create-an-instance/) with the parameters below. It will serve as the Scaleway server: - Same region as the previously created Private Network - Debian OS image - No public IPv4 connectivity 
@@ -129,27 +129,27 @@ The Site-to-Site VPN setup is now complete. You can check its status from the ** 3. Create the `/etc/frr/frr.conf` file, and add the following content to it: - ``` - log syslog informational - - ! - router bgp 65000 - bgp router-id 169.254.0.7 # BGP session IPv4 Interconnection subnet - neighbor 169.254.0.6 remote-as 12876 # Other IP from the subnet specified above - neighbor 169.254.0.6 description TransitProvider # Other IP from the subnet specified above + ``` + log syslog informational + + ! + router bgp 65000 + bgp router-id 169.254.0.7 # BGP session IPv4 Interconnection subnet + neighbor 169.254.0.6 remote-as 12876 # Other IP from the subnet specified above + neighbor 169.254.0.6 description TransitProvider # Other IP from the subnet specified above + ! + address-family ipv4 unicast + #network 172.16.16.0/22 # let commented to announce all your routes, uncomment to select the routes to announce + redistribute connected + exit-address-family ! - address-family ipv4 unicast - #network 172.16.16.0/22 # let commented to announce all your routes, uncomment to select the routes to announce - redistribute connected - exit-address-family - ! - ``` + ``` 4. Run the following command to restart the `frr` service: - ```bash - systemctl restart frr - ``` + ```bash + systemctl restart frr + ``` The BGP service is now configured on the customer gateway. 
@@ -163,71 +163,71 @@ The BGP service is now configured on the customer gateway. 1. Run the following commands to create an XFRM interface to tag the BGP session's packets: - ```bash - ip link add type xfrm if_id 1 dev ens2 - ip addr add 169.254.0.7/31 dev xfrm0 - ip link set xfrm0 up - ``` + ```bash + ip link add type xfrm if_id 1 dev ens2 + ip addr add 169.254.0.7/31 dev xfrm0 + ip link set xfrm0 up + ``` 2. Run the following command to install the required strongSwan packages: - ```bash - apt-get install strongswan strongswan-pki libstrongswan-standard-plugins libstrongswan-extra-plugins strongswan-libcharon - ``` + ```bash + apt-get install strongswan strongswan-pki libstrongswan-standard-plugins libstrongswan-extra-plugins strongswan-libcharon + ``` 3. Create the `/etc/swanctl/conf.d/moon.conf` file, and add the content below to it. Make sure to replace the placeholders with the appropriate values: - ``` - connections { - gw-gw { - local_addrs = - remote_addrs = - - local { - auth = psk - id = 52.15.82.244 - } - remote { - auth = psk - id = 52.15.82.244 - } - children { - net-net { - local_ts = 0.0.0.0/0 - remote_ts = 0.0.0.0/0 - - if_id_in = 1 - if_id_out = 1 - - updown = /usr/lib/ipsec/_updown - rekey_time = 5400 - rekey_bytes = 500000000 - rekey_packets = 1000000 - esp_proposals = aes256gcm # Copy the ESP part of your connection's "Security proposal" - } - } - version = 2 - mobike = no - reauth_time = 10800 - proposals = aes256gcm-sha384-curve25519 # Copy the IKE part of your connection's "Security proposal" - } - } - - secrets { - ike-scaleway-psk { - id = xxx.15.82.244 - secret = "" # PSK available in Secret Manager in the Scaleway console - } - } - ``` + ``` + connections { + gw-gw { + local_addrs = + remote_addrs = + + local { + auth = psk + id = 52.15.82.244 + } + remote { + auth = psk + id = 52.15.82.244 + } + children { + net-net { + local_ts = 0.0.0.0/0 + remote_ts = 0.0.0.0/0 + + if_id_in = 1 + if_id_out = 1 + + updown = /usr/lib/ipsec/_updown + 
rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes256gcm # Copy the ESP part of your connection's "Security proposal" + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes256gcm-sha384-curve25519 # Copy the IKE part of your connection's "Security proposal" + } + } + + secrets { + ike-scaleway-psk { + id = xxx.15.82.244 + secret = "" # PSK available in Secret Manager in the Scaleway console + } + } + ``` 4. Run the commands below to load the strongSwan configuration and initiate the connection: - ```bash - swanctl --load-conns - swanctl --load-creds - swanctl --initiate --child net-net - ``` + ```bash + swanctl --load-conns + swanctl --load-creds + swanctl --initiate --child net-net + ``` At this point: - The Site-to-Site VPN connection status is **Active** in the Scaleway console. 
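Review bot: the `local` and `remote` blocks of `gw-gw` both set `id = 52.15.82.244`, while the `secrets` entry uses `id = xxx.15.82.244` and the earlier part of the tutorial used 51.15.82.244 for the customer gateway; the local ID must be the customer gateway's public IP, the remote ID the Scaleway VPN gateway's public IP, and the PSK `id` must match one of those identities, since strongSwan selects the pre-shared key by identity (PATCH 09/16 replaces all three with placeholders, which is the right fix, but the prose should say which IP goes where). Three smaller points on the same hunk: `ip link add type xfrm if_id 1 dev ens2` relies on the kernel auto-naming the interface `xfrm0`, so `ip link add xfrm0 type xfrm if_id 1 dev ens2` is more robust; with `local_ts` and `remote_ts` set to `0.0.0.0/0` on an XFRM-interface (route-based) setup the tutorial should set `charon.install_routes = no` in `strongswan.conf`, otherwise charon installs its own routes for the 0/0 selector in routing table 220 next to the BGP-learned ones; and the AEAD keyword `aes256gcm` should be checked against the installed strongSwan version, since the documented proposal keywords carry the ICV length (`aes256gcm16`).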
@@ -237,65 +237,67 @@ At this point: ### Exchanging routes via BGP -1. In the Scaleway console, activate "Route propagation" in the S2S VPN connection - -2. Modify `/etc/frr/frr.conf` to add prefix lists and route maps: - ``` - log syslog informational - - ! - ip prefix-list PROV_1_IN seq 10 permit 172.16.0.0/22 - ip prefix-list PROV_1_OUT seq 10 permit any - ! - route-map PROV_1_IN permit 10 - match ip address prefix-list PROV_1_IN - exit - ! - route-map PROV_1_OUT permit 10 - match ip address prefix-list PROV_1_OUT - exit - ! - router bgp 65000 - # Example values: - # 169.254.0.7: "Interconnection subnet" IP in Scaleway console -> connection overview -> BGP session - # 169.254.0.6: The other IP in the same subnet as above - # 172.16.16.0/22: The subnet this server (customer-gw) serves - bgp router-id 169.254.0.7 - neighbor 169.254.0.6 remote-as 12876 - neighbor 169.254.0.6 description TransitProvider +1. Activate "Route propagation" for your Site-to-Site VPN connection in the Scaleway console. + +2. Update the `/etc/frr/frr.conf` file in the customer gateway to add prefix lists and route maps: + ``` + log syslog informational + ! - address-family ipv4 unicast - #network 172.16.16.0/22 # let commented to announce all your routes, uncomment to select the routes to announce - redistribute connected - neighbor 169.254.0.6 route-map PROV_1_IN in - neighbor 169.254.0.6 route-map PROV_1_OUT out - exit-address-family - ! - ``` - -3. Restart FRR service: - ```bash - systemctl restart frr - ``` + ip prefix-list PROV_1_IN seq 10 permit 172.16.0.0/22 + ip prefix-list PROV_1_OUT seq 10 permit any + ! + route-map PROV_1_IN permit 10 + match ip address prefix-list PROV_1_IN + exit + ! + route-map PROV_1_OUT permit 10 + match ip address prefix-list PROV_1_OUT + exit + ! 
+ router bgp 65000 + # Example values: + # 169.254.0.7: "Interconnection subnet" IP in Scaleway console -> connection overview -> BGP session + # 169.254.0.6: The other IP in the same subnet as above + # 172.16.16.0/22: The subnet this server (customer-gw) serves + bgp router-id 169.254.0.7 + neighbor 169.254.0.6 remote-as 12876 + neighbor 169.254.0.6 description TransitProvider + ! + address-family ipv4 unicast + #network 172.16.16.0/22 # let commented to announce all your routes, uncomment to select the routes to announce + redistribute connected + neighbor 169.254.0.6 route-map PROV_1_IN in + neighbor 169.254.0.6 route-map PROV_1_OUT out + exit-address-family + ! + ``` + +4. Run the following command to restart the `frr` service: + + ```bash + systemctl restart frr + ``` At this point: -- On customer-gw, `ip route` shows the new route for 172.16.0.0/22 subnet -- We can ping scw-gw and scw-srv from customer-gw -- We cannot ping scw-* from customer-srv because it is missing gateway configuration +- In the customer gateway, the `ip route` command shows the new route for the `172.16.0.0/22` subnet. +- You can ping the VPN gateway and Scaleway server from the customer gateway. +- you cannot ping resources in the Scaleway Project from the customer server yet, because it misses the gateway configuration. + +### Setting up the gateway in the customer Private Network + +1. In the customer gateway, run the following command to enable packet forwarding: -### Setting up a gateway in the customer Private Network + ```bash + sysctl -w net.ipv4.ip_forward=1 + ``` -1. On customer-gw, activate packet forwarding: - ```bash - sysctl -w net.ipv4.ip_forward=1 - ``` +2. In the customer server, run the following command to add the route that gateway: -2. 
On customer-srv, add the route using the gateway: - ```bash - ip route add 172.16.0.0/22 via 172.16.16.2 - ``` + ```bash + ip route add 172.16.0.0/22 via 172.16.16.2 + ``` At this point: - Everything works as expected, we can ping a private server from the other -- Test it by connecting to customer-srv and issuing `ping 172.16.0.2` -- Congratulations! \ No newline at end of file +- Test it by connecting to customer-srv and issuing `ping 172.16.0.2` \ No newline at end of file From 5a3007d7ffd4769cdcd7eb14af0a3eec7b7e4678 Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Thu, 9 Apr 2026 16:06:34 +0200 Subject: [PATCH 08/16] docs(s2svpn): update --- tutorials/s2s-vpn-strongswan/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tutorials/s2s-vpn-strongswan/index.mdx b/tutorials/s2s-vpn-strongswan/index.mdx index 87ffff6796..cb0e7b7743 100644 --- a/tutorials/s2s-vpn-strongswan/index.mdx +++ b/tutorials/s2s-vpn-strongswan/index.mdx @@ -233,7 +233,7 @@ At this point: - The Site-to-Site VPN connection status is **Active** in the Scaleway console. - Both the "Tunnel via IPv4" and the BGP session are up. - You can ping the Scaleway gateway from the customer gateway using its BGP session's IP. -- You cannot ping scw-gw using its private IP (172.16.0.3) because the BGP routes are not yet exchanged. +- You cannot ping scw-gw using its private IP (`172.16.0.3`) because the BGP routes are not yet exchanged. ### Exchanging routes via BGP From 8657a290abc1bd33e307c4cc04cba7e649518f65 Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Fri, 10 Apr 2026 14:59:09 +0200 Subject: [PATCH 09/16] docs(pgw): update --- tutorials/s2s-vpn-strongswan/index.mdx | 63 ++++++++++++-------------- 1 file changed, 28 insertions(+), 35 deletions(-) diff --git a/tutorials/s2s-vpn-strongswan/index.mdx b/tutorials/s2s-vpn-strongswan/index.mdx index cb0e7b7743..1307c4fb37 100644 --- a/tutorials/s2s-vpn-strongswan/index.mdx +++ b/tutorials/s2s-vpn-strongswan/index.mdx 
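Review bot: `ip prefix-list PROV_1_OUT seq 10 permit any` together with `redistribute connected` lets customer-gw advertise every connected route to the Scaleway side, including the public interface's subnet and the `169.254.0.6/31` session link; restrict the outbound list to `172.16.16.0/22` so the gateway only announces the customer Private Network (the inbound list already does this for `172.16.0.0/22`). Also, `sysctl -w net.ipv4.ip_forward=1` on customer-gw and `ip route add 172.16.0.0/22 via 172.16.16.2` on customer-srv are lost at reboot, as is the XFRM interface from the previous section; a sentence pointing to `/etc/sysctl.d/` and to the Instance's network configuration for persistence would save readers a surprise.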
@@ -21,16 +21,16 @@ In this tutorial, you will learn how to establish a secure connection between tw You will create two Projects in the [Scaleway console](https://console.scaleway.com/), called **Customer Project** and **Scaleway Project**. -The **Customer Project** will act as the customer infrastructure holdng , and will contain the following resources: +The **Customer Project** will act as the customer infrastructure, and will contain the following resources: - A Private Network within a VPC -- A first Instance, acting as a a customer server -- A second Instance, acting as a customer gateway that will hold the BGB and stronSwan configurations +- A first Instance, acting as a customer server +- A second Instance, acting as a customer gateway that will hold the BGP and strongSwan configurations -The **Scaleway Project** will contain the following resources +The **Scaleway Project** will contain the following resources: - A Private Network within a VPC -- An Instance that we will reach from the customer server +- An Instance that will be reached from the customer server - A Site-to-site VPN to handle traffic between the two networks @@ -48,7 +48,7 @@ This tutorial is intended for demonstration and testing purposes, and may not be ## Setting up the Customer Project -1. In the Scaleway Console, create a new Project called "Customer Project". +1. In the Scaleway console, create a new Project called "Customer Project". 2. [Create a new VPC](/vpc/how-to/create-vpc/) in the desired region. 
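Review bot: "A Site-to-site VPN to handle traffic" in the Scaleway Project list uses a different capitalisation from "Site-to-Site VPN" everywhere else in the file; align it. The typo fixes in this hunk (holdng, a a, BGB, stronSwan) and the missing colon look good.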
@@ -86,20 +86,20 @@ This tutorial is intended for demonstration and testing purposes, and may not be 1. Access **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. -3. [Create a VPN gateway](/site-to-site-vpn/how-to/create-manage-vpn-gateway/) with the following parameters: +2. [Create a VPN gateway](/site-to-site-vpn/how-to/create-manage-vpn-gateway/) with the following parameters: - Public IP address - Attached to the Private Network with the IP `172.16.0.3/22` -4. [Create a customer gateway](/site-to-site-vpn/how-to/create-manage-customer-gateway/) with the following parameters: +3. [Create a customer gateway](/site-to-site-vpn/how-to/create-manage-customer-gateway/) with the following parameters: - IP address: same as the actual customer gateway created earlier - ASN: 65000 -5. [Create a routing policy](/site-to-site-vpn/how-to/create-manage-customer-gateway/) with the following parameters: +4. [Create a routing policy](/site-to-site-vpn/how-to/create-manage-customer-gateway/) with the following parameters: - IPv4 - Incoming whitelist: 172.16.16.0/22 - Outgoing whitelist: 172.16.0.0/22 (or set both to 0.0.0.0/0 for maximum flexibility) -6. [Create the connection](/site-to-site-vpn/how-to/create-manage-vpn-connection/) with the following parameters: +5. [Create the connection](/site-to-site-vpn/how-to/create-manage-vpn-connection/) with the following parameters: - The VPN gateway you just created - The customer gateway you just created - The IPv4 routing policy you just created 
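Review bot: the renumbering fixes the 1-to-3 jump, but step 4 (routing policy) still links to `/site-to-site-vpn/how-to/create-manage-customer-gateway/`, the same page as step 3; it should link to the routing-policy how-to. Step 3's "IP address: same as the actual customer gateway created earlier" is also ambiguous; say "the public IP address of the customer gateway Instance".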
@@ -119,15 +119,15 @@ The Site-to-Site VPN setup is now complete. You can check its status from the ** ``` -1. Install the required packages: +2. Install the required packages: ```bash apt-get install frr frr-pythontools ``` -2. Access the `/etc/frr/daemons` file, and set the `bgpd=yes` parameter. +3. Access the `/etc/frr/daemons` file, and set the `bgpd=yes` parameter. -3. Create the `/etc/frr/frr.conf` file, and add the following content to it: +4. Create the `/etc/frr/frr.conf` file, and add the following content to it: ``` log syslog informational @@ -145,7 +145,7 @@ The Site-to-Site VPN setup is now complete. You can check its status from the ** ! ``` -4. Run the following command to restart the `frr` service: +5. Run the following command to restart the `frr` service: ```bash systemctl restart frr @@ -161,7 +161,7 @@ The BGP service is now configured on the customer gateway. ssh root@ ``` -1. Run the following commands to create an XFRM interface to tag the BGP session's packets: +2. Run the following commands to create an XFRM interface to tag the BGP session's packets: ```bash ip link add type xfrm if_id 1 dev ens2 @@ -169,13 +169,13 @@ The BGP service is now configured on the customer gateway. ip link set xfrm0 up ``` -2. Run the following command to install the required strongSwan packages: +3. Run the following command to install the required strongSwan packages: ```bash apt-get install strongswan strongswan-pki libstrongswan-standard-plugins libstrongswan-extra-plugins strongswan-libcharon ``` -3. Create the `/etc/swanctl/conf.d/moon.conf` file, and add the content below to it. Make sure to replace the placeholders with the appropriate values: +4. Create the `/etc/swanctl/conf.d/moon.conf` file, and add the content below to it. Make sure to replace the placeholders with the appropriate values: ``` connections { 
@@ -185,11 +185,11 @@ The BGP service is now configured on the customer gateway. local { auth = psk - id = 52.15.82.244 + id = } remote { auth = psk - id = 52.15.82.244 + id = } children { net-net { @@ -215,13 +215,13 @@ The BGP service is now configured on the customer gateway. secrets { ike-scaleway-psk { - id = xxx.15.82.244 + id = secret = "" # PSK available in Secret Manager in the Scaleway console } } ``` -4. Run the commands below to load the strongSwan configuration and initiate the connection: +5. Run the commands below to load the strongSwan configuration and initiate the connection: ```bash swanctl --load-conns @@ -229,11 +229,7 @@ The BGP service is now configured on the customer gateway. swanctl --initiate --child net-net ``` -At this point: -- The Site-to-Site VPN connection status is **Active** in the Scaleway console. -- Both the "Tunnel via IPv4" and the BGP session are up. -- You can ping the Scaleway gateway from the customer gateway using its BGP session's IP. -- You cannot ping scw-gw using its private IP (`172.16.0.3`) because the BGP routes are not yet exchanged. +The Site-to-Site VPN connection status is **Active** in the Scaleway console, both the "Tunnel via IPv4" and the BGP session are up. You can ping the Scaleway gateway from the customer gateway using its BGP session's IP, however you cannot ping scw-gw using its private IP (`172.16.0.3`) because the BGP routes are not yet exchanged. ### Exchanging routes via BGP 
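Review bot: collapsing the "At this point" checklist into one paragraph produces a comma splice ("**Active** in the Scaleway console, both the "Tunnel via IPv4" and the BGP session are up"); either keep the bullet list, which reads better as a verification checklist, or join the clauses with "and". The paragraph also still refers to `scw-gw`, a name the rewritten text no longer introduces (PATCH 12/16 changes it to "the Scaleway gateway").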
@@ -273,16 +269,15 @@ At this point: ! ``` -4. Run the following command to restart the `frr` service: +3. Run the following command to restart the `frr` service: ```bash systemctl restart frr ``` -At this point: -- In the customer gateway, the `ip route` command shows the new route for the `172.16.0.0/22` subnet. -- You can ping the VPN gateway and Scaleway server from the customer gateway. -- you cannot ping resources in the Scaleway Project from the customer server yet, because it misses the gateway configuration. +3. run the `ip route` command. The new route `172.16.0.0/22` should appear in the list. + +You can ping the VPN gateway and Scaleway server from the customer gateway, however you cannot ping resources in the Scaleway Project from the customer server yet, because the gateway is must be configured beforehand. ### Setting up the gateway in the customer Private Network @@ -292,12 +287,10 @@ At this point: sysctl -w net.ipv4.ip_forward=1 ``` -2. In the customer server, run the following command to add the route that gateway: +2. In the customer server, run the following command to add the route via the gateway: ```bash ip route add 172.16.0.0/22 via 172.16.16.2 ``` -At this point: -- Everything works as expected, we can ping a private server from the other -- Test it by connecting to customer-srv and issuing `ping 172.16.0.2` \ No newline at end of file +The Scaleway server is now reachable from the customer infrastructure via the Site-to-Site VPN. You can test the connection by running the `ping 172.16.0.2` command from the customer server. \ No newline at end of file From 0782591b05b50f49621f5cb17de6742b8edd5293 Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Mon, 13 Apr 2026 17:31:44 +0200 Subject: [PATCH 10/16] docs(s2svpn): update --- tutorials/s2s-vpn-strongswan/index.mdx | 26 +++++++++++--------------- 1 file changed, 11 insertions(+), 15 deletions(-) 
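Review bot: the @@ -273 hunk now has two steps numbered 3 ("3. Run the following command to restart the `frr` service" and "3. run the `ip route` command"), the second starting lower-case, and the new sentence reads "because the gateway is must be configured beforehand". PATCH 14/16 fixes all three, so squashing would keep the history clean; either way the `ip route` check belongs in the numbered list as step 4.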
diff --git a/tutorials/s2s-vpn-strongswan/index.mdx b/tutorials/s2s-vpn-strongswan/index.mdx index 1307c4fb37..001d3b64a2 100644 --- a/tutorials/s2s-vpn-strongswan/index.mdx +++ b/tutorials/s2s-vpn-strongswan/index.mdx @@ -134,9 +134,9 @@ The Site-to-Site VPN setup is now complete. You can check its status from the ** ! router bgp 65000 - bgp router-id 169.254.0.7 # BGP session IPv4 Interconnection subnet - neighbor 169.254.0.6 remote-as 12876 # Other IP from the subnet specified above - neighbor 169.254.0.6 description TransitProvider # Other IP from the subnet specified above + bgp router-id # your IP in the BGP session - see connection overview in the Scaleway console + neighbor remote-as 12876 # the other IP in the BGP session + neighbor description TransitProvider ! address-family ipv4 unicast #network 172.16.16.0/22 # let commented to announce all your routes, uncomment to select the routes to announce @@ -165,7 +165,7 @@ The BGP service is now configured on the customer gateway. ```bash ip link add type xfrm if_id 1 dev ens2 - ip addr add 169.254.0.7/31 dev xfrm0 + ip addr add /31 dev xfrm0 ip link set xfrm0 up ``` 
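Review bot: the placeholders that replace `169.254.0.7` and `169.254.0.6` in the `bgp router-id`, `neighbor ... remote-as 12876` and `neighbor ... description TransitProvider` lines, and in `ip addr add /31 dev xfrm0`, do not show up at all in this rendering of the diff; confirm they render literally inside the MDX code fences (angle-bracket tokens outside inline code are parsed as JSX). The `#network 172.16.16.0/22` line in the same block keeps its hard-coded value while its neighbours became placeholders; PATCH 12/16 catches that, so consider folding it in here.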
@@ -252,19 +252,15 @@ The Site-to-Site VPN connection status is **Active** in the Scaleway console, bo exit ! router bgp 65000 - # Example values: - # 169.254.0.7: "Interconnection subnet" IP in Scaleway console -> connection overview -> BGP session - # 169.254.0.6: The other IP in the same subnet as above - # 172.16.16.0/22: The subnet this server (customer-gw) serves - bgp router-id 169.254.0.7 - neighbor 169.254.0.6 remote-as 12876 - neighbor 169.254.0.6 description TransitProvider + bgp router-id + neighbor remote-as 12876 + neighbor description TransitProvider ! address-family ipv4 unicast #network 172.16.16.0/22 # let commented to announce all your routes, uncomment to select the routes to announce redistribute connected - neighbor 169.254.0.6 route-map PROV_1_IN in - neighbor 169.254.0.6 route-map PROV_1_OUT out + neighbor route-map PROV_1_IN in + neighbor route-map PROV_1_OUT out exit-address-family ! ``` @@ -290,7 +286,7 @@ You can ping the VPN gateway and Scaleway server from the customer gateway, howe 2. In the customer server, run the following command to add the route via the gateway: ```bash - ip route add 172.16.0.0/22 via 172.16.16.2 + ip route add 172.16.0.0/22 via ``` -The Scaleway server is now reachable from the customer infrastructure via the Site-to-Site VPN. You can test the connection by running the `ping 172.16.0.2` command from the customer server. \ No newline at end of file +The Scaleway server is now reachable from the customer infrastructure via the Site-to-Site VPN. You can test the connection by running the `ping ` command from the customer server. \ No newline at end of file From 6d9d1add7766f09cf118232e40ab3076fd67a0c1 Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Tue, 14 Apr 2026 14:26:57 +0200 Subject: [PATCH 11/16] docs(s2svpn): update --- tutorials/s2s-vpn-strongswan/index.mdx | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) 
diff --git a/tutorials/s2s-vpn-strongswan/index.mdx b/tutorials/s2s-vpn-strongswan/index.mdx index 001d3b64a2..3a75845d03 100644 --- a/tutorials/s2s-vpn-strongswan/index.mdx +++ b/tutorials/s2s-vpn-strongswan/index.mdx @@ -60,7 +60,7 @@ This tutorial is intended for demonstration and testing purposes, and may not be - Public IPv4 connectivity - Attached to the previously created Private Network -5. [Create a Scaleway Instance](/instances/how-to/create-an-instance/) with the parameters below. It will serve as the customer server. +5. [Create another Scaleway Instance](/instances/how-to/create-an-instance/) with the parameters below. It will serve as the customer server. - Same region as the previously created Private Network - Debian OS image - No public IPv4/IPv6 connectivity @@ -84,6 +84,10 @@ This tutorial is intended for demonstration and testing purposes, and may not be ### Configuring Site-to-Site VPN + +Make sure to create a Site-to-Site VPN tunnel in the "Scaleway project" previously created. + + 1. Access **Site-to-Site VPN** in the **Network** section of the [Scaleway console](https://console.scaleway.com) side menu. 2. [Create a VPN gateway](/site-to-site-vpn/how-to/create-manage-vpn-gateway/) with the following parameters: @@ -125,7 +129,7 @@ The Site-to-Site VPN setup is now complete. You can check its status from the ** apt-get install frr frr-pythontools ``` -3. Access the `/etc/frr/daemons` file, and set the `bgpd=yes` parameter. +3. Access the `/etc/frr/daemons` file, and set the `bgpd=no` parameter to `bgpd=yes`. 4. Create the `/etc/frr/frr.conf` file, and add the following content to it: 
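Review bot: the new sentence in the @@ -84 hunk says the "Scaleway project" while the rest of the file writes **Scaleway Project**; keep one form. The blank `+` lines around it suggest a wrapper component whose tags are not visible in this rendering, so check that it closes properly. The `bgpd=no` to `bgpd=yes` wording in the @@ -125 hunk is a clear improvement.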
@@ -134,9 +138,9 @@ The Site-to-Site VPN setup is now complete. You can check its status from the ** ! router bgp 65000 - bgp router-id # your IP in the BGP session - see connection overview in the Scaleway console - neighbor remote-as 12876 # the other IP in the BGP session - neighbor description TransitProvider + bgp router-id 169.254.0.7/31 # your IP in the BGP session - see connection overview in the Scaleway console + neighbor 169.254.0.6/31 remote-as 12876 # the other IP in the BGP session + neighbor 169.254.0.6/31 description TransitProvider ! address-family ipv4 unicast #network 172.16.16.0/22 # let commented to announce all your routes, uncomment to select the routes to announce @@ -155,7 +159,7 @@ The BGP service is now configured on the customer gateway. ### Setting up strongSwan on the customer gateway -1. Log in to the customer gateway using SSH. Make sure to replace the placeholder with the appropriate value: +1. Log in to the customer gateway using SSH if you are not already. Make sure to replace the placeholder with the appropriate value: ```bash ssh root@ From d6705b02712bdb1a2475da90e95bfb5a11a35874 Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Thu, 16 Apr 2026 15:05:36 +0200 Subject: [PATCH 12/16] docs(s2svpn): update --- tutorials/s2s-vpn-strongswan/index.mdx | 52 +++++++++++++++----------- 1 file changed, 30 insertions(+), 22 deletions(-) diff --git a/tutorials/s2s-vpn-strongswan/index.mdx b/tutorials/s2s-vpn-strongswan/index.mdx index 3a75845d03..b7058dea2c 100644 --- a/tutorials/s2s-vpn-strongswan/index.mdx +++ b/tutorials/s2s-vpn-strongswan/index.mdx 
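Review bot: `bgp router-id 169.254.0.7/31` and `neighbor 169.254.0.6/31 remote-as 12876` (and the matching `description` line) are invalid FRR syntax: `bgp router-id` takes a bare dotted-quad and `neighbor` takes a host address, so the `/31` makes `frr` reject the file on restart. The prefix length belongs only on the `ip addr add .../31 dev xfrm0` line. PATCH 12/16 reverts these to placeholders and tells readers to use the session IP "without the subnet mask", which is the right guidance, so this hunk should be dropped rather than shipped as an intermediate state.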
@@ -52,7 +52,7 @@ This tutorial is intended for demonstration and testing purposes, and may not be 2. [Create a new VPC](/vpc/how-to/create-vpc/) in the desired region. -3. [Create a new Private Network](/vpc/how-to/create-private-network/) within the VPC you just created. Define a custom IPv4 CIDR block with the range `172.16.16.0/22`. +3. [Create a new Private Network](/vpc/how-to/create-private-network/) within the VPC you just created. 4. [Create a Scaleway Instance](/instances/how-to/create-an-instance/) with the parameters below. It will serve as the customer gateway. - Same region as the previously created Private Network @@ -72,7 +72,7 @@ This tutorial is intended for demonstration and testing purposes, and may not be 1. [Create a new VPC](/vpc/how-to/create-vpc/) in the same region as the VPC in the customer Project. -2. [Create a new Private Network](/vpc/how-to/create-private-network/) within the VPC you just created. Define a custom IPv4 CIDR block with range `172.16.0.0/22`. +2. [Create a new Private Network](/vpc/how-to/create-private-network/) within the VPC you just created. 3. [Create a Scaleway Instance](/instances/how-to/create-an-instance/) with the parameters below. It will serve as the Scaleway server: - Same region as the previously created Private Network @@ -92,7 +92,7 @@ Make sure to create a Site-to-Site VPN tunnel in the "Scaleway project" previous 2. [Create a VPN gateway](/site-to-site-vpn/how-to/create-manage-vpn-gateway/) with the following parameters: - Public IP address - - Attached to the Private Network with the IP `172.16.0.3/22` + - Attached to the Private Network you just created. 3. [Create a customer gateway](/site-to-site-vpn/how-to/create-manage-customer-gateway/) with the following parameters: - IP address: same as the actual customer gateway created earlier 
@@ -100,8 +100,8 @@ Make sure to create a Site-to-Site VPN tunnel in the "Scaleway project" previous 4. [Create a routing policy](/site-to-site-vpn/how-to/create-manage-customer-gateway/) with the following parameters: - IPv4 - - Incoming whitelist: 172.16.16.0/22 - - Outgoing whitelist: 172.16.0.0/22 (or set both to 0.0.0.0/0 for maximum flexibility) + - Incoming whitelist: + - Outgoing whitelist: (or set both to 0.0.0.0/0 for maximum flexibility) 5. [Create the connection](/site-to-site-vpn/how-to/create-manage-vpn-connection/) with the following parameters: - The VPN gateway you just created 
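Review bot: removing the custom CIDR blocks (`172.16.16.0/22`, `172.16.0.0/22`) from the Private Network steps and the fixed `172.16.0.3/22` gateway IP also removes the guarantee that the two networks do not overlap; the prefix-list, the routing-policy whitelists and the customer server's static route all assume two distinct blocks, so the steps should tell readers to note the CIDR assigned to each Private Network and check that they differ. In the @@ -100 hunk the whitelist lines now end in `Incoming whitelist:` / `Outgoing whitelist:` with nothing visible after them in this rendering; make sure the placeholders survive MDX rendering.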
@@ -116,40 +116,45 @@ The Site-to-Site VPN setup is now complete. You can check its status from the ** ### Configuring the BGP service -1. Log in to the customer gateway using SSH. Make sure to replace the placeholder with the appropriate value: +1. Retrieve the BGP session IP (without the subnet mask) from your Site-to-Site VPN connection **Overview** tab in the Scaleway console. + +2. Log in to the customer gateway using SSH. Make sure to replace the placeholder with the appropriate value: ```bash ssh root@ ``` - -2. Install the required packages: +3. Install the required packages: ```bash apt-get install frr frr-pythontools ``` -3. Access the `/etc/frr/daemons` file, and set the `bgpd=no` parameter to `bgpd=yes`. +4. Access the `/etc/frr/daemons` file, and set the `bgpd=no` parameter to `bgpd=yes`. + +5. Create the `/etc/frr/frr.conf` file, and add the content below to it. Make sure to replace the placeholders with the appropriate values. -4. Create the `/etc/frr/frr.conf` file, and add the following content to it: + + The BGP session neighbor IP can be deduced from the BGP session IP. It either ends wit `.6` or `.7` with a `/31` submask. + ``` log syslog informational ! router bgp 65000 - bgp router-id 169.254.0.7/31 # your IP in the BGP session - see connection overview in the Scaleway console - neighbor 169.254.0.6/31 remote-as 12876 # the other IP in the BGP session - neighbor 169.254.0.6/31 description TransitProvider + bgp router-id + neighbor remote-as 12876 + neighbor 169.254.0.6 description TransitProvider ! address-family ipv4 unicast - #network 172.16.16.0/22 # let commented to announce all your routes, uncomment to select the routes to announce + #network # let commented to announce all your routes, uncomment to select the routes to announce redistribute connected exit-address-family ! ``` -5. Run the following command to restart the `frr` service: +6. Run the following command to restart the `frr` service: ```bash systemctl restart frr 
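Review bot: "It either ends wit `.6` or `.7` with a `/31` submask" has a typo (PATCH 14/16 fixes "wit") and "submask" should be "subnet mask"; a clearer wording is that the session IP and the neighbor IP are the two addresses of one /31, so if yours ends in `.7` the neighbor ends in `.6` and vice versa. In the config block, `neighbor 169.254.0.6 description TransitProvider` keeps a hard-coded address while the `router-id` and `remote-as` lines became placeholders (PATCH 14/16 also fixes this). The new step 1 asks for the BGP session IP "without the subnet mask", which is correct for `bgp router-id`, but the later `ip addr add .../31` step needs the same IP with the mask, so say so once here.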
@@ -159,17 +164,19 @@ The BGP service is now configured on the customer gateway. ### Setting up strongSwan on the customer gateway +4. Click **Generate version** under **PSK** in the **Overview** tab of your Site-to-Site VPN connection to in the Scaleway console, then access Secret Manager to retrieve the value of the secret. + 1. Log in to the customer gateway using SSH if you are not already. Make sure to replace the placeholder with the appropriate value: ```bash ssh root@ ``` -2. Run the following commands to create an XFRM interface to tag the BGP session's packets: +2. Run the commands below to create an XFRM interface to tag the BGP session's packets. Make sure to replace the placeholder with the appropriate values: ```bash ip link add type xfrm if_id 1 dev ens2 - ip addr add /31 dev xfrm0 + ip addr add /31 dev xfrm0 ip link set xfrm0 up ``` @@ -179,7 +186,8 @@ The BGP service is now configured on the customer gateway. apt-get install strongswan strongswan-pki libstrongswan-standard-plugins libstrongswan-extra-plugins strongswan-libcharon ``` -4. Create the `/etc/swanctl/conf.d/moon.conf` file, and add the content below to it. Make sure to replace the placeholders with the appropriate values: + +5. Create the `/etc/swanctl/conf.d/moon.conf` file, and add the content below to it to setup the IPsec tunnel. Make sure to replace the placeholders with the appropriate values: ``` connections { 
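Review bot: the new PSK step is numbered "4." but precedes "1." (PATCH 14/16 renumbers it), and its sentence contains a stray "to" ("your Site-to-Site VPN connection to in the Scaleway console") that survives the renumbering. "Replace the placeholder with the appropriate values" mixes singular and plural, and "to setup the IPsec tunnel" should be "to set up". Since `moon.conf` will now hold the PSK copied from Secret Manager, the step should remind readers that the file must stay readable by root only (the default for `/etc/swanctl/conf.d/`).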
@@ -207,20 +215,20 @@ The BGP service is now configured on the customer gateway. rekey_time = 5400 rekey_bytes = 500000000 rekey_packets = 1000000 - esp_proposals = aes256gcm # Copy the ESP part of your connection's "Security proposal" + esp_proposals = aes256gcm # ESP part of your connection's "Security proposal" } } version = 2 mobike = no reauth_time = 10800 - proposals = aes256gcm-sha384-curve25519 # Copy the IKE part of your connection's "Security proposal" + proposals = aes256gcm-sha384-curve25519 # IKE part of your connection "Security proposal" } } secrets { ike-scaleway-psk { id = - secret = "" # PSK available in Secret Manager in the Scaleway console + secret = "" # PSK available in Secret Manager in the Scaleway console } } ``` @@ -233,7 +241,7 @@ The BGP service is now configured on the customer gateway. swanctl --initiate --child net-net ``` -The Site-to-Site VPN connection status is **Active** in the Scaleway console, both the "Tunnel via IPv4" and the BGP session are up. You can ping the Scaleway gateway from the customer gateway using its BGP session's IP, however you cannot ping scw-gw using its private IP (`172.16.0.3`) because the BGP routes are not yet exchanged. +The Site-to-Site VPN connection status is **Active** in the Scaleway console, both the "Tunnel via IPv4" and the BGP session are up. You can ping the Scaleway gateway from the customer gateway using its BGP session's IP, however you cannot ping the Scaleway gateway using its private IP because the BGP routes are not yet exchanged. ### Exchanging routes via BGP From 652cf437dfda0b1dea317d98b33896f1ef12117d Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Thu, 16 Apr 2026 18:01:23 +0200 Subject: [PATCH 13/16] docs(s2svpn): update --- tutorials/s2s-vpn-strongswan/index.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tutorials/s2s-vpn-strongswan/index.mdx b/tutorials/s2s-vpn-strongswan/index.mdx index b7058dea2c..1df06bdabd 100644 
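Review bot: the updated comment `# IKE part of your connection "Security proposal"` drops the possessive; it should read "your connection's", matching the ESP line just above it. The @@ -233 rewording to "the Scaleway gateway using its private IP" is consistent with the rest of the file.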
--- a/tutorials/s2s-vpn-strongswan/index.mdx +++ b/tutorials/s2s-vpn-strongswan/index.mdx @@ -252,7 +252,7 @@ The Site-to-Site VPN connection status is **Active** in the Scaleway console, bo log syslog informational ! - ip prefix-list PROV_1_IN seq 10 permit 172.16.0.0/22 + ip prefix-list PROV_1_IN seq 10 permit ip prefix-list PROV_1_OUT seq 10 permit any ! route-map PROV_1_IN permit 10 @@ -269,7 +269,7 @@ The Site-to-Site VPN connection status is **Active** in the Scaleway console, bo neighbor description TransitProvider ! address-family ipv4 unicast - #network 172.16.16.0/22 # let commented to announce all your routes, uncomment to select the routes to announce + #network # let commented to announce all your routes, uncomment to select the routes to announce redistribute connected neighbor route-map PROV_1_IN in neighbor route-map PROV_1_OUT out @@ -283,7 +283,7 @@ The Site-to-Site VPN connection status is **Active** in the Scaleway console, bo systemctl restart frr ``` -3. run the `ip route` command. The new route `172.16.0.0/22` should appear in the list. +3. run the `ip route` command. The new route corresponding to the Scaleway Private Network IP block appears in the list. You can ping the VPN gateway and Scaleway server from the customer gateway, however you cannot ping resources in the Scaleway Project from the customer server yet, because the gateway is must be configured beforehand. @@ -298,7 +298,7 @@ You can ping the VPN gateway and Scaleway server from the customer gateway, howe 2. In the customer server, run the following command to add the route via the gateway: ```bash - ip route add 172.16.0.0/22 via + ip route add via ``` The Scaleway server is now reachable from the customer infrastructure via the Site-to-Site VPN. You can test the connection by running the `ping ` command from the customer server. \ No newline at end of file From 28dff7122c571b2c92142855cde8a849b7093f7a Mon Sep 17 00:00:00 2001 
From: Samy OUBOUAZIZ Date: Fri, 17 Apr 2026 13:41:15 +0200 Subject: [PATCH 14/16] docs(s2svpn): update --- tutorials/s2s-vpn-strongswan/index.mdx | 30 +++++++++++++------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/tutorials/s2s-vpn-strongswan/index.mdx b/tutorials/s2s-vpn-strongswan/index.mdx index 1df06bdabd..8ee5f13035 100644 --- a/tutorials/s2s-vpn-strongswan/index.mdx +++ b/tutorials/s2s-vpn-strongswan/index.mdx @@ -135,7 +135,7 @@ The Site-to-Site VPN setup is now complete. You can check its status from the ** 5. Create the `/etc/frr/frr.conf` file, and add the content below to it. Make sure to replace the placeholders with the appropriate values. - The BGP session neighbor IP can be deduced from the BGP session IP. It either ends wit `.6` or `.7` with a `/31` submask. + The BGP session neighbor IP can be deduced from the BGP session IP. It either ends with `.6` or `.7` with a `/31` submask. ``` @@ -145,10 +145,10 @@ The Site-to-Site VPN setup is now complete. You can check its status from the ** router bgp 65000 bgp router-id neighbor remote-as 12876 - neighbor 169.254.0.6 description TransitProvider + neighbor description TransitProvider ! address-family ipv4 unicast - #network # let commented to announce all your routes, uncomment to select the routes to announce + #network # let commented to announce all your routes, uncomment to select the routes to announce redistribute connected exit-address-family ! 
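Review bot: "wit" is fixed but "submask" remains in the same sentence; use "subnet mask". The @@ -145 hunk now makes `neighbor ... description TransitProvider` and `#network ...` consistent with the other placeholder lines, which closes the gap left by PATCH 12/16.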
@@ -164,15 +164,15 @@ The BGP service is now configured on the customer gateway. ### Setting up strongSwan on the customer gateway -4. Click **Generate version** under **PSK** in the **Overview** tab of your Site-to-Site VPN connection to in the Scaleway console, then access Secret Manager to retrieve the value of the secret. +1. Click **Generate version** under **PSK** in the **Overview** tab of your Site-to-Site VPN connection to in the Scaleway console, then access Secret Manager to retrieve the value of the secret. -1. Log in to the customer gateway using SSH if you are not already. Make sure to replace the placeholder with the appropriate value: +2. Log in to the customer gateway using SSH if you are not already. Make sure to replace the placeholder with the appropriate value: ```bash ssh root@ ``` -2. Run the commands below to create an XFRM interface to tag the BGP session's packets. Make sure to replace the placeholder with the appropriate values: +3. Run the commands below to create an XFRM interface to tag the BGP session's packets. Make sure to replace the placeholder with the appropriate values: ```bash ip link add type xfrm if_id 1 dev ens2 @@ -180,7 +180,7 @@ The BGP service is now configured on the customer gateway. ip link set xfrm0 up ``` -3. Run the following command to install the required strongSwan packages: +4. Run the following command to install the required strongSwan packages: ```bash apt-get install strongswan strongswan-pki libstrongswan-standard-plugins libstrongswan-extra-plugins strongswan-libcharon @@ -233,7 +233,7 @@ The BGP service is now configured on the customer gateway. } ``` -5. Run the commands below to load the strongSwan configuration and initiate the connection: +6. Run the commands below to load the strongSwan configuration and initiate the connection: ```bash swanctl --load-conns 
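Review bot: step 1 of the renumbered list still carries the leftover phrase `of your Site-to-Site VPN connection to in the Scaleway console`; drop `to`. In step 3, `ip link add type xfrm if_id 1 dev ens2` hard-codes the `ens2` interface name while the sentence above says to replace placeholders: either make the device a placeholder as well or tell the reader to check the name with `ip link`. These `ip link` commands are also not persistent, so add a note that the XFRM interface has to be recreated after a reboot (or defined in a networking unit), otherwise the tunnel comes up without its interface and the BGP session stays down.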
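Review bot: `swanctl --load-conns` in step 6 loads only the `connections` section; the pre-shared key retrieved from Secret Manager in step 1 lives in the `secrets` section and is loaded by `swanctl --load-creds`. Without it the IKE_AUTH exchange fails because no shared key is found for the peer, even though the connection was loaded. Use `swanctl --load-all` (connections, credentials and pools) or add a `swanctl --load-creds` line before initiating the connection.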
@@ -264,15 +264,15 @@ The Site-to-Site VPN connection status is **Active** in the Scaleway console, bo exit ! router bgp 65000 - bgp router-id - neighbor remote-as 12876 - neighbor description TransitProvider + bgp router-id + neighbor remote-as 12876 + neighbor description TransitProvider ! address-family ipv4 unicast #network # let commented to announce all your routes, uncomment to select the routes to announce redistribute connected - neighbor route-map PROV_1_IN in - neighbor route-map PROV_1_OUT out + neighbor route-map PROV_1_IN in + neighbor route-map PROV_1_OUT out exit-address-family ! ``` @@ -283,9 +283,9 @@ The Site-to-Site VPN connection status is **Active** in the Scaleway console, bo systemctl restart frr ``` -3. run the `ip route` command. The new route corresponding to the Scaleway Private Network IP block appears in the list. +4. Run the `ip route` command. The new route corresponding to the Scaleway Private Network IP block appears in the list. -You can ping the VPN gateway and Scaleway server from the customer gateway, however you cannot ping resources in the Scaleway Project from the customer server yet, because the gateway is must be configured beforehand. +You can ping the VPN gateway and Scaleway server from the customer gateway, however you cannot ping resources in the Scaleway Project from the customer server yet, because the gateway must be configured beforehand. ### Setting up the gateway in the customer Private Network From f312a2c0411465e105ec7bdd3bbc8d8b3aad2f7d Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Fri, 17 Apr 2026 14:32:48 +0200 Subject: [PATCH 15/16] docs(s2svpn): update --- tutorials/s2s-vpn-strongswan/index.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tutorials/s2s-vpn-strongswan/index.mdx b/tutorials/s2s-vpn-strongswan/index.mdx index 8ee5f13035..d1d49da219 100644 --- a/tutorials/s2s-vpn-strongswan/index.mdx +++ b/tutorials/s2s-vpn-strongswan/index.mdx 
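Review bot: in the `address-family ipv4 unicast` block, `redistribute connected` together with `neighbor route-map PROV_1_OUT out` (whose prefix-list is `permit any` in the earlier patch) advertises every directly connected prefix of customer-gw to the Scaleway side, including the subnet of its public interface and the `/31` session link, not only the customer Private Network. Restrict `PROV_1_OUT` to the customer Private Network block, or uncomment `network` with that block and drop `redistribute connected`, so that what is announced over the tunnel is exactly what you intend to reach through it. Also, `let commented to announce all your routes` should read `leave commented to announce all your routes`.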
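Review bot: the sentence fixed in the second hunk, `because the gateway must be configured beforehand`, still does not say what has to be configured: customer-srv has no route to the Scaleway block, so its packets never reach customer-gw in the first place. Suggest: "because customer-srv does not yet have a route to the Scaleway Private Network via customer-gw; this is configured in the next section." That also explains why the next section adds `ip route add ... via ...` on the server rather than on the gateway.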
@@ -100,8 +100,8 @@ Make sure to create a Site-to-Site VPN tunnel in the "Scaleway project" previous 4. [Create a routing policy](/site-to-site-vpn/how-to/create-manage-customer-gateway/) with the following parameters: - IPv4 - - Incoming whitelist: - - Outgoing whitelist: (or set both to 0.0.0.0/0 for maximum flexibility) + - Incoming whitelist: `` + - Outgoing whitelist: `` (or set both to `0.0.0.0/0` for maximum flexibility) 5. [Create the connection](/site-to-site-vpn/how-to/create-manage-vpn-connection/) with the following parameters: - The VPN gateway you just created From 5bd3cc0fb0bff51f8b4867f7b544f52761bb8cfa Mon Sep 17 00:00:00 2001 From: SamyOubouaziz Date: Mon, 20 Apr 2026 14:06:45 +0200 Subject: [PATCH 16/16] Apply suggestions from code review Co-authored-by: Loic-kd --- tutorials/s2s-vpn-strongswan/index.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tutorials/s2s-vpn-strongswan/index.mdx b/tutorials/s2s-vpn-strongswan/index.mdx index d1d49da219..a76e4b11b9 100644 --- a/tutorials/s2s-vpn-strongswan/index.mdx +++ b/tutorials/s2s-vpn-strongswan/index.mdx @@ -31,7 +31,7 @@ The **Scaleway Project** will contain the following resources: - A Private Network within a VPC - An Instance that will be reached from the customer server -- A Site-to-site VPN to handle traffic between the two networks +- A Site-to-Site VPN to handle traffic between the two networks BGP does not allow routing between devices with the same ASN. We will therefore assign a private ASN (`65000`) to the customer gateway. 
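Review bot: the parenthetical `(or set both to 0.0.0.0/0 for maximum flexibility)` in step 4 should be presented as a lab shortcut, not a recommendation. With `0.0.0.0/0` in the incoming whitelist, every prefix the customer gateway announces is accepted, so a misconfigured or compromised peer can pull traffic for other ranges, up to a default route, into the tunnel; with it in the outgoing whitelist, every route on the Scaleway side is exported to the peer. Keep the two specific blocks as the documented values and move `0.0.0.0/0` to a note that spells out this tradeoff.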
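Review bot: the sentence `BGP does not allow routing between devices with the same ASN` in the second hunk is not accurate and this hunk leaves it unchanged: peering between two speakers in the same AS is simply iBGP. The real constraint is loop prevention: a BGP speaker rejects routes whose AS_PATH already contains its own ASN, so a customer gateway peering as Scaleway's `12876` would discard every prefix the VPN gateway announces. Suggest: "The customer gateway must peer from a different ASN than the Scaleway VPN gateway (`12876`), otherwise BGP loop prevention would reject its routes. We therefore assign the private ASN `65000` to the customer gateway."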
@@ -108,7 +108,7 @@ Make sure to create a Site-to-Site VPN tunnel in the "Scaleway project" previous - The customer gateway you just created - The IPv4 routing policy you just created - Connection "Initiated by the customer gateway" - - Security proposal: "IKE2: aes256gcm-sha384-curve25519 - ESP: aes256gcm" + - Security proposal: "IKE2: aes256gcm-sha384-curve25519 - ESP: aes256gcm" The Site-to-Site VPN setup is now complete. You can check its status from the **Overview** tab of the connection.
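Review bot: the security proposal line (`IKE2: aes256gcm-sha384-curve25519 - ESP: aes256gcm`) is only cosmetically changed here, but it is the value the `proposals` and `esp_proposals` settings in the swanctl configuration later in the tutorial have to match; if they differ, the peer answers IKE_SA_INIT with NO_PROPOSAL_CHOSEN and the connection never becomes Active. Add a cross-reference between the two places so a reader who selects another proposal in the console knows to change swanctl.conf as well.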