Configuring VPN using TCP

In some environments, outbound UDP connections may be blocked. This prevents the VPN configuration described earlier in this document from working. In these cases the VPN tunnel can be set up over TCP instead.

Important Note: Carrying a VPN tunnel over TCP significantly degrades performance when the link is congested. We recommend applying QoS policies (see the example later in this appendix) to limit the bandwidth the tunnel consumes.

To configure VPN using TCP:

  1. VyOS virtual appliance on-premises: Connect to the VyOS virtual appliance console on-premises and enter the following.

       config
       set interfaces openvpn vtun0 protocol tcp-active
       set interfaces openvpn vtun0 openvpn-option "--sndbuf 131072"
       set interfaces openvpn vtun0 openvpn-option "--rcvbuf 131072"
       set interfaces openvpn vtun0 remote-port 443
       commit
       save
       exit

  2. Update VPN Security Group: Log in to the GCP console and edit the firewall rules carrying the fw-vpn network tag. Add a rule that allows incoming connections on TCP port 443 (the port normally used for HTTPS). You may remove the pre-defined rule that allows connections on port 1194.

  3. VyOS instance in GCP: Connect to the VyOS instance in GCP using PuTTY and enter the following.

       config
       set interfaces openvpn vtun0 protocol tcp-passive
       set interfaces openvpn vtun0 openvpn-option "--sndbuf 131072"
       set interfaces openvpn vtun0 openvpn-option "--rcvbuf 131072"
       set interfaces openvpn vtun0 local-port 443
       commit
       save
       exit
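The three steps above only work if both endpoints agree: the tcp-active side must dial exactly the port the tcp-passive side listens on, that port must be the one opened in the fw-vpn firewall rule, and the socket-buffer options should match. The following Python script is an added example, not part of this guide or of VyOS: it parses the `set interfaces openvpn ...` command lines of both endpoints (the sample configs are constructed from the steps above) and reports any mismatch before the configurations are committed. The function names and the `allowed_tcp_ports` parameter, which stands in for whatever the GCP firewall rule actually permits, are this example's own.

```python
"""Pre-flight consistency check for a VyOS OpenVPN tunnel running over TCP.

Added example (not from the original guide): parse the 'set interfaces openvpn'
lines of the on-prem (tcp-active) and GCP (tcp-passive) endpoints and verify
that roles, ports, firewall allowance and buffer options line up.
"""
import shlex

# Constructed sample input: the command lines from each side of the tunnel.
ONPREM_CONFIG = """
set interfaces openvpn vtun0 protocol tcp-active
set interfaces openvpn vtun0 openvpn-option "--sndbuf 131072"
set interfaces openvpn vtun0 openvpn-option "--rcvbuf 131072"
set interfaces openvpn vtun0 remote-port 443
"""

GCP_CONFIG = """
set interfaces openvpn vtun0 protocol tcp-passive
set interfaces openvpn vtun0 openvpn-option "--sndbuf 131072"
set interfaces openvpn vtun0 openvpn-option "--rcvbuf 131072"
set interfaces openvpn vtun0 local-port 443
"""


def parse_openvpn_config(text, interface="vtun0"):
    """Collect the settings applied to one openvpn interface.

    Single-valued keys (protocol, remote-port, local-port, ...) map to a
    string; the repeatable 'openvpn-option' key maps to a list of strings.
    """
    settings = {"openvpn-option": []}
    prefix = ["set", "interfaces", "openvpn", interface]
    for line in text.splitlines():
        tokens = shlex.split(line)  # shlex keeps "--sndbuf 131072" as one value
        if tokens[:4] != prefix or len(tokens) < 6:
            continue
        key, value = tokens[4], " ".join(tokens[5:])
        if key == "openvpn-option":
            settings[key].append(value)
        else:
            settings[key] = value
    return settings


def check_tcp_tunnel(active, passive, allowed_tcp_ports):
    """Return a list of problems; an empty list means the endpoints agree.

    allowed_tcp_ports: set of TCP ports the fw-vpn firewall rule admits
    (hypothetical parameter; in practice read it from the GCP console).
    """
    problems = []
    if active.get("protocol") != "tcp-active":
        problems.append("on-prem side must use protocol tcp-active")
    if passive.get("protocol") != "tcp-passive":
        problems.append("GCP side must use protocol tcp-passive")

    dial_port = active.get("remote-port")
    listen_port = passive.get("local-port")
    if dial_port is None:
        problems.append("tcp-active side has no remote-port")
    elif dial_port != listen_port:
        problems.append(f"port mismatch: active dials {dial_port}, "
                        f"passive listens on {listen_port}")
    if listen_port is not None and int(listen_port) not in allowed_tcp_ports:
        problems.append(f"firewall rule for tag fw-vpn does not allow TCP {listen_port}")

    # Both sides should carry the same socket-buffer options.
    for side_name, side in (("on-prem", active), ("GCP", passive)):
        for buf in ("--sndbuf", "--rcvbuf"):
            if not any(o.startswith(buf + " ") for o in side["openvpn-option"]):
                problems.append(f"{side_name} side is missing {buf}")
    if sorted(active["openvpn-option"]) != sorted(passive["openvpn-option"]):
        problems.append("openvpn-option lists differ between endpoints")
    return problems


if __name__ == "__main__":
    issues = check_tcp_tunnel(parse_openvpn_config(ONPREM_CONFIG),
                              parse_openvpn_config(GCP_CONFIG), {443})
    print("OK: endpoints agree" if not issues else "\n".join(issues))
```

Paste the output of `show configuration commands | match openvpn` from each appliance in place of the constructed samples; a non-empty report points at the step that was missed (for instance, a tcp-passive side still listening on 1194 after the firewall rule for that port was removed).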