Virtual Private Networks

When your clouds or servers reside in a network that sits behind a restrictive firewall or uses a private IP range, you will need to set up a Virtual Private Network between the service and your network to be able to manage them through the service. The service's VPN functionality is based on the OpenVPN protocol, which implements a Virtual Private Network (VPN) to create secure point-to-point connections to remote networks. OpenVPN can reach private networks by traversing network address translators (NATs) and firewalls, and it uses a key exchange to secure its VPN connections (or tunnels).

Setting up the VPN using the UI

To set up a new VPN, visit the Tunnels section from your dashboard menu and click on the Add your tunnels button. Type in a name for your tunnel and, optionally, a description. Then, in the CIDRs field, add the private IP range in which the cloud you want to manage resides. The service will choose two random IPv4 addresses for the endpoints of the VPN tunnel. If you want to exclude some addresses of the network to avoid IP conflicts, enter them in the excluded CIDRs field. You can also choose between the UDP and TCP protocols.

Once you’re done, click on the Add button and the service will create the tunnel. Click on it, and the service will provide you with a bash script that you’ll need to run on your VPN client - usually one of the machines or the router of your private network.

When deploying your VPN client, make sure that there are no firewall rules blocking incoming or forwarded Internet traffic. Your VPN client needs to allow incoming data from and outgoing data to the service; the UDP port that is used is shown on the tunnel page. Additionally, make sure that the machine where the VPN client resides can forward packets to your local VMs. Ensure your firewall and iptables rules (if any) have been configured accordingly.
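The following script is an added example and is not part of the original documentation or the service's own client script. It prints (or, with "apply", installs) the host firewall rules the paragraph above asks for: the outbound UDP flow to the tunnel server, forwarding between the tunnel interface and the private VM range, and IP forwarding itself. The interface names, the port and the LAN range are placeholders; the real UDP port is the one shown on the tunnel page.

```shell
#!/bin/sh
# Added example, not part of the original documentation: the host firewall
# rules a VPN client needs so the OpenVPN tunnel can come up and the client
# can forward traffic to the private VMs behind it. Interface names, the
# port and the LAN range are placeholders; read the real UDP port from the
# tunnel page. Without "apply" the rules are only printed for review.
#
# usage: vpn_client_rules <udp-port> <tunnel-iface> <uplink-iface> <lan-cidr> [apply]

vpn_client_rules() {
    port="$1" tun="$2" wan="$3" lan_cidr="$4" mode="${5:-dry-run}"
    case "$port" in ''|*[!0-9]*) echo "invalid UDP port: '$port'" >&2; return 1 ;; esac
    [ -n "$tun" ] && [ -n "$wan" ] && [ -n "$lan_cidr" ] || { echo "missing argument" >&2; return 1; }

    # One rule per line, in the order they must be applied:
    #  1. kernel must forward packets between the tunnel and the LAN
    #  2./3. the OpenVPN client talks to the server's UDP port over the uplink
    #  4./5. service traffic arriving over the tunnel may reach the VM range,
    #        and only replies to it may go back over the tunnel
    #  6. source-NAT tunnel traffic towards the VMs, needed only when the VMs
    #     have no route back to the tunnel endpoint addresses (assumption)
    rules="\
sysctl -w net.ipv4.ip_forward=1
iptables -A OUTPUT  -o $wan -p udp --dport $port -j ACCEPT
iptables -A INPUT   -i $wan -p udp --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $tun -d $lan_cidr -j ACCEPT
iptables -A FORWARD -o $tun -s $lan_cidr -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING ! -s $lan_cidr -d $lan_cidr -j MASQUERADE"

    if [ "$mode" = "apply" ]; then
        # Run each rule as root; stop at the first failure.
        while IFS= read -r rule; do
            echo "+ $rule" >&2
            eval "$rule" || return 1
        done <<EOF
$rules
EOF
    else
        printf '%s\n' "$rules"
    fi
}
```

Run `vpn_client_rules 1319 vpn-tun114 eth0 10.0.0.0/24` first to review the rule set, then repeat with a trailing `apply` as root. The FORWARD rules deliberately allow only traffic that enters from the tunnel towards the VM range and the matching replies, so the tunnel cannot be used as a path to anything else on the client's side.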

As soon as you have established your VPN tunnels, you can go ahead and add your infrastructure in the service. Your private network IPs will be reachable by the service as if they were public. Just add your private clouds and perform actions on private VMs as you normally would.


To confirm that the tunnel has been established on your VPN client, run ifconfig and make sure you can see the vpn-tunXYZ interface, where XYZ is a number. Example:

vpn-tun114 Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:  P-t-P:  Mask:
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


The tunnel is up and we should be able to ping the P-t-P IP (in my case this is

On the tunnel page we can also see the port on the remote side that is assigned for our VPN client. Make sure that outgoing traffic to this port is allowed (UDP to port 1319 in my case). 

Setting up the VPN using the command-line interface

All VPN-related actions have also been integrated into the mist CLI, which can be installed by running pip install mist. The available VPN-related commands are:

  • List tunnels

        You can retrieve a list of your established tunnels by invoking mist list-tunnels. You can optionally add the --pretty argument to print the output as a nicely formatted table.

  • Add tunnel

      To add a new tunnel, use the mist add-tunnel command. It accepts the following arguments:

name: a required parameter denoting the unique name of the tunnel

cidrs: a required list of the CIDRs to be routed over the particular VPN tunnel

exclude_cidrs: an optional list of CIDRs to be excluded when the two VPN endpoints are allocated their IP addresses, so that an address already in use locally is not assigned to an endpoint and causes a routing conflict

description: an argument to optionally add a description to the newly created tunnel

Now, let's see a couple of examples adding new VPN tunnels:

root@ubuntu:~ $ mist add-tunnel --name MyTunnel --cidrs --exclude-cidrs --description 'This is just an example'

The first command requests the establishment of a VPN tunnel named “MyTunnel” via which the service will be able to reach the private networks and Additionally, the network has been specified as a network to be excluded from the allocation of IP addresses for the two VPN endpoints in order to avoid routing conflicts. For example, the CIDR could represent a network that is directly attached to your VPN client, so you would want to prevent an existing 172.16.150.x address from being allocated to your VPN interface as well. Finally, the newly established tunnel carries the description “This is just an example”. The description and exclude-cidrs fields are optional.
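The script below is an added example, not the mist CLI's own code or part of the original page. It automates the reasoning just described: every network directly attached to the VPN client is collected from the routing table and passed as --exclude-cidrs, so the service cannot pick an endpoint address that is already in use on a local link (the 172.16.150.x case above). It assumes the route dump has the `ip -o -4 route show` layout and that multiple CIDR values are given as space-separated arguments; the tunnel name and networks are constructed.

```shell
#!/bin/sh
# Added example, not part of the original documentation: compose the
# `mist add-tunnel` call so that every network directly attached to the VPN
# client is passed in --exclude-cidrs, mirroring the 172.16.150.x case above.
# Assumptions: the route dump is `ip -o -4 route show` output, and multiple
# CIDR values are given as space-separated arguments.

# Constructed sample route table (stand-in for `ip -o -4 route show`).
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
172.16.150.0/24 dev eth1 proto kernel scope link src 172.16.150.1
169.254.0.0/16 dev eth0 scope link metric 1000
10.10.0.0/16 via 172.16.150.254 dev eth1'

# Print the directly attached ("scope link") IPv4 networks from a route dump
# on stdin, one per line, de-duplicated. Link-local 169.254/16 is skipped
# because it can never be routed over the tunnel anyway.
attached_cidrs() {
    awk '$1 ~ /\// && / scope link/ && $1 !~ /^169\.254\./ { print $1 }' | sort -u
}

# build_add_tunnel <name> <cidr>... ; route dump on stdin.
# Prints the command rather than running it so it can be reviewed first.
build_add_tunnel() {
    name="$1"; shift
    excl="$(attached_cidrs | tr '\n' ' ' | sed 's/ $//')"
    printf "mist add-tunnel --name '%s' --cidrs %s" "$name" "$*"
    if [ -n "$excl" ]; then
        printf ' --exclude-cidrs %s' "$excl"
    fi
    printf '\n'
}

# Demo on the constructed routes. On a real client run instead:
#   ip -o -4 route show | build_add_tunnel MyTunnel 10.10.0.0/16
demo() {
    printf '%s\n' "$SAMPLE_ROUTES" | build_add_tunnel MyTunnel 10.10.0.0/16
}
```

Running `demo` prints the add-tunnel command with both attached networks excluded. Because the command is printed rather than executed, the operator can check that the routed CIDRs and the excluded ones are what they expect before the tunnel is requested.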

As soon as the newly requested VPN interface has been established on the server side (the service's side), the mist add-tunnel command will return the configuration script that needs to be executed on the client side to complete the tunnel establishment. The client-side configuration comes in two forms. The first is a bash script, which needs to be run on your VPN client and takes care of downloading the necessary dependencies, setting up the VPN configuration files and security key, and starting the OpenVPN service. All you have to do is copy the bash script to your VPN client, make it executable, and run it.

The second option is a single curl command, which you can execute on your VPN client and which downloads and executes the configuration script automatically.

Your VPN client can be any machine sitting  in  your private network, including your own router.

After the configuration script has completed successfully, you should have a new interface up and running, similar to:

	vpn-tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00    inet addr:  P-t-P:  Mask:

inet addr is the IP address allocated to your VPN endpoint, while P-t-P is the server-side IP address.
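Both the UI section (the ifconfig listing with the vpn-tunXYZ interface) and the paragraph above describe the same check: find the tunnel interface and read its inet addr and P-t-P addresses. The script below is an added example, not the service's or the mist CLI's code; it parses ifconfig output for both the older "inet addr:/P-t-P:" layout shown on this page and the newer net-tools "inet ... destination ..." layout, and then pings the peer. The addresses in the embedded sample are constructed.

```shell
#!/bin/sh
# Added example, not part of the original documentation: confirm that a
# vpn-tun interface exists and extract its local and peer (P-t-P) addresses
# from ifconfig output, then ping the peer. Handles both the older
# "inet addr:/P-t-P:" layout shown on this page and the newer net-tools
# "inet ... destination ..." layout. The addresses below are constructed.

SAMPLE_IFCONFIG='vpn-tun114 Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.200.0.2  P-t-P:10.200.0.1  Mask:255.255.255.255
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)'

# Read ifconfig output on stdin; print "<iface> <local-ip> <peer-ip>" for
# each vpn-tun* interface. Exit status 1 if no tunnel interface was found.
tunnel_endpoints() {
    awk '
        # interface header of a tunnel: remember it and reset the addresses
        /^vpn-tun[0-9]+[: ]/ { iface = $1; sub(/:$/, "", iface); lip = ""; pip = ""; next }
        # any other interface header ends the tunnel block
        /^[^ \t]/ { iface = ""; next }
        iface != "" && /inet / {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^addr:/)       lip = substr($i, 6)      # old: addr:A.B.C.D
                if ($i == "inet" && $(i+1) ~ /^[0-9]/) lip = $(i+1)  # new: inet A.B.C.D
                if ($i ~ /^P-t-P:/)      pip = substr($i, 7)      # old: P-t-P:A.B.C.D
                if ($i == "destination") pip = $(i+1)             # new: destination A.B.C.D
            }
            print iface, lip, pip
            found = 1; iface = ""
        }
        END { exit found ? 0 : 1 }'
}

# Live check on this host: find the first tunnel interface and ping its
# peer (3 probes). Returns non-zero if the interface is missing or the peer
# does not answer.
check_tunnel() {
    ep="$(ifconfig 2>/dev/null | tunnel_endpoints | head -n 1)"
    if [ -z "$ep" ]; then
        echo "no vpn-tun interface found; the tunnel is not up" >&2
        return 1
    fi
    set -- $ep
    echo "tunnel $1: local $2, peer $3"
    ping -c 3 -W 2 "$3"
}
```

`check_tunnel` is the command to run on the VPN client once the configuration script has finished; `printf '%s\n' "$SAMPLE_IFCONFIG" | tunnel_endpoints` shows the parser on the constructed sample without touching the network.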

  • Edit tunnel

The mist CLI also allows you to edit an already established tunnel. The mist edit-tunnel command lets you edit the name, description, and list of accessible CIDRs; the list of excluded CIDRs cannot be edited. For instance, let's edit tunnel “MyTunnel”:

root@ubuntu:~ $ mist edit-tunnel e63fddace687u754aa9e66e4g56th257 --name EditedTunnel --cidrs --description 'This is just an example'

The above command edits the tunnel with tunnel ID e63fddace687u754aa9e66e4g56th257. Once you run it, the tunnel's name will be changed to “MyEditedTunnel” and the tunnel will also be able to access machines that sit in the network.

All tunnel IDs can be retrieved by calling the mist list-tunnels command. Tunnel IDs are required in order to perform actions on existing tunnels, such as editing, deleting, or retrieving a tunnel's configuration script.

  • Get the client configuration script

For every established tunnel you can explicitly request the corresponding VPN client's configuration script. All you need to provide is the tunnel's ID, as follows:

root@ubuntu:~ $ mist tunnel-script e63fddace687u754aa9e66e4g56th257

  • Get the shell command

      Similarly, you may request the corresponding curl command for a more automated deployment. Again, the tunnel's ID is all that needs to be provided:

root@ubuntu:~ $ mist tunnel-command e63fddace687u754aa9e66e4g56th257

  • Delete tunnel

     Finally, you can tear down an existing VPN tunnel using the mist delete-tunnel command, as follows:

root@ubuntu:~ $ mist delete-tunnel e63fddace687u754aa9e66e4g56th257
