Google Cloud VPN – Connect to Client’s Network with Reserved Internal IP Addresses

Tags: google-cloud-platform, google-compute-engine, networking, security, vpn

Goal

I would like to make use of an API by a 3rd party. This 3rd party requires that I establish a VPN connection to their network. As such, they need a remote peer IP address to establish the VPN, then an internal IP address that they can whitelist.

My application is hosted on Google Cloud Platform, so I would like to set up a VPN tunnel & gateway using Google Cloud VPN. I intend to use a GCE VM to query the 3rd party API via the VPN.

Attempt at solution

I set up a VPN gateway & route-based tunnel (with only a single route) to the 3rd party using Cloud VPN. The GCP console confirmed that the connection was successfully established.

I also set up a GCE VM and assigned it both a static internal IP address and a static external IP address.

The 3rd party whitelisted the static external IP address assigned to my VM.

Problem

My solution did not work. Although the VPN successfully connected, I was unable to ping the internal IP address provided by the 3rd party from my GCE VM.

The problem is that the 3rd party claims it has reserved all possible internal IP addresses in its own network: 172.*, 192.*, 10.*, as weird as that seems… So, it is not possible for them to whitelist the internal IP for my VM, which clashes with their internal address range. Instead, they whitelisted the external IP address assigned to my VM.

This approach did not work, as I could not ping their internal IP from my VM.

Question

How do we get around this? I think the problem is that when I use my VM to query their API via VPN, traffic originates from the internal IP (but they have whitelisted my external IP only). So is there a way to force traffic to originate from my VM's external IP when using Cloud VPN?

I looked into setting up my own VPN on a VM instance, using these instructions: Set up an instance as a VPN gateway. However, it seems that even here I run into the same problem of internal IP address range clashes.

Any help would be greatly appreciated!

Best Answer

As per the GCP documentation, Cloud VPN can be used with VPC networks and legacy networks. For VPC, custom mode is recommended, so you have full control over the ranges of IP addresses used by the subnets in the network. As per my understanding, it would not be possible to use an external IP with Cloud VPN.

As you have mentioned, it is not possible to use the 172.x, 192.x and 10.x IP ranges; could you try using some other IP range that is a valid RFC 1918 CIDR block?

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

Hopefully, not all of these CIDR blocks have been reserved. Using a VM instance in GCP as the VPN gateway will create the same issue, as it gets its IP from the same IP block. What you could do is request that the 3rd party release a small segment of the IP block, use that segment to create a custom mode network, and use it in this VPN scenario.

However, if you would like to use Cloud VPN, you would have to use one of these CIDR blocks.

For this, if you want, you can create a feature request for using an external IP with Cloud VPN; to do so, follow this feature request link.
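The answer's suggestion (get the 3rd party to release a small RFC 1918 segment, then build a custom-mode VPC subnet on it) is easy to get wrong by hand when the peer claims entire /8 and /12 blocks. The script below is an added example, not code from the thread or from Google: it carves the peer's claimed ranges out of RFC 1918 space, picks the lowest free block of the prefix length you want, and checks a candidate subnet for overlap with anything the peer still reserves and with the remote API range. The peer claims (all three RFC 1918 blocks), the released carve-out 10.250.0.0/24 and the remote API range 10.20.30.0/24 are constructed inputs for the example, not values from the original question.

```python
"""Plan a non-clashing RFC 1918 subnet for a GCP custom-mode VPC behind Cloud VPN.

Added example: given the ranges the VPN peer says it has reserved, compute what
RFC 1918 space is left, model the carve-out the peer releases, and make sure the
subnet we pick does not overlap anything the peer still claims.
"""
import ipaddress
from typing import Iterable, List, Optional

IPv4Net = ipaddress.IPv4Network

# The three RFC 1918 blocks the answer says the Cloud VPN ranges must come from.
RFC1918: List[IPv4Net] = [
    ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed inputs for this example (hypothetical, not from the original thread):
PEER_CLAIMS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # "all of 10.*, 172.*, 192.*"
RELEASED = ["10.250.0.0/24"]        # a small block the peer agrees to give up for our side
REMOTE_API_RANGE = "10.20.30.0/24"  # hypothetical location of the peer's API endpoint


def nets(cidrs: Iterable[str]) -> List[IPv4Net]:
    """Parse CIDR strings strictly, so a typo with host bits set is rejected early."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def subtract(blocks: Iterable[IPv4Net], excluded: Iterable[IPv4Net]) -> List[IPv4Net]:
    """CIDR blocks left after carving every `excluded` network out of `blocks`.

    CIDR blocks are either nested or disjoint, so for each pair we keep the block,
    split it around the excluded network, or drop it entirely.
    """
    remaining = list(blocks)
    for ex in excluded:
        kept: List[IPv4Net] = []
        for block in remaining:
            if not block.overlaps(ex):
                kept.append(block)
            elif ex.subnet_of(block):
                kept.extend(block.address_exclude(ex))  # yields nothing when ex == block
            # else: block lies wholly inside ex, so it is dropped
        remaining = kept
    return sorted(remaining)


def free_rfc1918_space(peer_reserved: Iterable[str]) -> List[IPv4Net]:
    """RFC 1918 space the peer does not claim; empty if they really hold all of it."""
    return subtract(RFC1918, nets(peer_reserved))


def peer_after_release(claims: Iterable[str] = PEER_CLAIMS,
                       released: Iterable[str] = RELEASED) -> List[str]:
    """What the peer still reserves once it releases the agreed carve-out."""
    return [str(n) for n in subtract(nets(claims), nets(released))]


def plan_local_range(peer_reserved: Iterable[str], prefixlen: int = 24) -> Optional[IPv4Net]:
    """Lowest free RFC 1918 /prefixlen usable as the GCP custom-mode subnet, or None."""
    for block in free_rfc1918_space(peer_reserved):
        if block.prefixlen == prefixlen:
            return block
        if block.prefixlen < prefixlen:
            return next(block.subnets(new_prefix=prefixlen))
    return None


def check_local_range(local: str, peer_reserved: Iterable[str],
                      remote: str = REMOTE_API_RANGE) -> List[str]:
    """Reasons `local` is unsafe as the VPC subnet / local traffic selector; [] means OK."""
    net = ipaddress.ip_network(local, strict=True)
    problems: List[str] = []
    if not any(net.subnet_of(b) for b in RFC1918):
        problems.append(f"{net} is outside RFC 1918")
    for claimed in nets(peer_reserved):
        if net.overlaps(claimed):
            problems.append(f"{net} overlaps peer-reserved {claimed}")
    if net.overlaps(ipaddress.ip_network(remote, strict=True)):
        problems.append(f"{net} overlaps the remote API range {remote}; traffic would never leave the VPC")
    return problems


if __name__ == "__main__":
    print("free space against the original claim:", free_rfc1918_space(PEER_CLAIMS))
    still_reserved = peer_after_release()
    chosen = plan_local_range(still_reserved)
    print("subnet to create in the custom-mode VPC:", chosen)
    print("problems with that choice:", check_local_range(str(chosen), still_reserved))
    print("problems with a clashing pick:", check_local_range("10.0.5.0/24", still_reserved))
```

With the peer claiming all three blocks, `free_rfc1918_space` is empty and `plan_local_range` returns `None`, which is the situation in the question. Once the peer releases 10.250.0.0/24, that block is the only free space, the planner returns it, and the same block passes `check_local_range`; the chosen range is what you would then use as the `--range` of the custom-mode subnet and as the local side of the tunnel. Run the check again whenever the peer changes what it reserves, since any new overlap silently breaks return traffic.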
