# Oracle Cloud

**For a more detailed tutorial refer to** [**Site-to-Site with IPsec**](https://docs.pritunl.com/kb/vpn/tutorials/pritunl-link)

First create security list rules to allow `UDP` ports `500` and `4500` for IPsec traffic. You will also need to allow traffic from the other linked networks.

**Optionally TCP port 9790 can also be opened for host to host checking. This allows each pritunl-link host to ping other hosts to measure latency and availability. These checks are used to detect network partitions and discover the best link to activate in a high availability configuration.**

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FO9zphFSXapx6GE2gGehG%2Foraclecloud0.png?alt=media\&token=94fa4986-a317-4b49-9d7e-9a345c5dc5a4)

Create a private key for the API user using the command below. These commands can be run on any Linux computer.

```shell
openssl genrsa -out oci_key.pem 2048
openssl rsa -pubout -in oci_key.pem -out oci_pub.pem
cat oci_pub.pem
```

Open the *Users* section of the *Identity* console and select the user that will authenticate with the Oracle Cloud API. Then copy the *OCID* from the user info; it will be needed later.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FQEtWcnwVQTP5CEamQnG5%2Foraclecloud4.png?alt=media\&token=d725492c-6c9e-47c0-9d1f-a360a938855e)

Open the user details and click *Add Public Key*. Then paste the output of `cat oci_pub.pem` into the *Public Key* field.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FEsEAsB7nfcVFUiPkMyZM%2Foraclecloud2.png?alt=media\&token=10c1a379-433d-418d-b832-68154da56fc4)

Get a base64 copy of the private key by running the first command below; the output is needed in the next step. Once it has been copied, run the second command to delete the key files.

```shell
openssl base64 -in oci_key.pem | tr -d "\n"
rm oci_*.pem
```

Access for this user should be controlled with a policy: create a user group, add the user to that group, then configure a policy for the group. Below is an example policy for the group; it can be restricted further based on the environment.

```
ALLOW GROUP pritunl TO MANAGE virtual-network-family IN tenancy
ALLOW GROUP pritunl TO MANAGE vnics IN tenancy
```

Below is the startup script that can be put in the *User data* or run manually. The first three pritunl-link commands need to be updated with the Oracle Cloud tenancy OCID, the Oracle user OCID and the base64 private key from above. The fourth command, `pritunl-link verify-off`, is only needed if the Pritunl server does not have a valid signed HTTPS certificate and can be left out otherwise. The fifth command sets the provider to `oracle`. The sixth command adds the URI; replace the placeholder with the value obtained by clicking *Get URI* in the Pritunl web console. This command can be run multiple times if more than one link is configured. It is not necessary to verify the SSL certificate because the sensitive data is encrypted with AES-256 and signed with HMAC SHA-512 using the token and secret in the URI.

```shell
#!/bin/bash
sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/oraclelinux/10/
gpgcheck=1
enabled=1
gpgkey=https://raw.githubusercontent.com/pritunl/pgp/master/pritunl_repo_pub.asc
EOF

sudo dnf -y update
sudo dnf -y install pritunl-link

sudo systemctl stop firewalld
sudo systemctl disable firewalld

# Replace the three values below with the tenancy OCID, user OCID and
# base64 private key from the steps above
sudo pritunl-link oracle-tenancy-ocid ocid1.tenancy.oc1..aaaaaaaa6emuu...
sudo pritunl-link oracle-user-ocid ocid1.user.oc1..aaaaaaaagfbc5x7qsrq...
sudo pritunl-link oracle-private-key LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBL...
# Only needed when the Pritunl server has no valid HTTPS certificate
sudo pritunl-link verify-off
sudo pritunl-link provider oracle
# Replace with the URI from "Get URI" in the Pritunl web console
sudo pritunl-link add pritunl://token:secret@test.pritunl.com
```
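A preflight check for the four values that get pasted into the startup script above, added here as an example; it is not part of the Pritunl documentation or of pritunl-link. It assumes Oracle's documented OCID layout `ocid1.<type>.<realm>.[region].<id>` and the `pritunl://token:secret@host` URI shape shown on this page, and catches the common mistakes (wrong OCID type, a private key that still contains newlines, a URI missing its secret) before they are baked into cloud-init user data.

```shell
#!/bin/bash
# Added example: preflight validation of pritunl-link startup parameters.
# Assumes the OCID layout ocid1.<type>.<realm>.[region].<id> and the
# pritunl://token:secret@host URI shape shown in the documentation above.

# check_ocid TYPE VALUE : TYPE is "tenancy" or "user"; region may be empty.
check_ocid() {
    printf '%s' "$2" | grep -Eq '^ocid1\.'"$1"'\.oc[0-9]+\.[a-z0-9-]*\.[a-z0-9]+$'
}

# check_private_key_b64 VALUE : the single line produced by
# `openssl base64 -in oci_key.pem | tr -d "\n"`. "LS0tLS1CRUdJTiB" is the
# base64 encoding of "-----BEGIN ", so both "RSA PRIVATE KEY" and PKCS#8
# PEM files pass; any whitespace means the tr step was skipped.
check_private_key_b64() {
    case "$1" in
        *[[:space:]]*)    return 1 ;;
        LS0tLS1CRUdJTiB*) ;;
        *)                return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || return 1
    [ $(( ${#1} % 4 )) -eq 0 ]
}

# check_link_uri VALUE : pritunl://<token>:<secret>@<host>, no empty parts.
check_link_uri() {
    printf '%s' "$1" | grep -Eq '^pritunl://[^:@/]+:[^:@/]+@[A-Za-z0-9.-]+$'
}

# preflight TENANCY_OCID USER_OCID KEY_B64 URI : returns 0 only if every
# value passes, so a startup script can abort before configuring the link.
preflight() {
    rc=0
    check_ocid tenancy "$1"    || { echo "bad tenancy OCID" >&2; rc=1; }
    check_ocid user "$2"       || { echo "bad user OCID" >&2; rc=1; }
    check_private_key_b64 "$3" || { echo "key is not single-line base64 PEM" >&2; rc=1; }
    check_link_uri "$4"        || { echo "bad pritunl link URI" >&2; rc=1; }
    return $rc
}
```

Call `preflight "$TENANCY_OCID" "$USER_OCID" "$KEY_B64" "$LINK_URI" || exit 1` at the top of the startup script, before the `pritunl-link` commands run.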

Create an Oracle Linux 10 instance and open the *Advanced Options* and click *Paste cloud-init script*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FfxbT4teGjYDbxTu6PapW%2Foraclecloud3.png?alt=media\&token=e561cac7-0bad-4281-84c1-15f876f19efe)

Select the VNIC attached to the instance and click *Edit VNIC*. Then select *Skip Source/Destination Check*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FuJIqs0y00crKNFMGM2yt%2Foraclecloud5.png?alt=media\&token=ef5b9db8-1c8b-4bbe-b19e-e3f04b4d2987)

The commands below can be run to check the logs and status of the link. The `pritunl-link` service will already be running and connected once the URI is added.

```shell
journalctl -u pritunl-link
sudo ipsec status
```
