# How to Create or Delete a Virtual Private Network

Machines are Linux and Windows virtual machines with persistent storage, GPU options, and free unlimited bandwidth. They’re designed for high-performance computing (HPC) workloads.

A Virtual Private Network (VPN) is a secure, encrypted network that runs over a public network, like the internet. A VPN typically consists of at least one gateway, a private network, and a tunnel.

- **VPN gateway**: An entry point that connects the machines within your private network to machines external to Paperspace, such as your local machine.
- **VPN tunnel**: An encrypted connection that secures data transferred between machines. The VPN gateway creates an Internet Protocol Security (IPsec) site-to-site VPN tunnel. This protocol ensures your machines communicate securely over a direct and encrypted connection.
- [**Private network**](https://docs.digitalocean.com/products/paperspace/machines/how-to/manage-private-networks/index.html.md): A dedicated network that’s logically isolated from other networks on Paperspace. A [private network](https://docs.digitalocean.com/products/paperspace/machines/how-to/manage-private-networks/index.html.md#create) is required to create a VPN, as a VPN gateway connects to your private network, which then establishes a VPN tunnel.

The [Paperspace API](https://docs.digitalocean.com/reference/paperspace/api-reference/index.html.md) and [Paperspace CLI](https://docs.digitalocean.com/reference/paperspace/pspace/index.html.md) cannot create VPNs. You can only create a VPN via the [Paperspace console](https://console.paperspace.com) by submitting a VPN request to [Paperspace support](https://docs.digitalocean.com/products/paperspace/machines/support/index.html.md).

## Create a Virtual Private Network

Paperspace creates the VPN manually after you submit a request with the necessary specs.
You need to provide the following resources for Paperspace to create a VPN: a [private network](#choose-a-network), a [public IP address](#assign-a-vpn-public-ip-address), a [pre-shared key](#add-a-pre-shared-key), and [internal networks](#add-internal-networks).

To submit your VPN request, go to the [Paperspace console](https://console.paperspace.com), in the top-left corner, click the drop-down menu, select **CORE**, click the **VPN** tab, then click **CREATE VPN** to open the **Create VPN** request form.

### Choose or Set Up a Private Network

Before creating a VPN, you need a private network and the IP address of the machine you want to use as the VPN gateway.

If you do not have any private networks, [create a private network](https://docs.digitalocean.com/products/paperspace/machines/how-to/manage-private-networks/index.html.md#create) for your VPN. Within your private network, [attach the machines](https://docs.digitalocean.com/products/paperspace/machines/how-to/manage-private-networks/index.html.md#migrate) you want connected to the VPN.

### Retrieve Public IP Address

Before you create a VPN, get the public IP address of the machine you want to use as the VPN gateway.

To find your machine’s IP address, go to the [Paperspace console](https://console.paperspace.com/), in the top-left corner, click the drop-down menu, select **CORE**, click the **Machines** tab, then select the machine you want to get the IP address of. From the machine’s overview page, in the top-right corner, click the **Settings** tab. In the **Settings** page, in the **Public IP** section, copy your machine’s IP address for later use.

If your machine doesn’t have a public IP address, [assign a public IP address](https://docs.digitalocean.com/products/paperspace/machines/how-to/manage-public-ips/index.html.md) to your machine.

### Choose a Network

In the **Select a network** section, click the drop-down menu to select the private network you want connected to your VPN.

### Assign a VPN Public IP Address

In the **VPN Public IP Address** section, type the [public IP address](#retrieve-public-ip-address) of the machine you’re using as the VPN gateway.

### Add a Pre-shared Key

A pre-shared key is a secret key shared between your machines and a physical or third-party location, such as a local machine. Pre-shared keys secure the connection between machines by ensuring that only authorized machines can establish a connection to your VPN and its machines.

To add a pre-shared key, in the **Pre-shared Key** section, type the pre-shared key.

If you need to generate a pre-shared key, we recommend using [OpenSSL](https://www.openssl.org), an open source library that implements protocols, such as the Secure Sockets Layer (SSL), and offers cryptography methods, such as generating random keys.

#### Generate a pre-shared key using OpenSSL

To generate a pre-shared key using OpenSSL:

1. [Download and install the OpenSSL library](https://openssl-library.org/source/index.html) onto your local machine.

2. Open a terminal and run an `openssl rand` command to generate a random key. You can specify the output encoding and the number of random bytes in your key. For example, the following `openssl rand` command generates 24 random bytes and outputs them as a base64-encoded pre-shared key.

   ```shell
   openssl rand -base64 24
   ```

3. The command should output a randomly generated key, which you can use as your pre-shared key.

### Add Internal Networks

Internal networks are the machines you want connected to your VPN.

In the **Internal Network(s), separated by commas** section, list the IP addresses of the machines you want accessible through your VPN.

After configuring your VPN, click **CREATE VPN**. A VPN may take up to 24-48 hours to create. Once your VPN is created, Paperspace support notifies you via email that your VPN is created and connected.
The VPN is not visible on the Paperspace console because it runs in the background and connects the machines in your private network by default.

If you want to delete your VPN from your Paperspace account, contact [Paperspace support](https://docs.digitalocean.com/products/paperspace/machines/support/index.html.md). Paperspace support notifies you via email once the VPN is deleted.

### Test VPN Connectivity

To test your VPN, go to the [Paperspace console](https://console.paperspace.com), in the top-left corner, click the drop-down menu, select **CORE**, click the **Machines** tab, then find and select a machine belonging to your VPN’s private network. On the machine’s overview page, click the **Details** tab. In the **Details** page, on the right side, under the **Private IP** section, copy the private IP address.

Then, [connect to your machine](https://docs.digitalocean.com/products/paperspace/machines/how-to/connect/index.html.md), open a terminal on it, and run an Internet Control Message Protocol (ICMP) `ping` command. A `ping` command sends ICMP echo requests and waits for echo replies to test network connectivity. You can use it to verify whether your machine can reach the VPN gateway and receive a response.

```shell
ping 203.0.113.0
```

Your VPN is working properly if the packets line indicates data was sent and received with minimal packet loss.

```shell
...
--- 203.0.113.0 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3068ms
...
```

If your `ping` command outputs a request timeout, you may need to enable ICMP on your machine.

```shell
PING 203.0.113.0 (203.0.113.0): 56 data bytes
Request timeout for icmp_seq 0
...
```

#### Enable ICMP

For Windows-based machines, [configure your Windows firewall to enable ICMP](https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure).


**Note**: As of 1 July 2024, Windows-based templates are retired and unavailable to new Paperspace users. If you joined Paperspace prior to this date, you can still start, manage, and create Windows-based template machines.

To enable ICMP for Linux-based machines:

1. Run the `iptables` command to check the current rules on your machine.

   ```shell
   # List all rules with packet and byte counters.
   sudo iptables -L -v
   ```

   If ICMP is enabled, the output should show that `echo-request` and `echo-reply` are accepted.

   ```shell
   ACCEPT icmp -- anywhere anywhere icmp echo-request
   ACCEPT icmp -- anywhere anywhere icmp echo-reply
   ```

2. If ICMP isn’t enabled, enable it by allowing ICMP echo requests and replies.

   ```shell
   # Allow inbound echo requests (ICMP type 8) and outbound echo replies (type 0).
   sudo iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
   sudo iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
   ```

3. Afterwards, save the new rules you’ve added.

   ```shell
   # Write the running IPv4 rules to the saved rules file.
   sudo iptables-save | sudo tee /etc/iptables/rules.v4
   ```

4. Then, reboot your machine.

   ```shell
   sudo reboot
   ```

5. To verify that ICMP is enabled, re-run the `iptables` command and find `ACCEPT icmp` for `echo-request` and `echo-reply`.

   ```shell
   sudo iptables -L -v
   ```

After enabling ICMP on your machine, re-run your `ping` command. If you continue to receive request timeouts or other errors such as denied permissions, contact [Paperspace Support](https://docs.digitalocean.com/products/paperspace/machines/support/index.html.md).
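
Because `iptables -A` appends to the end of a chain, an `ACCEPT icmp` rule can appear in the listing and still never match if a catch-all `DROP` or `REJECT` sits above it. The following added example (not part of the Paperspace documentation) walks rules in `iptables -S INPUT` format in order and reports whether an echo request is accepted; the function name `icmp_echo_allowed` and both sample rule sets are constructed for illustration.

```shell
# Added example: reads `iptables -S INPUT` output on stdin, first match wins.
# Simplification (assumption): only catch-all and plain `-p icmp` rules are
# evaluated; rules with other matchers (-s, -i, conntrack, ...) are skipped.
icmp_echo_allowed() {
  awk '
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
      proto = ""; type = ""; target = ""; other = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-p") { proto = $(++i) }
        else if ($i == "--icmp-type") { type = $(++i) }
        else if ($i == "-j") { target = $(++i) }
        else if (($i == "-m" && $(i + 1) == "icmp") || $i == "--reject-with") { i++ }
        else { other = 1 }
      }
      if (other || (proto != "" && proto != "icmp")) next
      if (type != "" && type != "8" && type != "echo-request") next
      if (target == "ACCEPT") { verdict = "allowed"; exit }
      if (target == "DROP" || target == "REJECT") { verdict = "blocked"; exit }
    }
    END {
      # No rule decided: use the chain policy (a missing policy counts as blocked).
      if (verdict == "") verdict = (policy == "ACCEPT") ? "allowed" : "blocked"
      print verdict
      exit (verdict != "allowed")
    }
  '
}
# Constructed sample: ACCEPT appended (-A) after an existing catch-all REJECT.
sample_appended() {
  cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
EOF
}
# Constructed sample: the same ACCEPT placed ahead of the REJECT.
sample_inserted() {
  cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}
sample_appended | icmp_echo_allowed || true   # blocked
sample_inserted | icmp_echo_allowed           # allowed
```

On a live machine, pipe `sudo iptables -S INPUT` into the function. If it reports `blocked` even though the rule is listed, insert the rule at the top of the chain with `-I INPUT 1` instead of appending it with `-A`.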