How to set up a VPN connection during builds?

In case you need to connect to a private network during your builds (for example to deploy to an environment behind a VPN), we suggest you configure the VPN connection as follows:


  • Base64-encode the OpenVPN client configuration file, and store it as an environment variable
  • If the VPN client authentication is credentials-based, you'll also need to add the username and password as environment variables.
  • Use the below sample configuration

version: 2.1
workflows:
  vpn-build:  # any workflow name works
    jobs:
      - build
jobs:
  build:
    machine:
      image: ubuntu-1604:202004-01
    steps:
      - run:
          name: Install OpenVPN
          command: |
            sudo apt-get update
            sudo apt-get install openvpn -y
      - run:
          name: Check IP before VPN connection
          command: |
            ifconfig
            route -n
            sudo netstat -anp
            cat /etc/resolv.conf
            curl
      - run:
          name: VPN Setup
          background: true
          command: |
            # Peer of the established SSH (port 22) connection to this machine;
            # the first --route below is meant to keep it on the original gateway.
            phone_home=$(netstat -an | grep ':22 .*ESTABLISHED' | head -n1 | awk '{ split($5, a, ":"); print a[1] }')
            echo "$phone_home"
            # Create the decoded config and the login file readable by the build user only.
            umask 077
            printf '%s' "$VPN_CLIENT_CONFIG" | base64 --decode > /tmp/config.ovpn
            # '%s' keeps any '%' or '\' in the credentials literal: username on line 1, password on line 2.
            printf '%s\n%s\n' "$VPN_USER" "$VPN_PASSWORD" > /tmp/vpn.login
            sudo openvpn --config /tmp/config.ovpn --auth-user-pass /tmp/vpn.login \
              --route $phone_home net_gateway \
              --route net_gateway
      - run:
          name: Wait for the connection to be established
          command: sleep 30
      - run:
          name: Check IP after VPN connection
          command: |
            ifconfig
            route -n
            sudo netstat -anp
            cat /etc/resolv.conf
            curl
      - run:
          name: Run commands in our infrastructure
          command: |
            # A command
            # Another command
      - run:
          name: Disconnect from OpenVPN
          command: sudo killall openvpn || true
          when: always
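
The encode and decode steps around the sample configuration above, as an added shell example that is not part of the original article: one helper produces the single-line base64 value to store, the other recreates the files in the build with owner-only permissions and fails closed on a missing or corrupt value. `encode_vpn_config` and `write_vpn_secrets` are hypothetical helper names, the environment variable names follow the article, and GNU coreutils `base64` is assumed.

```shell
#!/bin/sh
# Added example, not CircleCI's code. Helper names are hypothetical;
# VPN_CLIENT_CONFIG, VPN_USER and VPN_PASSWORD follow the article.

# Run locally: print the .ovpn file ($1) as one unwrapped base64 line,
# ready to paste into the VPN_CLIENT_CONFIG environment variable.
encode_vpn_config() {
  base64 < "$1" | tr -d '\n'
}

# Run in the build: recreate config.ovpn (and vpn.login when VPN_USER is set)
# under directory $1. The body is a subshell, so umask and variables
# do not leak into the caller.
write_vpn_secrets() (
  dir=$1
  if [ -z "${VPN_CLIENT_CONFIG:-}" ]; then
    echo "VPN_CLIENT_CONFIG is not set" >&2
    exit 1
  fi
  umask 077                        # new files 0600, new directories 0700
  mkdir -p "$dir" || exit 1
  # Reject a truncated or mangled variable instead of handing openvpn
  # a partial configuration.
  if ! printf '%s' "$VPN_CLIENT_CONFIG" | base64 --decode > "$dir/config.ovpn" 2>/dev/null ||
     [ ! -s "$dir/config.ovpn" ]; then
    rm -f "$dir/config.ovpn"
    echo "VPN_CLIENT_CONFIG is not valid base64 or decodes to nothing" >&2
    exit 1
  fi
  if [ -n "${VPN_USER:-}" ]; then
    # '%s' writes '%' and '\' in the credentials literally; openvpn reads
    # the username from line 1 and the password from line 2.
    printf '%s\n%s\n' "$VPN_USER" "${VPN_PASSWORD:-}" > "$dir/vpn.login"
  fi
)
```

In a build step this would be called as `write_vpn_secrets /tmp` before starting `openvpn`.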



To set up an L2TP VPN connection, we recommend referring to this guide.

We suggest storing VPN_SERVER_IP, VPN_IPSEC_PSK, VPN_USER and VPN_PASSWORD as environment variables. Ideally, you might want to base64-encode VPN_IPSEC_PSK before storing it; you'll need to decode it during the build.

To retrieve the default gateway IP address during the build, you can use either of the following:

  • default_gw_IP=$(netstat -r | grep default | awk '{ print $2 }')
  • default_gw_IP=$(ip route | grep default | awk '{ print $3 }')

 Note that you must use the machine executor.
