
Doorman VPN

Doorman is a virtual private network (VPN) service provided by Equinix Metal™ that helps to secure traffic between you and your servers for management purposes. By enabling Doorman, you will be able to access your servers at their Private IP addresses (which can be helpful if you decide to deploy servers without a Public IP address). Doorman is not a VPN solution between servers for web traffic.

Doorman is also an open-source project developed and maintained by Equinix Metal and available on GitHub.

This document covers configuration and use of Doorman on your Equinix Metal account.

Enabling Doorman

To use Doorman, you need to have Two Factor Authentication (2FA) enabled on your Equinix Metal account.

Once you have 2FA enabled, a new section will be available in the Security section of your Personal Settings: the Customer VPN. Click the toggle to enable Doorman.

The Security panel where you enable Doorman

To enable Doorman through the API, send a POST request to the /user/vpn endpoint.

curl -X POST -H 'X-Auth-Token: <API_TOKEN>' https://api.equinix.com/metal/v1/user/vpn

Downloading the VPN Configuration

After you turn it on, you will see the option to download the OpenVPN configuration files for each of Equinix Metal’s facilities.

Notice that configuration files are only available for a few locations. Any of the options can reach your servers' Private IP addresses in any facility (except hkg1), as long as you have enabled Backend Transfer.

Select the location from the menu that is the closest point of entry. Save the configuration file.

Doorman VPN Configuration Locations

You can also retrieve the config files from the API by sending a GET request to the /user/vpn endpoint. You need to specify which location you would like the configuration files from as the query parameter ?code=<facility_code>. For example, if you would like the configuration files from the Amsterdam location, you would use ?code=ams1.

curl -X GET -H 'X-Auth-Token: <API_TOKEN>' 'https://api.equinix.com/metal/v1/user/vpn?code=<facility_code>'

You can then save the response as a configuration file. If you do not have Doorman VPN enabled on your account, the response will be an error.

Connecting with Doorman VPN

After downloading the config files and importing them into your VPN client, start the connection. The login credentials will be:

  • Username: your Equinix Metal account email.
  • Password: the current 2FA token concatenated with your Equinix Metal account password. (This does mean that the password changes over time.)

For example, if your account password is equinixmetal-rocks-2021 and the 2FA token is 123456, the VPN password would be 123456equinixmetal-rocks-2021.
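
One way to hand these credentials to the OpenVPN command-line client without typing them into shell history or leaving them in a readable file, as an added example that is not Equinix Metal's own code. The function names, the config file name and the digits-only token check are assumptions.

```shell
#!/bin/sh
# Added example, not Equinix Metal's code; function names are hypothetical.

# VPN password = current 2FA token followed by the account password.
# Assumption: the token is digits only, as in the 123456 example.
doorman_password() {
    token=$1
    password=$2
    case $token in
        '' | *[!0-9]*) echo "2FA token must be digits only" >&2; return 1 ;;
    esac
    [ -n "$password" ] || { echo "account password is empty" >&2; return 1; }
    printf '%s%s' "$token" "$password"
}

# Write an OpenVPN --auth-user-pass file (line 1: username, line 2: password).
# mktemp creates it with mode 0600. Prints the path of the new file.
doorman_auth_file() {
    email=$1
    vpn_pass=$(doorman_password "$2" "$3") || return 1
    file=$(mktemp "${TMPDIR:-/tmp}/doorman-auth.XXXXXX") || return 1
    printf '%s\n%s\n' "$email" "$vpn_pass" > "$file"
    printf '%s\n' "$file"
}

# Prompt for the secrets without echoing the password, connect, and delete
# the credentials file when OpenVPN exits or the script is interrupted.
doorman_connect() {
    config=$1
    email=$2
    printf 'Account password: ' >&2
    stty -echo; IFS= read -r password; stty echo; echo >&2
    printf 'Current 2FA token: ' >&2
    IFS= read -r token
    auth=$(doorman_auth_file "$email" "$token" "$password") || return 1
    unset password token
    trap 'rm -f "$auth"' EXIT INT TERM
    # Assumption: the openvpn CLI is installed and needs root for the tunnel.
    sudo openvpn --config "$config" --auth-user-pass "$auth"
}

# Usage (hypothetical file name and address):
#   doorman_connect ./ams1.ovpn you@example.com
```

Because the token half of the password expires, the credentials file is only useful for the connection attempt it was written for.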

Once the connection is successful, you will be able to ping your server’s Private IP address, as well as connect via SSH.

ssh root@10.100.237.133
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-47-generic x86_64)
...
root@vpn:~#

Disabling Doorman

To disable Doorman, you can click the toggle next to Configure VPN in the Security tab of your Personal Settings.

To disable Doorman through the API, send a DELETE request to the /user/vpn endpoint.

curl -X DELETE -H 'X-Auth-Token: <API_TOKEN>' https://api.equinix.com/metal/v1/user/vpn