Island to Island VPN
Island comes with a simple, proprietary mechanism called IslandExpress, which lets you set up a VPN connection by sharing a common password. This avoids the need to exchange a public key, which is always a long and unwieldy data string. Note that IslandExpress is used only when creating VPNs; once they have been created, IslandExpress is no longer used and can be disabled for maximum security.
There are two types of Island-to-Island VPN connections:
one-directional
bi-directional
With a one-directional connection, the devices on one Island will be able to access devices on another (likely an Island with more resources, a “server”), but the devices on the “server” will not be able to access devices on the other end. With a bi-directional (or open) connection, any device on either end of the VPN connection can access any device on the other end. For both types of connections, after access is established, VPN permissions must be enabled in the Island app for outbound users or devices before they can use the VPN connection.
ONE-DIRECTIONAL VPN
Example: an employee on a home Island network wants to access devices on the office’s Island network, a common use case.
Advantages:
simplest to set up
avoids having to ensure that there are no IP address conflicts
Pre-planning:
Decide which Island has the resources that remote users need to access; in other words, which Island will be thought of as the server
Choose a password or pass phrase that will be the “Secret” exchange key for the server Island, and communicate this password to the administrator(s) of any Island(s) who wish to set up a VPN connection to the host
Set-up Steps at the “Server” Island
On the app dashboard for the server Island, click on the upper-left main menu and choose VPN.
Click IslandExpress at the top left.
Enter the Secret exchange key.
Leave the “Auto trust” toggle set to off for the highest level of security. This keeps any user or device at the other end of the VPN from connecting automatically and immediately once the connection steps at their end have completed. With Auto trust off, each remote Island wishing to use the VPN for the first time will appear as a pending request on the host dashboard, at which time the admin user can approve each connection. There are circumstances when auto trust could be enabled, for example, if the administrator needs to travel to the remote Island’s location and needs the VPN to be functional immediately. When using auto trust, it’s especially important to use a well-chosen secret that is difficult to guess.
Click Save at the bottom. Your IslandExpress VPN is now active.
If auto trust is off, wait until the connecting VPN remote site is set up. When this has been done, an exclamation point appears on the VPN icon on the host dashboard, indicating the other end is requesting to connect. Click on each pending VPN and choose the Approve button to complete set-up.
Set-up Steps at the VPN Remote Island
On the app dashboard for the connecting Island, click on the upper-left main menu and choose VPN.
Click on Create VPN on the right side of the screen.
Ensure that IslandExpress is selected at the top left as the creation method.
Enter the Secret exchange key.
Enter the name or IP address of the VPN “server” Island.
Click on Create at the bottom, at which time the VPN name (obtained automatically from the server) will appear in a list on the right, with an annotation of “Active/Not operational.”
As soon as approved by the server, the annotation will change to “Active/Operational” and you are all set to use the VPN.
Next, set up permissions and/or a schedule in the app for this Island to indicate which users and devices can make use of the VPN.
BI-DIRECTIONAL VPN
Example: An employee who needs to access office resources while working at home, and home resources while at the office. Or two offices that need access to one another’s resources.
Advantages:
Open access to resources in both directions between two Island networks
Pre-planning:
Each Island must use IP address blocks that are different from one another to avoid address conflicts. In other words, you will have to plan the network addressing scheme, and be able to customize IP addresses for bi-directional access to work.
Additional Steps to Establish Bi-Directional VPN Access
Follow the same steps listed under one-directional setup to establish a “server” VPN at one Island and a VPN connection to the host from the remote Island.
Ensure there are no conflicting IP addresses among the Islands being set up for VPN connections.
In the VPN settings for the “server” Island, click on the named VPN in the right-hand list that represents the remote Island whose devices are now to be accessible to the “server” Island.
Click on the 3 dots in the upper right and choose Edit.
In the “Remote IP(v4) address” and “Remote IP(v6)” lines, choose “none” from the pull-down menu and click Save.
Still at the “server” Island, navigate to the appropriate devices, users, or groups and assign them permission as appropriate to access the remote Island VPN resources.
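The address-conflict check called for in the bi-directional pre-planning and steps above can be done offline before any VPN is created. The following is an added example, not part of the Island product or its documentation; the Island names, address blocks, and the candidate pool are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan: Island names and LAN blocks are hypothetical.
ISLAND_PLAN = {
    "office": ["192.168.2.0/24", "fd00:2::/64"],
    "home": ["192.168.2.128/25", "fd00:3::/64"],
    "branch": ["10.20.0.0/16", "fd00:4::/64"],
}


def parse_plan(plan):
    """Convert CIDR strings to network objects; strict=True rejects blocks
    written with host bits set (a common typo in address plans)."""
    return {
        name: [ipaddress.ip_network(cidr, strict=True) for cidr in cidrs]
        for name, cidrs in plan.items()
    }


def find_conflicts(plan):
    """Return (island_a, block_a, island_b, block_b) for every pair of
    blocks on different Islands that overlap, fully or partially."""
    parsed = parse_plan(plan)
    conflicts = []
    for (a, nets_a), (b, nets_b) in combinations(sorted(parsed.items()), 2):
        for na in nets_a:
            for nb in nets_b:
                # Only compare like with like: IPv4 to IPv4, IPv6 to IPv6.
                if na.version == nb.version and na.overlaps(nb):
                    conflicts.append((a, str(na), b, str(nb)))
    return conflicts


def suggest_block(plan, pool="192.168.0.0/16", new_prefix=24):
    """Return the first block of size new_prefix inside pool that overlaps
    nothing in the plan, or None if the pool is exhausted."""
    used = [n for nets in parse_plan(plan).values() for n in nets]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=new_prefix):
        if not any(cand.version == u.version and cand.overlaps(u) for u in used):
            return str(cand)
    return None


if __name__ == "__main__":
    for a, na, b, nb in find_conflicts(ISLAND_PLAN):
        print(f"CONFLICT: {a} {na} overlaps {b} {nb}")
    print("Free block for renumbering:", suggest_block(ISLAND_PLAN))
```

In the sample plan the home block sits inside the office block, so one of the two Islands must be renumbered before bi-directional access will work.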