How to Set Up a VPN on GCP
Background
We have a self-hosted Apache Airflow on a GCP Instance VM. Our Airflow is publicly accessible so the connection is insecure and vulnerable. Therefore, we will implement a VPN so that Airflow can only be accessed privately. We pick OpenVPN for this guide.
Introduction to VPNs
Virtual Private Network (VPN) is a service that allows users to access websites privately through another network’s servers. VPN is one of the most effective solutions for protecting internet privacy and security. To learn more about VPN, you can read this article.
How does it work?
Users will make a connection to the OpenVPN Server using the OpenVPN Client. When the user is successfully connected, the IP Address of the user will change with the IP Address of the OpenVPN Server. So users will be able to access Airflow privately by using the OpenVPN Server IP Address.
Step 1 : Set up OpenVPN Server
- Create VM Instance in Compute Engine GCP
a. OS: Debian 11
b. Tick on Allow HTTP traffic
c. Tick on Allow HTTPS traffic
d. Add network tags: vpn-server-network
e. Reserve a static external IP address
Notes:
HTTP and HTTPS traffic need to be allowed. So you can access the destination web application, in this case Apache Airflow. - Install OpenVPN Server in VM Instance
# Update & upgrade the system
sudo apt update
sudo apt upgrade
# Download OpenVPN installer
curl -o debian-11-vpn-server.sh https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh
chmod -v +x debian-11-vpn-server.sh
# Check and note down your IPv4 public Address
hostname -I
# Run the installer
sudo ./debian-11-vpn-server.sh
## Fill in all configuration requirements
IP address: <your-ip-address>
Public IPv4 address or hostname: <auto-detect>
Do you want to enable IPv6 support (NAT)? [y/n]: n
Port choice [1-3]: 1
Protocol [1-2]: 1
DNS [1-12]: 9
Enable compression? [y/n]: n
Customize encryption settings? [y/n]: n
## Create a client
Client name: <your-client-username>
Enter PEM pass phrase: <your-client-password>
Verifying - Enter PEM pass phrase: <your-client-password>3. Download client ovpn file (.ovpn)
After successfully creating a client, OpenVPN will automatically create an ovpn file that will be used by the user to be able to connect to the OpenVPN Server. Download and save the ovpn file on your local computer.
Step 2 : Configure firewalls
- Create a firewall rule for OpenVPN Server
a. Open firewall page on VPC Network service
b. Click create firewall rule button
c. Fill in the form
- Rule name (eg. vpn-rule)
- Target tags : vpn-server-network
- Source IPv4 ranges: 0.0.0.0/0
- Tick on UDP
- UDP port: 1194
d. Click on create button - Update IP ranges in Airflow firewall rule
a. Open firewall page on VPC Network service
b. Click on Airflow firewall rule
c. Click Edit
c. Update Source IPv4 ranges to your vpn server static external ip (eg. 34.103.197.203/32)
d. Click on save button
Step 3 : Download and Connect OpenVPN Client
- Download and install OpenVPN Client
- Open the OpenVPN Client app
- Click on Plus button in the lower right corner
- Click on File tab and browse your ovpn file.
- You’ll see your OpenVPN profile
- Click the toggle for connect to OpenVPN Server
- Open Airflow webserver page
Congratulations, your airflow is now only privately accessible through OpenVPN. Cheers! 🍻
