How to setup Point-To-Site VPN in Google Cloud using OpenVPN

Vikas Kumawat
Google Cloud - Community
8 min read, Dec 11, 2022

If you want a Point-to-Site VPN into GCP, so that a client device can reach GCP resources over an encrypted tunnel, you can deploy a third-party network appliance such as OpenVPN. GCP has no managed Point-to-Site VPN service as of today; Cloud HA VPN only covers Site-to-Site tunnels between networks. But what is OpenVPN, and why use it?

What is OpenVPN?

OpenVPN is free and open-source VPN software that uses the OpenSSL library for TLS and for encrypting tunnel traffic. It is a popular choice for building VPNs because it is mature, widely reviewed and reasonably easy to set up and operate.

OpenVPN lets a user connect to a remote network over the internet and use resources on that network as if the device were attached to it directly. That covers both remote access to a private network (Point-to-Site) and a secure link between two networks (Site-to-Site).

Because the tunnel is encrypted and authenticated, an observer on the path cannot read or tamper with the traffic. Peers authenticate each other with X.509 certificates, and users can additionally be required to present a password and an MFA code, so only authorised users get access.

OpenVPN offers two products: OpenVPN Cloud, a managed service, and a self-hosted product, OpenVPN Access Server. This post uses the self-hosted OpenVPN Access Server.

Prerequisites

  1. Working GCP Project
  2. VPC with a Subnet for OpenVPN Access Server VM

Setup

In this guide we go through the setup and configuration in Google Cloud, using the Cloud Console to deploy the OpenVPN network appliance on Compute Engine.

To get started, log in to the Google Cloud Console and open the GCP Marketplace. Search for OpenVPN Access Server.

Select OpenVPN Access Server from the results and click the Launch button.

Enable the required APIs if they are not enabled already; the deployment page offers an ENABLE button for this.

Once the APIs are enabled, the deployment flow takes you to the New OpenVPN Access Server deployment page. Fill in the required details as per your needs.

Select the VPC in which you want to deploy the network appliance. The deployment also creates the firewall rules the Access Server needs (the admin and client web UI ports and the VPN port itself). Review their source ranges once the deployment is done: the admin UI on TCP 943 in particular should only be reachable from the addresses you administer from, not from the whole internet.

Once the deployment is done, you can find the Admin URL, the Client (Site) URL and the admin credentials. We will change the admin credentials, since they are visible in plain text in Deployment Manager.

After the deployment we have to update both the OpenVPN Access Server configuration and the GCP resource configuration. We will make the following changes:

  1. Reserve the External IP
  2. Change the Admin Password
  3. Update the Time Zone
  4. Install NTP client for automatic time synchronization (Optional)
  5. Update the OS
  6. Update the OpenVPN Access Server
  7. Update the Routes
  8. User Management
  9. Connecting to the VPN using Client
  10. Add Hostname and SSL (Optional)

1. Reserve the External IP

If you deployed OpenVPN Access Server with the default configuration, the external IP attached to the Compute Engine instance is most likely ephemeral. Before making any other change, reserve the existing external IP, so that clients and DNS keep pointing at the same address:

Go to IP Addresses in the Networking section from Cloud Console.

Find the IP attached to the OpenVPN Access Server VM in the EXTERNAL IP ADDRESSES tab and click RESERVE to change the type to static. An ephemeral IP survives a reboot but is released when the VM is stopped; a reserved IP stays with the VM until you release it yourself.

Once you click RESERVE, it will ask to provide a name and a description for the External IP.

2. Update the Admin Password

The deployment generated an admin password that is visible in Deployment Manager, so I highly recommend changing it. Click the SSH button to open a shell on the instance and run the command below to change the password of the openvpn user (on the marketplace image this is a Linux account that the Access Server authenticates through PAM). On newer Access Server releases the openvpn admin may instead live in the Access Server's own local user database; in that case set the password under USER MANAGEMENT in the Admin UI.

sudo passwd openvpn

3. Update Default Timezone

The default time zone on the image is PST. If you are somewhere else, SSH into the VM and run the command below to change it:

sudo dpkg-reconfigure tzdata

4. Install NTP Client (Optional)

Install an NTP client so the clock stays synchronised. This matters most if you use Google Authenticator (TOTP) for MFA, because TOTP codes are only valid in a short window around the correct time. Note that Ubuntu already runs systemd-timesyncd by default, so this step is only needed if you want a full NTP daemon. SSH into the VM and run:

sudo apt-get install ntp

5. Update the OS

If you deploy OpenVPN Access Server from the Google Cloud Marketplace, the image runs Ubuntu. Update the OS before you start using it. SSH into the VM and run:

sudo apt-get update
sudo apt-get upgrade

6. Update the OpenVPN Access Server

Updating the OS does not update OpenVPN Access Server itself: the package is held back so that a routine OS update cannot change it. You have to upgrade it explicitly. First check the current version (all commands in this step run over SSH on the VM):

cat /etc/issue

Expected output is similar to below:

vikask@openvpn-access-server-1-vm:~$ cat /etc/issue
OpenVPN Access Server Appliance 2.8.5 \n \l

At the time of writing, the current OpenVPN Access Server version is 2.11.1. To update, run:

sudo apt upgrade openvpn-as

Once you update the OpenVPN Access Server, it is recommended to reboot the server.

sudo reboot

Once the reboot is complete, verify the OpenVPN Access Server version.

vikask@openvpn-access-server-1-vm:~$ cat /etc/issue
OpenVPN Access Server Appliance 2.11.1 \n \l

You can also verify the version in the OpenVPN Admin UI. Log in using the Admin URL:

https://[External IP Address/Hostname]:943/Admin

If you are logging in for the first time, then read the Disclaimer and click on Agree.
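The shell steps 2 to 6 above, collected into one script that I am adding here as an example; it is not from the original post and not an OpenVPN script. It runs on the Access Server VM after you SSH in, prints the commands it would run by default, and only executes them when APPLY=1 is set. The time zone (TZ_NAME, defaulting to UTC), the sacli path, the use of apt-mark to release the held package and the OPENVPN_ADMIN_PASS variable are assumptions; the version parsing matches the /etc/issue lines shown above.

```sh
#!/bin/sh
# Post-deployment hardening of an OpenVPN Access Server VM on Compute Engine.
# Added example (not from the original post, not an OpenVPN script). Covers
# steps 2 to 6: admin password, time zone, clock sync, OS update, Access
# Server update, with a version check before and after. Prints the plan by
# default; executes it only when APPLY=1 is set.
set -eu

APPLY=${APPLY:-0}
TZ_NAME=${TZ_NAME:-Etc/UTC}                          # assumption: UTC unless told otherwise
SACLI=${SACLI:-/usr/local/openvpn_as/scripts/sacli}  # Access Server CLI
WANT_VERSION=${WANT_VERSION:-2.11.1}                 # release current when this was written

# run: print the command; execute it only when APPLY=1.
run() { echo "+ $*"; [ "$APPLY" = 1 ] && "$@"; return 0; }

# as_version LINE: the Access Server version from an /etc/issue line such as
# "OpenVPN Access Server Appliance 2.8.5 \n \l"; empty if it is not an AS image.
as_version() {
  printf '%s\n' "$1" | sed -n 's/.*OpenVPN Access Server Appliance \([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: true when dotted version A is >= B, comparing numerically
# component by component (so 2.11.1 > 2.8.5, unlike a string compare).
version_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ax=${a%%.*}; bx=${b%%.*}
    [ "${ax:-0}" -gt "${bx:-0}" ] && return 0
    [ "${ax:-0}" -lt "${bx:-0}" ] && return 1
    case $a in *.*) a=${a#*.};; *) a=;; esac
    case $b in *.*) b=${b#*.};; *) b=;; esac
  done
  return 0
}

current_as_version() {
  as_version "$( [ -r /etc/issue ] && cat /etc/issue || echo unknown )"
}

harden() {
  echo "Access Server before: $(current_as_version)"

  # 2. Admin password. On the marketplace image 'openvpn' is a Linux account
  #    authenticated through PAM, so passwd is enough. Where the admin lives in
  #    the Access Server's local user DB instead, use (OPENVPN_ADMIN_PASS is an
  #    assumed variable; the value is visible in ps and in shell history):
  #    sudo "$SACLI" --user openvpn --new_pass "$OPENVPN_ADMIN_PASS" SetLocalPassword
  run sudo passwd openvpn

  # 3. Time zone: non-interactive equivalent of dpkg-reconfigure tzdata.
  run sudo timedatectl set-timezone "$TZ_NAME"

  # 4. Clock sync. Ubuntu already runs systemd-timesyncd; only install the ntp
  #    package if this does not report "System clock synchronized: yes".
  run timedatectl status

  # 5. OS update.
  run sudo apt-get update
  run sudo env DEBIAN_FRONTEND=noninteractive apt-get -y upgrade

  # 6. Access Server update. The package is held back from routine upgrades;
  #    release the hold only for this explicit upgrade (assumes an apt-mark hold).
  if apt-mark showhold 2>/dev/null | grep -qx openvpn-as; then
    run sudo apt-mark unhold openvpn-as
  fi
  run sudo apt-get install -y --only-upgrade openvpn-as

  after=$(current_as_version)
  echo "Access Server after:  $after"
  if [ "$APPLY" = 1 ] && ! version_ge "${after:-0}" "$WANT_VERSION"; then
    echo "still below $WANT_VERSION: check the apt sources, then reboot" >&2
    return 1
  fi
}

# Usage: sh harden.sh --run            (dry run, prints the plan)
#        APPLY=1 sh harden.sh --run    (executes; reboot afterwards)
if [ "${1:-}" = --run ]; then
  harden
fi
```

Run it once without APPLY to read the plan, then with APPLY=1; the passwd step prompts interactively, and the version check after the upgrade is what tells you whether the held package was actually replaced.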

7. Update the Routes

By default the OpenVPN Access Server only routes the subnet it is deployed in. To reach additional subnets, or resources in them, you have to advertise those subnets under Routing.

To do that, log in to the Admin UI of OpenVPN Access Server. Once logged in, go to CONFIGURATION and select VPN Settings.

In the Routing section, add every additional subnet that VPN clients should be able to reach.

In this example, I have added the 10.128.0.0/20 subnet, where I have workloads that need to be reachable from the OpenVPN client.

Add the route, save the settings and click Update Running Server.

Make sure a GCP firewall rule allows traffic into the additional subnets from the OpenVPN Access Server's subnet or from the Access Server VM itself. By default the Access Server gives VPN clients access to your VPC using NAT (Network Address Translation): traffic from VPN clients appears to come from the internal IP address of the Access Server, so that address is the source the firewall rule must allow. If you switch Routing to the routed mode instead, the workloads see the client addresses, the VM needs IP forwarding enabled, and the VPC needs a route for the VPN client network that points at the VM.

Also have a look at the VPN IP Network section. Make sure the client address pool defined there (172.27.224.0/20 by default) does not overlap any CIDR already in use in your VPC or on the client side, otherwise addresses in the overlapping range become unreachable from the client.
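As an added example, not from the original post and not from OpenVPN or Google, here are the same Routing and VPN IP Network settings driven from the shell with sacli, an overlap check between each routed subnet and the client pool, and the VPC firewall rule that NAT mode needs. The VPC name, the Access Server's internal IP and the subnet list are assumptions; 172.27.224.0/20 is the Access Server's default client pool. The sacli calls run on the VM, the gcloud call from a workstation with the SDK.

```sh
#!/bin/sh
# Routes, NAT and VPC firewall for OpenVPN Access Server on GCP, from the shell.
# Added example (not from the original post, nor from OpenVPN or Google).
# Mirrors the Routing and VPN IP Network settings of the Admin UI via sacli,
# refuses subnets that overlap the client pool, and adds the VPC firewall rule
# NAT mode needs. Prints the plan by default; executes only when APPLY=1.
set -eu

APPLY=${APPLY:-0}
SACLI=${SACLI:-/usr/local/openvpn_as/scripts/sacli}
VPN_POOL=${VPN_POOL:-172.27.224.0/20}           # Access Server default client pool
VPC=${VPC:-default}                             # assumption: your VPC name
AS_INTERNAL_IP=${AS_INTERNAL_IP:-10.128.0.2}    # assumption: Access Server's internal IP

run() { echo "+ $*"; [ "$APPLY" = 1 ] && "$@"; return 0; }

# ip_to_int 10.128.0.0 -> 176160768 (dotted quad as a 32-bit number)
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# netmask_int 20 -> 4294963200 (0xFFFFF000)
netmask_int() { echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )); }

# cidr_overlap A B: true when two IPv4 CIDRs share at least one address.
# Both network addresses are masked with the shorter prefix: if they agree,
# the larger block contains the smaller one.
cidr_overlap() {
  a_ip=${1%/*}; a_bits=${1#*/}; b_ip=${2%/*}; b_bits=${2#*/}
  if [ "$a_bits" -le "$b_bits" ]; then m=$(netmask_int "$a_bits"); else m=$(netmask_int "$b_bits"); fi
  [ $(( $(ip_to_int "$a_ip") & m )) -eq $(( $(ip_to_int "$b_ip") & m )) ]
}

# configure_routes CIDR...: Admin UI > VPN Settings > Routing. Entry N of
# vpn.server.routing.private_network.N is the N-th subnet in the list; NAT mode
# makes client traffic leave the VM with the VM's own internal address.
configure_routes() {
  i=0
  for net in "$@"; do
    if cidr_overlap "$VPN_POOL" "$net"; then
      echo "refusing $net: it overlaps the VPN client pool $VPN_POOL" >&2
      return 1
    fi
    run sudo "$SACLI" --key "vpn.server.routing.private_network.$i" --value "$net" ConfigPut
    i=$((i + 1))
  done
  run sudo "$SACLI" --key vpn.server.routing.private_access --value nat ConfigPut
  run sudo "$SACLI" start   # same effect as "Update Running Server"
}

# In NAT mode the workloads see the Access Server's internal IP as the source,
# so that is what the VPC firewall must allow. Narrow --allow to the ports your
# workloads need and add --target-tags rather than opening the whole VPC.
allow_from_access_server() {
  run gcloud compute firewall-rules create allow-from-openvpn-as \
    --network "$VPC" --direction INGRESS \
    --source-ranges "$AS_INTERNAL_IP/32" --allow tcp,udp,icmp
}

# Usage: sh routes.sh --run 10.128.0.0/20 10.132.0.0/20      (plan only)
#        APPLY=1 sh routes.sh --run 10.128.0.0/20            (apply)
if [ "${1:-}" = --run ]; then
  shift
  configure_routes "$@"
  allow_from_access_server
fi
```

The overlap check is the part worth keeping even if you configure everything in the UI: a routed subnet that overlaps the client pool, or a client pool that overlaps the user's home network, fails silently as "cannot reach host" rather than as a configuration error.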

8. User Management

Now that the OpenVPN Access Server is configured, we can create the users who will connect to it. The openvpn user already exists and could be used, but it is the administrator; I recommend creating separate users without admin rights for everyday VPN access.

To manage users, go to USER MANAGEMENT and select User Permissions. Add the users you need and click Save Settings.

Click Update Running Server to apply the change to the running OpenVPN Access Server.
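The same user creation from the shell, as an added example that is not from the original post and not an OpenVPN script. It assumes the server uses its local authentication mode (Authentication > Settings in the Admin UI), so the password set here is the one the user logs in with; the password policy is this script's own choice, and the VPN_USER and VPN_PASS variables are assumptions.

```sh
#!/bin/sh
# Create non-admin VPN users on OpenVPN Access Server from the shell. Added
# example (not from the original post, not an OpenVPN script). Assumes the
# server uses local authentication. Prints the plan by default; executes only
# when APPLY=1.
set -eu

APPLY=${APPLY:-0}
SACLI=${SACLI:-/usr/local/openvpn_as/scripts/sacli}

run() { echo "+ $*"; [ "$APPLY" = 1 ] && "$@"; return 0; }

# password_ok PASS: at least 12 characters and three of the four classes
# lower, upper, digit, other. This policy is this script's choice, not an
# Access Server rule.
password_ok() {
  p=$1
  [ ${#p} -ge 12 ] || return 1
  n=0
  case $p in *[a-z]*) n=$((n + 1));; esac
  case $p in *[A-Z]*) n=$((n + 1));; esac
  case $p in *[0-9]*) n=$((n + 1));; esac
  case $p in *[!A-Za-z0-9]*) n=$((n + 1));; esac
  [ "$n" -ge 3 ]
}

# add_vpn_user NAME PASS: an ordinary connecting user. Admin rights and
# auto-login (profiles that connect without a password) are explicitly off,
# so a later bulk edit cannot silently leave them on. The password is passed
# as an argument, so it is visible in ps and in shell history: use a
# throwaway initial value delivered to the user out of band.
add_vpn_user() {
  password_ok "$2" || { echo "password for $1 does not meet the policy" >&2; return 1; }
  run sudo "$SACLI" --user "$1" --key type --value user_connect UserPropPut
  run sudo "$SACLI" --user "$1" --key prop_superuser --value false UserPropPut
  run sudo "$SACLI" --user "$1" --key prop_autologin --value false UserPropPut
  run sudo "$SACLI" --user "$1" --new_pass "$2" SetLocalPassword
}

# enable_totp_mfa: require a Google Authenticator (TOTP) code in addition to
# the password for every user, server-wide, then apply to the running server.
# Users enrol on their next login to the Client Web UI.
enable_totp_mfa() {
  run sudo "$SACLI" --key vpn.server.google_auth.enable --value true ConfigPut
  run sudo "$SACLI" start
}

# Usage: VPN_USER=alice VPN_PASS='...' sh users.sh --run          (plan)
#        APPLY=1 VPN_USER=alice VPN_PASS='...' sh users.sh --run  (apply)
if [ "${1:-}" = --run ]; then
  add_vpn_user "${VPN_USER:?set VPN_USER}" "${VPN_PASS:?set VPN_PASS}"
  enable_totp_mfa
fi
```

Turning on TOTP is the one step here that changes behaviour for the existing openvpn admin as well, so do it from a session where you can still complete the enrolment.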

9. Connecting to the VPN using Client

Now that we have created user(s), we can connect to OpenVPN using the client. Users download the OpenVPN Connect client by logging in to the Client Web UI, which is served on the address of the OpenVPN Access Server:

https://[External IP Address/Hostname]

Enter the username and password to log in. Once logged in, you can download the client, or only the connection profile if the client is already installed.

I have the client installed already, so I download the profile instead. After importing the profile, enter the user password and you should be good to go.

Now let's test connectivity from the local machine to Compute Engine VMs. First, ping the OpenVPN Access Server on its private IP.

As you can see in the snapshot above, I am able to ping the OpenVPN Access Server on its private IP address. Now let's ping a VM in the other subnet, the one we added in the Routes section.

Ping worked for the other subnet as well. Note: this only works if the firewall rule allowing traffic into the additional subnets is in place, and a successful ping only proves that ICMP gets through; the rule must also allow the TCP/UDP ports your applications use.

10. Add Hostname and SSL

The OpenVPN Access Server's web services are served on the public IP address with a self-signed certificate, so the browser shows a warning every time you open them. Use an FQDN with a CA-signed certificate to get rid of the warnings, which also stops users from getting used to clicking through them; an FQDN is easier to remember as well.

To set up the hostname and the certificate, follow this documentation.
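The hostname and certificate settings driven from the shell, as an added example that is not from the original post and not an OpenVPN script. The FQDN and the file paths are assumptions, and the certificate itself is obtained outside the script (from your CA or an ACME client); the check at the end reads back what the admin port actually serves.

```sh
#!/bin/sh
# Hostname and CA-signed web certificate for OpenVPN Access Server, from the
# shell. Added example (not from the original post, not an OpenVPN script).
# The FQDN and file paths are assumptions. Prints the plan by default;
# executes only when APPLY=1.
set -eu

APPLY=${APPLY:-0}
SACLI=${SACLI:-/usr/local/openvpn_as/scripts/sacli}
FQDN=${FQDN:-vpn.example.com}                 # assumption
KEY=${KEY:-/etc/ssl/private/vpn.key}          # assumption: PEM private key
CERT=${CERT:-/etc/ssl/certs/vpn.crt}          # assumption: PEM server certificate
CHAIN=${CHAIN:-/etc/ssl/certs/vpn-chain.crt}  # assumption: PEM intermediate bundle

run() { echo "+ $*"; [ "$APPLY" = 1 ] && "$@"; return 0; }

# install_web_cert: the same fields the Admin UI's Web Server page takes,
# then a restart so the Admin UI and Client Web UI serve the new certificate.
# host.name is also the address written into downloaded profiles, so set it
# before users download theirs.
install_web_cert() {
  if [ "$APPLY" = 1 ]; then
    for f in "$KEY" "$CERT" "$CHAIN"; do
      sudo test -r "$f" || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    run sudo chmod 600 "$KEY"   # the private key must not be world-readable
  fi
  run sudo "$SACLI" --key host.name --value "$FQDN" ConfigPut
  run sudo "$SACLI" --key cs.priv_key --value_file "$KEY" ConfigPut
  run sudo "$SACLI" --key cs.cert --value_file "$CERT" ConfigPut
  run sudo "$SACLI" --key cs.ca_bundle --value_file "$CHAIN" ConfigPut
  run sudo "$SACLI" start
}

# check_web_cert: print subject, issuer and validity of the certificate the
# admin port serves, so the warning is gone because the chain is right and
# not because someone clicked through it.
check_web_cert() {
  run sh -c "openssl s_client -connect '$FQDN:943' -servername '$FQDN' </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates"
}

# Usage: FQDN=vpn.example.com sh webcert.sh --run            (plan)
#        APPLY=1 FQDN=vpn.example.com sh webcert.sh --run    (apply and verify)
if [ "${1:-}" = --run ]; then
  install_web_cert
  check_web_cert
fi
```

Point the DNS record at the reserved external IP from step 1 before applying this; a certificate for a name that resolves to an ephemeral address is only valid until the next stop/start.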

Licensing

OpenVPN Access Server allows two concurrent connections free of charge. If you need more, you can buy additional licences directly from OpenVPN.
