Home / server / Questions / 590530
Accepted
OZ_
Asked: 2014-04-23 03:59:48 +0800 CST

VPN server on Google Compute Engine with OpenVPN

  • 772

I'm trying to use Google Compute Engine server as VPN server for all my traffic (I'm living in Russia, we have some issues with censorship here).

There is mini-tutorial about VPN on GCE, but it's about network between 2 servers inside GCE and not with OpenVPN.

I've made all steps from another tutorial, about setting up VPN with OpenVPN on Debian, I can connect to VPN from client, but then I can't open connections (can't even ping google). On the server I can ping and download everything as usual.

I have VPN on Linode with same setup and it works fine. So issue is in GCE network routing or firewall rules.

I've tried a lot of variants but nothing works. Please, look at settings and tell me what should I change.

// config lines removed, because issue is solved //

vpn openvpn google-cloud-platform google-compute-engine

8 Answers

  1. You can solve the issue of not being able to browse the web through the VPN despite being able to ping, traceroute... by one of the two following ways:

    First, you can use TCP protocol instead of UDP, by changing 'proto udp' to 'proto tcp' in both client and server conf files.

    Second, you can use tap device instead of tun, by changing 'dev tun' to 'dev tap' in both client and server conf files.

    Not sure what the issue is though, it seems it's a problem from Google's end.

    • 7
  2. Best Answer

    First of all, thanks to @Shivox for his answer.

    And here is the quick how-to:

    • I recommend you create additional network (see "Networks" tab"). In network preferences, add allowing rules for: tcp:22 (if not exist), tcp:9700, tcp:17619. 17619 here is variable - change it to any port you like (range is 9075-65534). You only need 3 rules and 2 default routes, nothing else.
    • Go to "Create Compute Engine instance", click "Show advanced options", allow ports forwarding, select location of the server.
    • Now (when you've selected location), add static IP to the server.
    • Select Ubuntu 14.04 image (exactly this version).
    • Create instance
    • Connect via SSH (most easy way - use in-browser tool from GCE panel)
    • sudo su
    • apt-key update && apt-get update && apt-get -y upgrade && apt-get -y install python-software-properties && apt-get -y install software-properties-common && add-apt-repository -y ppa:pritunl && apt-get update && apt-get -y install pritunl
    • In browser open https://instance_ip:9700
    • On question about DB, click "Save"
    • In login window, use pritunl as username and password
    • Now change username and password of admin user
    • Add organization, then 2 users (for desktop and mobile)
    • Click "Add server" in "Servers" tab
    • Use port number from first step (17619 as example) and tcp protocol.
    • Attach organization to server
    • Start server
    • In "Users" tab download keys for both users (tar archives with ovpn files inside).

    I use Viscosity for OS X and OpenVPN connect for iOS as clients. In Viscosity, turn on "Send all traffic over VPN connection" option in "Networking" tab.

    • 7

  3. Please remember that Google VPC is dropping packets that has source_ip other than an internal IP of a VM having external IP.

    This doc https://cloud.google.com/compute/docs/vpc/advanced-vpc states:

    The VPC network rewrites the IP header to declare the instance's external IP address as the source. If the instance has no external IP address, the call is not allowed, and the VPC network drops the packet without informing the sender.

    So if your openVPN is just forwarding packets from the other network, then the packets to public internal will be dropped as source_ip does not match any existing VM's internal IP. For this reason you need to NAT the packets leaving your local network, e.g on your VPN node. 

    Chain POSTROUTING (policy ACCEPT)
target      prot opt source              destination         
MASQUERADE  all  --  192.168.0.0/16      !192.168.0.0/16

    "Pritunl" mentioned in the OZ_ answer works, because it configures the NAT automatically.

    • 4

  4. This is not really an answer, but the site didn't allow me to add it as a comment to your question.

    Nevertheless, I have almost the exact same configuration you detailed above (I didn't configure the dnsmaq on the server tough)

    Unfortunately, The VPN is not working as expected. I can resolve an address, ping some Internet hosts and even make a complete trace while connected to the VPN. However when I open the browser and navigate to a site, the connection is really slow. I don't know what can be affecting the connection, but is really a strange problem.

    Maybe someone from Google can help us know what is going on.

    PS 1. As other people has suggested before, can you verify if ip forwarding is enable? For me, the only way to ensure the value for net.ipv4.ip_forward was properly restored after a reboot was after I used a custom rule on /etc/sysctl.d

    For example, you can add the rule using the following command:

    $ sudo echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/90-useroverrides.conf

    PS 2. If the forward works for you, can you test a trace route to a external host while connected to the VPN?. The output I got when I do this is a bit strange (Why there are multiple hops on the same IP ????):

    $ sudo traceroute www.yahoo.com -T -p 80 -N 1 -z 0.5 -q 1
traceroute to www.yahoo.com (98.139.183.24), 30 hops max, 60 byte packets
 1  209.85.241.26 (209.85.241.26)  0.764 ms
 2  209.85.241.34 (209.85.241.34)  0.668 ms
 3  209.85.241.26 (209.85.241.26)  0.966 ms
 4  209.85.241.36 (209.85.241.36)  0.702 ms
 5  209.85.241.28 (209.85.241.28)  0.865 ms
 6  209.85.241.36 (209.85.241.36)  0.642 ms
 7  209.85.241.26 (209.85.241.26)  0.921 ms
 8  209.85.241.28 (209.85.241.28)  18.837 ms
 9  72.14.238.107 (72.14.238.107)  13.378 ms
10  72.14.237.131 (72.14.237.131)  38.275 ms
11  209.85.254.131 (209.85.254.131)  13.349 ms
12  *
13  ae-8.pat1.bfz.yahoo.com (216.115.101.231)  44.903 ms
14  ae-4.msr1.bf1.yahoo.com (216.115.100.25)  45.323 ms
15  xe-10-3-1.clr1-a-gdc.bf1.yahoo.com (98.139.232.101)  47.382 ms
16  et18-25.fab6-1-sat.bf1.yahoo.com (98.139.128.103)  45.793 ms
17  po-13.bas1-7-prd.bf1.yahoo.com (98.139.129.209)  41.143 ms
18  ir2.fp.vip.bf1.yahoo.com (98.139.183.24)  42.451 ms

    PS 3. The only thing that seems to work properly is the VPN is using the external IP from my host to access the Internet

    $ sudo curl --interface tun0 checkip.dyndns.org
<html><head><title>Current IP Check</title></head><body>Current IP Address: 107.178.XXX.XXX</body></html>
    • 3

  5. Edit /etc/sysctl.conf by uncommenting #net.ipv4.ip_forward=1

    That should allow OpenVPN to direct your traffic.

    • 1

  6. You need IP forwarding enabled for your VM instance in google cloud, otherwise packets won't reach your VM. Note, this is separate from net.ipv4.ip_forward = 1 that you can set in your VM.

    IP forwarding can only be set once before you create a VM, and cannot be modified afterwards. To enable it for a new VM click Management, security, disks, networking, sole tenancy: enter image description here

    Then, in Networking tab click on Network Interface and set IP Forwarding to ON:

    enter image description here

    • 1

  7. You need to add rule that allow traffic for OpenVPN itself:

    iptables -A INPUT -p udp --dport 1194 -j ACCEPT
    • 0

  8. About the Network.

    1) Enable all traffic from OpenVPN Subnet (e.g. 10.8.0.0/24) at Console

    2) I would strongly suggest You to add Masquerade to Your network

    firewall-cmd --zone=trusted --add-masquerade --permanent
firewall-cmd --reload-all

    3) Do not forget to enable packet routing in the kernel

    a) once 

     echo 1 > /proc/sys/net/ipv4/ip_forward

    b) forever in /etc/sysctl.conf:

     net.ipv4.ip_forward = 1
    • 0