In this guide we will setup a “Debian 9(stretch)” virtual machine on our GCP Project and configure a OpenVPN server.
Let’s start by opening the menu from the top left of the page and selecting ‘VM instances’ under ‘Compute Engine’.
We start the creation process by clicking on create.
Next we start by giving a name to the instance to be created. Then we select a region. The best option is to select a region that is in close proximity. The regions can be further specified by selecting a zone under them(this is an optional choice and may be left as the default value).
Now we will select the operating system that we want the system to use. Click on the change icon and search for ‘Debian 9′(if that is not already selected).
We shall see a link for “Management, security, discs, networking, sole tenancy” when we scroll down the page. We will click on that to view an advanced options section.
Navigating to the Security tab we can add our public ssh key into the box. We should add a name at the end of the ssh key if there is not one as that will the username we shall use to connect to the instance later on.
Finally we shall move onto the Networking tab and add ‘vpn’ to the Network tags field. This tag will later be used to bind firewall rules to the instance.
Finally we can click the ‘Create’ button on the bottom of the page and start the creation of the instance.
With the machine instance setup we can now move onto adding a rule to allow clients to connect to the VPN server. We navigate to the Firewall Rules section as shown below.
We start by adding a rule and giving it a name.
Then we select the Ingress option to make the rule effect incoming packages and set the ‘Action’ as ‘Allow’
We will select the Specified targets tags from the Targets field. And then set the tag that we gave the machine during creation as the Target tag. This will associate the rule with the machine.
Next we select IP Ranges as the Source filter on the rule. and add ‘0.0.0.0/0’ as the Source IP range. This will allow all addresses to reach the machine over VPN. If we have a list of the client public addresses we can give that in order to restrict the allowed Public IP’s.
Finally we select “Specified protocols and ports” option and set the tcp port that we want for the VPN server connection. The default OpenVPN port is 1194.
We can now click the ‘Create’ button at the bottom to add the rule.
Having set up the machine and its security rules we can now start installing OpenVPN and configuring it. Start by connecting to the machine over ssh. Once connected:
sudo su cd
wget https://git.io/vpn -O openvpn-configuration.sh chmod +x openvpn-configuration.sh
Upon running the script asks us about the ip address of the machine. We select the number corresponding to the Public IP address of the machine.
Next we choose to use TCP as the base connection type for our VPN.
Now we will set the port that we added an Inbound rule for so that the OpenVPN server can listen for incoming connections on that port.
The DNS option can be set as preferred.
Finally we give a name that will be used to create a certificate for a user to be allowed to connect. The script will create the required files that a user will need to be able to connect to the server.
Welcome to this OpenVPN road warrior installer! I need to ask you a few questions before starting setup. You can use the default options and just press enter if you are ok with them. This server is behind NAT. What is the public IPv4 address or hostname? Public IPv4 address / hostname [18.104.22.168]: Which protocol do you want for OpenVPN connections? 1) UDP (recommended) 2) TCP Protocol : 2 What port do you want OpenVPN listening to? Port : Which DNS do you want to use with the VPN? 1) Current system resolvers 2) 22.214.171.124 3) Google 4) OpenDNS 5) Verisign DNS : Finally, tell me a name for the client certificate. Client name [client]: 1234 Okay, that was all I needed. We are ready to set up your OpenVPN server now. Press any key to continue...
With the server up and running we can run the script again in order to create new client certificates or to revoke existing certificates.
We can rerun the script we downloaded to install OpenVPN. The script will now as us if we want to add or remove a user.
Entering the number corresponding to “Add a new user” and then providing a name for the user when prompted for shall create the certificate file required for the user to connect to the VPN server.
Looks like OpenVPN is already installed. What do you want to do? 1) Add a new user 2) Revoke an existing user 3) Remove OpenVPN 4) Exit Select an option: 1 Tell me a name for the client certificate. Client name: test2 Using SSL: openssl OpenSSL 1.1.0l 10 Sep 2019 Generating a RSA private key .......................................................................+++++ ...........+++++ writing new private key to '/etc/openvpn/server/easy-rsa/pki/private/test2.key.DVI9' ----- Using configuration from ./safessl-easyrsa.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'test2' Certificate is to be certified until Mar 21 16:49:44 2030 GMT (3650 days) Write out database with 1 new entries Data Base Updated Client test2 added, configuration is available at: /root/test2.ovpn
On the other hand if we enter the number corresponding to “Revoke an existing user”; we will be presented with a list of the available clients. Entering the number corresponding to the user that we intend to remove shall destroy the certificate generated for that user; resulting in them not being able to connect to the VPN.
Looks like OpenVPN is already installed. What do you want to do? 1) Add a new user 2) Revoke an existing user 3) Remove OpenVPN 4) Exit Select an option: 2 Select the existing client certificate you want to revoke: 1) client 2) test2 Select one client: 2 Do you really want to revoke access for client test2? [y/N]: y Using configuration from ./safessl-easyrsa.cnf Revoking Certificate 12B01D572096F0E4512D3DE9E0480C88. Data Base Updated Using SSL: openssl OpenSSL 1.1.0l 10 Sep 2019 Using configuration from ./safessl-easyrsa.cnf An updated CRL has been created. CRL file: /etc/openvpn/server/easy-rsa/pki/crl.pem Certificate for client test2 revoked!
Since we only allow SSH connection to the machine other than the VPN; we can use any SFTP client to connect to the server and download the user certificate files.
Users can then connect to the VPN server using their ovpn certificate files.