Create a VPN Server on Google Cloud

Athip Chaipiriyasak
Published in Finnomena
9 min read · Jan 25, 2023

VPN Connection

In this article, we will discuss how to set up an OpenVPN Access Server on a Google Cloud Compute Engine Instance. This will allow you to create a secure network tunnel for your computer or mobile device, enabling you to browse content securely on the network. The process is relatively simple and can be completed in just a few steps. By the end of this guide, you will have a fully functional OpenVPN Access Server up and running on the Google Cloud.

Prerequisite

  • An email address on a custom domain, for signing up to OpenVPN
  • A Google Cloud project linked to a billing account
  • Computer running macOS

Install the Necessary Package Before Beginning

Before proceeding, install Homebrew on your local machine. Homebrew is a package manager for macOS and Linux; it lets you quickly install and manage the other packages required to create the OpenVPN Access Server.

# skip if you already installed brew
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

After installing Homebrew, the next step is to install Terraform and the Google Cloud Command Line Interface (CLI) on your local machine. These tools are necessary for creating and managing resources on Google Cloud. Terraform will be used to create a virtual machine instance with the necessary configurations for the OpenVPN Access Server, and the Google Cloud CLI will aid in the installation of the OpenVPN Access Server package on the newly created instance. With both Terraform and the Google Cloud CLI installed, it will be simpler to manage and configure resources on Google Cloud.

# skip if you already installed terraform
brew install terraform
# skip if you already installed gcloud
brew install --cask google-cloud-sdk

To complete the installation of the Google Cloud CLI, refer to the instructions provided in the output of the command mentioned above or follow the guide provided.

# skip if you already installed gcloud

# for zsh on Intel macOS
echo 'source "/usr/local/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/path.zsh.inc"' >> ~/.zshrc
echo 'source "/usr/local/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/completion.zsh.inc"' >> ~/.zshrc
source ~/.zshrc

# for zsh on Apple silicon (M1/M2, arm) macOS
echo 'source /opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/completion.zsh.inc' >> ~/.zshrc
echo 'source /opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/path.zsh.inc' >> ~/.zshrc
source ~/.zshrc

To set up the Google Cloud CLI, execute the following command and complete the prompts that follow.

# skip if you already used gcloud

gcloud init
gcloud auth login

Create Google Cloud Compute Engine VM Instance and install OpenVPN Access Server

Use the following steps to create a Google Cloud Compute Engine virtual machine instance and install OpenVPN Access Server.

Enable Compute Engine API
IAM & Admin => Service Accounts
  • Create a new Service Account and assign the role of “Compute Admin” to it.
    In this example, the Service Account is named “terraform-vpn”.
Create a new Service Account
  • On the Service Accounts page, click on the Service Account that you have just created.
  • Access the “KEYS” menu and select the option to create a new key.
Your Service Account Configuration
  • Select “JSON” as the key type; a JSON key file will be generated and downloaded.
  • Download the source code and configuration files from the following GitHub project: https://github.com/mosathip/openvpn-server-gcp.
    In this example, the openvpn-server-gcp files were downloaded as a zip file and extracted to the desktop.
My openvpn-server-gcp project on GitHub
  • Go to the directory where you have downloaded the openvpn-server-gcp file.
Downloaded Files
  • Move the JSON key file generated in the previous step to the “terraform” folder and rename it to “service-account.json”.
terraform folder with service-account.json file
  • In the “terraform” folder, make a copy of the “example.tfvars” file and rename it to “my-var.tfvars”.
terraform folder with my-var.tfvars file
  • Customize the “my-var.tfvars” file to fit your needs.
    project_id is the unique ID of your Google Cloud project, shown on the Google Cloud Dashboard
    region is the region that hosts the virtual machine
    zone is the specific location within the region that hosts the virtual machine
    see available zone
my-var.tfvars file in folder terraform
  • Open Terminal and change the directory to where you have downloaded the openvpn-server-gcp file.
Terminal App
  • Execute the command to install the packages Terraform needs.
terraform -chdir=./terraform init
The result from the command terraform init
  • Execute the command to create a virtual machine.
    The virtual machine is configured with the following specifications: machine type is “f1-micro” (the smallest size with 0.2 vCPU and 0.6 GB of memory), the disk is a 10 GB HDD (the smallest and most cost-effective class), and the operating system is Ubuntu 22.04 LTS (a free OS).
terraform -chdir=./terraform apply -auto-approve --var-file my-var.tfvars
The result from the command terraform apply
  • Execute the commands to define the variables.
    OPENVPN_SERVER_INSTANCE_NAME is instance_name in my-var.tfvars
    OPENVPN_SERVER_PROJECT_ID is project_id in my-var.tfvars
    OPENVPN_SERVER_ZONE is zone in my-var.tfvars
export OPENVPN_SERVER_INSTANCE_NAME=openvpn-server
export OPENVPN_SERVER_PROJECT_ID=medium-demo-open-vpn-server
export OPENVPN_SERVER_ZONE=asia-southeast1-b
export CURRENT_USERNAME=$(whoami)

# re-check the values
echo "$OPENVPN_SERVER_INSTANCE_NAME"
echo "$OPENVPN_SERVER_PROJECT_ID"
echo "$OPENVPN_SERVER_ZONE"
echo "$CURRENT_USERNAME"
The result from defining variables
  • Execute the command to install OpenVPN Access Server on a virtual machine.
sh ./script/main.sh
The result of the installation
  • Retrieve the account and password for logging in to Access Server admin from the output of the preceding command.
scrolling up to find the account and password
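
As an added example (not part of the original article or of the openvpn-server-gcp repository), the shell functions below read instance_name, project_id and zone from “my-var.tfvars” instead of retyping them, and check that “service-account.json” is not accessible to other local users before the install script runs. The function names, and the assumption that each value is a plain quoted string on its own line, belong to this example.

```sh
#!/bin/sh
# Added example: derive the OPENVPN_SERVER_* variables from my-var.tfvars
# and check the service-account key file before running ./script/main.sh.
# Function names are hypothetical; assumes lines of the form: key = "value".

# Print the value of a simple `key = "value"` line in a tfvars file.
tfvar() {
  # $1 = key, $2 = tfvars file
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# Export the variables the install script expects. Fail if a value is
# missing or contains anything other than lowercase letters, digits and
# hyphens, so a typo or stray shell metacharacter never reaches gcloud.
load_openvpn_env() {
  vars_file=$1
  for pair in OPENVPN_SERVER_INSTANCE_NAME:instance_name \
              OPENVPN_SERVER_PROJECT_ID:project_id \
              OPENVPN_SERVER_ZONE:zone; do
    name=${pair%%:*}
    key=${pair#*:}
    value=$(tfvar "$key" "$vars_file")
    case $value in
      ''|*[!a-z0-9-]*)
        echo "bad or missing $key in $vars_file" >&2
        return 1 ;;
    esac
    export "$name=$value"
  done
}

# Succeed only if the key file exists and has no group/other permissions.
key_file_is_private() {
  [ -f "$1" ] || return 1
  perms=$(ls -l "$1" | cut -c5-10)   # group and other permission bits
  [ "$perms" = "------" ]
}

# Usage, from the openvpn-server-gcp directory:
#   chmod 600 terraform/service-account.json
#   key_file_is_private terraform/service-account.json &&
#     load_openvpn_env terraform/my-var.tfvars && sh ./script/main.sh
```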

Create an OpenVPN Access Server Account and License

Create an OpenVPN Access Server account, which will provide you with free access for two concurrent devices to use the VPN.

https://openvpn.net/
  • Click on “Create Account” to create an account.
    Use an email address with a domain that does not already have an account on OpenVPN.
https://myaccount.openvpn.com/signup
  • Check your email for the confirmation code, then enter it to complete the registration process.
https://myaccount.openvpn.com/signup/email-verification
confirmation code email
  • Choose “Access Server”.
https://myaccount.openvpn.com/signup/product-select
  • Fill out the form to complete the registration process.
https://myaccount.openvpn.com/as/signup/profile
  • You will be granted access to the OpenVPN Access Server Portal.
https://as-portal.openvpn.com/quick-start-guide
  • Navigate to the “Subscriptions” menu, choose the option to “Proceed with Subscription”, set the number of concurrent connections to 2, then click on “Create” to finalize.
    You will receive a free subscription for 2 concurrent connections without the need for a credit card or any other form of payment.
https://as-portal.openvpn.com/create-activation-key/key-type
https://as-portal.openvpn.com/create-activation-key/key-details
  • Make sure to save your subscription key for future reference.
https://as-portal.openvpn.com/subscriptions/ASwCZnKWZRhGxhYyTdqMOSQkLvhqGqna/details

Configure Your OpenVPN Access Server

Activate and configure your OpenVPN Access Server to make it ready for use.

Compute Engine VM instances
  • Locate the External IP of your VM instance
    In this example External IP is 35.187.250.253
  • Access the Admin page of the OpenVPN Access Server and sign in using the credentials obtained during the setup process.
    In this example admin page is on https://35.187.250.253:943/admin (https://x.x.x.x:943/admin)
OpenVPN Access Server Admin Login
  • Activate your OpenVPN Access Server using the provided key
OpenVPN Access Server Activation Manager
OpenVPN Access Server Activation Manager after activation
  • Go to the Network Settings, configure your hostname or IP, and then save the settings.
    In this example, the hostname “as-portal.medium-demo-open-vpn-server.online” will be used; however, you may also use your External IP address.
OpenVPN Access Server Network Settings
  • Click on “Update Running Server” to apply the changes.
OpenVPN Access Server Changed Detected
  • If you choose to use a hostname, you will need to add a DNS record to map your subdomain to the External IP for easy accessibility.
    In this example, a DNS record of type A will be added, with the name “as-portal” and address “35.187.250.253”.
DNS manager on Cloudflare

Time for a Recap

If you have reached this point, your OpenVPN Access Server is now set up and ready for connections from the OpenVPN client. By following the steps outlined earlier, you have successfully created a virtual machine on the cloud, enabled a firewall for the OpenVPN Access Server website and OpenVPN client connections, created an OpenVPN Access Server account, and registered it to your OpenVPN Access Server.

To connect to the OpenVPN Access Server using the OpenVPN client

  • To install OpenVPN Connect on your macOS device, execute the following command.
brew install --cask openvpn-connect
OpenVPN Connect on macOS
OpenVPN Access Server User Login
  • Click to download the Available Connection Profiles
OpenVPN Access Server User Logged In page
  • Import the profile into the OpenVPN client from the File menu, then connect.
    In this example, the option to save the password is selected and the password is entered.
After Imported Profile File
  • You are now connected to the OpenVPN Access Server, and your IP will be changed to the External IP of the OpenVPN Access Server.
    To disconnect from the VPN, simply toggle the green switch.
OpenVPN Client Connected to OpenVPN Access Server

Conclusion

By following these steps, you have successfully set up a private VPN server that will secure your internet traffic from your client devices. This also allows you to access content that may be blocked by your current network as all traffic will be routed through the secure tunnel to your private VPN server.

Clean up from Google Cloud Platform

Google Cloud Platform offers a 3-month trial period with a credit for usage, after which it will charge your credit card. To avoid any unexpected charges, it is recommended to clean up all resources created during the setup process before the end of the trial period. This can be easily done with a single command.

# Open Terminal and change the directory to where you have downloaded
# the openvpn-server-gcp file before executing the command.

terraform -chdir=./terraform destroy -auto-approve --var-file my-var.tfvars
result from terraform destroy

Everything that Terraform created on Google Cloud Platform, namely the Compute Engine VM instance and the firewall rule, has now been removed.

https://console.cloud.google.com/compute/instances

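You can also remove the Service Account that you created to revoke its permissions. Deleting the Service Account also invalidates the JSON key you downloaded, so delete the local “service-account.json” file as well.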

https://console.cloud.google.com/iam-admin/serviceaccounts
