Setting up VPN using OpenVPN on Google Cloud or AWS

A VPN is a good way to protect your cloud infrastructure from attacks. Below I list the steps to set up a VPN machine, log in to it and access the cloud LAN from your laptop.

I am using Debian on Google Cloud as an example. The setup process should be similar on other clouds. The cloud lan is in the network and the vpn lan will be in the network

1. Set up firewall rules to allow connections to the VPN machine:
Networks > your network (usually named default) > Firewall rules:

Create new:
Name: VPN Traffic
Source IP Ranges:
Allowed Protocols/Ports: tcp:1194
Target Tags: vpn

2. Spawn a new Debian machine, go to advanced and tag it vpn. Also enable IP Forwarding.

Log in and run this:
sudo sysctl -w net.ipv4.ip_forward=1
To keep the setting across reboots, make the same change (net.ipv4.ip_forward=1) in /etc/sysctl.conf

3. Install openvpn:

sudo apt-get update
sudo apt-get install openvpn

4. Set up openvpn

* Create a new directory with the command sudo mkdir /etc/openvpn/easy-rsa/.
* Copy the necessary files with the command sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/.
* Change the ownership of the newly copied directory with the command sudo chown -R $USER /etc/openvpn/easy-rsa/.
* Edit the file /etc/openvpn/easy-rsa/vars and change the variables listed below.

The variables to edit are:

export KEY_CITY="SanFrancisco"
export KEY_ORG="Uberlabs"
export KEY_EMAIL=""
export KEY_CN="FooBar"

Once the file has been edited and saved, run the following commands to create the certificates:

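cd /etc/openvpn/easy-rsa/
source vars
# Fresh PKI only: clean-all creates keys/ and wipes any existing keys
./clean-all
./pkitool --initca
./pkitool --server server
# Generate the DH parameters (keys/dh1024.pem with KEY_SIZE=1024 in vars)
./build-dh
cd keys
# Shared secret for tls-auth
sudo openvpn --genkey --secret ta.key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/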

Client Certificates

The clients will need to have certificates in order to authenticate to the server. To create these certificates, do the following:

Change KEY_CN in the vars file every time you create a new client cert; otherwise you will notice that hostname.crt is 0 bytes. Alternatively, you can use KEY_CN=someuniqueclientcn ./pkitool client1.

cd /etc/openvpn/easy-rsa/
source vars
./pkitool hostname

Files needed to setup client
* /etc/openvpn/ca.crt
* /etc/openvpn/easy-rsa/keys/hostname.crt (Where hostname is the hostname of the client).
* /etc/openvpn/easy-rsa/keys/hostname.key (Where hostname is the hostname of the client).
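
The following is an added example, not part of the original post: a pre-issue check for a CN that already has a valid entry in keys/index.txt, plus a post-issue audit that flags the 0-byte .crt described above and client keys readable by other users. It assumes the easy-rsa 2.0 layout used here, where keys/index.txt is the tab-separated openssl ca database with the subject DN in the last field; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): checks around ./pkitool.
# Assumption: keys/index.txt is the openssl "ca" database, tab-separated,
# with status in field 1 (V = valid) and the subject DN (/.../CN=name/...)
# in the last field.

# cn_issued INDEX CN -> exit 0 if a still-valid entry already uses this CN.
cn_issued() {
    awk -F '\t' -v cn="$2" '
        $1 == "V" {
            n = split($NF, part, "/")
            for (i = 1; i <= n; i++)
                if (part[i] == "CN=" cn) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# audit_keys DIR -> prints one finding per line; exit 1 if anything was found.
audit_keys() {
    rc=0
    for crt in "$1"/*.crt; do
        [ -e "$crt" ] || continue
        key="${crt%.crt}.key"
        # A 0-byte certificate means signing failed and the file is unusable.
        if [ ! -s "$crt" ]; then
            echo "EMPTY_CERT $crt"; rc=1
        fi
        if [ ! -s "$key" ]; then
            echo "MISSING_KEY $key"; rc=1
        else
            # Private keys must carry no group/other permission bits.
            case "$(ls -ld "$key")" in
                -???------*) ;;
                *) echo "KEY_PERMS $key"; rc=1 ;;
            esac
        fi
    done
    return $rc
}
```

From /etc/openvpn/easy-rsa/, a typical use is cn_issued keys/index.txt client1 || KEY_CN=client1 ./pkitool client1, followed by audit_keys keys before copying files to the client.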

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz

Open /etc/openvpn/server.conf and make the below change. SSH does not work properly in udp mode.

proto tcp
push "route" #this is a change

While UDP is recommended by OpenVPN, SSH was failing when I tried to SSH to some other hosts on the cloud.

Configure iptables to allow traffic from VPN to LAN
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

TIP: Restart openvpn every time you make a change in iptables; the changes are not reflected instantly.

sudo service openvpn restart

Client setup:
Install openvpn on your laptop. Copy the sample client.conf to /etc/openvpn and save the client files in /etc/openvpn/ as well. Then set the following in client.conf:

proto tcp
remote 1194
ca ca.crt
cert roshan-home.crt
key roshan-home.key

sudo service openvpn restart

Run sudo ifconfig; within 30 seconds you will see a new VPN interface, tun0. You should be able to ping 10.240.x.x and ssh.

Additional Debugging:
* Use the routing table info to see if it is set correctly: route -n or netstat -rn
* Use tcpdump to see if ICMP packets are received: tcpdump -i any icmp
* Use netcat or telnet to see if the VPN port is open:

netcat -z -v 1194
telnet 1194