Setting up VPN using OpenVPN on Google Cloud or AWS

A VPN is a good way to keep your cloud hosts off the public internet: only the VPN machine needs a port open to the world, and everything else is reached through the tunnel. The steps below show how to set up an OpenVPN server on a cloud instance, log in to it over the VPN and reach the cloud LAN from your laptop.

I am using Debian on Google Cloud as an example. The setup process should be similar on other clouds. The cloud LAN is the network 10.240.0.0/16 and the VPN LAN will be the network 10.8.0.0/16.

  1. Set up a firewall rule that allows connections to the VPN machine:

Networks > your network (usually named default) > Firewall rules:

Create new:
Name: VPN Traffic
Source IP Ranges: 0.0.0.0/0 (this exposes port 1194 to the whole internet; if your laptop has a fixed public IP, enter that address as a /32 instead)
Allowed Protocols/Ports: tcp:1194
Target Tags: vpn
  2. Spawn a new Debian machine; under the advanced options tag it vpn (so the firewall rule above applies to it) and enable IP Forwarding. IP forwarding has to be set when the instance is created; it cannot be switched on afterwards.

Log in and run this:

sudo sysctl -w net.ipv4.ip_forward=1

Make the same change in /etc/sysctl.conf (uncomment or add the line net.ipv4.ip_forward=1) so it survives a reboot; sysctl -w on its own is lost at the next boot.

  3. Install openvpn:
sudo apt-get update
sudo apt-get install openvpn
  4. Set up openvpn
  • Create a new directory with the command sudo mkdir /etc/openvpn/easy-rsa/.

  • Copy the easy-rsa scripts with the command sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/. (On newer Debian releases the openvpn package no longer ships these examples; install the easy-rsa package and copy from /usr/share/easy-rsa/ instead.)

  • Change the ownership of the newly copied directory with the command sudo chown -R $USER /etc/openvpn/easy-rsa/.

  • Edit the file /etc/openvpn/easy-rsa/vars and change the variables listed below.

The variables to edit are:

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Uberlabs"
export KEY_EMAIL="name@host.com"
export KEY_CN="FooBar"

Once the file has been edited and saved, run the following commands to create the CA, the Diffie-Hellman parameters, the server certificate and the tls-auth key:

cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
sudo openvpn --genkey --secret ta.key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/

The Diffie-Hellman file is named after KEY_SIZE in vars: dh1024.pem with the 1024-bit default of older easy-rsa releases. 1024-bit parameters are considered weak, so it is worth setting export KEY_SIZE=2048 in vars before running build-dh; the file is then called dh2048.pem, and the dh line in server.conf has to name the same file. Note that clean-all wipes the keys directory, so run it only once, at the start.

Client Certificates

The clients will need to have certificates in order to authenticate to the server. To create these certificates, do the following:

Change KEY_CN in vars every time you create a new client certificate. OpenSSL's ca refuses to sign a second certificate whose subject already exists in keys/index.txt (TXT_DB error number 2), and the symptom is a hostname.crt of 0 bytes. Alternatively, set the CN on the command line: KEY_CN=someuniqueclientcn ./pkitool client1.

cd /etc/openvpn/easy-rsa/
source vars
./pkitool hostname

Files needed to set up the client

  • /etc/openvpn/ca.crt

  • /etc/openvpn/easy-rsa/keys/hostname.crt (Where hostname is the hostname of the client).

  • /etc/openvpn/easy-rsa/keys/hostname.key (Where hostname is the hostname of the client).
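Because a reused KEY_CN silently produces a 0-byte .crt, it pays to check every client bundle before handing it out. The script below is an added example, not part of the original post: build_client_cert wraps pkitool (assumed to live in /etc/openvpn/easy-rsa as set up above) and check_client_cert then confirms with plain openssl that the certificate is non-empty, chains to ca.crt and matches its private key. Only openssl is needed for the check itself, so it also works on the laptop against the copied files. The script name and the paths are assumptions.

```bash
#!/bin/bash
# Added example (not from the original post). Verifies the files that
# pkitool leaves in keys/ before they are shipped to a client.
# Assumptions: easy-rsa 2.0 is in /etc/openvpn/easy-rsa and 'vars' has
# been edited as described above.

# check_client_cert CA_CRT CLIENT_CRT CLIENT_KEY
# Returns 0 when the certificate is usable, 1 otherwise (reason on stderr).
check_client_cert() {
    local ca="$1" crt="$2" key="$3"
    # The symptom described above: pkitool with an already-used KEY_CN
    # leaves a 0-byte file behind.
    if [ ! -s "$crt" ]; then
        echo "check: $crt is missing or empty (duplicate KEY_CN?)" >&2
        return 1
    fi
    # The certificate must chain to our CA or the server will reject it.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "check: $crt does not verify against $ca" >&2
        return 1
    fi
    # The private key must belong to this certificate: compare public keys.
    local pub_from_crt pub_from_key
    pub_from_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    pub_from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    if [ "$pub_from_crt" != "$pub_from_key" ]; then
        echo "check: $key does not match $crt" >&2
        return 1
    fi
    return 0
}

# cert_cn CRT: prints the CN of a certificate (handy for spotting reused names).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,utf8 2>/dev/null \
        | sed -n 's/^ *CN=//p'
}

# build_client_cert NAME: runs pkitool with NAME as a unique CN, then checks
# the result the way the server will see it.
build_client_cert() {
    local name="$1" keys=/etc/openvpn/easy-rsa/keys
    ( cd /etc/openvpn/easy-rsa && . ./vars >/dev/null && KEY_CN="$name" ./pkitool "$name" ) || return 1
    check_client_cert "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key"
}

# Usage (hypothetical script name):
#   ./clientcert.sh build client1
#   ./clientcert.sh check ca.crt client1.crt client1.key
case "${1-}" in
    build) build_client_cert "$2" && echo "ok: CN=$(cert_cn "/etc/openvpn/easy-rsa/keys/$2.crt")" ;;
    check) check_client_cert "$2" "$3" "$4" && echo "ok: CN=$(cert_cn "$2")" ;;
esac
```

Run the check mode on the laptop after copying the three files: a failure there is cheaper to find than a TLS handshake error in the server log.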

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/

sudo gzip -d /etc/openvpn/server.conf.gz

Open /etc/openvpn/server.conf and make the changes below. The sample config uses UDP; this setup switches to TCP because SSH through the tunnel was unreliable over UDP (see the note after the snippet; SSH hangs over UDP tunnels are often an MTU problem, and OpenVPN's mssfix and fragment options are the usual fix if you want to keep UDP). Since ta.key was generated above, also enable it with tls-auth ta.key 0 (the sample file has that line commented out), and make sure the dh line names the file you copied.

proto tcp
server 10.8.0.0 255.255.0.0
push "route 10.240.0.0 255.255.0.0" #this is a change
client-to-client

While UDP is recommended by OpenVPN, SSH was failing when I tried to SSH to some other hosts on the cloud.
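The server fragment above and the client fragment further down are each incomplete on their own, so here is an added example (not the original post's configs) that writes a complete server.conf and a single-file client .ovpn with the certificates inlined, so the client needs one file instead of four. It keeps the page's choices (tcp, 10.8.0.0/16, the pushed route to 10.240.0.0/16, client-to-client) and adds what a hardened deployment normally has: tls-auth on both sides, dropping root after start, and the server-certificate check on the client. The script name, the dh file name argument (pass the file you actually copied) and the key directory are assumptions.

```bash
#!/bin/bash
# Added example, not from the original post: generate a complete server.conf
# and a self-contained client .ovpn for the setup described above.
# Assumes the files produced by easy-rsa are in the paths given below.

# write_server_conf VPN_NET VPN_MASK LAN_NET LAN_MASK DH_FILE -> config on stdout
write_server_conf() {
    local vpn_net="$1" vpn_mask="$2" lan_net="$3" lan_mask="$4" dh="$5"
    cat <<EOF
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh $dh
# Shared HMAC key: packets without a valid HMAC are dropped before the TLS
# handshake, so only holders of ta.key can even talk to the TLS stack. (0 = server)
tls-auth ta.key 0
server $vpn_net $vpn_mask
ifconfig-pool-persist ipp.txt
# Send VPN clients the route to the cloud LAN.
push "route $lan_net $lan_mask"
client-to-client
keepalive 10 120
# Drop root privileges once the tunnel and key files are open.
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
}

# write_client_ovpn SERVER_IP NAME KEYDIR -> single-file client config on stdout
# KEYDIR must contain ca.crt, NAME.crt, NAME.key and ta.key.
write_client_ovpn() {
    local server_ip="$1" name="$2" dir="$3" f
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto tcp
remote $server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Only accept a peer whose certificate was issued as a server certificate
# (pkitool --server sets that), so a leaked client cert cannot pose as the server.
remote-cert-tls server
key-direction 1
verb 3
<ca>
$(cat "$dir/ca.crt")
</ca>
<cert>
$(cat "$dir/$name.crt")
</cert>
<key>
$(cat "$dir/$name.key")
</key>
<tls-auth>
$(cat "$dir/ta.key")
</tls-auth>
EOF
}

# Usage on the server (hypothetical script name); use dh2048.pem if you
# changed KEY_SIZE before build-dh:
#   ./mkconf.sh server > /etc/openvpn/server.conf
#   ./mkconf.sh client 146.148.64.124 roshan-home /etc/openvpn/easy-rsa/keys > roshan-home.ovpn
case "${1-}" in
    server) write_server_conf 10.8.0.0 255.255.0.0 10.240.0.0 255.255.0.0 dh1024.pem ;;
    client) write_client_ovpn "$2" "$3" "$4" ;;
esac
```

The generated .ovpn contains the client's private key, so transfer it over SSH or another authenticated channel and delete the copy on the server afterwards.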

Configure iptables to allow traffic from VPN to LAN

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE

This masquerades the VPN clients behind the VPN machine's own address, which is why the other cloud hosts need no route back to 10.8.0.0/16. The rule is not persistent: re-add it at boot (for example with the iptables-persistent package) or it is gone after the next restart.

TIP: Restart openvpn after changing iptables. NAT decisions are made on the first packet of a connection and cached in conntrack, so flows that were already open keep their old behaviour until they are torn down; restarting openvpn drops them, and the new rule then applies to everything.

sudo service openvpn restart
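Because both the sysctl setting and the NAT rule above are lost on reboot, and a repeated -A stacks duplicate rules, the following added example (not from the original post) makes the forwarding step idempotent and reboot-safe. It assumes Debian with eth0 as the LAN-facing interface and the iptables-persistent package, which restores /etc/iptables/rules.v4 at boot; the script name is hypothetical.

```bash
#!/bin/bash
# Added example, not from the original post: make IP forwarding and the
# VPN-to-LAN NAT rule idempotent and reboot-safe. Assumes Debian, eth0 as
# the LAN-facing interface and the iptables-persistent package for saving rules.

VPN_NET="10.8.0.0/16"
LAN_IF="eth0"

# enable_ip_forward_persist SYSCTL_FILE
# Leaves exactly one active 'net.ipv4.ip_forward=1' line in the file: a
# commented-out or '=0' line is rewritten in place, otherwise one is appended.
enable_ip_forward_persist() {
    local f="$1"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$f"; then
        sed -i -E 's/^[[:space:]]*#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward=1/' "$f"
    else
        echo 'net.ipv4.ip_forward=1' >> "$f"
    fi
}

# nat_rule_spec VPN_NET LAN_IF -> the rule without the -A/-C action, so the
# same words are used for checking and for appending.
nat_rule_spec() {
    echo "POSTROUTING -s $1 -o $2 -j MASQUERADE"
}

# apply_nat_rule: add the rule only if it is not already present (a repeated
# -A would stack duplicates), then save it so it survives a reboot.
apply_nat_rule() {
    local spec
    spec=$(nat_rule_spec "$VPN_NET" "$LAN_IF")
    # shellcheck disable=SC2086  # word splitting of $spec is intended
    iptables -t nat -C $spec 2>/dev/null || iptables -t nat -A $spec
    iptables-save > /etc/iptables/rules.v4   # read at boot by iptables-persistent
}

# Usage (as root, hypothetical script name): ./vpn-forward.sh apply
case "${1-}" in
    apply)
        sysctl -w net.ipv4.ip_forward=1
        enable_ip_forward_persist /etc/sysctl.conf
        apply_nat_rule
        # NAT decisions are cached per connection in conntrack, so flows that
        # existed before the rule keep their un-NATed path; restarting openvpn
        # drops those flows, which is the quickest way to pick the rule up.
        service openvpn restart
        ;;
esac
```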

Client setup:

Install openvpn on your laptop. Copy the sample client.conf to /etc/openvpn and put the three client files (ca.crt, hostname.crt, hostname.key) there as well; the example below uses roshan-home as the client hostname. If you enabled tls-auth on the server, also copy ta.key and add tls-auth ta.key 1. Keep the sample's server-certificate check (ns-cert-type server or remote-cert-tls server, depending on the version) so that a leaked client certificate cannot be used to pose as the server. Then set the following in client.conf:

proto tcp
remote 146.148.64.124 1194
ca ca.crt
cert roshan-home.crt
key roshan-home.key

sudo service openvpn restart

Within about 30 seconds, sudo ifconfig (or ip addr) should show a new tun0 interface. You should then be able to ping 10.240.x.x hosts and SSH to them.

Additional Debugging:

  • Check the routing table (route -n or netstat -rn) for a route to 10.240.0.0/16 via tun0.

  • tcpdump, to see whether ICMP packets actually arrive: tcpdump -i any icmp

  • netcat or telnet, to see whether the VPN port is reachable from your laptop:

netcat -z -v 146.148.64.124 1194
telnet 146.148.64.124 1194
