I'm trying to use a Google Compute Engine server as a VPN server for all my traffic (I'm living in Russia, we have some issues with censorship here).

There is a mini-tutorial about VPN on GCE, but it's about a network between 2 servers inside GCE, not about OpenVPN.

I've made all the steps from another tutorial about setting up a VPN with OpenVPN on Debian. I can connect to the VPN from the client, but then I can't open connections (can't even ping google). On the server I can ping and download everything as usual.

I have a VPN on Linode with the same setup and it works fine. So the issue is in GCE network routing or firewall rules.

I've tried a lot of variants but nothing works. Please look at the settings and tell me what I should change.

// config lines removed, because issue is solved //

Shog9
OZ_
  • Is there a way to enable ip forwarding? echo 1 > /proc/sys/net/ipv4/ip_forward – Alec Istomin Apr 23 '14 at 03:31
  • @AlecIstomin, yes, it's done. I have a VPN on Linode with the same setup and it works fine. So the issue is in GCE network routing or firewall rules. – OZ_ Apr 23 '14 at 12:31
  • Maybe ask GCE support? This seems like the sort of thing they could answer quickly. – Bill Weiss Apr 23 '14 at 13:39
  • @BillWeiss the price for their support plans starts from $150/month, but if this issue is not solved in a week, I think I will pay them. Also I'll try to find somebody on oDesk to fix it and then will write a tutorial in my blog. – OZ_ Apr 23 '14 at 14:06
  • https://www.odesk.com/jobs/~01c4b1438a64f31fdd - don't hesitate to apply, if you can help, guys. – OZ_ Apr 30 '14 at 13:13
  • Please run this and share the output from your server: uname -a; ip a l; ifconfig -a; route -n; iptables -Lv; iptables -Lv -t nat – Alec Istomin Apr 30 '14 at 22:12
  • @AlecIstomin https://gist.github.com/jamm/a1d108e27d1d89a93c39 – OZ_ May 01 '14 at 07:41
  • All looks good, but the packets are not "forwarded" and therefore not "NAT'ed". Can you show what you got in "cat /proc/sys/*/ipv4/ip_forward"? There should be 1 (enabled) there, and it should be put in /etc/sysctl.conf to survive the reboot. – Alec Istomin May 01 '14 at 17:14
  • Hm. cat /proc/sys/*/ipv4/ip_forward shows 0 even when I have net.ipv4.ip_forward=1 in /etc/sysctl.conf. Will investigate, thank you. – OZ_ May 02 '14 at 12:30
  • Nobody wants to solve this issue even for $100, so I'm closing the oDesk posting - I don't have any hope anymore about this issue. – OZ_ May 05 '14 at 07:04
  • Hi @Oz_ I was wondering if you're still considering asking GCE support about this issue? I'm still looking for a solution, but maybe someone from Google can explain to us why the VPN isn't working as expected. Nevertheless, I'll post the fix if I'm able to find one. – Mario May 07 '14 at 07:10
  • @Mario probably. The Linode VPN works very unstably, so I need to find something more stable. – OZ_ May 08 '14 at 16:54

8 Answers

You can solve the issue of not being able to browse the web through the VPN, despite being able to ping, traceroute, etc., in one of the two following ways:

First, you can use the TCP protocol instead of UDP, by changing 'proto udp' to 'proto tcp' in both the client and server conf files.

Second, you can use a tap device instead of tun, by changing 'dev tun' to 'dev tap' in both the client and server conf files.

Not sure what the issue is though, it seems it's a problem from Google's end.

Shivox
  • You are my hero! Thank you very much! Switching to TCP did the trick. I'll expand the full "how-to" in a separate answer. That feeling when a long-time dream comes true... Thank you! – OZ_ Feb 01 '15 at 12:07

First of all, thanks to @Shivox for his answer.

And here is the quick how-to:

  • I recommend you create an additional network (see the "Networks" tab). In the network preferences, add allowing rules for: tcp:22 (if it doesn't exist), tcp:9700, tcp:17619. 17619 here is variable - change it to any port you like (the range is 9075-65534). You only need 3 rules and 2 default routes, nothing else.
  • Go to "Create Compute Engine instance", click "Show advanced options", allow port forwarding, select the location of the server.
  • Now (when you've selected location), add static IP to the server.
  • Select Ubuntu 14.04 image (exactly this version).
  • Create instance
  • Connect via SSH (the easiest way is the in-browser tool from the GCE panel)
  • sudo su
  • apt-key update && apt-get update && apt-get -y upgrade && apt-get -y install python-software-properties && apt-get -y install software-properties-common && add-apt-repository -y ppa:pritunl && apt-get update && apt-get -y install pritunl
  • In a browser, open https://instance_ip:9700
  • On the question about the DB, click "Save"
  • In the login window, use pritunl as username and password
  • Now change the username and password of the admin user
  • Add an organization, then 2 users (for desktop and mobile)
  • Click "Add server" in the "Servers" tab
  • Use the port number from the first step (17619 as an example) and the tcp protocol.
  • Attach organization to server
  • Start server
  • In the "Users" tab, download keys for both users (tar archives with ovpn files inside).

I use Viscosity for OS X and OpenVPN connect for iOS as clients. In Viscosity, turn on "Send all traffic over VPN connection" option in "Networking" tab.

OZ_
  • Just to note: Google Cloud Platform gives a free trial with $300 for 60 days. – OZ_ Feb 08 '15 at 20:06
  • Instructions to install Pritunl on Ubuntu 14.04 changed: https://github.com/pritunl/pritunl#ubuntu-trusty – motobói Sep 26 '16 at 15:28

Please remember that Google VPC drops packets whose source IP is not the internal IP of a VM that has an external IP.

This doc https://cloud.google.com/compute/docs/vpc/advanced-vpc states:

The VPC network rewrites the IP header to declare the instance's external IP address as the source. If the instance has no external IP address, the call is not allowed, and the VPC network drops the packet without informing the sender.

So if your OpenVPN is just forwarding packets from the other network, then the packets to the public internet will be dropped, as the source IP does not match any existing VM's internal IP. For this reason you need to NAT the packets leaving your local network, e.g. on your VPN node.

Chain POSTROUTING (policy ACCEPT)
target      prot opt source              destination         
MASQUERADE  all  --  192.168.0.0/16      !192.168.0.0/16

"Pritunl" mentioned in the OZ_ answer works because it configures the NAT automatically.
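As an added illustration (not code from the original answer or from Google), the following Python model walks through the rule quoted above and the POSTROUTING MASQUERADE rule: a VPN client packet that is only forwarded is dropped by the VPC, while the same packet after source NAT is rewritten to the VM's external IP. The VPN subnet and VM addresses are constructed sample values.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the original post).
VPN_SUBNET = ipaddress.ip_network("10.8.0.0/24")      # OpenVPN tunnel range
VM_INTERNAL = ipaddress.ip_address("10.128.0.2")       # VM internal (VPC) address
VM_EXTERNAL = ipaddress.ip_address("203.0.113.10")     # VM external address (TEST-NET-3)


def vpc_egress(src, vm_internal, vm_external):
    """Model of the quoted VPC behaviour: Internet-bound traffic must carry
    the VM's internal IP as source; the VPC then rewrites it to the external
    IP. Any other source, or a VM without external IP, is silently dropped.
    Returns the source the Internet sees, or None for a drop."""
    src = ipaddress.ip_address(src)
    if src != vm_internal:
        return None                      # source is not a VM the VPC knows
    if vm_external is None:
        return None                      # no external IP: call not allowed
    return vm_external                   # header rewritten to external IP


def masquerade(src, dst, vm_internal, vpn_subnet=VPN_SUBNET):
    """Model of 'MASQUERADE all -- <vpn_subnet> !<vpn_subnet>' in POSTROUTING:
    packets from VPN clients that leave the tunnel range get the VM's own
    address as source; traffic staying inside the tunnel is left alone."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in vpn_subnet and dst not in vpn_subnet:
        return vm_internal
    return src


def seen_by_internet(src, dst, nat=True, vm_internal=VM_INTERNAL, vm_external=VM_EXTERNAL):
    """Source address the destination sees, or None if the VPC drops the packet."""
    egress_src = masquerade(src, dst, vm_internal) if nat else ipaddress.ip_address(src)
    return vpc_egress(egress_src, vm_internal, vm_external)


if __name__ == "__main__":
    client, site = "10.8.0.6", "8.8.8.8"
    print("forward only:", seen_by_internet(client, site, nat=False))  # None -> dropped
    print("with NAT:    ", seen_by_internet(client, site))             # 203.0.113.10
```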

This is not really an answer, but the site didn't allow me to add it as a comment to your question.

Nevertheless, I have almost the exact same configuration you detailed above (I didn't configure dnsmasq on the server, though).

Unfortunately, the VPN is not working as expected. I can resolve an address, ping some Internet hosts and even make a complete trace while connected to the VPN. However, when I open the browser and navigate to a site, the connection is really slow. I don't know what can be affecting the connection, but it is really a strange problem.

Maybe someone from Google can help us know what is going on.

PS 1. As other people have suggested before, can you verify if IP forwarding is enabled? For me, the only way to ensure the value for net.ipv4.ip_forward was properly restored after a reboot was after I used a custom rule in /etc/sysctl.d

For example, you can add the rule using the following command (the redirect has to run as root, so it goes through tee rather than a plain `>` after sudo):

$ echo "net.ipv4.ip_forward = 1" | sudo tee /etc/sysctl.d/90-useroverrides.conf

PS 2. If the forwarding works for you, can you test a trace route to an external host while connected to the VPN? The output I got when I do this is a bit strange (why are there multiple hops on the same IP?):

$ sudo traceroute www.yahoo.com -T -p 80 -N 1 -z 0.5 -q 1
traceroute to www.yahoo.com (98.139.183.24), 30 hops max, 60 byte packets
 1  209.85.241.26 (209.85.241.26)  0.764 ms
 2  209.85.241.34 (209.85.241.34)  0.668 ms
 3  209.85.241.26 (209.85.241.26)  0.966 ms
 4  209.85.241.36 (209.85.241.36)  0.702 ms
 5  209.85.241.28 (209.85.241.28)  0.865 ms
 6  209.85.241.36 (209.85.241.36)  0.642 ms
 7  209.85.241.26 (209.85.241.26)  0.921 ms
 8  209.85.241.28 (209.85.241.28)  18.837 ms
 9  72.14.238.107 (72.14.238.107)  13.378 ms
10  72.14.237.131 (72.14.237.131)  38.275 ms
11  209.85.254.131 (209.85.254.131)  13.349 ms
12  *
13  ae-8.pat1.bfz.yahoo.com (216.115.101.231)  44.903 ms
14  ae-4.msr1.bf1.yahoo.com (216.115.100.25)  45.323 ms
15  xe-10-3-1.clr1-a-gdc.bf1.yahoo.com (98.139.232.101)  47.382 ms
16  et18-25.fab6-1-sat.bf1.yahoo.com (98.139.128.103)  45.793 ms
17  po-13.bas1-7-prd.bf1.yahoo.com (98.139.129.209)  41.143 ms
18  ir2.fp.vip.bf1.yahoo.com (98.139.183.24)  42.451 ms

PS 3. The only thing that seems to work properly is that the VPN is using the external IP of my host to access the Internet:

$ sudo curl --interface tun0 checkip.dyndns.org
<html><head><title>Current IP Check</title></head><body>Current IP Address: 107.178.XXX.XXX</body></html>
Mario
  • @OZ_ Glad to hear you can now ping and traceroute while connected to the VPN. Now, can you post the result of one of your traceroutes? I'm curious about the first lines of the output because it seems like the packets are routed in a loop for at least the first 8 hops (I'm not a network expert, though). – Mario May 02 '14 at 18:50
  • Sorry, here it is: https://gist.github.com/jamm/028ae858a03e40495740 . And yes, it looks strange. Maybe we need some specific route. – OZ_ May 02 '14 at 23:20

Edit /etc/sysctl.conf by uncommenting #net.ipv4.ip_forward=1

That should allow OpenVPN to direct your traffic.

MichelZ
  • A good tutorial on doing it at the following URL: http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/ – MFT May 02 '14 at 08:11
  • It was mentioned in the first comment: http://serverfault.com/questions/590530/vpn-server-on-google-compute-engine-with-openvpn#comment696913_590530 – OZ_ May 02 '14 at 12:28

You need IP forwarding enabled for your VM instance in Google Cloud, otherwise packets won't reach your VM. Note that this is separate from the net.ipv4.ip_forward = 1 that you can set inside your VM.

IP forwarding can only be set once, before you create a VM, and cannot be modified afterwards. To enable it for a new VM, click "Management, security, disks, networking, sole tenancy".

Then, in the Networking tab, click on Network Interface and set IP Forwarding to ON.

Pavel P

You need to add a rule that allows traffic for OpenVPN itself:

iptables -A INPUT -p udp --dport 1194 -j ACCEPT
MadHatter
Paul Rudnitskiy

About the network.

1) Enable all traffic from the OpenVPN subnet (e.g. 10.8.0.0/24) in the Console

2) I would strongly suggest you add masquerading to your network (firewalld's reload option is `--reload`):

firewall-cmd --zone=trusted --add-masquerade --permanent
firewall-cmd --reload

3) Do not forget to enable packet routing in the kernel

a) once

 echo 1 > /proc/sys/net/ipv4/ip_forward

b) forever in /etc/sysctl.conf:

 net.ipv4.ip_forward = 1
pmi