/vpn-server

Easily deploy OpenVPN Server on Google Cloud Platform

Primary LanguageShellThe UnlicenseUnlicense

VPN Server

Easily deploy OpenVPN Server on Google Cloud Platform

Usage

1. Create your gcs bucket and configuration

gsutil mb -c standard -l us-central1 gs://YOUR-CONFIGURATION-BUCKT-NAME

Directory structure (This is example. Please create those files.)

gs://YOUR-CONFIGURATION-BUCKT-NAME
├── ddclient/
│     └── ddclient.conf
└── openvpn/
       ├── server.conf, ca.crt, dh.pem, openvpn.crt, openvpn.key, ta.key
       └── ccd/
              └── network1, network2, macbook, iphone

2. Create a configuration file for deployment manager

vpn-server.yaml (without health check)

imports:
- path: startup-script.sh
- path: vpn-server.yaml.jinja # or vpn-server-hc.yaml.jinja (with healthcheck)
  name: vpn-server.jinja

resources:
- name: vpn-server
  type: vpn-server.jinja
  properties:
    machineType: f1-micro
    zone: us-central1-f
    networkTier: PREMIUM

    configurationBucket: YOUR-CONFIGURATION-BUCKT-NAME
    editMode: false # If true, mount gcs bucket with gcsfuse
    allowSSH: true
    allowStatusPage: true # OpenVPN status page: http://ddns.example.com
    antiRobotAuth: user:password # Basic Authentication for OpenVPN status page
    ddclient: # Default: https://github.com/ddclient/ddclient/archive/v3.9.0.tar.gz
    ddns-update-interval: # Default: none (e.g. 1week)

3. Deploy VPN Server

gcloud deployment-manager deployments create vpn-server --config vpn-server.yaml

4. Delete VPN Server

gcloud deployment-manager deployments delete vpn-deployment

Example

Network

+---------- VPN Server on GCP (ddns.example.com, 172.16.0.1) ----------+
| VPN Network: 172.16.0.0/24                                           |
|                                                                      |
|    +-- network1 (172.16.0.A) --+    +-- network2 (172.16.0.B) --+    |
|    | 192.168.1.0/24            |    | 192.168.2.0/24            |    |
|    |                           |    |                           |    |
|    +---------------------------+    +---------------------------+    |
|                                                                      |
|    macbook (172.16.0.C)    iphone (172.16.0.D)                       |
|                                                                      |
+----------------------------------------------------------------------+

server.conf

# Service
verb 4
passtos

# Networking
dev tun
persist-key
persist-tun
topology subnet
keepalive 10 30
route 192.168.1.0 255.255.255.0 # network1
route 192.168.2.0 255.255.255.0 # network2

# VPN
proto udp4
server 172.16.0.0 255.255.255.0
compress lz4-v2
push "compress lz4-v2"
client-to-client
client-config-dir /etc/openvpn/server/ccd

# Cryptography
auth SHA512
cipher AES-256-GCM
ncp-ciphers AES-256-GCM
tls-server
tls-version-min 1.2
tls-auth /etc/openvpn/server/ta.key 0
ca /etc/openvpn/server/ca.crt
dh /etc/openvpn/server/dh.pem
cert /etc/openvpn/server/openvpn.crt
key /etc/openvpn/server/openvpn.key

script-security 2
up /usr/local/share/openvpn/up.sh
down /usr/local/share/openvpn/down.sh

ccd

network1

iroute 192.168.1.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"

network2

iroute 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"

macbook, iphone

push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.0"
push "dhcp-option DOMAIN home"

ddclient.conf

See https://github.com/ddclient/ddclient