VPN server on Google Compute Engine with OpenVPN

I'm trying to use a Google Compute Engine server as a VPN server for all my traffic (I'm living in Russia; we have some issues with censorship here).

There is a mini-tutorial about VPN on GCE, but it's about a network between 2 servers inside GCE and not about OpenVPN.

I've followed all the steps from another tutorial about setting up a VPN with OpenVPN on Debian. I can connect to the VPN from the client, but then I can't open connections (I can't even ping Google). On the server I can ping and download everything as usual.

I have a VPN on Linode with the same setup and it works fine, so the issue is in GCE network routing or firewall rules.

I've tried a lot of variants but nothing works. Please look at the settings and tell me what I should change.

// config lines removed, because the issue is solved //


Solution 1:

You can solve the issue of not being able to browse the web through the VPN, despite being able to ping, traceroute and so on, in one of the following two ways:

First, you can use the TCP protocol instead of UDP, by changing 'proto udp' to 'proto tcp' in both the client and server conf files.

Second, you can use a tap device instead of tun, by changing 'dev tun' to 'dev tap' in both the client and server conf files.

Not sure what the issue is, though; it seems to be a problem on Google's end.

Solution 2:

First of all, thanks to @Shivox for his answer.

And here is the quick how-to:

  • I recommend you create an additional network (see the "Networks" tab). In the network preferences, add allowing rules for: tcp:22 (if it does not exist), tcp:9700, tcp:17619. 17619 here is variable - change it to any port you like (the range is 9075-65534). You only need 3 rules and 2 default routes, nothing else.
  • Go to "Create Compute Engine instance", click "Show advanced options", allow port forwarding, and select the location of the server.
  • Now (when you've selected the location), add a static IP to the server.
  • Select the Ubuntu 14.04 image (exactly this version).
  • Create the instance
  • Connect via SSH (the easiest way is the in-browser tool from the GCE panel)
  • sudo su
  • apt-key update && apt-get update && apt-get -y upgrade && apt-get -y install python-software-properties && apt-get -y install software-properties-common && add-apt-repository -y ppa:pritunl && apt-get update && apt-get -y install pritunl
  • In a browser open https://instance_ip:9700
  • On the question about the DB, click "Save"
  • In the login window, use pritunl as username and password
  • Now change the username and password of the admin user
  • Add an organization, then 2 users (for desktop and mobile)
  • Click "Add server" in the "Servers" tab
  • Use the port number from the first step (17619 as an example) and the tcp protocol.
  • Attach the organization to the server
  • Start the server
  • In the "Users" tab download the keys for both users (tar archives with ovpn files inside).

I use Viscosity for OS X and OpenVPN Connect for iOS as clients. In Viscosity, turn on the "Send all traffic over VPN connection" option in the "Networking" tab.

Solution 3:

Please remember that Google VPC drops packets that have a source IP other than the internal IP of a VM that has an external IP.

This doc https://cloud.google.com/compute/docs/vpc/advanced-vpc states:

The VPC network rewrites the IP header to declare the instance's external IP address as the source. If the instance has no external IP address, the call is not allowed, and the VPC network drops the packet without informing the sender.

So if your OpenVPN is just forwarding packets from the other network, then the packets to the public internet will be dropped, as the source IP does not match any existing VM's internal IP. For this reason you need to NAT the packets leaving your local network, e.g. on your VPN node.

Chain POSTROUTING (policy ACCEPT)
target      prot opt source              destination         
MASQUERADE  all  --  192.168.0.0/16      !192.168.0.0/16

Pritunl, mentioned in OZ_'s answer, works because it configures the NAT automatically.
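As an added example (not part of any of the answers above), the following POSIX shell script sets up exactly the NAT that Solution 3 describes for a plain OpenVPN server on a GCE VM: it enables IPv4 forwarding and adds a MASQUERADE rule for the tunnel subnet so that traffic leaving the VM carries the VM's own internal IP, which is what the VPC accepts. The tunnel subnet 10.8.0.0/24 (OpenVPN's default for `server 10.8.0.0 255.255.255.0`) is an assumption; change `VPN_NET` to match your server.conf. The rule is only added if it is not already present, so the script is safe to re-run at boot.

```sh
#!/bin/sh
# Added example: NAT the OpenVPN tunnel subnet on a GCE VM so that forwarded
# packets leave with the VM's internal IP instead of a 10.8.0.x source.
# VPN_NET is an assumed default; override with VPN_NET=... ./nat.sh apply

VPN_NET="${VPN_NET:-10.8.0.0/24}"

# The iptables arguments for the rule Solution 3 shows in its
# POSTROUTING listing: masquerade everything from the VPN subnet
# that is not destined for the VPN subnet itself.
nat_rule_args() {
  printf '%s\n' "-t nat -A POSTROUTING -s $VPN_NET ! -d $VPN_NET -j MASQUERADE"
}

# Read the output of `iptables -t nat -S POSTROUTING` on stdin and succeed
# when a MASQUERADE rule for VPN_NET is already installed.
has_masquerade() {
  grep -q -- "-A POSTROUTING -s $VPN_NET .*-j MASQUERADE"
}

# Enable forwarding and install the rule once (requires root).
apply_nat() {
  sysctl -w net.ipv4.ip_forward=1
  if iptables -t nat -S POSTROUTING | has_masquerade; then
    echo "MASQUERADE rule for $VPN_NET already present"
  else
    # shellcheck disable=SC2046  # word splitting of the argument string is intended
    iptables $(nat_rule_args)
    echo "added MASQUERADE rule for $VPN_NET"
  fi
}

# Only touch the system when explicitly asked, so the functions above can
# be sourced and inspected without root.
if [ "${1:-}" = "apply" ]; then
  apply_nat
fi
```

Persist the forwarding setting with `net.ipv4.ip_forward = 1` in /etc/sysctl.d/ and the NAT rule with whatever your distribution uses for saving iptables rules (for example iptables-persistent on Debian and Ubuntu); otherwise both are lost on reboot and clients will again connect but fail to reach the internet. The `! -d $VPN_NET` exclusion keeps client-to-client traffic inside the tunnel from being rewritten.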