@neuni
Created February 28, 2017 13:34

Install an OpenVPN server on Google Cloud using Pritunl

Purpose:

Create an OpenVPN server on Google Cloud Platform, either to reach your Google Cloud network over OpenVPN, or to route all of your internet traffic through the VPN (road warrior scenario), or both.

Create instance

  • Create a new instance in the default network
  • Choose Ubuntu 16.04 LTS (the release the repository lines below target; it is past its end of standard support, so plan an upgrade path)
  • Check "Allow HTTP traffic" and "Allow HTTPS traffic" (HTTPS for the web console, HTTP for the Let's Encrypt challenge in the Setup step)
  • Add the tag "vpn-server" and create a firewall rule that targets that tag and allows the protocol and port your OpenVPN server will listen on. The tag alone opens nothing: the two checkboxes above only create rules for the http-server and https-server tags, so without this rule clients cannot reach the VPN port
  • Enable IP forwarding (needed so the instance may forward the clients' traffic; set it when creating the instance)
  • Add a static external IP (the DNS record and the client profiles point at it, so it must not change on restart)

Create DNS record

  • Create a DNS A record for the new static IP. Let's Encrypt does not issue certificates for bare IP addresses, so the Setup step below needs this hostname
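The console steps above as a gcloud script, added here as an example that is not part of the gist. It also creates the firewall rules that give the vpn-server tag its effect, which the console steps do not cover. The project, region, zone, instance and address names, the Cloud DNS managed zone, the hostname and the VPN port/protocol are assumptions (the defaults in the script); set them to your own values, and make VPN_PORT and VPN_PROTO match what you choose later in Pritunl's "Add server" dialog.

```shell
#!/bin/sh
# deploy-vpn.sh: provision the Pritunl/OpenVPN instance with gcloud.
# Added example, not from the gist. Every value below is an assumption;
# override it through the environment (e.g. ZONE=us-central1-a) before running.
set -eu

GCLOUD="${GCLOUD:-gcloud}"                 # GCLOUD="echo gcloud" prints the commands only
PROJECT="${PROJECT:-my-project}"           # assumed project id
REGION="${REGION:-europe-west1}"
ZONE="${ZONE:-europe-west1-b}"
INSTANCE="${INSTANCE:-pritunl-vpn}"
ADDRESS="${ADDRESS:-pritunl-vpn-ip}"       # name of the reserved static IP
VPN_PORT="${VPN_PORT:-12345}"              # must match the port chosen in "Add server"
VPN_PROTO="${VPN_PROTO:-udp}"              # must match the protocol chosen in "Add server"
ADMIN_SOURCE="${ADMIN_SOURCE:-0.0.0.0/0}"  # who may reach the web console; narrow this
DNS_ZONE="${DNS_ZONE:-example-zone}"       # assumed Cloud DNS managed zone
FQDN="${FQDN:-vpn.example.com}"            # assumed name that goes into the profiles

# Reserve the static external IP that the DNS record and the profiles will use.
create_static_ip() {
    $GCLOUD compute addresses create "$ADDRESS" \
        --project="$PROJECT" --region="$REGION"
}

# Ubuntu 16.04 in the default network, as the gist specifies. --can-ip-forward
# is the "Enable IP forwarding" checkbox and --tags is the "vpn-server" tag.
create_instance() {
    $GCLOUD compute instances create "$INSTANCE" \
        --project="$PROJECT" --zone="$ZONE" \
        --image-family=ubuntu-1604-lts --image-project=ubuntu-os-cloud \
        --network=default --address="$ADDRESS" \
        --can-ip-forward \
        --tags=vpn-server
}

# A tag opens nothing by itself; these rules are what make vpn-server useful.
create_firewall_rules() {
    # Let's Encrypt's HTTP-01 challenge must reach port 80 from anywhere.
    $GCLOUD compute firewall-rules create pritunl-acme \
        --project="$PROJECT" --network=default --direction=INGRESS \
        --allow=tcp:80 --source-ranges=0.0.0.0/0 --target-tags=vpn-server
    # The Pritunl web console on 443: admins only, once ADMIN_SOURCE is narrowed.
    $GCLOUD compute firewall-rules create pritunl-web \
        --project="$PROJECT" --network=default --direction=INGRESS \
        --allow=tcp:443 --source-ranges="$ADMIN_SOURCE" --target-tags=vpn-server
    # The OpenVPN listener itself, on the port/protocol configured in Pritunl.
    $GCLOUD compute firewall-rules create pritunl-openvpn \
        --project="$PROJECT" --network=default --direction=INGRESS \
        --allow="$VPN_PROTO:$VPN_PORT" --source-ranges=0.0.0.0/0 \
        --target-tags=vpn-server
}

# Publish an A record for the reserved IP; Let's Encrypt refuses bare IPs.
create_dns_record() {
    ip="$($GCLOUD compute addresses describe "$ADDRESS" \
        --project="$PROJECT" --region="$REGION" --format='value(address)')"
    $GCLOUD dns record-sets transaction start --project="$PROJECT" --zone="$DNS_ZONE"
    $GCLOUD dns record-sets transaction add "$ip" --name="$FQDN." \
        --ttl=300 --type=A --project="$PROJECT" --zone="$DNS_ZONE"
    $GCLOUD dns record-sets transaction execute --project="$PROJECT" --zone="$DNS_ZONE"
}

deploy_vpn_server() {
    create_static_ip
    create_instance
    create_firewall_rules
    create_dns_record
}

# Only act when invoked as "sh deploy-vpn.sh deploy"; otherwise just define the functions.
if [ "${1:-}" = "deploy" ]; then
    deploy_vpn_server
fi
```

Run `GCLOUD="echo gcloud" sh deploy-vpn.sh deploy` first to print the commands without executing them, then `sh deploy-vpn.sh deploy`. Port 80 stays open to the world because the Let's Encrypt HTTP-01 challenge has to reach it; tcp:443 is only needed by administrators, so set ADMIN_SOURCE to your own address ranges once the initial setup is done.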

Instance setup

  • Connect to your instance using SSH. The commands below need root; on a GCE image you log in as an unprivileged user, so they are written with sudo
  • echo 'deb http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.2 multiverse' | sudo tee /etc/apt/sources.list.d/mongodb-org-3.2.list
  • echo 'deb http://repo.pritunl.com/stable/apt xenial main' | sudo tee /etc/apt/sources.list.d/pritunl.list
  • printf '[Unit]\nDescription=High-performance, schema-free document-oriented database\nAfter=network.target\n\n[Service]\nUser=mongodb\nExecStart=/usr/bin/mongod --config /etc/mongod.conf\n\n[Install]\nWantedBy=multi-user.target\n' | sudo tee /lib/systemd/system/mongod.service (printf rather than echo: bash's echo does not expand the \n sequences, which would leave the unit file as a single line)
  • sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv 42F3E95A2C4F08279C4960ADD68FA50FEA312927
  • sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv 7568D9BB55FF9E5287D586017AE645C0CF8E292A (both keys are requested by full fingerprint; apt verifies the repository signatures against them, which is what makes the plain-http repository URLs above acceptable)
  • sudo apt-get update
  • sudo apt-get install pritunl mongodb-org
  • sudo systemctl start mongod pritunl
  • sudo systemctl enable mongod pritunl
  • Create a setup key: sudo pritunl setup-key

Setup

  • Connect to https://YOUR_DOMAIN (Pritunl starts with a self-signed certificate, so the browser warns on this first visit; the warning goes away once the Let's Encrypt step below has completed)
  • Enter the setup key
  • Change the default username and password
  • Check "Public Address"
  • Add YOUR_DOMAIN to "LetsEncrypt Domain"
  • Save

Configuration

Users

  • Open the Users tab and add a new organization
  • Add a user to the new organization

Server

  • Open the Servers tab and select "Add server"
  • Choose a name for the new server and a port (the default is fine, but the protocol and port must match the firewall rule you created for the vpn-server tag)
  • Optional: click "Advanced" and disable "Restrict routing" if you do not want to route all client traffic through the VPN
  • Select "Attach Organization" to attach the server to your organization
  • Optional: add a route to your Google Cloud network(s)
  • Optional: remove the default route "0.0.0.0/0" if you do not want to route all client traffic through the VPN (split tunnel: only the routes left in the list are pushed to the clients)
  • Select "Start Server"

Download config

  • Download the OpenVPN config using the download icon next to the user on the Users tab. The profile embeds that user's certificate and private key, so hand it over through a channel you trust and have the user keep it readable only by themselves
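Before handing a profile to a user it is worth checking it for the settings that actually protect the tunnel. The script below is an added example, not part of the gist or of Pritunl: it reads a downloaded .ovpn file and reports missing or weak settings (CA, server-certificate check, tls-auth/tls-crypt, cipher, HMAC digest, file permissions). The sample profile it writes is constructed in the shape of a Pritunl profile, with placeholder PEM bodies rather than real keys, so the check can be tried offline.

```shell
#!/bin/sh
# check-ovpn.sh: review an OpenVPN client profile before distributing it.
# Added example, not from the gist. check_ovpn_profile prints one FINDING
# line per problem and returns 1 if there were any, 0 otherwise.

finding() { echo "FINDING: $1"; findings=$((findings + 1)); }

check_ovpn_profile() {
    profile="$1"
    findings=0

    # The profile embeds the user's private key, so nobody else may read it.
    # Character 8 of "ls -l" output is the world-read bit.
    case "$(ls -ld "$profile")" in
        ???????r*) finding "profile is world-readable; chmod 600 it" ;;
    esac

    # Without a CA the server certificate cannot be validated at all.
    grep -Eq '^[[:space:]]*(<ca>|ca[[:space:]])' "$profile" \
        || finding "no CA certificate (ca directive or <ca> block)"

    # Stops any client cert issued by the same CA from impersonating the server.
    grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server' "$profile" \
        || finding "missing 'remote-cert-tls server'"

    # Control-channel HMAC/encryption: packets without the key are dropped
    # before the TLS handshake, which blocks probing and cheap DoS.
    grep -Eq '^[[:space:]]*(<tls-(auth|crypt)(-v2)?>|tls-(auth|crypt)(-v2)?[[:space:]])' "$profile" \
        || finding "no tls-auth/tls-crypt key (control channel unprotected)"

    # Data-channel cipher; older clients fall back to BF-CBC when none is set.
    cipher="$(awk '$1 == "cipher" { print $2; exit }' "$profile")"
    case "$cipher" in
        "") finding "no cipher set; OpenVPN 2.3 clients fall back to BF-CBC" ;;
        BF-CBC|DES-CBC|DES-EDE3-CBC|RC2*|none) finding "weak data-channel cipher '$cipher'" ;;
    esac

    # HMAC digest for the data channel (CBC modes) and the tls-auth key.
    auth="$(awk '$1 == "auth" { print $2; exit }' "$profile")"
    case "$auth" in
        "") finding "no auth digest set; OpenVPN defaults to SHA1" ;;
        MD5|SHA1|none|md5|sha1) finding "weak HMAC digest '$auth'" ;;
    esac

    [ "$findings" -eq 0 ]
}

# Constructed sample in the shape of a Pritunl-generated profile; the PEM
# bodies are placeholders, not real key material.
write_sample_profile() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 12345
nobind
persist-tun
cipher AES-256-CBC
auth SHA512
remote-cert-tls server
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
    chmod 600 "$1"
}

# Usage: sh check-ovpn.sh user.ovpn   (exit status 1 if anything was found)
if [ $# -gt 0 ]; then
    check_ovpn_profile "$1"
fi
```

The checks mirror what the downloaded profile must contain for the server to be authenticated and the control channel to be protected; a Pritunl profile passes them as generated, so a finding on a real download means the server settings were changed or the file was edited.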

Sources:

@zamai

zamai commented Jun 21, 2017

Thanks for the tutorial!
I'm trying to set up a VPN on GCE, but it doesn't quite work for me: google.com and the Google Cloud website are working, the rest of the internet doesn't. Any ideas what is wrong in my setup?
Comments on the setup:

  1. Add YOUR_DOMAIN to "LetsEncrypt Domain" - when I enter my instance IP I get this error: Error creating new authz :: Issuance for IP addresses not supported

@zamai

zamai commented Jun 21, 2017

I think the problem was in the "Create a dns-record for the new static IP" step.
I've added A and CNAME records and my connection seems to work now :)
Thanks for the instruction once again

@DarthJahus

Add the tag "vpn-server"

When you asked to add the vpn-server tag, did you mean to add a step for creating the rule in Firewall Rules for the specific protocol and port used by the VPN server, or is it something that already exists? Because even though we can see http-server and https-server tags in Firewall Rules, there's nothing like vpn-server.

And thank you very much for this guide; it's life-saving!

@Raizan

Raizan commented Apr 3, 2018

Euginoz's blog says:

"In network preferences, add allowing rules for: tcp:22 (if not exist), tcp:9700, tcp:17619. 17619 here is variable - change it to any port you like (range is 9075-65534). You only need 3 rules and 2 default routes, nothing else."

But there is no such step in your tutorial. It's an article from 2015, so I assume you don't need to set up those rules anymore (?). Please correct me if I'm wrong.

@electropolis

The question is: has anyone had a chance to create two working servers for clients? How do you achieve that in GCP?
