Easily deploy OpenVPN Server on Google Cloud Platform
gsutil mb -c standard -l us-central1 gs://YOUR-CONFIGURATION-BUCKT-NAME
Directory structure (This is example. Please create those files.)
gs://YOUR-CONFIGURATION-BUCKT-NAME
├── ddclient/
│ └── ddclient.conf
└── openvpn/
├── server.conf, ca.crt, dh.pem, openvpn.crt, openvpn.key, ta.key
└── ccd/
└── network1, network2, macbook, iphone
vpn-server.yaml (without health check)
imports:
- path: startup-script.sh
- path: vpn-server.yaml.jinja # or vpn-server-hc.yaml.jinja (with healthcheck)
name: vpn-server.jinja
resources:
- name: vpn-server
type: vpn-server.jinja
properties:
machineType: f1-micro
zone: us-central1-f
networkTier: PREMIUM
configurationBucket: YOUR-CONFIGURATION-BUCKT-NAME
editMode: false # If true, mount gcs bucket with gcsfuse
allowSSH: true
allowStatusPage: true # OpenVPN status page: http://ddns.example.com
antiRobotAuth: user:password # Basic Authentication for OpenVPN status page
ddclient: # Default: https://github.com/ddclient/ddclient/archive/v3.9.0.tar.gz
ddns-update-interval: # Default: none (e.g. 1week)
gcloud deployment-manager deployments create vpn-server --config vpn-server.yaml
gcloud deployment-manager deployments delete vpn-deployment
+---------- VPN Server on GCP (ddns.example.com, 172.16.0.1) ----------+
| VPN Network: 172.16.0.0/24 |
| |
| +-- network1 (172.16.0.A) --+ +-- network2 (172.16.0.B) --+ |
| | 192.168.1.0/24 | | 192.168.2.0/24 | |
| | | | | |
| +---------------------------+ +---------------------------+ |
| |
| macbook (172.16.0.C) iphone (172.16.0.D) |
| |
+----------------------------------------------------------------------+
# Service
verb 4
passtos
# Networking
dev tun
persist-key
persist-tun
topology subnet
keepalive 10 30
route 192.168.1.0 255.255.255.0 # network1
route 192.168.2.0 255.255.255.0 # network2
# VPN
proto udp4
server 172.16.0.0 255.255.255.0
compress lz4-v2
push "compress lz4-v2"
client-to-client
client-config-dir /etc/openvpn/server/ccd
# Cryptography
auth SHA512
cipher AES-256-GCM
ncp-ciphers AES-256-GCM
tls-server
tls-version-min 1.2
tls-auth /etc/openvpn/server/ta.key 0
ca /etc/openvpn/server/ca.crt
dh /etc/openvpn/server/dh.pem
cert /etc/openvpn/server/openvpn.crt
key /etc/openvpn/server/openvpn.key
script-security 2
up /usr/local/share/openvpn/up.sh
down /usr/local/share/openvpn/down.sh
network1
iroute 192.168.1.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
network2
iroute 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
macbook, iphone
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.0"
push "dhcp-option DOMAIN home"