Skip to main content

Google Cloud Platform BYOL Instance Quick Start Guide


The GCP Marketplace BYOL appliance lets you quickly launch your GCP VPC to get your VPN server up and running. Here's how.

Access Server provides a Google Cloud Platform (GCP) VPN that you can get up and running within minutes.

Working with GCP, you use their appliances, which are Linux-based virtual machines running on virtualized hardware. By using the Access Server appliance from their Marketplace, you can launch a VPN hosted in the cloud, with the following benefits:

Read on for your guide to getting started with your VPN server on the web.

To get started:

  1. Sign in to the Google Cloud Platform (GCP).

  2. Launch a new Access Server appliance through GCP. Or search for Access Server in the Google Cloud marketplace.

  3. Choose the instance launch options that work best for you.


    For IP forwarding, set the option to ON for a site-to-site VPN setup and OFF for remote access via NAT.

  4. Click Deploy to launch.

  5. Once the instance successfully deploys, save the Admin URL, user, and temporary password listed for the instance. The wizard displays these for you.

Once the new solution deploys, the wizard displays detailed information about your Access Server instance:

  • Site address: The URL where users can sign in to access clients and configuration downloads (Client Web UI).

  • Admin URL: The URL for the Admin Web UI where you can easily configure and manage your VPN solution.

  • Admin user: The username for signing in to the Admin Web UI.

  • Admin password (Temporary): A temporary password to sign in for the first time.

  • Instance: The instance’s name.

  • Instance zone: Where your GCP instance is deployed.

  • Instance machine type: The size chosen during launch configuration.

  • Log into the admin panel: Takes you to the Admin Web UI.

  • SSH: Connect to your instance using SSH.

Use this information to sign in to the Admin Web UI:

  1. Open the Admin URL in a web browser.

  2. The URL uses HTTPS; however, the instance starts with a self-signed certificate, so your web browser displays a security message you can click through. (We recommend uploading a trusted SSL certificate with your custom domain name.)

  3. Sign in with the admin user and temporary password.

  4. Read through the End User License Agreement and click Agree.

  5. The first time you sign in, you see the Activation Manager, where you can enter an activation key. Or you can start using Access Server immediately with two concurrent VPN connections.

We recommend changing the temporary password for the admin user. Follow these steps:

  1. Sign in to the Admin Web UI with the admin user and temporary password.

  2. Click User Management > User Permissions.

  3. Click More Settings next to your admin user.

  4. Enter a new password in the password field.

You can now begin creating users and testing out the VPN.

We recommend promoting the ephemeral IP address from Google into a static IP address. Refer to Google's documentation: Reserve a static external IP address | Compute Engine Documentation.

We recommend promoting an ephemeral external IP address, so the IP address doesn’t change. We also recommend setting up a hostname.

We recommend setting up a default hostname for users and administrators to connect to the VPN server rather than using the IP address. To do so, refer to Setting up your OpenVPN Access Server Hostname.


By default, the hostname for your Access Server on GCP is the ephemeral IP address and must be changed if you ever change your IP address for your instance.

You can start right away with two simultaneous connections to your VPN server. To add more connections, purchase a subscription from our site and activate it using the Admin Web UI: Purchasing And Activating A Subscription.

Once you’ve assigned a hostname for your Access Server, you can add a web server certificate and remove the security warning displayed by the browser. To do so, refer to Installing a valid SSL web certificate in Access Server.

The default time zone may not be the time zone that you're in. If you are in a different time zone, you can change this setting by running this command, then choose your appropriate time zone:

sudo dpkg-reconfigure tzdata

We recommend installing the NTP client to keep the time synchronized, but it's especially important for those that plan on using multi-factor authentication with TOTP. Run this command:

apt-get install ntp

By default, Access Server gives VPN clients access to your VPC using network address translation (NAT). Using this method, traffic originating from the VPN clients appears to come from Access Server’s local IP address.

However, one drawback of this method is that traffic from the VPC itself can’t directly access a VPN client as the NAT engine prevents it. To make a VPN client directly addressable via the VPC, configure Access Server with routing instead of NAT. When you enable and configure routing, Access Server keeps the source IP address of VPN-client packets intact, and it’s possible to have direct access from the VPC network to the VPN client. However, the VPC doesn’t automatically recognize the VPN subnet within the VPN instance, so it doesn’t know how to send the return traffic back to the instance. To correct this problem, add a static route in the Google routing table for your VPC so that the return traffic flows properly. To learn how to do this, refer to this document on Google VPC routing:

Routes | VPC | Google Cloud


A site-to-site VPN tunnel with routing requires you to turn on the IP forwarding option when you create the instance. If this option is off, any static routing within the VPN network fails. You must relaunch your instance with the correct parameter to correct this issue.

We recommend updating your Linux OS. From the time we've generated the appliance and you've downloaded and are using it, there are likely a number of updates. To make sure your appliance OS is up to date, execute the following commands:

sudo apt-get update
sudo apt-get upgrade

Strengthen Security