GCP Marketplace BYOL Instance Quick Launch Guide

Introduction

This document provides an overview for launching OpenVPN Access Server on Google Cloud Platform (GCP). The GCP Marketplace bring-your-own license (BYOL) instance is a 64-bit appliance based on Ubuntu LTS (Long Term Support). It’s simple to launch on your GCP VPC and get your VPN server up and running. To make it more convenient for you to deploy your server in the region closest to you, we currently offer the instance on the GCP Marketplace. With OpenVPN Access Server, you’ll have an enterprise VPN running in Google’s cloud services with the powerful Admin Web UI, providing you with the ease of configuration and management in a well-designed user interface.

Here’s the steps you take to launch your Access Server in GCP:

  1. Launch through GCP.
  2. Choose instance launch options.
  3. Sign in to Access Server Admin Web UI (with temporary password).
  4. Set password for admin account.
  5. Create users.

We’ve also included additional recommended and optional steps below.

Important notes about the BYOL licensing model

When you launch OpenVPN Access Server on GCP, you can get started immediately without purchasing a license from us. That’s because it comes with two free active VPN connections. When you’re ready to deploy it to users, then you can purchase and activate your subscription with more connections. This is in addition to the estimated monthly total for Google’s infrastructure and usage fees.

With the BYOL model, you purchase an activation key directly from our site and activate it on your Access Server installation. Refer to our pricing page for costs.

Launching the Appliance

To get started, launch a new Access Server appliance through GCP.

You can also search for OpenVPN Access Server in the Google Cloud marketplace.

The next section provides tips for choosing your instance launch options.

Instance Launch Options

  • Deployment name: Specify a name for your instance.
  • Zone: Specify the region for your VPN server.
  • Machine type: Choose the instance type and size for your VPN server. We recommend at least small (1 shared vCPU) or better.
  • Boot disk type: Standard Persistent Disk is appropriate since there is minimal disk I/O for the instance.
  • Boot disk size in GB: The instance, by default, comes with a 10 GB boot disk. You may increase this to a bigger number according to your needs, if necessary.
  • Network Interface:
    • Network and Subnetwork: Choose the network for your VPN server. We recommend placing it on the same network as your other resources if you need to reach those over the VPN network.
    • External IP: By default, the instance gets a dynamic (ephemeral) IP address. We recommend reserving a static IP address, which is in a later step.
  • Firewall: We’ve already configured the firewall rules for you for this instance. If you would like to restrict access to your instance, customize the IP access rules by defining source IP ranges for the firewall rules:
    • Source IP ranges for HTTPS traffic: Define the source IP address ranges that can access the TCP daemon for the VPN server. Blocking access to this port prevents users from connecting to the VPN server using TCP. By default, the Admin Web UI is available on this port.
    • Source IP ranges for TCP port 943 traffic: Define the source IP address ranges that can access OpenVPN Access Server’s Admin Web UI on TCP port 943. The range of IP addresses should be limited to your trusted IP ranges whenever possible.
    • Source IP ranges for UDP port 1194 traffic: Define the source IP address ranges that can access the UDP daemon for the VPN server. Blocking access to this port prevents users from connecting to the VPN server using UDP. Note that UDP is the default mode for the VPN server and clients automatically fallback to using TCP if the UDP protocol is unavailable or blocked.

If you click More you can enable or disable IP forwarding: Set this option to ON if you use the VPN server for a site-to-site tunnel; set this option to Off if you use the VPN server for remote access via NAT.

Click Deploy to initiate the launching process, which takes two-three minutes.

Once the instance successfully deployed, refer to the Admin URL, user and temporary password listed for the instance. The wizard displays these for you.

Signing into Admin Web UI for the First Time

Once the new solution deploys, the wizard displays detailed information about your OpenVPN Access Server instance:

  • Site address: The URL where users can sign in to access client and configuration downloads (Client Web UI).
  • Admin URL: The URL for the Admin Web UI where you can easily configure and manage your VPN solution.
  • Admin user: The username for signing in to the Admin Web UI.
  • Admin password (Temporary): A temporary password to sign in for the first time.
  • Instance: The instance’s name.
  • Instance zone: Where your GCP instance is deployed.
  • Instance machine type: The size chosen during launch configuration.
  • Log into the admin panel: Takes you to the Admin Web UI.
  • SSH: Connect to your instance using SSH.

Use this information to sign in to the Admin Web UI:

  1. Open the Admin URL in a web browser.
  2. The URL uses HTTPS, however the instance starts with a self-signed certificate so your web browser displays a security message about this that you can click through. (We recommend uploading a trusted SSL certificate with your own custom domain name.)
  3. Sign in with the Admin user and temporary password.
  4. Read through the End User License Agreement and click Agree.
  5. The first time you sign in, you see the Activation Manager where you can enter an activation key. Or you can use Access Server with two concurrent VPN connections.

Update the Admin user account password

We recommend changing the temporary password for the Admin user. To do so, connect to the instance with SSH:

  1. Click the SSH button to access the instance via SSH.
  2. In the window that pops up, enter this command:
    • sudo passwd openvpn
  3. Enter the new password and confirm it.
  4. When you sign in with the openvpn Admin user in the future, use the new password.

You can now begin creating users and testing out the VPN. The additional steps below are optional and/or recommended.

Assign a Static IP Address

We recommend promoting the ephemeral IP address from Google into a static IP address. To do this, from the details of your instance, find the Suggested next steps. Under the last item, Assign a static external IP address to your VM instance, click Learn more.

We recommend promoting an ephemeral external IP address so the IP address doesn’t change. We also recommend setting up a hostname, detailed next.

Changing Default Hostname (Admin Web UI)

We recommend setting up a default hostname for users and administrators to connect to the VPN server rather than using the IP address. To do so, refer to Setting up your OpenVPN Access Server Hostname.

Note: By default, the hostname for your Access Server on GCP is the ephemeral IP address and must be changed if you ever change your IP address for your instance.

Adding a Web Server Certificate (Admin Web UI)

Once you’ve assigned a hostname for your Access Server, you can add a web server certificate and remove the security warning displayed by the browser. To do so, refer to Installing a valid SSL web certificate in Access Server.

Changing Default Timezone (SSH)

The default timezone is set to UTC. Use the following command to change this setting:

sudo dpkg-reconfigure tzdata

The system shows the new local time after you configure this setting.

Set up static routes (optional)

By default, OpenVPN Access Server gives VPN clients access to your VPC by using the Network Address Translation (NAT). Using this method, traffic originating from the VPN clients appears to come from Access Server’s local IP address. For that reason, routing isn’t necessary and is much easier to implement. However, one drawback of using this method is that traffic from the VPC itself cannot directly access a VPN client as the NAT engine prevents such direct contact. In order to allow a VPN client to be directly addressable via the VPC, you must configure Access Server to use the routing method instead of NAT. When you enable and configure routing, Access Server keeps the source IP address of packets VPN clients intact, and it’s possible to have direct access from the VPC network to the VPN client. However, because the VPC does not automatically recognize the VPN subnet within the VPN instance, it doesn’t know how to send the return traffic back to the instance. To correct this problem, you must add a static route in the Google routing table for your VPC so that the return traffic flows properly. To learn how to do this see this document on Google VPC routing:

Note: A site-to-site VPN tunnel with routing requires you turn on the IP forwarding option when you create the instance. If this option was turned off initially, any static routing within the VPN network will fail. You must relaunch your instance with the correct parameter in order to correct this issue.

Updating Operating System Software (recommended)

From the time we’ve generated the appliance and the time you’ve downloaded and are using the appliance, operating system updates might have become available. To make sure your appliance operating system is up to date, execute the following commands:

sudo apt-get update
sudo apt-get upgrade

Further security recommendations

We also have some security recommendations that you should implement as well, which apply to all OpenVPN Access Server installations.