Google Cloud Platform BYOL Instance Quick Start Guide
OpenVPN Access Server provides a Google Cloud Platform (GCP) VPN that you can get up and running within minutes.
Working with GCP, you use their appliances, which are Linux-based virtual machines running on virtualized hardware. By using the OpenVPN Access Server appliance from their Marketplace, you can launch a VPN hosted in the cloud, with the following benefits:
- Quickly extend your GCP private networking to remote users and other sites.
- Create hub-and-spoke network topology, site-to-site, user-to-cloud, and various other secure VPN connections.
- Provide secure, remote access to applications deployed on appliances.
Read on for your guide to getting started with your VPN server on the web.
Launch the appliance
To get started:
- Sign in to the Google Cloud Platform (GCP).
- Launch a new Access Server appliance through GCP. Or, search for OpenVPN Access Server in the Google Cloud marketplace.
- Choose the instance launch options that work best for you.
- For IP forwarding, set the option to ON for a site-to-site VPN setup and OFF for remote access via NAT.
- Click Deploy to launch.
- Once the instance successfully deploys, save the Admin URL, user, and temporary password listed for the instance. The wizard displays these for you.
Sign into the Admin Web UI for the first time
Once the new solution deploys, the wizard displays detailed information about your OpenVPN Access Server instance:
- Site address: The URL where users can sign in to access clients and configuration downloads (Client Web UI).
- Admin URL: The URL for the Admin Web UI where you can easily configure and manage your VPN solution.
- Admin user: The username for signing in to the Admin Web UI.
- Admin password (Temporary): A temporary password to sign in for the first time.
- Instance: The instance’s name.
- Instance zone: Where your GCP instance is deployed.
- Instance machine type: The size chosen during launch configuration.
- Log into the admin panel: Takes you to the Admin Web UI.
- SSH: Connect to your instance using SSH.
Use this information to sign in to the Admin Web UI:
- Open the Admin URL in a web browser.
- The URL uses HTTPS; however, the instance starts with a self-signed certificate, so your web browser displays a security message you can click through. (We recommend uploading a trusted SSL certificate with your custom domain name.)
- Sign in with the admin user and temporary password.
- Read through the End User License Agreement and click Agree.
- The first time you sign in, you see the Activation Manager, where you can enter an activation key. Or you can start using Access Server immediately with two concurrent VPN connections.
Update the admin user account password
We recommend changing the temporary password for the admin user. Follow these steps:
- Sign in to the Admin Web UI with the admin user and temporary password.
- Click User Management > User Permissions.
- Click More Settings next to your admin user.
- Enter a new password in the password field.
- Click Save Settings and Update Running Server.
You can now begin creating users and testing out the VPN.
Assign a static IP address
We recommend promoting the ephemeral IP address from Google into a static IP address. Refer to Google's documentation: Reserve a static external IP address | Compute Engine Documentation.
We recommend promoting an ephemeral external IP address, so the IP address doesn’t change. We also recommend setting up a hostname.
Change default hostname (Admin UI)
We recommend setting up a default hostname for users and administrators to connect to the VPN server rather than using the IP address. To do so, refer to Setting up your OpenVPN Access Server Hostname.
Note: By default, the hostname for your Access Server on GCP is the ephemeral IP address and must be changed if you ever change your IP address for your instance.
Purchase and activate a license
You can start right away with two simultaneous connections to your VPN server. To add more connections, purchase a license from our site and activate it using the Admin Web UI: Purchasing And Activating A License Key.
Add a web server certificate (Admin Web UI)
Once you’ve assigned a hostname for your Access Server, you can add a web server certificate and remove the security warning displayed by the browser. To do so, refer to Installing a valid SSL web certificate in Access Server.
Change default time zone (SSH)
If you need to change the time zone of the instance, run this command:
sudo dpkg-reconfigure tzdata
The system will show the new local time after this setting is configured.
Install NTP client for automatic time synchronization (SSH)
We recommend everyone set this up, but especially those using multi-factor authentication.
apt-get install ntp
Set up static routes (optional)
By default, OpenVPN Access Server gives VPN clients access to your VPC using Network Address Translation (NAT). Using this method, traffic originating from the VPN clients appears to come from Access Server’s local IP address.
However, one drawback of this method is that traffic from the VPC itself can’t directly access a VPN client as the NAT engine prevents it. To make a VPN client directly addressable via the VPC, configure Access Server with routing instead of NAT. When you enable and configure routing, Access Server keeps the source IP address of VPN-client packets intact, and it’s possible to have direct access from the VPC network to the VPN client. However, the VPC doesn’t automatically recognize the VPN subnet within the VPN instance, so it doesn’t know how to send the return traffic back to the instance. To correct this problem, add a static route in the Google routing table for your VPC so that the return traffic flows properly. To learn how to do this, refer to this document on Google VPC routing:
Note: A site-to-site VPN tunnel with routing requires you to turn on the IP forwarding option when you create the instance. If this option is off, any static routing within the VPN network fails. You must relaunch your instance with the correct parameter to correct this issue.
Update operating system software (recommended)
From the time we’ve generated the appliance and the time you’ve downloaded and are using the appliance, operating system updates might have become available. To make sure your appliance operating system is up to date, execute the following commands on an SSH connection:
sudo apt-get update sudo apt-get upgrade
Further security recommendations
We also have security recommendations for all OpenVPN Access Server installations.