We will be using a docker image from linuxserver that has openvpn-as (OpenVPN Access Server) ready as our base container. OpenVPN Access Server is commercial software that requires licensing for more than 2 active connections, so this setup is only recommended for personal use.
Additionally, Google Cloud charges not only for compute hours but also for egress network traffic. While the compute hours can make use of the free-tier f1-micro instance, egress network traffic will be charged. If you are using tens of GiB of traffic a month, you are better off purchasing a VPN service, though you do not "own" your data that way.
Navigate to https://console.cloud.google.com and create a new compute instance with the following configuration:
- f1-micro (part of the free tier)
- 10 GB HDD
- Static external IP with either the Standard or the Premium network tier (see the networking pricing for more details)
- Choose a Container-Optimized OS boot disk image, which has docker preconfigured
- Allow HTTPS traffic (web server)
- Add an `openvpn` network tag for now; we will set up the firewall rules in the next section
We will be using the built-in web server for admin configuration access on port 943. The VPN tunnel will use port 9443 for TCP and 1194 for UDP. Navigate to VPC network -> Firewall, create the appropriate ingress and egress rules, and set Targets to the `openvpn` tag.
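Added example, not part of the original post: the firewall rules described above expressed as gcloud commands, split so that the admin UI on 943 is reachable only from the administrator's own address while the tunnel ports stay open to clients. It assumes the VM sits on the `default` VPC network; the `ADMIN_CIDR` value is a placeholder.

```sh
#!/bin/sh
# Added example, not part of the original post: gcloud equivalents of the
# firewall rules described above. The admin UI (tcp/943) is limited to the
# operator's own address; the tunnel ports (tcp/9443, udp/1194) stay open.
# Assumptions: the VM is on the "default" VPC network, and ADMIN_CIDR is a
# placeholder you replace with your own public address.
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.10/32}"   # placeholder (RFC 5737 range)
NETWORK="${NETWORK:-default}"
TAG="openvpn"                                  # network tag set on the VM

# Print the command instead of executing it when DRY_RUN is set, so the
# rules can be reviewed before anything is applied to the project.
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Admin web UI: reachable only from the administrator's address.
admin_rule() {
  run gcloud compute firewall-rules create openvpn-admin \
    --network="$NETWORK" --direction=INGRESS --action=ALLOW \
    --rules=tcp:943 --source-ranges="$ADMIN_CIDR" --target-tags="$TAG"
}

# VPN tunnel ports: clients may connect from anywhere.
tunnel_rule() {
  run gcloud compute firewall-rules create openvpn-tunnel \
    --network="$NETWORK" --direction=INGRESS --action=ALLOW \
    --rules=tcp:9443,udp:1194 --source-ranges=0.0.0.0/0 --target-tags="$TAG"
}

# Guard against the common mistake of exposing the admin port to the
# world: render both rules and fail if 943 ends up in a world-open rule.
check_rules() {
  admin=$(DRY_RUN=1; admin_rule)
  tunnel=$(DRY_RUN=1; tunnel_rule)
  case "$admin" in *"source-ranges=0.0.0.0/0"*) return 1 ;; esac
  case "$tunnel" in *"tcp:943"*) return 1 ;; esac
  return 0
}

# Apply only when explicitly asked: APPLY=1 sh firewall.sh
if [ "${APPLY:-}" = "1" ]; then
  check_rules && admin_rule && tunnel_rule
fi
```

Run with `DRY_RUN=1` first to print the two commands for review; the egress side needs no rule here because GCP's default network already allows all egress.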
Once the VM instance and firewall rules are configured, we should be able to boot up the instance and pull the openvpn-as docker image. Do

```bash
docker pull linuxserver/openvpn-as
# Host directory that will hold the persistent Access Server configuration
mkdir vpn-data
# Note: with --net=host Docker ignores the -p mappings (it prints a warning);
# the container binds 943, 9443 and 1194/udp directly on the host instead.
# /config is the linuxserver image's configuration path, mounted from vpn-data
docker create --name=openvpn-as --cap-add=NET_ADMIN -e PUID=1000 -e PGID=1000 \
  -p 943:943 -p 9443:9443 -p 1194:1194/udp --restart unless-stopped \
  -v "$(pwd)/vpn-data:/config" \
  --net=host --privileged linuxserver/openvpn-as
sudo docker container start openvpn-as
```
Now we should be able to enter the public IP in a browser and access the AS admin page. It should be something like `https://X.X.X.X:943/admin`. The default username and password are `admin` and `password`.
Note: Since this is a self-signed cert, it only provides encryption, not verification of the server's identity, so browsers like Chrome might not allow you to connect for security reasons. I used Safari.
For security purposes, it is recommended to remove the default `admin` user and create another user with admin privileges. To do that, go to User Management -> User Permissions. I have also created another user without admin privileges for connecting to the VPN. I have also enabled auto-login for convenience.
Then navigate to Configuration -> Network Settings -> Hostname or IP Address: and set the public IP of the VM instance here, so that later we can generate the correct profile to import into the VPN clients.
That's it!
Devices can simply navigate to `https://X.X.X.X:943` to log in using their own username and password (preconfigured by the admin), and they should see a user-friendly page for downloading the OS-specific client and profiles to import.
Devices can then import the downloaded profile and connect, or manually type in the info for the VPN. Keep in mind that the VPN server's web page is at `https://X.X.X.X:943`, while the actual VPN tunnel uses port 9443 (assuming TCP) or 1194 for UDP.
I can't get OpenVPN Connect on Mac to work: it connects, but it looks like all DNS requests aren't working. The open-source Tunnelblick works fine.