OpenVPN Server on Google Cloud Platform
In the top left, click the three horizontal lines (the navigation menu).
Search for Marketplace (aka Cloud Launcher).
In the search box, type “openvpn” and press Enter.
In my case it is the first result; click it to open the OpenVPN server page.
With the free option of OpenVPN Access Server you get two concurrent VPN connections at no cost.
You can obtain a software license if you need more than two concurrent connections.
You can customise the configuration later when deploying this solution.
Be sure to check the estimated monthly total.
Enable the Google APIs below before deploying the virtual machine instance with OpenVPN Access Server.
Enable these APIs from the “APIs & Services” page, or directly as instructed in the image below.
Compute Engine API: compute.googleapis.com
Creates and runs virtual machines on Google Cloud Platform.
Cloud Deployment Manager V2 API: deploymentmanager.googleapis.com
The Google Cloud Deployment Manager v2 API provides services for configuring, deploying, and viewing Google Cloud services and APIs via templates which specify deployments of Cloud resources.
Cloud Runtime Configuration API: runtimeconfig.googleapis.com
This Runtime Configurator allows you to dynamically configure and expose variables through Google Cloud Platform. In addition, you can also set Watchers and Waiters that will watch for changes to your data and return based on certain conditions.
After clicking the ENABLE button as per the above image, you will see something similar to this.
Choose a deployment name.
Select the zone and machine type, and set the source IP allowed to access this instance.
Check the infrastructure fee before proceeding to deploy.
Once everything is set, click DEPLOY.
Use the gcloud command below, or create a new firewall rule from the GCP Console:
gcloud compute --project=<project-name> firewall-rules create vm-openvpn-access-server-tcp-22 --direction=INGRESS --priority=1000 --network=<vpc-name> --action=ALLOW --rules=tcp:22 --source-ranges=0.0.0.0/0 --target-tags=<vm-tag>
Open https://<OpenVPN-Access-Server-IP>:943/admin/ in a browser and you will see something similar to the following.
Enter your username and password; after a successful login you are taken to the “Status Overview” page.
From the Admin page you can configure the server as needed.
Securing OpenVPN involves multiple layers of configuration and best practices. For user management, and especially for the administrative side of OpenVPN, securing access is essential. Here are some best practices:
Change the Default Password: If there's a default administrative password provided during the OpenVPN setup, change it immediately to prevent unauthorized access. Using a strong password is critical.
Add Extra Users with Least Privilege: If multiple individuals need access to the OpenVPN administration or its components, create separate user accounts for them. Always follow the principle of least privilege, meaning users should only have the permissions they need to do their job and nothing more. For instance, not everyone needs administrative rights.
Use Multi-Factor Authentication (MFA): If possible, implement multi-factor authentication for accessing the VPN. This provides an additional layer of security, ensuring that even if someone gets hold of a user's password, they still can't access the VPN without the second factor.
Restrict Access by Source IP: If you know the specific IP ranges or addresses that should have access to the administrative interface, restrict access to only those IPs.
Use TLS Authentication: This involves having a shared secret that needs to be present for a client to connect to the OpenVPN server, adding an extra layer of security on top of the regular username and password.
Regularly Update OpenVPN: Always keep your OpenVPN server and clients updated to ensure any security patches are applied.
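The source-IP restriction above can be checked against the project's firewall rules, including the tcp:22 rule created earlier with source range 0.0.0.0/0. The following is an added example, not part of the original page or of any Google or OpenVPN tooling: it scans rules in the JSON shape returned by `gcloud compute firewall-rules list --format=json` and reports those that leave SSH (22) or the admin UI port (943) open to every address. The sample rules are constructed, and every rule name except the first is hypothetical.

```python
import ipaddress

# Constructed sample, shaped like `gcloud compute firewall-rules list --format=json`
# output. Only the first rule name is from the page; the rest is made up.
SAMPLE_RULES = [
    {"name": "vm-openvpn-access-server-tcp-22", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "example-admin-ui", "direction": "INGRESS",
     "sourceRanges": ["203.0.113.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["943"]}]},
    {"name": "example-wide-range", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["900-1000"]}]},
    {"name": "example-vpn-udp", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "udp", "ports": ["1194"]}]},
]

ADMIN_TCP_PORTS = (22, 943)  # SSH and the admin UI port that appear on this page


def covers(port_spec, port):
    """True if a firewall port entry ("22" or "900-1000") includes the port."""
    low, _, high = port_spec.partition("-")
    return int(low) <= port <= int(high or low)


def is_open_to_world(cidr):
    """True for a range that matches every address (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_admin_rules(rules):
    """Return (rule name, port) pairs where an admin port is reachable from anywhere."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        if not any(is_open_to_world(r) for r in rule.get("sourceRanges", [])):
            continue
        for allow in rule.get("allowed", []):
            if allow.get("IPProtocol") not in ("tcp", "all"):
                continue
            specs = allow.get("ports")  # no port list means every port
            for port in ADMIN_TCP_PORTS:
                if specs is None or any(covers(s, port) for s in specs):
                    findings.append((rule["name"], port))
    return findings

if __name__ == "__main__":
    for name, port in exposed_admin_rules(SAMPLE_RULES):
        print(f"{name}: tcp/{port} is reachable from any source address")
```

To run it against a real project, load the saved JSON output of the gcloud list command with `json.load` and pass the resulting list to `exposed_admin_rules`.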
If no user has been created, you can use the same Admin credentials to log in.
Download and install the OpenVPN client connection profile for your machine's OS (use the latest version only).
I have installed it on my Windows OS.
Click the OpenVPN client to connect to the OpenVPN server.
Enter your user/admin credentials to connect.
After login, the status is set to CONNECTED if all is well.
Check the private IP assigned to your machine.