Setting up a VPN on Google Cloud Platform

Introduction

Hi there, a few days ago I found this amazing repository, setup-ipsec-vpn, that has a cool set of scripts to set up an IPsec VPN on almost any OS. These bash scripts are so powerful that you basically don't need anything else, of course you will need access to a VM😁. The scripts are not meant to be run on your regular PC or laptop; even if you try to run them on your PC you won't be able to. The scripts are so cool that they even cover this possibility, that you run them on your PC by mistake.

Of course, there's a part that the scripts cannot cover: working with your particular cloud. I tried to set up this VPN on Google Cloud Platform and Azure, and honestly the easiest way was with Google Cloud Platform, maybe because I'm not so familiar with Azure. The repository even has documentation for doing this on Azure and Amazon Web Services, but nothing about GCP, so I will try to write one here. Let's go then.

Prerequisites

  1. First things first, a Google Cloud Platform account. Unless you don't have a credit card, it will be very easy for you to create a GCP account.
  2. I will try to make use of only the terminal, so in case you want to follow me through the whole process, you will need the gcloud CLI. The previous link contains steps to install it.

Is that all? It seems so. Pretty cool, Gealber, just that. Well, the first requirement could be a big deal, it just depends on which part of the world you live in. Ok, let's skip that explanation, that's for another post.

High level explanation

We will need to accomplish the following steps:

  1. Create a firewall rule that will accept UDP and TCP connections on ports 500 and 4500.
  2. Create a VM, and associate this firewall rule with this VM.
  3. Test if all this works )). In case you don't know what "))" means, these are smiley faces for Russians, Belarusians, etc… I know, weird guys, tell me about it.

sketch

Starting

Creating firewall rule from the terminal

In the following command, keep in mind that <NAME OF YOUR PROJECT> should contain the name of your Google Cloud project. In order to list all your Google Cloud projects you can run the following command:

gcloud projects list

Creating firewall rule

gcloud compute --project=<NAME OF YOUR PROJECT> firewall-rules create vpn-ipsec --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:500,tcp:4500,udp:500,udp:4500 --source-ranges=0.0.0.0/0 --target-tags=vpn-ipsec

Here the name of the rule is "vpn-ipsec", and the target tag that I declared has the same name; later we will use this tag when creating the VM.

Creating the VM, and associating the firewall rule with this VM

Before creating the VM, take into consideration that here you have several options that you should explore by yourself; in my case just using the default values was good. On this step I honestly recommend you to go into the Google Cloud Platform console and use the browser, so you can be aware all the time of what you enabled and what you didn't.

Things that you MUST enable:

  1. On network tags, add the tag that we used for creating the firewall rule, a very important step. In our case it is vpn-ipsec.
  2. Enable IP Forwarding, it's just below the previous step, just a click.
  3. Add this one-line bash command as the startup script, it is the last option:
curl -sLo vpn.sh https://git.io/vpnstart && sudo sh vpn.sh

Now you are good to go: create the VM and wait around 5 minutes, to give the script enough time to run.
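The post does the VM step in the browser. As an added example, not code from the post or from the setup-ipsec-vpn project, here is a Python script that builds the equivalent gcloud commands (the firewall rule from above plus an instances create call with --tags, --can-ip-forward and the startup script) and then reads the describe JSON of both resources to confirm the rule opens only 500/4500 over tcp and udp, is scoped to the vpn-ipsec tag, and that the instance carries that tag, has IP forwarding on and has a startup script. The instance name vpn-server, the machine type and the image are my assumptions, and the JSON field names follow the Compute API; the sample describe output embedded in the script is constructed. The 0.0.0.0/0 source range is intended, VPN clients come from anywhere, which is exactly why the check insists the rule is tied to the tag and to nothing but those four port/protocol pairs.

```python
"""Terminal-only version of the firewall rule + VM steps, plus a post-deploy check.

Added example for this post; not code from the post or from setup-ipsec-vpn.
Assumptions (not from the post): instance name "vpn-server", machine type
e2-micro, Debian 12 image, and the Compute API field names in the describe JSON.
"""
import json
import shlex
import subprocess
import sys

TAG = "vpn-ipsec"                 # rule name and network tag, as in the post
VPN_PROTOS = ("tcp", "udp")
VPN_PORTS = ("500", "4500")       # IKE and NAT-T: the only ports the rule should open
STARTUP = "curl -sLo vpn.sh https://git.io/vpnstart && sudo sh vpn.sh"  # the post's one-liner


def firewall_create_cmd(project):
    """argv for the post's firewall rule. 0.0.0.0/0 is intended: clients come from anywhere."""
    rules = ",".join(f"{p}:{port}" for p in VPN_PROTOS for port in VPN_PORTS)
    return ["gcloud", "compute", f"--project={project}", "firewall-rules", "create", TAG,
            "--direction=INGRESS", "--priority=1000", "--network=default", "--action=ALLOW",
            f"--rules={rules}", "--source-ranges=0.0.0.0/0", f"--target-tags={TAG}"]


def instance_create_cmd(project, zone, name="vpn-server"):
    """argv equivalent of the three MUST-enable console options: tag, IP forwarding, startup script."""
    return ["gcloud", "compute", "instances", "create", name,
            f"--project={project}", f"--zone={zone}",
            "--machine-type=e2-micro",                                    # assumption
            "--image-family=debian-12", "--image-project=debian-cloud",   # assumption
            f"--tags={TAG}", "--can-ip-forward",
            f"--metadata=startup-script={STARTUP}"]


def check_firewall(rule):
    """rule: dict from `gcloud compute firewall-rules describe TAG --format=json`.
    Returns findings; an empty list means the rule matches the intended configuration."""
    findings = []
    if rule.get("direction") != "INGRESS":
        findings.append("direction is not INGRESS")
    allowed = set()
    for entry in rule.get("allowed", []):
        # An allow entry without "ports" means every port of that protocol.
        for port in entry.get("ports", ["all"]):
            allowed.add((entry.get("IPProtocol"), port))
    expected = {(p, port) for p in VPN_PROTOS for port in VPN_PORTS}
    if expected - allowed:
        findings.append(f"missing allow entries: {sorted(expected - allowed)}")
    if allowed - expected:
        findings.append(f"rule allows more than IKE/NAT-T: {sorted(allowed - expected)}")
    if TAG not in rule.get("targetTags", []):
        findings.append(f"rule is not scoped to tag {TAG} (it would apply to every VM in the network)")
    return findings


def check_instance(inst):
    """inst: dict from `gcloud compute instances describe NAME --format=json`."""
    findings = []
    if TAG not in inst.get("tags", {}).get("items", []):
        findings.append(f"instance lacks network tag {TAG}; the firewall rule will not apply to it")
    if not inst.get("canIpForward"):
        findings.append("IP forwarding is disabled")
    meta = {i["key"]: i.get("value", "") for i in inst.get("metadata", {}).get("items", [])}
    if "startup-script" not in meta:
        findings.append("no startup-script metadata; the VPN installer will never run")
    return findings


# Constructed sample describe output: real Compute API field names, made-up values.
SAMPLE_RULE = {"name": TAG, "direction": "INGRESS", "priority": 1000,
               "allowed": [{"IPProtocol": "tcp", "ports": ["500", "4500"]},
                           {"IPProtocol": "udp", "ports": ["500", "4500"]}],
               "sourceRanges": ["0.0.0.0/0"], "targetTags": [TAG]}
SAMPLE_INSTANCE = {"name": "vpn-server", "canIpForward": True, "tags": {"items": [TAG]},
                   "metadata": {"items": [{"key": "startup-script", "value": STARTUP}]}}


def describe(*args):
    """Run a gcloud describe and parse its JSON output."""
    out = subprocess.run(["gcloud", *args, "--format=json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out)


def main(argv):
    # usage: vpn_gcp.py PROJECT ZONE [--dry-run]
    project, zone = argv[1], argv[2]
    if "--dry-run" in argv:  # print the commands and check the constructed samples offline
        print(shlex.join(firewall_create_cmd(project)))
        print(shlex.join(instance_create_cmd(project, zone)))
        findings = check_firewall(SAMPLE_RULE) + check_instance(SAMPLE_INSTANCE)
    else:
        subprocess.run(firewall_create_cmd(project), check=True)
        subprocess.run(instance_create_cmd(project, zone), check=True)
        findings = check_firewall(describe("compute", "firewall-rules", "describe", TAG,
                                           f"--project={project}"))
        findings += check_instance(describe("compute", "instances", "describe", "vpn-server",
                                            f"--project={project}", f"--zone={zone}"))
    for f in findings:
        print("FINDING:", f)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 vpn_gcp.py <NAME OF YOUR PROJECT> us-central1-a --dry-run` to see the two commands it would issue; without --dry-run it creates both resources and exits non-zero if the describe output disagrees with what the post intends, which is also a cheap way to catch someone later widening the rule or dropping the tag.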

Enabling IKEv2 and extracting client connect info

We will need to connect to our VM instance through the console; you can find information about this procedure on the same instances page in Google Cloud Platform. From the Google Cloud documentation you can see that you can connect to your VM using ssh.

ssh -i PATH_TO_PRIVATE_KEY USERNAME@EXTERNAL_IP

Once connected to your VM instance, we need to add a client to this VPN server in order to be able to connect to it. Let's add this client:

sudo ikev2.sh --addclient gealber

You can change the name of the client to one of your own, it's your choice, although gealber is a cool name for your client, so let's just leave it as it is.

After running this command you should have the following files in your current directory:

.
├── gealber.mobileconfig
├── gealber.p12
├── gealber.sswan

Basically these are the configuration files that you will need in order to connect to the VPN, so let's copy them to your local machine. Yes, they are in the VM, not on your local one.

scp <username>@<external-ip-address>:~/gealber.sswan .

scp will copy, over ssh, the file gealber.sswan from the VM to my current directory. I only copied this file, given that it is the only one needed to connect to the VPN from an Android device.

In order to use this file you will need the password to import it into the Android app; this password was generated during the startup of the VM by the helper script. You can fetch that password very easily by inspecting the logs of your VM instance like this:

gcloud logging read "resource.type=gce_instance" | grep -i "Password"

YOU SHOULDN’T LOSE THIS PASSWORD

Connecting

The documentation for connecting to this VPN server can be found in the repository that I mentioned before; here I leave you a link in case you need it.

ikev2 client connection Android

This link has a detailed description of how to connect to the VPN using the .sswan configuration file.

That’s all )).