VPN server on Google Compute Engine with OpenVPN

Solution 1:

You can solve the issue of not being able to browse the web through the VPN despite being able to ping, traceroute, etc. in one of the following two ways:

First, you can use TCP protocol instead of UDP, by changing 'proto udp' to 'proto tcp' in both client and server conf files.

Second, you can use tap device instead of tun, by changing 'dev tun' to 'dev tap' in both client and server conf files.

Not sure what the issue is though, it seems it's a problem from Google's end.

Solution 2:

First of all, thanks to @Shivox for his answer.

And here is the quick how-to:

  • I recommend you create an additional network (see the "Networks" tab). In the network preferences, add allow rules for: tcp:22 (if it does not exist), tcp:9700, tcp:17619. 17619 here is variable - change it to any port you like (range is 9075-65534). You only need 3 rules and 2 default routes, nothing else.
  • Go to "Create Compute Engine instance", click "Show advanced options", allow port forwarding, select the location of the server.
  • Now (once you've selected the location), add a static IP to the server.
  • Select Ubuntu 14.04 image (exactly this version).
  • Create instance
  • Connect via SSH (the easiest way is the in-browser tool from the GCE panel)
  • sudo su
  • apt-key update && apt-get update && apt-get -y upgrade && apt-get -y install python-software-properties && apt-get -y install software-properties-common && add-apt-repository -y ppa:pritunl && apt-get update && apt-get -y install pritunl
  • In browser open https://instance_ip:9700
  • On question about DB, click "Save"
  • In login window, use pritunl as username and password
  • Now change username and password of admin user
  • Add organization, then 2 users (for desktop and mobile)
  • Click "Add server" in "Servers" tab
  • Use the port number from the first step (17619 in the example) and the tcp protocol.
  • Attach organization to server
  • Start server
  • In "Users" tab download keys for both users (tar archives with ovpn files inside).

I use Viscosity for OS X and OpenVPN connect for iOS as clients. In Viscosity, turn on "Send all traffic over VPN connection" option in "Networking" tab.


Solution 3:

Please remember that Google VPC drops packets that have a source IP other than the internal IP of a VM that has an external IP.

This doc https://cloud.google.com/compute/docs/vpc/advanced-vpc states:

The VPC network rewrites the IP header to declare the instance's external IP address as the source. If the instance has no external IP address, the call is not allowed, and the VPC network drops the packet without informing the sender.

So if your OpenVPN is just forwarding packets from the other network, then the packets to the public internet will be dropped, as the source IP does not match any existing VM's internal IP. For this reason you need to NAT the packets leaving your local network, e.g. on your VPN node.

Chain POSTROUTING (policy ACCEPT)
target      prot opt source              destination         
MASQUERADE  all  --  192.168.0.0/16      !192.168.0.0/16

"Pritunl", mentioned in OZ_'s answer, works because it configures the NAT automatically.


Solution 4:

This is not really an answer, but the site didn't allow me to add it as a comment to your question.

Nevertheless, I have almost the exact same configuration you detailed above (I didn't configure dnsmasq on the server though).

Unfortunately, the VPN is not working as expected. I can resolve an address, ping some Internet hosts and even make a complete trace while connected to the VPN. However, when I open the browser and navigate to a site, the connection is really slow. I don't know what can be affecting the connection, but it is a really strange problem.

Maybe someone from Google can help us know what is going on.

PS 1. As other people have suggested before, can you verify that IP forwarding is enabled? For me, the only way to ensure the value of net.ipv4.ip_forward was properly restored after a reboot was to use a custom rule in /etc/sysctl.d.

For example, you can add the rule using the following command:

$ echo "net.ipv4.ip_forward = 1" | sudo tee /etc/sysctl.d/90-useroverrides.conf

PS 2. If forwarding works for you, can you test a traceroute to an external host while connected to the VPN? The output I got when I do this is a bit strange (why are there multiple hops on the same IP????):

$ sudo traceroute www.yahoo.com -T -p 80 -N 1 -z 0.5 -q 1
traceroute to www.yahoo.com (98.139.183.24), 30 hops max, 60 byte packets
 1  209.85.241.26 (209.85.241.26)  0.764 ms
 2  209.85.241.34 (209.85.241.34)  0.668 ms
 3  209.85.241.26 (209.85.241.26)  0.966 ms
 4  209.85.241.36 (209.85.241.36)  0.702 ms
 5  209.85.241.28 (209.85.241.28)  0.865 ms
 6  209.85.241.36 (209.85.241.36)  0.642 ms
 7  209.85.241.26 (209.85.241.26)  0.921 ms
 8  209.85.241.28 (209.85.241.28)  18.837 ms
 9  72.14.238.107 (72.14.238.107)  13.378 ms
10  72.14.237.131 (72.14.237.131)  38.275 ms
11  209.85.254.131 (209.85.254.131)  13.349 ms
12  *
13  ae-8.pat1.bfz.yahoo.com (216.115.101.231)  44.903 ms
14  ae-4.msr1.bf1.yahoo.com (216.115.100.25)  45.323 ms
15  xe-10-3-1.clr1-a-gdc.bf1.yahoo.com (98.139.232.101)  47.382 ms
16  et18-25.fab6-1-sat.bf1.yahoo.com (98.139.128.103)  45.793 ms
17  po-13.bas1-7-prd.bf1.yahoo.com (98.139.129.209)  41.143 ms
18  ir2.fp.vip.bf1.yahoo.com (98.139.183.24)  42.451 ms

PS 3. The only thing that seems to work properly is that the VPN is using the external IP of my host to access the Internet:

$ sudo curl --interface tun0 checkip.dyndns.org
<html><head><title>Current IP Check</title></head><body>Current IP Address: 107.178.XXX.XXX</body></html>
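Putting together the NAT requirement from Solution 3 and the IP-forwarding check from PS 1 of Solution 4, here is an added example (not code from any of the answers above, nor from Pritunl or Google) that checks a VPN node for the two settings forwarded client traffic needs on GCE: net.ipv4.ip_forward set to 1, and a MASQUERADE rule in the nat POSTROUTING chain for the VPN client subnet. The functions read captured command output, so they can be exercised on text without root; on a real host you would feed them `sysctl -n net.ipv4.ip_forward` and `iptables -t nat -L POSTROUTING -n`. The VPN subnet 192.168.0.0/16 (taken from the listing in Solution 3), the egress interface name eth0, and the sysctl.d file name are assumptions; the remediation commands are printed for review, not executed.

```shell
#!/bin/sh
# Added example: verify forwarding + NAT on a GCE VPN node (not from the answers above).
# Assumptions: VPN client subnet 192.168.0.0/16, egress interface eth0,
# sysctl override file /etc/sysctl.d/90-useroverrides.conf.

# Returns 0 when the sysctl value on stdin (output of
# `sysctl -n net.ipv4.ip_forward`) is exactly "1".
ip_forward_enabled() {
    [ "$(tr -d '[:space:]')" = "1" ]
}

# Returns 0 when the POSTROUTING listing on stdin (output of
# `iptables -t nat -L POSTROUTING -n`) contains a MASQUERADE rule whose
# source column is the given VPN subnet. Columns: target prot opt source destination.
has_masquerade() {
    awk -v net="$1" '$1 == "MASQUERADE" && $4 == net { found = 1 } END { exit found ? 0 : 1 }'
}

# Prints the commands that would add whatever is missing, one per line.
# $1 = VPN subnet, $2 = egress interface, $3 = sysctl value, $4 = nat listing.
# Nothing is printed when the host already has both settings.
remediation() {
    net="$1"; iface="$2"; fwd="$3"; nat="$4"
    cmds=""
    if ! printf '%s\n' "$fwd" | ip_forward_enabled; then
        # Persist the setting (the redirect runs as root via tee) and reload sysctl.
        cmds="${cmds}echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/90-useroverrides.conf && sudo sysctl --system
"
    fi
    if ! printf '%s\n' "$nat" | has_masquerade "$net"; then
        # Rewrite the source of VPN-client packets leaving for any non-VPN
        # destination, so the VPC sees the VM's own internal IP as source.
        cmds="${cmds}sudo iptables -t nat -A POSTROUTING -s $net ! -d $net -o $iface -j MASQUERADE
"
    fi
    printf '%s' "$cmds"
}

# --- constructed sample outputs, modelled on the listing in Solution 3 ---
NAT_OK='Chain POSTROUTING (policy ACCEPT)
target      prot opt source              destination
MASQUERADE  all  --  192.168.0.0/16      !192.168.0.0/16'

NAT_MISSING='Chain POSTROUTING (policy ACCEPT)
target      prot opt source              destination'

# Demo: the healthy host prints nothing; the broken one prints both fix-up commands.
echo "== host with forwarding and NAT =="
remediation 192.168.0.0/16 eth0 1 "$NAT_OK"
echo "== host missing both =="
remediation 192.168.0.0/16 eth0 0 "$NAT_MISSING"
```

The check deliberately looks at the source column rather than just grepping for the word MASQUERADE, so a rule written for some other subnet does not pass as the VPN rule. The MASQUERADE rule itself matches the listing in Solution 3: client traffic destined for another VPN client is left alone (the `! -d` clause), and everything else gets the VM's address as it leaves, which is what the VPC's source-IP check requires.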