Movatterモバイル変換

[0]ホーム
URL:

bald man icon

Setting up aVPN on Google Cloud Platform

Introduction

Hi there, a few days ago I found this amazing repository,setup-ipsec-vpn, that have a cool set of scripts to setup a IPSecVPN on almost any OS. These bash scripts are so powerful, you basically don’t need anything else, of course you will need access to aVM😁. The scripts are not meant to be run on your regular PC or Laptop, even if you try to run them on your PCyou won’t be able. The scripts are so cool, that they covered even this possibility, that you by mistake run them on you PC.

Of course, there’s a part that the scripts cannot cover, is the part of working with your particular Cloud. I tried to setup thisVPN on Google Cloud Platform and Azure, and honestly the easiest way was with Google Cloud Platform, maybe because I’m not so familiar with Azure. The repository have even documentation to achieve this, in Azure and Amazon Web Services, but nothing about GCP, so I will try to make one here. Let’s go then.

Prerequisites

  1. First things first, a Google Cloud Platform, at least you don’t have credit card, it will be very easy for you to create a GCPaccount.
  2. A will try to make use of only the terminal, so in case you want to follow me in all the process, you will needgcloud cli. The previous link contains steps to install it.

Is that’s all? It seems so, pretty cool Gealber, just that, the first requirement could be a good deal, just depends on which part of the world you leave. Ok, let’s jump that explanation, that’s for another post.

High level explanation

We will need to accomplish the following steps:

  1. Create a firewall rule that will acceptUDP andTCP connections on ports 500 and 4500.
  2. Create aVM, and associate this firewall rule to thisVM.
  3. Test if all this works )), in case you don’t know what means “))”, this are smiley faces for Russians, Belorussians, etc… I know weird guys, tell me about it.

sketch

Starting

Creating firewall rule from the terminal

In the following command, keep in mind that, should contains the name of your Google Cloud Project, in order to list all your Google Cloud Projects you could run the following command:

gcloud projects list

Creating firewall rule

gcloud compute --project=<NAME OF YOUR PROJECT> firewall-rules create vpn-ipsec --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:500,tcp:4500,udp:500,udp:4500 --source-ranges=0.0.0.0/0 --target-tags=vpn-ipsec

Here the name of the rule is “vpn-ipsec”, and the tag that I declared has the same name, later we will use this tag in the creation of theVM.

CreatingVM, and associating firewall rule to theseVM

Before creating theVM you should take into consideration that here you have several options that you should explore by yourself, in my case just using the default values are good. On this step I honestly recommend you to enter intoGoogle Cloud Platform and use the browser, so you could be aware all the time of what you enabled and what you didn’t.

Things that you MUST enable:

  1. On network tags, add the tag that we used for creating the firewall rule, very important step. In our case isvpn-ipsec.
  2. EnableIP Forwarding, is just bellow the previous step, just a click.
  3. Add this one line bash as the default start up command, is the last option:
curl -sLo vpn.sh https://git.io/vpnstart && sudo sh vpn.sh

Now you are good to go, create theVM and wait around 5 minutes, to give enough time the script to run.

Enabling IKEv2 and extracting client connect info

We will need to connect to ourVM instance through the console, you can find information about this procedure in the same page of the instances in Google Cloud Platform. FromGoogle Cloud documentation you can see that using ssh you can connect to yourVM.

ssh -i PATH_TO_PRIVATE_KEY USERNAME@EXTERNAL_IP

Once connected to yourVM instance, we need to add a client to this vpn server in order to be able to connect to it.Let’s add this client:

sudo ikev2.sh --addclient gealber

You can change the name of the client for one of your own, is your choice, althoughgealber is a cool name for you client, let’s just leave it as so.

Now after the execution of this command you must have in your current directory the following files:

.├── gealber.mobileconfig├── gealber.p12├── gealber.sswan

Basically these are configuration files that you will need to have in order to connect to theVPN, so let copy them to your local machine. Yes they are in theVM, not the local one.

scp <username>@<external-ip-address>:~/gealber.sswan .

scp will copy through ssh the filegealber.sswan in theVM to my current directory. I only copied this file, given that is the only one needed to connect to theVPN with an Android device.

In order to use this file you will need a password for extracting this file in the Android app, this password was generated on the start up of theVM by the helper script. You can fetch that password very easy inspecting the logs of yourVM instance on this way:

gcloud logging read "resource.type=gce_instance" | grep -i "Password"

YOU SHOULDN’T LOSE THIS PASSWORD

Connecting

The documentation to connect to thisVPN server, could be found in the repository that I mention before, here I leave you a link in case you need it.

ikev2 client connection Android

In this link there’s a detailed description of how to connect to theVPN having the .sswan configuration file.

That’s all )).

[8]ページ先頭
©2009-2025 Movatter.jp