Connecting to a cloud network using OpenVPN
With TCP or UDP port tunnels and asymmetric encryption, you can create virtual networks. VPN can be used, for example, to:
- Connect geographically remote networks.
- Connect freelancers to the office network.
- Set up an encrypted connection over an open Wi-Fi network.
OpenVPN Access Server is compatible with the open-source version of OpenVPN.
An example of auto-connect and login-and-password configurations is shown below. To create a virtual network:
- Prepare your cloud.
- Create subnets and a test VM.
- Start the VPN server.
- Configure network traffic permissions.
- Get the administrator password.
- Activate license.
- Create an OpenVPN user.
- Connect to the VPN.
If you no longer need the VPN server, delete the VM.
Prepare your cloud
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page.
Learn more about clouds and folders.
Required paid resources
The cost of infrastructure support for OpenVPN includes:
- Fee for the disks and continuously running VMs (see Yandex Compute Cloud pricing).
- Fee for using a dynamic or a static public IP (see Yandex Virtual Private Cloud pricing).
- Fee for the OpenVPN Access Server license (when using more than two connections).
Create subnets and a test VM
To connect cloud resources to the internet, make sure you have networks and subnets.
Create a VM for the test without a public IP and connect it to a subnet.
Start the VPN server
Create a VM to be the gateway for VPN connections:
- On the folder page in the management console, click Create resource in the top-right corner.
- Select Virtual machine instance.
- Enter vpn-server as your VM name and add a description.
- Select the availability zone where the test VM is already located.
- Under Boot disk image, go to the Marketplace tab and select the OpenVPN Access Server image.
- Under Disks and file storages, enter 10 GB as your disk size.
- Under Computing resources:
  - Select the Intel Ice Lake platform.
  - Specify the number of vCPUs and the amount of RAM:
    - vCPU: 2.
    - RAM: 2 GB.
- Under Network settings:
  - Select the required network and subnet and assign a public IP address to the VM either by selecting it from the list or automatically.
    Only use static public IP addresses from the list or make the IP address static. Dynamic IP addresses may change after the VM reboots and the connections will no longer work.
  - If a list of Security groups is available, select a security group. If you leave this field empty, the default security group will be assigned.
- Under Access, specify the information required to access the instance:
  - In the Login field, enter the SSH username, for example, yc-user.
  - In the SSH key field, paste the contents of the public key file. You will need to create a key pair for the SSH connection yourself, see Creating an SSH key pair.
- Click Create VM.
- A window will open informing you of the pricing type: BYOL (Bring Your Own License). Click Create.
Configure network traffic permissions
Security groups act as a virtual firewall for incoming and outgoing traffic. See more about the default security group here.
- To enable OpenVPN Access Server to work, add the following rules to the default security group:
  Traffic direction  Description                  Port range  Protocol  Source  CIDR blocks
  Incoming           VPN Server                   443         TCP       CIDR    0.0.0.0/0
  Incoming           VPN Server                   1194        UDP       CIDR    0.0.0.0/0
  Incoming           Admin Web UI, Client Web UI  943         TCP       CIDR    0.0.0.0/0
  The VPN server can also serve VPN traffic over the HTTPS port, so if required you can leave only the TCP 443 port open. See also the settings in the Configuration → Network Settings tab of the server admin panel. Port 943 exposes the admin and client login pages; narrowing the source CIDR of that rule to the addresses administrators and users connect from limits who can reach them.
- If you have configured a security group of your own, make sure it allows traffic between the VPN server and the required resources. For example, they share the same security group and there is a Self rule for the whole group.
Get the administrator password
The openvpn user with administrator privileges was created on the OpenVPN server in advance. The password is generated automatically when you create the VM.
Get the password from the serial port output or the serial console. The password is displayed in the following string:
To log in, please use the `openvpn` account with the <password> password.
Where <password> is the openvpn user password.
Log in to the admin panel using the openvpn username and the obtained password.
If you do not get the password after launching the VPN server for the first time, you need to re-create the VM running OpenVPN Access Server. The password is not displayed again after a reboot.
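The following shell function is an added example, not part of the Yandex Cloud page or of OpenVPN Access Server: it pulls the generated password out of serial console text using the message format quoted above (and tolerates a quoted variant of the same line). The console text in the script is constructed, and the yc CLI command mentioned in the comment for fetching real serial output is an assumption.

```shell
#!/bin/sh
# Added example, not code from the Yandex Cloud page: extract the generated
# admin password from serial console output. SAMPLE_CONSOLE is constructed.
set -eu

# extract_admin_password: reads serial console text on stdin and prints the
# password token from the login hint line. It matches both the form quoted on
# the page ("... account with the <password> password.") and a variant where
# the password is wrapped in quotes. Returns 1 when the hint is absent, which
# is what you see after a reboot: the line is only printed on first boot.
extract_admin_password() {
    pw=$(sed -n 's/.*account with \(the \)\{0,1\}["`]\{0,1\}\([^ "`]*\)["`]\{0,1\} password\..*/\2/p' | head -n 1)
    [ -n "$pw" ] || return 1
    printf '%s\n' "$pw"
}

# Constructed sample of serial console output; the password value is made up.
SAMPLE_CONSOLE='[   12.345678] cloud-init[812]: Access Server initialised.
To log in, please use the `openvpn` account with the Xy7pQ2example password.
[   12.400000] Listening on https://0.0.0.0:943/admin/'

# With a real VM you would feed the serial port output in instead, e.g.
# (assumed yc CLI invocation):
#   yc compute instance get-serial-port-output --name vpn-server | extract_admin_password
printf '%s\n' "$SAMPLE_CONSOLE" | extract_admin_password
```

Pipe the real serial console output into the function; a non-zero exit means the hint line was not there, which is the case the page describes where the VM must be re-created.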
Activate license
Note
If you have up to two VPN connections, use the product for free (no activation required).
To activate the license:
- Create an account on openvpn.net.
- Enter the confirmation code received by email.
- In the Where would you like to Go? window, select the "Remember my choice" option and select the Access Server product.
- In the Tell us more window, select the purpose: Business use or Personal Use.
- On the Subscriptions tab, select the maximum number of connections in the How many VPN connections do you need? field and click Create.
- Your subscription will be displayed on the screen: Subscription 1.
- To copy the activation key, click Copy Key under Subscription Key.
Wait until the VM status changes to RUNNING and enter the activation key in the admin panel at https://<VM_public_IP_address>/admin/.
Create an OpenVPN user
OpenVPN Access Server provides two web interfaces:
- Client Web UI at https://<VM_public_IP_address>/. This interface is used by regular users to download client applications and configuration profiles.
- Admin Web UI at https://<VM_public_IP_address>/admin/. This interface is used to configure the server.
Note
By default, the server has a self-signed certificate installed. If you need to replace this certificate, follow the steps described here.
To create a user, log in to the admin panel:
- In the browser, open a URL, such as https://<VM_public_IP_address>/admin/.
- Enter the openvpn username and password (to learn how to get the admin password, see this section).
- Click Agree. This will open the home screen of the OpenVPN admin panel.
- Go to the User management tab and select User permissions.
- In the user list, enter the name of a new user in the New Username field, e.g., test-user.
- Click the pencil icon in the More Settings column and set the new user's password in the Password field.
- Click Save settings.
- Click Update running server.
Connect to the VPN
In the admin panel, you can download OpenVPN Connect.
To check that a connection is established and working properly, connect to the VPN and run the ping command for the test VM internal address:
Linux
- Install the openvpn package using the package manager:
  sudo apt update && sudo apt install openvpn
- Allow auto-connect for the test-user user:
  - Log in to the admin panel at https://<VM_public_IP_address>/admin/.
  - Open the User management → User permissions tab.
  - Enable the Allow Auto-login option in the user line.
- Configure routing:
  - Log in to the admin panel at https://<VM_public_IP_address>/admin/.
  - Open the Configuration → VPN Settings tab.
  - Under Routing, disable the Should client Internet traffic be routed through the VPN? option.
- Download a configuration profile:
  - In the browser, open the user panel at https://<VM_public_IP_address>/.
  - Log in using the test-user username and password.
  - In the Available Connection Profiles section, click Yourself (autologin profile) and download the profile-1.ovpn file.
  - You can also download a configuration file in the admin panel at https://<VM_public_IP_address>/admin/.
- Upload the configuration file to a Linux machine:
  scp profile-1.ovpn user@<IP_address>:~
- Move the configuration file to the /etc/openvpn folder:
  sudo mv /home/user/profile-1.ovpn /etc/openvpn
- Change the file extension from ovpn to conf:
  sudo mv /etc/openvpn/profile-1.ovpn /etc/openvpn/profile-1.conf
- Close access to the file:
  sudo chown root:root /etc/openvpn/profile-1.conf
  sudo chmod 600 /etc/openvpn/profile-1.conf
- The VPN connection will turn on automatically after restarting. To start the connection manually, run the command:
  sudo openvpn --config /etc/openvpn/profile-1.conf
  Result:
  2022-04-05 15:35:49 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
  2022-04-05 15:35:49 OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
  2022-04-05 15:35:49 library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
  2022-04-05 15:35:49 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
  2022-04-05 15:35:49 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
  2022-04-05 15:35:49 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
  2022-04-05 15:35:49 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
  2022-04-05 15:35:49 TCP/UDP: Preserving recently used remote address: [AF_INET]51.250.25.105:443
  2022-04-05 15:35:49 Socket Buffers: R=[131072->131072] S=[16384->16384]
  2022-04-05 15:35:49 Attempting to establish TCP connection with [AF_INET]51.250.25.105:443 [nonblock]
  ...
  2022-04-05 15:35:54 Initialization Sequence Completed
- Test the network using the ping command:
  sudo ping <internal_IP_address_of_the_test_VM>
  If the command is executed, the VM can be accessed via OpenVPN.
- To terminate a manually established connection, press Ctrl + C.
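The Linux steps above (place the profile in /etc/openvpn, rename .ovpn to .conf, lock it down to root with mode 600, then ping the test VM) collected into one script, as an added example that is not part of the Yandex Cloud page or of OpenVPN. It also adds the checks worth running before trusting the profile: that the file really ended up owner-only, which server address and protocol it points at (it should be the static public IP you assigned), and whether it is an autologin profile with an embedded certificate and key. The sample profile is constructed with placeholder key material and a documentation-range address; the chown step runs only when the script is executed as root, so the functions can be tried against a scratch directory first.

```shell
#!/bin/sh
# Added example, not code from the Yandex Cloud page or from OpenVPN.
# Installs an OpenVPN Access Server profile on a Linux client as the steps
# above describe and checks the result. SAMPLE_PROFILE is constructed.
set -eu

# install_ovpn_profile SRC_OVPN DEST_DIR
# Copies SRC_OVPN to DEST_DIR/<name>.conf (openvpn@<name>.service picks up
# *.conf files in /etc/openvpn at boot) and makes it owner-read/write only,
# because an autologin profile embeds the client's private key. Prints the path.
install_ovpn_profile() {
    src=$1
    dest_dir=$2
    dest="$dest_dir/$(basename "$src" .ovpn).conf"
    mkdir -p "$dest_dir"
    cp "$src" "$dest"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$dest"   # only possible as root; skipped in a scratch run
    fi
    chmod 600 "$dest"
    printf '%s\n' "$dest"
}

# profile_is_private FILE: succeeds only if FILE's mode is exactly 0600.
profile_is_private() {
    [ -n "$(find "$1" -perm 600 -print)" ]
}

# profile_remote FILE: prints "host port proto" from the first "remote" line;
# OpenVPN defaults to UDP when the protocol is omitted.
profile_remote() {
    awk '$1 == "remote" { print $2, $3, ($4 == "" ? "udp" : $4); exit }' "$1"
}

# profile_is_autologin FILE: an autologin profile carries an embedded client
# certificate and key and does not prompt for a username and password.
profile_is_autologin() {
    grep -q '<cert>' "$1" && grep -q '<key>' "$1" && ! grep -q '^auth-user-pass' "$1"
}

# check_tunnel TEST_VM_IP: the ping step from the page; exit status is ping's.
check_tunnel() {
    ping -c 3 -W 2 "$1" > /dev/null
}

# Constructed autologin-style profile; the certificate and key are placeholders
# and 198.51.100.10 is a documentation address standing in for the VPN server.
SAMPLE_PROFILE='client
dev tun
proto tcp
remote 198.51.100.10 443 tcp
remote 198.51.100.10 1194 udp
remote-cert-tls server
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----
</key>'

# write_sample_profile DIR: writes the constructed profile and prints its path.
write_sample_profile() {
    f="$1/profile-1.ovpn"
    printf '%s\n' "$SAMPLE_PROFILE" > "$f"
    printf '%s\n' "$f"
}

# Demo against a scratch directory standing in for /etc/openvpn.
work=$(mktemp -d)
conf=$(install_ovpn_profile "$(write_sample_profile "$work")" "$work/etc-openvpn")
profile_is_private "$conf" && echo "mode 0600 ok: $conf"
echo "server: $(profile_remote "$conf")"
profile_is_autologin "$conf" && echo "autologin profile: yes"
# On a real client you would then run:
#   sudo openvpn --config /etc/openvpn/profile-1.conf
#   check_tunnel <internal_IP_address_of_the_test_VM>
```

For a real install, call install_ovpn_profile with /etc/openvpn as the destination under sudo; profile_remote is the quick way to confirm the profile still points at the static address after a server IP change, and profile_is_autologin tells you whether the file on disk is one that grants access on its own and therefore needs the 0600 permissions.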
Windows
- Download the installation distribution:
  - In the browser, open the user panel at https://<VM_public_IP_address>/.
  - Log in using the test-user username and password.
  - Download OpenVPN Connect version 2 or 3 by clicking the Windows icon.
- Install and run OpenVPN Connect.
- A VPN connection will turn on automatically if auto-login is enabled in the user profile.
- A new configuration profile can be imported into the application. To do this, specify https://<VM_public_IP_address>/ or select a profile file.
- Open the terminal and run the ping <internal_IP_address_of_the_test_VM> command. If the command is executed, the VM can be accessed via OpenVPN.
macOS
- Download the installation distribution:
  - In the browser, open the user panel at https://<VM_public_IP_address>/.
  - Log in using the test-user username and password.
  - Download OpenVPN Connect version 2 or 3 by clicking the Apple icon.
- Install and run OpenVPN Connect.
- A VPN connection will turn on automatically if auto-login is enabled in the user profile.
- A new configuration profile can be imported into the application. To do this, specify https://<VM_public_IP_address>/ or select a profile file.
- Open the terminal and run the ping <internal_IP_address_of_the_test_VM> command. If the command is executed, the VM can be accessed via OpenVPN.
How to delete the resources you created
Delete the resources you no longer need to avoid being charged for them: