Contact UsGet started

Connecting to a cloud network using OpenVPN

Written by
Updated at September 24, 2024

With TCP or UDP port tunnels and asymmetric encryption, you can create virtual networks. For example, you can use VPN to do the following:

  • Connect geographically remote networks.
  • Connect freelancers to the office network.
  • Set up an encrypted connection over an open Wi-Fi network.

OpenVPN Access Server is compatible with the open-source version of OpenVPN and built on its basis. It provides clients for Windows, Mac, Android, and iOS and is used to manage connections using a web interface.

An example of auto-connect and login-and-password configurations is shown below. To create a virtual network:

  1. Prepare your cloud.
  2. Create subnets and a test VM.
  3. Start the VPN server.
  4. Configure network traffic permissions.
  5. Get the administrator password.
  6. Activate license.
  7. Create an OpenVPN user.
  8. Connect to the VPN.

If you no longer need the VPN server, delete the VM.

Prepare your cloud

Sign up for Yandex Cloud and create a billing account:

  1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

The cost of infrastructure support for OpenVPN includes:

Create subnets and a test VM

To connect cloud resources to the internet, make sure you have networks and subnets.

Create a test VM without a public IP address and connect it to the subnet.

Start the VPN server

Create a VM to be the gateway for VPN connections:

  1. On the folder page in the management console, click Create resource in the top-right corner and select Virtual machine instance.

  2. Enter vpn-server as your VM name and add a description.

  3. Select the availability zone where the test VM is already located.

  4. Under Boot disk image, go to the Marketplace tab and select the OpenVPN Access Server image.

  5. Under Disks, enter 20 GB as your disk size.

  6. Under Computing resources, navigate to the Custom tab and specify:

    • Platform: Intel Ice Lake
    • vCPU: 2
    • RAM: 2 GB

  7. Under Network settings:

    • Select the required network and subnet and assign a public IP address to the VM either by selecting it from the list or automatically.

      Either use static public IP addresses from the list or convert the VM IP address to static. Dynamic IP addresses may change after the VM reboots and the connections will no longer work.

    • If a list of Security groups is available, select a security group. If you leave this field empty, the default security group will be assigned.

  8. Under Access, specify the data for access to the VM:

    • In the Login field, enter the SSH username, e.g., yc-user.

    • In the SSH key field, paste the contents of the public key file.

      You will need to create a key pair for the SSH connection yourself; see Creating an SSH key pair for details.

  9. Click Create VM.

  10. A window will open informing you of the pricing type, which is BYOL (Bring Your Own License). Click Create.

Configure network traffic permissions

Security groups act as a virtual firewall for incoming and outgoing traffic. See more about the default security group here.

  1. To enable OpenVPN Access Server to work, add the following rules to the default security group:

    Traffic
    direction    		 Description Port range Protocol Source CIDR blocks
    Incoming VPN Server 443 TCP CIDR 0.0.0.0/0
    Incoming VPN Server 1194 UDP CIDR 0.0.0.0/0
    Incoming Admin Web UI,
    Client Web UI    		 943 TCP CIDR 0.0.0.0/0

    A VPN server can redirect traffic from the HTTPS port. If required, leave the only TCP 443 port open. See also the settings in the ConfigurationNetwork Settings tab of the server admin panel.

  2. If you have configured a security group of your own, make sure it allows traffic between the VPN server and the required resources. For example, they share the same security group and there is a Self rule for the whole group.

Get the administrator password

The openvpn user with administrator privileges was created on the OpenVPN server in advance. The password is generated automatically when you create a VM.

Get the password in the serial port output or the serial console. The password will display in the following string:

To log in, please use the `openvpn` account with the <password> password.

Where <password> is the openvpn user password.

Log in to the admin panel using the openvpn username and the obtained password.

If you do not get the password after launching the VPN server for the first time, you need to re-create the VM running OpenVPN Access Server. The password will not display when reboot.

Activate license

Note

If you have up to two VPN connections, use the product for free (no activation required).

To activate the license:

  1. Create an account on openvpn.net.
  2. Enter the confirmation code sent to your email address.
  3. In the Where would you like to Go? window, select the Remember my choice option and select the Access serve product.
  4. In the Tell us more window, select the purpose: Business use or Personal use.
  5. On the Subscriptions tab, select the maximum number of connections in the How many VPN connections do you need? field and click Create.
  6. Your subscription will be displayed on the screen: Subscription 1.
  7. To copy the activation key, click Copy Key under Subscription Key.

Wait until the VM status changes to RUNNING and enter the activation key in the admin panel at https://<VM_public_IP_address>/admin/.

You can look up the VM's public IP address in the management console by checking the Public IPv4 address field under Network on the VM page.

Create an OpenVPN user

OpenVPN Access Server provides two web interfaces:

  1. Client Web UI at https://<VM_public_IP_address>/. This interface is used by regular users to download client applications and configuration profiles.
  2. Admin Web UI at https://<VM_public_IP_address>/admin/. This interface is used to configure the server.

Note

By default, the server has a self-signed certificate installed. If you need to replace this certificate, follow the steps described here.

To create a user, log in to the admin panel:

  1. In the browser, open a URL, such as https://<VM_public_IP_address>/admin/.
  2. Enter the openvpn username and password (to learn how to get the admin password, see this section).
  3. Read the license agreement of click Agree. This will open the home screen of the OpenVPN admin panel.
  4. Go to the User management tab and select User permissions.
  5. In the user list, enter a username for the new user in the New Username field, e.g., test-user.
  6. Click the pencil icon in the More Settings column and enter a password for the new user in the Password field.
  7. Click Save settings.
  8. Click Update running server.

Connect to the VPN

In the admin panel, you can download OpenVPN Connect for Windows, Linux, MacOS, Android, iOS. You can also use OpenSource clients for connection.

To make sure the connection is established and working properly, connect to the VPN and run the ping command for the internal address of the test VM:

  1. Install openvpn using the package manager:

    sudo apt update && sudo apt install openvpn

  2. Allow automatic connection for the test-user user:

    • Log in to the admin panel at https://<VM_public_IP_address>/admin/.
    • Open the User managementUser permissions tab.
    • Enable the Allow Auto-login option in the user line.

  3. Configure routing:

    • Log in to the admin panel at https://<VM_public_IP_address>/admin/.
    • Open the ConfigurationVPN Settings tab.
    • Under Routing, disable the Should client Internet traffic be routed through the VPN? option.

  4. Download a configuration profile:

    • In your browser, open the user panel at https://<VM_public_IP_address>/.
    • Sign in using the test-user username and password.
    • In the Available Connection Profiles section, click Yourself (autologin profile) and download the profile-1.ovpn file.
    • You can also download a configuration file in the admin panel at https://<<VM_public_IP_address>/admin/.

  5. Upload the configuration file to a Linux machine:

    scp profile-1.ovpn user@<IP address>:~

  6. Move the configuration file to the /etc/openvpn folder:

    sudo mv /home/user/profile-1.ovpn /etc/openvpn

  7. Change the file extension from ovpn to conf:

    sudo mv /etc/openvpn/profile-1.ovpn /etc/openvpn/profile-1.conf

  8. Close access to the file:

    sudo chown root:root /etc/openvpn/profile-1.conf
sudo chmod 600 /etc/openvpn/profile-1.conf

  9. The VPN connection will turn on automatically after restarting. To start the connection manually, run the command:

    sudo openvpn --config /etc/openvpn/profile-1.conf

    Result:

    2022-04-05 15:35:49 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2022-04-05 15:35:49 OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
2022-04-05 15:35:49 library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
2022-04-05 15:35:49 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-04-05 15:35:49 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-04-05 15:35:49 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-04-05 15:35:49 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-04-05 15:35:49 TCP/UDP: Preserving recently used remote address: [AF_INET]51.250.25.105:443
2022-04-05 15:35:49 Socket Buffers: R=[131072->131072] S=[16384->16384]
2022-04-05 15:35:49 Attempting to establish TCP connection with [AF_INET]51.250.25.105:443 [nonblock]
...
...
2022-04-05 15:35:54 Initialization Sequence Completed

  10. Test the network using the ping command:

    sudo ping <test_VM_internal_IP_address>

    If the command is executed, the VM can be accessed via OpenVPN.

  11. To terminate a manually established connection, press Ctrl + C.

  1. Download the installation distribution:

    • In your browser, open the user panel at https://<VM_public_IP_address>/.
    • Sign in using the test-user username and password.
    • Download OpenVPN Connect version 2 or 3 by clicking the Windows icon.

  2. Install and run OpenVPN Connect.

  3. A VPN connection will turn on automatically if auto-login is enabled in the user profile.

  4. You can import a new configuration profile into the application. To do this, specify the https://<VM_public_IP_address>/ URL or select a profile file.

  5. Open the terminal and run this command: ping <internal_IP_address_of_test_VM>. If the command is running, the VM can be accessed via VPN.

  1. Download the installation distribution:

    • In your browser, open the user panel at https://<VM_public_IP_address>/.
    • Sign in using the test-user username and password.
    • Download OpenVPN Connect version 2 or 3 by clicking the Apple icon.

  2. Install and run OpenVPN Connect.

  3. A VPN connection will turn on automatically if auto-login is enabled in the user profile.

  4. You can import a new configuration profile into the application. To do this, specify the https://<<VM_public_IP_address>/ URL or select a profile file.

  5. Open the terminal and run this command: ping <internal_IP_address_of_test_VM>. If the command is running, the VM can be accessed via VPN.

How to delete the resources you created

Delete the resources you no longer need to avoid paying for them:

  • Delete the VM called vpn-server and test VMs.
  • If you reserved a public static IP address, delete it.

See also

Previous
Installing a Mikrotik CHR virtual router
Next
Configuring Cloud DNS for Managed Service for ClickHouse® cluster access from other cloud networks