Yandex project
© 2025 Yandex.Cloud LLC
In this article:

  • Get your cloud ready
  • Required paid resources
  • Create subnets and a test VM
  • Run a VPN server
  • Configure network traffic rules
  • Get the administrator password
  • Activate your license
  • Create an OpenVPN user
  • Connect to the VPN
  • How to delete the resources you created

Connecting to a cloud network using OpenVPN

Written by
Yandex Cloud
Updated at May 7, 2025

With TCP or UDP port tunnels and asymmetric encryption, you can create virtual networks. For example, you can use VPN to do the following:

  • Connect networks residing in different locations.
  • Provide contractors with access to an in-house network.
  • Set up an encrypted connection over Wi-Fi.

OpenVPN Access Server is compatible with the OpenVPN open-source version and built on it. It provides clients for Windows, Mac, Android, and iOS. You can also use its web UI to manage connections.

Learn how to configure auto-connection and a connection using a username and password below. To create a virtual network:

  1. Get your cloud ready.
  2. Create subnets and a test VM.
  3. Run a VPN server.
  4. Configure network traffic rules.
  5. Get the administrator password.
  6. Activate your license.
  7. Create an OpenVPN user.
  8. Connect to the VPN.

If you no longer need the VPN server, delete the VM.

Get your cloud ready

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Required paid resources

The cost of the OpenVPN infrastructure support includes:

  • Fee for the disks and continuously running VMs (see Yandex Compute Cloud pricing).
  • Fee for a dynamic or static public IP address (see Yandex Virtual Private Cloud pricing).
  • Fee for the OpenVPN Access Server license (when using more than two connections).

Create subnets and a test VM

To connect cloud resources to the internet, make sure you have networks and subnets.

Create a test VM without a public IP address and connect it to the subnet.

Run a VPN server

Create a VM to run the VPN server:

Management console
  1. On the folder page in the management console, click Create resource and select Virtual machine instance.

  2. Under Boot disk image, enter OpenVPN Access Server in the Product search field and select a public OpenVPN Access Server image.

  3. Under Location, select the availability zone where the test VM is already located.

  4. Under Disks and file storages, specify the boot disk size: 20 GB.

  5. Under Computing resources, navigate to the Custom tab and specify the required platform, number of vCPUs, and amount of RAM:

    • Platform: Intel Ice Lake
    • vCPU: 2
    • Guaranteed vCPU performance: 100%
    • RAM: 2 GB
  6. Under Network settings:

    • In the Subnet field, select the network and subnet to connect your VM to. If the required network or subnet is not listed, create it.

    • Under Public IP address, keep Auto to assign your VM a random external IP address from the Yandex Cloud pool, or select a static address from the list if you reserved one in advance.

      Either use static public IP addresses from the list or convert your VM IP address to static. Dynamic IP addresses may change after the VM reboots and the connections will no longer work.

    • If a list of Security groups is available, select a security group. If you leave this field empty, the system will assign the default security group to the network.

  7. Under Access, select SSH key and specify the data for access to the VM:

    • Under Login, enter a username. Do not use root or other names reserved by the OS. To perform operations requiring superuser privileges, use the sudo command.
    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no saved SSH keys in your profile, or you want to add a new key:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.

  8. Under General information, specify the VM name: vpn-server.

  9. Click Create VM.

  10. This will open a window with the licensing model: BYOL (Bring Your Own License). Click Create.

Configure network traffic rules

Management console

Security groups act as a virtual firewall for incoming and outgoing traffic. See more about the default security group here.

  1. To enable OpenVPN Access Server to work, add the following rules to the default security group:

    | Traffic direction | Description | Port range | Protocol | Source | CIDR blocks |
    |---|---|---|---|---|---|
    | Incoming | VPN Server | 443 | TCP | CIDR | 0.0.0.0/0 |
    | Incoming | VPN Server | 1194 | UDP | CIDR | 0.0.0.0/0 |
    | Incoming | Admin Web UI, Client Web UI | 943 | TCP | CIDR | 0.0.0.0/0 |

    A VPN server can redirect traffic from the HTTPS port. If required, you can leave only TCP port 443 open. See also the settings in the Configuration → Network Settings tab of the server admin panel.

  2. If you have configured a security group of your own, make sure it allows traffic between the VPN server and the required resources. For example, they can share the same security group with a Self rule for the whole group.

Get the administrator password

The openvpn user with administrator privileges was created on the OpenVPN server in advance. The password is generated automatically when you create a VM.

Get the password in the serial port output or the serial console. The password will display in the following string:

To log in, please use the `openvpn` account with the <password> password.

Where <password> is the openvpn user password.

Log in to the admin panel using the openvpn username and the obtained password.

If you do not get the password after launching the VPN server for the first time, you need to re-create the VM running OpenVPN Access Server. The password will not be displayed on reboot.

Activate your license

Note

If you have up to two VPN connections, use the product for free (no activation required).

To activate the license:

  1. Create an account on openvpn.net.
  2. Enter the confirmation code sent to your email address.
  3. In the Where would you like to Go? window, select the Remember my choice option and select the Access Server product.
  4. In the Tell us more window, select the purpose: Business use or Personal use.
  5. On the Subscriptions tab, select the maximum number of connections in the How many VPN connections do you need? field and click Create.
  6. Your subscription will be displayed on the screen: Subscription 1.
  7. To copy the activation key, click Copy Key under Subscription Key.

Wait until the VM status changes to RUNNING and enter the activation key in the admin panel at https://<VM_public_IP_address>/admin/.

You can look up the VM's public IP address in the management console by checking the Public IPv4 address field under Network on the VM page.

Create an OpenVPN user

OpenVPN Access Server provides two web interfaces:

  1. Client Web UI at https://<VM_public_IP_address>/. This interface is used by regular users to download client applications and configuration profiles.
  2. Admin Web UI at https://<VM_public_IP_address>/admin/. This interface is used to configure the server.

Note

By default, the server has a self-signed certificate installed. If you need to replace this certificate, follow the steps described here.

To create a user, log in to the admin panel:

  1. In the browser, open a URL, such as https://<VM_public_IP_address>/admin/.
  2. Enter the openvpn username and password (to learn how to get the admin password, see this section).
  3. Read the license agreement and click Agree. This will open the home screen of the OpenVPN admin panel.
  4. Go to the User management tab and select User permissions.
  5. In the user list, enter a username for the new user in the New Username field, e.g., test-user.
  6. Click the pencil icon in the More Settings column and enter a password for the new user in the Password field.
  7. Click Save settings.
  8. Click Update running server.

Connect to the VPN

In the user panel, you can download OpenVPN Connect for Windows, Linux, macOS, Android, and iOS. You can also use open-source clients to connect.

To make sure the connection is established and working properly, connect to the VPN and run the ping command for the internal address of the test VM:

Linux

  1. Install openvpn using the package manager:

    sudo apt update && sudo apt install openvpn
    
  2. Allow automatic connection for test-user:

    • Log in to the admin panel at https://<VM_public_IP_address>/admin/.
    • Open the User management → User permissions tab.
    • Enable the Allow Auto-login option in the user line.
  3. Configure routing:

    • Log in to the admin panel at https://<VM_public_IP_address>/admin/.
    • Open the Configuration → VPN Settings tab.
    • Under Routing, disable Should client Internet traffic be routed through the VPN?.
  4. Download a configuration profile:

    • In your browser, open the user panel at https://<VM_public_IP_address>/.
    • Sign in using the test-user username and password.
    • Under Available Connection Profiles, click Yourself (autologin profile) and download the profile-1.ovpn file.
    • You can also download a configuration file in the admin panel at https://<VM_public_IP_address>/admin/.
  5. Upload the configuration file to a Linux machine:

    scp profile-1.ovpn user@<IP_address>:~
    
  6. Move the configuration file to the /etc/openvpn folder:

    sudo mv /home/user/profile-1.ovpn /etc/openvpn
    
  7. Change the file extension from ovpn to conf:

    sudo mv /etc/openvpn/profile-1.ovpn /etc/openvpn/profile-1.conf
    
  8. Restrict access to the file:

    sudo chown root:root /etc/openvpn/profile-1.conf
    sudo chmod 600 /etc/openvpn/profile-1.conf
    
  9. The VPN connection will turn on automatically after restarting. To establish the connection manually, run the command:

    sudo openvpn --config /etc/openvpn/profile-1.conf
    

    Result:

    2022-04-05 15:35:49 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
    2022-04-05 15:35:49 OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
    2022-04-05 15:35:49 library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
    2022-04-05 15:35:49 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    2022-04-05 15:35:49 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    2022-04-05 15:35:49 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    2022-04-05 15:35:49 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    2022-04-05 15:35:49 TCP/UDP: Preserving recently used remote address: [AF_INET]51.250.25.105:443
    2022-04-05 15:35:49 Socket Buffers: R=[131072->131072] S=[16384->16384]
    2022-04-05 15:35:49 Attempting to establish TCP connection with [AF_INET]51.250.25.105:443 [nonblock]
    ...
    ...
    2022-04-05 15:35:54 Initialization Sequence Completed
    
  10. Test the network using the ping command:

    sudo ping <test_VM_internal_IP_address>
    

    If the ping command receives replies, the VM can be accessed via VPN.

  11. To terminate a manually established connection, press Ctrl + C.
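
A pre-flight check for the profile handled in steps 5 to 9, as an added example that is not part of the original tutorial. It assumes the downloaded profile embeds the client private key in an inline `<key>` block; `audit_profile`, `write_sample_profile`, the sample profile and the 203.0.113.10 address are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the tutorial; function names are hypothetical.
# Usage: audit_profile FILE EXPECTED_REMOTE [OWNER_UID]
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 on error.
audit_profile() {
    f=$1; want_remote=$2; want_uid=${3:-0}; rc=0
    [ -r "$f" ] || { echo "ERROR: cannot read $f"; return 2; }

    # A profile with an inline <key> block is itself the credential
    # (assumption: the autologin profile is such a file): owner-only access.
    if grep -q '^[[:space:]]*<key>' "$f"; then
        meta=$(ls -ldn -- "$f" | awk '{print substr($1, 5, 6), $3}')
        [ "${meta% *}" = "------" ] ||
            { echo "PERM: group/other bits set on a profile with an embedded key"; rc=1; }
        [ "${meta#* }" = "$want_uid" ] ||
            { echo "OWNER: uid ${meta#* }, expected $want_uid"; rc=1; }
    fi

    # Every remote must be the server's current public address; a dynamic
    # address that changed after a VM reboot leaves the profile stale.
    remotes=$(awk '$1 == "remote" {print $2}' "$f" | sort -u)
    [ -n "$remotes" ] || { echo "REMOTE: no remote directive"; rc=1; }
    for r in $remotes; do
        [ "$r" = "$want_remote" ] ||
            { echo "REMOTE: $r does not match $want_remote"; rc=1; }
    done

    # 'cipher X' without X in data-ciphers or data-ciphers-fallback produces
    # the DEPRECATED OPTION warning shown in the log output above.
    cipher=$(awk '$1 == "cipher" {print $2; exit}' "$f")
    if [ -n "$cipher" ] && ! grep -Eq \
        "^[[:space:]]*data-ciphers(-fallback)?[[:space:]].*$cipher" "$f"; then
        echo "CIPHER: 'cipher $cipher' not covered by data-ciphers"; rc=1
    fi
    return $rc
}

write_sample_profile() {   # constructed sample: documentation IP, fake key
    cat > "$1" <<'EOF'
client
dev tun
remote 203.0.113.10 1194 udp
remote 203.0.113.10 443 tcp
cipher AES-256-CBC
<key>
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY
</key>
EOF
}

tmp=$(mktemp -d) && write_sample_profile "$tmp/profile-1.conf"
chmod 644 "$tmp/profile-1.conf"      # deliberately too open for the demo
audit_profile "$tmp/profile-1.conf" 203.0.113.10 "$(id -u)" || echo "fix before use"
rm -rf "$tmp"
```

On the real file, call it as `audit_profile /etc/openvpn/profile-1.conf <VM_public_IP_address>` under sudo; the owner check then defaults to root, matching step 8.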

Windows

  1. Download the installation distribution:

    • In your browser, open the user panel at https://<VM_public_IP_address>/.
    • Sign in using the test-user username and password.
    • Download OpenVPN Connect version 2 or 3 by clicking the Windows icon.
  2. Install and run OpenVPN Connect.

  3. A VPN connection will turn on automatically if auto-login is enabled in the user profile.

  4. You can import a new configuration profile into the application by specifying https://<VM_public_IP_address>/ or selecting a profile file.

  5. Open the terminal and run this command: ping <internal_IP_address_of_test_VM>. If the ping command receives replies, the VM can be accessed via VPN.

macOS

  1. Download the installation distribution:

    • In your browser, open the user panel at https://<VM_public_IP_address>/.
    • Sign in using the test-user username and password.
    • Download OpenVPN Connect version 2 or 3 by clicking the Apple icon.
  2. Install and run OpenVPN Connect.

  3. A VPN connection will turn on automatically if auto-login is enabled in the user profile.

  4. You can import a new configuration profile into the application by specifying https://<VM_public_IP_address>/ or selecting a profile file.

  5. Open the terminal and run this command: ping <internal_IP_address_of_test_VM>. If the ping command receives replies, the VM can be accessed via VPN.

How to delete the resources you created

Delete the resources you no longer need to avoid paying for them:

  • Delete the vpn-server and test VMs.
  • If you reserved a public static IP address, delete it.

See also

  • OpenVPN Project Wiki
  • Get the contents of the Let's Encrypt certificate
  • Connecting to Access Server
