Connecting to a cloud network using OpenVPN
With TCP or UDP port tunnels and asymmetric encryption, you can create virtual networks. For example, you can use VPN to do the following:
- Connect geographically remote networks.
- Connect freelancers to the office network.
- Set up an encrypted connection over an open Wi-Fi network.
OpenVPN Access Server is compatible with the open-source version of OpenVPN.
An example of auto-connect and login-and-password configurations is shown below. To create a virtual network:
- Prepare your cloud.
- Create subnets and a test VM.
- Start the VPN server.
- Configure network traffic permissions.
- Get the administrator password.
- Activate license.
- Create an OpenVPN user.
- Connect to the VPN.
If you no longer need the VPN server, delete the VM.
Prepare your cloud
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud, or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page.
Learn more about clouds and folders.
Required paid resources
The cost of infrastructure support for OpenVPN includes:
- Fee for the disks and continuously running VMs (see Yandex Compute Cloud pricing).
- Fee for using a dynamic or static external IP address (see Yandex Virtual Private Cloud pricing).
- Fee for the OpenVPN Access Server license (when using more than two connections).
Create subnets and a test VM
To connect cloud resources to the internet, make sure you have networks and subnets.
Create a test VM without a public IP address and connect it to the subnet.
Start the VPN server
Create a VM to be the gateway for VPN connections:
- On the folder page in the management console, click Create resource and select Virtual machine instance.
- Under Boot disk image, enter OpenVPN Access Server in the Product search field and select a public OpenVPN Access Server image.
- Under Location, select the availability zone where the test VM is already located.
- Under Disks and file storages, enter 20 GB as your boot disk size.
- Under Computing resources, navigate to the Custom tab and specify the required platform, number of vCPUs, and amount of RAM:
  - Platform: Intel Ice Lake.
  - vCPU: 2.
  - Guaranteed vCPU performance: 100%.
  - RAM: 2 GB.
- Under Network settings:
  - In the Subnet field, select the network and subnet to connect your VM to. If the required network or subnet is not listed, create it.
  - Under Public IP, keep Auto to assign your VM a random external IP address from the Yandex Cloud pool, or select a static address from the list if you reserved one in advance. Either use a static public IP address from the list or convert the VM IP address to static: dynamic IP addresses may change after the VM reboots, and the connections will no longer work.
  - If a list of Security groups is available, select a security group. If you leave this field empty, the default security group will be assigned.
- Under Access, select the SSH key option and specify the data for access to the VM:
  - Under Login, enter the username. Do not use root or other names reserved by the OS. To perform operations requiring superuser permissions, use the sudo command.
  - In the SSH key field, select the SSH key saved in your organization user profile. If there are no saved SSH keys in your profile, or you want to add a new key:
    - Click Add key.
    - Enter a name for the SSH key.
    - Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
    - Click Add.
    The SSH key will be added to your organization user profile. If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.
- Under General information, specify the VM name: vpn-server.
- Click Create VM.
- A window will open informing you of the pricing type, which is BYOL (Bring Your Own License). Click Create.
Configure network traffic permissions
Security groups act as a virtual firewall for incoming and outgoing traffic. See more about the default security group here.
- To enable OpenVPN Access Server to work, add the following rules to the default security group:

  Traffic direction | Description                 | Port range | Protocol | Source | CIDR blocks
  Incoming          | VPN Server                  | 443        | TCP      | CIDR   | 0.0.0.0/0
  Incoming          | VPN Server                  | 1194       | UDP      | CIDR   | 0.0.0.0/0
  Incoming          | Admin Web UI, Client Web UI | 943        | TCP      | CIDR   | 0.0.0.0/0

  A VPN server can redirect traffic from the HTTPS port. If required, leave only the TCP 443 port open. See also the settings in the Configuration → Network Settings tab of the server admin panel.
- If you have configured a security group of your own, make sure it allows traffic between the VPN server and the required resources. For example, they share the same security group and there is a Self rule for the whole group.
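The rule table above, checked in code. This is an added example, not part of the Yandex Cloud tutorial and not output of any yc CLI command; the compact "direction,protocol,port,cidr" line format, the Rule class and the audit function are assumptions of this example. It goes a step beyond the table: it also reports ports left open to 0.0.0.0/0 that OpenVPN Access Server does not need, and treats the Admin Web UI port 943 as one to restrict to the CIDR your administrators connect from rather than the whole internet.

```python
"""Audit security-group ingress rules against the set OpenVPN Access Server needs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str  # "ingress" or "egress"
    protocol: str   # "tcp" or "udp"
    port: int
    cidr: str       # source CIDR block


# The three ingress rules from the tutorial table, encoded here by hand
# (this is not a Yandex Cloud API object, just the table as data).
REQUIRED = (
    Rule("ingress", "tcp", 443, "0.0.0.0/0"),   # VPN server over TCP (the HTTPS port)
    Rule("ingress", "udp", 1194, "0.0.0.0/0"),  # VPN server over UDP
    Rule("ingress", "tcp", 943, "0.0.0.0/0"),   # Admin Web UI and Client Web UI
)
ADMIN_UI_PORT = 943
ANYWHERE = "0.0.0.0/0"


def parse_rule(line):
    """Parse a compact 'direction,protocol,port,cidr' line, e.g. 'ingress,tcp,443,0.0.0.0/0'."""
    direction, protocol, port, cidr = (part.strip() for part in line.split(","))
    return Rule(direction.lower(), protocol.lower(), int(port), cidr)


def audit(rules, tcp_only=False):
    """Compare configured rules with the required set.

    Returns {"missing": [(protocol, port), ...], "warnings": [str, ...]}.
    tcp_only=True means the server was restricted to TCP 443 in
    Configuration -> Network Settings, so UDP 1194 is not required.
    """
    required = [r for r in REQUIRED if not (tcp_only and r.protocol == "udp")]
    ingress = [r for r in rules if r.direction == "ingress"]
    open_ports = {(r.protocol, r.port) for r in ingress}

    missing = sorted((r.protocol, r.port) for r in required
                     if (r.protocol, r.port) not in open_ports)

    warnings = []
    required_ports = {(r.protocol, r.port) for r in REQUIRED}
    for r in ingress:
        key = (r.protocol, r.port)
        if r.port == ADMIN_UI_PORT and r.cidr == ANYWHERE:
            warnings.append(f"{r.protocol}/{r.port} (admin web UI) is open to {ANYWHERE}; "
                            "restrict it to the CIDR your administrators connect from")
        elif key not in required_ports and r.cidr == ANYWHERE:
            warnings.append(f"{r.protocol}/{r.port} is open to {ANYWHERE} but OpenVPN "
                            "Access Server does not need it")
    return {"missing": missing, "warnings": warnings}


if __name__ == "__main__":
    # The tutorial's rule set exactly as listed in the table (constructed input).
    table_rules = [parse_rule(line) for line in (
        "ingress,tcp,443,0.0.0.0/0",
        "ingress,udp,1194,0.0.0.0/0",
        "ingress,tcp,943,0.0.0.0/0",
    )]
    print(audit(table_rules))
```

Run against the three table rules the audit reports nothing missing and one warning about port 943; with a rule such as ingress,tcp,943,203.0.113.0/24 in place of the wide-open one, and tcp_only=True after you have restricted the server to TCP 443, it reports a clean result.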
Get the administrator password
The openvpn user with administrator privileges was created on the OpenVPN server in advance. The password is generated automatically when you create a VM.
Get the password in the serial port output or the serial console. The password will display in the following string:
To log in, please use the `openvpn` account with the <password> password.
Where <password> is the openvpn user password.
Log in to the admin panel using the openvpn username and the obtained password.
If you do not get the password after launching the VPN server for the first time, you need to re-create the VM running OpenVPN Access Server. The password will not display again on reboot.
Activate license
Note
If you have up to two VPN connections, use the product for free (no activation required).
To activate the license:
- Create an account on openvpn.net.
- Enter the confirmation code sent to your email address.
- In the Where would you like to Go? window, select the Remember my choice option and select the Access Server product.
- In the Tell us more window, select the purpose: Business use or Personal use.
- On the Subscriptions tab, select the maximum number of connections in the How many VPN connections do you need? field and click Create.
- Your subscription will be displayed on the screen: Subscription 1.
- To copy the activation key, click Copy Key under Subscription Key.
Wait until the VM status changes to RUNNING and enter the activation key in the admin panel at https://<VM_public_IP_address>/admin/.
You can look up the VM's public IP address in the management console.
Create an OpenVPN user
OpenVPN Access Server provides two web interfaces:
- Client Web UI at https://<VM_public_IP_address>/. This interface is used by regular users to download client applications and configuration profiles.
- Admin Web UI at https://<VM_public_IP_address>/admin/. This interface is used to configure the server.
Note
By default, the server has a self-signed certificate installed. If you need to replace this certificate, follow the steps described here.
To create a user, log in to the admin panel:
- In the browser, open a URL, such as https://<VM_public_IP_address>/admin/.
- Enter the openvpn username and password (to learn how to get the admin password, see this section).
- Read the license agreement and click Agree. This will open the home screen of the OpenVPN admin panel.
- Go to the User management tab and select User permissions.
- In the user list, enter a username for the new user in the New Username field, e.g., test-user.
- Click the pencil icon in the More Settings column and enter a password for the new user in the Password field.
- Click Save settings.
- Click Update running server.
Connect to the VPN
In the admin panel, you can download OpenVPN Connect.
To make sure the connection is established and working properly, connect to the VPN and run the ping command for the internal address of the test VM:
Linux
- Install openvpn using the package manager:
  sudo apt update && sudo apt install openvpn
- Allow automatic connection for the test-user user:
  - Log in to the admin panel at https://<VM_public_IP_address>/admin/.
  - Open the User management → User permissions tab.
  - Enable the Allow Auto-login option in the user line.
- Configure routing:
  - Log in to the admin panel at https://<VM_public_IP_address>/admin/.
  - Open the Configuration → VPN Settings tab.
  - Under Routing, disable the Should client Internet traffic be routed through the VPN? option.
- Download a configuration profile:
  - In your browser, open the user panel at https://<VM_public_IP_address>/.
  - Sign in using the test-user username and password.
  - In the Available Connection Profiles section, click Yourself (autologin profile) and download the profile-1.ovpn file.
  - You can also download a configuration file in the admin panel at https://<VM_public_IP_address>/admin/.
- Upload the configuration file to a Linux machine:
  scp profile-1.ovpn user@<IP_address>:~
- Move the configuration file to the /etc/openvpn folder:
  sudo mv /home/user/profile-1.ovpn /etc/openvpn
- Change the file extension from ovpn to conf:
  sudo mv /etc/openvpn/profile-1.ovpn /etc/openvpn/profile-1.conf
- Close access to the file:
  sudo chown root:root /etc/openvpn/profile-1.conf
  sudo chmod 600 /etc/openvpn/profile-1.conf
- The VPN connection will turn on automatically after restarting. To start the connection manually, run the command:
  sudo openvpn --config /etc/openvpn/profile-1.conf
  Result:
  2022-04-05 15:35:49 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
  2022-04-05 15:35:49 OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
  2022-04-05 15:35:49 library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
  2022-04-05 15:35:49 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
  2022-04-05 15:35:49 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
  2022-04-05 15:35:49 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
  2022-04-05 15:35:49 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
  2022-04-05 15:35:49 TCP/UDP: Preserving recently used remote address: [AF_INET]51.250.25.105:443
  2022-04-05 15:35:49 Socket Buffers: R=[131072->131072] S=[16384->16384]
  2022-04-05 15:35:49 Attempting to establish TCP connection with [AF_INET]51.250.25.105:443 [nonblock]
  ...
  ...
  2022-04-05 15:35:54 Initialization Sequence Completed
- Test the network using the ping command:
  sudo ping <test_VM_internal_IP_address>
  If the command is running, the VM can be accessed via VPN.
- To terminate a manually established connection, press Ctrl + C.
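The Linux steps above install an autologin profile and then lock the file down with chown root:root and chmod 600. The following added example (it is not from the tutorial and not OpenVPN's own code) parses such a profile before it is installed, reports what it carries, and writes it with owner-only permissions. The sample profile, its addresses and the placeholder certificate bodies are constructed for this example, and the function names are this example's own. The cipher check corresponds to the DEPRECATED OPTION line in the sample output above; the remote-cert-tls check is a standard OpenVPN client setting that makes the client verify it is talking to a server certificate.

```python
"""Inspect an OpenVPN client profile (.ovpn/.conf) and install it with owner-only permissions."""
import os
import stat

# Constructed sample, shaped like an Access Server "autologin" export:
# inline cert and key, no auth-user-pass. Addresses and bodies are placeholders.
SAMPLE_PROFILE = """\
client
dev tun
proto tcp
remote 198.51.100.10 443
remote-cert-tls server
cipher AES-256-CBC
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
PLACEHOLDER
</cert>
<key>
PLACEHOLDER
</key>
"""


def parse_profile(text):
    """Return (directives, blocks).

    directives maps a directive name to a list of argument lists (a directive
    such as 'remote' may repeat); blocks is the set of inline <tag>...</tag>
    sections present. Block bodies (certificates, keys) are skipped, not kept.
    """
    directives, blocks, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if current:                       # inside an inline block
            if line == f"</{current}>":
                current = None
            continue
        if line.startswith("<") and not line.startswith("</") and line.endswith(">"):
            current = line[1:-1]
            blocks.add(current)
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives, blocks


def audit_profile(text):
    """Summarise where the profile connects and what a defender should know about it."""
    d, blocks = parse_profile(text)
    default_proto = d.get("proto", [["udp"]])[0][0]
    remotes = [(a[0], a[1] if len(a) > 1 else "1194", a[2] if len(a) > 2 else default_proto)
               for a in d.get("remote", [])]
    autologin = "auth-user-pass" not in d and {"cert", "key"} <= blocks
    findings = []
    if autologin:
        findings.append("autologin profile: carries a client certificate and key with no "
                        "password prompt, so the file itself is the credential (root:root, mode 600)")
    if "remote-cert-tls" not in d:
        findings.append("remote-cert-tls server missing: the client would not require the "
                        "peer to present a server certificate")
    if "cipher" in d and "data-ciphers" not in d:
        findings.append(f"cipher {d['cipher'][0][0]} set without data-ciphers: OpenVPN 2.5 "
                        "logs a DEPRECATED OPTION warning and later versions ignore it")
    if "redirect-gateway" in d:
        findings.append("redirect-gateway present: all client internet traffic goes through the VPN")
    return {"remotes": remotes, "autologin": autologin, "findings": findings}


def install_profile(text, dest_path):
    """Write the profile so that only its owner can read it (the chmod 600 step)."""
    fd = os.open(dest_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(dest_path, 0o600)  # enforce even if the file already existed with a wider mode
    return dest_path


def permissions_ok(path):
    """True when the file grants nothing to group or others (mode 600 or tighter)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```

Running the audit on the sample reports one remote (198.51.100.10, port 443, TCP), marks the profile as autologin, and flags the legacy cipher line; run it as root on /etc/openvpn/profile-1.conf after the chown step to confirm the file is no longer world-readable.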
Windows
- Download the installation distribution:
  - In your browser, open the user panel at https://<VM_public_IP_address>/.
  - Sign in using the test-user username and password.
  - Download OpenVPN Connect version 2 or 3 by clicking the Windows icon.
- Install and run OpenVPN Connect.
- A VPN connection will turn on automatically if auto-login is enabled in the user profile.
- You can import a new configuration profile into the application. To do this, specify https://<VM_public_IP_address>/ or select a profile file.
- Open the terminal and run this command: ping <internal_IP_address_of_test_VM>. If the command is running, the VM can be accessed via VPN.
macOS
- Download the installation distribution:
  - In your browser, open the user panel at https://<VM_public_IP_address>/.
  - Sign in using the test-user username and password.
  - Download OpenVPN Connect version 2 or 3 by clicking the Apple icon.
- Install and run OpenVPN Connect.
- A VPN connection will turn on automatically if auto-login is enabled in the user profile.
- You can import a new configuration profile into the application. To do this, specify https://<VM_public_IP_address>/ or select a profile file.
- Open the terminal and run this command: ping <internal_IP_address_of_test_VM>. If the command is running, the VM can be accessed via VPN.
How to delete the resources you created
Delete the resources you no longer need to avoid paying for them:
- Delete the VM called vpn-server and the test VMs.
- If you reserved a public static IP address, delete it.