Contact UsGet started

Creating a tunnel between two subnets using OpenVPN Access Server

Written by
Updated at February 27, 2025

When you use the computing resources of a public cloud, you often need a secure connection between two networks, e.g., your office network and a Yandex Cloud test farm. The best way to handle this is using a VPN, which allows you to:

  • Connect networks residing in different locations.
  • Provide contractors with an access to an in-house network.
  • Set up an encrypted connection over Wi-Fi.

This tutorial describes how to create a VPN tunnel using the OpenVPN technology.

OpenVPN Access Server is built on and compatible with the OpenVPN open-source version. It provides clients for Windows, Mac, Android, and iOS. You can also use its web UI to manage connections.

In this example, we will create a tunnel connecting two subnets into a single network. The tunnel will be established between two VPN gateways: OpenVPN Access Server and a VM instance with the OpenVPN client. To test the VPN tunnel, you will need to configure both gateways. In our example, one subnet is hosted in Yandex Cloud, while the other may reside both in Yandex Cloud and in an external network.

To create a tunnel between two subnets:

  1. Get your cloud ready.
  2. Create a network and subnets.
  3. Create the VMs you want to connect.
  4. Create a gateway VM.
  5. Set up a VPN server.
  6. Configure network traffic rules.
  7. Get the administrator password.
  8. Create an OpenVPN remote user account.
  9. Configure the OpenVPN gateway on the second subnet.
  10. Test the VPN tunnel.

If you no longer need your VPN server, delete the created VMs.

Get your cloud ready

Sign up for Yandex Cloud and create a billing account:

  1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

The cost of the OpenVPN infrastructure support includes:

Create a network and subnets

To connect cloud resources to the internet, make sure you have a network and subnets.

Create a network

  1. In the management console, select the folder where you want to create a cloud network.
  2. In the list of services, select Virtual Private Cloud.
  3. Click Create network.
  4. Specify the network name, e.g., ovpn-network.
  5. Disable the Create subnets option.
  6. Click Create network.

Create subnets

  1. Select the ovpn-network network.
  2. Click Add subnet.
  3. Specify the subnet name, e.g., ovpn-left.
  4. Select an availability zone from the drop-down list.
  5. Enter the subnet CIDR: 10.128.0.0/24.
  6. Click Create subnet.
  7. Repeat steps 2 to 6 to create the second subnet. Name it ovpn-right and specify its CIDR: 10.253.11.0/24.

Create the VMs you want to connect

  1. On the folder page in the management console, click Create resource and select Virtual machine instance.

  2. Under Boot disk image in the Product search field, select an image for the VM.

  3. Under Location, select an availability zone for the ovpn-left subnet.

  4. Under Network settings:

    • In the Subnet field, select the network named ovpn-network and the ovpn-left subnet.

    • In the Public IP address field, select No address.

    • Expand the Additional section:

      • In the Internal IPv4 address field, select Manual.
      • In the input field that appears, specify 10.128.0.4.

  5. Under Access, select SSH key and specify the VM access credentials:

    • In the Login field, specify a username: yc-user.

    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no saved SSH keys in your profile, or you want to add a new key:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.

  6. Under General information, specify the VM name: ao-openvpn-test.

  7. Click Create VM.

  8. Repeat steps 1 to 7 to create the second VM. Specify its name: vm-ovpn-host, internal IPv4 address: 10.253.11.110, and subnet: ovpn-right.

Create a gateway VM

  1. On the folder page in the management console, click Create resource and select Virtual machine instance.

  2. Under Boot disk image in the Product search field, select an image for the VM.

  3. Under Location, select the availability zone where the ovpn-right subnet resides.

  4. Under Network settings:

    • In the Subnet field, select the network named ovpn-network and the ovpn-right subnet.

    • In the Public IP address field, select Auto or List.

      Either use static public IP addresses from the list or convert your VM IP address to static. If your VM has a dynamic IP address, it can change when you reboot your VM; as a result, your VM connections will no longer work.

    • Expand the Additional section. In the Internal IPv4 address field, select Manual.

    • In the input field that appears, specify 10.253.11.19.

  5. Under Access, select SSH key and specify the VM access credentials:

    • In the Login field, specify a username: yc-user.

    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no saved SSH keys in your profile, or you want to add a new key:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.

  6. Under General information, specify the VM name: vm-ovpn-gw.

  7. Click Create VM.

Set up a VPN server

Create a VM to run the VPN server:

  1. On the folder page in the management console, click Create resource and select Virtual machine instance.

  2. Under Boot disk image, specify OpenVPN Access Server in the Product search field and select the OpenVPN Access Server image.

  3. Under Location, select the availability zone where the ovpn-left subnet resides.

  4. Under Disks and file storages, specify the boot disk size: 10 GB.

  5. Under Computing resources, navigate to the Custom tab and specify the required platform, number of vCPUs, and amount of RAM:

    • Platform: Intel Ice Lake
    • vCPU: 2
    • Guaranteed vCPU performance: 100%
    • RAM: 2 GB

  6. Under Network settings:

    • In the Subnet field, select the network named ovpn-network and the ovpn-left subnet.

    • In the Public IP address field, select Auto or List.

      Either use static public IP addresses from the list or convert your VM IP address to static. If your VM has a dynamic IP address, it can change when you reboot your VM; as a result, your VM connections will no longer work.

    • In the Security groups field, select a security group. If you leave this field empty, the system will assign the default security group to the network.

    • Expand the Additional section. In the Internal IPv4 address field, select Manual.

    • In the input field that appears, specify 10.128.0.3.

  7. Under Access, select SSH key and specify the VM access credentials:

    • In the Login field, specify a username: yc-user.

    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no saved SSH keys in your profile, or you want to add a new key:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.

  8. Under General information, specify the VM name: vpn-server.

  9. Click Create VM.

  10. This will open a window with the licensing model: BYOL (Bring Your Own License).

  11. Click Create.

Configure network traffic rules

Security groups act as a virtual firewall for incoming and outgoing traffic. See more about the default security group here.

  1. To enable OpenVPN Access Server to work, add the following rules to the default security group:

    Traffic
    direction    		 Description Port range Protocol Source CIDR blocks
    Incoming VPN Server 443 TCP CIDR 0.0.0.0/0
    Incoming VPN Server 1194 UDP CIDR 0.0.0.0/0
    Incoming Admin Web UI,
    Client Web UI    		 943 TCP CIDR 0.0.0.0/0

    A VPN server can redirect traffic from the HTTPS port. If required, leave the only TCP 443 port open. See also the settings in the ConfigurationNetwork Settings tab of the server admin panel.

  2. If you have configured a security group of your own, make sure it allows traffic between the VPN server and the required resources. For example, they share the same security group and there is a Self rule for the whole group.

Get the administrator password

The openvpn user with administrator privileges was created on the OpenVPN server in advance. The password is generated automatically when you create a VM.

Get the password in the serial port output or the serial console. The password will display in the following string:

To log in, please use the `openvpn` account with the <password> password.

Where <password> is the openvpn user password.

Log in to the admin panel using the openvpn username and the obtained password.

If you do not get the password after launching the VPN server for the first time, you need to re-create the VM running OpenVPN Access Server. The password will not display when reboot.

Create an OpenVPN remote user account

OpenVPN Access Server provides two web interfaces:

  1. Client Web UI at https://<VM_public_IP_address>:943/. This UI allows regular users to download client applications and configuration profiles.
  2. Admin Web UI at https://<VM_public_IP_address>:943/admin/. This UI allows the administrator to configure the server.

Note

By default, the server has a self-signed certificate. If you need to replace this certificate, follow the steps here.

Once you set up a Yandex Cloud VM running OpenVPN Access Server, you will have the following IP addresses and accounts (the addresses below are provided for information purposes; your actual IPs may be different):

  1. vpn-server gateway internal IP: 10.128.0.3
  2. vpn-server VM public IP: <VM_public_IP_address>
  3. Admin Web UI: https://<VM_public_IP_address>:943/admin
  4. Admin UI account: openvpn/<admin password>
  5. Client Web UI: https://<VM_public_IP_address>:943

Create an OpenVPN account the second subnet gateway will use to connect to the OpenVPN server. Log in to the admin web UI:

  1. In your browser, open https://<VM_public_IP_address>:943/admin.
  2. Enter the openvpn username and password (see how to get the administrator password here).
  3. Click Agree. This will open the OpenVPN Admin Web UI home page.
  4. Expand the User management tab and select User permissions.
  5. In the user list, specify the user name in the New Username field, e.g., as-gw-user.
  6. Click the pencil icon in the More Settings column and specify the user password in the Local Password field.
  7. In the Access Control field, select User Routing and specify the OpenVPN Access Server subnet, e.g., 10.128.0.0/24.
  8. In the VPN Gateway field, select Yes and specify the subnet that will connect to the OpenVPN server, e.g., 10.253.11.0/24.
  9. Click Save settings.
  10. Click Update running server.
  11. Log in to the client web UI under the as-gw-user account you created. Save the connection profile in a file named as-gw-user.conf and move this file to the OpenVPN gateway VM on the second subnet.

Configure the OpenVPN gateway on the second subnet

Run the following commands in the vm-ovpn-gw console:

sudo apt update
sudo apt install openvpn
cp as-gw-user.conf /etc/openvpn/client/
echo -e "as-gw-user\n<password>" > /etc/openvpn/client/param.txt

A param.txt file will appear in the /etc/openvpn/client/ folder. This is where you should copy the as-gw-user.conf connection profile you created in the previous step:

ls -lh /etc/openvpn/client/

Result:

total 16K
-rw-rw-r-- 1 root root 9.7K Nov 10 14:37 as-gw-user.conf
-rw-r--r-- 1 root root 24 Nov 10 14:31 param.txt

In the /etc/openvpn/as-gw-user.conf connection profile, specify param.txt in the auth-user-pass line:

dev tun
dev-type tun
remote-version-min 1.2
reneg-seq 604800
auth-user-pass param.txt
verb 3
push-peer-info

Run the following commands:

sudo systemctl enable openvpn-client@as-gw-user
sudo systemctl start openvpn-client@as-gw-user
sudo systemctl status openvpn-client@as-gw-user

The result should look like this:

● openvpn-client@as-gw-user.service - OpenVPN tunnel for as/gw/user
    Loaded: loaded (/lib/systemd/system/openvpn-client@.service; enabled; vendor preset:
enabled)
    Active: active (running) since Fri 2022-11-11 20:12:49 UTC; 1h 6min ago
        Docs: man:openvpn(8)
            https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
            https://community.openvpn.net/openvpn/wiki/HOWTO
    Main PID: 2626 (openvpn)
    Status: "Initialization Sequence Completed"
        Tasks: 1 (limit: 2237)
    Memory: 2.0M
        CPU: 157ms
    CGroup: /system.slice/system-openvpn\x2dclient.slice/openvpn-client@as-gw-user.service
            └─2626 /usr/sbin/openvpn --suppress-timestamps --nobind --config as-gw-user.conf

To enable packet transfers from other hosts, run these commands:

vm-ovpn-gw:~$ sudo bash -c "echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf"
vm-ovpn-gw:~$ sudo sysctl -p

On the vpn-server gateway VM, check whether there is a route to 10.253.11.0/24:

vpn-server:~$ sudo ip route

Result:

default via 10.128.0.1 dev eth0 proto dhcp src 10.128.0.3 metric 100
10.128.0.0/24 dev eth0 proto kernel scope link src 10.128.0.3
10.128.0.1 dev eth0 proto dhcp scope link src 10.128.0.3 metric 100
10.253.11.0/24 dev as0t2 proto static
172.27.224.0/22 dev as0t0 proto kernel scope link src 172.27.224.1
172.27.228.0/22 dev as0t1 proto kernel scope link src 172.27.228.1
172.27.232.0/22 dev as0t2 proto kernel scope link src 172.27.232.1
172.27.236.0/22 dev as0t3 proto kernel scope link src 172.27.236.1

On the vm-ovpn-gw VM, check the route to 10.128.0.0/24:

sudo ip route

Result:

default via 10.253.11.1 dev ens18 proto dhcp src 10.253.11.19 metric 100
10.128.0.0/24 via 172.27.232.1 dev tun0 metric 101
10.253.11.0/24 dev ens18 proto kernel scope link src 10.253.11.19 metric 100
10.253.11.1 dev ens18 proto dhcp scope link src 10.253.11.19 metric 100
172.27.224.0/20 via 172.27.232.1 dev tun0 metric 101
172.27.232.0/22 dev tun0 proto kernel scope link src 172.27.232.5
178.154.226.72 via 10.253.11.1 dev ens18

Test the VPN tunnel

To test the tunnel, you will need two test VMs you created in the previous steps. These VMs must reside in both subnets and be different from the tunnel gateways.

To exchange data, both VMs must have static routes to each other’s subnets: ao-openvpn-test to 10.253.11.0/24, and vm-ovpn-host to 10.128.0.0/24.

On the vm-ovpn-host VM, run the following command:

sudo ip route add 10.128.0.0./24 via 10.253.11.19

Adding a static route on the test VM in Yandex Cloud will not work. In Yandex Cloud, you should specify VM static routes differently.

In Yandex Cloud, the ao-openvpn-as OpenVPN server VM and ao-openvpn-test VM reside in the same default subnet. In the settings of this subnet, add a static route with the following parameters:

Name: office-net
Prefix: 10.253.11.0/24
Next hop: 10.128.0.3

To apply this static route to the ao-openvpn-test VM, shut it down and start it again.

Use the ping command on the vm-ovpn-host VM to test the VPN connection to the second test VM:

ping 10.128.0.4

Result:

PING 10.128.0.4 (10.128.0.4) 56(84) bytes of data.
64 bytes from 10.128.0.4: icmp_seq=1 ttl=61 time=7.45 ms
64 bytes from 10.128.0.4: icmp_seq=2 ttl=61 time=5.61 ms
64 bytes from 10.128.0.4: icmp_seq=3 ttl=61 time=5.65 ms
^C
--- 10.128.0.4 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 5.613/6.235/7.446/0.855 ms

Do the same to test the VPN connection on the ao-openvpn-test VM:

ping 10.253.11.110

Result:

PING 10.253.11.110 (10.253.11.110) 56(84) bytes of data.
64 bytes from 10.253.11.110: icmp_seq=1 ttl=61 time=6.23 ms
64 bytes from 10.253.11.110: icmp_seq=2 ttl=61 time=5.90 ms
64 bytes from 10.253.11.110: icmp_seq=3 ttl=61 time=6.09 ms
64 bytes from 10.253.11.110: icmp_seq=4 ttl=61 time=5.69 ms
^C
--- 10.253.11.110 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 5.688/5.976/6.229/0.203 ms

How to delete the resources you created

To free up resources, delete the vpn-server VM and the test VM.

If you reserved a public static IP address, delete it.

See also

Previous
Implementing fault-tolerant scenarios for network VMs
Next
Creating a bastion host