Creating a tunnel between two subnets using OpenVPN Access Server
When you use the computing resources of a public cloud, you often need a secure connection between two networks, e.g., your office network and a Yandex Cloud test farm. The best way to handle this is using a VPN, which allows you to:
- Connect networks residing in different locations.
- Provide contractors with access to an in-house network.
- Set up an encrypted connection over Wi-Fi.
This tutorial describes how to create a VPN tunnel using the OpenVPN technology.
OpenVPN Access Server is built on and compatible with the open-source version of OpenVPN.
In this example, we will create a tunnel connecting two subnets into a single network. The tunnel will be established between two VPN gateways: OpenVPN Access Server and a VM instance with the OpenVPN client. To test the VPN tunnel, you will need to configure both gateways. In our example, one subnet is hosted in Yandex Cloud, while the other may reside either in Yandex Cloud or in an external network.
To create a tunnel between two subnets:
- Get your cloud ready.
- Create a network and subnets.
- Create the VMs you want to connect.
- Create a gateway VM.
- Set up a VPN server.
- Configure network traffic rules.
- Get the administrator password.
- Create an OpenVPN remote user account.
- Configure the OpenVPN gateway on the second subnet.
- Test the VPN tunnel.
If you no longer need your VPN server, delete the created VMs.
Get your cloud ready
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the `ACTIVE` or `TRIAL_ACTIVE` status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page.
Learn more about clouds and folders.
Required paid resources
The cost of running the OpenVPN infrastructure includes:
- Fee for the disks and continuously running VMs (see Yandex Compute Cloud pricing).
- Fee for a dynamic or static public IP address (see Yandex Virtual Private Cloud pricing).
- Fee for the OpenVPN Access Server license (when using more than two connections).
Create a network and subnets
To connect cloud resources to the internet, make sure you have a network and subnets.
Create a network
- In the management console, select the folder where you want to create a cloud network.
- In the list of services, select Virtual Private Cloud.
- Click Create network.
- Specify the network name, e.g., `ovpn-network`.
- Disable the Create subnets option.
- Click Create network.
Create subnets
- Select the `ovpn-network` network.
- Click Add subnet.
- Specify the subnet name, e.g., `ovpn-left`.
- Select an availability zone from the drop-down list.
- Enter the subnet CIDR: `10.128.0.0/24`.
- Click Create subnet.
- Repeat steps 2 to 6 to create the second subnet. Name it `ovpn-right` and specify its CIDR: `10.253.11.0/24`.
Create the VMs you want to connect
- On the folder page in the management console, click Create resource and select Virtual machine instance.
- Under Boot disk image in the Product search field, select an image for the VM.
- Under Location, select an availability zone for the `ovpn-left` subnet.
- Under Network settings:
  - In the Subnet field, select the network named `ovpn-network` and the `ovpn-left` subnet.
  - In the Public IP address field, select No address.
  - Expand the Additional section:
    - In the Internal IPv4 address field, select Manual.
    - In the input field that appears, specify `10.128.0.4`.
- Under Access, select SSH key and specify the VM access credentials:
  - In the Login field, specify a username: `yc-user`.
  - In the SSH key field, select the SSH key saved in your organization user profile.
    If there are no saved SSH keys in your profile, or you want to add a new key:
    - Click Add key.
    - Enter a name for the SSH key.
    - Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
    - Click Add.
    The SSH key will be added to your organization user profile.
    If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.
- Under General information, specify the VM name: `ao-openvpn-test`.
- Click Create VM.
- Repeat steps 1 to 7 to create the second VM. Specify its name: `vm-ovpn-host`, internal IPv4 address: `10.253.11.110`, and subnet: `ovpn-right`.
Create a gateway VM
- On the folder page in the management console, click Create resource and select Virtual machine instance.
- Under Boot disk image in the Product search field, select an image for the VM.
- Under Location, select the availability zone where the `ovpn-right` subnet resides.
- Under Network settings:
  - In the Subnet field, select the network named `ovpn-network` and the `ovpn-right` subnet.
  - In the Public IP address field, select Auto or List. Either use static public IP addresses from the list or convert your VM IP address to static. If your VM has a dynamic IP address, it can change when you reboot your VM; as a result, your VM connections will no longer work.
  - Expand the Additional section. In the Internal IPv4 address field, select Manual.
  - In the input field that appears, specify `10.253.11.19`.
- Under Access, select SSH key and specify the VM access credentials:
  - In the Login field, specify a username: `yc-user`.
  - In the SSH key field, select the SSH key saved in your organization user profile.
    If there are no saved SSH keys in your profile, or you want to add a new key:
    - Click Add key.
    - Enter a name for the SSH key.
    - Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
    - Click Add.
    The SSH key will be added to your organization user profile.
    If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.
- Under General information, specify the VM name: `vm-ovpn-gw`.
- Click Create VM.
Set up a VPN server
Create a VM to run the VPN server:
- On the folder page in the management console, click Create resource and select Virtual machine instance.
- Under Boot disk image, specify OpenVPN Access Server in the Product search field and select the OpenVPN Access Server image.
- Under Location, select the availability zone where the `ovpn-left` subnet resides.
- Under Disks and file storages, specify the boot disk size: 10 GB.
- Under Computing resources, navigate to the Custom tab and specify the required platform, number of vCPUs, and amount of RAM:
  - Platform: Intel Ice Lake
  - vCPU: 2
  - Guaranteed vCPU performance: 100%
  - RAM: 2 GB
- Under Network settings:
  - In the Subnet field, select the network named `ovpn-network` and the `ovpn-left` subnet.
  - In the Public IP address field, select Auto or List. Either use static public IP addresses from the list or convert your VM IP address to static. If your VM has a dynamic IP address, it can change when you reboot your VM; as a result, your VM connections will no longer work.
  - In the Security groups field, select a security group. If you leave this field empty, the system will assign the default security group to the network.
  - Expand the Additional section. In the Internal IPv4 address field, select Manual.
  - In the input field that appears, specify `10.128.0.3`.
- Under Access, select SSH key and specify the VM access credentials:
  - In the Login field, specify a username: `yc-user`.
  - In the SSH key field, select the SSH key saved in your organization user profile.
    If there are no saved SSH keys in your profile, or you want to add a new key:
    - Click Add key.
    - Enter a name for the SSH key.
    - Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
    - Click Add.
    The SSH key will be added to your organization user profile.
    If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.
- Under General information, specify the VM name: `vpn-server`.
- Click Create VM.
- This will open a window with the licensing model: BYOL (Bring Your Own License).
- Click Create.
Configure network traffic rules
Security groups act as a virtual firewall for incoming and outgoing traffic. See more about the default security group here.
- To enable OpenVPN Access Server to work, add the following rules to the default security group:

| Traffic direction | Description | Port range | Protocol | Source | CIDR blocks |
| --- | --- | --- | --- | --- | --- |
| Incoming | VPN Server | 443 | TCP | CIDR | 0.0.0.0/0 |
| Incoming | VPN Server | 1194 | UDP | CIDR | 0.0.0.0/0 |
| Incoming | Admin Web UI, Client Web UI | 943 | TCP | CIDR | 0.0.0.0/0 |

  A VPN server can redirect traffic from the HTTPS port. If required, leave only the TCP 443 port open. See also the settings in the Configuration → Network Settings tab of the server admin panel.
- If you have configured a security group of your own, make sure it allows traffic between the VPN server and the required resources. For example, they share the same security group and there is a Self rule for the whole group.
Get the administrator password
The `openvpn` user with administrator privileges was created on the OpenVPN server in advance. The password is generated automatically when you create a VM.
Get the password in the serial port output or the serial console. The password will display in the following string:
To log in, please use the `openvpn` account with the <password> password.
Where <password> is the `openvpn` user password.
Log in to the admin panel using the `openvpn` username and the obtained password.
If you do not get the password after launching the VPN server for the first time, you need to re-create the VM running OpenVPN Access Server. The password is not displayed again after a reboot.
Create an OpenVPN remote user account
OpenVPN Access Server provides two web interfaces:
- Client Web UI at https://<VM_public_IP_address>:943/. This UI allows regular users to download client applications and configuration profiles.
- Admin Web UI at https://<VM_public_IP_address>:943/admin/. This UI allows the administrator to configure the server.
Note
By default, the server has a self-signed certificate. If you need to replace this certificate, follow the steps here.
Once you set up a Yandex Cloud VM running OpenVPN Access Server, you will have the following IP addresses and accounts (the addresses below are provided for information purposes; your actual IPs may be different):
- `vpn-server` gateway internal IP: 10.128.0.3
- `vpn-server` VM public IP: <VM_public_IP_address>
- Admin Web UI: https://<VM_public_IP_address>:943/admin
- Admin UI account: openvpn/<admin password>
- Client Web UI: https://<VM_public_IP_address>:943
Create an OpenVPN account the second subnet gateway will use to connect to the OpenVPN server. Log in to the admin web UI:
- In your browser, open https://<VM_public_IP_address>:943/admin.
- Enter the `openvpn` username and password (see how to get the administrator password here).
- Click Agree. This will open the OpenVPN Admin Web UI home page.
- Expand the User management tab and select User permissions.
- In the user list, specify the user name in the New Username field, e.g., `as-gw-user`.
- Click the pencil icon in the More Settings column and specify the user password in the Local Password field.
- In the Access Control field, select User Routing and specify the OpenVPN Access Server subnet, e.g., `10.128.0.0/24`.
- In the VPN Gateway field, select Yes and specify the subnet that will connect to the OpenVPN server, e.g., `10.253.11.0/24`.
- Click Save settings.
- Click Update running server.
- Log in to the client web UI under the `as-gw-user` account you created. Save the connection profile in a file named `as-gw-user.conf` and move this file to the OpenVPN gateway VM on the second subnet.
Configure the OpenVPN gateway on the second subnet
Run the following commands in the `vm-ovpn-gw` console (the copy and the credentials file both land in a root-owned directory, so they need sudo; a plain `sudo echo ... > file` would fail because the redirection runs as the unprivileged user):
sudo apt update
sudo apt install openvpn
sudo cp as-gw-user.conf /etc/openvpn/client/
echo -e "as-gw-user\n<password>" | sudo tee /etc/openvpn/client/param.txt > /dev/null
The `/etc/openvpn/client/` folder now contains the `param.txt` credentials file and the `as-gw-user.conf` connection profile you saved in the previous step:
ls -lh /etc/openvpn/client/
Result:
total 16K
-rw-rw-r-- 1 root root 9.7K Nov 10 14:37 as-gw-user.conf
-rw-r--r-- 1 root root 24 Nov 10 14:31 param.txt
In the `/etc/openvpn/client/as-gw-user.conf` connection profile, specify `param.txt` in the `auth-user-pass` line (the path is relative to `/etc/openvpn/client/`, which is the working directory of the `openvpn-client@` systemd unit):
dev tun
dev-type tun
remote-version-min 1.2
reneg-seq 604800
auth-user-pass param.txt
verb 3
push-peer-info
Run the following commands:
sudo systemctl enable openvpn-client@as-gw-user
sudo systemctl start openvpn-client@as-gw-user
sudo systemctl status openvpn-client@as-gw-user
The result should look like this:
● openvpn-client@as-gw-user.service - OpenVPN tunnel for as/gw/user
Loaded: loaded (/lib/systemd/system/openvpn-client@.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2022-11-11 20:12:49 UTC; 1h 6min ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Main PID: 2626 (openvpn)
Status: "Initialization Sequence Completed"
Tasks: 1 (limit: 2237)
Memory: 2.0M
CPU: 157ms
CGroup: /system.slice/system-openvpn\x2dclient.slice/openvpn-client@as-gw-user.service
└─2626 /usr/sbin/openvpn --suppress-timestamps --nobind --config as-gw-user.conf
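The steps above copy the profile and write the VPN credentials by hand, and the listing shows `param.txt` readable by every local user (`-rw-r--r--`) even though it holds the `as-gw-user` password in clear text. The script below is an added example, not part of the Yandex Cloud tutorial or of OpenVPN, that performs the same staging with the credentials file created mode 0600, rewrites the `auth-user-pass` line, and checks the result before you enable the `openvpn-client@` unit. It assumes GNU coreutils (`install`, `stat`, `sed -i`) and root privileges on the gateway VM; the profile path, user name and password in the usage comment are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial): stage an OpenVPN client profile and
# its credentials file under /etc/openvpn/client with the credentials kept
# readable by root only, then verify the profile before enabling the unit.
set -eu

# stage_client_profile <profile.conf> <username> <password> <target_dir>
# Copies the profile into <target_dir>, writes <target_dir>/param.txt with
# mode 0600 and makes the profile reference it with a relative path, which
# resolves correctly because openvpn-client@.service runs with
# WorkingDirectory=/etc/openvpn/client.
stage_client_profile() {
  local profile="$1" user="$2" pass="$3" dir="$4" name
  name="$(basename "$profile" .conf)"
  install -d -m 0755 "$dir"
  install -m 0644 "$profile" "$dir/$name.conf"
  # umask 077 makes the credentials file private from the moment it exists,
  # instead of creating it world-readable and tightening it afterwards.
  ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$dir/param.txt" )
  if grep -q '^auth-user-pass' "$dir/$name.conf"; then
    sed -i 's|^auth-user-pass.*|auth-user-pass param.txt|' "$dir/$name.conf"
  else
    printf 'auth-user-pass param.txt\n' >> "$dir/$name.conf"
  fi
}

# check_client_profile <target_dir> <name>
# Returns 0 when the staged profile is usable; otherwise prints each problem
# found and returns 1.
check_client_profile() {
  local dir="$1" name="$2" conf="$1/$2.conf" rc=0
  [ -f "$conf" ] || { echo "missing $conf"; return 1; }
  grep -q '^auth-user-pass param.txt$' "$conf" \
    || { echo "auth-user-pass does not point to param.txt"; rc=1; }
  grep -q '^remote ' "$conf" \
    || { echo "profile has no remote directive"; rc=1; }
  [ -f "$dir/param.txt" ] || { echo "missing $dir/param.txt"; rc=1; }
  [ "$(stat -c %a "$dir/param.txt" 2>/dev/null)" = "600" ] \
    || { echo "param.txt must be mode 600 (it holds the VPN password)"; rc=1; }
  return "$rc"
}

# Usage on the gateway VM (placeholders for the profile path and password):
#   sudo bash stage-ovpn.sh /home/yc-user/as-gw-user.conf as-gw-user '<password>' /etc/openvpn/client
if [ "$#" -eq 4 ]; then
  stage_client_profile "$@"
  check_client_profile "$4" "$(basename "$1" .conf)"
fi
```

After the check passes, enable and start `openvpn-client@as-gw-user` as in the tutorial; because the profile name is derived from the file name, the unit instance name must match the `.conf` file you staged.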
To enable packet transfers from other hosts, run these commands:
vm-ovpn-gw:~$ sudo bash -c "echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf"
vm-ovpn-gw:~$ sudo sysctl -p
On the `vpn-server` gateway VM, check whether there is a route to 10.253.11.0/24:
vpn-server:~$ sudo ip route
Result:
default via 10.128.0.1 dev eth0 proto dhcp src 10.128.0.3 metric 100
10.128.0.0/24 dev eth0 proto kernel scope link src 10.128.0.3
10.128.0.1 dev eth0 proto dhcp scope link src 10.128.0.3 metric 100
10.253.11.0/24 dev as0t2 proto static
172.27.224.0/22 dev as0t0 proto kernel scope link src 172.27.224.1
172.27.228.0/22 dev as0t1 proto kernel scope link src 172.27.228.1
172.27.232.0/22 dev as0t2 proto kernel scope link src 172.27.232.1
172.27.236.0/22 dev as0t3 proto kernel scope link src 172.27.236.1
On the `vm-ovpn-gw` VM, check the route to 10.128.0.0/24:
sudo ip route
Result:
default via 10.253.11.1 dev ens18 proto dhcp src 10.253.11.19 metric 100
10.128.0.0/24 via 172.27.232.1 dev tun0 metric 101
10.253.11.0/24 dev ens18 proto kernel scope link src 10.253.11.19 metric 100
10.253.11.1 dev ens18 proto dhcp scope link src 10.253.11.19 metric 100
172.27.224.0/20 via 172.27.232.1 dev tun0 metric 101
172.27.232.0/22 dev tun0 proto kernel scope link src 172.27.232.5
178.154.226.72 via 10.253.11.1 dev ens18
Test the VPN tunnel
To test the tunnel, you will need two test VMs you created in the previous steps. These VMs must reside in both subnets and be different from the tunnel gateways.
To exchange data, both VMs must have static routes to each other's subnets: `ao-openvpn-test` to 10.253.11.0/24, and `vm-ovpn-host` to 10.128.0.0/24.
On the `vm-ovpn-host` VM, run the following command:
sudo ip route add 10.128.0.0/24 via 10.253.11.19
Adding a static route with `ip route` on the test VM in Yandex Cloud will not work. In Yandex Cloud, you should specify VM static routes differently, at the subnet level.
In Yandex Cloud, the `ao-openvpn-as` OpenVPN server VM and the `ao-openvpn-test` VM reside in the same `default` subnet. In the settings of this subnet, add a static route with the following parameters:
- Name: office-net
- Prefix: 10.253.11.0/24
- Next hop: 10.128.0.3
To apply this static route to the `ao-openvpn-test` VM, shut it down and start it again.
Use the `ping` command on the `vm-ovpn-host` VM to test the VPN connection to the second test VM:
ping 10.128.0.4
Result:
PING 10.128.0.4 (10.128.0.4) 56(84) bytes of data.
64 bytes from 10.128.0.4: icmp_seq=1 ttl=61 time=7.45 ms
64 bytes from 10.128.0.4: icmp_seq=2 ttl=61 time=5.61 ms
64 bytes from 10.128.0.4: icmp_seq=3 ttl=61 time=5.65 ms
^C
--- 10.128.0.4 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 5.613/6.235/7.446/0.855 ms
Do the same to test the VPN connection on the `ao-openvpn-test` VM:
ping 10.253.11.110
Result:
PING 10.253.11.110 (10.253.11.110) 56(84) bytes of data.
64 bytes from 10.253.11.110: icmp_seq=1 ttl=61 time=6.23 ms
64 bytes from 10.253.11.110: icmp_seq=2 ttl=61 time=5.90 ms
64 bytes from 10.253.11.110: icmp_seq=3 ttl=61 time=6.09 ms
64 bytes from 10.253.11.110: icmp_seq=4 ttl=61 time=5.69 ms
^C
--- 10.253.11.110 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 5.688/5.976/6.229/0.203 ms
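The test procedure above is two manual checks: confirm that each side's routing table sends the peer subnet into the tunnel, then ping a host behind it. The script below is an added example, not part of the Yandex Cloud tutorial, that turns both checks into functions you can run on a gateway or test VM, or against captured output. The prefixes and next hops are the tutorial's (10.128.0.0/24 reached via 172.27.232.1 on `vm-ovpn-gw`); the embedded routing table and ping output are constructed samples adapted from the tutorial's results, and the assumed `live` mode calls `ip route` and `ping` on the current host.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial): verify that a prefix is routed via
# the expected next hop or interface and that a host behind the tunnel
# answers, using `ip route` and `ping` output as inputs.
set -eu

# route_via <prefix> <routing_table_text>
# Prints the next hop (after "via") or, for a directly connected route, the
# device (after "dev") of the exact route for <prefix>; returns 1 if absent.
route_via() {
  local prefix="$1"
  printf '%s\n' "$2" | awk -v p="$prefix" '
    $1 == p {
      for (i = 2; i <= NF; i++)
        if ($i == "via" || $i == "dev") { print $(i + 1); found = 1; exit }
    }
    END { exit found ? 0 : 1 }'
}

# ping_loss_percent <ping_output_text>
# Extracts the packet-loss percentage from the "ping statistics" summary;
# prints 100 when no summary line is present (ping killed or host unknown).
ping_loss_percent() {
  local loss
  loss="$(printf '%s\n' "$1" | sed -n 's/.* \([0-9.]*\)% packet loss.*/\1/p' | head -n 1)"
  printf '%s\n' "${loss:-100}"
}

# tunnel_ok <remote_prefix> <expected_hop> <routing_table_text> <ping_output_text>
# Returns 0 only when the route exists via <expected_hop> and the ping lost
# no packets; otherwise prints the first failing condition and returns 1.
tunnel_ok() {
  local prefix="$1" hop="$2" table="$3" pingout="$4" via loss
  via="$(route_via "$prefix" "$table")" \
    || { echo "no route to $prefix"; return 1; }
  [ "$via" = "$hop" ] \
    || { echo "route to $prefix goes via $via, expected $hop"; return 1; }
  loss="$(ping_loss_percent "$pingout")"
  [ "$loss" = "0" ] || { echo "ping reported ${loss}% packet loss"; return 1; }
  echo "tunnel to $prefix via $hop is up"
}

# Constructed sample, adapted from the routing table and ping output the
# tutorial shows on vm-ovpn-gw, so the checks can be exercised offline.
SAMPLE_ROUTES='default via 10.253.11.1 dev ens18 proto dhcp src 10.253.11.19 metric 100
10.128.0.0/24 via 172.27.232.1 dev tun0 metric 101
10.253.11.0/24 dev ens18 proto kernel scope link src 10.253.11.19 metric 100
172.27.232.0/22 dev tun0 proto kernel scope link src 172.27.232.5'
SAMPLE_PING='PING 10.128.0.4 (10.128.0.4) 56(84) bytes of data.
64 bytes from 10.128.0.4: icmp_seq=1 ttl=61 time=7.45 ms
--- 10.128.0.4 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms'

# Live usage on a VM, e.g. on vm-ovpn-gw:
#   bash tunnel-check.sh live 10.128.0.0/24 172.27.232.1 10.128.0.4
# and on vm-ovpn-host (static route via the gateway):
#   bash tunnel-check.sh live 10.128.0.0/24 10.253.11.19 10.128.0.4
if [ "${1:-}" = "live" ]; then
  tunnel_ok "$2" "$3" "$(ip route)" "$(ping -c 3 -W 2 "$4" 2>&1 || true)"
else
  tunnel_ok 10.128.0.0/24 172.27.232.1 "$SAMPLE_ROUTES" "$SAMPLE_PING"
fi
```

Checking the route before pinging separates the two failure modes the tutorial's manual steps can conflate: a missing or wrong route (the static route on `vm-ovpn-host` or the subnet route in Yandex Cloud not applied yet) versus a route that is present but a tunnel that is not passing traffic (for example `net.ipv4.ip_forward` still 0 on the gateway).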
How to delete the resources you created
To free up resources, delete the `vpn-server` VM and the test VMs.
If you reserved a public static IP address, delete it.