Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Connecting to a cloud network using OpenVPN

Written by
Updated at August 29, 2024

With TCP or UDP port tunnels and asymmetric encryption, you can create virtual networks. VPN can be used, for example, to:

  • Connect geographically remote networks.
  • Connect freelancers to the office network.
  • Set up an encrypted connection over an open Wi-Fi network.

OpenVPN Access Server is compatible with the open-source version of OpenVPN and built on its basis. It provides clients for Windows, Mac, Android, and iOS and is used to manage connections using a web interface.

An example of auto-connect and login-and-password configurations is shown below. To create a virtual network:

  1. Prepare your cloud.
  2. Create subnets and a test VM.
  3. Start the VPN server.
  4. Configure network traffic permissions.
  5. Get the administrator password.
  6. Activate license.
  7. Create an OpenVPN user.
  8. Connect to the VPN.

If you no longer need the VPN server, delete the VM.

Prepare your cloud

Sign up for Yandex Cloud and create a billing account:

  1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

The cost of infrastructure support for OpenVPN includes:

Create subnets and a test VM

To connect cloud resources to the internet, make sure you have networks and subnets.

Create a VM for the test without a public IP and connect it to a subnet.

Start the VPN server

Create a VM to be the gateway for VPN connections:

  1. On the folder page in the management console, click Create resource in the top-right corner.

  2. Select Virtual machine instance.

  3. Enter vpn-server as your VM name and add a description.

  4. Select the availability zone where the test VM is already located.

  5. Under Boot disk image, go to the Marketplace tab and select the OpenVPN Access Server image.

  6. Under Disks, enter 10 GB as your disk size.

  7. Under Computing resources:

    • Select the Intel Ice Lake platform.

    • Specify the number of vCPUs and the amount of RAM:

      • vCPU: 2.
      • RAM: 2 GB.

  8. Under Network settings:

    • Select the required network and subnet and assign a public IP address to the VM either by selecting it from the list or automatically.

      Only use static public IP addresses from the list or make the IP address static. Dynamic IP addresses may change after the VM reboots and the connections will no longer work.

    • If a list of Security groups is available, select a security group. If you leave this field empty, the default security group will be assigned.

  9. Under Access, specify the information required to access the instance:

    • In the Login field, enter the SSH username, for example, yc-user.

    • In the SSH key field, paste the contents of the public key file.

      You will need to create a key pair for the SSH connection yourself, see Creating an SSH key pair.

  10. Click Create VM.

  11. A window will open informing you of the pricing type: BYOL (Bring Your Own License). Click Create.

Security groups act as a virtual firewall for incoming and outgoing traffic. See more about the default security group here.

  1. To enable OpenVPN Access Server to work, add the following rules to the default security group:

    Traffic
    direction    		 Description Port range Protocol Source CIDR blocks
    Incoming VPN Server 443 TCP CIDR 0.0.0.0/0
    Incoming VPN Server 1194 UDP CIDR 0.0.0.0/0
    Incoming Admin Web UI,
    Client Web UI    		 943 TCP CIDR 0.0.0.0/0

    A VPN server can redirect traffic from the HTTPS port. If required, leave the only TCP 443 port open. See also the settings in the ConfigurationNetwork Settings tab of the server admin panel.

  2. If you have configured a security group of your own, make sure it allows traffic between the VPN server and the required resources. For example, they share the same security group and there is a Self rule for the whole group.

The openvpn user with administrator privileges was created on the OpenVPN server in advance. The password is generated automatically when you create a VM.

Get the password in the serial port output or the serial console. The password will display in the following string:

To log in, please use the `openvpn` account with the <password> password.

Where <password> is the openvpn user password.

Log in to the admin panel using the openvpn username and the obtained password.

If you do not get the password after launching the VPN server for the first time, you need to re-create the VM running OpenVPN Access Server. The password will not display when reboot.

Activate license

Note

If you have up to two VPN connections, use the product for free (no activation required).

To activate the license:

  1. Create an account on openvpn.net.
  2. Enter the confirmation code received by email.
  3. In the Where would you like to Go? window, select the "Remember my choice" option and select the Access serve product.
  4. In the Tell us more window, select the purpose: Business use or Personal Use.
  5. On the Subscriptions tab, select the maximum number of connections in the How many VPN connections do you need? field. and click Create.
  6. Your subscription will be displayed on the screen: Subscription 1.
  7. To copy the activation key, click Copy Key under Subscription Key.

Wait until the VM status changes to RUNNING and enter the activation key in the admin panel at https://<VM public IP address>/admin/.

Create an OpenVPN user

OpenVPN Access Server provides two web interfaces:

  1. Client Web UI at https://<VM_public_IP_address>/. This interface is used by regular users to download client applications and configuration profiles.
  2. Admin Web UI at https://<VM_public_IP_address>/admin/. This interface is used to configure the server.

Note

By default, the server has a self-signed certificate installed. If you need to replace this certificate, follow the steps described here.

To create a user, log in to the admin panel:

  1. In the browser, open a URL, such as https://<VM_public_IP_address>/admin/.
  2. Enter the openvpn username and password (to learn how to get the admin password, see this section).
  3. Click Agree. This will open the home screen of the OpenVPN admin panel.
  4. Go to the User management tab and select User permissions.
  5. In the user list, enter the name of a new user in the New Username field, e.g., test-user.
  6. Click the pencil icon in the More Settings column and set the new user's password in the Password field.
  7. Click Save settings.
  8. Click Update running server.

Connect to the VPN

In the admin panel, you can download OpenVPN Connect for Windows, Linux, MacOS, Android, iOS. You can also use OpenSource clients for connection.

To check that a connection is established and working properly, connect to the VPN and run the ping command for the test VM internal address:

  1. Install the openvpn using package manager:

    sudo apt update && sudo apt install openvpn

  2. Allow auto-connect for the test-user user:

    • Log in to the admin panel at https://<VM_public_IP_address>/admin/.
    • Open the User managementUser permissions tab.
    • Enable the Allow Auto-login option in the user line.

  3. Configure routing:

    • Log in to the admin panel at https://<VM_public_IP_address>/admin/.
    • Open the ConfigurationVPN Settings tab.
    • Under Routing, disable the Should client Internet traffic be routed through the VPN? option.

  4. Download a configuration profile:

    • In the browser, open the user panel at https://<VM_public_IP_address>/.
    • Log in using the test-user username and password.
    • In the Available Connection Profiles section, click Yourself (autologin profile) and upload the profile-1.ovpn file.
    • You can also download a configuration file in the admin panel at https://<<VM_public_IP_address>/admin/.

  5. Upload the configuration file to a Linux machine:

    scp profile-1.ovpn user@<IP address>:~

  6. Move the configuration file to the /etc/openvpn folder:

    sudo mv /home/user/profile-1.ovpn /etc/openvpn

  7. Change the file extension from ovpn to conf:

    sudo mv /etc/openvpn/profile-1.ovpn /etc/openvpn/profile-1.conf

  8. Close access to the file:

    sudo chown root:root /etc/openvpn/profile-1.conf
sudo chmod 600 /etc/openvpn/profile-1.conf

  9. The VPN connection will turn on automatically after restarting. To start the connection manually, run the command:

    sudo openvpn --config /etc/openvpn/profile-1.conf

    Result:

    2022-04-05 15:35:49 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2022-04-05 15:35:49 OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
2022-04-05 15:35:49 library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
2022-04-05 15:35:49 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-04-05 15:35:49 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-04-05 15:35:49 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-04-05 15:35:49 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-04-05 15:35:49 TCP/UDP: Preserving recently used remote address: [AF_INET]51.250.25.105:443
2022-04-05 15:35:49 Socket Buffers: R=[131072->131072] S=[16384->16384]
2022-04-05 15:35:49 Attempting to establish TCP connection with [AF_INET]51.250.25.105:443 [nonblock]
...
...
2022-04-05 15:35:54 Initialization Sequence Completed

  10. Test the network using the command ping:

    sudo ping <internal_IP_address_of_the_test_VM>

    If the command is executed, the VM can be accessed via OpenVPN.

  11. To terminate a manually established connection, press Ctrl + C.

  1. Download the installation distribution:

    • In the browser, open the user panel at https://<VM_public_IP_address>/.
    • Log in using the test-user username and password.
    • Download OpenVPN Connect version 2 or 3 by clicking the Windows icon.

  2. Install and run OpenVPN Connect.

  3. A VPN connection will turn on automatically if auto-login is enabled in the user profile.

  4. A new configuration profile can be imported into the application. To do this, specify https://<VM_public_IP_address>/ or select a profile file.

  5. Open the terminal and run the ping <internal_IP_address_of_the_test_VM> command. If the command is executed, the VM can be accessed via OpenVPN.

  1. Download the installation distribution:

    • In the browser, open the user panel at https://<VM_public_IP_address>/.
    • Log in using the test-user username and password.
    • Download OpenVPN Connect version 2 or 3 by clicking the Apple icon.

  2. Install and run OpenVPN Connect.

  3. A VPN connection will turn on automatically if auto-login is enabled in the user profile.

  4. A new configuration profile can be imported into the application. To do this, specify https://<VM_public_IP_address>/ or select a profile file.

  5. Open the terminal and run the ping <internal_IP_address_of_the_test_VM> command. If the command is executed, the VM can be accessed via OpenVPN.

How to delete the resources you created

Delete the resources you no longer need to avoid being charged for them:

  • Delete the vpn-server VM and the test VM.
  • If you reserved a public static IP address, delete it.

See also

Previous
SGW solution by the Yandex Cloud architect team
Next
Creating and configuring a UserGate gateway in proxy server mode