How to setup OpenVPN server on Google Cloud step by step

How to setup OpenVPN server on Google Cloud step by step

January 16, 2019 Off By TechAunt

People trend to use more and more VPN services as people are on high alert of their privacy. But how sure are you of the VPN providers is a question you should also answer.

As a solution i’m going to show you how to setup OpenVPN google cloud servers for free.

Setup the Google Cloud App

First of all you need to open an account on google cloud its free for a year with $300.

Menu icon >>Compute engine>>VM instances >>Create instance

Use an n1-standard-1 instance (1 vCPU, 3.75 GB memory) with Ubuntu 16.04 LTS installed. Since our VPN will use TCP:443, we need to allow HTTPS traffic.

Press the “Management, security, disks, networking, sole tenancy” button to open up the advanced options. Click on the Networking tab and hit the edit button next to the selected Network Interface.

Click into the “External IP” drop-down and select “Create IP address.” Enter a name and hit “RESERVE.” This will attach a static IP to your VPS

Be sure to turn on IP forwarding.


Hit “Done” and “Create.”

Installing OpenVPN and EasyRSA
sudo apt-get update
sudo apt-get install openvpn easy-rsa

Setting up the certificate

make-cadir ~/openvpn-ca
cd ~/openvpn-ca
nano vars

Scroll towards the bottom of the file (it’s not too long) and you should find the following:

export KEY_NAME="EasyRSA"

and change it to

export KEY_NAME="server"

Save and close the file (ctrl+x, y, enter)

run the following command:

source vars

If all gone right, the output should read

NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/username/openvpn-ca/keys.

This is what we want. To ensure a clean working environment, we’ll run


Build the CA run.


Let’s create our server certificate and key.

./build-key-server server

Don’t enter a challenge password this time to ease up the process. The last two prompts require you to enter y to sign the certificate. Make sure to not skip past those!

we also need an encryption key

openvpn --genkey --secret keys/tiv.key

Generate a Client Certificate

If you have more than one client, you can follow this step multiple times. Just make sure to make your client names unique.

cd ~/openvpn-ca
source vars

this time don’t use ./clean-all

./build-key client

skip through all except the last two prompts, which will ask you to sign by entering y.

Set up the OpenVPN Server

cd ~/openvpn-ca/keys
sudo cp ca.crt server.crt server.key tiv.key dh2048.pem /etc/openvpn

Copy the Config file and edit

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf

sudo nano /etc/openvpn/server.conf

The first step is to find the tls-auth directive. There will be a semicolon (;) next to the directive, which we’ll remove. Underneath, we’ll add a line.

tls-auth tiv.key 0 # This file is secret
key-direction 0

we’ll uncomment the AES-128-CBC line and add an auth directive.

cipher AES-128-CBC
auth SHA256

Next up are the user and group settings:

user nobody
group nogroup

To send all traffic through the VPN. For this, find the redirect-gateway directive and uncomment it.

push "redirect-gateway def1 bypass-dhcp"

Right below, there should be a couple of dhcp-option lines. Uncomment those and change it to google DNS

push "dhcp-option DNS"
push "dhcp-option DNS"

After change

push "dhcp-option DNS"
push "dhcp-option DNS"

change the port and protocol that OpenVPN operates on. The default is UDP:1194

port 443
proto tcp
;proto udp

Add following lines as well

cert server.crt
key server.key

Then Save and close

Preparing Ubuntu server

sudo nano /etc/sysctl.conf

Look for the following line and remove the # (comment character).


Save and close. To update session settings, run:

sudo sysctl –p

Set Up a Basic Firewall

we can enable the firewall by typing:

sudo ufw enable

we need to find and update our firewall (UFW) rules to masquerade clients. The first step is to find the interface that we’re running on:

ip route | grep default

The interface we want is the one that has the word “dev” in it. In our case, that looks like this:

default via dev ens4

So, our interface is ens4. With this, we’ll update our firewall rules:

sudo nano /etc/ufw/before.rules

Above where it says Don’t delete these required lines… add the following code:

# NAT Table
# OpenVPN client traffic

Save and close.

sudo nano /etc/default/ufw

Find the DEFAULT_FORWARD_POLICY directive and change it from “DROP” to “ACCEPT”.


Save and close.

Running OpenVPN

To start the server, run the following:

sudo systemctl start [email protected]

To check that it started properly, run:

sudo systemctl status [email protected]

If everything went well, you should see some output that includes Active: active (running). You might need to hit q to exit the information panel. If you’re good, link the service to the startup sequence.

sudo systemctl enable [email protected]

Setting up a Client Configuration Structure
For ease of setting up client configs, we’ll first create a structure. To start, create a config folder to store the client config files.

mkdir -p ~/clients/files

The client keys will be within these configs, so let’s lock the permissions on the files directory.

chmod 700 ~/clients/files

Copy the sample configuration.

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/clients/base.conf

Let’s edit the file:

nano ~/clients/base.conf

Find the remote directive. Replace the my-server-1 with the public external IP address that was assigned to your GCE instance. If you chose a port other than 1194, update that accordingly.

remote 443

Also update your protocol.

proto tcp

Uncomment user and group:

user nobody
group nogroup

Find the ca, cert, and key directives and comment them out, since our configs will include these automatically.

#ca ca.crt
# cert client.crt
# key client.key

Use the same cipher and auth settings as before:

cipher AES-128-CBC
auth SHA256

Somewhere, we’ll need to add key-direction. Make sure to use 1, as this is for the client now. 0 was for the server.

key-direction 1

If your current client config is (or will be) used on a Linux device, add the following:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Note that if you include these in a non-Linux environment (Android and macOS included in non-Linux), your clients may act strangely.
Save and close. Next, we need to write a script to generate our client configs quickly and easily.

nano ~/clients/

Inside, paste this code:

cat ${BASE_CONFIG} \
<(echo -e '') \
${KEY_DIR}/ca.crt \
<(echo -e '\n') \
${KEY_DIR}/${1}.crt \
<(echo -e '\n') \
${KEY_DIR}/${1}.key \
<(echo -e '\n') \
${KEY_DIR}/tiv.key \
<(echo -e '') \
> ${OUTPUT_DIR}/${1}.ovpn

The {1} here refers to the first argument, which will be our client name. Make sure to update tiv.key according to your HMAC key name.

Allow execution of this script:

chmod 700 ~/clients/

Generate Client Configs

The step you’ve all been waiting for is finally here. We’ll generate our client configs.

cd ~/clients
./ client

Check that this worked by running:

ls ~/clients/files

If it did, there should be a client.ovpn file in this directory now. We need to download this file and transfer it to our devices. To do this, click on the gear icon in the top right of the SSH session, and select “Download file.” Or you can use filezilla.

The fully qualified path should be something like this:


You have successfully created the VPN server! Now you can download the OpenVPN software from Here. And then import the downloaded client.ovpn file.