[Solved] Google Cloud VM VPN Setup

exomic
OpenVpn Newbie
Posts: 4
Joined: Wed May 16, 2018 4:27 pm

[Solved] Google Cloud VM VPN Setup

Post by exomic » Wed May 16, 2018 4:38 pm

Hi,

I'm trying to install an OpenVPN server on a Google Compute Engine VM to be able to access the LAN of my VM running in Google Virtual Private Cloud (VPC).

Here's my setup.

Home LAN network 192.168.2.0/24
Google LAN (VPC) 10.128.0.0/9
OpenVPN Server/DNS Server IP: 10.162.0.2

What I want is to allow access to the Google LAN 10.128.0.0/9 from home. I don't want to redirect all traffic but only this LAN through the VPN. I don't know why, but I'm only able to ping 10.162.0.2 and not my other VMs like 10.162.0.4 or the gateway 10.162.0.1.

Server.conf
[oconf]
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dhp4096.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.128.0.0 255.128.0.0" #Whole VPC
push "dhcp-option DNS 10.162.0.2"
keepalive 10 120
tls-crypt ta.key
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
ncp-ciphers AES-256-GCM:AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
[/oconf]

iptables setup:

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    MASQUERADE  all  --  10.8.0.0/24          0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:1194 
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Home PC routing after connecting to the VPN:

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.2.1        UGSc          121        0     en1
10.8/24            10.8.0.2           UGSc            3        0   utun1
10.8.0.2           10.8.0.2           UH              2        0   utun1
10.128/9           10.8.0.1           UGSc            1        2   utun1
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              2     2307     lo0
169.254            link#7             UCS             0        0     en1
192.168.2          link#7             UCS             1        0     en1
192.168.2.1/32     link#7             UCS             1        0     en1
192.168.2.1        xx:xx:xx:xx:xx:xx  UHLWIir        54     1368     en1   1116
192.168.2.11/32    link#7             UCS             1        0     en1
192.168.2.11       zz:zz:zz:zz:zz:zz  UHLWI           0       58     lo0
192.168.2.255      ff:ff:ff:ff:ff:ff  UHLWbI          0        1     en1
224.0.0/4          link#11            UmCS            0        0   utun1
224.0.0/4          link#7             UmCSI           1        0     en1
224.0.0.251        yy:yy:yy:yy:yy:yy      UHmLWI          0        0     en1
255.255.255.255/32 link#11            UCS             1        0   utun1
255.255.255.255/32 link#7             UCSI            0        0     en1
255.255.255.255    link#11            UHW3bI          0       23   utun1   1054
Last edited by exomic on Wed May 16, 2018 9:26 pm, edited 1 time in total.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Google Cloud VM VPN Setup

Post by TinCanTech » Wed May 16, 2018 5:00 pm


exomic
OpenVpn Newbie
Posts: 4
Joined: Wed May 16, 2018 4:27 pm

Re: Google Cloud VM VPN Setup

Post by exomic » Wed May 16, 2018 11:30 pm

I have followed this tutorial. I have set the Google VPC Gateway to route 10.8.0.0/24 to the OpenVPN Server 10.162.0.2

Still I cannot reach the other servers on Google VPC (like 10.162.0.4)

I found this:
https://serverfault.com/a/848918
The VPC network rewrites the IP header to declare the instance's external IP address as the source. If the instance has no external IP address, the call is not allowed, and the VPC network drops the packet without informing the sender. So if your openVPN is just forwarding packets from the other network, then the packets to public internal will be dropped as source_ip does not match any existing VM's internal IP. For this reason you need to NAT the packets leaving your local network, e.g on your VPN node.

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.0.0/16 !192.168.0.0/16

How exactly can I set that up for my client?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Google Cloud VM VPN Setup

Post by TinCanTech » Thu May 17, 2018 1:31 am

exomic wrote:
Wed May 16, 2018 11:30 pm
I have followed this tutorial
Read on .. :ugeek:

exomic
OpenVpn Newbie
Posts: 4
Joined: Wed May 16, 2018 4:27 pm

Re: Google Cloud VM VPN Setup

Post by exomic » Thu May 17, 2018 1:45 am

TinCanTech wrote:
Thu May 17, 2018 1:31 am
exomic wrote:
Wed May 16, 2018 11:30 pm
I have followed this tutorial
Read on .. :ugeek:

I have read it and still no luck. I'm trying only to add hosts on the server side. It seems like Google is blocking something: I can only ping the OpenVPN server and not the other hosts on the Google side. I tried different iptables masquerade rules but I can't get out of the OpenVPN server. The Google instance has IP forwarding enabled and a route has been set on the Google gateway for 10.8.0.0/24 to 10.162.0.2 (OpenVPN server) so Google hosts can find their way to the VPN client.

exomic
OpenVpn Newbie
Posts: 4
Joined: Wed May 16, 2018 4:27 pm

Re: Google Cloud VM VPN Setup

Post by exomic » Thu May 17, 2018 2:51 am

Oh god, looks like IP forwarding wasn't active in the kernel, and it works after applying the command sysctl -p.
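The thread above ends up touching three separate requirements on the OpenVPN instance: the nat MASQUERADE rule from the first post (needed because the VPC drops forwarded packets whose source address is not one of its own instances, as the quoted serverfault answer explains), a persisted net.ipv4.ip_forward setting, and that setting actually being active in the running kernel, which was the final fix here. The following POSIX sh diagnostic is an added example, not code from the thread or from the OpenVPN project; it checks all three against iptables-save output and the sysctl files, and prints the corrective command for whichever check fails. The interface name ens4 and the file paths used in the usage comment are assumptions; every path is a parameter so the checks can also be run against copied or constructed files.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Checks what this setup needed
# on the OpenVPN instance inside the VPC:
#   1. kernel IP forwarding actually on (the final fix here was `sysctl -p`)
#   2. net.ipv4.ip_forward = 1 persisted in a sysctl config file
#   3. a nat POSTROUTING MASQUERADE rule for the VPN subnet, so packets
#      from 10.8.0.0/24 leave with the instance's own VPC address
# File paths are parameters so the checks can run against constructed
# samples; empty arguments fall back to the live system locations.

# Succeeds when the ip_forward control file contains "1".
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Succeeds when the sysctl config file has an uncommented
# "net.ipv4.ip_forward = 1" (any spacing). The commented-out line that a
# stock sysctl.conf ships with does not count.
sysctl_conf_persists_forwarding() {
    f="${1:-/etc/sysctl.conf}"
    [ -r "$f" ] && grep -Eq \
        '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$f"
}

# Succeeds when iptables-save output on stdin has a MASQUERADE rule in the
# nat POSTROUTING chain whose source is exactly the VPN subnet in $1.
has_vpn_masquerade() {
    # escape the dots so "10.8.0.0" does not match "10x8y0z0"
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -Eq "^-A POSTROUTING -s ${esc} .*-j MASQUERADE"
}

# Prints one corrective command per failed check, nothing when all pass.
#   $1 VPN subnet, $2 interface facing the VPC, $3 ip_forward file (or ""),
#   $4 sysctl config file (or ""); iptables-save output on stdin.
suggested_fixes() {
    subnet="$1"; iface="$2"; fwd_file="$3"; conf_file="${4:-/etc/sysctl.conf}"
    ip_forward_enabled "$fwd_file" ||
        echo "sysctl -w net.ipv4.ip_forward=1"
    sysctl_conf_persists_forwarding "$conf_file" ||
        echo "echo 'net.ipv4.ip_forward = 1' >> $conf_file && sysctl -p"
    has_vpn_masquerade "$subnet" ||
        echo "iptables -t nat -A POSTROUTING -s $subnet -o $iface -j MASQUERADE"
}

# Typical use on the OpenVPN instance (ens4 is an assumed interface name):
#   . ./check_vpn_forwarding.sh
#   iptables-save | suggested_fixes 10.8.0.0/24 ens4
# The file defines functions only; nothing runs when it is sourced.
```

The masquerade check deliberately requires the VPN subnet as the source: the 192.168.0.0/16 rule quoted from the serverfault answer applies to that poster's home LAN, and would not cover a client arriving on 10.8.0.0/24, which is why the rule in the first post (source 10.8.0.0/24) is the right shape for this thread's setup.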
