How to Set Up OpenVPN Server on Google Compute Engine with Proper Routing and Firewall Rules


When setting up OpenVPN on GCE, many developers encounter connectivity issues where clients can connect but cannot route traffic properly. The root cause typically lies in three areas:

  1. GCE's network firewall rules blocking VPN traffic
  2. Missing IP forwarding configuration
  3. Incorrect NAT/masquerading setup

First, ensure these firewall rules exist in your GCE project:

gcloud compute firewall-rules create allow-openvpn \
--direction=INGRESS \
--priority=1000 \
--network=default \
--action=ALLOW \
--rules=udp:1194 \
--source-ranges=0.0.0.0/0

Also allow forwarded traffic:

gcloud compute firewall-rules create allow-forwarded-vpn-traffic \
--direction=INGRESS \
--priority=1000 \
--network=default \
--action=ALLOW \
--rules=all \
--source-ranges=10.8.0.0/24

On your GCE instance, enable IP forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -p

Make this persistent by adding to /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Here's a working server.conf template for GCE:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1

Add these iptables rules on your GCE instance:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Make them persistent:

apt install iptables-persistent
netfilter-persistent save

If issues persist:

  • Check OpenVPN logs: journalctl -u openvpn@server -f
  • Verify routing: ip route show
  • Test connectivity: tcpdump -i tun0
  • Check GCE quotas to ensure you're not hitting limits
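The NAT and forwarding steps above are the ones most often applied twice (stacking duplicate iptables rules and sysctl lines) or against the wrong interface, since GCE images name the NIC ens4 or eth0 depending on the distribution. The following script is an added example, not code from the answer or from the OpenVPN project: it detects the egress interface from the default route, renders the answer's three rules without applying them so they can be reviewed, applies them only when absent (`iptables -C`), and persists `net.ipv4.ip_forward = 1` without duplicating the line. The VPN subnet and fallback interface name are arguments; `10.8.0.0/24` and `eth0` are taken from the answer.

```shell
#!/bin/sh
# Added example, not code from the answer above. Renders and idempotently
# applies the NAT/forwarding rules and the sysctl setting the answer lists.
# Assumptions: the VPN subnet (10.8.0.0/24 in the answer) and the egress
# interface are passed as arguments; on GCE the NIC is often ens4 rather
# than eth0, so the interface is detected from the default route when possible.

# detect_egress_iface FALLBACK: the interface carrying the default route is
# the one MASQUERADE must name; print FALLBACK if `ip` is unavailable.
detect_egress_iface() {
    iface=$(ip -o route show default 2>/dev/null | awk '{ print $5; exit }')
    printf '%s\n' "${iface:-$1}"
}

# render_nat_rules SUBNET IFACE: print the rules as "TABLE CHAIN RULE-ARGS"
# lines without touching the kernel, so they can be reviewed or diffed first.
render_nat_rules() {
    printf 'nat POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
    printf 'filter FORWARD -i tun0 -o %s -j ACCEPT\n' "$2"
    printf 'filter FORWARD -i %s -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT\n' "$2"
}

# apply_rule TABLE CHAIN ARGS...: `iptables -C` checks for the rule first, so
# rerunning the script does not stack duplicate rules in the chain.
apply_rule() {
    table=$1; chain=$2; shift 2
    if iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        echo "present: -t $table $chain $*"
    else
        iptables -t "$table" -A "$chain" "$@"
    fi
}

# apply_nat_rules SUBNET IFACE: apply every rendered rule (needs root).
apply_nat_rules() {
    render_nat_rules "$1" "$2" | while read -r table chain args; do
        # $args is intentionally unquoted: it must split into iptables arguments
        apply_rule "$table" "$chain" $args
    done
}

# ensure_ip_forward CONF: persist net.ipv4.ip_forward = 1 in CONF, replacing a
# commented or stale line rather than appending a duplicate on every run.
ensure_ip_forward() {
    conf=$1
    pattern='^[#[:space:]]*net\.ipv4\.ip_forward[[:space:]]*='
    if grep -Eq "$pattern" "$conf" 2>/dev/null; then
        sed -E "s/${pattern}.*/net.ipv4.ip_forward = 1/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'net.ipv4.ip_forward = 1\n' >> "$conf"
    fi
}

# Usage (as root on the VPN instance):
#   apply_nat_rules 10.8.0.0/24 "$(detect_egress_iface eth0)"
#   ensure_ip_forward /etc/sysctl.conf && sysctl -p
```

`render_nat_rules` is deliberately separated from `apply_nat_rules` so the rule set can be inspected (or compared against `iptables-save` output) before anything is changed on a production instance; `netfilter-persistent save` still has to run afterwards, exactly as the answer says.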

When deploying OpenVPN on Google Compute Engine (GCE), the main obstacle isn't the OpenVPN configuration itself - it's GCE's unique networking architecture. Unlike traditional VPS providers, GCE implements additional network abstraction layers that require specific handling.

Here's what you need to verify for a working OpenVPN setup:

# Required GCE firewall rules (run via gcloud CLI)
gcloud compute firewall-rules create allow-openvpn \
    --direction=INGRESS \
    --priority=1000 \
    --network=default \
    --action=ALLOW \
    --rules=udp:1194 \
    --source-ranges=0.0.0.0/0

gcloud compute firewall-rules create allow-openvpn-traffic \
    --direction=INGRESS \
    --priority=1000 \
    --network=default \
    --action=ALLOW \
    --rules=all \
    --source-tags=openvpn

GCE instances don't enable IP forwarding by default. You must configure both the instance and GCE network settings:

# On the GCE instance:
echo 1 > /proc/sys/net/ipv4/ip_forward

# For persistent forwarding after reboots: uncomment the stock line if it is
# present, otherwise append it (so repeat runs don't add duplicates), then reload
sed -i 's/^#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf || echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p

Here's a working server configuration template (server.conf) that handles GCE's special requirements:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
# Critical for GCE
push "route 10.128.0.0 255.128.0.0"

The most common point of failure is proper NAT setup. This iptables configuration works reliably on GCE:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens4 -j MASQUERADE
iptables -A FORWARD -i ens4 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o ens4 -j ACCEPT

# Save rules for persistence
apt-get install iptables-persistent -y
netfilter-persistent save

After configuration, test these critical paths:

# On server:
tcpdump -i tun0
ping 10.8.0.1

# On client:
traceroute 8.8.8.8
curl ifconfig.me

If connections work but no internet access, check:

  • GCE instance metadata: Enable "IP forwarding" in VM instance settings
  • VPC network routes: Should show default internet gateway
  • Firewall logs: gcloud compute firewall-rules describe [RULE_NAME]
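"Clients connect but have no internet" is very often a mismatch between the three places the VPN subnet appears: the `server` directive in server.conf, the `-s` of the MASQUERADE rule, and the `--source-ranges` of the GCE firewall rule. The script below is an added example, not code from either answer or from OpenVPN: it parses the `server` line into CIDR form, compares it with the NAT and firewall values passed in, and confirms that a `redirect-gateway` push is present (without it clients keep their local default route and never send internet traffic through the tunnel). The sample server.conf it writes is constructed from the answer's template; the argument values are assumptions for the check.

```shell
#!/bin/sh
# Added example, not code from the answer above: a consistency check for the
# three places the VPN subnet must agree (server.conf, the MASQUERADE rule and
# the GCE firewall source range). Assumptions: paths and values are passed as
# arguments; the sample server.conf below is constructed from the answer.

# mask_to_prefix DOTTED-MASK: 255.255.255.0 -> 24 (fails on a malformed mask)
mask_to_prefix() {
    prefix=0
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        case $octet in
            255) prefix=$((prefix + 8)) ;;   254) prefix=$((prefix + 7)) ;;
            252) prefix=$((prefix + 6)) ;;   248) prefix=$((prefix + 5)) ;;
            240) prefix=$((prefix + 4)) ;;   224) prefix=$((prefix + 3)) ;;
            192) prefix=$((prefix + 2)) ;;   128) prefix=$((prefix + 1)) ;;
            0) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    echo "$prefix"
}

# conf_get FILE DIRECTIVE: print the arguments of the first DIRECTIVE line
conf_get() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# vpn_subnet_from_conf FILE: turn `server 10.8.0.0 255.255.255.0` into 10.8.0.0/24
vpn_subnet_from_conf() {
    conf=$1
    set -- $(conf_get "$conf" server)
    [ -n "$1" ] && [ -n "$2" ] || return 1
    prefix=$(mask_to_prefix "$2") || return 1
    echo "$1/$prefix"
}

# check_vpn_consistency CONF NAT_SUBNET FW_RANGE: return 0 only if every subnet
# matches and clients are actually told to route through the tunnel; prints
# one line per finding so it can be run from a health check.
check_vpn_consistency() {
    conf=$1; nat_subnet=$2; fw_range=$3
    subnet=$(vpn_subnet_from_conf "$conf") || { echo "FAIL: no usable 'server' directive in $conf"; return 1; }
    status=0
    [ "$subnet" = "$nat_subnet" ] || { echo "FAIL: MASQUERADE source $nat_subnet != server subnet $subnet"; status=1; }
    [ "$subnet" = "$fw_range" ] || { echo "FAIL: firewall --source-ranges $fw_range != server subnet $subnet"; status=1; }
    grep -Eq '^push[[:space:]]+"redirect-gateway' "$conf" || { echo "FAIL: no redirect-gateway push, clients keep their local default route"; status=1; }
    grep -Eq '^user[[:space:]]' "$conf" || echo "WARN: no 'user' directive, openvpn keeps root privileges after start"
    if [ "$status" -eq 0 ]; then
        echo "OK: $subnet consistent across server.conf, NAT and firewall"
    fi
    return "$status"
}

# write_sample_conf FILE: constructed server.conf mirroring the answer's template
write_sample_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
user nobody
group nogroup
EOF
}

# Usage on the instance (values as used in the answer):
#   check_vpn_consistency /etc/openvpn/server.conf 10.8.0.0/24 10.8.0.0/24
```

The NAT subnet can be read from the live ruleset (`iptables -t nat -S POSTROUTING`) and the firewall range from `gcloud compute firewall-rules describe`, and fed to `check_vpn_consistency` as the second and third arguments; a non-zero exit pinpoints which of the three disagrees before any packet capture is needed.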