
How To Set A Server To Server VPN on Google Compute Engine

There are many cases where you want to migrate data from one location to another, and in most of them you will want to do it over a secure channel. This tutorial covers the main steps for setting up a VPN (in this case strongSwan) on Google Compute Engine, so that you have a server-to-server VPN between your own server(s) located in the basement and Compute Engine.
We will set up a VPN connection from your own datacenter to Compute Engine. First, let's look at the big picture. We want one gateway in our datacenter and another on Compute Engine. These gateways are responsible for establishing and securing the channel so that we can transfer our data over it in a secure way.

High Level Network diagram

[Figure: VPN on GCE network macro view]

Main steps

Pre-Setup Work

  • Set up a dedicated host at the client network.

  • Set up an external IP for the host and open UDP port 4500.

Compute Engine Work

1. The included management script, manageVPN.sh, sets up the gateway host and all the required advanced networking.
Edit the following parameters before executing.

2. Execute the setup script.

$ ./manageVPN.sh -p [your project] -n [your network] -i https://www.googleapis.com/compute/v1/projects/centos-cloud/global/images/centos-6-v20131120 start

Please note that you can choose other Linux images.

3. Connect to the VPN gateway.

$ gcutil --project=your-project-name ssh vpn-gateway

4. Create a file called ipsec.conf with the following contents:

5. Execute the following on the host to install & configure strongSwan.
Use the ipsec.conf from above.

On CentOS 6

Client Network Work

I recommend a dedicated (or low utilization) box to host the strongSwan VPN server. The following setup needs to be done on that host in addition to exposing the box to the internet on port 4500.

1. Create a file called ipsec.conf with the following contents:

2. Execute the following on the host to install & configure strongSwan.

Use the ipsec.conf from above.

CentOS 6

3. Update the secret key. Execute the following on the host to install & configure strongSwan. Use the ipsec.conf from above.

4. Set up routes on the Cassandra hosts to reach the remote Compute Engine network via the local gateway host.
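
An added example, not the author's ipsec.conf or manageVPN.sh: the script below renders the two mirrored ipsec.conf files (each gateway's left is the other's right), the shared ipsec.secrets line, and the route from step 4. Every address, the connection name `site-to-site` and the cipher proposals are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not the original post's files. Every address is constructed
# (RFC 5737 / RFC 1918 ranges); substitute your own before use.
GCE_PUB=203.0.113.10     # external IP of vpn-gateway on Compute Engine
GCE_NET=10.240.0.0/16    # Compute Engine network range (assumed)
DC_PUB=198.51.100.20     # external IP of the datacenter gateway
DC_NET=192.168.10.0/24   # datacenter LAN range (assumed)
DC_GW_LAN=192.168.10.5   # datacenter gateway's LAN address (assumed)

# render_conn LOCAL_PUB LOCAL_NET REMOTE_PUB REMOTE_NET -> ipsec.conf text
render_conn() {
cat <<EOF
config setup

conn site-to-site
    keyexchange=ikev2
    authby=secret
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    left=%any
    leftid=$1
    leftsubnet=$2
    right=$3
    rightid=$3
    rightsubnet=$4
    forceencaps=yes
    dpdaction=restart
    auto=start
EOF
}

# 32 random bytes, base64-encoded (44 characters), for the pre-shared key.
new_psk() { head -c 32 /dev/urandom | base64; }

# render_secret ID_A ID_B PSK -> ipsec.secrets line, identical on both hosts
render_secret() { printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"; }

psk=$(new_psk)
echo "# --- ipsec.conf, Compute Engine gateway ---"
render_conn "$GCE_PUB" "$GCE_NET" "$DC_PUB" "$DC_NET"
echo "# --- ipsec.conf, datacenter gateway (left/right mirrored) ---"
render_conn "$DC_PUB" "$DC_NET" "$GCE_PUB" "$GCE_NET"
echo "# --- ipsec.secrets, both gateways (keep readable by root only) ---"
render_secret "$GCE_PUB" "$DC_PUB" "$psk"
echo "# --- route on each datacenter host (step 4) ---"
echo "ip route add $GCE_NET via $DC_GW_LAN"
```

The trailing `!` on the `ike` and `esp` lines makes the proposal strict, so a peer offering weaker algorithms is rejected instead of negotiated down.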

Appendix

manageVPN.sh Script

Misc

  1. The online documentation for Compute Engine.

  2. StrongSwan documentation.

Happy hacking.
