Creating a VPN connection using OpenVPN
This scenario describes how to configure an OpenVPN instance to access Yandex.Cloud VMs over an encrypted connection. It considers the option to configure an OpenVPN gateway with username and password-based access.
To set up a VPN tunnel:
- Before you start.
- Create subnets and a test VM.
- Create an OpenVPN instance.
- Set the administrator password.
- Create an OpenVPN user.
- Connect to the VPN.
If you no longer need the OpenVPN instance, delete it.
Before you start
Before deploying the server, you need to sign up for Yandex.Cloud and create a billing account:
- Go to the management console. Then log in to Yandex.Cloud or sign up if you don't already have an account.
- On the billing page, make sure that a billing account is linked and that its status is ACTIVE or TRIAL_ACTIVE. If you don't have a billing account, create one.
If you have an active billing account, you can create or select a folder to run your VM in from the Yandex.Cloud page.
Learn more about clouds and folders.
Required paid resources
The cost of infrastructure support for OpenVPN includes:
- A fee for continuously running VMs (see Yandex Compute Cloud pricing).
- A fee for using a dynamic external IP address (see Yandex Virtual Private Cloud pricing).
Create subnets and a test VM
To connect cloud resources to the internet, make sure you have networks and subnets.
Create a test VM without a public IP and connect it to the subnet.
Create an OpenVPN instance
Create a VM in Yandex.Cloud to serve as a gateway for a VPN tunnel.
- Open your folder and click Create resource. Select Virtual machine.
- Enter a name for the VM, for example, openvpn-instance.
- Select the availability zone of the subnet that the OpenVPN instance will connect to and where the test VM is already located.
- Under Images from Cloud Marketplace, click Select and choose the OpenVPN image.
- In the Network settings section, choose the required network and subnet and assign a public IP to the VM either by selecting it from the list or automatically.
  Only use static public IP addresses from the list or make the IP address static. Dynamic IP addresses may change after the VM reboots and the connections will no longer work.
- In the Access field, enter the login and SSH key to access the VM.
- Click Create VM.
Set the administrator password
The openvpn user with administrator privileges was created on the OpenVPN server in advance. To access the admin panel, set a password for this user.
- Connect to the virtual machine over SSH:
  $ ssh <VM public IP>
- Run the command:
  $ sudo passwd openvpn
  Enter new UNIX password:
  Enter a new password.
You can then log in to the OpenVPN admin panel.
Create an OpenVPN user
To establish an OpenVPN connection, enter the username and password of the user on the client machine. Create a new user:
- In the browser, open a URL like https://<VM public IP address>:943/admin/.
- Specify the openvpn username and the password created in the previous step.
- Click Agree. This opens the main screen of the OpenVPN admin panel.
- Go to the User management tab and select User permissions.
- In the list of users, enter the name of the new user in the New Username field, like test-user.
- Click the pencil icon in the More Settings column and set the new user's password in the Password field.
- Click Save settings.
- Click Update running server.
You can then connect to the VPN using OpenVPN Connect.
Connect to the VPN
To check that a connection is established and working properly, connect to the VPN and run the ping command for the test VM internal address:
- Start the OpenVPN Connect Client.
- Create a new connection. Type the VM IP address, enter test-user as the user, and enter the user's password.
- Enable the created connection.
- Open the terminal and run the command ping <internal IP address of the test VM>. If the command runs successfully, the VM can be accessed via OpenVPN.
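A successful ping alone does not show which path the packets took. The script below is an added example, not part of the original guide: it checks that the route to the test VM's internal address leaves through the VPN tunnel before pinging. It assumes a Linux client with iproute2 and a tunnel interface named tun*; the function names and sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the test VM's internal address is routed through
# the VPN tunnel before trusting a successful ping.
# Assumptions: Linux client with iproute2; tunnel interface named tun*.

# Print the outgoing interface found in `ip route get` output on stdin.
route_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Succeed only if the interface name looks like an OpenVPN tunnel device.
is_tunnel_dev() {
    case "$1" in
        tun[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify route lookup text: prints tunnel:<dev>, direct:<dev> or noroute.
classify_route() {
    dev=$(printf '%s\n' "$1" | route_dev)
    if [ -z "$dev" ]; then
        echo "noroute"
    elif is_tunnel_dev "$dev"; then
        echo "tunnel:$dev"
    else
        echo "direct:$dev"
    fi
}

# Live check: route lookup first, then ping only if the tunnel is used.
# Usage: check_vpn_path <internal IP address of the test VM>
check_vpn_path() {
    result=$(classify_route "$(ip route get "$1" 2>/dev/null)")
    echo "route to $1: $result"
    case "$result" in
        tunnel:*) ping -c 3 -W 2 "$1" ;;
        *) echo "traffic to $1 would not use the VPN tunnel" >&2; return 1 ;;
    esac
}

# Constructed sample outputs of `ip route get` (addresses are illustrative).
SAMPLE_VPN='10.128.0.5 via 172.27.232.1 dev tun0 src 172.27.232.2 uid 1000'
SAMPLE_LAN='10.128.0.5 via 192.168.1.1 dev wlan0 src 192.168.1.40 uid 1000'

classify_route "$SAMPLE_VPN"
classify_route "$SAMPLE_LAN"
```

After sourcing the script on the client, run check_vpn_path with the internal IP address of the test VM while the connection is enabled.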
Delete the created resources
If you no longer need the OpenVPN instance, delete the openvpn-instance VM and the test VM.
If you reserved a public static IP address, delete it.