Creating a VPN connection using OpenVPN
This scenario describes how to configure an OpenVPN instance to access Yandex Cloud VMs over an encrypted connection. It considers the option to configure an OpenVPN gateway with username and password-based access.
To set up a VPN tunnel:
- Before you start.
- Create subnets and a test VM.
- Create an OpenVPN instance.
- Get the administrator password.
- Create an OpenVPN user.
- Connect to the VPN.
If you no longer need the OpenVPN instance, delete it.
Before you start
Before deploying the server, you need to sign up for Yandex Cloud and create a billing account:
- Go to the management console. Then log in to Yandex Cloud or sign up if you don't already have an account.
- On the billing page, make sure you have linked a billing account and that it has the TRIAL_ACTIVE status. If you don't have a billing account, create one.
If you have an active billing account, you can create or select a folder to run your VM in from the Yandex Cloud page.
Required paid resources
The cost of infrastructure support for OpenVPN includes:
- A fee for continuously running VMs (see Yandex Compute Cloud pricing).
- A fee for using a dynamic external IP address (see Yandex Virtual Private Cloud pricing).
Create subnets and a test VM
Create a test VM without a public IP and connect it to the subnet.
Create an OpenVPN instance
Create a VM in Yandex Cloud to serve as a gateway for a VPN tunnel.
Open your folder and click Create resource. Select Virtual machine.
Enter a name for the VM, for example,
Select the subnet availability zone to connect the OpenVPN instance to and where the test VM is already located.
Under Images from Cloud Marketplace, click Select and choose the OpenVPN image.
In the Network settings section, choose the required network and subnet and assign a public IP to the VM either by selecting it from the list or automatically.
In the Access field, enter the login and SSH key to access the VM.
Click Create VM.
Get the administrator password
An openvpn user with administrator privileges is created on the OpenVPN server in advance. An initial password is generated automatically. To access the admin panel, get the password:
Connect to the virtual machine over SSH:
ssh <VM public IP>
Run the command:
sudo cat /usr/local/openvpn_as/tmp/initial_ovpn_pass && echo
The password, which is located in a text file, will be displayed on the screen.
Log in to the admin panel using the openvpn username and the obtained password.
Create an OpenVPN user
To establish an OpenVPN connection, enter the username and password of the user on the client machine. Create a new user:
- In the browser, open a URL like https://<VM public IP address>:943/admin/.
- Specify the openvpn username and the password obtained in the previous step.
- Click Agree. This opens the main screen of the OpenVPN admin panel.
- Go to the User management tab and select User permissions.
- In the list of users, enter the name of the new user in the New Username field, like
- Click the pencil icon in the More Settings column and set the new user's password in the Password field.
- Click Save settings.
- Click Update running server.
You can then connect to the VPN using OpenVPN Connect.
Connect to the VPN
To check that a connection is established and working properly, connect to the VPN and run the ping command for the test VM internal address:
- Start the OpenVPN Connect Client.
- Create a new connection. Type the VM IP address, enter test-user as the user, and enter the user's password.
- Enable the created connection.
- Open the terminal and run the command ping <internal IP address of the test VM>. If the command is executed, the VM can be accessed via OpenVPN.
Delete the created resources
If you no longer need the OpenVPN instance, delete the openvpn-instance VM and the test VM.
If you reserved a public static IP address, delete it.