VPN access for single clients


Mani Gandham

Jul 2, 2016, 9:22:01 PM7/2/16
to gce-discussion


Cloud VPN only supports IPsec gateway-to-gateway scenarios. You must have a dedicated physical or virtual IPsec VPN gateway on the client side. Cloud VPN does not currently support client-to-gateway (road warrior) scenarios. In other words, it doesn't work with client software on a laptop, only with full IPsec VPN gateway software. Cloud VPN does not support VPN technologies other than IPsec.


Will GCE ever support VPN access by single clients? We have a distributed team which requires having instances with a public IP so that they can be used for dev/staging/QA access. With the quotas on external IPs, and the potential security issues, it seems it would be far better to have direct VPN access instead. While the current solution would work for a large office to set up a permanent connection, it would be nice to have an option that individuals can use.

AWS has hostnames that dynamically resolve to either internal or external IPs automatically depending on where they're accessed. For GCE, instead of resolving to public IPs, a similar system that uses GCE's advanced networking to automatically route traffic to the right instance without the instance having a public IP would be ideal. This would let the GCE network firewall rules easily manage all external access and having stable hostnames makes it easy to have application code that doesn't need to change depending on where the code is being run.

Kamran (Google Cloud Support)

Jul 3, 2016, 6:26:15 PM7/3/16
to gce-discussion

Hello Mani,

That's correct. Cloud VPN only supports IPsec gateway-to-gateway scenarios. For client-to-gateway (road warrior) scenarios, you can install and configure IPsec VPN software, like strongSwan, on a GCE VM and configure it for remote access. Using a VPN client, users can connect to this VPN server and, after a secure tunnel is established, they can connect to all other VMs which are deployed inside the same network. In this case, the other VMs won't need to have external IP addresses. However, you will need to set up a NAT gateway if the other VMs need to have access to the internet. Configuring a NAT gateway is described in this article. The other option for road warrior scenarios is to use VPN over SSH.

Hope this helps.

Sincerely,
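The strongSwan-on-a-VM setup described in the reply above, as an added example that is not from the thread or from Google: an IKEv2 road-warrior gateway that hands clients an address from a pool, routes only the VPC subnet through the tunnel, masquerades client traffic so peer VMs without external IPs can answer, and opens only UDP 500/4500 on the gateway VM. The VPC CIDR, client pool, gateway identity and instance tag are placeholders; the gateway certificate/key and the EAP user entries in ipsec.secrets are assumed to be in place.

```shell
#!/bin/sh
# Added example, not the thread's own code. Placeholders: VPC subnet 10.128.0.0/20,
# client pool 10.250.0.0/24, gateway identity vpn.example.internal, instance tag vpn-gw.
set -eu

# Render /etc/ipsec.conf: clients do EAP-MSCHAPv2 against a certificate-authenticated
# IKEv2 gateway; leftsubnet limits what the tunnel carries to the VPC range.
render_ipsec_conf() {
  vpc_cidr=$1; pool=$2; gw_id=$3
  cat <<EOF
config setup
    uniqueids=never
conn roadwarrior
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    left=%any
    leftid=@$gw_id
    leftcert=vpn-gw-cert.pem
    leftsubnet=$vpc_cidr
    right=%any
    rightsourceip=$pool
    rightauth=eap-mschapv2
    eap_identity=%identity
    auto=add
EOF
}

# Host plumbing on the gateway VM: forward, and masquerade pool traffic bound for the
# VPC so replies return to the gateway's internal IP (no custom VPC route needed).
apply_host_config() {
  render_ipsec_conf "$@" > /etc/ipsec.conf
  chmod 600 /etc/ipsec.conf
  sysctl -w net.ipv4.ip_forward=1
  iptables -t nat -A POSTROUTING -s "$2" -d "$1" -j MASQUERADE
  ipsec restart
}

# GCE firewall: expose only IKE and NAT-T, and only to instances tagged vpn-gw.
gce_firewall_rule() {
  gcloud compute firewall-rules create allow-ikev2-vpn-gw \
    --network default --direction INGRESS --allow udp:500,udp:4500 \
    --target-tags vpn-gw --source-ranges 0.0.0.0/0
}

# Only act when explicitly asked, so the file can be inspected without side effects.
if [ "${1:-}" = "apply" ]; then
  gce_firewall_rule
  apply_host_config 10.128.0.0/20 10.250.0.0/24 vpn.example.internal
fi
```

Run as `sh vpn-gw.sh apply` on the gateway VM after placing the certificate and ipsec.secrets entries.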

Mani Gandham

Jul 25, 2016, 10:49:30 PM7/25/16
to gce-discussion
Solved this by using a virtual SDN (software defined network) LAN via ZeroTier.

Instructions here for AWS can be adapted to GCP and allow for a LAN connection that allows for internal IP access with multiple devices and a permanent connection. A single micro-instance works well enough.
