Hello,
I'm trying to use a Google Compute Engine VM as a VPN server for all my traffic.
I've followed all the steps from another tutorial about setting up a VPN with OpenVPN [https://docs.google.com/document/d/1Ol0kC9bgbBh2zlohtBP7uZnzioZ4sShIcENgTwq5Ot0/edit].
I can connect to the VPN from the client, the requests made to the DNS server are resolved without any problems (sometimes there are some delays, though), I can ping some Internet hosts (like www.google.com or www.yahoo.com) and I can make a complete trace while connected to the VPN.
However, I'm not able to surf the Internet properly while connected to the VPN.
Sometimes I can access a site (like checkip.dyndns.org) but get only the text parts (no images or media); other times the address is not properly resolved or I receive an error message about the connection.
I've checked all the elements that I can think of, I've tried a lot of variants in my configuration, but nothing works.
Does anyone have an idea what could be wrong with my setup?
Here is some information that can be useful:
"name": "vm01",
"description": "VM for OpenVPN",
"tags": {
  "fingerprint": "XXXXXXXXXXXX"
},
"machineType": "https://www.googleapis.com/compute/v1/projects/XXXXXX/zones/us-central1-a/machineTypes/f1-micro",
"canIpForward": true,
"networkInterfaces": [
  {
    "network": "https://www.googleapis.com/compute/v1/projects/XXXXXX/global/networks/default",
    "networkIP": "10.240.XXX.XXX",
    "name": "nic0",
    "accessConfigs": [
      {
        "kind": "compute#accessConfig",
        "type": "ONE_TO_ONE_NAT",
        "name": "External NAT",
        "natIP": "107.178.XXX.XXX"
      }
    ]
  }
],

{
  "kind": "compute#network",
  "selfLink": "https://www.googleapis.com/compute/v1/projects/XXXXXX/global/networks/default",
  "id": "XXXXXXXXXXXXXXXXXXXX",
  "creationTimestamp": "2014-05-01T15:51:37.299-07:00",
  "name": "default",
  "description": "Default network for the project",
  "IPv4Range": "10.240.0.0/16",
  "gatewayIPv4": "10.240.0.1"
}

custom-allow-udpvpn
Incoming openvpn udp allowed.
Source Ranges:
Allowed Protocols or Ports: udp:1194

default-allow-internal
Internal traffic from default allowed
Source Ranges:
Allowed Protocols or Ports: tcp:1-65535, udp:1-65535, icmp

default-ssh
SSH allowed from anywhere
Source Ranges:
Allowed Protocols or Ports: tcp:22

default-route-3f3eXXXXXXX1e034
Default route to the Internet.
Instance Tags: This route applies to all instances.
Destination IP range: 0.0.0.0/0
Next hop: https://www.googleapis.com/compute/v1/projects/XXXXXX/global/gateways/default-internet-gateway
Priority: 1000

default-route-a68fXXXXXXX1db51
Default route to the virtual network.
Instance Tags: This route applies to all instances.
Destination IP range: 10.240.0.0/16
Priority: 1000

PS. There is a mini-tutorial about VPN on GCE [https://developers.google.com/compute/docs/networking#settingupvpn], but it's about connecting an external network to an instance (or another network) in GCE. So, it's no help in this case.
Thanks for the suggestion, I'll research that alternative too.
However, I was wondering if anyone knows of something I have to configure on the GCE console (or any other place) so the setup described above works as expected? (maybe something like the creation of a route/firewall)
A friend of mine has almost the exact same configuration on a VM from Amazon and everything works fine over there.
Does anyone have any other suggestion?
Below is the output of some commands from the GCE instance and from a PC while connected to the VPN.
$ sudo curl checkip.dyndns.org
<html><head><title>Current IP Check</title></head><body>Current IP Address: 107.178.XXX.XXX</body></html>
$ sudo ping checkip.dyndns.org -c 2
PING checkip.dyndns.com (216.146.39.70) 56(84) bytes of data.
64 bytes from checkip-lax.dyndns.com (216.146.39.70): icmp_req=1 ttl=56 time=75.2 ms
64 bytes from checkip-lax.dyndns.com (216.146.39.70): icmp_req=2 ttl=56 time=67.7 ms
--- checkip.dyndns.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 67.774/71.504/75.235/3.740 ms
$ sudo traceroute www.google.com -T -p 80 -N 1 -z 0.5 -q 1
traceroute to www.google.com (74.125.207.105), 30 hops max, 60 byte packets
1 74.125.207.105 (74.125.207.105) 0.699 ms
$ sudo traceroute checkip.dyndns.org -T -p 80 -N 1 -z 0.5 -q 1
traceroute to checkip.dyndns.org (216.146.39.70), 30 hops max, 60 byte packets
1 209.85.241.26 (209.85.241.26) 0.902 ms
2 209.85.241.34 (209.85.241.34) 0.660 ms
3 209.85.241.28 (209.85.241.28) 0.946 ms
4 209.85.241.28 (209.85.241.28) 0.864 ms
5 209.85.241.34 (209.85.241.34) 0.656 ms
6 209.85.241.36 (209.85.241.36) 0.668 ms
7 209.85.241.36 (209.85.241.36) 0.647 ms
8 209.85.241.36 (209.85.241.36) 1.157 ms
9 72.14.238.107 (72.14.238.107) 19.960 ms
10 209.85.254.239 (209.85.254.239) 19.828 ms
11 209.85.255.133 (209.85.255.133) 21.736 ms
12 4.68.62.153 (4.68.62.153) 11.526 ms
13 vlan52.ebr2.Chicago2.Level3.net (4.69.138.190) 67.298 ms
14 ae-14-14.ebr1.Dallas1.Level3.net (4.69.151.118) 69.325 ms
15 ae-91-91.csw4.Dallas1.Level3.net (4.69.151.161) 69.204 ms
16 ae-93-93.ebr3.Dallas1.Level3.net (4.69.151.170) 69.221 ms
17 ae-3-3.ebr2.LosAngeles1.Level3.net (4.69.132.77) 67.320 ms
18 ae-62-62.csw1.LosAngeles1.Level3.net (4.69.137.18) 69.343 ms
19 ae-4-90.edge6.LosAngeles1.Level3.net (4.69.144.206) 69.641 ms
20 DYNAMIC-NET.edge6.LosAngeles1.Level3.net (4.30.63.50) 67.622 ms
21 checkip-lax.dyndns.com (216.146.39.70) 69.621 ms
$ curl --interface tun0 checkip.dyndns.org
<html><head><title>Current IP Check</title></head><body>Current IP Address: 107.178.XXX.XXX</body></html>
$ ping checkip.dyndns.org -c 4
PING checkip.dyndns.com (216.146.39.70) 56(84) bytes of data.
64 bytes from checkip-lax.dyndns.com (216.146.39.70): icmp_seq=1 ttl=55 time=158 ms
64 bytes from checkip-lax.dyndns.com (216.146.39.70): icmp_seq=2 ttl=55 time=158 ms
64 bytes from checkip-lax.dyndns.com (216.146.39.70): icmp_seq=3 ttl=55 time=154 ms
64 bytes from checkip-lax.dyndns.com (216.146.39.70): icmp_seq=4 ttl=55 time=157 ms
--- checkip.dyndns.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 154.088/157.095/158.660/1.896 ms
$ sudo traceroute www.google.com -T -p 80 -N 1 -z 0.5 -q 1
traceroute to www.google.com (74.125.192.104), 30 hops max, 60 byte packets
1 10.8.0.1 (10.8.0.1) 88.078 ms
2 ib-in-f104.1e100.net (74.125.192.104) 89.979 ms
$ sudo traceroute checkip.dyndns.org -T -p 80 -N 1 -z 0.5 -q 1
traceroute to checkip.dyndns.org (216.146.39.70), 30 hops max, 60 byte packets
1 10.8.0.1 (10.8.0.1) 104.440 ms
2 209.85.241.28 (209.85.241.28) 83.734 ms
3 209.85.241.34 (209.85.241.34) 88.708 ms
4 209.85.241.28 (209.85.241.28) 92.470 ms
5 209.85.241.28 (209.85.241.28) 92.303 ms
6 209.85.241.36 (209.85.241.36) 92.773 ms
7 209.85.241.26 (209.85.241.26) 86.136 ms
8 209.85.241.28 (209.85.241.28) 88.876 ms
9 209.85.241.34 (209.85.241.34) 94.398 ms
10 72.14.232.140 (72.14.232.140) 114.815 ms
11 209.85.254.241 (209.85.254.241) 96.758 ms
12 209.85.254.131 (209.85.254.131) 105.834 ms
13 4.68.62.153 (4.68.62.153) 99.269 ms
14 vlan52.ebr2.Chicago2.Level3.net (4.69.138.190) 157.319 ms
15 ae-14-14.ebr1.Dallas1.Level3.net (4.69.151.118) 174.413 ms
16 ae-71-71.csw2.Dallas1.Level3.net (4.69.151.137) 158.440 ms
17 ae-73-73.ebr3.Dallas1.Level3.net (4.69.151.146) 155.411 ms
18 ae-3-3.ebr2.LosAngeles1.Level3.net (4.69.132.77) 159.024 ms
19 ae-82-82.csw3.LosAngeles1.Level3.net (4.69.137.26) 162.784 ms
20 ae-3-80.edge6.LosAngeles1.Level3.net (4.69.144.142) 159.915 ms
21 DYNAMIC-NET.edge6.LosAngeles1.Level3.net (4.30.63.50) 152.451 ms
22 checkip-lax.dyndns.com (216.146.39.70) 153.189 ms
Like I said in my previous post, I can connect to the VPN without any problems.
The thing is, I can't surf the Internet properly while connected to the VPN. It seems like there is some network configuration I'm missing. That's why I was asking about the addition of some routes/firewall in my setup.
PS. Is it normal to have the same IP multiple times in different hops in the traceroute output?