How to create a personal VPN Server on Google Cloud Platform (GCP) with libreswan using the free tier Compute Engine.
Both Android 11 or higher and iOS 4.0+ devices can connect to IKEv2/IPSec VPN servers with their native VPN clients.
Follow the instructions at https://cloud.google.com/sdk/docs/install to install the gcloud CLI, then run the following commands to initialize it and install the required components.
gcloud init
gcloud components install beta
Follow the instructions at https://learn.hashicorp.com/tutorials/terraform/install-cli?in=terraform/gcp-get-started to install Terraform.
Before creating your first VM instance, you need to link a billing account to the GCP project you will use to host your VPN server and enable the compute.googleapis.com service.
A default project and billing account are provisioned when you create a free trial GCP account.
Use the following PowerShell commands to get your default project and billing account details, and link them. Replace the filter parameters with the names of your project and billing account.
gcloud projects list
$projectID = gcloud projects list `
--filter="name:'My First Project'" `
--format="value(projectId)"
gcloud beta billing accounts list
$billingAccount = gcloud beta billing accounts list `
--filter="displayName:'My Billing Account'" `
--format="value(name)"
gcloud beta billing projects link $projectID `
--billing-account=$billingAccount
gcloud config set project $projectID
gcloud services enable compute.googleapis.com
GCP doesn't have a feature to create a public DNS name for virtual machines and Google Cloud Free Tier does not include external IP addresses. We will use a Dynamic DNS name to provide a convenient way to access the VPN server.
There are a few free Dynamic DNS service providers available, such as No-IP.com. If you own a domain name, it is possible that your registrar provides this service (for example, Google Domains).
The installation script configures the ddclient package to update the dynamic DNS entry using the dyndns2 protocol. If you select a provider that doesn't support this protocol, you will need to adapt the startup script (install.sh).
The VM will be created and configured by Terraform. The main.tf configuration file requires the following parameters:
- project: Google Cloud Platform project ID
- zone: free VMs are available in the following zones:
  - us-west1-a
  - us-west1-b
  - us-west1-c
  - us-central1-a
  - us-central1-b
  - us-central1-c
  - us-central1-f
  - us-east1-b
  - us-east1-c
  - us-east1-d
- instance_name: Compute Engine VM instance name
- ipsec_identifier: IPSec identifier
- hostname: Dynamic DNS hostname
- dyndns.server: Dynamic DNS update server
  - No-IP.com: dynupdate.no-ip.com
  - Google Domains: domains.google.com
- dyndns.user: Dynamic DNS service user name
- dyndns.password: Dynamic DNS service password
Create a file with name terraform.tfvars with those parameters using the following format:
project = "<GCP project ID>"
zone = "<GCP zone>"
instance_name = "<Compute Engine VM instance name>"
ipsec_identifier = "<IPSec Identifier>"
hostname = "<hostname>"
dyndns = {
server = "<Dynamic DNS update server>"
user = "<Dynamic DNS user name>"
password = "<Dynamic DNS password>"
}
Execute the following commands to create the VPN server:
gcloud auth application-default login
terraform init
terraform plan
terraform apply
Terraform will output the information required to configure the VPN client.
Execute the following command to open an SSH session to your VM and check that the installation succeeded.
gcloud compute ssh <instance name> --zone=<zone>
The Terraform output contains the values used below: the server address, the IPSec identifier, and the pre-shared key.
Use the following values to configure the Android VPN client:
- Type: IKEv2/IPSec PSK
- Server address: server_address
- IPSec identifier: ipsec_identifier
- IPSec pre-shared key: ipsec_pre_shared_key
Use the following values to configure the iOS VPN client:
- Type: IKEv2
- Server: server_address
- Remote ID: server_address
- Local ID: ipsec_identifier
- User Authentication: None
- Use Certificate: off
- Secret: ipsec_pre_shared_key
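The client values above only work if the server's libreswan connection uses the same identities and secret. The following is an added example written for this page, not the configuration produced by the repository's install.sh; it assumes the file paths shown, the placeholder hostname vpn.example.net as the Dynamic DNS name (server_address), my-vpn-id as ipsec_identifier, and a private address pool for clients.

```ini
# Assumed path: /etc/ipsec.d/ikev2-psk.conf
# (libreswan includes /etc/ipsec.d/*.conf from its default ipsec.conf).
conn ikev2-psk
    # Use IKEv2 only; this is what the native Android 11+ and iOS clients speak.
    ikev2=yes
    # Pre-shared key authentication (the "IKEv2/IPSec PSK" type on Android).
    authby=secret
    # Server side: listen on the interface holding the default route and
    # identify as the Dynamic DNS hostname. This FQDN must equal the iOS
    # "Remote ID" and the Android "Server address" (server_address).
    left=%defaultroute
    leftid=@vpn.example.net
    # Route all client traffic through the VPN.
    leftsubnet=0.0.0.0/0
    # Client side: any source address (mobile clients sit behind NAT), but the
    # client must present this identifier: Android "IPSec identifier", iOS
    # "Local ID" (ipsec_identifier). Only the PSK bound to this ID is accepted.
    right=%any
    rightid=@my-vpn-id
    # Assumed private pool and DNS server handed to clients via IKEv2 config payload.
    rightaddresspool=10.10.10.10-10.10.10.250
    modecfgdns=8.8.8.8
    # Roadwarrior settings: let clients narrow the traffic selectors, always
    # encapsulate ESP in UDP 4500 (GCP NATs the VM's external address), and
    # allow IKE fragmentation for the larger PSK/config exchanges.
    narrowing=yes
    encapsulation=yes
    fragmentation=yes
    rekey=no
    # Load the connection at startup and wait for clients to initiate.
    auto=add

# Assumed path: /etc/ipsec.d/ikev2-psk.secrets
# The PSK is bound to the two identities above, so a peer presenting another
# identifier cannot authenticate with it. Replace the placeholder with the
# ipsec_pre_shared_key value from the Terraform output; keep the file mode 0600.
@vpn.example.net @my-vpn-id : PSK "<ipsec_pre_shared_key>"
```

After editing, `ipsec verify` reports configuration problems and `ipsec status` shows whether the ikev2-psk connection was loaded; a client that is rejected with an authentication error almost always has a Remote ID / Local ID that does not match leftid / rightid.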