How to create a VPN server with Google Cloud

Learn how to build your own VPN server with Google Cloud and Meshnet.

Introduction

Building your own VPN server can be an empowering experience because it puts you in control of your online privacy and promotes your digital autonomy.

While it's possible to set up a VPN server on your own hardware, using a cloud platform offers certain benefits. First, it gives you access to a wide range of server locations, which can be helpful if you're looking to access content that is restricted by geographic location. Plus, cloud platforms allow you to easily adjust your server resources as needed to ensure that your VPN server always runs smoothly.

Google Cloud is another reliable cloud provider for creating virtual machines (VM), joining the ranks of such established platforms as AWS, Microsoft Azure, and Digital Ocean. Though Google Cloud hosting isn't entirely free, the provider does offer limited resources at no cost.

The article details setting up a VPN server using the capabilities of GCP and the power of Meshnet. Meshnet provides secure connectivity and advanced traffic routing features, enabling seamless access to your VPN server from any location and device.

Note

While setting up your own VPN server enhances your online privacy, it may not provide the same level of protection as connecting to a standard VPN server offered by NordVPN. NordVPN follows a strict no-logs policy, which is crucial for ensuring your online activities remain confidential.

Prerequisites

Before you begin, make sure you have a Google Cloud account with billing activated. As a new customer, you are eligible to receive free credits.

To sign up for Google Cloud
  1. Go to the Google Cloud page and select the Get started for free button.

  2. Sign in with your Google Account if prompted.

  3. Specify the required information, accept the terms of service, and select Continue.

  4. Fill in your billing details and select Start my free trial.

Create a VM instance on Google Cloud

This section will guide you through the process of setting up and launching a VM instance using the Compute Engine service offered by Google Cloud.

Note

Although the guide focuses on setting up an Ubuntu-based VM, the steps below are applicable to other operating system (OS) images available on Compute Engine, such as Windows Server or various Linux distributions.

To get started with VM instances on Google Cloud:

  1. Sign in to your Google Cloud account.

  2. In the Google Cloud console, navigate to the VM instances page.

  3. If necessary, activate Compute Engine by selecting the Enable button.

To configure and launch a VM instance:

  1. Select Create instance.

  2. Specify a name for your VM, adhering to the naming convention for Compute Engine resources.

  3. Select the appropriate region, zone, and machine configuration for your VM instance.

  4. Under Boot disk, select Change, then choose an operating system for your VM, such as Ubuntu, and the latest LTS version.

  5. In the Firewall section, select Allow HTTPS traffic to permit secure web connections to your VM.

  6. Keep the default settings for other configurations.

  7. Select Create to start the VM.

Your VM instance may require some time to initialize. A green check mark in the Status column signifies that the VM is up and running.

Connect to your instance

You can now access your VM instance from the Google Cloud console by clicking SSH in the row of the instance or connecting from your local machine using an SSH client. This guide will concentrate on the latter approach.

Generate an SSH key pair

To connect to the VM instance from a local machine using SSH, it is necessary to have a public-private key pair for authentication. To create a new SSH key pair:

  1. Open the terminal on your local machine.

  2. Enter the following command, replacing </path/key-filename> with the desired path and filename for the key pair and <username> with the username associated with your VM instance:

    ssh-keygen -t rsa -f </path/key-filename> -C <username>

    Example

    ssh-keygen -t rsa -f /Users/MeshnetUser/Desktop/keys/ssh_key_meshnet -C meshnet_user

    This command generates a private key (key-filename) and a public key (key-filename.pub) at the specified path.

Note

If you are using a Windows machine, specify the custom path using the Windows format, such as C:\path\key_filename.

Set permissions for the private key

To protect your private key, make sure that only you have read access to it by setting the appropriate permissions.

  1. Right-click the private key.

  2. Select Properties, choose the Security tab, and click Advanced.

  3. Click Disable inheritance > Convert inherited permissions into explicit permission on this object.

  4. Back in the Advanced security settings window, remove access for all users except your own account by selecting a permission entry and clicking Remove.

Add the public key to instance metadata

To associate the public key with your VM instance, add it to the instance metadata, as follows:

  1. On your local computer, open the terminal (PowerShell on Windows).

  2. Display the contents of the public SSH key file by entering the cat command followed by the path to the file.

    cat </path/public-key-filename>

    Example

    cat /Users/MeshnetUser/Desktop/keys/ssh_key_meshnet.pub

  3. The contents of your SSH key will be displayed in the terminal. Select and copy the output.

  4. Navigate to the VM instances page and click the name of your VM.

  5. Click Edit at the top of the page.

  6. Scroll down to the Security and access section, and under SSH Keys, click Add item.

  7. Paste the public key you copied earlier into the text box and click Save.

Access the VM via SSH

Note

By default, Compute Engine VMs created from public images do not permit root login with a password over SSH.

To establish an SSH connection to your VM instance:

  1. Locate the external IP address of your VM instance on the VM instances page of the Google Cloud console.

  2. Open the terminal on your local machine.

  3. Enter the command below, replacing the placeholders with the appropriate values for your VM instance, where:

    • </path/private-key-file> is the path to your private SSH key file.

    • <username> is the username you specified when generating the key pair.

    • <external-ip-address> is the external IP address of your VM instance.

      ssh -i </path/private-key-file> <username>@<external-ip-address>

      Example

      ssh -i /Users/MeshnetUser/Desktop/keys/ssh_key_meshnet meshnet_user@34.29.223.197

  4. When establishing a connection to the server for the first time, the SSH client asks you to review and confirm the host key's fingerprint. To proceed with the connection, type yes in response to the prompt.

You should now be successfully connected to your VM instance.

Install NordVPN on the instance

To set up NordVPN on your instance, follow these steps:

  1. Download and install the NordVPN Linux client by entering this command in the instance terminal:

    sh <(wget -qO - https://downloads.nordcdn.com/apps/linux/install.sh)

  2. Log in to your NordVPN account.

Log in to NordVPN

You can log in to your NordVPN account without the use of a graphical user interface (GUI) in two ways:

  • By running the nordvpn login command with the --token flag

  • By running the nordvpn login command with the --callback flag

Instructions for both methods are outlined below.

Log in using a token
  1. On any device, log in to your Nord Account dashboard and select the Meshnet (by NordVPN) card.

  2. Under Manual setup, select Set up NordVPN manually.

  3. Enter the verification code sent to your email address.

  4. Under Access token, click Generate new token.

  5. In the dialog that appears, choose either a token that expires in 30 days or one that never expires, and then select Generate token.

  6. Select Copy and close.

  7. On your VM, enter the nordvpn login --token command along with the copied token:

    nordvpn login --token <your_token>

    Example

    nordvpn login --token 3fe460cefb8dcf1478c92e45908cec9f9bdbadf7a456a6dfb35dc2c58ee39d5b

You should now see a welcome message.

Log in using a URL
  1. Run the following command:

    nordvpn login

  2. Open the provided link on any device in your browser.

  3. Complete the login procedure.

  4. Right-click the Continue button and select Copy link address.

  5. Run the following command, replacing <URL> with the previously copied link address:

    nordvpn login --callback "<URL>"

    Example

    nordvpn login --callback "nordvpn://login?action=login&exchange_token=MGFlY2E1NmE4YjM2NDM4NjUzN2VjOWIzYWM3ZTU3ZDliNDdiNzRjZTMwMjE5YjkzZTNhNTI3ZWZlOTIwMGJlOQ%3D%3D&status=done"

You should now see a welcome message.

Tip

To preserve your token when logging out of the NordVPN app, use the nordvpn logout --persist-token command. Otherwise, your token will be revoked.

Note

If you encounter the error message “Whoops! Permission denied accessing /run/nordvpn/nordvpnd.sock,” enter sudo usermod -aG nordvpn $USER. Then, reboot your instance and log back in.

Enable Meshnet

On your instance, enable Meshnet by typing this command:

nordvpn set meshnet on

To view the Nord name and Meshnet IP address of your instance, enter the following command.

nordvpn meshnet peer list

Additionally, you will see all the devices connected to your network. Depending on the permissions granted to each device, they will have access to this server via Meshnet.

Grant the traffic routing permission

To begin using the VPN server, you need to grant the traffic routing permission for each peer device that you want to have access to the server. Enable this permission from the server machine using the following command:

nordvpn meshnet peer routing allow <device>

Example

nordvpn meshnet peer routing allow secret.raccoon-everest.nord

For more information, see the Traffic routing permissions page.

Route traffic through your server

To begin using your instance as a VPN server, you need to route traffic from a client device through the instance. Follow these steps:

  1. On your client device, open NordVPN and log in to your account.

  2. Start routing traffic through the linked host device you set up. Example

    For detailed guidance on enabling traffic routing, refer to Routing traffic in Meshnet.

Your device's IP address should now match the public IP address of your instance. This way, your real IP address remains secure, and the websites you visit will detect the location of your VPN server instead of your actual device.

Last updated

© 2024 Nord Security. All Rights Reserved.