# How to create a VPN server with Google Cloud

## Introduction <a href="#introduction" id="introduction"></a>

Building your own VPN server can be an empowering experience because it puts you in control of your online privacy and promotes your digital autonomy.

While it's possible to set up a VPN server on your own hardware, using a cloud platform offers certain benefits. First, it gives you access to a wide range of server locations, which can be helpful if you're looking to access content that is restricted by geographic location. Plus, cloud platforms allow you to easily adjust your server resources as needed to ensure that your VPN server always runs smoothly.

Google Cloud is another reliable cloud provider for creating virtual machines (VMs), joining the ranks of such established platforms as [AWS](https://meshnet.nordvpn.com/how-to/traffic-routing/vpn-server-with-aws), [Microsoft Azure](https://meshnet.nordvpn.com/how-to/traffic-routing/vpn-server-with-azure), and [DigitalOcean](https://meshnet.nordvpn.com/how-to/traffic-routing/set-up-your-own-vpn-server). Though Google Cloud hosting isn't entirely free, the provider does offer limited resources at no cost.

This article details setting up a VPN server using the capabilities of Google Cloud Platform (GCP) and the power of Meshnet. Meshnet provides secure connectivity and advanced traffic routing features, enabling seamless access to your VPN server from any location and device.

{% hint style="info" %}
**Note**

While setting up your own VPN server enhances your online privacy, it may not provide the same level of protection as connecting to a standard VPN server offered by NordVPN. NordVPN follows a [strict no-logs policy](https://nordvpn.com/features/strict-no-logs-policy/), which is crucial for ensuring your online activities remain confidential.
{% endhint %}

## Prerequisites <a href="#prerequisites" id="prerequisites"></a>

Before you begin, make sure you have a Google Cloud account with billing activated. As a new customer, you are eligible to receive free credits.

<details>

<summary>To sign up for Google Cloud</summary>

1. Go to the [Google Cloud](https://cloud.google.com/) page and select the **Get started for free** button.
2. Sign in with your Google Account if prompted.
3. Specify the required information, accept the terms of service, and select **Continue**.
4. Fill in your billing details and select **Start my free trial**.

</details>

## Create a VM instance on Google Cloud <a href="#create-a-vm-instance-on-google-cloud" id="create-a-vm-instance-on-google-cloud"></a>

This section will guide you through the process of setting up and launching a VM instance using the Compute Engine service offered by Google Cloud.

{% hint style="info" %}
**Note**

Although the guide focuses on setting up an Ubuntu-based VM, the steps below are applicable to other operating system (OS) images available on Compute Engine, such as Windows Server or various Linux distributions.
{% endhint %}

To get started with VM instances on Google Cloud:

1. Sign in to your Google Cloud account.
2. In the Google Cloud console, navigate to the [VM instances](https://console.cloud.google.com/compute/instances) page.
3. If necessary, activate **Compute Engine** by selecting the **Enable** button.

To configure and launch a VM instance:

1. Select **Create instance**.

2. Specify a name for your VM, adhering to the [naming convention](https://cloud.google.com/compute/docs/naming-resources#resource-name-format) for Compute Engine resources.<br>

   <figure><img src="https://3559400189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0cTezbT2vN0lurEio8Z5%2Fuploads%2FDImayJ1UYjJmBGgLGNdu%2Fgc_vm_name.png?alt=media&#x26;token=1f527682-b15e-4146-bf32-95edac76573c" alt="Entering a name for the virtual machine."><figcaption></figcaption></figure>

3. Select the appropriate region, zone, and machine configuration for your VM instance.

4. Under **Boot disk**, select **Change**, then choose an operating system for your VM, such as Ubuntu, and the latest LTS version.

5. In the **Firewall** section, select **Allow HTTPS traffic** to permit secure web connections to your VM.<br>

   <figure><img src="https://3559400189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0cTezbT2vN0lurEio8Z5%2Fuploads%2FELjEuLi8hIHurrVfYp3f%2Fgc_vm_https_allow.png?alt=media&#x26;token=7a20a7d2-6656-4e06-88ac-dfac62bb7e82" alt="Allowing HTTPS traffic through the virtual machine&#x27;s firewall."><figcaption></figcaption></figure>

6. Keep the default settings for other configurations.

7. Select **Create** to start the VM.

Your VM instance may require some time to initialize. A green check mark in the **Status** column signifies that the VM is up and running.

## Connect to your instance <a href="#connect-to-your-instance" id="connect-to-your-instance"></a>

You can now access your VM instance from the Google Cloud console by clicking [**SSH**](https://nordvpn.com/cybersecurity/glossary/secure-shell/) in the row of the instance or connecting from your local machine using an SSH client. This guide will concentrate on the latter approach.

### Generate an SSH key pair <a href="#generate-an-ssh-key-pair" id="generate-an-ssh-key-pair"></a>

To connect to the VM instance from a local machine using SSH, it is necessary to have a public-private key pair for authentication. To create a new SSH key pair:

1. Open the terminal on your local machine.
2. Enter the following command, replacing `</path/key-filename>` with the desired path and filename for the key pair and `<username>` with the username associated with your VM instance:<br>

   <pre class="language-bash" data-overflow="wrap"><code class="lang-bash">ssh-keygen -t rsa -f &#x3C;/path/key-filename> -C &#x3C;username>
   </code></pre>

   \
   **Example**

   <pre class="language-bash" data-overflow="wrap"><code class="lang-bash">ssh-keygen -t rsa -f /Users/MeshnetUser/Desktop/keys/ssh_key_meshnet -C meshnet_user
   </code></pre>

   \
   This command generates a private key (`key-filename`) and a public key (`key-filename.pub`) at the specified path.

{% hint style="info" %}
**Note**

If you are using a Windows machine, specify the custom path using the Windows format, such as `C:\path\key_filename`.
{% endhint %}

### Set permissions for the private key <a href="#set-permissions-for-the-private-key" id="set-permissions-for-the-private-key"></a>

To protect your private key, make sure that only you have read access to it by setting the appropriate permissions.

{% tabs %}
{% tab title="From Windows" %}

1. Right-click the private key.
2. Select **Properties**, choose the **Security** tab, and click **Advanced**.
3. Click **Disable inheritance** > **Convert inherited permissions into explicit permissions on this object.**
4. Back in the **Advanced security settings** window, remove access for all users except your own account by selecting a permission entry and clicking **Remove**.<br>

   <figure><img src="https://3559400189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0cTezbT2vN0lurEio8Z5%2Fuploads%2FzZ8jla6dyPkpQG7Qajsr%2Fgc_key_permissions_win.png?alt=media&#x26;token=89c448ec-da3a-423c-a95d-aa6ef198a863" alt="Removing permissions for other users."><figcaption></figcaption></figure>

{% endtab %}

{% tab title="From macOS or Linux" %}

1. Open the terminal.
2. Enter the `chmod 400` command followed by the path to the generated private key:<br>

   <pre class="language-bash" data-overflow="wrap"><code class="lang-bash">chmod 400 &#x3C;/path/private-key-filename>
   </code></pre>

   \
   **Example**

   <div align="left"><figure><img src="https://3559400189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0cTezbT2vN0lurEio8Z5%2Fuploads%2Fx3xli28mHSQhm3dXUw6r%2Fgc_key_permissions_unix.png?alt=media&#x26;token=e1031be0-9cd0-441e-b9c8-e1838483c1d4" alt="Running the &#x27;chmod 400&#x27; command in the terminal."><figcaption></figcaption></figure></div>

{% endtab %}
{% endtabs %}

### Add the public key to instance metadata <a href="#add-the-public-key-to-instance-metadata" id="add-the-public-key-to-instance-metadata"></a>

To associate the public key with your VM instance, add it to the instance metadata, as follows:

1. On your local computer, open the terminal (**PowerShell** on Windows).

2. Display the contents of the public SSH key file by entering the `cat` command followed by the path to the file.<br>

   <pre class="language-bash" data-overflow="wrap"><code class="lang-bash">cat &#x3C;/path/public-key-filename>
   </code></pre>

   \
   **Example**

   <pre class="language-bash" data-overflow="wrap"><code class="lang-bash">cat /Users/MeshnetUser/Desktop/keys/ssh_key_meshnet.pub
   </code></pre>


3. The contents of your SSH key will be displayed in the terminal. Select and copy the output.<br>

   <figure><img src="https://3559400189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0cTezbT2vN0lurEio8Z5%2Fuploads%2Fb6pSHKhk0yjMi6w7LDe8%2Fgc_key_content.png?alt=media&#x26;token=ee373fb6-bcd6-4aa1-ae40-3086db83642e" alt="Content of the SSH key displayed in the terminal window."><figcaption></figcaption></figure>

4. Navigate to the [VM instances](https://console.cloud.google.com/compute/instances) page and click the name of your VM.

5. Click **Edit** at the top of the page.<br>

   <figure><img src="https://3559400189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0cTezbT2vN0lurEio8Z5%2Fuploads%2FLAOMkxRzOT6ARdev3WIO%2Fgc_edit_instance.png?alt=media&#x26;token=3bfd77ea-6556-4a6a-bed9-059163407fce" alt="Clicking &#x27;Edit&#x27;."><figcaption></figcaption></figure>

6. Scroll down to the **Security and access** section, and under **SSH Keys**, click **Add item**.

7. Paste the public key you copied earlier into the text box and click **Save**.
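Before pasting, the key pair can be checked locally. The following added example (not part of the original guide or of Google's tooling) verifies that the private key grants nothing to group or other, as set in the permissions step, and that the public key file is a single well-formed line whose comment is the username. The function names are hypothetical, the sample key is a constructed, truncated blob, and treating the comment as a plain login name is this example's assumption.

```bash
# Added example: preflight checks for the key pair created above.
# Function names are hypothetical; the key material below is constructed.

# Succeeds only if group and other have no permission bits (e.g. 400 or 600).
check_private_key_mode() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
    perms=$(ls -ld -- "$1" | cut -c5-10)   # group+other columns of "-r--------"
    [ "$perms" = "------" ] || { echo "$1 is accessible to group/other" >&2; return 1; }
}

# Validates "<type> <base64-blob> <username>" and prints the username.
check_public_key_line() {
    pub=$1
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub holds a private key; never paste it" >&2; return 1
    fi
    [ "$(grep -c . "$pub")" = 1 ] || { echo "expected exactly one line" >&2; return 1; }
    read -r ktype blob user < "$pub" || [ -n "$ktype" ] || return 1
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp*) ;;
        *) echo "unexpected key type: $ktype" >&2; return 1 ;;
    esac
    # Assumption of this example: the comment is exactly the login name (-C <username>).
    case $user in
        ''|*[!a-z0-9_-]*|[!a-z_]*) echo "comment is not a plain username" >&2; return 1 ;;
    esac
    # The blob starts with a 4-byte big-endian length followed by the algorithm name.
    hdr=$(printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -tu1 -N4)
    set -- $hdr
    [ $# -eq 4 ] || { echo "blob is not valid base64" >&2; return 1; }
    len=$(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
    [ "$len" -le 64 ] || { echo "implausible algorithm-name length" >&2; return 1; }
    inner=$(printf '%s' "$blob" | base64 -d 2>/dev/null | tail -c +5 | head -c "$len")
    [ "$inner" = "$ktype" ] || { echo "blob is '$inner' but line says '$ktype'" >&2; return 1; }
    printf '%s\n' "$user"
}

# Constructed sample: a truncated ssh-rsa blob (header and exponent only, not a usable key).
demo() {
    d=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB meshnet_user\n' > "$d/key.pub"
    : > "$d/key" && chmod 400 "$d/key"
    check_private_key_mode "$d/key" && check_public_key_line "$d/key.pub"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
demo
```

The blob check covers only the algorithm header, so it catches a mangled or mislabeled paste but does not prove the key is complete.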

### Access the VM via SSH <a href="#access-the-vm-via-ssh" id="access-the-vm-via-ssh"></a>

{% hint style="info" %}
**Note**

By default, Compute Engine VMs created from public images do not permit root login with a password over SSH.
{% endhint %}

To establish an SSH connection to your VM instance:

1. Locate the external IP address of your VM instance on the **VM instances** page of the Google Cloud console.

   <figure><img src="https://3559400189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0cTezbT2vN0lurEio8Z5%2Fuploads%2FufFn7Jp6FnhqtMhjNxHZ%2Fgc_external_ip.png?alt=media&#x26;token=531681b1-31d6-471b-a24f-224932c51e5c" alt="External IP address of the Google Cloud instance."><figcaption></figcaption></figure>

2. Open the terminal on your local machine.

3. Enter the command below, replacing the placeholders with the appropriate values for your VM instance, where:
   * `</path/private-key-file>` is the path to your private SSH key file.
   * `<username>` is the username you specified when generating the key pair.
   * `<external-ip-address>` is the external IP address of your VM instance.<br>

     <pre class="language-bash" data-overflow="wrap"><code class="lang-bash">ssh -i &#x3C;/path/private-key-file> &#x3C;username>@&#x3C;external-ip-address>
     </code></pre>


     **Example**

     <pre class="language-bash" data-overflow="wrap"><code class="lang-bash">ssh -i /Users/MeshnetUser/Desktop/keys/ssh_key_meshnet meshnet_user@34.29.223.197
     </code></pre>


4. When establishing a connection to the server for the first time, the SSH client asks you to review and confirm the host key's fingerprint. To proceed with the connection, type `yes` in response to the prompt.

You should now be successfully connected to your VM instance.

## Install NordVPN on the instance <a href="#install-nordvpn-on-the-instance" id="install-nordvpn-on-the-instance"></a>

To set up NordVPN on your instance, follow these steps:

1. Download and install the NordVPN Linux client by entering this command in the instance terminal:<br>

   <pre class="language-bash" data-overflow="wrap"><code class="lang-bash">sh &#x3C;(wget -qO - https://downloads.nordcdn.com/apps/linux/install.sh)
   </code></pre>

2. Log in to your NordVPN account.
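The one-line form in step 1 runs the script straight from the download without leaving a copy to review. As an added example (not NordVPN's own code), the same installer can be staged in a file and vetted first; `vet_script` is a hypothetical helper, and the shebang check and digest pin are assumptions of this example.

```bash
# Added example: stage the installer in a file and vet it before running it.
# vet_script and the digest-pin workflow are hypothetical, not NordVPN tooling.

# Prints the SHA-256 of a staged script; fails if the file looks wrong.
# Optional $2 is a digest recorded from an earlier, reviewed download.
vet_script() {
    f=$1; pin=${2:-}
    [ -s "$f" ] || { echo "empty or missing download" >&2; return 1; }
    # An error page saved in place of the script will not start with a shebang.
    head -n 1 "$f" | grep -q '^#!' || { echo "not a script" >&2; return 1; }
    # Parse without executing; catches a download cut off inside a construct
    # (a cut exactly at a statement boundary still parses, hence the pin).
    sh -n "$f" 2>/dev/null || { echo "does not parse as shell" >&2; return 1; }
    sum=$(sha256sum "$f" | cut -d' ' -f1)
    if [ -n "$pin" ] && [ "$sum" != "$pin" ]; then
        echo "digest differs from the reviewed copy" >&2; return 1
    fi
    printf '%s\n' "$sum"
}

# Intended use on the instance (needs network, so it is not run here):
#   f=$(mktemp) && wget -qO "$f" https://downloads.nordcdn.com/apps/linux/install.sh
#   vet_script "$f" && less "$f"     # read it, then:
#   sh "$f"

# Constructed stand-ins for a complete and a truncated download.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\nif true; then\n  echo installing\nfi\n' > "$d/full.sh"
    printf '#!/bin/sh\nif true; then\n  echo instal' > "$d/cut.sh"
    vet_script "$d/full.sh" >/dev/null && echo "full.sh: ok"
    vet_script "$d/cut.sh" 2>/dev/null || echo "cut.sh: rejected"
    rm -rf "$d"
}
demo
```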

### Log in to NordVPN <a href="#log-in-to-nordvpn" id="log-in-to-nordvpn"></a>

You can log in to your NordVPN account without the use of a graphical user interface (GUI) in two ways:

* By running the `nordvpn login` command with the `--token` flag
* By running the `nordvpn login` command with the `--callback` flag

Instructions for both methods are outlined below.

<details>

<summary>Log in using a token</summary>

1. On any device, log in to your [Nord Account](https://my.ndaccount.com/) dashboard and select the **Meshnet (by NordVPN)** card.<br>

   <div align="left"><figure><img src="https://3559400189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0cTezbT2vN0lurEio8Z5%2Fuploads%2FxpqHfJyxPLb25uHSZ74I%2Fucp_meshnet_card.png?alt=media&#x26;token=c9bc9798-bc96-4dfc-8ac7-8a3cf1b4538a" alt="&#x22;Meshnet (by NordVPN)&#x22; card highlighted."><figcaption></figcaption></figure></div>

2. Under **Advanced settings**, select **Get access token**.<br>

   <div align="left"><figure><img src="https://3559400189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0cTezbT2vN0lurEio8Z5%2Fuploads%2FJn3YfCSN2rokFjnMJAzS%2Fucp_get_token.png?alt=media&#x26;token=9f657403-0eff-47af-8da3-4a4837db5d4b" alt="Clicking the &#x27;Set up NordVPN manually&#x27; button."><figcaption></figcaption></figure></div>

3. Enter the verification code sent to your email address.

4. Under **Access token**, click **Generate new token**.<br>

   <div align="left"><figure><img src="https://3559400189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0cTezbT2vN0lurEio8Z5%2Fuploads%2F2rdjIz6B8KD69EpvERV2%2Fucp_generate_token.png?alt=media&#x26;token=ca21fa64-1669-4786-945f-d2af2fec5cdb" alt="Clicking &#x27;Generate new token&#x27;."><figcaption></figcaption></figure></div>

5. In the dialog that appears, choose either a token that expires in 30 days or one that never expires, and then select **Generate token**.<br>

   <div align="left"><figure><img src="https://3559400189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0cTezbT2vN0lurEio8Z5%2Fuploads%2FM44Zi3LCVbbovfM5sCra%2Fucp_generate_new.png?alt=media&#x26;token=c06d9740-1a21-4acd-8246-fc81208576bb" alt="Selecting the token expiry option." width="563"><figcaption></figcaption></figure></div>

6. Select **Copy and close**.

7. On your VM, enter the `nordvpn login --token` command along with the copied token:<br>

   ```bash
   nordvpn login --token <your_token>
   ```

   \
   **Example**

   <pre class="language-bash" data-overflow="wrap"><code class="lang-bash">nordvpn login --token 3fe460cefb8dcf1478c92e45908cec9f9bdbadf7a456a6dfb35dc2c58ee39d5b
   </code></pre>

You should now see a welcome message.

</details>

<details>

<summary>Log in using a URL</summary>

1. Run the following command:<br>

   ```bash
   nordvpn login
   ```

2. Open the provided link on any device in your browser.

3. Complete the login procedure.

4. Right-click the **Continue** button and select **Copy link address**.

5. Run the following command, replacing `<URL>` with the previously copied link address:<br>

   ```bash
   nordvpn login --callback "<URL>"
   ```

   \
   **Example**

   <pre class="language-bash" data-overflow="wrap"><code class="lang-bash">nordvpn login --callback "nordvpn://login?action=login&#x26;exchange_token=MGFlY2E1NmE4YjM2NDM4NjUzN2VjOWIzYWM3ZTU3ZDliNDdiNzRjZTMwMjE5YjkzZTNhNTI3ZWZlOTIwMGJlOQ%3D%3D&#x26;status=done"
   </code></pre>

You should now see a welcome message.

</details>

{% hint style="success" %}
**Tip**

To preserve your token when logging out of the NordVPN app, use the `nordvpn logout --persist-token` command. Otherwise, your token will be revoked.
{% endhint %}

{% hint style="info" %}
**Note**

If you encounter the error message “Whoops! Permission denied accessing /run/nordvpn/nordvpnd.sock,” enter `sudo usermod -aG nordvpn $USER`. Then, reboot your instance and log back in.
{% endhint %}

## Enable Meshnet <a href="#enable-meshnet" id="enable-meshnet"></a>

On your instance, [enable Meshnet](https://meshnet.nordvpn.com/getting-started/how-to-start-using-meshnet/using-meshnet-on-linux) by typing this command:

{% code overflow="wrap" %}

```bash
nordvpn set meshnet on
```

{% endcode %}

To view the Nord name and Meshnet IP address of your instance, enter the following command:

{% code overflow="wrap" %}

```bash
nordvpn meshnet peer list
```

{% endcode %}

Additionally, you will see all the devices connected to your network. Depending on the [permissions](https://meshnet.nordvpn.com/features/explaining-permissions/traffic-routing-permissions) granted to each device, they will have access to this server via Meshnet.

### Grant the traffic routing permission

To begin using the VPN server, you need to grant the traffic routing permission for each peer device that you want to have access to the server. Enable this permission from the server machine using the following command:

{% code overflow="wrap" %}

```bash
nordvpn meshnet peer routing allow <device>
```

{% endcode %}

**Example**

{% code overflow="wrap" %}

```bash
nordvpn meshnet peer routing allow secret.raccoon-everest.nord
```

{% endcode %}

For more information, see the [Traffic routing permissions](https://meshnet.nordvpn.com/features/explaining-permissions/traffic-routing-permissions#changing-permissions) page.

## Route traffic through your server <a href="#route-traffic-through-your-server" id="route-traffic-through-your-server"></a>

To begin using your instance as a VPN server, you need to route traffic from a client device through the instance. Follow these steps:

1. On your client device, open **NordVPN** and log in to your account.
2. Start routing traffic through the linked host device you set up.\
   \
   **Example**

   <div align="left"><figure><picture><source srcset="https://3559400189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0cTezbT2vN0lurEio8Z5%2Fuploads%2FvmAmC9a83uH4uZuXDN8l%2Fwin_route_example_dark.png?alt=media&#x26;token=de1ac2af-b0a1-4209-8235-a342f6da08d1" media="(prefers-color-scheme: dark)"><img src="https://3559400189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0cTezbT2vN0lurEio8Z5%2Fuploads%2FiZP58xTDFMJXiqV11aNQ%2Fwin_route_example.png?alt=media&#x26;token=4b843885-6558-49f5-958e-698765a6250c" alt="Selecting a traffic routing host device under the &#x22;Devices&#x22; tab." width="348"></picture><figcaption></figcaption></figure></div>

   For detailed guidance on enabling traffic routing, refer to [Routing traffic in Meshnet](https://meshnet.nordvpn.com/features/routing-traffic-in-meshnet#see-also).

[Your device's IP address](https://nordvpn.com/what-is-my-ip/) should now match the public IP address of your instance. This way, your real IP address stays hidden from the websites you visit, which detect the location of your VPN server instead of your actual device.
