How to create a VPN server with Google Cloud
Learn how to build your own VPN server with Google Cloud and Meshnet.
Introduction
Building your own VPN server can be an empowering experience because it puts you in control of your online privacy and promotes your digital autonomy.
While it's possible to set up a VPN server on your own hardware, using a cloud platform offers certain benefits. First, it gives you access to a wide range of server locations, which can be helpful if you're looking to access content that is restricted by geographic location. Plus, cloud platforms allow you to easily adjust your server resources as needed to ensure that your VPN server always runs smoothly.
Google Cloud is another reliable cloud provider for creating virtual machines (VM), joining the ranks of such established platforms as AWS, Microsoft Azure, and Digital Ocean. Though Google Cloud hosting isn't entirely free, the provider does offer limited resources at no cost.
The article details setting up a VPN server using the capabilities of GCP and the power of Meshnet. Meshnet provides secure connectivity and advanced traffic routing features, enabling seamless access to your VPN server from any location and device.
Note
While setting up your own VPN server enhances your online privacy, it may not provide the same level of protection as connecting to a standard VPN server offered by NordVPN. NordVPN follows a strict no-logs policy, which is crucial for ensuring your online activities remain confidential.
Prerequisites
Before you begin, make sure you have a Google Cloud account with billing activated. As a new customer, you are eligible to receive free credits.
Create a VM instance on Google Cloud
This section will guide you through the process of setting up and launching a VM instance using the Compute Engine service offered by Google Cloud.
Note
Although the guide focuses on setting up an Ubuntu-based VM, the steps below are applicable to other operating system (OS) images available on Compute Engine, such as Windows Server or various Linux distributions.
To get started with VM instances on Google Cloud:
Sign in to your Google Cloud account.
In the Google Cloud console, navigate to the VM instances page.
If necessary, activate Compute Engine by selecting the Enable button.
To configure and launch a VM instance:
Select Create instance.
Specify a name for your VM, adhering to the naming convention for Compute Engine resources.
Select the appropriate region, zone, and machine configuration for your VM instance.
Under Boot disk, select Change, then choose an operating system for your VM, such as Ubuntu, and the latest LTS version.
In the Firewall section, select Allow HTTPS traffic to permit secure web connections to your VM.
Keep the default settings for other configurations.
Select Create to start the VM.
Your VM instance may require some time to initialize. A green check mark in the Status column signifies that the VM is up and running.
Connect to your instance
You can now access your VM instance from the Google Cloud console by clicking SSH in the row of the instance or connecting from your local machine using an SSH client. This guide will concentrate on the latter approach.
Generate an SSH key pair
To connect to the VM instance from a local machine using SSH, it is necessary to have a public-private key pair for authentication. To create a new SSH key pair:
Open the terminal on your local machine.
Enter the following command, replacing
</path/key-filename>
with the desired path and filename for the key pair and<username>
with the username associated with your VM instance:Example
This command generates a private key (
key-filename
) and a public key (key-filename.pub
) at the specified path.
Note
If you are using a Windows machine, specify the custom path using the Windows format, such as C:\path\key_filename
.
Set permissions for the private key
To protect your private key, make sure that only you have read access to it by setting the appropriate permissions.
Right-click the private key.
Select Properties, choose the Security tab, and click Advanced.
Click Disable inheritance > Convert inherited permissions into explicit permission on this object.
Back in the Advanced security settings window, remove access for all users except your own account by selecting a permission entry and clicking Remove.
Add the public key to instance metadata
To associate the public key with your VM instance, add it to the instance metadata, as follows:
On your local computer, open the terminal (PowerShell on Windows).
Display the contents of the public SSH key file by entering the
cat
command followed by the path to the file.Example
The contents of your SSH key will be displayed in the terminal. Select and copy the output.
Navigate to the VM instances page and click the name of your VM.
Click Edit at the top of the page.
Scroll down to the Security and access section, and under SSH Keys, click Add item.
Paste the public key you copied earlier into the text box and click Save.
Access the VM via SSH
Note
By default, Compute Engine VMs created from public images do not permit root login with a password over SSH.
To establish an SSH connection to your VM instance:
Locate the external IP address of your VM instance on the VM instances page of the Google Cloud console.
Open the terminal on your local machine.
Enter the command below, replacing the placeholders with the appropriate values for your VM instance, where:
</path/private-key-file>
is the path to your private SSH key file.<username>
is the username you specified when generating the key pair.<external-ip-address>
is the external IP address of your VM instance.Example
When establishing a connection to the server for the first time, the SSH client asks you to review and confirm the host key's fingerprint. To proceed with the connection, type
yes
in response to the prompt.
You should now be successfully connected to your VM instance.
Install NordVPN on the instance
To set up NordVPN on your instance, follow these steps:
Download and install the NordVPN Linux client by entering this command in the instance terminal:
Log in to your NordVPN account.
Log in to NordVPN
You can log in to your NordVPN account without the use of a graphical user interface (GUI) in two ways:
By running the
nordvpn login
command with the--token
flagBy running the
nordvpn login
command with the--callback
flag
Instructions for both methods are outlined below.
Tip
To preserve your token when logging out of the NordVPN app, use the nordvpn logout --persist-token
command. Otherwise, your token will be revoked.
Note
If you encounter the error message “Whoops! Permission denied accessing /run/nordvpn/nordvpnd.sock,” enter sudo usermod -aG nordvpn $USER
. Then, reboot your instance and log back in.
Enable Meshnet
On your instance, enable Meshnet by typing this command:
To view the Nord name and Meshnet IP address of your instance, enter the following command.
Additionally, you will see all the devices connected to your network. Depending on the permissions granted to each device, they will have access to this server via Meshnet.
Grant the traffic routing permission
To begin using the VPN server, you need to grant the traffic routing permission for each peer device that you want to have access to the server. Enable this permission from the server machine using the following command:
Example
For more information, see the Traffic routing permissions page.
Route traffic through your server
To begin using your instance as a VPN server, you need to route traffic from a client device through the instance. Follow these steps:
On your client device, open NordVPN and log in to your account.
Start routing traffic through the linked host device you set up. Example
For detailed guidance on enabling traffic routing, refer to Routing traffic in Meshnet.
Your device's IP address should now match the public IP address of your instance. This way, your real IP address remains secure, and the websites you visit will detect the location of your VPN server instead of your actual device.
Last updated