OpenVPN + iptables: Limit Access To Your Internal Services on Google Cloud Platform

IMPORTANT

This article does not cover GCE instance creation or the OpenVPN installation steps; there are plenty of guides for those on the Internet.
Just make sure you enable IP Forwarding during instance creation, otherwise your VPN will not be able to route traffic to your internal network.

Why VPN?

Now that cloud computing services are so widely used, people often feel they no longer need a VPN: all of your cloud services share the same internal network, and you can create your own private subnets in a few mouse clicks. But what if you want to restrict public access to your internal resources and allow only your team members to reach them? Several solutions come to mind: a cloud firewall, an SSH proxy (usually called a bastion host), or a web proxy (say, NGINX). All valid, but there are always staff members who work remotely, especially developers, and most likely they don't have a static IP address, so a firewall or proxy rule based on the source address won't work for everyone. Below is an example of such a situation.

The Issue

Cloud provider: GCP
Tech stack: Linux and Windows VM instances running different web applications
Tasks: restrict access to internal services from the Internet
Peculiarities:

  • some web applications should only be available to certain developers, Linux developers should not have RDP access
  • dev contractors don’t have static IPs
  • staff members have different kinds of OSs: Windows, Mac, Linux

Solution:

  • the fact that we have to deal with dynamic IPs, and that the internal servers have to be reached in different ways (web, RDP, NFS), makes a firewall or proxy complicated to maintain; the easy-to-manage and easy-to-use option is therefore a VPN
  • all of the most popular operating systems will be in use, so we need a reliable piece of software that works on every one of them, and my choice was OpenVPN

Implementing Solution

By this point you should already have an OpenVPN server. Just make sure you enabled ‘IP Forwarding’ when creating the GCE instance that hosts it.

  1. Configure your server: /etc/openvpn/server.conf

  2. Generate OpenVPN configs for your users
  3. Assign static IPs from the IP pool to your users: /etc/openvpn/ipp.txt

    Each user should have a /30 subnet. Use ‘ipcalc’ to calculate the next available IP and gateway.

    Our HostMin is 10.8.0.5; this will be the user's local endpoint, while 10.8.0.6 will be the remote endpoint.

  4. Add an ifconfig-push line for each of your users: /etc/openvpn/ccd/userone

  5. Script for managing iptables rules: /etc/openvpn/iptables.sh
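The /30 allocation and ifconfig-push lines described above, together with a per-user iptables FORWARD policy, as an added example; this is not the article's own iptables.sh. It assumes ‘server 10.8.0.0 255.255.255.0’ in server.conf (default net30 topology) and the GCP default VPC subnet 10.128.0.0/20 as the destination network.

```python
# Added example, not the article's own scripts: allocate net30 client pairs
# from the OpenVPN pool, emit the ccd/ipp lines, and build a per-user
# iptables FORWARD policy so that web-only developers cannot reach RDP.
import ipaddress

# Assumed 'server 10.8.0.0 255.255.255.0' in server.conf (default net30 topology).
POOL = ipaddress.ip_network("10.8.0.0/24")
# Assumed GCP default VPC subnet holding the internal services.
INTERNAL_NET = "10.128.0.0/20"
RDP_PORT = 3389

def net30_pair(index):
    """(client_ip, server_ip) for the index-th /30 of the pool.
    Subnet 0 (10.8.0.0/30) belongs to the server, so client 1 gets 10.8.0.4/30:
    HostMin .5 is the user's local endpoint, HostMax .6 the remote endpoint."""
    subnets = list(POOL.subnets(new_prefix=30))
    if not 1 <= index < len(subnets):
        raise ValueError("index reserved for the server or pool exhausted")
    base = subnets[index].network_address
    return str(base + 1), str(base + 2)

def ccd_line(index):
    """Line for /etc/openvpn/ccd/<user>: pins the user to its /30."""
    client, server = net30_pair(index)
    return f"ifconfig-push {client} {server}"

def ipp_line(user, index):
    """Line for /etc/openvpn/ipp.txt: common name, client address."""
    return f"{user},{net30_pair(index)[0]}"

def forward_rules(index, allowed_tcp_ports):
    """Per-user rules: forward only the listed TCP ports from this client to
    the internal subnet and drop the rest. Return traffic is assumed to be
    accepted by a generic ESTABLISHED,RELATED rule earlier in the chain."""
    client, _ = net30_pair(index)
    rules = [
        f"iptables -A FORWARD -s {client} -d {INTERNAL_NET} -p tcp --dport {p} -j ACCEPT"
        for p in allowed_tcp_ports
    ]
    rules.append(f"iptables -A FORWARD -s {client} -d {INTERNAL_NET} -j DROP")
    return rules

if __name__ == "__main__":
    # Linux developer: web only; Windows developer: web plus RDP.
    for user, index, ports in (("userone", 1, [80, 443]),
                               ("usertwo", 2, [80, 443, RDP_PORT])):
        print(ccd_line(index), ipp_line(user, index), *forward_rules(index, ports), sep="\n")
```

The emitted lines can be pasted into the ccd file, ipp.txt and iptables.sh respectively; the trailing DROP per client is what keeps a user limited to the services assigned to them.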
