The Ultimate Guide to Setting Up Your Own Secure VPN with Google Cloud Platform
The easy and efficient way to set up your own secure VPN in less than 1 hour.
Introduction
Last year, I tested several VPN providers looking for a secure VPN to route my connections through a Swiss server. If you are familiar with Swiss internet and privacy laws, you probably already know why I route my connections through Switzerland. Otherwise, a quick Google search will give you some interesting insights.
As a privacy and information security professional, I have trust issues when it comes to my data online. Using a VPN means placing trust in the hands of your chosen VPN provider. Surely, a VPN should stop your ISP and others from prying on your browsing and data. However, VPN operators can still snoop on your browsing, keep logs of your data, and sell it for ad money. The million-dollar question is: Why would you trust a free VPN provider with your data?
Moreover, even premium VPN services seem sluggish, congested and often provide only high-level details of their security features.
In this light, I decided to set up my own secure VPN using a Google Cloud Platform (GCP) Virtual Machine (VM) as the server and open-source software such as WireGuard and PiVPN to tunnel the connections.
This article builds upon dhanangw’s “Setup WireGuard VPN in Google Cloud Platform.” It will show you how I have done it and guide you through each step to set up your own secure VPN with GCP quickly.
If you do not know WireGuard, it is an open-source VPN built on state-of-the-art cryptography: the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24 and HKDF. Plus, WireGuard runs in kernel space, so it is faster than OpenVPN.
However, since configuring clients in WireGuard can be a tad tedious, I have decided to tinker a bit and pair it with PiVPN to take advantage of its swift client configuration capabilities.
You will need:
- A Google Cloud Platform account.
- Knowledge of basic Linux commands.
- Some familiarity with computer networking (so that you at least know what’s happening).
Topics covered:
- Setting up networking in GCP.
- Creating a GCP VM instance as a VPN server.
- Installing and setting up the WireGuard server.
- Installing Qrencode.
- Installing and setting up PiVPN.
- Setting up the WireGuard Android app as a client.
1. Setting up networking in GCP
First of all, you will need to configure GCP’s firewall. In the GCP console, open the sidebar menu and go to Networking > VPC Network > Firewall.
Click on “Create Firewall” and:
- Input a name for the firewall rule (e.g. vpn-firewall-1).
- Under “Direction of traffic”, select “Ingress”.
- Under “Targets”, select “All instances in the network”.
- Under “Source filter”, select “IP Ranges”.
- Under “Source IP ranges”, input “0.0.0.0/0” (i.e. allow all traffic).
- Under “Protocols and ports”, select “Specified protocol and ports”.
- Select the “udp” protocol and enter the port number “51820”.
- Hit “Create”.
Wait for the notification that the firewall rule has been created and proceed to the next step.
2. Creating a GCP VM instance as a VPN server
To create the VM instance to be used as a VPN server, go to the GCP console, open the sidebar menu and go to Compute > Compute Engine > VM Instances.
Click on “Create Instance” and:
- In the left sidebar menu, select “New VM instance”.
- Input a name for the VM instance (e.g. vpn-server-1).
- Choose the region where you want the VM to be located (I have selected the same region as the static IP address).
- Under “Machine family” select “General-purpose”.
- Under “Series” select “N1”.
- Under “Machine type” select “f1-micro”.
- Under “Boot disk” select “Change” and choose “Ubuntu” version “Ubuntu 20.04 LTS”.
- Hit “Select” and expand the “Management, security, disks, networking, sole tenancy” menu.
- Select the “Networking” tab.
- Under External IP, select “Create IP address” to reserve a new static IP address for your VM.
- Enable “IP forwarding”.
- Hit “Create”.
Wait for the notification that the VM instance has been created and is running and proceed to the next step.
3. Installing and setting up the WireGuard server
If the newly created VM instance shows a white checkmark in a green dot, you can start setting it up as a VPN server.
Click on “SSH” in the “Connect” column and wait for a new browser window to pop up and display the SSH terminal.
The terminal window should look like this:
To proceed with the setup:
1. Update and upgrade system packages:
sudo apt-get update && sudo apt-get upgrade -y
2. Check if the VM instance needs to be rebooted:
cat /var/run/reboot-required
If the command returns
*** System restart required ***
then reboot the VM instance with
sudo reboot
3. Activate IP forwarding for IPv4 by editing the /etc/sysctl.conf file. Uncomment the line net.ipv4.ip_forward=1 and then apply the changes by entering:
sudo sysctl -p
4. Install WireGuard by entering:
sudo apt install wireguard
5. To generate the server keys, enter:
sudo mkdir -p /etc/wireguard/keys; wg genkey | sudo tee /etc/wireguard/keys/server.key | wg pubkey | sudo tee /etc/wireguard/keys/server.key.pub
The command above generates the key pair for the VPN server and saves the private key in the server.key file and the public key in the server.key.pub file. Both files are saved in the newly created /etc/wireguard/keys folder.
6. To see your VPN server’s private key, enter:
cat /etc/wireguard/keys/server.key
7. Check what your default network interface is:
ip -o -4 route show to default | awk '{print $5}'
8. Write down the name of your network interface.
9. To configure the WireGuard interface, first create a new file, /etc/wireguard/wg0.conf. Open it and paste the following:
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <YOUR_SERVER_PRIVATE_KEY>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o <YOUR_NETWORK_INTERFACE> -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o <YOUR_NETWORK_INTERFACE> -j MASQUERADE
SaveConfig = true
10. Make sure to replace <YOUR_NETWORK_INTERFACE> with the name of your default network interface and <YOUR_SERVER_PRIVATE_KEY> with your VPN server’s private key.
11. For security reasons, restrict the permissions on the wg0.conf, server.key and server.key.pub files by entering:
sudo chmod 600 /etc/wireguard/wg0.conf
sudo chmod 600 /etc/wireguard/keys/server.key
sudo chmod 600 /etc/wireguard/keys/server.key.pub
12. Activate the WireGuard interface by entering:
sudo wg-quick up wg0
13. Double-check that the interface is running and that the displayed public key matches your VPN server’s public key:
sudo wg show wg0
14. Set WireGuard’s interface to start at boot:
sudo systemctl enable wg-quick@wg0
15. Open WireGuard’s ports:
sudo ufw allow 51820/udp
sudo ufw allow 22/tcp
16. Enable Ubuntu’s firewall:
sudo ufw enable
17. Check Ubuntu’s firewall status and confirm that the ports you opened for WireGuard and SSH are listed:
sudo ufw status verbose
18. Set the MTU size to 1360 to cope with GCP’s limitations:
sudo ip link set dev wg0 mtu 1360
The WireGuard VPN server is now configured.
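The following POSIX shell script is an added example, not code from the original article or from the WireGuard and PiVPN projects. It bundles steps 5, 7, 9, 11 and 18 into functions: it renders wg0.conf from the server key and egress interface, persists the 1360 MTU as an MTU key in the [Interface] section (wg-quick applies that key every time wg0 comes up, whereas the ip link command from step 18 is lost at the next reboot) and validates the result before installing it. The function names and the --apply flag are my own; the file paths, iptables rules and port are the article's.

```sh
#!/bin/sh
# Added example, not from the original article or the WireGuard/PiVPN projects.
# Assumes the article's layout: keys under /etc/wireguard/keys, config in
# /etc/wireguard/wg0.conf, iptables for NAT, GCP firewall open on udp/51820.
set -e

# Render the [Interface] config from step 9. The MTU from step 18 is written
# as an "MTU =" key, which wg-quick applies every time wg0 comes up, whereas
# "ip link set ... mtu" is lost at the next reboot.
render_wg0_conf() {
    privkey=$1; iface=$2; port=${3:-51820}; mtu=${4:-1360}
    cat <<EOF
[Interface]
Address = 10.0.0.1/24
ListenPort = $port
MTU = $mtu
PrivateKey = $privkey
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $iface -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $iface -j MASQUERADE
SaveConfig = true
EOF
}

# Validate a config read on stdin before it is installed: no <YOUR_...>
# placeholder left over from step 10, a key of the shape "wg genkey" produces
# (43 base64 characters plus "="), and the port the GCP firewall rule allows.
validate_wg0_conf() {
    conf=$(cat)
    case "$conf" in *'<YOUR_'*) echo "placeholder left in config" >&2; return 1;; esac
    key=$(printf '%s\n' "$conf" | sed -n 's/^PrivateKey = //p')
    printf '%s\n' "$key" | grep -Eq '^[A-Za-z0-9+/]{43}=$' || { echo "PrivateKey is not a WireGuard key" >&2; return 1; }
    port=$(printf '%s\n' "$conf" | sed -n 's/^ListenPort = //p')
    [ "$port" = "51820" ] || { echo "ListenPort $port is not the port opened in GCP" >&2; return 1; }
}

# Steps 5, 7, 9 and 11 on the VM itself (run as root: sudo sh thisfile --apply).
# umask 077 creates the key and config files 0600 from the start, so they are
# never world-readable in the window before the chmod of step 11 would run.
provision() {
    umask 077
    mkdir -p /etc/wireguard/keys
    wg genkey | tee /etc/wireguard/keys/server.key | wg pubkey > /etc/wireguard/keys/server.key.pub
    iface=$(ip -o -4 route show to default | awk '{print $5}')
    render_wg0_conf "$(cat /etc/wireguard/keys/server.key)" "$iface" > /etc/wireguard/wg0.conf
    validate_wg0_conf < /etc/wireguard/wg0.conf
}

if [ "${1:-}" = "--apply" ]; then provision; fi
```

After --apply, steps 12 to 17 (wg-quick up, systemctl enable, ufw) are unchanged; step 18 is no longer needed because the MTU is in the config.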
4. Installing Qrencode
Before installing PiVPN, you must install Qrencode so that you can use QR codes to configure your devices (clients) to route their connections through the VPN server. To do so, enter:
sudo apt install qrencode
With Qrencode successfully installed, you can proceed to install PiVPN.
5. Installing and setting up PiVPN
To install PiVPN, enter:
curl -L https://install.pivpn.io | bash
If you get an error that the installer cannot install packages such as dnsutils, install them manually using:
sudo apt install <package name>
1. Once the PiVPN installer is up and running, you should see this:
Don’t worry, it’s normal that it mentions a Raspberry Pi.
2. Hit “OK” on the static IP notices, and then select the user.
3. At this point, you will be asked to choose which VPN you want to use. Select WireGuard and hit “OK”.
4. Ensure that Port 51820 (the one you have opened before) is selected and then hit “OK”.
5. You will then be asked to confirm that the selected port is correct. Click “Yes”.
6. Then, choose a DNS provider. I like OpenDNS, but all the others are also fine.
7. Choose the public IP and ensure that it matches the static IP address you reserved earlier.
8. Hit “OK” on the notices and enable the Security Updates.
9. Once the installation is completed, reboot the machine, close the pop-up terminal window and SSH into the instance again.
If everything went fine, you can now add a client to your VPN.
6. Setting up the WireGuard Android app as a client
1. To add a client, enter the following in the SSH terminal:
pivpn add
2. Enter a name for your client (e.g. Android):
3. If the client has been successfully added, you should see this:
4. Now download the WireGuard Android app and, in the SSH window, enter:
pivpn -qr
5. A QR code should appear (for security reasons, I will not share mine here).
6. Open the WireGuard Android app, tap the “+” icon and then select “SCAN FROM QR CODE”.
7. Et voilà, once you have scanned the QR code, your Android phone will be ready to use WireGuard VPN.
If you also want to set up a computer as a client, add a new client to PiVPN, download the .conf file and use it to configure WireGuard on the client machine.
Since VPN servers can obviously be attacked (they have a static IP exposed to the internet), I have also installed a Datadog agent to log and monitor my GCP VM instance and configured it to detect threats.
I will show this soon in another article. In the meantime, have fun setting up your VPN server.
Disclaimer: The opinions and views herein contained are solely mine and neither represent nor express those of my clients.