howto setup OpenVPN behind a load balancer on GCP ? | C2C Community

howto setup OpenVPN behind a load balancer on GCP ?

  • 26 March 2022
  • 8 replies


I think the title captures my question.


This works “out of the box” on AWS.

But, when I setup an openvpn instance behind a UDP Network Load Balancer on GCP, I can’t get my client to connect…


Thanks for any pointers.


Best answer by cba 20 April 2022, 14:47

View original

8 replies

Here you go, 


Option 1: Medium Article on setting up OpenVPN server on GCE VM

Option 2: Launch GCP Marketplace OpenVPN server instance 

Option 3: Using IAP for TCP forwarding 

@bgopi None of your links include a GCP Load Balancer.


I have done some research.

I also have MANY OpenVPN Servers in use, with public IPs, & behind an NLB on AWS.


Hmm.. may be a topology can help if you can share src/dst of openVPN session . These options are for setting up OpenVPN to GCE VMs but not sure I understand your use case here . Can you share little more details? 


Userlevel 7
Badge +65

Hi @BigGExpress,

@bgopi has shared 3 links. i think the first one is great for you. After that you can read the External TCP/UDP Network Load Balancing overview and/or the Internal TCP/UDP Load Balancing overview Google Cloud Documentation.

I have many functioning OpenVPN servers, mostly with public IPs.

I have many functioning GCP [external, network] load balancers, fronting other services.


I have never been able to successfully combine these two things!

Have you?  Can you?

If so, please share exactly how.

Note that the question was incomplete: “OpenVPN server” can mean the proprietary Access Server software or the open source community version, and being specific does matter, because the answers differ.

That said, community version openvpn(8) should have no problem at all behind a GCP NLB.  It is a single-threaded application, VPN only, not doing all the extra stuff that Access Server does.

Access Server, on the other hand, can only work with a single-core VM node behind the NLB.  If using multiple CPU cores, Access Server distributes the client load using iptables DNAT rules.  Apparently GCP queries the OS to determine what ports are bound, and in the multi-CPU case, Access Server does not bind the ports.  But we do not know the details of how the GCP NLB decides what packets to forward.

Userlevel 7
Badge +65

Hi @BigGExpress,

have you checked @cba’s answer?