Lose control of the VM Instance Debian 9 in Google Compute Engine when I try to connect to a VPN Service Provider (NordVPN)

I have an active subscription with NordVPN and I have always used this VPN without problems, from Windows, from mobile, and from Linux on-premises virtual machines. Now, for a project, I find myself using it on different Debian 9 VMs in Google Cloud. I installed the client (the test was done both with the vendor's custom client and with OpenVPN with the list of the vendor's servers), but when I connect the VM to the VPN I lose control of the machine and the terminal hangs. This problem does not occur if I use a local VM instead. I can no longer ping it on either the internal address or the external address. As a premise, I am not a networking master. The test was done both with IP Forwarding enabled and disabled at the time the VM was created.

I can only find material online about creating a VPN server within GCP, but that is not my case. My situation is instead that the VM is the client and the VPN server is external.

I have no doubt this setup is possible, but I cannot understand what further settings I have to enter compared to the local VM.

Thank you all.

It seems that the VPN client is receiving network routes from your VPN provider, so the VM is routing all traffic through the VPN and all inbound connections are being dropped.

Your best chance to know what's going on inside your VM once network access is not available, as you described, is to interact with the Serial Console [1]. In [1] you can find step-by-step instructions for accessing your VM using the serial console through your Google Cloud Platform panel.

Now, in GCP (normally) all VMs have only 1 vNIC, and it is through that vNIC that all traffic is routed. When you connect your VM to NordVPN, a new network device is created (tun). If your default route [4] is set to send all default traffic to your tun (the NordVPN) and not the vNIC of GCP, when a new SYNC [5] request gets to your VM, your VM will send the ACK answer through your network card TUN (NordVPN) and not through the ETH0 (Google VM). Because the connection did not begin through NordVPN, NordVPN will drop the connection.

The behavior I explained is totally expected, because you want all traffic from your VM to go to NordVPN so you can surf the net anonymously. The disadvantage is that your VM will not be able to receive incoming traffic.

[1] https://cloud.google.com/compute/docs/instances/interacting-with-serial-console

[2] https://help.ubuntu.com/community/OpenVPN

[3] https://nordvpn.com/es/tutorials/linux/openvpn/

[4] https://www.cyberciti.biz/faq/howto-debian-ubutnu-set-default-gateway-ipaddress/

[5] https://www.inetdaemon.com/tutorials/internet/tcp/3-way_handshake.shtml

[6] https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway
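
The routing problem described in the answer can be checked from the serial console and worked around with source-based policy routing, so that replies sent from the VM's own address leave through eth0 while everything else still uses the tunnel. The script below is an added example, not part of the original question or answer; the addresses, the sample route table and table number 100 are constructed assumptions, and the commands are only printed so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Constructed sample of `ip route show` output after the VPN client connects.
# OpenVPN's redirect-gateway def1 adds the two /1 routes instead of replacing "default".
SAMPLE_ROUTES='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 10.128.0.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
10.128.0.1 dev eth0 scope link
128.0.0.0/1 via 10.8.0.1 dev tun0'

# Reads `ip route show` text on stdin. Prints the tun device that captures
# default traffic and returns 0, or prints nothing and returns 1.
default_via_tun() {
    awk '
        $1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
            for (i = 2; i < NF; i++)
                if ($i == "dev" && $(i + 1) ~ /^tun[0-9]+$/) {
                    print $(i + 1); found = 1; exit
                }
        }
        END { exit !found }
    '
}

# Prints (does not execute) the policy-routing commands that make packets
# sourced from the VM's primary address use the original gateway.
# Args: SRC_IP GATEWAY DEVICE TABLE
reply_route_cmds() {
    echo "ip route add default via $2 dev $3 table $4"
    echo "ip rule add from $1/32 table $4"
}

# Demo on the constructed sample; on a real VM pipe `ip route show` instead.
if dev=$(printf '%s\n' "$SAMPLE_ROUTES" | default_via_tun); then
    echo "Default traffic leaves via $dev; replies to inbound connections go there too."
    echo "Commands to keep replies from 10.128.0.5 on eth0 (review, then run as root):"
    reply_route_cmds 10.128.0.5 10.128.0.1 eth0 100
else
    echo "Default route is not on a tun device."
fi
```

Apply the rule before starting the VPN client, or from the serial console [1] if the session is already lost.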
