# GCP to Local Home Network VPN Setup

This project uses OpenTofu (or Terraform) to configure a VPC and VPN on Google Cloud Platform (GCP), establishing a Site-to-Site VPN connection with a home server (e.g., Raspberry Pi).
## Architecture Overview

- GCP Side:
  - VPC Network: `rpi-vpn-test-vpc`
  - Subnet: `rpi-vpn-subnet` (10.10.0.0/24)
  - VPN Gateway: Classic VPN Gateway
  - Firewall Rules:
    - Allow VPN and internal traffic (ICMP, TCP, UDP)
    - Allow SSH access (for test VM)
  - Compute Engine: `vpn-test-vm` (e2-micro instance for connection testing)
- Local Side (User Environment):
  - Raspberry Pi (or home server) behind a router running a VPN daemon (e.g., StrongSwan, Libreswan)
  - Port Forwarding required: UDP 500, 4500 -> Raspberry Pi internal IP
## Prerequisites

- GCP Account & Project: A billing-enabled GCP project is required.
- OpenTofu/Terraform Installed: Refer to the OpenTofu Installation Guide.
- GCP Authentication: Authenticate locally via terminal:
  ```bash
  gcloud auth application-default login
  ```
- Check Home Public IP: Identify your current public IP address.
## Usage

### 1. Configure Variables (terraform.tfvars)

Create a `terraform.tfvars` file in the project root and configure it according to your environment.

```hcl
project_id         = "YOUR_GCP_PROJECT_ID"
home_public_ip     = "123.123.123.123"
vpn_psk            = "your-secret-password"
home_internal_cidr = "192.168.0.0/24"
ssh_public_key     = "ssh-rsa AAA..."
```
### 2. Initialize and Apply

```bash
# Initialize
tofu init
# Plan
tofu plan
# Apply
tofu apply
```
### 3. Check Results

Upon completion of `tofu apply`, the following information will be output:

- `gcp_vpn_ip`: The public IP of the GCP VPN Gateway (target for Raspberry Pi connection).
- `vm_public_ip`: The public IP of the test VM.
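Before running `tofu apply`, it is worth checking that the `terraform.tfvars` from step 1 holds usable values: a public (not NAT-internal) `home_public_ip`, a `home_internal_cidr` that does not overlap the GCP subnet `10.10.0.0/24` (an overlap leaves the tunnel's traffic selectors ambiguous and breaks routing), and a PSK that is no longer the README placeholder. The checker below is an added example, not part of this project; the 20-character PSK threshold and the OpenSSH key pattern are assumptions.

```python
"""Pre-apply sanity check for this project's terraform.tfvars (added example)."""
import ipaddress
import re

GCP_SUBNET = ipaddress.ip_network("10.10.0.0/24")  # rpi-vpn-subnet from the overview
REQUIRED = ("project_id", "home_public_ip", "vpn_psk", "home_internal_cidr", "ssh_public_key")
PLACEHOLDERS = {"YOUR_GCP_PROJECT_ID", "your-secret-password"}  # README sample values
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(?:"([^"]*)"|(\S+))')      # key = "value" or key = value
SSH_KEY = re.compile(r"^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/=]+")


def parse_tfvars(text):
    """Parse the flat key = value lines used by this project; '#' lines are skipped."""
    result = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = ASSIGN.match(line)
        if m:
            result[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return result


def check_tfvars(text):
    """Return a list of problems; an empty list means the file is ready for tofu apply."""
    v = parse_tfvars(text)
    problems = [f"{k} is missing or empty" for k in REQUIRED if not v.get(k)]
    problems += [f"{k} still holds the README placeholder" for k in REQUIRED if v.get(k) in PLACEHOLDERS]
    try:  # GCP's peer address must be the router's routable public IPv4, not a LAN address
        if not ipaddress.ip_address(v.get("home_public_ip", "")).is_global:
            problems.append("home_public_ip is not a public address (private/NAT-internal IP?)")
    except ValueError:
        problems.append("home_public_ip is not a valid IP address")
    try:  # home LAN and GCP subnet must be disjoint for the static route and selectors to work
        home = ipaddress.ip_network(v.get("home_internal_cidr", ""), strict=True)
        if home.overlaps(GCP_SUBNET):
            problems.append(f"home_internal_cidr {home} overlaps the GCP subnet {GCP_SUBNET}")
    except ValueError:
        problems.append("home_internal_cidr is not a valid network (use the network address, e.g. 192.168.0.0/24)")
    if len(v.get("vpn_psk", "")) < 20:  # threshold is an assumption; use a long random secret
        problems.append("vpn_psk is shorter than 20 characters; generate a long random secret")
    if not SSH_KEY.match(v.get("ssh_public_key", "")):
        problems.append("ssh_public_key does not look like an OpenSSH public key")
    return problems


if __name__ == "__main__":
    import sys
    for p in check_tfvars(open(sys.argv[1] if len(sys.argv) > 1 else "terraform.tfvars").read()):
        print("PROBLEM:", p)
```

Run it as `python check_tfvars.py terraform.tfvars` from the project root; no output means no problems were found.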
## Raspberry Pi Configuration Guide (StrongSwan with swanctl)

This guide uses the modern `swanctl` (VICI protocol) provided by StrongSwan 6.x+.
1. Install StrongSwan and Plugins:

   ```bash
   sudo apt-get update
   sudo apt-get install -y strongswan libcharon-extra-plugins libstrongswan-extra-plugins libstrongswan-standard-plugins strongswan-pki
   ```
2. Configure `/etc/swanctl/swanctl.conf`: Replace the content of `/etc/swanctl/swanctl.conf` with the following configuration.

   Note: Replace `YOUR_HOME_PUBLIC_IP`, `GCP_VPN_IP`, `YOUR_PSK` (the same value as `vpn_psk` in `terraform.tfvars`), and `HOME_CIDR` with your actual values.

   ```
   connections {
       gcp-vpn {
           remote_addrs = GCP_VPN_IP
           local {
               auth = psk
               id = YOUR_HOME_PUBLIC_IP
           }
           remote {
               auth = psk
               id = GCP_VPN_IP
           }
           children {
               gcp-net {
                   local_ts = 192.168.0.0/24   # Your Home Network CIDR (e.g., 192.168.2.0/24)
                   remote_ts = 10.10.0.0/24    # GCP Network CIDR
                   esp_proposals = aes256-sha1-modp2048
                   start_action = start
               }
           }
           version = 2
           proposals = aes256-sha1-modp2048
       }
   }

   secrets {
       ike-gcp {
           id = GCP_VPN_IP
           secret = "YOUR_PSK"
       }
   }
   ```
3. Apply & Start:

   ```bash
   # Load configuration
   sudo swanctl --load-all
   # Check status (should show ESTABLISHED)
   sudo swanctl --list-sas
   ```
4. Enable IP Forwarding: For the Raspberry Pi to act as a gateway and forward traffic to other devices, you must enable packet forwarding.

   Edit `/etc/sysctl.conf` and uncomment (or add) the following line:

   ```
   net.ipv4.ip_forward=1
   ```

   Apply changes:

   ```bash
   sudo sysctl -p
   ```
5. Important: Ensure UDP ports 500 and 4500 are port-forwarded to the Raspberry Pi's internal IP in your router settings.
6. Routing Setup (Home Router): You must configure a Static Route on your home router so that other devices in your home network can reach the GCP network.

   - Destination Network: `10.10.0.0`
   - Subnet Mask: `255.255.255.0` (or `/24`)
   - Gateway: The internal IP of your Raspberry Pi (e.g., `192.168.2.x`)

   Without this, only the Raspberry Pi itself can access the GCP network. Other devices (like your PC) won't know that traffic for `10.10.0.x` should go through the Raspberry Pi.
## Connection Test

- Verify the tunnel status is "Established" in the VPN menu of the GCP Console.
- SSH into the test VM (`vpn-test-vm`).
- Ping a device in the home internal network (e.g., Raspberry Pi):
  ```bash
  ping 192.168.0.x
  ```