---
title: Google Cloud VPN
description: Integrate Google Cloud VPN with Zero Trust networking.
image: https://developers.cloudflare.com/zt-preview.png
---

[Skip to content](#%5Ftop) 

### Tags

[ GCP ](https://developers.cloudflare.com/search/?tags=GCP)[ IPsec ](https://developers.cloudflare.com/search/?tags=IPsec) 

Was this helpful?

YesNo

[ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/networks/connectors/cloudflare-wan/configuration/third-party/google.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) 

Copy page

# Google Cloud VPN

This tutorial explains how to configure IPsec VPN between Cloudflare WAN (formerly Magic WAN) and a Google Cloud Platform (GCP) Cloud VPN.

## Prerequisites

You need to have a GCP VPN gateway created in your GCP account. This is needed to route traffic between your GCP virtual private cloud (VPC) and Cloudflare WAN. Refer to the [GCP documentation ↗](https://cloud.google.com/network-connectivity/docs/vpn/how-to/creating-static-vpns) for more information about creating a Cloud VPN gateway.

A Classic VPN Gateway is required to support static routing. Route tables will also need to be manually configured to allow the routing between the VPN and Cloudflare WAN to work. Refer to [GCP routing options ↗](https://cloud.google.com/network-connectivity/docs/vpn/concepts/choosing-networks-routing#ts-tun-routing) to learn more about GCP VPC routing.

## Google Cloud Platform

### Create a GCP Cloud VPN Gateway

1. Go to **Network Connectivity** \> **VPN**.
2. Select the **Cloud VPN Gateways** tab > **Create VPN Gateway**.
3. Give your gateway a descriptive name.
4. Choose the network you want to connect to with this Cloud VPN Gateway (VPC).
5. Select a region where this Cloud VPN Gateway should be located.
6. Choose **IPv4** as the IP traffic type that will flow through this Gateway.

Note

Cloudflare WAN does not yet support private routing via IPv6.

### Configure the VPN connection

1. Go to **Network Connectivity** \> **VPN**.
2. Select the **Cloud VPN Tunnels** tab > **Create VPN Tunnel**.
3. Select the VPN Gateway you have created > **Continue**.
4. Give your tunnel a descriptive name.
5. For **Remote Peer IP Address**, use one of the Cloudflare anycast IP addresses assigned to your account, available in [Leased IPs ↗](https://dash.cloudflare.com/?to=/:account/ip-addresses/address-space).
6. In **IKE version**, select **IKEv2**.
7. You can generate an IKE pre-shared key, or add one you already own. If you generate one during this set up, keep it somewhere safe since you will need it in other steps to finish setting up Cloudflare WAN and GCP.
8. Choose **Route-based** as routing option.
9. In **Remote network IP range** define the network you are going to expose to GCP via Cloudflare WAN.

Note

You can add new IP ranges once the VPN object is created. They will need to be created as VPC routes using this VPN connection (refer to the **Static Routes** section).

1. Repeat steps 2-9 using your second Cloudflare anycast IP to create a second VPN tunnel.

### Static Routes

Static routing is necessary to route traffic between your VPN and Cloudflare WAN. Follow these steps to create them for your VPC. Refer to [VPN route documentation ↗](https://cloud.google.com/vpc/docs/routes) to learn more about VPN routing.

1. Go to **VPC network** \> **Routes**.
2. Select **Route Management**.
3. Create a route.
4. Choose the VPC network you want to use for that route.
5. In **Route type** select **Static Routing**.
6. In **IP Version** select **IPv4**.
7. Configure the network you want to expose to your VPN in the **Destination IPv4 Range**.
8. Choose a priority for your static route.
9. (Optional) You can link that route to a specific instance tag, so only impacted instances will use that route.
10. In **Next hop** select the VPN tunnel you created previously.
11. Select **Create**.

## Cloudflare WAN

After configuring the Cloud VPN gateway VPN and the tunnels as mentioned above, go to the Cloudflare dashboard and create the corresponding IPsec tunnels and static routes on the Cloudflare WAN side.

### IPsec tunnels

1. Refer to [Add tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/how-to/configure-tunnel-endpoints/#add-tunnels) to learn how to add an IPsec tunnel. When creating your IPsec tunnel, make sure you define the following settings:  
   * **Tunnel name**: `tunnel01`  
   * **Interface address**: The IPsec tunnel inner `/30` Classless Inter-Domain Routing (CIDR) block. For example, `169.254.244.2`.  
   * **Customer endpoint**: The IP address from GCP VPN tunnel outside IP address. For example, `35.xx.xx.xx`.  
   * **Cloudflare endpoint**: Enter the first of your two anycast IPs.  
   * **Pre-shared key**: Choose **Use my own pre-shared key**, and enter the PSK you created for the GCP VPN tunnel.  
   * **Health check type**: Choose **Reply**  
   * **Health check destination**: Choose **custom** and set the IP corresponding to the interface address for the tunnel  
   * **Health check direction**: Choose **Bidirectional**  
   * **Replay protection**: Select **Enabled**.
2. Select **Save**.
3. Repeat the above steps for `tunnel02`. Chose the same prefix, but select the second IPsec tunnel for **Tunnel/Next hop**.

Note

Do not forget to create a route in the corresponding GCP VPC covering for the healthcheck configuration of the tunnel. The route subnet should match the interface address CIDR block of the IPsec tunnel (`169.254.244.2` in the example above).

Refer to the **Static Routes** section for more detail on how to create a VPC route leading to your newly created tunnel.

### Static routes

Create a static route in Cloudflare WAN that points to the appropriate virtual machine (VM) subnet you created inside your GCP virtual private cloud. For example, if your VM has a subnet of `192.168.192.0/26`, you should use it as the prefix for your static route.

To create a static route:

1. Refer to [Create a static route](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-wan/configuration/how-to/configure-routes/#create-a-static-route) to learn how to create one.
2. In **Prefix**, enter the subnet for your VM. For example, `192.168.192.0/26`.
3. For the **Tunnel/Next hop**, choose the IPsec tunnel you created in the previous step.
4. Repeat the steps above for the second IPsec tunnel you created.

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/networks/","name":"Networks"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/networks/connectors/","name":"Connectors"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/networks/connectors/cloudflare-wan/","name":"Cloudflare WAN"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/networks/connectors/cloudflare-wan/configuration/","name":"Configuration"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/networks/connectors/cloudflare-wan/configuration/third-party/","name":"Third-party integration"}},{"@type":"ListItem","position":8,"item":{"@id":"/cloudflare-one/networks/connectors/cloudflare-wan/configuration/third-party/google/","name":"Google Cloud VPN"}}]}
```