AWS VPN setup with OpenVPN
This blog post describes how to set up a VPN so that you can SSH directly into an EC2 instance in your custom VPC on AWS.
This post covers the steps needed to set up your own VPN. We shall use OpenVPN as the gateway through which users enter our AWS VPC. Let us start with a new VPC and its components. Note that the VPC is the basic building block of almost everything in AWS and is a fairly large subject, but we will stick to a simple setup.
Adding a new VPC
In the AWS Console, under Services, choose:
Network and Content Delivery > VPC
Open Your VPCs, click Create VPC and choose VPC with One Public Subnet.
After all resources are created, the setup should look similar to the screenshot below:
Here, the VPC is set up with a few test subnets, an Internet Gateway and route tables. Keep the primary VPC CIDR (Classless Inter-Domain Routing) block in mind.
List of subnets and their configurations for this VPC.
Initial route table for the public subnet
These are the public route table entries for the internet and for traffic internal to the VPC. Now that we have a basic VPC for hosting servers in a public network in AWS, let us move on to the VPN setup. As a first step, we launch the OpenVPN Access Server appliance from the AWS Marketplace. Note that the OpenVPN Access Server instance is charged according to the number of concurrent connections its license allows. You can choose whichever OpenVPN server appliance fits your needs.
First login to AWS Market Place with a valid AWS console login.
Enter OpenVPN Access Server in the search box and press Enter. Configure the first instance with the default settings. While launching the appliance, you will be prompted to create a new key pair for connecting to the instance. Create one and keep it safe; you will use it to connect to the instance later.
To confirm that the instance has launched successfully, watch the status in the Instances section. You should see something similar to the following while the instance is launching. Once “Instance status” shows running, your OpenVPN Access Server appliance is ready for configuration.
Allocate a static IP address for your appliance so that the address is retained if the AWS machine fails, shuts down or reboots. To do so, visit the Elastic IPs section in the left navigation panel.
Once your new instance is launched and running, SSH into its console using the private key you created previously.
At the login prompt, enter openvpnas as the username and press Enter. (NOTE: older versions of the appliance use root as the username instead of openvpnas.) Then follow the steps below.
>> Will this be the primary Access Server node?
Default: yes. Press Enter to accept the default. If you are setting up a failover node instead, change this to no. For this tutorial we are setting up the primary Access Server node.
>> Please specify the network interface and IP address to be used by the Admin Web UI:
Default: 2. Choose 1, “all interfaces: 0.0.0.0”, so that the Admin Web UI listens on all interfaces.
>> Please specify the port number for the Admin Web UI.
Default: 943. This is the default port for the VPN Admin UI console.
>> Please specify the TCP port number for the OpenVPN Daemon
Default: 443. It is usually safe to leave this at the default port.
>> Should client traffic be routed by default through the VPN?
Default: no. If you only have a small network that remote users need to reach over the VPN, select no. If you would like all traffic to go through the VPN while the user is connected (especially useful for securing data communications over an insecure link), select yes.
>> Should client DNS traffic be routed by default through the VPN?
Default: no. If you would like your VPN clients to resolve local domain names using an on-site DNS server, select yes; otherwise select no. Note that if you selected yes for the previous option, all traffic is routed over the VPN regardless of this setting.
>> Use local authentication via internal DB?
Default: yes. If you would like OpenVPN Access Server to keep an internal authentication database for your users, select yes. With this option on, you can define and change usernames and passwords in the Admin Web UI.
>> Should private subnets be accessible to clients by default?
Default: yes. This option defines the default security setting of your OpenVPN Access Server. When Should client traffic be routed by default through the VPN.
>> Do you wish to login to the Admin UI as “openvpn”?
Default: yes. This defines the initial username you will use to log in to the Access Server Admin UI. This username also serves as your “lock out” administrator username should you ever lock yourself out of your own server. If you would like to specify your own username, select no; otherwise accept the default of yes.
>> Please specify your OpenVPN-AS license key (or leave blank to specify later):
Explanation: If you have purchased a license key for your OpenVPN Access Server software, enter it here; otherwise leave it blank. OpenVPN Access Server includes two free licenses for testing purposes.
>> Create a password for the OpenVPN admin user by running the command below.
sudo passwd openvpn
Enter new UNIX password:
Retype new UNIX password:
The last thing we need to do before we can connect to the admin area and to our VPN is to disable the Source/Destination check in AWS. Without this, the appliance cannot forward traffic and we would not be able to reach our private subnets.
To change it, go to the EC2 console in AWS, select your instance and choose *Actions>Networking>Change Source/Dest. Check* as seen below. Choose “Yes, Disable” on the next screen.
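The following script is an added example, not part of the original post: it audits the three settings this walkthrough depends on (source/dest check disabled, an Elastic IP attached, and the Admin Web UI port not exposed to the whole internet) against the JSON shapes that `aws ec2 describe-instances`, `describe-addresses` and `describe-security-groups` return. The sample JSON is constructed to represent an appliance that is wrong on all three counts; instance and group ids are placeholders.

```python
import json

# Constructed sample CLI output (not real AWS data): one appliance instance that
# still has the source/dest check on, no Elastic IP, and port 943 open to the world.
INSTANCES = json.loads("""{"Reservations": [{"Instances": [{
  "InstanceId": "i-0example", "SourceDestCheck": true,
  "SecurityGroups": [{"GroupId": "sg-0example"}]}]}]}""")
ADDRESSES = json.loads('{"Addresses": []}')  # no Elastic IP allocated at all
SECURITY_GROUPS = json.loads("""{"SecurityGroups": [{"GroupId": "sg-0example",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 943, "ToPort": 943,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}""")

ADMIN_UI_PORT = 943  # Admin Web UI port accepted in the setup wizard


def audit(instances, addresses, groups):
    """Return a list of findings for every instance; an empty list means clean."""
    findings = []
    with_eip = {a.get("InstanceId") for a in addresses["Addresses"]}
    sg_by_id = {g["GroupId"]: g for g in groups["SecurityGroups"]}
    for res in instances["Reservations"]:
        for inst in res["Instances"]:
            iid = inst["InstanceId"]
            # With the check on, EC2 drops packets the appliance forwards on
            # behalf of VPN clients, so the private subnets stay unreachable.
            if inst.get("SourceDestCheck", True):
                findings.append(f"{iid}: source/dest check still enabled")
            # Without an Elastic IP the public address changes on stop/start
            # and every client profile that points at it breaks.
            if iid not in with_eip:
                findings.append(f"{iid}: no Elastic IP associated")
            for ref in inst["SecurityGroups"]:
                for perm in sg_by_id[ref["GroupId"]]["IpPermissions"]:
                    # IpProtocol "-1" (all traffic) rules carry no port fields.
                    lo = perm.get("FromPort", 0)
                    hi = perm.get("ToPort", 65535)
                    if not lo <= ADMIN_UI_PORT <= hi:
                        continue
                    for rng in perm.get("IpRanges", []):
                        if rng["CidrIp"] == "0.0.0.0/0":
                            findings.append(
                                f"{iid}: admin UI port {ADMIN_UI_PORT} open to "
                                f"0.0.0.0/0 via {ref['GroupId']}; limit it to an admin CIDR")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(INSTANCES, ADDRESSES, SECURITY_GROUPS)))
```

To audit a real deployment, feed it the output of the three CLI commands named above instead of the constructed samples; the VPN daemon port (443) is intentionally not flagged because clients must reach it from anywhere.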
Next, we set up a test instance in a private subnet of the same VPC in which the OpenVPN server runs.
1. Log in to your AWS account, navigate to the EC2 Dashboard and click “Launch Instance” on the left.
Press “Select” next to the top item *Amazon Linux AMI*.
2. Leave the type at t2.micro and click “Next: Configure Instance Details.”
3. Make sure to place the instance in the private subnet mentioned in the prerequisites. Then click “Review and Launch”; the defaults for everything else are fine for this test.
Install the OpenVPN client on the end-user machine and connect to the instance running in the private subnet on AWS.
In your web browser, enter the Elastic IP of your OpenVPN Access Server: https://elastic-ip-here:943. Note: on your first attempt to connect, your browser will warn that the SSL certificate cannot be validated. This is acceptable for our demo, but in the real world you will want to install a real SSL certificate in your setup.
On the login screen, enter “openvpn” as the username and the password you created for that user.
After your credentials are accepted you will see the screen below. Click “Click here to continue”, which downloads the OpenVPN client installer to your machine.
Thus, a VPN server appliance is deployed in our AWS account, and you can launch as many instances as you need in the VPC you created. Authenticated users can now connect securely to those instances through the installed VPN client. Deploying a VPN server provides extra security for end users, and it is easy to deploy an OpenVPN server in your AWS account.