This article covers how to setup OpenVPN access server using amazon's machine image. OpenVPN is an open source application that uses a VPN method for creating a secure connection between point-to-point OR site-to-site connections in bridged/routed mode. It uses SSL and TLS connections to traverse NAT connections and firewalls. OpenVPN has been ported to embedded systems like DD-WRT, OpenWRT, pfsense etc. OpenVPN access server is based on the community version but offers few others paid and proprietary service like LDAP, SMB, Web UI management, Radius server etc. in AWS.
You must have an AWS account. If you still don't have it then, create an account using amazon's free tier. We will use pre-configured Amazon's machine image (AMI) for OpenVPN-AS to install OpenVPN server and deploy it in minutes.
1. Create EC2 instance for OpenVPN Access Server
Amazon's ec2 ( Elastic compute cloud ) is virtual servers in the cloud with wide range of RAM sizes, compute powers. We will use amazons free tier to launch our OpenVPN-AS.
Goto amazon web service console and select EC2 to launch a virtual server for this tutorial. To do that click services->Group A-Z->EC2
In the EC2 dashboard, click "Launch instance".
Now select AWS Marketplace and type OpenVPN in the search box and press Enter. You will find the OpenVPN Access Server in the result. Select the OpenVPN Access Server title to proceed.
Choose an instance type depending on your requirements/traffics/no of users etc. For our tutorial, we will choose t2.micro instance. Click "Next: configure instance details" to proceed.
In the next two screen-shots, configure the instance details like no of instance, auto-assign public IP, shutdown behaviour. The auto-assign public IP is enabled since we want our OpenVPN access server to communicate with outside world.
Under "Advance details" section, we will pass parameters in the users data as text and these will be available to the instance during boot time. The parameters of our interest are-
Now click "Next:Add storage"
Add storage to the instance. Though we have chosen volume type as Magnetic, we will overwrite the volume type as "General type SSD" in the final step which is more efficient in performance wise than previous generation "EBS magnetic". Click "Next: add Tags" to proceed to the next step.
Tag the instance which is a combination of key-Value pair. We have tagged our instance with key value pair of Name:OpenVPN. Click "Next:Configure Security groups"
A security group will be auto generated for you for the instance. Choose "Create a new security group" and click "Review and launch". For the moment we kept the SSH world open which can be later harden with CIDR range or My IP. Click "Review and launch".
Override the volume type as general type SSD and click "Next"
Ignore the warning for the moment and click "Launch"
Create a new key pair and download the key. You need it to SSH into the OpenVPN server. You can also choose "Existing key pair" if you have already created the key and have access to it. Finally click "Launch instance"
In the next screen click "View instance"
From the EC2 dashboard, Right click the OpenVPN instance and click connect. Now copy the connection string and paste it in a temporary text file and click "Close".
Since we want to associate our OpenVPN server with a public IP, Select "Elastic IP" and click "Allocate new address"
In the next screen click "Allocate"
You will get a confirmation of successful allocation of elastic IP. Click "Close".
Now we need to associate this elastic IP to the OpenVPN instance. In Elastic IP dashboard, select the allocated elastic IP, click the Actions drop-box and choose "Associate address".
In the next screen, click instance drop down list and select the OpenVPN instance and click "Associate".
You will get a confirmation of successful association. Click ""
Now that our OpenVPN access server instance is up and running, we will SSH into it to initialize the OpenVPN. First assign proper permission to the key file that we have downloaded in earlier step.
[thegeek@mysandbox Downloads]$ chmod 400 OpenVPN-Server.pem
Remember we have copied the SSH connection string earlier, edit the string and change user root with openvpnas and connect to the remote OpenVPN AS with the following command. Once connected, change to root by sudo -i
[thegeek@mysandbox ]$ ssh -i "OpenVPN-Server.pem" email@example.com
openvpnas@openvpnas2:~$ sudo -i
One you get into the root shell, run openVPN initial configuration tool with the following command.
root@openvpnas2:# sudo ovpn-init --ec2
Detected an existing OpenVPN-AS configuration.
Continuing will delete this configuration and restart from scratch.
Please enter 'DELETE' to delete existing configuration: DELETE
OpenVPN Access Server
Initial Configuration Tool
OpenVPN Access Server End User License Agreement (OpenVPN-AS EULA)
1. Copyright Notice: OpenVPN Access Server License;
Copyright (c) 2009-2013 OpenVPN Technologies, Inc.. All rights reserved.
"OpenVPN" is a trademark of OpenVPN Technologies, Inc.
11. Purchasing a license key does not entitle you to any special rights or
privileges, except the ones explicitly outlined in this user agreement.
Unless otherwise arranged prior to your purchase with OpenVPN Technologies,
Inc., software maintenance costs and terms are subject to change after your
initial purchase without notice. In case of price decreases or special
promotions, OpenVPN Technologies, Inc. will not retrospectively apply
credits or price adjustments toward any licenses that have already been
issued. Furthermore, no discounts will be given for license maintenance
renewals unless this is specified in your contract with OpenVPN
Please enter 'yes' to indicate your agreement [no]: yes
Once you provide a few initial configuration settings,
OpenVPN Access Server can be configured by accessing
its Admin Web UI using your Web browser.
Will this be the primary Access Server node?
(enter 'no' to configure as a backup or standby node)
> Press ENTER for default [yes]: yes
Please specify the network interface and IP address to be
used by the Admin Web UI:
(1) all interfaces: 0.0.0.0
(2) eth0: 172.31.16.206
Please enter the option number from the list above (1-2).
> Press Enter for default : 1
Please specify the port number for the Admin Web UI.
> Press ENTER for default : 943
Please specify the TCP port number for the OpenVPN Daemon
> Press ENTER for default : 443
Should client traffic be routed by default through the VPN?
> Press ENTER for default [yes]: yes
Should client DNS traffic be routed by default through the VPN?
> Press ENTER for default [yes]: yes
Use local authentication via internal DB?
> Press ENTER for default [yes]: yes
Private subnets detected: ['172.31.0.0/16']
Should private subnets be accessible to clients by default?
> Press ENTER for EC2 default [yes]: yes
To initially login to the Admin Web UI, you must use a
username and password that successfully authenticates you
with the host UNIX system (you can later modify the settings
so that RADIUS or LDAP is used for authentication instead).
You can login to the Admin Web UI as "openvpnadmin" or specify
a different user account to use for this purpose.
Do you wish to login to the Admin UI as "openvpnadmin"?
> Press ENTER for default [yes]: yes
> Please specify your OpenVPN-AS license key (or leave blank to specify later):
Adding new user login...
useradd -s /sbin/nologin "openvpnadmin"
Writing as configuration file...
Perform sa init...
Wiping any previous userdb...
Creating default profile...
Modifying default profile...
Adding new user to userdb...
Modifying new user as superuser in userdb...
Preparing web certificates...
Getting web user account...
Adding web group account...
Adding web group...
Adjusting license directory ownership...
Generating init scripts...
Generating PAM config...
Generating init scripts auto command...
NOTE: Your system clock must be correct for OpenVPN Access Server
to perform correctly. Please ensure that your time and date
are correct on this system.
Initial Configuration Complete!
You can now continue configuring OpenVPN Access Server by
directing your Web browser to this URL:
Login as "openvpnadmin" with the same password used to authenticate
to this UNIX host.
During normal operation, OpenVPN AS can be accessed via these URLs:
Admin UI: https://126.96.36.199:943/admin
Client UI: https://188.8.131.52:943/
See the Release Notes for this release at:
2. Login to OpenVPN admin interface
Point your browser to https://OpenVPN-AS-IP:943/admin and type user name and password that we have provided as a text data while configuring EC2 instance details.
Accept the license
You will be taken to OpenVPN access server's status page. Here you can browse all features of OpenVPN AS.
Click "Server Network Settings" under Configuration from left sidebar menu list. You will find that host name is set to the value that we pass as a data text while configuring instance details. Interface is set to all, protocol to both .i.e TCP and UDP. Services are forwarded to Admin/Client web server. You can also change the UDP/TCP port number to your choice through this page.
Under User Management->User permissions, create a new user and tick Allow Auto-login to on. Once done click "Save Settings". We have chosen the user name as linuxuser.
In the next page yo will be prompted to update the server to propagate new settings to the server. Click "Update Running Server"
Coming back to user permissions settings, Click "Show" for user that we have created in the previous step under more settings column. Provide a password for the user and click "save settings" followed by "Update Running Server".
Access client UI in browser by pointing it to https://OpenVPN-AS-Server-IP:943/ Provide the user name and password that you have created in the last step.
Once successfully logged in, you will find list of client we can use to connect to OpenVPN AS. We will connect the OpenVPN server from a linux client. Download the autologin profile that will be needed to connect to OpenVPN server from a client.
2. Configure OpenVPN Client
We will connect OpenVPN AS from a linux client (CentOS 7) Install OpenVPN in the linux client using the following command.
[root@mysandbox ]# yum install openvpn
Add an entry of hostname/IP of OpenVPN server in /etc/hosts since client.ovpn will contain lines like remote openvpnserver 1194 udp. To resolve the hostname of openvpnserver we need to attach hostname/IP pair in /etc/hosts. Once done, restart network.
[thegeek@mysandbox ~]$ cat /etc/hosts
[thegeek@mysandbox ~]$ service network restart
If you don't like this then in the OpenVPN server's admin console, change the hostname to public IP of the OpenVPN server. Save the settings and update the server to propagate new settings to the server. Next Log out from the client UI and download the freshly generated client.ovpn ( auto-login profile ) after logging through client UI again.
Now connect to the OpenVPN server assuming you have client.ovpn that we have downloaded earlier in the CWD.
[root@mysandbox]# openvpn --config client.ovpn
Thu Feb 2 19:39:48 2017 OpenVPN 2.3.11 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Feb 2 2017
Thu Feb 2 19:39:48 2017 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Thu Feb 2 19:39:48 2017 Control Channel Authentication: tls-auth using INLINE static key file
Thu Feb 2 19:39:48 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 2 19:39:48 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 2 19:39:48 2017 Socket Buffers: R=[180224->200000] S=[180224->200000]
Thu Feb 2 19:39:48 2017 UDPv4 link local: [undef]
Thu Feb 2 19:39:48 2017 UDPv4 link remote: [AF_INET]184.108.40.206:1194
Thu Feb 2 19:39:50 2017 TLS: Initial packet from [AF_INET]220.127.116.11:1194, sid=30bcd180 84319d7d
Thu Feb 2 19:39:51 2017 VERIFY OK: depth=1, CN=OpenVPN CA
Thu Feb 2 19:39:51 2017 VERIFY OK: nsCertType=SERVER
Thu Feb 2 19:39:51 2017 VERIFY OK: depth=0, CN=OpenVPN Server
Thu Feb 2 19:39:52 2017 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Feb 2 19:39:52 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 2 19:39:52 2017 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Feb 2 19:39:52 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 2 19:39:52 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
Thu Feb 2 19:39:52 2017 [OpenVPN Server] Peer Connection Initiated with [AF_INET]18.104.22.168:1194
Thu Feb 2 19:39:54 2017 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Thu Feb 2 19:39:54 2017 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,comp-lzo yes,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 172.27.232.1,dhcp-option DNS 172.31.0.2,register-dns,block-ipv6,ifconfig 172.27.232.3 255.255.248.0'
Thu Feb 2 19:39:54 2017 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:1 is ignored by previous <connection> blocks
Thu Feb 2 19:39:54 2017 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.3.11)
Thu Feb 2 19:39:54 2017 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.3.11)
Thu Feb 2 19:39:54 2017 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.3.11)
Thu Feb 2 19:39:54 2017 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:16: register-dns (2.3.11)
Thu Feb 2 19:39:54 2017 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:17: block-ipv6 (2.3.11)
Thu Feb 2 19:39:54 2017 OPTIONS IMPORT: timers and/or timeouts modified
Thu Feb 2 19:39:54 2017 OPTIONS IMPORT: explicit notify parm(s) modified
Thu Feb 2 19:39:54 2017 OPTIONS IMPORT: LZO parms modified
Thu Feb 2 19:39:54 2017 OPTIONS IMPORT: --ifconfig/up options modified
Thu Feb 2 19:39:54 2017 OPTIONS IMPORT: route options modified
Thu Feb 2 19:39:54 2017 OPTIONS IMPORT: route-related options modified
Thu Feb 2 19:39:54 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Feb 2 19:39:54 2017 ROUTE_GATEWAY ON_LINK IFACE=ppp0 HWADDR=00:00:00:00:00:00
Thu Feb 2 19:39:54 2017 TUN/TAP device tun0 opened
Thu Feb 2 19:39:54 2017 TUN/TAP TX queue length set to 100
Thu Feb 2 19:39:54 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Feb 2 19:39:54 2017 /sbin/ifconfig tun0 172.27.232.3 netmask 255.255.248.0 mtu 1500 broadcast 172.27.239.255
Thu Feb 2 19:40:00 2017 ROUTE remote_host is NOT LOCAL
Thu Feb 2 19:40:00 2017 /sbin/route add -net 22.214.171.124 netmask 255.255.255.255 dev ppp0
Thu Feb 2 19:40:00 2017 /sbin/route add -net 0.0.0.0 netmask 126.96.36.199 gw 172.27.232.1
Thu Feb 2 19:40:00 2017 /sbin/route add -net 188.8.131.52 netmask 184.108.40.206 gw 172.27.232.1
Thu Feb 2 19:40:00 2017 Initialization Sequence Completed
Check the tunnel information through ifconfig
Now visit OpenVPN access server's status page again and click "List" under "At a glance" in the right side bar.
In the next page, you can view all the users who are currently using the OpenVPN server.
You can also connect to OpenVPN server from other clients like Android, Windows, MAC etc. You need to install openvpn package in these clients and while connecting the server specify the client.ovpn location and you are done.
Thats all for OpenVPN AS in AWS ! You can now browse/communicate through internet securely. OpenVPN server will protect your location and identity. You can now harden server's SSH and other settings that we left as world open in AWS security group. Hope you have enjoyed this article and thanks for reading this article.