How to Set Up OpenVPN Access Server on AWS

February 9, 2017 | SECURITY

This article covers how to set up OpenVPN Access Server on AWS using Amazon's pre-built machine image. OpenVPN is an open source application that creates a secure point-to-point or site-to-site VPN connection in bridged or routed mode. It uses SSL/TLS and can traverse NAT devices and firewalls. OpenVPN has been ported to embedded systems such as DD-WRT, OpenWRT and pfSense. OpenVPN Access Server is based on the community version but adds paid, proprietary features such as LDAP, SMB and RADIUS authentication and a web UI for management, and it is available as a machine image in AWS.

Prerequisite:

You must have an AWS account; if you do not have one yet, create one using Amazon's free tier. We will use the pre-configured Amazon Machine Image (AMI) for OpenVPN-AS to install the OpenVPN server and have it deployed in minutes.

1. Create EC2 instance for OpenVPN Access Server

Amazon EC2 (Elastic Compute Cloud) provides virtual servers in the cloud with a wide range of RAM sizes and compute capacities. We will use Amazon's free tier to launch our OpenVPN-AS.

Go to the AWS console and select EC2 to launch a virtual server for this tutorial: click Services -> Group A-Z -> EC2.

Select EC2 service in AWS

In the EC2 dashboard, click "Launch instance".

Launch ec2 instance

Now select AWS Marketplace, type OpenVPN in the search box and press Enter. OpenVPN Access Server will appear in the results; select its title to proceed.

Search OpenVPN image

Choose an instance type depending on your requirements, expected traffic, number of users and so on. For this tutorial we choose the t2.micro instance. Click "Next: configure instance details" to proceed.

Choose AWS instance type

In the next two screenshots, configure the instance details such as the number of instances, auto-assign public IP and shutdown behaviour. Auto-assign public IP is enabled because the OpenVPN Access Server must be reachable from the outside world.

configure EC2 instance details

Under the "Advanced details" section, we pass parameters as text in the user data field; these are available to the instance at boot time. The parameters of interest are:

public_hostname=openvpnserver
admin_user=openvpnadmin
admin_pw=openvpnpassword
reroute_gw=1
reroute_dns=1

Now click "Next: Add storage".

Configure EC2 instance details

Add storage to the instance. Although the volume type is shown as Magnetic here, we will override it with "General Purpose SSD" in the final step, which performs better than the previous-generation EBS Magnetic volumes. Click "Next: Add Tags" to proceed to the next step.

Add storage to EC2 instance

Tag the instance with key-value pairs. We have tagged ours with the pair Name:OpenVPN. Click "Next: Configure Security Group".

Add tag to EC2 instance

A security group is generated automatically for the instance. Choose "Create a new security group" and click "Review and launch". For the moment we leave SSH open to the world; it can be hardened later by restricting it to a CIDR range or to My IP.

Create Security group for EC2 instance

Override the volume type with General Purpose SSD and click "Next".

Boot from SSD

Ignore the warning for the moment and click "Launch".

Review EC2 instance and launch

Create a new key pair and download the key; you need it to SSH into the OpenVPN server. You can also choose "Existing key pair" if you have already created a key and have access to it. Finally, click "Launch instance".

Create a new key pair

In the next screen click "View instance".

View ec2 instance

From the EC2 dashboard, right-click the OpenVPN instance and click Connect. Copy the connection string, paste it into a temporary text file and click "Close".

Copy SSH connection string

Since we want to give our OpenVPN server a fixed public IP, select "Elastic IP" and click "Allocate new address".

Allocate elastic IP to the instance

In the next screen click "Allocate".

Allocate elastic IP confirmation

You will get a confirmation of successful allocation of elastic IP. Click "Close".

Close Elastic IP Dialog Box

Now we need to associate this Elastic IP with the OpenVPN instance. In the Elastic IP dashboard, select the allocated address, click the Actions drop-down and choose "Associate address".

Associate Elastic IP to instance

In the next screen, open the instance drop-down list, select the OpenVPN instance and click "Associate".

Choose instance to associate elastic IP

You will get a confirmation of successful association; close the dialog.

Close EIP association dialog box

Now that the OpenVPN Access Server instance is up and running, we will SSH into it to initialize OpenVPN. First, set proper permissions on the key file downloaded in the earlier step.

[thegeek@mysandbox Downloads]$ chmod 400 OpenVPN-Server.pem

Take the SSH connection string copied earlier, replace the user root with openvpnas and connect to the remote OpenVPN AS with the following command. Once connected, switch to root with sudo -i.

[thegeek@mysandbox ]$ ssh -i "OpenVPN-Server.pem" openvpnas@ec2-52-221-74-192.ap-southeast-1.compute.amazonaws.com

openvpnas@openvpnas2:~$ sudo -i

Once you are in the root shell, run the OpenVPN initial configuration tool with the following command.

root@openvpnas2:# sudo ovpn-init --ec2

Detected an existing OpenVPN-AS configuration.
Continuing will delete this configuration and restart from scratch.
Please enter 'DELETE' to delete existing configuration: DELETE

OpenVPN Access Server
Initial Configuration Tool
------------------------------------------------------
OpenVPN Access Server End User License Agreement (OpenVPN-AS EULA)

1. Copyright Notice: OpenVPN Access Server License;
Copyright (c) 2009-2013 OpenVPN Technologies, Inc.. All rights reserved.
"OpenVPN" is a trademark of OpenVPN Technologies, Inc.
--------------------------------------

--------------------------------------
11. Purchasing a license key does not entitle you to any special rights or
privileges, except the ones explicitly outlined in this user agreement.
Unless otherwise arranged prior to your purchase with OpenVPN Technologies,
Inc., software maintenance costs and terms are subject to change after your
initial purchase without notice. In case of price decreases or special
promotions, OpenVPN Technologies, Inc. will not retrospectively apply
credits or price adjustments toward any licenses that have already been
issued. Furthermore, no discounts will be given for license maintenance
renewals unless this is specified in your contract with OpenVPN
Technologies, Inc.

Please enter 'yes' to indicate your agreement [no]: yes

Once you provide a few initial configuration settings,
OpenVPN Access Server can be configured by accessing
its Admin Web UI using your Web browser.

Will this be the primary Access Server node?
(enter 'no' to configure as a backup or standby node)
> Press ENTER for default [yes]: yes

Please specify the network interface and IP address to be
used by the Admin Web UI:
(1) all interfaces: 0.0.0.0
(2) eth0: 172.31.16.206
Please enter the option number from the list above (1-2).
> Press Enter for default [2]: 1

Please specify the port number for the Admin Web UI.
> Press ENTER for default [943]: 943

Please specify the TCP port number for the OpenVPN Daemon
> Press ENTER for default [443]: 443

Should client traffic be routed by default through the VPN?
> Press ENTER for default [yes]: yes

Should client DNS traffic be routed by default through the VPN?
> Press ENTER for default [yes]: yes

Use local authentication via internal DB?
> Press ENTER for default [yes]: yes

Private subnets detected: ['172.31.0.0/16']

Should private subnets be accessible to clients by default?
> Press ENTER for EC2 default [yes]: yes

To initially login to the Admin Web UI, you must use a
username and password that successfully authenticates you
with the host UNIX system (you can later modify the settings
so that RADIUS or LDAP is used for authentication instead).

You can login to the Admin Web UI as "openvpnadmin" or specify
a different user account to use for this purpose.

Do you wish to login to the Admin UI as "openvpnadmin"?
> Press ENTER for default [yes]: yes

> Please specify your OpenVPN-AS license key (or leave blank to specify later):

Initializing OpenVPN...
Adding new user login...
useradd -s /sbin/nologin "openvpnadmin"
Writing as configuration file...
Perform sa init...
Wiping any previous userdb...
Creating default profile...
Modifying default profile...
Adding new user to userdb...
Modifying new user as superuser in userdb...
Getting hostname...
Hostname: openvpnserver
Preparing web certificates...
Getting web user account...
Adding web group account...
Adding web group...
Adjusting license directory ownership...
Initializing confdb...
Generating init scripts...
Generating PAM config...
Generating init scripts auto command...
Starting openvpnas...

NOTE: Your system clock must be correct for OpenVPN Access Server
to perform correctly.  Please ensure that your time and date
are correct on this system.

Initial Configuration Complete!

You can now continue configuring OpenVPN Access Server by
directing your Web browser to this URL:

https://52.221.74.192:943/admin
Login as "openvpnadmin" with the same password used to authenticate
to this UNIX host.

During normal operation, OpenVPN AS can be accessed via these URLs:
Admin  UI: https://52.221.74.192:943/admin
Client UI: https://52.221.74.192:943/

See the Release Notes for this release at:
http://www.openvpn.net/access-server/rn/openvpn_as_2_1_4b.html

2. Log in to the OpenVPN admin interface

Point your browser to https://OpenVPN-AS-IP:943/admin and enter the user name and password that we provided as user data while configuring the EC2 instance details. Note that user data is stored in plain text and can be read back from the instance metadata service and through the EC2 API, so change the admin password after the first login.

OpenVPN AS login page

Accept the license.

OpenVPN accept licence

You will be taken to OpenVPN access server's status page. Here you can browse all features of OpenVPN AS.

OpenVPN access server overview

Click "Server Network Settings" under Configuration in the left sidebar. The host name is set to the value we passed as user data while configuring the instance details; the interface is set to all and the protocol to both, i.e. TCP and UDP. Services are forwarded to the Admin/Client web server. You can also change the UDP/TCP port numbers on this page.

OpenVPN server network settings

Under User Management -> User Permissions, create a new user and tick "Allow Auto-login". Once done, click "Save Settings". We have chosen linuxuser as the user name.

OpenVPN create user

On the next page you will be prompted to update the server so that the new settings are propagated. Click "Update Running Server".

OpenVPN update running server

Back in User Permissions, click "Show" in the More Settings column for the user created in the previous step. Provide a password for the user and click "Save Settings", followed by "Update Running Server".

OpenVPN update password for user

Access the client UI by pointing your browser to https://OpenVPN-AS-Server-IP:943/ and provide the user name and password created in the last step.

OpenVPN client login

Once logged in, you will see the list of clients that can be used to connect to OpenVPN AS. We will connect from a Linux client, so download the autologin profile, which is needed to connect to the OpenVPN server from the client.

Download OpenVPN autologin profile for client

3. Configure OpenVPN Client

We will connect to OpenVPN AS from a Linux client (CentOS 7). Install OpenVPN on the client with the following command.

[root@mysandbox ]# yum install openvpn

Add a hostname/IP entry for the OpenVPN server to /etc/hosts, because client.ovpn contains a line like remote openvpnserver 1194 udp and the client must be able to resolve openvpnserver. Once done, restart the network.

[thegeek@mysandbox ~]$ cat /etc/hosts
52.221.74.192   openvpnserver

[thegeek@mysandbox ~]$ service network restart

If you prefer not to do this, change the hostname in the OpenVPN server's admin console to the public IP of the OpenVPN server, save the settings and update the running server to propagate them. Then log out of the client UI, log in again and download the freshly generated client.ovpn (auto-login profile).

OpenVPN AS change hostname

Now connect to the OpenVPN server, assuming the client.ovpn downloaded earlier is in the current working directory.

[root@mysandbox]# openvpn --config client.ovpn
Thu Feb  2 19:39:48 2017 OpenVPN 2.3.11 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Feb  2 2017
Thu Feb  2 19:39:48 2017 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Thu Feb  2 19:39:48 2017 Control Channel Authentication: tls-auth using INLINE static key file
Thu Feb  2 19:39:48 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb  2 19:39:48 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb  2 19:39:48 2017 Socket Buffers: R=[180224->200000] S=[180224->200000]
Thu Feb  2 19:39:48 2017 UDPv4 link local: [undef]
Thu Feb  2 19:39:48 2017 UDPv4 link remote: [AF_INET]52.221.74.192:1194
Thu Feb  2 19:39:50 2017 TLS: Initial packet from [AF_INET]52.221.74.192:1194, sid=30bcd180 84319d7d
Thu Feb  2 19:39:51 2017 VERIFY OK: depth=1, CN=OpenVPN CA
Thu Feb  2 19:39:51 2017 VERIFY OK: nsCertType=SERVER
Thu Feb  2 19:39:51 2017 VERIFY OK: depth=0, CN=OpenVPN Server
Thu Feb  2 19:39:52 2017 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Feb  2 19:39:52 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb  2 19:39:52 2017 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Feb  2 19:39:52 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb  2 19:39:52 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
Thu Feb  2 19:39:52 2017 [OpenVPN Server] Peer Connection Initiated with [AF_INET]52.221.74.192:1194
Thu Feb  2 19:39:54 2017 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Thu Feb  2 19:39:54 2017 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,comp-lzo yes,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 172.27.232.1,dhcp-option DNS 172.31.0.2,register-dns,block-ipv6,ifconfig 172.27.232.3 255.255.248.0'
Thu Feb  2 19:39:54 2017 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:1 is ignored by previous <connection> blocks
Thu Feb  2 19:39:54 2017 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.3.11)
Thu Feb  2 19:39:54 2017 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.3.11)
Thu Feb  2 19:39:54 2017 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.3.11)
Thu Feb  2 19:39:54 2017 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:16: register-dns (2.3.11)
Thu Feb  2 19:39:54 2017 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:17: block-ipv6 (2.3.11)
Thu Feb  2 19:39:54 2017 OPTIONS IMPORT: timers and/or timeouts modified
Thu Feb  2 19:39:54 2017 OPTIONS IMPORT: explicit notify parm(s) modified
Thu Feb  2 19:39:54 2017 OPTIONS IMPORT: LZO parms modified
Thu Feb  2 19:39:54 2017 OPTIONS IMPORT: --ifconfig/up options modified
Thu Feb  2 19:39:54 2017 OPTIONS IMPORT: route options modified
Thu Feb  2 19:39:54 2017 OPTIONS IMPORT: route-related options modified
Thu Feb  2 19:39:54 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Feb  2 19:39:54 2017 ROUTE_GATEWAY ON_LINK IFACE=ppp0 HWADDR=00:00:00:00:00:00
Thu Feb  2 19:39:54 2017 TUN/TAP device tun0 opened
Thu Feb  2 19:39:54 2017 TUN/TAP TX queue length set to 100
Thu Feb  2 19:39:54 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Feb  2 19:39:54 2017 /sbin/ifconfig tun0 172.27.232.3 netmask 255.255.248.0 mtu 1500 broadcast 172.27.239.255
Thu Feb  2 19:40:00 2017 ROUTE remote_host is NOT LOCAL
Thu Feb  2 19:40:00 2017 /sbin/route add -net 52.221.74.192 netmask 255.255.255.255 dev ppp0
Thu Feb  2 19:40:00 2017 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 172.27.232.1
Thu Feb  2 19:40:00 2017 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 172.27.232.1
Thu Feb  2 19:40:00 2017 Initialization Sequence Completed
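The connection log above tells you what the tunnel actually negotiated. As an added example (not from the article or from OpenVPN), the following script parses such a client log and checks what a defender wants confirmed: that the server pushed a full-tunnel route and VPN DNS (matching reroute_gw=1 and reroute_dns=1 in the user data) and whether the negotiated cipher and TLS version are current. The sample log is constructed from the lines above; a real run would read the whole log file.

```python
import re

# Constructed sample in the format of the `openvpn --config client.ovpn` log above;
# the values are copied from that log. A real run would read the full log file.
SAMPLE_LOG = """\
Thu Feb  2 19:39:52 2017 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Feb  2 19:39:52 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb  2 19:39:52 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
Thu Feb  2 19:39:54 2017 PUSH: Received control message: 'PUSH_REPLY,topology subnet,redirect-gateway def1,redirect-gateway bypass-dhcp,route-gateway 172.27.232.1,dhcp-option DNS 172.31.0.2,block-ipv6,ifconfig 172.27.232.3 255.255.248.0'
Thu Feb  2 19:40:00 2017 Initialization Sequence Completed
"""

# One regex per negotiated parameter; each has a single capture group.
FIELDS = {
    "cipher": re.compile(r"Data Channel Encrypt: Cipher '([^']+)'"),
    "hmac": re.compile(r"Data Channel Encrypt: Using \d+ bit message hash '([^']+)'"),
    "tls": re.compile(r"Control Channel: (TLSv[\d.]+),"),
    "push": re.compile(r"Received control message: 'PUSH_REPLY,([^']*)'"),
}

def parse_client_log(text):
    """Extract negotiated primitives and the server's pushed options from a client log."""
    info = {"cipher": None, "hmac": None, "tls": None, "push": [], "completed": False}
    for line in text.splitlines():
        for key, rx in FIELDS.items():
            m = rx.search(line)
            if m:
                # the PUSH_REPLY payload is a comma-separated option list
                info[key] = m.group(1).split(",") if key == "push" else m.group(1)
        if "Initialization Sequence Completed" in line:
            info["completed"] = True
    return info

def pushed(info, prefix):
    """True if the server pushed an option that starts with `prefix`."""
    return any(opt.startswith(prefix) for opt in info["push"])

def tunnel_checks(info):
    """What to confirm on a client meant to be full-tunnel (reroute_gw=1 and
    reroute_dns=1 in the user data), plus whether the negotiated crypto is current."""
    return {
        "tunnel established": info["completed"],
        "full tunnel (redirect-gateway def1 pushed)": pushed(info, "redirect-gateway def1"),
        "DNS routed via VPN (dhcp-option DNS pushed)": pushed(info, "dhcp-option DNS"),
        "AEAD data-channel cipher (GCM)": bool(info["cipher"] and info["cipher"].endswith("-GCM")),
        "control channel TLS 1.2 or newer": info["tls"] not in (None, "TLSv1", "TLSv1.1"),
    }

if __name__ == "__main__":
    info = parse_client_log(SAMPLE_LOG)
    for name, ok in tunnel_checks(info).items():
        print("[%s] %s" % ("ok" if ok else "!!", name))
```

On the 2017 log above the routing checks pass while the two crypto checks fail, since that client negotiated AES-128-CBC with SHA1 HMAC over TLSv1; a current client and server negotiate AES-GCM and TLS 1.2 or newer.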

Check the tunnel interface with ifconfig.

[thegeek@mysandbox]$ ifconfig

OpenVPN tunnel created

Now visit OpenVPN access server's status page again and click "List" under "At a glance" in the right side bar.

Openvpn list user

In the next page, you can view all the users who are currently using the OpenVPN server.

OpenVPN list current user

You can also connect to the OpenVPN server from other clients such as Android, Windows and macOS: install the OpenVPN client package, point it at the client.ovpn profile when connecting, and you are done.

Conclusions

That's all for OpenVPN AS in AWS! You can now browse and communicate over the internet securely; the OpenVPN server protects your location and identity. You should now harden SSH and the other settings we left open to the world in the AWS security group. We hope you enjoyed this article, and thank you for reading.
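The hardening the conclusion leaves to the reader, as an added example that is not from the article, OpenVPN or AWS: it plans and applies the security-group change with boto3. It assumes a group dict in the shape `describe_security_groups` returns (here a constructed sample with a placeholder GroupId, reflecting the wizard-generated group with SSH and the Web UI open to the world) and an admin CIDR you choose; the VPN port that clients use is left untouched.

```python
import ipaddress

# Constructed sample of what boto3's describe_security_groups returns for the
# wizard-generated group, trimmed to the fields used here. The GroupId is a
# placeholder. 22/tcp and the Web UI port 943/tcp are open to the world, as the
# launch wizard left them; 1194/udp is the VPN port that clients connect to.
SAMPLE_SG = {
    "GroupId": "sg-PLACEHOLDER",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 943, "ToPort": 943,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "udp", "FromPort": 1194, "ToPort": 1194,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

ADMIN_PORTS = {22, 943}           # SSH and the Admin/Client Web UI: admins only
WORLD = {"0.0.0.0/0", "::/0"}

def plan_hardening(sg, admin_cidr):
    """Return (revoke, authorize) IpPermissions lists that replace world access on
    ADMIN_PORTS with access from admin_cidr only. Client-facing VPN ports are untouched."""
    net = ipaddress.ip_network(admin_cidr)        # ValueError on a malformed CIDR
    if admin_cidr in WORLD:
        raise ValueError("admin_cidr must be a specific range, not the whole internet")
    admin_range = ({"Ipv6Ranges": [{"CidrIpv6": admin_cidr}]} if net.version == 6
                   else {"IpRanges": [{"CidrIp": admin_cidr}]})
    revoke, authorize = [], []
    for perm in sg["IpPermissions"]:
        if perm["IpProtocol"] != "tcp" or perm["FromPort"] not in ADMIN_PORTS:
            continue
        world_v4 = [r for r in perm.get("IpRanges", []) if r["CidrIp"] in WORLD]
        world_v6 = [r for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] in WORLD]
        if not world_v4 and not world_v6:
            continue                               # already restricted: nothing to do
        ports = {"IpProtocol": "tcp", "FromPort": perm["FromPort"], "ToPort": perm["ToPort"]}
        world = {k: v for k, v in [("IpRanges", world_v4), ("Ipv6Ranges", world_v6)] if v}
        revoke.append({**ports, **world})
        authorize.append({**ports, **admin_range})
    return revoke, authorize

def apply_hardening(sg, admin_cidr, region):
    """Apply the plan with boto3 (needs AWS credentials; not run offline). Authorize
    the admin range first so there is never a moment without an admin rule."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    revoke, authorize = plan_hardening(sg, admin_cidr)
    if authorize:
        ec2.authorize_security_group_ingress(GroupId=sg["GroupId"], IpPermissions=authorize)
    if revoke:
        ec2.revoke_security_group_ingress(GroupId=sg["GroupId"], IpPermissions=revoke)
    return len(revoke), len(authorize)
```

Run plan_hardening first and review the two lists before calling apply_hardening, and check afterwards with describe_security_groups that no admin port still lists 0.0.0.0/0 or ::/0.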
