This article covers how to setup OpenVPN access server using amazon's machine image. OpenVPN is an open source application that uses a VPN method for creating a secure connection between point-to-point OR site-to-site connections in bridged/routed mode. It uses SSL and TLS connections to traverse NAT connections and firewalls. OpenVPN has been ported to embedded systems like DD-WRT, OpenWRT, pfsense etc. OpenVPN access server is based on the community version but offers few others paid and proprietary service like LDAP, SMB, Web UI management, Radius server etc. in AWS.
You must have an AWS account. If you still don't have it then, create an account using amazon's free tier. We will use pre-configured Amazon's machine image (AMI) for OpenVPN-AS to install OpenVPN server and deploy it in minutes.
1. Create EC2 instance for OpenVPN Access Server
Amazon's ec2 ( Elastic compute cloud ) is virtual servers in the cloud with wide range of RAM sizes, compute powers. We will use amazons free tier to launch our OpenVPN-AS.
Goto amazon web service console and select EC2 to launch a virtual server for this tutorial. To do that click services->Group A-Z->EC2
In the EC2 dashboard, click "Launch instance".
Now select AWS Marketplace and type OpenVPN in the search box and press Enter. You will find the OpenVPN Access Server in the result. Select the OpenVPN Access Server title to proceed.
Choose an instance type depending on your requirements/traffics/no of users etc. For our tutorial, we will choose t2.micro instance. Click "Next: configure instance details" to proceed.
In the next two screen-shots, configure the instance details like no of instance, auto-assign public IP, shutdown behaviour. The auto-assign public IP is enabled since we want our OpenVPN access server to communicate with outside world.
Under "Advance details" section, we will pass parameters in the users data as text and these will be available to the instance during boot time. The parameters of our interest are-
public_hostname=openvpnserver admin_user=openvpnadmin admin_pw=openvpnpassword reroute_gw=1 reroute_dns=1
Now click "Next:Add storage"
Add storage to the instance. Though we have chosen volume type as Magnetic, we will overwrite the volume type as "General type SSD" in the final step which is more efficient in performance wise than previous generation "EBS magnetic". Click "Next: add Tags" to proceed to the next step.
Tag the instance which is a combination of key-Value pair. We have tagged our instance with key value pair of Name:OpenVPN. Click "Next:Configure Security groups"
A security group will be auto generated for you for the instance. Choose "Create a new security group" and click "Review and launch". For the moment we kept the SSH world open which can be later harden with CIDR range or My IP. Click "Review and launch".
Override the volume type as general type SSD and click "Next"
Ignore the warning for the moment and click "Launch"
Create a new key pair and download the key. You need it to SSH into the OpenVPN server. You can also choose "Existing key pair" if you have already created the key and have access to it. Finally click "Launch instance"
In the next screen click "View instance"
From the EC2 dashboard, Right click the OpenVPN instance and click connect. Now copy the connection string and paste it in a temporary text file and click "Close".
Since we want to associate our OpenVPN server with a public IP, Select "Elastic IP" and click "Allocate new address"
In the next screen click "Allocate"
You will get a confirmation of successful allocation of elastic IP. Click "Close".
Now we need to associate this elastic IP to the OpenVPN instance. In Elastic IP dashboard, select the allocated elastic IP, click the Actions drop-box and choose "Associate address".
In the next screen, click instance drop down list and select the OpenVPN instance and click "Associate".
You will get a confirmation of successful association. Click ""
Now that our OpenVPN access server instance is up and running, we will SSH into it to initialize the OpenVPN. First assign proper permission to the key file that we have downloaded in earlier step.
[thegeek@mysandbox Downloads]$ chmod 400 OpenVPN-Server.pem
Remember we have copied the SSH connection string earlier, edit the string and change user root with openvpnas and connect to the remote OpenVPN AS with the following command. Once connected, change to root by sudo -i
[thegeek@mysandbox ]$ ssh -i "OpenVPN-Server.pem" firstname.lastname@example.org openvpnas@openvpnas2:~$ sudo -i
One you get into the root shell, run openVPN initial configuration tool with the following command.
root@openvpnas2:# sudo ovpn-init --ec2 Detected an existing OpenVPN-AS configuration. Continuing will delete this configuration and restart from scratch. Please enter 'DELETE' to delete existing configuration: DELETE OpenVPN Access Server Initial Configuration Tool ------------------------------------------------------ OpenVPN Access Server End User License Agreement (OpenVPN-AS EULA) 1. Copyright Notice: OpenVPN Access Server License; Copyright (c) 2009-2013 OpenVPN Technologies, Inc.. All rights reserved. "OpenVPN" is a trademark of OpenVPN Technologies, Inc. -------------------------------------- -------------------------------------- 11. Purchasing a license key does not entitle you to any special rights or privileges, except the ones explicitly outlined in this user agreement. Unless otherwise arranged prior to your purchase with OpenVPN Technologies, Inc., software maintenance costs and terms are subject to change after your initial purchase without notice. In case of price decreases or special promotions, OpenVPN Technologies, Inc. will not retrospectively apply credits or price adjustments toward any licenses that have already been issued. Furthermore, no discounts will be given for license maintenance renewals unless this is specified in your contract with OpenVPN Technologies, Inc. Please enter 'yes' to indicate your agreement [no]: yes Once you provide a few initial configuration settings, OpenVPN Access Server can be configured by accessing its Admin Web UI using your Web browser. Will this be the primary Access Server node? (enter 'no' to configure as a backup or standby node) > Press ENTER for default [yes]: yes Please specify the network interface and IP address to be used by the Admin Web UI: (1) all interfaces: 0.0.0.0 (2) eth0: 172.31.16.206 Please enter the option number from the list above (1-2). > Press Enter for default : 1 Please specify the port number for the Admin Web UI. > Press ENTER for default : 943 Please specify the TCP port number for the OpenVPN Daemon > Press ENTER for default : 443 Should client traffic be routed by default through the VPN? > Press ENTER for default [yes]: yes Should client DNS traffic be routed by default through the VPN? > Press ENTER for default [yes]: yes Use local authentication via internal DB? > Press ENTER for default [yes]: yes Private subnets detected: ['172.31.0.0/16'] Should private subnets be accessible to clients by default? > Press ENTER for EC2 default [yes]: yes To initially login to the Admin Web UI, you must use a username and password that successfully authenticates you with the host UNIX system (you can later modify the settings so that RADIUS or LDAP is used for authentication instead). You can login to the Admin Web UI as "openvpnadmin" or specify a different user account to use for this purpose. Do you wish to login to the Admin UI as "openvpnadmin"? > Press ENTER for default [yes]: yes > Please specify your OpenVPN-AS license key (or leave blank to specify later): Initializing OpenVPN... Adding new user login... useradd -s /sbin/nologin "openvpnadmin" Writing as configuration file... Perform sa init... Wiping any previous userdb... Creating default profile... Modifying default profile... Adding new user to userdb... Modifying new user as superuser in userdb... Getting hostname... Hostname: openvpnserver Preparing web certificates... Getting web user account... Adding web group account... Adding web group... Adjusting license directory ownership... Initializing confdb... Generating init scripts... Generating PAM config... Generating init scripts auto command... Starting openvpnas... NOTE: Your system clock must be correct for OpenVPN Access Server to perform correctly. Please ensure that your time and date are correct on this system. Initial Configuration Complete! You can now continue configuring OpenVPN Access Server by directing your Web browser to this URL: https://220.127.116.11:943/admin Login as "openvpnadmin" with the same password used to authenticate to this UNIX host. During normal operation, OpenVPN AS can be accessed via these URLs: Admin UI: https://18.104.22.168:943/admin Client UI: https://22.214.171.124:943/ See the Release Notes for this release at: http://www.openvpn.net/access-server/rn/openvpn_as_2_1_4b.html
2. Login to OpenVPN admin interface
Point your browser to https://OpenVPN-AS-IP:943/admin and type user name and password that we have provided as a text data while configuring EC2 instance details.
Accept the license
You will be taken to OpenVPN access server's status page. Here you can browse all features of OpenVPN AS.
Click "Server Network Settings" under Configuration from left sidebar menu list. You will find that host name is set to the value that we pass as a data text while configuring instance details. Interface is set to all, protocol to both .i.e TCP and UDP. Services are forwarded to Admin/Client web server. You can also change the UDP/TCP port number to your choice through this page.
Under User Management->User permissions, create a new user and tick Allow Auto-login to on. Once done click "Save Settings". We have chosen the user name as linuxuser.
In the next page yo will be prompted to update the server to propagate new settings to the server. Click "Update Running Server"
Coming back to user permissions settings, Click "Show" for user that we have created in the previous step under more settings column. Provide a password for the user and click "save settings" followed by "Update Running Server".
Access client UI in browser by pointing it to https://OpenVPN-AS-Server-IP:943/ Provide the user name and password that you have created in the last step.
Once successfully logged in, you will find list of client we can use to connect to OpenVPN AS. We will connect the OpenVPN server from a linux client. Download the autologin profile that will be needed to connect to OpenVPN server from a client.
2. Configure OpenVPN Client
We will connect OpenVPN AS from a linux client (CentOS 7) Install OpenVPN in the linux client using the following command.
[root@mysandbox ]# yum install openvpn
Add an entry of hostname/IP of OpenVPN server in /etc/hosts since client.ovpn will contain lines like remote openvpnserver 1194 udp. To resolve the hostname of openvpnserver we need to attach hostname/IP pair in /etc/hosts. Once done, restart network.
[thegeek@mysandbox ~]$ cat /etc/hosts 126.96.36.199 openvpnserver [thegeek@mysandbox ~]$ service network restart
If you don't like this then in the OpenVPN server's admin console, change the hostname to public IP of the OpenVPN server. Save the settings and update the server to propagate new settings to the server. Next Log out from the client UI and download the freshly generated client.ovpn ( auto-login profile ) after logging through client UI again.
Now connect to the OpenVPN server assuming you have client.ovpn that we have downloaded earlier in the CWD.
[root@mysandbox]# openvpn --config client.ovpn Thu Feb 2 19:39:48 2017 OpenVPN 2.3.11 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Feb 2 2017 Thu Feb 2 19:39:48 2017 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06 Thu Feb 2 19:39:48 2017 Control Channel Authentication: tls-auth using INLINE static key file Thu Feb 2 19:39:48 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Thu Feb 2 19:39:48 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Thu Feb 2 19:39:48 2017 Socket Buffers: R=[180224->200000] S=[180224->200000] Thu Feb 2 19:39:48 2017 UDPv4 link local: [undef] Thu Feb 2 19:39:48 2017 UDPv4 link remote: [AF_INET]188.8.131.52:1194 Thu Feb 2 19:39:50 2017 TLS: Initial packet from [AF_INET]184.108.40.206:1194, sid=30bcd180 84319d7d Thu Feb 2 19:39:51 2017 VERIFY OK: depth=1, CN=OpenVPN CA Thu Feb 2 19:39:51 2017 VERIFY OK: nsCertType=SERVER Thu Feb 2 19:39:51 2017 VERIFY OK: depth=0, CN=OpenVPN Server Thu Feb 2 19:39:52 2017 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key Thu Feb 2 19:39:52 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Thu Feb 2 19:39:52 2017 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key Thu Feb 2 19:39:52 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Thu Feb 2 19:39:52 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA Thu Feb 2 19:39:52 2017 [OpenVPN Server] Peer Connection Initiated with [AF_INET]220.127.116.11:1194 Thu Feb 2 19:39:54 2017 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1) Thu Feb 2 19:39:54 2017 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,comp-lzo yes,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 172.27.232.1,dhcp-option DNS 172.31.0.2,register-dns,block-ipv6,ifconfig 172.27.232.3 255.255.248.0' Thu Feb 2 19:39:54 2017 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:1 is ignored by previous <connection> blocks Thu Feb 2 19:39:54 2017 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.3.11) Thu Feb 2 19:39:54 2017 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.3.11) Thu Feb 2 19:39:54 2017 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.3.11) Thu Feb 2 19:39:54 2017 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:16: register-dns (2.3.11) Thu Feb 2 19:39:54 2017 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:17: block-ipv6 (2.3.11) Thu Feb 2 19:39:54 2017 OPTIONS IMPORT: timers and/or timeouts modified Thu Feb 2 19:39:54 2017 OPTIONS IMPORT: explicit notify parm(s) modified Thu Feb 2 19:39:54 2017 OPTIONS IMPORT: LZO parms modified Thu Feb 2 19:39:54 2017 OPTIONS IMPORT: --ifconfig/up options modified Thu Feb 2 19:39:54 2017 OPTIONS IMPORT: route options modified Thu Feb 2 19:39:54 2017 OPTIONS IMPORT: route-related options modified Thu Feb 2 19:39:54 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified Thu Feb 2 19:39:54 2017 ROUTE_GATEWAY ON_LINK IFACE=ppp0 HWADDR=00:00:00:00:00:00 Thu Feb 2 19:39:54 2017 TUN/TAP device tun0 opened Thu Feb 2 19:39:54 2017 TUN/TAP TX queue length set to 100 Thu Feb 2 19:39:54 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 Thu Feb 2 19:39:54 2017 /sbin/ifconfig tun0 172.27.232.3 netmask 255.255.248.0 mtu 1500 broadcast 172.27.239.255 Thu Feb 2 19:40:00 2017 ROUTE remote_host is NOT LOCAL Thu Feb 2 19:40:00 2017 /sbin/route add -net 18.104.22.168 netmask 255.255.255.255 dev ppp0 Thu Feb 2 19:40:00 2017 /sbin/route add -net 0.0.0.0 netmask 22.214.171.124 gw 172.27.232.1 Thu Feb 2 19:40:00 2017 /sbin/route add -net 126.96.36.199 netmask 188.8.131.52 gw 172.27.232.1 Thu Feb 2 19:40:00 2017 Initialization Sequence Completed
Check the tunnel information through ifconfig
Now visit OpenVPN access server's status page again and click "List" under "At a glance" in the right side bar.
In the next page, you can view all the users who are currently using the OpenVPN server.
You can also connect to OpenVPN server from other clients like Android, Windows, MAC etc. You need to install openvpn package in these clients and while connecting the server specify the client.ovpn location and you are done.
Thats all for OpenVPN AS in AWS ! You can now browse/communicate through internet securely. OpenVPN server will protect your location and identity. You can now harden server's SSH and other settings that we left as world open in AWS security group. Hope you have enjoyed this article and thanks for reading this article.