Friday, June 14, 2013

OpenVPN Server on AWS EC2


OpenVPN is a popular way to create an encrypted SSL/TLS tunnel from client machines into AWS. (It is not IPsec: OpenVPN runs its own TLS-based protocol over a single UDP or TCP port, which is exactly why it is easy to get through firewalls.)  However, there is not much documentation on the web that walks through setting up OpenVPN on AWS together with the client tools and configuration needed.  Here are step-by-step instructions for creating an encrypted SSL tunnel, with caveats included:

1. Create the OpenVPN instance on AWS: Spin up an Amazon Linux server (m1.small is fine) in a public subnet of the VPC you want to connect to. These instructions assume the VPC is a 10.0.0.0/16 network; adjust the addresses below if yours differs.  Put it in a separate security group with TCP 443 inbound from everywhere (for VPN connections) and TCP 22 inbound only from IPs you trust (for SSH admin).
      Note:
·   Need to create a VPC with a public subnet.  I created a VPC with a public and a private subnet, as the whole idea behind this exercise is to lock instances away from the outside world by placing them in private subnets.
·   Need to create a security group.  I created a new security group, OpenVPNConfig.  The rule for TCP port 443 (the port the OpenVPN server listens on) must allow the addresses your clients connect from; for road-warrior clients that means 0.0.0.0/0 or the public ranges you trust.  A rule that only allows 10.0.0.0/16 lets other VPC instances reach the port but not remote clients.
·   Allow 22 (SSH) from 0.0.0.0/0 for now, just to be able to work with the instance and configure it properly.  Once the OpenVPN server is running and tested you will administer it over the VPN only, so remove this rule.
·   Create a new key pair if desired.

2. Give the OpenVPN instance an Elastic IP. Allocate an EIP and associate it with the instance (strictly speaking, with the instance's primary ENI). The EIP is the address clients will connect to, so it must not change when the instance is stopped and started.

3. Log in, and yum install openvpn:

      A. sudo yum -y install openvpn

4. Follow this: http://www.openlogic.com/wazi/bid/188052/From-Zero-to-OpenVPN-in-30-Minutes, with one caveat: when you run the build-dh command it generates a dh1024.pem file. That is the file the server's dh directive needs, not 01.pem. (The 1024 comes from KEY_SIZE in the easy-rsa vars file; set KEY_SIZE=2048 before running the scripts and you get dh2048.pem and 2048-bit RSA keys, which is the minimum you should accept today.)
NOTE:
1.    The instructions say the easy-rsa files are in /usr/share/doc/openvpn/examples/easy-rsa/2.0, but on Amazon Linux they are actually in /usr/share/openvpn/easy-rsa/2.0.
2.    The scripts need to run as root: sudo su
3.    Command used: cp -r /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/
4.    I actually got 01.pem and 02.pem as well as dh1024.pem. The numbered .pem files are the CA's copies of each certificate it issued (one per build-key run, named by serial number); you do not reference them in any config.
Server Configuration: this is the same as the web page, starting at the section called Server Configuration.

5. Adjust the /etc/openvpn/openvpn.conf file to be something like this.  Note this uses TCP 443 instead of the default UDP 1194. The AWS security group would pass UDP just as well; the point of TCP 443 is that it also gets through restrictive client-side (hotel, guest, corporate) firewalls that only allow HTTPS out. The trade-off is TCP-over-TCP, which stalls badly on lossy links, so use UDP if your clients are never behind such firewalls. Two settings below are dated: BF-CBC (Blowfish, a 64-bit block cipher) should be replaced with AES-256-CBC or, on OpenVPN 2.4 and later, AES-256-GCM, on both server and client; and verb 6 is debug-level logging that fills the disk on a busy server, verb 3 is the usual production level.
port 443
proto tcp-server
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/test-system.crt
key /etc/openvpn/keys/test-system.key
dh /etc/openvpn/keys/dh1024.pem
cipher BF-CBC
server 10.8.0.0 255.255.255.0
push "route 10.0.0.0 255.255.0.0"
comp-lzo
verb 6
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 10 120
status openvpn-status.log

My file:
port 443
proto tcp-server
dev tun
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/openvpn-system.crt
key /etc/openvpn/2.0/keys/openvpn-system.key
dh /etc/openvpn/2.0/keys/dh1024.pem
cipher BF-CBC
server 10.8.0.0 255.255.255.0
push "route 10.0.0.0 255.255.0.0"
comp-lzo
verb 6
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 10 120
status openvpn-status.log

6. Make it auto-start: sudo chkconfig openvpn on && sudo service openvpn start
Note:
1. The startup failed the first time I tried to start it because of an error in my config file.  The init script swallows the message, so to see the actual error I ran openvpn by hand, without chkconfig, as: openvpn --config <config file location and name>.

7. Copy the client certificate, the client key and ca.crt from the server (client1.crt and client1.key, or whatever names you gave build-key in the instructions above) to your Mac.  Only those three files belong on a client: the server certificate, server key and Diffie-Hellman file stay on the server.
            A. My files were: ca.crt, openvpn-system.crt, tom.crt, tom.key, 01.pem (seems to be associated with openvpn-system.crt), 02.pem (seems to be associated with tom.crt)
B. And the Diffie-Hellman pem file: dh1024.pem
C. Copy using scp: scp -i /Users/tomlasz/Documents/Documents/EC2KeyPairs/OpenVPN.pem ec2-user@<elastic ip address>:/etc/openvpn/2.0/keys/tom.crt .
D. I needed to do a chmod 777 on the keys directory to get scp to work.
E. I needed to do a chmod 644 on the tom.key file to get scp to work on that file.
Caveat on D and E: loosening the permissions is the wrong fix. scp runs as ec2-user, and easy-rsa deliberately makes the keys directory root-only (mode 700) and the private keys mode 600, because that directory holds the CA key and the server key. A world-writable keys directory lets any local process replace the CA, and a world-readable client key lets any local user impersonate that client. Instead, as root, copy just ca.crt, tom.crt and tom.key into a staging directory owned by ec2-user with mode 600, scp from there, and then delete the staging copies. Leave the keys directory at 700 and the keys at 600.
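The following is an added example, not part of the original post: a small script for the export in step 7 that copies only the client-side files into a staging directory with tight permissions, so the easy-rsa keys directory never needs a chmod 777. The keys path, the ec2-user owner and the staging directory are assumptions you can override; run it on the server as root, scp the staged files to the Mac, then remove the staging directory.

```shell
#!/bin/sh
# Added example (not from the original post): export only the client-side
# files from the easy-rsa keys directory without loosening its permissions.
# Assumptions (example values): keys live in $KEYS_DIR, the client's
# common name is $1, files are staged into $2 for scp by user $3.
# On the server, as root:   sh stage.sh tom /home/ec2-user/vpn-export
# On the Mac:   scp -i OpenVPN.pem 'ec2-user@<elastic ip>:vpn-export/*' ~/.openvpn/
# then on the server:       rm -rf /home/ec2-user/vpn-export

KEYS_DIR="${KEYS_DIR:-/etc/openvpn/2.0/keys}"

# stage_client_files <common-name> <staging-dir> [owner]
# Copies ca.crt, <cn>.crt and <cn>.key into <staging-dir> (mode 700),
# each file mode 600 and owned by <owner> (default ec2-user).
# The server cert, server key and dh*.pem are deliberately not exported,
# and the mode of $KEYS_DIR is never touched.
stage_client_files() {
    cn="$1"; dest="$2"; owner="${3:-ec2-user}"
    for f in ca.crt "$cn.crt" "$cn.key"; do
        if [ ! -f "$KEYS_DIR/$f" ]; then
            echo "missing $KEYS_DIR/$f (did build-key $cn run?)" >&2
            return 1
        fi
    done
    mkdir -p "$dest" && chmod 0700 "$dest" || return 1
    for f in ca.crt "$cn.crt" "$cn.key"; do
        cp "$KEYS_DIR/$f" "$dest/$f" && chmod 0600 "$dest/$f" || return 1
    done
    # chown last; if the owner does not exist we warn rather than fail so
    # the staged copies can still be inspected
    chown -R "$owner" "$dest" 2>/dev/null \
        || echo "warning: could not chown $dest to $owner" >&2
    return 0
}

# keys_dir_check <dir>
# Prints "ok" if <dir> is not world-writable (the state a chmod 777
# would have left it in), "WORLD-WRITABLE" otherwise.
keys_dir_check() {
    if [ -n "$(find "$1" -maxdepth 0 -perm -002 2>/dev/null)" ]; then
        echo "WORLD-WRITABLE"; return 1
    fi
    echo "ok"
}

# Stand-alone use: stage.sh <common-name> <staging-dir> [owner]
if [ "$#" -ge 2 ]; then
    keys_dir_check "$KEYS_DIR" >&2
    stage_client_files "$1" "$2" "$3"
fi
```

The private key is the only secret here, but staging all three files together means the scp command on the Mac is a single glob rather than three invocations, and nothing under /etc/openvpn changes mode.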

8. Set up iptables on the OpenVPN server so that it NATs VPN clients out to the VPC.  Here are all the commands you need, assuming you used the instructions above.  Two things to check first: kernel forwarding must be on (sysctl -w net.ipv4.ip_forward=1, and net.ipv4.ip_forward = 1 in /etc/sysctl.conf so it survives a reboot), and because each command uses -I (insert at the top), the rules end up in the chain in the reverse of the order typed, which is fine here since the conntrack rules are independent.  Note also that the FORWARD chain on a stock Amazon Linux box has a default policy of ACCEPT; the first rule only actually restricts traffic if you set the policy to DROP (iptables -P FORWARD DROP).  As root (sudo -s), run these on the server:

# new connections: only from the VPN pool, only toward the VPC
iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -d 10.0.0.0/16 -m conntrack --ctstate NEW -j ACCEPT
# return traffic for connections already tracked, in either direction
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# hide VPN clients behind the server's own VPC address on eth0
iptables -t nat -I POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
# not needed for this setup (no VPC host routes through the VPN server); harmless, can be dropped
iptables -t nat -I POSTROUTING -o eth0 -s 10.0.0.0/16 -j MASQUERADE

9. Make these rules persist across reboots.  iptables-restore reads the iptables-save format, not a list of iptables commands, so save the running rules with iptables-save > /etc/iptables.conf (check the file and strip anything you did not intend to keep), then add this line to /etc/rc.local:

iptables-restore < /etc/iptables.conf
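Steps 8 and 9 together, as an added example that is not from the original post: a script that writes the ruleset in the format iptables-restore reads, with the FORWARD policy set to DROP so the NEW-connection rule actually restricts traffic, then loads it, persists it and turns on forwarding. The VPN pool, VPC range, interface and file path are parameters with the post's values as defaults; the gen_iptables_conf function is pure text generation and can be run anywhere, install_rules needs root on the server.

```shell
#!/bin/sh
# Added example (not from the original post): NAT/forwarding rules for the
# OpenVPN server in iptables-save format, plus the sysctl that step 8 needs.
# Assumptions (example values): VPN pool 10.8.0.0/24, VPC 10.0.0.0/16,
# outside interface eth0, saved ruleset at /etc/iptables.conf.

# gen_iptables_conf <vpn-cidr> <vpc-cidr> <iface>
# Prints a ruleset that forwards only VPN-client -> VPC traffic (and the
# replies), and masquerades it behind the server's own VPC address.
# Lines starting with '#' are accepted as comments by iptables-restore.
gen_iptables_conf() {
    vpn="$1"; vpc="$2"; ifc="$3"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to connections already seen, in either direction
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# new connections only from the VPN pool, only toward the VPC
-A FORWARD -i tun0 -o $ifc -s $vpn -d $vpc -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# VPC hosts see the VPN server's private IP as the source, so their
# security groups only need to allow the VPN server's security group
-A POSTROUTING -s $vpn -o $ifc -j MASQUERADE
COMMIT
EOF
}

# install_rules <conf-path>
# Writes the ruleset, loads it now, enables forwarding now and at boot,
# and makes rc.local restore the saved rules. Must run as root.
install_rules() {
    conf="$1"
    gen_iptables_conf "${VPN_CIDR:-10.8.0.0/24}" "${VPC_CIDR:-10.0.0.0/16}" \
                      "${OUT_IF:-eth0}" > "$conf" || return 1
    chmod 0600 "$conf"
    iptables-restore < "$conf" || return 1
    sysctl -w net.ipv4.ip_forward=1 || return 1
    if grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf; then
        sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    else
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    fi
    if ! grep -q "iptables-restore < $conf" /etc/rc.local; then
        echo "iptables-restore < $conf" >> /etc/rc.local
    fi
}

# Stand-alone use: "sh rules.sh install" applies everything;
# with no argument it just prints the ruleset for review.
if [ "$1" = install ]; then
    install_rules "${2:-/etc/iptables.conf}"
elif [ "$#" -eq 0 ]; then
    gen_iptables_conf "${VPN_CIDR:-10.8.0.0/24}" "${VPC_CIDR:-10.0.0.0/16}" "${OUT_IF:-eth0}"
fi
```

The post's fourth rule (masquerading 10.0.0.0/16) is omitted on purpose: nothing in the VPC routes through this instance, so the rule never matches. If you later stop using NAT and instead add a VPC route for 10.8.0.0/24 pointing at the instance, remember to disable the EC2 source/destination check on it.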

10. You're done with the server. 
11. On your Mac (client machine), install Tunnelblick and use this client config, changing the paths to point at the files you copied from the server and the remote address to the EIP of your OpenVPN server.

client
dev tun
proto tcp-client

# enter the server's hostname
# or IP address here, and port number
remote <elastic ip> 443

#resolv-retry infinite
nobind
persist-key
persist-tun

# Use the full filepaths to your
# certificates and keys
ca /Users/myan/.openvpn/ca.crt
cert /Users/myan/.openvpn/client1.crt
key /Users/myan/.openvpn/client1.key

# deprecated in later OpenVPN releases (removed in 2.5); use "remote-cert-tls server"
# instead. Either way the server cert must have been issued with build-key-server.
ns-cert-type server
comp-lzo
#verb 6


12. Follow the Tunnelblick instructions using the OpenVPN client config above, and you're good.  Tunnelblick can have issues on some Macs; if you do have issues, try Viscosity.

13. Connect.  Now you can reach all the 10.x.y.z private addresses in your VPC, provided that their security groups allow inbound connections from the security group you created for the OpenVPN server.  (Because of the MASQUERADE rule, traffic from VPN clients arrives at VPC instances with the VPN server's private IP as its source, which is why a rule referencing the VPN server's security group is enough.)

Note: Changed SSH on the security group of my OpenVPN instance from open to the world (0.0.0.0/0) to 10.0.0.0/16 now that I know it works.  SSH to the server over the tunnel keeps working regardless, since packets that arrive through tun0 are decrypted inside the instance and never pass the security group.


14. Once it's working, roll that OpenVPN server up into an AMI; then you can launch it into any VPC with a 10.0.0.0/16 network and connect to its EIP from Tunnelblick, giving you access to all EC2 instances in the VPC through their private addresses.  No jump box, no per-instance EIPs.  (Provided your security groups let in connections from the VPN server, which I do by default in all VPCs now.)  One caveat when baking the AMI: the image contains the CA key and server key, so treat the AMI as a secret, and remember that every VPC launched from it shares one CA, so a client cert issued for one VPC will be accepted by all of them.

2 comments:

  1. I have set up OpenVPN using the standard OpenVPN AMI on AWS VPC and am successfully able to connect from a remote location. My concern is, I am unable to find the easy-rsa directory for client configuration. I would like to configure a dedicated tunnel from AWS to my data center without using the AWS gateway. Is that possible? Do I still need RSA, since I am able to connect without any issue?

    Please help me...
  2. Nice guide. One correction: OpenVPN is not IPsec. It's an SSL VPN.