OpenVPN is a popular way to create an encrypted SSL/TLS tunnel from client machines into AWS (it is not IPsec; OpenVPN runs its own TLS-based protocol over TCP or UDP). There is not much documentation on the web that walks through setting up OpenVPN on AWS together with the client tools and configuration needed. Here are step by step instructions for creating an encrypted SSL/TLS tunnel, with caveats included:
1. Create the OpenVPN instance on AWS: Spin up an Amazon Linux server (m1.small is fine) in a public subnet of the VPC you want to connect to. These instructions assume the VPC is a 10.0.0.0/16 network; for any other CIDR adjust the pushed route and the iptables rules below. Put the instance in its own security group with TCP 443 inbound from everywhere (for VPN connections) and TCP 22 inbound only from IPs you trust (for SSH admin).
Note:
· You need a VPC with a public subnet. I created a VPC with a public and a private subnet, since the whole idea behind this exercise is to lock instances away from the outside world by placing them in private subnets.
· You need a security group. I created a new security group, OpenVPNConfig. Its TCP 443 rule (the port the OpenVPN server listens on) must allow the public source addresses your clients connect from (0.0.0.0/0 if you cannot enumerate them); a source of 10.0.0.0/16 would only admit connections originating inside the VPC, which is not where the VPN clients are.
· Allow 22 (SSH) from 0.0.0.0/0 for now, just to be able to work with the instance and configure it properly. Once the OpenVPN server is running and tested you will connect via VPN only, so remove this rule.
· Create a new key pair if desired.
2. Give the OpenVPN instance an Elastic IP (EIP). The EIP is associated with the instance (strictly, with its network interface, the ENI); this is the fixed public address clients will connect to.
3. Log in and install openvpn with yum:
A. sudo yum -y install openvpn
NOTE:
1. The instructions say the easy-rsa scripts are in /usr/share/doc/openvpn/examples/easy-rsa/2.0, but on Amazon Linux they are actually in /usr/share/openvpn/easy-rsa/2.0.
2. The following needs to be executed as root: sudo su
3. Command used: cp -r /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/
4. After build-ca, build-key-server and build-key, the keys directory also contains 01.pem and 02.pem (easy-rsa's copies of the issued certificates, by serial number) and dh1024.pem.
Server Configuration: from here on the steps are the same as the web page referenced above, starting at its section called Server Configuration.
5. Adjust /etc/openvpn/openvpn.conf to be something like the file below. Note this uses TCP 443 instead of the default UDP 1194. Security groups pass UDP just as well if you open the port; the real reason is that outbound TCP 443 is allowed from almost every client network (hotel, office, guest Wi-Fi), while UDP is frequently blocked. Caveats on this file before you expose it to the internet: BF-CBC is a 64-bit block cipher (SWEET32) and should be replaced by AES-256-GCM (AES-256-CBC on OpenVPN 2.3); dh1024.pem is a 1024-bit group, so regenerate with build-dh at 2048 bits or more; comp-lzo compresses the plaintext before encryption (VORACLE) and should be dropped on both ends; a tls-auth key (or tls-crypt on 2.4 and later) stops unauthenticated hosts from reaching the TLS stack on a port that is open to the whole internet; user nobody and group nobody drop root after startup; and verb 6 logs far more than you want on a production server (verb 3 is plenty).
port 443
proto tcp-server
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/test-system.crt
key /etc/openvpn/keys/test-system.key
dh /etc/openvpn/keys/dh1024.pem
cipher BF-CBC
server 10.8.0.0 255.255.255.0
push "route 10.0.0.0 255.255.0.0"
comp-lzo
verb 6
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 10 120
status openvpn-status.log
My file:
port 443
proto tcp-server
dev tun
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/openvpn-system.crt
key /etc/openvpn/2.0/keys/openvpn-system.key
dh /etc/openvpn/2.0/keys/dh1024.pem
cipher BF-CBC
server 10.8.0.0 255.255.255.0
push "route 10.0.0.0 255.255.0.0"
comp-lzo
verb 6
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 10 120
status openvpn-status.log
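The following is an added example, not part of the original post: a small POSIX shell lint that flags the weak settings in the server file above (it re-creates that file as constructed input), plus a writer for a hardened replacement. The hardened file assumes ta.key was generated on the server with openvpn --genkey --secret ta.key and dh2048.pem with easy-rsa's build-dh after setting KEY_SIZE=2048 in vars; AES-256-GCM needs OpenVPN 2.4 or later (use AES-256-CBC with auth SHA256 on 2.3). Key paths follow the post's /etc/openvpn/2.0/keys layout.

```shell
#!/bin/sh
# Added example (not from the original post): lint an OpenVPN server config for
# weak settings and write a hardened replacement. ta.key and dh2048.pem are
# assumed to exist under /etc/openvpn/2.0/keys (see lead-in).

# Re-create the post's server config as constructed input for the lint.
write_post_conf() {
    cat > "$1" <<'EOF'
port 443
proto tcp-server
dev tun
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/openvpn-system.crt
key /etc/openvpn/2.0/keys/openvpn-system.key
dh /etc/openvpn/2.0/keys/dh1024.pem
cipher BF-CBC
server 10.8.0.0 255.255.255.0
push "route 10.0.0.0 255.255.0.0"
comp-lzo
verb 6
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 10 120
status openvpn-status.log
EOF
}

# Print one line per finding; return 1 if anything was found, 0 if clean.
lint_openvpn_conf() {
    conf="$1"; rc=0
    if grep -Eq '^[[:space:]]*cipher[[:space:]]+(BF|DES|DES-EDE3|CAST5|RC2)-CBC' "$conf"; then
        echo "weak: 64-bit block cipher (SWEET32); use cipher AES-256-GCM"; rc=1
    fi
    if grep -Eq '^[[:space:]]*dh[[:space:]]+.*dh1024' "$conf"; then
        echo "weak: 1024-bit DH parameters; rerun build-dh with KEY_SIZE=2048 or more"; rc=1
    fi
    if grep -Eq '^[[:space:]]*comp-lzo' "$conf"; then
        echo "weak: compression enabled (VORACLE); drop comp-lzo on server and clients"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*(tls-auth|tls-crypt)[[:space:]]' "$conf"; then
        echo "missing: tls-auth/tls-crypt; port 443 accepts TLS handshakes from anyone"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*user[[:space:]]+' "$conf"; then
        echo "missing: user/group; the daemon keeps running as root after startup"; rc=1
    fi
    return $rc
}

# Hardened equivalent of the post's file (same keys dir, same VPN/VPC ranges).
write_hardened_conf() {
    cat > "$1" <<'EOF'
port 443
proto tcp-server
dev tun
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/openvpn-system.crt
key /etc/openvpn/2.0/keys/openvpn-system.key
dh /etc/openvpn/2.0/keys/dh2048.pem
tls-auth /etc/openvpn/2.0/keys/ta.key 0
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
server 10.8.0.0 255.255.255.0
push "route 10.0.0.0 255.255.0.0"
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
ifconfig-pool-persist /etc/openvpn/ipp.txt
status /var/log/openvpn-status.log
verb 3
EOF
}

# Demonstration: lint the post's config, then the hardened one.
tmp=$(mktemp -d)
write_post_conf "$tmp/post.conf"
write_hardened_conf "$tmp/hardened.conf"
for f in post hardened; do
    echo "== $f.conf"
    if lint_openvpn_conf "$tmp/$f.conf"; then echo "clean"; fi
done
rm -rf "$tmp"
```

Run it on the server with the real file (lint_openvpn_conf /etc/openvpn/openvpn.conf) before step 6; the post's file produces five findings, the hardened one none. Clients must mirror the cipher, auth and tls-auth settings (with key-direction 1) or the handshake will fail.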
6. Make it auto-start: sudo chkconfig openvpn on && sudo service openvpn start
Note:
1. The startup failed the first time I tried because of an error in my config file. To see the actual error, run the daemon in the foreground without the init script: sudo openvpn --config <config file location and name>. It prints the offending line and exits.
7. Copy ca.crt and the client certificate and key (client1.crt and client1.key, or whatever you generated with build-key) from the server to your Mac. The server's own certificate and key, the CA key (ca.key) and dh1024.pem stay on the server; the client never needs them.
A. My files were: ca.crt, openvpn-system.crt, tom.crt, tom.key, 01.pem (associated with openvpn-system.crt) and 02.pem (associated with tom.crt). The NN.pem files are easy-rsa's copies of the issued certificates by serial number, so they are not needed on the client.
B. And the Diffie-Hellman parameters: dh1024.pem
C. Copy using scp: scp -i /Users/tomlasz/Documents/Documents/EC2KeyPairs/OpenVPN.pem ec2-user@<elastic ip address>:/etc/openvpn/2.0/keys/tom.crt .
D. I needed to do a chmod 777 on the keys directory to get scp to work.
E. I needed to do a chmod 644 on the tom.key file to get scp to work on that file.
Caveat on D and E: those permissions leave the CA key, the server key and every client key readable by any local user on the instance. Restore them as soon as the copy is done (chmod 700 on the keys directory, chmod 600 on each .key file), or avoid loosening them at all: sudo cp the two client files into ec2-user's home, chown them to ec2-user, and scp that copy.
8. Set up iptables on the OpenVPN server so that it NATs traffic from VPN clients out to the VPC. Packet forwarding is off by default on Amazon Linux, so enable it first with sysctl -w net.ipv4.ip_forward=1; without it the rules below accept packets that the kernel never forwards. Here are all the commands you need, assuming you followed the instructions above. As root (sudo -s) run these on the server:
iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -d 10.0.0.0/16 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
iptables -t nat -I POSTROUTING -o eth0 -s 10.0.0.0/16 -j MASQUERADE
The last rule is effectively a no-op: packets leaving eth0 with a VPC source address are the instance's own and already carry its address, so you can drop it. Because VPN client traffic leaves eth0 with the instance's private IP, the EC2 source/destination check can stay enabled and no VPC route table entries are needed. Consider also setting the FORWARD chain's default policy to DROP (iptables -P FORWARD DROP) so that only the VPN-to-VPC flow above and its replies are forwarded.
9. Make these rules survive a reboot. iptables-restore expects the output of iptables-save, not a list of iptables commands, so after applying the rules dump them with iptables-save > /etc/iptables.conf and then add this line to /etc/rc.local:
iptables-restore < /etc/iptables.conf
Make ip_forward persistent as well by adding net.ipv4.ip_forward = 1 to /etc/sysctl.conf.
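As an added example (not from the original post), here is a POSIX shell script that does steps 8 and 9 in one go: it emits the ruleset in the iptables-save format that iptables-restore actually accepts, with the FORWARD policy set to DROP and without the redundant second MASQUERADE rule, and persists both the rules and ip_forward. The install prefix argument is a hypothetical convenience so the generator can be exercised in a scratch directory; on the server call it with no argument as root. It writes the sysctl setting to /etc/sysctl.d, so on an Amazon Linux release without that directory append the line to /etc/sysctl.conf instead.

```shell
#!/bin/sh
# Added example, not from the original post: generate, persist and apply the
# OpenVPN NAT/forwarding rules. An optional first argument is a hypothetical
# install prefix (a scratch directory); with no argument the real /etc is used.

VPN_NET=10.8.0.0/24     # OpenVPN "server" pool from openvpn.conf
VPC_NET=10.0.0.0/16     # VPC CIDR; adjust if your VPC differs
WAN_IF=eth0             # primary interface of the instance

# Print the ruleset in iptables-save format. FORWARD defaults to DROP so only
# the VPN->VPC flow and its replies pass; the post's -s 10.0.0.0/16 MASQUERADE
# rule is omitted because such packets are the instance's own.
gen_iptables_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o $WAN_IF -s $VPN_NET -d $VPC_NET -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -s $VPN_NET -j MASQUERADE
COMMIT
EOF
}

# Write /etc/iptables.conf, the sysctl drop-in and the rc.local restore line
# under the prefix; apply immediately only on the live system as root.
install_forwarding() {
    root="${1:-}"; root="${root%/}"
    mkdir -p "$root/etc/sysctl.d"
    gen_iptables_rules > "$root/etc/iptables.conf"
    echo "net.ipv4.ip_forward = 1" > "$root/etc/sysctl.d/99-openvpn-forward.conf"
    touch "$root/etc/rc.local"
    # Idempotent: do not append the restore line twice.
    if ! grep -q 'iptables-restore < /etc/iptables.conf' "$root/etc/rc.local"; then
        echo 'iptables-restore < /etc/iptables.conf' >> "$root/etc/rc.local"
    fi
    if [ -z "$root" ] && [ "$(id -u)" -eq 0 ]; then
        sysctl -w net.ipv4.ip_forward=1
        iptables-restore < /etc/iptables.conf
    fi
}

# Stand-alone: with a prefix argument install there, otherwise show the rules.
if [ -n "${1:-}" ]; then
    install_forwarding "$1"
else
    gen_iptables_rules
fi
```

Verify after applying with iptables -L FORWARD -v -n (policy DROP, two rules) and sysctl net.ipv4.ip_forward (1); a VPN client should then reach a VPC host while a packet from the VPC side towards 10.8.0.0/24 that is not a reply is dropped.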
10. You're done with the server.
11. On your Mac (client machine), install Tunnelblick and use this client config, changing the location of the keys to the files you copied from the server and changing the public IP to match the EIP of your OpenVPN server. The cipher and compression settings must mirror the server: if you removed comp-lzo or changed the cipher there, do the same here.
client
dev tun
proto tcp-client
# enter the server's hostname
# or IP address here, and port number
remote <elastic ip> 443
#resolv-retry infinite
nobind
persist-key
persist-tun
# Use the full filepaths to your
# certificates and keys
ca /Users/myan/.openvpn/ca.crt
cert /Users/myan/.openvpn/client1.crt
key /Users/myan/.openvpn/client1.key
# Only accept a server certificate that was issued with build-key-server.
# ns-cert-type server is deprecated (removed in OpenVPN 2.5);
# remote-cert-tls server is the current equivalent.
remote-cert-tls server
comp-lzo
#verb 6
12. Follow the Tunnelblick instructions using the OpenVPN client config above, and you're good. Tunnelblick can have issues on Mac; if you do, try Viscosity.
13. Connect. Now you can reach all the 10.0.x.y private addresses in your VPC, provided their security groups allow inbound connections from the security group you created for the OpenVPN server. Because of the MASQUERADE rule the traffic arrives from the OpenVPN instance's private IP, so a rule that references that security group is all that is needed.
Note: I changed SSH on the security group of my OpenVPN instance to 10.0.0.0/16 from open to the world (0.0.0.0/0) now that I know it works. Security groups filter traffic arriving on the instance's ENI; SSH that comes in through the VPN tunnel never crosses the ENI as inbound traffic, so this rule now only governs SSH from other hosts in the VPC.
14. Once it's working, roll that OpenVPN server up into an AMI and you can launch it into any VPC with a 10.0.0.0/16 network and connect to its EIP from Tunnelblick, giving you access to all EC2 instances in the VPC through their private addresses. No jump box, no EIPs. Easy. (Provided your security groups let in connections from the VPN server, which I do by default in all VPCs now.) Treat that AMI as sensitive: it contains the CA private key, the server key and every client certificate, so anyone who can launch it gets a server that every existing client will trust. Keep it private, and if a copy ever leaks, rebuild the CA and reissue the client certificates rather than keep using it.