|Justin Rush 6a21bb5cb0||3年前|
In today’s cloud world being able to connect securely and privately to your AWS instances is a necessity. With that said not everyone is able to setup an AWS Direct Connect connection, or have a network appliance they can setup for VPN connections into AWS.
In this post I will show you how to setup a Software VPN using OpenVPN via their AWS Marketplace Offering, setup the local VPN Client to connect to the OpenVPN server, as well as create an instance in a new private subnet in the default VPC that we will use to test our VPN Connectivity. I will also review the costs for having this solution running monthly in your AWS Account.
Our process today will consist of 4 easy steps
The following are prerequisites for this process:
First we will need to create an EC2 instance using the OpenVPN Marketplace AMI offering.
Select “Community AMIs” on the left and then search for “OpenVPN Access Server 2.1.4” Scroll down until you find the AMI for your current region (see table below). I am deploying to us-west-2 so I am looking for ami-d3e743b3. Once you find the appropriate AMI click, “Select”
We are going to use a t2.Micro for our demo which should already be selected for you so click “Next: Configure Instance Details” on the bottom right.
On the Step 3: Configure Instance Details page you will see your instance details. Since this is going into the default VPC and a public subnet most settings can be left alone with the exception of Enable termination protection as we do not want our VPN being terminated on accident. After clicking the box go ahead and click “Next: Add Storage”
The only thing we will need to change here is make sure the Volume Type is set “General Purpose.” After checking that go ahead and click “Next: Add Tags”
It’s an AWS Best Practice to tag your instances; enter in any tags you want here. At a minimum you should add a value for the default Name tag so you can differentiate between instances in the console. I will be using “1Strategy-OpenVPN-Access-Server”. After adding any tags click “Next: Configure Security Group”
We will be creating a new Security Group for our VPN Server. The ports we will be settings are TCP: 22, 443, 943, and UDP: 1194. After setting your SG access, click “Review and Launch” and then “Launch.” * TCP
*note: All of the default ports can be changed from the admin tool*
After pressing “Launch” you will be presented with the key-pair screen. I will be creating a new key-pair for this demo, but if you already have one, feel free to re-use it. If you are making a new key-pair, type in the name and then click “Download Key Pair” and then “Launch Instances.”
Our OpenVPN Access Server is now being created in our AWS Account. Next steps will be to setup an EIP and then SSH into the server to setup OpenVPN.
Setting an Elastic IP for your instance ensures the VPN Public IP does not change if you need to stop your instances. If it were to change, you would need to reconfigure your server every time.
Login to your AWS account and navigate to the EC2 Dashboard and click “Elastic IPs” on the left. We will be creating a new Elastic IP by clicking “Allocate new address” at the top. Then “Allocate” on the next screen.
Now we will associate our new EIP with the OpenVPN Instance. Select your EIP from the list and then click “Actions>Associate Address.”
Now that we have an Elastic IP set for our OpenVPN Access Server it’s time to SSH into the server. I am using MacOS so I am able to use SSH natively just like on Linux. If you are using Windows you should convert your PEM to a PPK for Putty or look into OpenSSH.
`$ SSH openvpnas@elastic-ip-here -i key-pair.pem`
On your first time connecting, you will be prompted and asked if to accept the OpenVPN EULA.
After accepting the EULA, the “OpenVPN Access Server Setup Wizard” launches. If you ever need to run the setup wizard again run
$ sudo ovpn-init --ec2 on the server. Here are the prompts you will see and a brief explanation of each.
* Will this be the primary Access Server node. - Default: yes
While still connected via SSH we should create a new password for admin user, and make sure our EC2 instance has all the latest updates.
* Set a secure password for admin user.
$ sudo passwd openvpn
* Make sure our Linux system is update and secure.
$ sudo apt-get update && sudo apt-get upgrade -y
* optional: Default timezone is US (Pacific - Los Angeles) if you need to change run this.
$ sudo dpkg-reconfigure tzdata
Last thing we need to do before we can connect to the admin area and to our VPN is disable the Source/Destination check in AWS. Without doing this we would not be able to access our private subnets. You can read more about it here. To change this go to the EC2 console in AWS, select your instance, choose Actions>Networking>Change Source/Dest. Check as seen below. Choose “Yes, Disable” on the next screen.
To be able to verify and test our VPN connection into our AWS account we will first setup a simple EC2 instance in the private subnet that I mentioned in the prerequisites.
Now that we have our OpenVPN Access Server running and an EC2 instance deployed to a private subnet within our VPC it is time to install the OpenVPN Client and test out connectivity.
Note: On your first attempt to connect you will be warned by your browser that the SSL certificate cannot b validated this is OK for our demo but in a real world you will want to setup a real SSL certificate in your setup.
On the screen enter “openvpn” for the Username and the password you created for the user in Section 2, Step 7.
After your credentials are accepted you will see the screen below. Go ahead and click “Click here to continue” which will download the OpenVPN client installer to your machine.
A great thing about this download is that the client already has your connection strings setup for you.
After your installation has completed you will find a new icon on your Menu Bar up top. If you click on the icon you will see the Elastic IP of your OpenVPN Access Server instance and an option to connect. Click on “Connect...”
You will probably get a notice like the below. This is because the client install came with a configuration file from the OpenVPN Access Server. For this we will go ahead and click “Yes”
ssh ec2-user@internal-ip-here -i key-pair.pem
In this post, I covered launching an OpenVPN Access Server EC2 instance using the AWS Marketplace offering by OpenVPN, setting up your local client, and connecting to an EC2 instance in a private subnet to verify the VPN is working.
I hope this post helps you out in some way. I plan to expand on this post in the future by showing how to extend your home or small office router into AWS using OpenVPN.
Justin is a DevOps Engineer at 1Strategy, an AWS Advanced Consulting Partner specializing in Amazon Web Services (AWS). With 17+ years in Information Technology, Justin has accumulated a diversity of hard and soft skills, often dubbed a “Jack-of-all-Trades.” Justin is a passionate advocate of gender equality and digital privacy, and serves in the leadership for Seattle #CoffeeOps.