Creating a VPN access server using the OpenVPN AMI

As more and more companies rely on cloud computing to store and process sensitive data, the security of the cloud has become a top priority. One of the tools you can use as part of your own security to help keep your data protected is a virtual private network (VPN). In AWS it is possible to set up a VPN within a matter of minutes using an EC2 instance launched from the OpenVPN Access Server AMI.

What is OpenVPN?

OpenVPN is free and open-source software that implements VPN techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. The AMI used in this guide is OpenVPN Access Server, the vendor's packaged version of OpenVPN with a web-based admin console; its free tier is limited to two concurrent connections.

By using OpenVPN with an EC2 instance, you will be able to benefit from:

  • Security: OpenVPN uses TLS for authentication and key exchange and a symmetric cipher such as AES for the data channel, so traffic between the client and the server stays confidential and tamper-evident.
  • Flexibility: OpenVPN can run over either UDP (the default, and usually fastest) or TCP (for example on port 443, which passes through most restrictive firewalls), making it easy to find the right setup for your company's needs.
  • Scalability: EC2 instances can be easily scaled up or down as needed, so your VPN solution can grow along with your company.
  • Cost-effectiveness: By using EC2 instances and OpenVPN, you can avoid the high costs of purchasing and maintaining dedicated hardware for your VPN solution (effectively swapping CapEx for OpEx).

Let’s now go over the steps of setting up an EC2 instance with OpenVPN.


How to set up OpenVPN using an EC2 instance

You will first need to log in to your AWS account and navigate to the EC2 dashboard. From here, click on the "Launch instances" button to start the process of launching a new EC2 instance.


On the next page, give a name to your server and then scroll down and click on "Browse more AMIs" as you will need to select an AMI which is available in the AWS Marketplace.



On the following screen, click on "AWS Marketplace AMIs".



In the search field, type "OpenVPN" and press Enter. There will be several results called "OpenVPN". Click "Select" on the option which does not specify a number of connected devices (it should be the first option).


This particular option is included in the free tier for micro instances and allows a maximum of 2 concurrent VPN connections.


Next click on "continue".


At this point you should be back on the main instance configuration page with the OpenVPN Access Server Community Image added into the AMI section.

Next you will need to scroll down and select "t2.micro" in the instance type section. This is so that we can use the free-tier.


After selecting the instance type, you will need to either select an existing key pair, create a new key pair (I will not be going over how to do this) or attach an IAM role so that you can connect to the instance through AWS Systems Manager Session Manager instead of SSH (I explain how to create a role to connect to an EC2 in my Gist on GitHub).

Once you have added your key pair, leave all other settings as default and click on "Launch instance" (if you are using a role to connect via Session Manager, you will need to open the "Advanced details" section and select it as the IAM instance profile before launching your instance).
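The Marketplace listing for this AMI comes with a security group that opens the administrative ports to the whole internet. As an added example (not part of the original article, and not OpenVPN's or AWS's own tooling), the script below replaces the 0.0.0.0/0 rule for SSH (22) and the Admin Web UI (943) with a rule for your own address only, leaving TCP 443 open so VPN clients can still connect. It assumes an installed and authenticated AWS CLI; the security group ID and the address 203.0.113.5 are placeholders.

```shell
#!/bin/sh
# Added example: restrict the Access Server admin ports to one client address.
# Assumes the AWS CLI is installed and authenticated. SG_ID and MY_IP are
# placeholders supplied by the caller; nothing touches AWS unless both are set.
set -eu

# Return ADDR/32 for a syntactically valid IPv4 address, fail otherwise.
cidr32() {
  addr="$1"
  printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs="$IFS"; IFS=.
  for octet in $addr; do                    # reject octets above 255
    [ "$octet" -le 255 ] || { IFS="$old_ifs"; return 1; }
  done
  IFS="$old_ifs"
  printf '%s/32\n' "$addr"
}

# Replace the any-source rule for one TCP port with a rule for CIDR.
# Revoking a rule that does not exist is an error, hence the "|| true".
restrict_tcp_port() { # sg_id port cidr
  aws ec2 revoke-security-group-ingress --group-id "$1" \
      --protocol tcp --port "$2" --cidr 0.0.0.0/0 >/dev/null 2>&1 || true
  aws ec2 authorize-security-group-ingress --group-id "$1" \
      --protocol tcp --port "$2" --cidr "$3"
}

# Usage: SG_ID=sg-0123456789abcdef0 MY_IP=203.0.113.5 sh lock_admin_ports.sh
if [ -n "${SG_ID:-}" ] && [ -n "${MY_IP:-}" ]; then
  cidr=$(cidr32 "$MY_IP")
  for port in 22 943; do                    # SSH and the Admin Web UI
    restrict_tcp_port "$SG_ID" "$port" "$cidr"
  done
  # TCP 443 (OpenVPN daemon and client web UI) is left as it is.
fi
```

If you connect through Session Manager rather than SSH, you can drop port 22 from the loop entirely; the session is brokered by AWS and needs no inbound rule at all.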


The instance will then be launched for you. This might take a minute or two longer than a standard free-tier Linux EC2, so be patient.

Whilst you are waiting for the EC2 to pass both of its status checks, navigate to this AWS page (for example https://checkip.amazonaws.com) and take note of your computer's public IP address. You will return here later on once we have configured the VPN, as this IP address should be different once you are connected to the VPN.

Once your EC2 has passed both status checks, you will need to connect to the instance to create the initial configuration for OpenVPN. I will not be going over how to SSH into an EC2 as this will differ depending on your computer's operating system. Be aware, however, that unlike the Amazon Linux AMI, this image has no "ec2-user" account: the login user is defined by the AMI, and the OpenVPN image (which is Ubuntu-based) expects "root" for the first login, which runs the setup wizard, and "openvpnas" afterwards.

If you have chosen to use a role so that you can connect through the SSM agent with Session Manager (this is what I have used in this guide as it is more secure: no inbound SSH port and no key pair to look after), you will land in a session as "ssm-user" and need to type "sudo su" in the CLI to become the root user.


Once you are connected to your EC2 as "root", you will be greeted with the licence agreement. You will need to type "yes" to accept.

You will then be asked whether this will be the primary Access Server node. Type "yes" again.

Next you will be prompted regarding:

  • the network interface and IP address for the Admin Web UI - hit Enter on your keyboard to accept the default first option (all interfaces).
  • Then hit Enter again to accept the default Admin Web UI port number, 943.
  • Hit Enter again to accept the default TCP port number for the OpenVPN daemon, 443.
  • Hit Enter again to confirm "no" regarding routing client traffic through the VPN by default (we will change this in the console later).
  • Hit Enter again to confirm "no" regarding routing client DNS traffic through the VPN.
  • Hit Enter to confirm "yes" regarding local authentication (users and passwords are stored in the server's own database).
  • Hit Enter to confirm "yes" regarding making private subnets accessible to clients.
  • Hit Enter to confirm that you wish to log in to the Admin console with the username "openvpn" (you can change this later in the console).
  • Hit Enter when asked to specify an activation key; leaving it blank keeps the server in the free two-connection mode.

Note that these defaults leave the Admin Web UI listening on TCP 943 on every interface. Whether it is reachable from the internet is decided by the instance's security group, so restrict TCP 943 (and 22 if you use SSH) to your own address once the setup is complete.


You will then see a configuration run inside of the terminal.

Note: if you are using a key pair to SSH into the server (i.e. not using the SSM agent), the output in the terminal includes a message advising you to use "openvpnas" instead of "root" to log back into the server. The connection will be closed automatically. You will then need to open a new connection using ssh -i "vpn-server.pem" openvpnas@ec2-<your-ip-address>.compute-1.amazonaws.com before continuing.


We now need to set a password so that we can log in to the OpenVPN console. Type into your CLI:

sudo passwd openvpn

You will be prompted to enter and confirm a password. Make sure it is a strong password (ideally at least 16 characters in length).

Once you have seen the "password updated successfully" confirmation, you can close your connection to the server.

At this point, return to your EC2 dashboard to get the public IP address of your EC2. You now need to visit the following page in your web browser:

https://<your-ec2-ip-address>:943/admin - (e.g. https://107.23.173.89:943/admin)

Make sure you are using https as you will get an error if you use http.

Depending on your browser, you may see a screen like the one shown below with a warning regarding the connection. This is because the Access Server ships with a self-signed certificate that your browser does not trust:

If you get this, click on "Advanced" (or whatever your browser shows) followed by "Proceed to <your IP address> (unsafe)". This is acceptable for the initial setup, since you are connecting directly to the IP address you just took from the EC2 dashboard; for ongoing use, install a certificate from a trusted CA (Configuration > Web Server in the admin console) so that the warning, and the habit of clicking through it, goes away.



You should then see the OpenVPN login page. You may need to change browser if you are unable to access this page.

Next, log in using the username "openvpn" and the password that you set earlier in the CLI.



Once you have logged in, click on "Agree".



You should then be at the OpenVPN dashboard.



Next, click on "VPN Settings" in the left side menu.



On the following page, locate the setting "Should client Internet traffic be routed through the VPN?". Change the value to "yes" and then click on the "Save Settings" button. This will ensure that all of your internet traffic goes through the VPN connection. If you also want your DNS lookups to travel through the tunnel rather than to your local resolver, set "Should client DNS traffic be routed through the VPN?" to "yes" on the same page.



You will then need to click on the "Update Running Server" button at the top of your screen.


You will see a confirmation once this is completed.




Adding/Changing users

If you wish to change or add an additional user, you will need to navigate to the "User Permissions" page (under "User Management") where you can change the details/permissions to meet your requirements.



Once you have made any changes, log out as the admin user.
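The routing change made under "VPN Settings" and the user management done on the "User Permissions" page can also be applied from the instance's shell with the Access Server command-line tool. The script below is an added example, not part of the original article and not a script shipped by OpenVPN; it assumes the default install path /usr/local/openvpn_as, that it is run as root on the instance, and that the user name and password passed in are placeholders of your own choosing.

```shell
#!/bin/sh
# Added example: apply the Admin UI changes from the shell with sacli.
# Assumes the default Access Server install path and a root shell on the
# instance. VPN_USER and VPN_PASS are placeholders supplied by the caller;
# nothing is changed unless both are set.
set -eu

SACLI=/usr/local/openvpn_as/scripts/sacli

# Minimal strength check matching the "at least 16 characters" advice above.
password_ok() {
  [ "${#1}" -ge 16 ]
}

# Same as "Should client Internet/DNS traffic be routed through the VPN?" = yes,
# followed by "Update Running Server".
route_all_traffic() {
  "$SACLI" --key "vpn.client.routing.reroute_gw"  --value "true" ConfigPut
  "$SACLI" --key "vpn.client.routing.reroute_dns" --value "true" ConfigPut
  "$SACLI" start
}

# Create a local-database user that can connect but cannot administer the
# server, so the "openvpn" admin password never has to go into a VPN client.
add_vpn_user() { # name password
  password_ok "$2" || { echo "password shorter than 16 characters" >&2; return 1; }
  "$SACLI" --user "$1" --key "type"           --value "user_connect" UserPropPut
  "$SACLI" --user "$1" --key "prop_superuser" --value "false"        UserPropPut
  "$SACLI" --user "$1" --new_pass "$2" SetLocalPassword
}

# Usage: VPN_USER=alice VPN_PASS='correct-horse-battery-staple' sh apply_vpn_config.sh
if [ -n "${VPN_USER:-}" ] && [ -n "${VPN_PASS:-}" ]; then
  route_all_traffic
  add_vpn_user "$VPN_USER" "$VPN_PASS"
fi
```

You can confirm the result with "sacli ConfigQuery" (the two routing keys should now read true) and "sacli --user alice UserPropGet", which lists the properties set for the new user.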


Connecting with the VPN

We now need to log in as a normal user. To do this, visit the following address:

https://<your-ec2-public-ip>:943 - (e.g. https://52.1.85.107:943/ )

Unless you changed them, the admin credentials will work here as well. For day-to-day use, though, it is better to create a separate non-admin user on the "User Permissions" page and connect with that, so that the admin password is not typed into every VPN client you install.

Once you are logged in, you will see the following screen showing the various clients which can be installed to create a VPN connection. By default at the top of the page, it will suggest the client for your current operating system (i.e. Windows, Mac etc).



Click on the icon to download the VPN client to your computer. Once the download has completed, install the software in the same way as you would for any other software and open it. Once you are on the main VPN dashboard, you can toggle the connection switch to start the VPN connection. You will be prompted for your username and password (the details you used to login and download the software) the first time you make the connection.


The VPN client will display the details of the connection once it has been successful. If you now go back and visit this AWS page again, you should see a different IP address to the one displayed earlier: your traffic now leaves from the EC2 instance's public IP, so it will geolocate to the instance's region (i.e. if you set up the EC2 in us-east-1, you will have an American IP address). Remember that the cost of running an EC2, and the data transfer charges for traffic leaving AWS, vary from region to region.

At this point you have successfully set up and configured an EC2 instance with the OpenVPN AMI.


To summarise, setting up an EC2 instance with OpenVPN is a cost-effective and secure way to protect your traffic while it crosses the internet between your device and AWS. Bear in mind what the tunnel does and does not cover: traffic between the client and the EC2 instance is encrypted, but once it leaves the instance for its destination it is only as protected as that destination makes it (e.g. HTTPS), and the instance itself is now a server you have to patch and keep locked down. With its strong encryption and scalability, OpenVPN is a sound choice for companies looking to secure access to their cloud-based data.

More articles by Mark Smoktunowicz
