OpenVPN Setup on AWS EC2
Samuel Ajisafe
Posted on July 18, 2024
This guide walk you through a step by step process to set up a VPN on AWS that allows you to browse the internet and use OpenVPN as the client, follow these steps:
"OpenVPN is a virtual private network (VPN) system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications."
Step 1a: Create a VPC with Public and Private Subnets
Sign in to the AWS Management Console and open the Amazon VPC console.
Step 1b. Create a VPC with a CIDR block (e.g., 10.0.0.0/16).
Create Subnets:
Public Subnet (e.g., 10.0.1.0/24): For the VPN endpoint.
Private Subnet (e.g., 10.0.2.0/24): For other instances, if needed.
Step 1c. Create an Internet Gateway and attach it to your VPC.
Step 1d. Create a Route Table for the public subnet and add a route to the Internet Gateway (0.0.0.0/0 to the Internet Gateway).
Step 1e. Associate the Route Table with the public subnet.
Step 2: Set Up an OpenVPN Server on an EC2 Instance
Launch an EC2 Instance in the public subnet:
Choose an Amazon Linux 2 AMI.
Choose an instance type (e.g., t2.micro).
Configure instance details, ensuring it's in the public subnet.
Add storage (default is fine).
Add a security group with the following inbound rules:
SSH (TCP port 22) from your IP address.
OpenVPN (UDP port 1194) from anywhere.
Launch the instance and connect to it using SSH.
Install OpenVPN and Easy-RSA:
sudo yum update -y
sudo amazon-linux-extras install epel -y
sudo yum install openvpn easy-rsa -y
Set Up the PKI (Public Key Infrastructure):
mkdir -p ~/openvpn-ca
cd ~/openvpn-ca
cp -r /usr/share/easy-rsa/3/* ./
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-req server nopass
./easyrsa sign-req server server
./easyrsa gen-dh
openvpn --genkey --secret ta.key
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
Copy the Necessary Files:
sudo cp pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem ta.key /etc/openvpn
Edit the OpenVPN Server Configuration File:
sudo nano /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
verb 3
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
Enable IP Forwarding
Edit the sysctl Configuration File:
sudo nano /etc/sysctl.conf
Uncomment or add:
net.ipv4.ip_forward = 1
Apply the Changes:
sudo sysctl -p
Step 4: Configure NAT
Set Up NAT Using iptables:
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
Step 5: Create a Systemd Service for iptables Rules Persistence
Create a New Systemd Service File:
sudo nano /etc/systemd/system/iptables-restore.service
Add the Following Content:
[Unit]
Description=Restore iptables rules
Before=network-pre.target
Wants=network-pre.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /etc/iptables/rules.v4
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
Enable and Start the Service:
sudo systemctl enable iptables-restore.service
sudo systemctl start iptables-restore.service
Start the OpenVPN Server Service:
sudo systemctl restart openvpn@server
Copy the Client Files:
sudo cp pki/ca.crt pki/issued/client1.crt pki/private/client1.key ta.key /etc/openvpn
Step 6: Configure the Client
Generate a Client Configuration File:
sudo nano /etc/openvpn/client1.ovpn
Add the Following Content and Replace YOUR_EC2_PUBLIC_IP with Your EC2 Instance's Public IP:
client
dev tun
proto udp
remote YOUR_EC2_PUBLIC_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
<ca>
-----BEGIN CERTIFICATE-----
(Insert the content of ca.crt here)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(Insert the content of client1.crt here)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(Insert the content of client1.key here)
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(Insert the content of ta.key here)
-----END OpenVPN Static key V1-----
</tls-auth>
Step 7: Connect Using OpenVPN Client
Install OpenVPN Client on your local machine or mobile client.
Import the Configuration File into your OpenVPN client.
Connect to the VPN using the OpenVPN client.
Congratulations the process is now completed, you can now surf the web.
Posted on July 18, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.