DEV Community

Cover image for OpenVPN Setup on AWS EC2
Samuel Ajisafe
Samuel Ajisafe

Posted on

OpenVPN Setup on AWS EC2

This guide walk you through a step by step process to set up a VPN on AWS that allows you to browse the internet and use OpenVPN as the client, follow these steps:

"OpenVPN is a virtual private network (VPN) system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications."

Step 1a: Create a VPC with Public and Private Subnets
Sign in to the AWS Management Console and open the Amazon VPC console.

Step 1b. Create a VPC with a CIDR block (e.g., 10.0.0.0/16).
Create Subnets:
Public Subnet (e.g., 10.0.1.0/24): For the VPN endpoint.
Private Subnet (e.g., 10.0.2.0/24): For other instances, if needed.

Step 1c. Create an Internet Gateway and attach it to your VPC.

Step 1d. Create a Route Table for the public subnet and add a route to the Internet Gateway (0.0.0.0/0 to the Internet Gateway).

Step 1e. Associate the Route Table with the public subnet.

Step 2: Set Up an OpenVPN Server on an EC2 Instance

Launch an EC2 Instance in the public subnet:

Choose an Amazon Linux 2 AMI.

Choose an instance type (e.g., t2.micro).

Configure instance details, ensuring it's in the public subnet.

Add storage (default is fine).

Add a security group with the following inbound rules:
SSH (TCP port 22) from your IP address.
OpenVPN (UDP port 1194) from anywhere.

Launch the instance and connect to it using SSH.

Install OpenVPN and Easy-RSA:

sudo yum update -y
sudo amazon-linux-extras install epel -y
sudo yum install openvpn easy-rsa -y
Enter fullscreen mode Exit fullscreen mode

Set Up the PKI (Public Key Infrastructure):

mkdir -p ~/openvpn-ca
cd ~/openvpn-ca
cp -r /usr/share/easy-rsa/3/* ./
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-req server nopass
./easyrsa sign-req server server
./easyrsa gen-dh
openvpn --genkey --secret ta.key
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
Enter fullscreen mode Exit fullscreen mode

Copy the Necessary Files:

sudo cp pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem ta.key /etc/openvpn
Enter fullscreen mode Exit fullscreen mode

Edit the OpenVPN Server Configuration File:

sudo nano /etc/openvpn/server.conf
Enter fullscreen mode Exit fullscreen mode
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
verb 3
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
Enter fullscreen mode Exit fullscreen mode

Enable IP Forwarding
Edit the sysctl Configuration File:

sudo nano /etc/sysctl.conf
Enter fullscreen mode Exit fullscreen mode

Uncomment or add:

net.ipv4.ip_forward = 1
Enter fullscreen mode Exit fullscreen mode

Apply the Changes:

sudo sysctl -p
Enter fullscreen mode Exit fullscreen mode

Step 4: Configure NAT
Set Up NAT Using iptables:

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
Enter fullscreen mode Exit fullscreen mode

Step 5: Create a Systemd Service for iptables Rules Persistence
Create a New Systemd Service File:

sudo nano /etc/systemd/system/iptables-restore.service
Enter fullscreen mode Exit fullscreen mode

Add the Following Content:

[Unit]
Description=Restore iptables rules
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /etc/iptables/rules.v4
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
Enter fullscreen mode Exit fullscreen mode

Enable and Start the Service:

sudo systemctl enable iptables-restore.service
sudo systemctl start iptables-restore.service
Enter fullscreen mode Exit fullscreen mode

Start the OpenVPN Server Service:

sudo systemctl restart openvpn@server
Enter fullscreen mode Exit fullscreen mode

Copy the Client Files:

sudo cp pki/ca.crt pki/issued/client1.crt pki/private/client1.key ta.key /etc/openvpn
Enter fullscreen mode Exit fullscreen mode

Step 6: Configure the Client
Generate a Client Configuration File:

sudo nano /etc/openvpn/client1.ovpn
Enter fullscreen mode Exit fullscreen mode

Add the Following Content and Replace YOUR_EC2_PUBLIC_IP with Your EC2 Instance's Public IP:

client
dev tun
proto udp
remote YOUR_EC2_PUBLIC_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3

<ca>
-----BEGIN CERTIFICATE-----
(Insert the content of ca.crt here)
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
(Insert the content of client1.crt here)
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
(Insert the content of client1.key here)
-----END PRIVATE KEY-----
</key>

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(Insert the content of ta.key here)
-----END OpenVPN Static key V1-----
</tls-auth>
Enter fullscreen mode Exit fullscreen mode

Step 7: Connect Using OpenVPN Client
Install OpenVPN Client on your local machine or mobile client.
Import the Configuration File into your OpenVPN client.
Connect to the VPN using the OpenVPN client.

Congratulations the process is now completed, you can now surf the web.

Top comments (0)