OpenVPN Access Server(self-hosted) set-up on AWS EC2
Posted on Feb. 14, 2022, 7:25 a.m., 321, by: sagar
Nowadays, hiding identity, remotely accessing the company or server, Inside IoT security etc are the challenges we face each day. We can use OpenVPN as an SSH whitelisting so we can access/ssh the servers or instances only when we’re connected to the VPN.
OpenVPN is not completely free.
To set up OpenVPN on AWS EC2 we can use different types of Linux machines such as Ubuntu, CentOS, Amazon Linux etc. For this tutorial, I’m going to use AWS Marketplace AMIs(pre-baked AMIs). Even though the instance is pre-baked, setting up OpenVPN might be a little tricky. So. I’m going to cover those step by step.
Create Instance using AWS Marketplace AMI:
- Go to your console and select the region you want your OpenVPN instance to be in.
- Select EC2 service and search OpenVPN to launch a new instance from AWS Marketplace. It will show official OpenVPN AMIs from AWS Marketplace.
- Now select one of the OpenVPN Access Server from the list. For this, I’m going to select the first one with t2.micro instance type.
- (Important)Configure all of the instance details as per your requirements. During the configuration, make sure you choose your VPC and subnet. If you don’t have custom VPC and subnets, leave all these settings as is. Make sure that OpenVPN server instance is in public subnet so it is accessible via the web directly.
- Create a security group for the OpenVPN Server in which save rules AWS already has filled.
- Now review and launch the instance. It will run a new instance.
IP and Domain:
When the instance is up and running, AWS provides public IP automatically. But it will immediately change when you reboot the instance anytime. For this, we can associate an elastic IP to the instance so it stays the same even if the instance is stopped or rebooted.
- Go to Elastic IPs section and Allocate a new address.
- Now you have new elastic IP but not associated with any instance. Associate address selecting your openVPN instance.
- Save, and you have now elastic IP. Now, you can associate a domain to this public IP.
If you want to use a custom domain, make sure you have a domain like vpn.yourdomain.com(or any as you wish) to access this server(instance).
Point your A record of domain to the elastic IP.
Setup OpenVPN:
You will not be able to access openVPN server directly as you haven’t set up server. For this you have to ssh into the server:
- Use key-pair file vpn-keypair.pem (created when launching instance) to ssh into the instance. Open port 22 for all traffic to be able to SSH into the instance. (we can change that later after setup)
- Use username as openvpnas as this is the default with OpenVPN marketplace instance.
- Once you log in, follow the setup wizard. It will ask no. of settings to you.
[email protected]:#
Welcome to OpenVPN Access Server Appliance 2.8.5
System information as of Sat Feb 11 12:24:42 UTC 2022
System load: 0.95 Processes: 98
Usage of /: 26.7% of 7.69GB Users logged in: 0
Memory usage: 18% IP address for eth0: 172.32.1.87
Swap usage: 0%
OpenVPN Access Server
Initial Configuration Tool
------------------------------------------------------
OpenVPN Access Server End User License Agreement (OpenVPN-AS EULA)
1. Copyright Notice: OpenVPN Access Server License;
Copyright (c) 2009-2020 OpenVPN Inc. All rights reserved.
"OpenVPN" is a trademark of OpenVPN Inc.
2. Redistribution of OpenVPN Access Server binary forms and related documents,
are permitted provided that redistributions of OpenVPN Access Server binary
forms and related documents reproduce the above copyright notice as well as
a complete copy of this EULA.
3. You agree not to reverse engineer, decompile, disassemble, modify,
translate, make any attempt to discover the source code of this software,
or create derivative works from this software.
4. The OpenVPN Access Server is bundled with other open source software
components, some of which fall under different licenses. By using OpenVPN
or any of the bundled components, you agree to be bound by the conditions
of the license for each respective component. For more information, you can
find our complete EULA (End-User License Agreement) on our website
(<http://openvpn.net>), and a copy of the EULA is also distributed with the
Access Server in the file /usr/local/openvpn_as/license.txt.
5. This software is provided "as is" and any expressed or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. In no event shall
OpenVPN Inc. be liable for any direct, indirect, incidental,
special, exemplary, or consequential damages (including, but not limited
to, procurement of substitute goods or services; loss of use, data, or
profits; or business interruption) however caused and on any theory of
liability, whether in contract, strict liability, or tort (including
negligence or otherwise) arising in any way out of the use of this
software, even if advised of the possibility of such damage.
6. OpenVPN Inc. is the sole distributor of OpenVPN Access Server
licenses. This agreement and licenses granted by it may not be assigned,
sublicensed, or otherwise transferred by licensee without prior written
consent of OpenVPN Inc. Any licenses violating this provision
will be subject to revocation and deactivation, and will not be eligible
for refunds.
7. A purchased license entitles you to use this software for the duration of
time denoted on your license key on any one (1) particular device, up to
the concurrent user limit specified by your license. Multiple license keys
may be activated to achieve a desired concurrency limit on this given
device. Unless otherwise prearranged with OpenVPN Inc.,
concurrency counts on license keys are not to be divided for use amongst
multiple devices. Upon activation of the first purchased license key in
this software, you agree to forego any free licenses or keys that were
given to you for demonstration purposes, and as such, the free licenses
will not appear after the activation of a purchased key. You are
responsible for the timely activation of these licenses on your desired
server of choice. Refunds on purchased license keys are only possible
within 30 days of purchase of license key, and then only if the license key
has not already been activated on a system. To request a refund, contact us
through our support ticket system using the account you have used to
purchase the license key. Exceptions to this policy may be given for
machines under failover mode, and when the feature is used as directed in
the OpenVPN Access Server user manual. In these circumstances, a user is
granted one (1) license key (per original license key) for use solely on
failover purposes free of charge. Other failover and/or load balancing use
cases will not be eligible for this exception, and a separate license key
would have to be acquired to satisfy the licensing requirements. To request
a license exception, please file a support ticket in the OpenVPN Access
Server ticketing system. A staff member will be responsible for determining
exception eligibility, and we reserve the right to decline any requests not
meeting our eligibility criteria, or requests which we believe may be
fraudulent in nature.
8. Activating a license key ties it to the specific hardware/software
combination that it was activated on, and activated license keys are
nontransferable. Substantial software and/or hardware changes may
invalidate an activated license. In case of substantial software and/or
hardware changes, caused by for example, but not limited to failure and
subsequent repair or alterations of (virtualized) hardware/software, our
software product will automatically attempt to contact our online licensing
systems to renegotiate the licensing state. On any given license key, you
are limited to three (3) automatic renegotiations within the license key
lifetime. After these renegotiations are exhausted, the license key is
considered invalid, and the activation state will be locked to the last
valid system configuration it was activated on. OpenVPN Inc.reserves the
right to grant exceptions to this policy for license holders under
extenuating circumstances, and such exceptions can be requested through a
ticket via the OpenVPN Access Server ticketing system.
9. Once an activated license key expires or becomes invalid, the concurrency
limit on our software product will decrease by the amount of concurrent
connections previously granted by the license key. If all of your purchased
license key(s) have expired, the product will revert to demonstration mode,
which allows a maximum of two (2) concurrent users to be connected to your
server. Prior to your license expiration date(s), OpenVPN Inc. will attempt
to remind you to renew your license(s) by sending periodic email messages
to the licensee email address on record. You are solely responsible for
the timely renewal of your license key(s) prior to their expiration if
continued operation is expected after the license expiration date(s).
OpenVPN Inc. will not be responsible for any misdirected and/or undeliverable
email messages, nor does it have an obligation to contact you regarding
your expiring license keys.
10. Any valid license key holder is entitled to use our ticketing system for
support questions or issues specifically related to the OpenVPN Access
Server product. To file a ticket, go to our website at <http://openvpn.net/>
and sign in using the account that was registered and used to purchase the
license key(s). You can then access the support ticket system through our
website and submit a support ticket. Tickets filed in the ticketing system
are answered on a best-effort basis. OpenVPN Inc. staff
reserve the right to limit responses to users of our demo / expired
licenses, as well as requests that substantively deviate from the OpenVPN
Access Server product line. Tickets related to the open source version of
OpenVPN will not be handled here.
11. Purchasing a license key does not entitle you to any special rights or
privileges, except the ones explicitly outlined in this user agreement.
Unless otherwise arranged prior to your purchase with OpenVPN,
Inc., software maintenance costs and terms are subject to change after your
initial purchase without notice. In case of price decreases or special
promotions, OpenVPN Inc. will not retrospectively apply
credits or price adjustments toward any licenses that have already been
issued. Furthermore, no discounts will be given for license maintenance
renewals unless this is specified in your contract with OpenVPN Inc.
Please enter 'yes' to indicate your agreement [no]: yes
Once you provide a few initial configuration settings,
OpenVPN Access Server can be configured by accessing
its Admin Web UI using your Web browser.
Will this be the primary Access Server node?
(enter 'no' to configure as a backup or standby node)
> Press ENTER for default [yes]: yes
Please specify the network interface and IP address to be
used by the Admin Web UI:
(1) all interfaces: 0.0.0.0
(2) eth0: 172.31.16.206
Please enter the option number from the list above (1-2).
> Press Enter for default [2]: 1
Please specify the port number for the Admin Web UI.
> Press ENTER for default [943]: 943
Please specify the TCP port number for the OpenVPN Daemon
> Press ENTER for default [443]: 443
Should client traffic be routed by default through the VPN?
> Press ENTER for default [yes]: yes
Should client DNS traffic be routed by default through the VPN?
> Press ENTER for default [yes]: yes
Use local authentication via internal DB?
> Press ENTER for default [yes]: yes
Private subnets detected: ['172.31.0.0/16']
Should private subnets be accessible to clients by default?
> Press ENTER for EC2 default [yes]: yes
To initially login to the Admin Web UI, you must use a
username and password that successfully authenticates you
with the host UNIX system (you can later modify the settings
so that RADIUS or LDAP is used for authentication instead).
You can login to the Admin Web UI as "openvpn" or specify
a different user account to use for this purpose.
Do you wish to login to the Admin UI as "openvpn"?
> Press ENTER for default [yes]: yes
> Please specify your OpenVPN-AS license key (or leave blank to specify later):
Initializing OpenVPN...
Adding new user login...
useradd -s /sbin/nologin "openvpn"
Writing as configuration file...
Perform sa init...
Wiping any previous userdb...
Creating default profile...
Modifying default profile...
Adding new user to userdb...
Modifying new user as superuser in userdb...
Getting hostname...
Hostname: openvpnserver
Preparing web certificates...
Getting web user account...
Adding web group account...
Adding web group...
Adjusting license directory ownership...
Initializing confdb...
Generating init scripts...
Generating PAM config...
Generating init scripts auto command...
Starting openvpnas...
NOTE: Your system clock must be correct for OpenVPN Access Server
to perform correctly. Please ensure that your time and date
are correct on this system.
Initial Configuration Complete!
You can now continue configuring OpenVPN Access Server by
directing your Web browser to this URL:
<https://18.193.21.166:943/admin>
Login as "openvpn" with the same password used to authenticate
to this UNIX host.
During normal operation, OpenVPN AS can be accessed via these URLs:
Admin UI: <https://18.193.21.166:943/admin>
Client UI: <https://18.193.21.166:943/>
See the Release Notes for this release at:
<https://openvpn.net/vpn-server-resources/release-notes/>
- Now create password to login first time as an admin, for that:
[email protected]:~$ sudo passwd openvpn
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
[email protected]:~$
OpenVPN UI:
From browser visit https://<elastic-IP>:943/admin, you will get openVPN server UI. And login with the username OpenVPN (created before) and the admin password set earlier. Once you login, accept the terms & conditions.
-
From Configuration > Network Settings:
- Change Hostname or IP Address to vpn.yourdomain.com and click save settings.
- Now click on Update running server.
And you have successfully set up a custom domain. Visit https://vpn.yourdomain.com:943/admin it will work perfectly!
SSL Set-Up:
As there is no SSL configured your server is not trusted by browsers. In this section, we’re going to use Certbot to install SSL certificate. For this:
- SSH to your VPN server and type the following commands:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install -y certbot
To install Certbot, open port 80 temporarily on the security group of your OpenVPN server (Certbot will verify the server and domain).
- Go to AWS console, choose openVPN security group > inbound rules and add HTTP 80 rule with source 0.0.0.0/0 to access port 80 traffic.
- SSH into openVPN server again and type the following command:
sudo certbot certonly --standalone
Follow no. of questions with answering them and use domain as vpn.yourdomain.com. It will verify using port 80.
[email protected]:~$ sudo certbot certonly --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
<https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>. You must
agree in order to register with the ACME server at
<https://acme-v02.api.letsencrypt.org/directory>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): vpn.yourdoman.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for vpn.yourdoman.com
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/vpn.youdomain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/vpn.youdomain.com/privkey.pem
Your cert will expire on 2022-04-14. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
After this, you can remove HTTP port 80 rule as you don’t need it anymore.
Use the following commands to show the text content of 2 files privkey.pem and fullchain.pem, and copy them manually and save them locally with the same filename: (make sure you replace vpn.yourdomain.com with the expected domain or IP)
cat /etc/letsencrypt/live/vpn.youdomain.com/fullchain.pem
cat /etc/letsencrypt/live/vpn.youdomain.com/privkey.pem
Configure SSL certificate to OpenVPN server:
- Visit https://vpn.yourdomain.com:943/admin and login with admin credentials used earlier.
- Go to Configuration > Web Server:
- Upload local fullchain.pem for Certificate and local privkey.pem for Private Key. Then click Validate.
- Click on Save and Update existing server.
Here we go, you have successfully set up SSL to your openVPN server.
Create New User:
Go to VPN admin URL and from User Management panel:
- Go to User Permission, enter new username ‘clientuser’ (you can use any) and click More Settings and set new password.
- Click on Save Settings and Update existing server.
Login:
Now, go to the client VPN URL(without /admin)(https://your.domain.com:943/) and log in with the credentials you set up earlier. You can download the client config file also. Or reset password and username from the admin panel.
That’s it!
Thank you!!
Write your comment
0 comments
No comments yet. 😀
Tags
Similar posts
There are no similar posts yet.