Run a Free VPN Server on AWS. Set up an EC2 instance running OpenVPN… | by Geoff Cox | Nov, 2022

Set up an EC2 instance running the OpenVPN server

Image credit: Unsplash

AWS has a capable firewall built into its core services: security groups, which make it easy to expose only specific ports to the outside world. An additional step we can take is to run a VPN server that acts as the single gateway to our protected AWS resources, for example, EC2, RDS, MLDR, etc.

Once every path to those resources goes through the VPN, we can shut down direct access to them entirely and control who gets in by issuing and revoking VPN client credentials. This is very useful when you need to cut off a former employee: revoking their VPN client is enough, because there is no other way in.

AWS now offers a managed VPN service, but it costs at least $72 per month and more if your VPN carries a lot of traffic. Many small organizations don't need all the features of a managed service and can run their own VPN server for the cost of a single EC2 instance. If you are within the free tier, a t2.micro costs nothing for the first year.

Overview: Security groups let the servers in your VPC communicate with each other while exposing only specific ports to the world. We will create a security group that allows VPN clients to reach our VPN server. We assume that all your other AWS resources are members of the default security group, and that the default security group does not allow access from the outside world (as shipped, it only allows traffic from other members of the same group).

Log on to https://aws.amazon.com, type EC2 in the search box, and click the EC2 result to go to the EC2 Dashboard.

From the EC2 Dashboard, click on Security Groups:


Click Create Security Group:


Enter a name and description for the VPN security group and add inbound rules for ports 22, 443, 943 and 1194.

Comment: the protocol for port 1194 is UDP; the other three are TCP. Port 22 is SSH for administering the server, not part of the VPN service, so give it the narrowest source you can (your own address). The VPN ports are the ones that have to be reachable from wherever your team connects.


Comment: If the IP addresses your team uses are static, you can add another layer of security by restricting the source of each rule to those addresses. If you want your team to be able to connect from any network (a hotel, home, cafe, etc.), the source of the VPN port rules has to stay open (0.0.0.0/0); even then, keep port 22 restricted to the addresses you administer the server from.
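The same security group created with the AWS SDK instead of the console, as an added example that is not from the article or the openvpn-server-vagrant project. It uses boto3 (the real create_security_group and authorize_security_group_ingress calls); ADMIN_CIDR and VPC_ID are placeholders you replace. Ports 443 and 943 are included because the article lists them; only SSH (22) is restricted to the admin address, since the VPN ports must stay reachable from wherever your team connects. Without arguments it prints the rules as a dry run; with --apply it creates the group.

```python
"""Create the VPN security group with the article's four inbound rules.

Added example, not code from the article or the openvpn-server-vagrant project.
Requires boto3 and AWS credentials only for the --apply path.
"""
import json
import sys

ANYWHERE = "0.0.0.0/0"
ADMIN_CIDR = "203.0.113.10/32"      # placeholder: the address you administer from
VPC_ID = "vpc-0123456789abcdef0"    # placeholder: your default VPC id


def vpn_ingress_rules(admin_cidr=ADMIN_CIDR, client_cidr=ANYWHERE):
    """Build the IpPermissions list that authorize_security_group_ingress takes:
    22/tcp only from the admin address; 1194/udp, 443/tcp and 943/tcp from
    wherever clients connect (the article's rule list)."""
    spec = [
        ("tcp", 22,   admin_cidr,  "SSH administration"),
        ("udp", 1194, client_cidr, "OpenVPN tunnel (UDP, not TCP)"),
        ("tcp", 443,  client_cidr, "OpenVPN TCP 443 (article rule list)"),
        ("tcp", 943,  client_cidr, "OpenVPN 943 (article rule list)"),
    ]
    return [
        {
            "IpProtocol": proto,
            "FromPort": port,
            "ToPort": port,
            "IpRanges": [{"CidrIp": cidr, "Description": why}],
        }
        for proto, port, cidr, why in spec
    ]


def create_vpn_security_group(vpc_id, admin_cidr, name="vpn"):
    """Create the group in the VPC and attach the rules; returns the group id."""
    import boto3  # imported here so vpn_ingress_rules() works without boto3
    ec2 = boto3.client("ec2")
    group = ec2.create_security_group(
        GroupName=name, Description="OpenVPN server", VpcId=vpc_id)
    ec2.authorize_security_group_ingress(
        GroupId=group["GroupId"], IpPermissions=vpn_ingress_rules(admin_cidr))
    return group["GroupId"]


if __name__ == "__main__":
    # Dry run by default: print the rules so you can review them first.
    if "--apply" in sys.argv:
        print(create_vpn_security_group(VPC_ID, ADMIN_CIDR))
    else:
        print(json.dumps(vpn_ingress_rules(), indent=2))
```

Attach this group together with the default security group when you launch the instance, exactly as in the console steps that follow; the default group is what lets the VPN server talk to your other resources.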

Return to the EC2 dashboard, and then click Launch Instances:


Select Ubuntu (you can use almost any other OS that runs OpenVPN, but this tutorial and the helper scripts below are tailored for Ubuntu).


Select t2.micro:


Comment: You can use a Nano instance instead of a Micro instance, but Nano instances are not eligible for the free tier.

In the Network Settings section, select your default VPC and disable the Auto-assign public IP option (we will attach a static Elastic IP instead). Then select both your default security group and the VPN security group you created above. Pick (or create) a key pair as well; you will need it to SSH into the server.


Click on Launch Instance

From the list of instances, select the VPN instance and choose Actions -> Networking -> Change source/destination check from the dropdown menu.


Select Stop and click Save. By default EC2 drops packets whose source or destination address is not the instance's own; a VPN server forwards traffic on behalf of its clients, so without this change it will not be able to reach your other AWS resources.


Overview: When an EC2 instance is stopped and started again, its auto-assigned public IP address changes. We want our VPN server's address to be static, because clients connect to it by address, so we will use an Elastic IP address.

From the EC2 Dashboard, select Elastic IPs:


Click on Allocate Elastic IP Address:


Take note of your new Elastic IP address, as this will be the public IP address of your VPN server. We will refer to it later as PUBLIC-IP-OF-VPN-SERVER.

Select the address you just allocated and choose Actions -> Associate Elastic IP address from the dropdown menu.

Select the EC2 instance you created above and click Associate:


SSH into your VPN server with the key pair you chose at launch (pass it with -i if it is not loaded in your SSH agent):

$ ssh ubuntu@PUBLIC-IP-OF-VPN-SERVER

Download our helper script and set up a default configuration:

$ git clone https://github.com/redgeoff/openvpn-server-vagrant
$ cd openvpn-server-vagrant
$ cp config-default.sh config.sh

Edit config.sh and enter your configuration. Comment: PUBLIC_IP must be set to the Elastic IP address you allocated above; it is the address clients will connect to.

$ nano config.sh

Switch to root:

$ sudo su -

Now update Ubuntu.

Note: You will be prompted several times; press Enter each time to accept the default.

$ /home/ubuntu/openvpn-server-vagrant/ubuntu.sh

Now install OpenVPN.

Note: You will be prompted several times; press Enter each time to accept the default.

$ /home/ubuntu/openvpn-server-vagrant/openvpn.sh

At this point, the OpenVPN server is running.

Routes must be pushed by the server so that your team's clients know which traffic to send through the VPN.

You can determine the right subnet by returning to your list of EC2 instances, clicking on the target instance, and noting its private IP.

For the default VPC, whose CIDR block is 172.31.0.0/16, the network is the first two parts of the private IP with zeros appended, for example 172.31.0.0. If you use a VPC of your own, read its CIDR block from the VPC console rather than guessing from the address: a /20 or /24 VPC needs a narrower route and a different netmask.

On the VPN server, edit /etc/openvpn/server/server.conf and add a line like the following (the netmask 255.255.0.0 corresponds to the /16):

push "route 172.31.0.0 255.255.0.0"

Then, restart the VPN server with the following:

$ systemctl restart openvpn-server@server.service
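A small helper for the route step above, added here as an example that is not part of the article or the openvpn-server-vagrant scripts. It derives the push directive from the VPC's real prefix length instead of the two-octet rule of thumb, which only holds for a /16, checks that the server's own private IP lies in the pushed range, and appends the line to server.conf without duplicating it. The CIDRs and config text in it are constructed placeholders; the server.conf path is the one the article uses.

```python
"""Derive the OpenVPN 'push route' line from the VPC CIDR and add it to server.conf.

Added example, not from the article or the openvpn-server-vagrant scripts.
"""
import ipaddress
import sys

SERVER_CONF = "/etc/openvpn/server/server.conf"  # path used by the article


def push_route_directive(vpc_cidr):
    """Return the server.conf line that sends VPC traffic through the tunnel.

    Accepts a proper CIDR ("10.0.0.0/20") or the server's private IP with the
    VPC prefix length ("10.0.5.17/20"); host bits are masked off either way,
    so 172.31.0.0/16 and 172.31.17.4/16 both yield 172.31.0.0 255.255.0.0."""
    net = ipaddress.ip_network(vpc_cidr, strict=False)
    return f'push "route {net.network_address} {net.netmask}"'


def in_vpc(private_ip, vpc_cidr):
    """Sanity check: the VPN server's own private IP must lie in the pushed range,
    otherwise you copied the wrong CIDR."""
    return ipaddress.ip_address(private_ip) in ipaddress.ip_network(vpc_cidr, strict=False)


def with_push_route(conf_text, vpc_cidr):
    """Return conf_text with the directive appended; unchanged if the exact line exists."""
    line = push_route_directive(vpc_cidr)
    if line in (existing.strip() for existing in conf_text.splitlines()):
        return conf_text
    return conf_text.rstrip("\n") + "\n" + line + "\n"


if __name__ == "__main__":
    # usage (as root): python3 push_route.py 172.31.0.0/16 [path-to-server.conf]
    cidr = sys.argv[1]
    path = sys.argv[2] if len(sys.argv) > 2 else SERVER_CONF
    with open(path) as f:
        original = f.read()
    updated = with_push_route(original, cidr)
    if updated != original:
        with open(path, "w") as f:
            f.write(updated)
    print(push_route_directive(cidr))
```

After running it, restart the service as shown above; clients pick up the new route the next time they connect.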

Note: We assume you are still SSH'd into the VPN server and logged in as root.

Run the following command, replacing client at the end with a unique name for your user/client.

$ /home/ubuntu/openvpn-server-vagrant/add-client.sh client

This produces a configuration file named after the client, for the example above:

~/client-configs/files/client.ovpn

Give this file to the team member who will connect to the VPN; scp is the easiest way to download it from the server. Treat it as a secret: a generated .ovpn of this kind bundles the client's certificate and private key, so send it over a secure channel and delete copies you no longer need.

Your team can use one of various OpenVPN clients, such as Tunnelblick (macOS) or the official OpenVPN client (Linux, iOS, Android and Windows). After installing one, they can import the VPN configuration by double-clicking the .ovpn file.

Note: Once connected to the VPN, your users reach your AWS resources by their private IPs. You can use nslookup to resolve a private IP from the hostnames AWS assigns to resources, but you will probably want to create Route 53 records that point to the private IPs so your team can use memorable names.

Note: We assume you are still SSH'd into the VPN server and logged in as root.

Run the following command, replacing client at the end with the name of the user/client whose access you want to revoke. This revokes that client's certificate, so the .ovpn file they still hold no longer gets them in.

$ /home/ubuntu/openvpn-server-vagrant/revoke-full.sh client

If your VPN client reports a TLS handshake failed error, it is most likely because your VPN security group is wrong. Make sure the port and protocol are correct: a common mistake is opening port 1194 as TCP instead of UDP, or not opening it at all. Also confirm that the remote address in the .ovpn file is the Elastic IP and that the Elastic IP is still associated with the instance.
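To check the group without clicking through the console, here is an added example (not from the article) that audits a security group's rules for exactly these mistakes. The rule format is what boto3's describe_security_groups returns under IpPermissions; SAMPLE_BAD is a constructed rule set with 1194 opened as TCP and SSH open to the world, and SAMPLE_GOOD is the corrected one. Pass a group id on the command line to audit the live group instead of the sample.

```python
"""Audit a security group for the rules the OpenVPN server needs.

Added example, not part of the article. Only the live lookup needs boto3.
"""
import sys

ANYWHERE = "0.0.0.0/0"


def allows(permissions, proto, port, cidr=None):
    """True if some rule admits proto/port (from cidr, if given).
    IpProtocol "-1" is AWS's 'all traffic' and carries no port range."""
    for rule in permissions:
        if rule.get("IpProtocol") not in (proto, "-1"):
            continue
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        if not lo <= port <= hi:
            continue
        if cidr is None or any(r.get("CidrIp") == cidr for r in rule.get("IpRanges", [])):
            return True
    return False


def audit_vpn_group(permissions):
    """Return a list of problems; an empty list means the group is fine for OpenVPN."""
    problems = []
    if not allows(permissions, "udp", 1194):
        msg = "UDP 1194 is not open: clients get 'TLS handshake failed'"
        if allows(permissions, "tcp", 1194):
            msg += " (port 1194 is opened as TCP, but the server listens on UDP)"
        problems.append(msg)
    if allows(permissions, "tcp", 22, ANYWHERE):
        problems.append("SSH (22) is reachable from 0.0.0.0/0; restrict it to your admin address")
    return problems


# Constructed samples: the wrong-protocol mistake, and the corrected rule set.
SAMPLE_BAD = [
    {"IpProtocol": "tcp", "FromPort": 1194, "ToPort": 1194, "IpRanges": [{"CidrIp": ANYWHERE}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": ANYWHERE}]},
]
SAMPLE_GOOD = [
    {"IpProtocol": "udp", "FromPort": 1194, "ToPort": 1194, "IpRanges": [{"CidrIp": ANYWHERE}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
]


def fetch_permissions(group_id):
    """Pull the live inbound rules for a group id (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the audit itself runs without boto3
    ec2 = boto3.client("ec2")
    return ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]["IpPermissions"]


if __name__ == "__main__":
    # usage: python3 audit_sg.py [sg-0123456789abcdef0]
    perms = fetch_permissions(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_BAD
    for problem in audit_vpn_group(perms) or ["no problems found"]:
        print(problem)
```

If the audit comes back clean and the handshake still fails, the problem is on the client side or in the PUBLIC_IP you put into config.sh, not in the firewall.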
