# VPN (vpn.yaml)

- Creates a single `OpenVPN` instance in the first public subnet of the specified VPC.
- Uses exported outputs of the specified VPC stack to get VPC values.
- Attaches a new EIP, and creates a Security Group with all the needed rules.
- Adds VPN rules to the VPC's public NACLs.
- Creates a Route53 entry for the VPN instance (requires a Route53 Public Zone).
- Connects up to 500 devices and users. You must accept the license agreement at the AWS Marketplace.

Steps:

- Create your VPCs.
- Create your private hosted zone (optional).
- Use the vpn.yaml template to create a single VPN instance in the first public zone.
- Follow the simple configuration instructions.

Parameters:

- Stack Name: E.g., `vpn-corp`
- VPC Stack: The name of the VPC stack where the VPN will be deployed. E.g., `vpc-corp`
- Version: The OpenVPN version.
- NumberOfDevices: Does not include instance charges. You must accept the license agreement in the AWS Marketplace.
- Instance Type: The AWS instance type that will be used.
- Key Name: The key that will be used to SSH into the host.
- Host Name: The DNS host name of the VPN server. E.g., `vpn.corp.us-east-1`
- Domain Name: The domain name of the Route53 public hosted zone that will contain the DNS record. E.g., `mycompany.net`
- SSH CIDR: The IPv4 CIDR allowed to SSH into the VPC's public zones. E.g., `0.0.0.0/0` (this admits SSH from any address; use a narrower range such as your office or bastion CIDR where you can).
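To make the feature list and the parameters above concrete, here is a minimal CloudFormation fragment showing how such a template wires together the imported VPC exports, a security group whose SSH rule is bound to the `SSH CIDR` parameter, the EIP, a public NACL entry and the Route53 record. This is an added example written here, not the project's own vpn.yaml: the export names `${VPCStack}-VPCId`, `${VPCStack}-PublicSubnet1` and `${VPCStack}-PublicNetworkAcl`, the `SSHCidr` default, the `ImageId` placeholder and the NACL rule number are assumptions, and the non-SSH ports (TCP 443, TCP 943, UDP 1194) are the OpenVPN Access Server defaults rather than values from this page.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Example OpenVPN Access Server wiring (illustrative, not the project's vpn.yaml)

Parameters:
  VPCStack:
    Type: String
    Description: Name of the VPC stack whose exports are imported below, e.g. vpc-corp
  SSHCidr:
    Type: String
    # Assumed corporate range. 0.0.0.0/0 would accept SSH from the whole internet.
    Default: 10.0.0.0/8
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'
    ConstraintDescription: must be an IPv4 CIDR such as 203.0.113.0/24
  HostName:
    Type: String
    Default: vpn.corp.us-east-1
  DomainName:
    Type: String
    Default: mycompany.net
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName
  InstanceType:
    Type: String
    Default: t3.small
  ImageId:
    Type: AWS::EC2::Image::Id
    Description: OpenVPN Access Server Marketplace AMI for this region (placeholder, supply your own)

Resources:
  VPNSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: OpenVPN Access Server
      VpcId: !ImportValue
        'Fn::Sub': '${VPCStack}-VPCId'            # assumed export name
      SecurityGroupIngress:
        - IpProtocol: tcp                         # SSH, restricted to the SSH CIDR parameter
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref SSHCidr
        - IpProtocol: tcp                         # admin UI (/admin) and client login page
          FromPort: 943
          ToPort: 943
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp                         # TCP VPN / web fallback (AS default)
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
        - IpProtocol: udp                         # UDP VPN (AS default)
          FromPort: 1194
          ToPort: 1194
          CidrIp: 0.0.0.0/0

  VPNInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ImageId
      InstanceType: !Ref InstanceType
      KeyName: !Ref KeyName
      SubnetId: !ImportValue
        'Fn::Sub': '${VPCStack}-PublicSubnet1'    # assumed export name: first public subnet
      SecurityGroupIds:
        - !Ref VPNSecurityGroup

  VPNEIP:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      InstanceId: !Ref VPNInstance

  # VPN rule on the VPC's public NACL. The matching ephemeral-port egress rule is
  # assumed to exist already in the VPC stack.
  VPNNaclIngress:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !ImportValue
        'Fn::Sub': '${VPCStack}-PublicNetworkAcl' # assumed export name
      RuleNumber: 120
      Protocol: 17                                # UDP
      RuleAction: allow
      Egress: false
      CidrBlock: 0.0.0.0/0
      PortRange:
        From: 1194
        To: 1194

  VPNDnsRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneName: !Sub '${DomainName}.'       # public zone must already exist
      Name: !Sub '${HostName}.${DomainName}.'
      Type: A
      TTL: '300'
      ResourceRecords:
        - !Ref VPNEIP

Outputs:
  AdminUI:
    Value: !Sub 'https://${HostName}.${DomainName}:943/admin/'
  SSHCommand:
    Value: !Sub 'ssh -i your.pem openvpnas@${HostName}.${DomainName}'
```

Two design points worth noticing: the `AllowedPattern` only checks that `SSHCidr` is shaped like a CIDR, so `0.0.0.0/0` still passes and the narrow default is what protects against accidental exposure; and the VPN ports are opened to `0.0.0.0/0` because remote clients must reach them, so access control for those ports happens inside Access Server (user records, passwords) rather than in the security group.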
These steps are done after the stack has been created.

- SSH to the instance. The domain name is in the outputs of the stack.

  ```
  $ ssh -i your.pem openvpnas@vpn.nonprod.us-east-1.mycompany.net
  ```

- The setup will start automatically.
- Agree to the license terms.
- Accept the default settings for each parameter.
- Set a password for the `openvpn` admin user:

  ```
  $ sudo bash
  # passwd openvpn
  Enter new UNIX password:
  Retype new UNIX password:
  passwd: password updated successfully
  ```

- Go to the Admin UI in a browser. The address is in the outputs of the stack.

  ```
  https://YOUR_DOMAIN_NAME:943/admin/
  ```

- Log in as the `openvpn` user with the password you created in the previous step.
- Go to `Server Network Settings`.
  - For `Hostname or IP Address`, enter the domain name of the VPN instance. E.g., `vpn.nonprod.us-east-1.mycompany.com`
  - Click the `Save Settings` button at the bottom of the page.
  - Click the `Update Running Server` button at the top of the page.
- Go to `VPN Settings`.
  - Scroll to the `DNS Settings` section.
  - Select `Have clients use the same DNS servers as the Access Server host`.
  - Scroll to `DNS resolution zones`.
  - For `DNS zones`, enter the domain name of the private hosted zone that the VPC is associated with. E.g., `myco.net`. See hosted-zone.md for details on how to add your VPCs to a private hosted zone. If you did not set up a private zone, you can enter the AWS provided private domain name. For `us-east-1` the AWS provided domain name is `ec2.internal`. For other regions it is `<REGION>.compute.internal`.
  - Click the `Save Settings` button at the bottom of the page.
  - Click the `Update Running Server` button at the top of the page.
- Go to `User Permissions`.
  - Enter a new username in the `New Username` field.
  - Click `Show` in the `More Settings` column.
  - Enter a password in the `Local Password` input box.
  - Check the `Allow Auto-login` box.
  - Check the box that says `Require user permissions record for VPN access`.
  - Click the `Save Settings` button.
  - Click the `Update Running Server` button.
- Log out of the admin console.
- Go to the Client login page by simply removing `/admin` from the browser's current address.
  - This is where you can `Connect` to the VPN, or `Login` to download the OpenVPN Connect Client and/or client configuration files.
  - Enter the username and password you created, and select `Login` from the dropdown menu.
  - Download the `Yourself (autologin profile)`.
  - Import the file into a supported VPN client, e.g., Tunnelblick or OpenVPN Connect.
- Optionally you can select `OpenVPN Connect for` your OS. It will come pre-configured for the logged-in user.
- NOTE: I have had issues with DNS working correctly with the macOS OpenVPN client when it is connected to the VPN. It seems the DNS servers are not pushed to the client. For that reason I use Tunnelblick.