This project sets up an OpenVPN server on an EC2 instance that can be
used to reduce the risk of using open and public WiFi access points.
Recommendations for using a VPN are common and wide spread
simply search for how to safely use public wifi.
This project sets up a VPN on an Amazon EC2 compute instance. The VPN is community edition of OpenVPN. It will be deployed on Ubuntu because I am familiar with Ubuntu, there are packaged versions of OpenVPN in the distro repository, and there is a Amazon Machine Image (AMI) for Ubuntu that is elible for the AWS Free Usage Tier.
AWS account setup is not covered here, but is well documented at the AWS web site. These links are good starting points:
Easy-RSA is used to create and sign the credentials. Easy-RSA is included in the openvpn package on Ubuntu 12.04. On Ubuntu 14.04 it is a separate package. Some guides (the [Ubuntu Guide][ubuntu_openvpn] for example) use Easy-RSA from those packages and create the credentials on the server itself. This project will create the credentials on your local host both to minimize the work on the server and to keep unnecessary sensitive files off the server.
Download a release tarball from https://github.com/OpenVPN/easy-rsa/releases. These instructions are for v2.2.2
$ wget https://github.com/OpenVPN/easy-rsa/releases/download/2.2.2/EasyRSA-2.2.2.tgz
$ tar -xzf EasyRSA-2.2.2.tgz
$ cd EasyRSA-2.2.2/
Edit the vars file and adjust the following to your environment. If
its not clear to you what the value should be, you can use an
arbitrary string (such as MyVPN). The values aren't that important
unless you are going to be signing things for others.
export KEY_COUNTRY="US"
export KEY_PROVINCE="NC"
export KEY_CITY="Winston-Salem"
export KEY_ORG="Example Company"
export KEY_EMAIL="steve@example.com"
export KEY_OU="MyVPN"
export KEY_NAME="MyVPN"
export KEY_CN="MyVPN"
Now generate the master Certificate Authority (CA). The values you
adjusted in the vars file will be the default answers to the questions
asked by ./build-ca.
$ source ./vars
$ ./clean-all
$ ./build-ca
The resulting CA file is keys/ca.crt.
Next build the server certificate and the Diffie Hellman parameters
file. myserver is a literal argument that will be used to construct
the file names for the server certificate and key. If you use a
different value you will need to modify the server.conf file and the
installation scripts.
Accept defaults for all the values, leaving the challenge password and
optional company name empty. You will have to answer y to the Sign the certificate? and 1 out of 1 certificate requests certified, commit? questions.
$ ./build-key-server myserver
$ ./build-dh
The files your are going to use are: keys/myserver.crt,
keys/myserver.key, and keys/dh2048.pem.
You will need at least one client certificate, but it is a good idea to use a different certificate for each of your computers and mobile devices. There are several EasyRSA scripts to build the client certificates. Creating a PKCS#12 archive simplifies installing the keys and since it is an encrypted archive it can be safely moved over insecure channels.
clientID will used as part of the certificate file name. Accept the
default values, leave challenge password and optional company anem
empty. Answer y to the Sign the certificate? and 1 out of 1 certificate requests certified, commit? questions.
DO NOT FORGET THE Export Password
$ cd EasyRSA-2.2.2/
$ ./build-key-pkcs12 clientID
There is only one file you will need: keys/clientID.p12 where
clientID is the argument you specified.
This is somewhat optional. If you don't want to setup a dynamic DNS host name, you can use an ElasticIP or even the public IP assigned when the EC2 instance gets started. The down side of the ElasticIP is that it costs you money when you EC2 instance is not running. The down side of the EC2 public IP is that it changes every time the instance is stopped and restarted. You will have to update the configuration files on the instance and on your clients each time you stop and start the EC2 instance.
It is much easier to a use a dynamic DNS (DDNS) service. The scripts in this project will automatically update the IP address at the DDNS when the VPN is started. These scripts are specific to freeDNS, but should be easy to modify for other services.
Use the fully qualified host
name (circled in green) and the URL associated with the DirectURL link
(circled in red) from the this table on the freeDNS:Dynamic
DNS page to configure dynamicSetup.sh and client.ovpn.
-
Edit
dynamicSetup.shand setDDNS_URL. -
Edit
client.ovpnand replaceSERVER_DNS_OR_IPwith the fully qualified host name of your server
You will need an SSH Key to login to the EC2 instance. The easiest thing
to do is to import the you local default key (~/.ssh/id_rsa.pub) into
your AWS account. If you don't have the /.ssh/id_rsa.pub file, then
follow the instructions in this article at
GitHub
The instructions for importing your key are in the AWS Documentation
You are finally ready to launch you EC2 instance. If you haven't done this before, then it is worth your time work through the AWS Getting Started example.
These are the key configuration details:
- Select the
Ubuntu Server 14.04 LTS (PV), 64-bitAMI - Select a Micro Instance (
t1.micro) - Select the SSH key you imported above
- Configure the security group with a Custom UDP Rule for the OpenVPN port:
The following are suggestions/guidelines that work well for me:
- Do not leave the Name tag empty, set a name that will make it clear to you what will be running on the instance.
- Do not reuse an existing security group. If you try to reuse security groups then you have to balance how the settings will effect each instance in the group.
- Do not accept the default Security Group name and description. Make it clear that the security group is associated with the instance you are creating.
- The best security is to limit SSH access to only known IP addresses (see the image above).
Note: you can also log onto the instance via ssh through the VPN (just use the server address on the VPN subnet, typically 10.8.0.1), so there is seldom a good reason to open the SSH access beyond your known IP addresses.
Log on to the EC2 instance. Use either the public IP or the AWS DNS name.
local$ ssh ubunut@ec2XXXXXXXXXX.compute-1.amazonaws.com
Enter passphrase for key xxxxxxxxxxxxxxxxx:
Welcome to Ubuntu 14.04 LTS ...
...
ubuntu@domU:~$
Install OpenVPN:
ubuntu#domU:~$ sudo apt-get install openvpn
Copy and install the configuration files on the server. Restart OpenVPN and clean up.
local$ ./pkg_server_files.sh
local$ scp server_files.tgz ubunut@ec2XXXXXXXXXX.compute-1.amazonaws.com:.
local$ ssh ubunut@ec2XXXXXXXXXX.compute-1.amazonaws.com
ubuntu@domU:~$ tar -xzf server_files.tgz
ubuntu@domU:~$ cd server_files
ubuntu@domU:~$ sudo ./setup_server.sh
ubuntu@domU:~$ sudo service openvpn restart
ubuntu@domU:~$ cd ..
ubuntu@domU:~$ rm -rf server_files/ server_files.tgz
Install network-manager support for OpenVPN:
$ sudo apt-get install network-manager-openvpn-gnome
You need the client.ovpn file and the
EasyRSA-2.2.2/keys/clientID.p12 files to setup up an new VPN
connection.
Starting at the Network Icon in the top bar, the add the new
connection:
Network Icon->VPN Connections->Configure VPN->VPN->Add->Import
Select the client.ovpn file. An Editing client dialog will appear.
The Gateway field will have the DNS name (or IP address) for the
OpenVPN server.
Load the clientID.p12 file as the User Certificate. The CA Certificate and the Private Key fields should automatically show
clientID.p12.
Now you need to enter the export password from above and
then you will be able to click on the Save button.
Enable and disable the VPN from the Network VPN Connnectons list:
Network Icon->VPN Connections
If you are not going to use the VPN for an extended period of time, and you Free Tier at AWS has expired, you can save some money by stopping the EC2 instance. The smaller cost for EBS (Elastic Block Storage) will still accrue.
When you restart the EC2 instance, the VPN will start automatically and the dynamic DNS service will be upated with the new IP address for the instance.
If you terminate, rather than stop, the EC2 instance the file system storage on EBS will also be deleted. Now there will be no on-going charges assoicated with the VPN.
To restart the VPN after the EC2 instance has been terminated, repeat the instructions above starting at Launch EC2 Instance.