Host OpenVPN on an Amazon EC2 instance
README.md

OpenVPN Community Edition on an AWS EC2 instance

This project sets up an OpenVPN server on an EC2 instance that can be used to reduce the risk of using open and public WiFi access points. Everything between your laptop and the EC2 instance travels inside the encrypted tunnel, so the access point (and anyone else on that network) sees only the tunnel, not your traffic. Recommendations for using a VPN on public networks are common and widespread; simply search for how to safely use public WiFi.

This project sets up a VPN on an Amazon EC2 compute instance. The VPN is the Community Edition of OpenVPN. It is deployed on Ubuntu because I am familiar with Ubuntu, because OpenVPN is packaged in the distro repository, and because there is an Amazon Machine Image (AMI) for Ubuntu that is eligible for the AWS Free Usage Tier.

Preparation

AWS Account

AWS account setup is not covered here, but is well documented at the AWS web site. These links are good starting points:

Credentials

Easy-RSA is used to create and sign the credentials. Easy-RSA is included in the openvpn package on Ubuntu 12.04; on Ubuntu 14.04 it is a separate package. Some guides (the [Ubuntu Guide][ubuntu_openvpn] for example) use Easy-RSA from those packages and create the credentials on the server itself. This project creates the credentials on your local host instead, both to minimize the work on the server and to keep the CA private key off the server: the server only needs ca.crt to verify clients, and a CA key sitting on an internet-facing host could be used to mint new client certificates if that host were ever compromised.

Setup

Download a release tarball from https://github.com/OpenVPN/easy-rsa/releases. These instructions are for v2.2.2.

$ wget https://github.com/OpenVPN/easy-rsa/releases/download/2.2.2/EasyRSA-2.2.2.tgz
$ tar -xzf EasyRSA-2.2.2.tgz
$ cd EasyRSA-2.2.2/

Edit the vars file and adjust the following to your environment. If it is not clear what a value should be, use an arbitrary string (such as MyVPN). These values only become the default subject fields of the certificates you build and are not important unless you are going to be signing certificates for others. Leave KEY_SIZE at its default of 2048; build-dh names its output file after it (dh2048.pem).

export KEY_COUNTRY="US"
export KEY_PROVINCE="NC"
export KEY_CITY="Winston-Salem"
export KEY_ORG="Example Company"
export KEY_EMAIL="steve@example.com"
export KEY_OU="MyVPN"
export KEY_NAME="MyVPN"
export KEY_CN="MyVPN"

Now generate the master Certificate Authority (CA). The values you adjusted in the vars file are the default answers to the questions asked by ./build-ca. Note that ./clean-all deletes the whole keys directory: run it once before building the CA and never again, or you will wipe the CA and every certificate you have issued with it.

$ source ./vars
$ ./clean-all
$ ./build-ca

The resulting CA certificate is keys/ca.crt; the matching private key, keys/ca.key, stays on your local host.

Server

Next build the server certificate and the Diffie-Hellman parameters file (build-dh can take several minutes). myserver is a literal argument that will be used to construct the file names for the server certificate and key. If you use a different value you will need to modify the server.conf file and the installation scripts to match.

Accept defaults for all the values, leaving the challenge password and optional company name empty. You will have to answer y to the Sign the certificate? and 1 out of 1 certificate requests certified, commit? questions.

$ ./build-key-server myserver
$ ./build-dh

The files you are going to use are keys/myserver.crt, keys/myserver.key, and keys/dh2048.pem.

Client

You will need at least one client certificate, but it is a good idea to use a different certificate for each of your computers and mobile devices, so that a lost or stolen device's certificate can be revoked on its own without reissuing the others. There are several Easy-RSA scripts to build client certificates. Creating a PKCS#12 archive simplifies installing the keys, and since the archive is encrypted with the export password it can be moved over insecure channels; it bundles the client's private key, so choose a strong export password.

clientID will be used as part of the certificate file name. Accept the default values, leaving the challenge password and optional company name empty. Answer y to the Sign the certificate? and 1 out of 1 certificate requests certified, commit? questions.

DO NOT FORGET THE Export Password

$ cd EasyRSA-2.2.2/
$ ./build-key-pkcs12 clientID

There is only one file you will need: keys/clientID.p12 where clientID is the argument you specified.
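Before any of these files leave the local host it is worth checking that they fit together. The script below is an added example, not part of this project: it drives the openssl command-line tool directly (Easy-RSA is a wrapper around it) and expects the file names produced above under keys/. It confirms that myserver.crt chains to ca.crt and carries the serverAuth extended key usage that build-key-server sets (this is what a client's remote-cert-tls server directive checks, so that a stolen client certificate cannot pose as the server), that myserver.key belongs to myserver.crt, that nothing is close to expiry, that the PKCS#12 opens with the export password and includes the CA certificate, and that a tarball destined for the server does not contain ca.key. make_demo_pki builds a constructed throw-away PKI with the same file names so the checks can be exercised offline; what pkg_server_files.sh actually bundles is not shown on this page, so the tarball check is an assumption about its contents.

```shell
#!/bin/sh
# Added example, not part of the project: sanity-check the Easy-RSA output
# before it is packaged for the server. Uses the openssl CLI directly and
# expects keys/ca.crt, myserver.crt, myserver.key and clientID.p12.

# check_credentials DIR P12PASS -> 0 if every check passes, 1 on the first failure.
check_credentials() {
    dir=$1
    p12pass=$2
    for f in ca.crt myserver.crt myserver.key clientID.p12; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    # 1. The server certificate must chain to the CA we are about to ship.
    openssl verify -CAfile "$dir/ca.crt" "$dir/myserver.crt" >/dev/null 2>&1 \
        || { echo "myserver.crt is not signed by ca.crt" >&2; return 1; }
    # 2. It must carry extendedKeyUsage=serverAuth (set by build-key-server);
    #    a client using 'remote-cert-tls server' rejects anything without it.
    openssl x509 -in "$dir/myserver.crt" -noout -text 2>/dev/null \
        | grep -q 'TLS Web Server Authentication' \
        || { echo "myserver.crt lacks extendedKeyUsage=serverAuth" >&2; return 1; }
    # 3. Key and certificate must belong together (same RSA modulus).
    cmod=$(openssl x509 -in "$dir/myserver.crt" -noout -modulus 2>/dev/null)
    kmod=$(openssl rsa -in "$dir/myserver.key" -noout -modulus 2>/dev/null)
    [ -n "$cmod" ] && [ "$cmod" = "$kmod" ] \
        || { echo "myserver.key does not match myserver.crt" >&2; return 1; }
    # 4. Neither certificate may be within 30 days of expiry.
    for c in ca.crt myserver.crt; do
        openssl x509 -in "$dir/$c" -noout -checkend 2592000 >/dev/null 2>&1 \
            || { echo "$c expires within 30 days" >&2; return 1; }
    done
    # 5. The PKCS#12 must open with the export password and bundle both the
    #    client certificate and the CA certificate (two CERTIFICATE blocks).
    n=$(openssl pkcs12 -in "$dir/clientID.p12" -passin "pass:$p12pass" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true)
    [ "${n:-0}" -ge 2 ] \
        || { echo "clientID.p12 does not open with that password or lacks the CA cert" >&2; return 1; }
    return 0
}

# server_bundle_ok TGZ -> 1 if the tarball for the server contains the CA
# private key. The server verifies clients with ca.crt alone.
server_bundle_ok() {
    if tar -tzf "$1" 2>/dev/null | grep -q 'ca\.key$'; then
        echo "refusing $1: it contains the CA private key" >&2
        return 1
    fi
    return 0
}

# make_demo_pki DIR P12PASS: constructed stand-in for the Easy-RSA keys/
# directory so the checks can run offline. Not the README's procedure.
make_demo_pki() {
    dir=$1
    p12pass=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj '/CN=MyVPN' \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' \
        > "$dir/server.ext"
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$dir/client.ext"
    for name in myserver clientID; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
    done
    openssl x509 -req -days 3650 -in "$dir/myserver.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/server.ext" \
        -out "$dir/myserver.crt" >/dev/null 2>&1
    openssl x509 -req -days 3650 -in "$dir/clientID.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/client.ext" \
        -out "$dir/clientID.crt" >/dev/null 2>&1
    openssl pkcs12 -export -in "$dir/clientID.crt" -inkey "$dir/clientID.key" \
        -certfile "$dir/ca.crt" -passout "pass:$p12pass" \
        -out "$dir/clientID.p12" >/dev/null 2>&1
}

# Usage:  sh credcheck.sh EasyRSA-2.2.2/keys <export password>
#         sh credcheck.sh demo      (constructed PKI in a temp directory)
case "${1:-}" in
    demo)
        tmp=$(mktemp -d)
        make_demo_pki "$tmp" demo-pass
        check_credentials "$tmp" demo-pass && echo "demo credentials OK"
        rm -rf "$tmp" ;;
    ?*)
        check_credentials "$1" "${2:-}" && echo "credentials OK" ;;
esac
```

Any non-zero exit is a reason not to run pkg_server_files.sh yet; a wrong export password fails check 5, and the serverAuth check is the one that catches a server certificate accidentally built with build-key instead of build-key-server.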

DDNS Hostname

This is somewhat optional. If you don't want to set up a dynamic DNS host name, you can use an Elastic IP or even the public IP assigned when the EC2 instance starts. The downside of the Elastic IP is that it costs you money while your EC2 instance is not running. The downside of the EC2 public IP is that it changes every time the instance is stopped and restarted, so you would have to update the configuration files on the instance and on your clients each time you stop and start the EC2 instance.

It is much easier to use a dynamic DNS (DDNS) service. The scripts in this project automatically update the IP address at the DDNS provider when the VPN is started. These scripts are specific to freeDNS, but should be easy to modify for other services.

Use the fully qualified host name (circled in green) and the URL associated with the DirectURL link (circled in red) from the table on the freeDNS Dynamic DNS page to configure dynamicSetup.sh and client.ovpn. The DirectURL embeds the update token for that host name; anyone holding it can repoint the name, so treat dynamicSetup.sh as a secret and keep it out of public repositories.

  • Edit dynamicSetup.sh and set DDNS_URL.

  • Edit client.ovpn and replace SERVER_DNS_OR_IP with the fully qualified host name of your server

SSH Key

You will need an SSH key to log in to the EC2 instance. The easiest thing to do is to import your local default public key (~/.ssh/id_rsa.pub) into your AWS account. If you don't have the ~/.ssh/id_rsa.pub file, then follow the instructions in this article at GitHub.

The instructions for importing your key are in the AWS Documentation

Launch EC2 Instance

You are finally ready to launch your EC2 instance. If you haven't done this before, it is worth your time to work through the AWS Getting Started example.

These are the key configuration details:

  • Select the Ubuntu Server 14.04 LTS (PV), 64-bit AMI
  • Select a Micro Instance (t1.micro)
  • Select the SSH key you imported above
  • Configure the security group with a Custom UDP Rule for the OpenVPN port (1194 unless you changed it in server.conf), and restrict the SSH rule to your own IP address rather than the default 0.0.0.0/0.

The following are suggestions/guidelines that work well for me:

  • Do not leave the Name tag empty; set a name that makes it clear what will be running on the instance.
  • Do not reuse an existing security group. If you reuse security groups, every rule change has to be weighed against every instance in the group.
  • Do not accept the default security group name and description. Make it clear that the security group belongs to the instance you are creating.
  • Limit SSH access to known IP addresses only (see the image above). The VPN port is the only thing that needs to be reachable from anywhere.

Note: you can also log onto the instance via ssh through the VPN (just use the server address on the VPN subnet, typically 10.8.0.1), so there is seldom a good reason to open the SSH access beyond your known IP addresses.
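The same security group can be built from the command line, which makes the rules easy to review. The script below is an added example, not part of this project. It assumes the AWS CLI is installed and configured for the account (with a default VPC), that OpenVPN listens on its default 1194/udp, and that the administrator's current address is 203.0.113.4 (a documentation address; substitute your own). audit_ingress applies the guidelines above to a list of inbound rules: only the VPN port may be open to the world, SSH must come from specific addresses, and nothing else may be open at all. WEAK_RULES and HARDENED_RULES are constructed inputs: the console's default SSH-from-anywhere rule beside the restricted one.

```shell
#!/bin/sh
# Added example, not part of the project: build the instance's security group
# with the AWS CLI and audit a rule list against the guidelines above.
# Assumptions: OpenVPN on its default 1194/udp, the AWS CLI configured for the
# account and a default VPC, and 203.0.113.4 standing in for the admin's address.

OPENVPN_PORT=1194
ADMIN_CIDR="203.0.113.4/32"

# audit_ingress RULES -> 0 if acceptable, 1 with a reason on stderr.
# RULES holds one inbound rule per line as "proto from_port to_port cidr"
# (this example's own representation, not the CLI's output format).
audit_ingress() {
    have_vpn=0
    while read -r proto from to cidr; do
        [ -z "$proto" ] && continue
        case "$proto:$from:$to" in
            udp:$OPENVPN_PORT:$OPENVPN_PORT)
                have_vpn=1 ;;                  # the one port the world may reach
            tcp:22:22)
                case "$cidr" in
                    0.0.0.0/0|::/0)
                        echo "reject: SSH reachable from the whole internet ($cidr)" >&2
                        return 1 ;;
                esac ;;
            *)
                echo "reject: unexpected rule $proto $from-$to from $cidr" >&2
                return 1 ;;
        esac
    done <<EOF
$1
EOF
    [ "$have_vpn" -eq 1 ] \
        || { echo "reject: nothing admits udp/$OPENVPN_PORT, the VPN would be unreachable" >&2; return 1; }
    return 0
}

# create_vpn_sg VPC_ID NAME -> prints the new group id. A fresh group with a
# descriptive name and description per instance, as recommended above.
create_vpn_sg() {
    vpc=$1
    name=$2
    sg=$(aws ec2 create-security-group --vpc-id "$vpc" --group-name "$name" \
            --description "OpenVPN server: udp/$OPENVPN_PORT from anywhere, SSH from admin only" \
            --query GroupId --output text) || return 1
    aws ec2 authorize-security-group-ingress --group-id "$sg" \
        --protocol udp --port "$OPENVPN_PORT" --cidr 0.0.0.0/0 >/dev/null || return 1
    aws ec2 authorize-security-group-ingress --group-id "$sg" \
        --protocol tcp --port 22 --cidr "$ADMIN_CIDR" >/dev/null || return 1
    echo "$sg"
}

# Constructed rule lists: the console's default (SSH from anywhere) beside
# the rule set this README recommends.
WEAK_RULES="tcp 22 22 0.0.0.0/0
udp $OPENVPN_PORT $OPENVPN_PORT 0.0.0.0/0"
HARDENED_RULES="tcp 22 22 $ADMIN_CIDR
udp $OPENVPN_PORT $OPENVPN_PORT 0.0.0.0/0"

# Usage:  sh vpn-sg.sh audit                       (checks the two lists above)
#         sh vpn-sg.sh create <vpc-id> openvpn-server-sg
case "${1:-}" in
    audit)
        audit_ingress "$WEAK_RULES" || echo "weak rules rejected, as expected"
        audit_ingress "$HARDENED_RULES" && echo "hardened rules accepted" ;;
    create)
        create_vpn_sg "$2" "$3" ;;
esac
```

If you later need SSH from a second location, add another /32 rule for it rather than widening the existing one; the audit keeps accepting the group as long as no SSH rule is open to 0.0.0.0/0 or ::/0.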

Configure Server

Log on to the EC2 instance. Use either the public IP or the AWS DNS name.

local$ ssh ubuntu@ec2XXXXXXXXXX.compute-1.amazonaws.com
Enter passphrase for key xxxxxxxxxxxxxxxxx:
Welcome to Ubuntu 14.04 LTS ...
...
ubuntu@domU:~$ 

Install OpenVPN:

ubuntu@domU:~$ sudo apt-get update && sudo apt-get install openvpn

Copy and install the configuration files on the server. Restart OpenVPN and clean up.

local$ ./pkg_server_files.sh
local$ scp server_files.tgz ubuntu@ec2XXXXXXXXXX.compute-1.amazonaws.com:.
local$ ssh ubuntu@ec2XXXXXXXXXX.compute-1.amazonaws.com
ubuntu@domU:~$ tar -xzf server_files.tgz
ubuntu@domU:~$ cd server_files
ubuntu@domU:~/server_files$ sudo ./setup_server.sh
ubuntu@domU:~/server_files$ sudo service openvpn restart
ubuntu@domU:~/server_files$ cd ..
ubuntu@domU:~$ rm -rf server_files/ server_files.tgz
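The project's server.conf and setup_server.sh are not reproduced on this page. What follows is an added example of a server configuration for the file layout used above (myserver.crt, myserver.key, dh2048.pem, ca.crt, VPN subnet 10.8.0.0/24), not the project's own files, together with a check worth running before service openvpn restart: that every file server.conf names exists next to it (this is exactly what breaks if you built the server certificate under a name other than myserver and forgot to edit the config), that the private key is not world-readable, and that the daemon drops root after start-up. enable_forwarding is the kernel and NAT setup without which clients connect but cannot reach anything beyond the server; it assumes the instance's interface is eth0, as on the Ubuntu 14.04 AMI.

```shell
#!/bin/sh
# Added example, not the project's server.conf or setup_server.sh. The layout
# matches this README: ca.crt, myserver.crt, myserver.key, dh2048.pem next to
# server.conf (on Ubuntu that directory is /etc/openvpn).

# write_server_conf DIR NAME writes DIR/server.conf for the certificate NAME.
write_server_conf() {
    dir=$1
    name=$2
    cat > "$dir/server.conf" <<EOF
port 1194
proto udp
dev tun
ca ca.crt
cert $name.crt
key $name.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
# Send all client traffic through the tunnel; that is the point of a public-WiFi
# VPN. Push a resolver too (dhcp-option DNS) or clients may keep using the
# access point's DNS.
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
# Drop root once the tunnel is up; persist-* let that survive restarts.
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
}

# check_server_conf DIR -> 0 if the config is usable, 1 with a reason otherwise.
check_server_conf() {
    dir=$1
    conf="$dir/server.conf"
    [ -r "$conf" ] || { echo "no readable $conf" >&2; return 1; }
    # Every credential the config names must exist, non-empty, beside it.
    for directive in ca cert key dh; do
        file=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        [ -n "$file" ] || { echo "server.conf has no '$directive' line" >&2; return 1; }
        [ -s "$dir/$file" ] \
            || { echo "'$directive $file' names a file that is not there" >&2; return 1; }
    done
    # The server private key must not be readable by other users (mode o+r).
    if [ -n "$(find "$dir" -name '*.key' -perm -004)" ]; then
        echo "a .key file in $dir is world-readable; chmod 600 it" >&2
        return 1
    fi
    # OpenVPN should not keep running as root after start-up.
    grep -q '^user ' "$conf" && grep -q '^group ' "$conf" \
        || { echo "server.conf does not drop privileges (user/group)" >&2; return 1; }
    return 0
}

# enable_forwarding: let the instance route and NAT client traffic out of
# eth0. Run as root on the server; not exercised by the offline check.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
}

# Usage on the server:  sudo sh server-conf.sh /etc/openvpn myserver
if [ -n "${2:-}" ]; then
    write_server_conf "$1" "$2"
    check_server_conf "$1" && echo "server.conf OK"
fi
```

The MASQUERADE rule is not persistent across reboots on its own; the project's scripts handle restart behaviour for you, but if you adapt this example, save the rule (for example with iptables-persistent) or re-add it from an OpenVPN up script.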

Configure Client

Ubuntu

Install network-manager support for OpenVPN:

$ sudo apt-get install network-manager-openvpn-gnome

You need the client.ovpn file and the EasyRSA-2.2.2/keys/clientID.p12 file to set up a new VPN connection.

Starting at the Network Icon in the top bar, add the new connection:

Network Icon->VPN Connections->Configure VPN->VPN->Add->Import

Select the client.ovpn file. An Editing client dialog will appear. The Gateway field will have the DNS name (or IP address) for the OpenVPN server.

Load the clientID.p12 file as the User Certificate. The CA Certificate and the Private Key fields should automatically show clientID.p12.

Now you need to enter the export password from above and then you will be able to click on the Save button.

Enable and disable the VPN from the Network VPN Connections list:

Network Icon->VPN Connections

Stop/Start EC2 Instance

If you are not going to use the VPN for an extended period of time, and your Free Tier at AWS has expired, you can save some money by stopping the EC2 instance. The smaller cost for EBS (Elastic Block Storage) will still accrue.

When you restart the EC2 instance, the VPN starts automatically and the dynamic DNS service is updated with the new IP address for the instance.

If you terminate, rather than stop, the EC2 instance, the file system storage on EBS is also deleted and there are no ongoing charges associated with the VPN. The server's private key goes with it, but everything needed to rebuild is still in your local EasyRSA-2.2.2/keys directory.

To restart the VPN after the EC2 instance has been terminated, repeat the instructions above starting at Launch EC2 Instance.