Skip to content
/ aws-openvpn-solution Public

A guide on how to secure your AWS infrastructure with a simple OpenVPN deployment

License

MIT license
5 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

osodevops/aws-openvpn-solution

BranchesTags

Repository files navigation

AWS OpenVpn Solution

This is a deployment guide on how to get OpenVPN onto your AWS infrastructure, in order to quickly secure your infrastructure.

In this guide we will be using the OpenVpn Access Server instead of the community edition, which most engineers will be familiar with. This product comes with a nice GUI and several other features out to box allowing you to quickly spin up an ISO 27001 compliant VPN service.

The OpenVPN Access Server can be selected from the AWS Marketplace with different license options, based on concurrent users and size of ec2 instance.

How does the VPN solution work?

The OpenVPN client establishes connection to the VPN server using the UDP protocol. The virtual tunnel is established with a dynamic ip from the following range: 172.16.223.0/24. Internet traffic is not tunneled over the VPN connection for security reasons, splitting the VPN tunnel traffic. End user can only access internal servers & services on the private subnets, any other subnet or VPC is off-limits. The OpenVPN user access database controls the access privileges to the subnets, different rules can be applied to users. All config data is stored within the Mysql RDS instance. Internal DNS domains are forwarded from Route 53 by OpenVPN, allowing the client to query AWS for internal domain resolution.

Please see the diagram below:

Architecture

Notes from the diagram:

  • The RDS Mysql database provides greater redundancy than the original file based SQlite database.

How to deploy

There are several ways to deploy this solution. In this example we are using CloudFormation and bash in the userdata field to complete the setup process. We have included some Ansible playbooks which could be used instead during the deployment. However they will require the user to setup S3 buckets in their respective AWS accounts, we have also included a few short python scripts for that.

Once you have completed the CloudFormation deployment, please SSH onto the new ec2 instance and complete the OpenVPN initial installation wizard that is run the moment you SSH onto the instance. Hence this solution does require a bit of manual work before the solution is automated.

Post CF deployment tasks:

  1. Go through the OpenVPN wizard
    1. Set a IP range for VPN tunnel traffic
    2. Set which subnets the VPN should access
    3. Create users
  2. Migrate SQLite DB to RDS
  3. Restart application with the RDS connection enabled
  4. Deployment complete!

For more information on how to secure your AWS infrastructure. Please contact us on: info@osodevops.io

About

A guide on how to secure your AWS infrastructure with a simple OpenVPN deployment

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

5 stars

Watchers

4 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages