OpenVPN on AWS EC2

Introduction

A Virtual Private Network (VPN) tunnels all of your traffic to a remote server, so the sites you visit see that server's IP address instead of yours, and the network you are sitting on sees only one encrypted connection to the VPN server. Personally, I have been using a VPN to evade my school's network policy of blocking all ports other than those used for HTTP or FTP, and to play online games (sad to say, it's MapleStory) with my FYP group mates. I was introduced to creating a VPN server on Azure by my friend Zane, the author of this awesome guide on Spiffy teaching you how to do so.

However, I was looking for an alternative VPS service as my subscription to Azure is ending. I chose Amazon Web Services (AWS) because of its year-long free tier, so I adapted the Azure guide for AWS.

*Note: this guide was created in 2015. The commands assume the versions Ubuntu 14.04 shipped at the time (OpenVPN 2.3 and easy-rsa 2). easy-rsa 3 replaced the build-ca/build-key scripts with a single easyrsa command, and OpenVPN 2.5 removed the ns-cert-type option used in the client file below, so check your versions before following it verbatim.

Pre-Requisites

First off, we need to obtain the following:

Getting Started

Important Notes

If your school/organisation blocks ports, the default OpenVPN port 1194 used in this guide will probably be blocked too. To work around this, replace every occurrence of port 1194 with 443 (the HTTPS port, which is almost never blocked). If you do change the port, make sure you change it consistently in the security group, in the OpenVPN server configuration and in the OVPN client files: a mismatch in any one of them shows up only as a connection timeout, with no useful error.

Setting up the VM in AWS EC2

  1. Log in to AWS and open EC2.
  2. In the EC2 Management Console, click Launch Instance.
  3. Select an Ubuntu Server 14.04 LTS image (the release current when this guide was written; see the note above).
  4. Select the instance type you want (recommended: t2.micro, as it is eligible for the free tier).
  5. Click 6: Configure Security Group at the top.
  6. Add a new rule of type Custom TCP Rule:
    • Port: 1194* (change to 443 if your school/organisation blocks port 1194)
    • Source: Anywhere (0.0.0.0/0), since clients will connect from wherever they happen to be.
    Keep the SSH rule (port 22) that the wizard adds by default, but set its Source to My IP rather than Anywhere: that port only ever needs to be reachable by you.
  7. Click Review and Launch.
  8. Click Launch.
  9. A pop-up about key pairs appears. Create a new key pair, download the .pem file and keep it somewhere safe: it is the only credential for SSH access to this instance, and AWS cannot give you another copy of it.
  10. Now we wait for the instance to launch…

Connecting to the VM

  1. Before you continue, obtain the following detail of your newly created VM from the EC2 Console:
    • Public DNS
  2. Remember the key pair we created and downloaded just now? We need it now.
    Windows:
    • Launch PuTTYgen
    • Click Load
    • Choose 'All Files' and then load the key pair you downloaded (the .pem file)
    • (Optional) Enter a key passphrase
    • Click 'Save private key' and remember where the .ppk file is saved
    • Launch PuTTY
    • Click SSH and then click Auth in the tree on the left
    • Click Browse and select the private key file (.ppk) you just generated
    • Click Session in the tree on the left, then move on to the next step below
    OS X:
    Fire up Terminal and run the following command. ssh refuses to use a key file that other users can read, so the downloaded file's permissions have to be tightened first:

    chmod 400 /path/key-pair.pem
  3. If you are using Windows, fire up PuTTY; OS X users should fire up Terminal.
  4. Once your SSH client is open, enter the following details/command to connect to the VM.
    PuTTY: enter the Public DNS in the Host Name field (port 22), then move on to the next section, where you click Open.
    Terminal: run the following command (change '/path/key-pair.pem' and 'Public_DNS' accordingly; there is no need for sudo, and using it would make ssh look for the key and the known_hosts file as root rather than as you):

    ssh -i /path/key-pair.pem ubuntu@Public_DNS
  5. On the first connection you will be asked whether to trust the server's host key. This is expected, not an error: click Yes in PuTTY or type yes in Terminal. If you would rather check the fingerprint than trust it blindly, Ubuntu prints the host key fingerprints into the instance's system log on first boot (Get System Log under the instance's Actions menu in the EC2 console).

Installing & Configuring OpenVPN

For this part of the guide I will be using Windows only. The Linux commands are the same, so fear not.

Continuing from where we left off in the previous step.

  1. Click Open (PuTTY only).
  2. When prompted with 'login as:', type ubuntu (the default user on Ubuntu AMIs).
  3. Enter the passphrase if you set one on the key earlier.
  4. Enter the following commands:
    sudo -i
    apt-get update
    apt-get install openvpn easy-rsa
    mkdir /etc/openvpn/easy-rsa/
    cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
    cd /etc/openvpn/easy-rsa/
    source vars
    ./clean-all
    ./build-ca
    ./build-key-server techreunion
    ./build-dh
    cd keys/
    cp techreunion.crt techreunion.key ca.crt dh2048.pem /etc/openvpn/
    nano /etc/sysctl.conf

    Note: build-ca and build-key-server prompt you for the certificate details; accept the defaults or fill them in, and answer 'y' when asked to sign and commit the certificate. clean-all wipes the keys directory, so run it only this once. The CA key it creates (keys/ca.key) signs every client certificate you will ever issue and should never leave the server; the CA certificate (ca.crt) is the only part the clients need. build-dh takes a few minutes on a t2.micro. 

  5. Find the line
    #net.ipv4.ip_forward=1

    and remove the "#", so that it reads

    net.ipv4.ip_forward=1

    Without this the kernel drops packets arriving on the tunnel interface that are addressed to the internet, and clients get a tunnel but no connectivity.
  6. Save by pressing Ctrl + O, Enter to confirm the file name, and then Ctrl + X to exit.
  7. Enter the following commands:
    cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
    gzip -d /etc/openvpn/server.conf.gz
    nano /etc/openvpn/server.conf
  8. Edit the following (the port change is only needed if you chose a port other than 1194 above):
    From: 

    # open up this port on your firewall.
    port 1194
    To: 

    # open up this port on your firewall.
    port YOUR_PORT
    From: 

    # TCP or UDP server?
    ;proto tcp
    proto udp
    To: 

    # TCP or UDP server?
    proto tcp
    ;proto udp
    From: 

    ca ca.crt
    cert server.crt
    key server.key # This file should be kept secret
    To: 

    ca ca.crt
    cert techreunion.crt
    key techreunion.key # This file should be kept secret
    From: 

    # 2048 bit keys.
    dh dh1024.pem
    To: 

    # 2048 bit keys.
    dh dh2048.pem
    From: 

    # (The OpenVPN server machine may need to NAT
    # or bridge the TUN/TAP interface to the internet
    # in order for this to work properly).
    ;push "redirect-gateway def1 bypass-dhcp"
    To: 

    # (The OpenVPN server machine may need to NAT
    # or bridge the TUN/TAP interface to the internet
    # in order for this to work properly).
    push "redirect-gateway def1 bypass-dhcp"
    From: 

    # The addresses below refer to the public
    # DNS servers provided by opendns.com.
    ;push "dhcp-option DNS 208.67.222.222"
    ;push "dhcp-option DNS 208.67.220.220"
    To: 

    # The addresses below refer to the public
    # DNS servers provided by opendns.com.
    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 208.67.220.220"
  9. Save by pressing Ctrl + O and then Ctrl + X
  10. Enter the following command:
    nano /etc/rc.local
  11. Edit the following:
    From: 

    # By default this script does nothing.
    exit 0
    To: 

    # By default this script does nothing.
    iptables -t nat -A POSTROUTING -s "10.8.0.0/24" -j MASQUERADE
    exit 0

    This rule rewrites the source address of packets coming from the VPN subnet to the instance's own address, so replies from the internet come back to the instance and are forwarded into the tunnel. rc.local runs as root at boot, which is why the guide reboots at the end instead of running the command now; on Ubuntu 14.04 the file is already executable, so no chmod is needed.
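The server-side edits in steps 4 to 11 can be applied and verified with a script instead of by hand. The following is an added example and not code from the original guide; it assumes the sample server.conf shipped with OpenVPN 2.3 on Ubuntu 14.04, the certificate name techreunion used above and the default 10.8.0.0/24 tunnel subnet. The demo at the bottom runs against constructed copies of the three files in a temporary directory, not against /etc; to apply it on the server, call the three functions as root with the real paths.

```shell
#!/bin/sh
# Added example, not code from the original guide: applies the server-side
# edits from the steps above (server.conf, sysctl.conf, rc.local) with sed and
# awk so they are repeatable and checkable, instead of being made by hand in
# nano. Assumptions: the sample server.conf shipped with OpenVPN 2.3 on Ubuntu
# 14.04, the certificate name "techreunion" from the guide and the default
# 10.8.0.0/24 tunnel subnet. The demo at the bottom works on constructed copies
# in a temporary directory, never on /etc.
set -eu

# rewrite FILE SED-ARGS...: run sed over FILE and replace it (no sed -i, whose
# syntax differs between GNU and BSD sed)
rewrite() {
  f=$1; shift
  sed "$@" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# configure_server_conf CONF PORT CERTNAME: the edits of step 8
configure_server_conf() {
  rewrite "$1" \
    -e "s/^port 1194$/port $2/" \
    -e 's/^;proto tcp$/proto tcp/' \
    -e 's/^proto udp$/;proto udp/' \
    -e "s/^cert server\.crt$/cert $3.crt/" \
    -e "s/^key server\.key/key $3.key/" \
    -e 's/^dh dh1024\.pem$/dh dh2048.pem/' \
    -e 's/^;push "redirect-gateway def1 bypass-dhcp"/push "redirect-gateway def1 bypass-dhcp"/' \
    -e 's/^;push "dhcp-option DNS 208\.67\./push "dhcp-option DNS 208.67./'
}

# enable_ip_forward SYSCTL_CONF: step 5, uncomment net.ipv4.ip_forward=1
enable_ip_forward() {
  rewrite "$1" -e 's/^#net\.ipv4\.ip_forward=1$/net.ipv4.ip_forward=1/'
}

# add_masquerade RC_LOCAL: step 11, insert the NAT rule before "exit 0";
# a second call is a no-op so the script can be re-run safely.
add_masquerade() {
  rule='iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE'
  if ! grep -qF "$rule" "$1"; then
    awk -v rule="$rule" '/^exit 0$/ && !done { print rule; done = 1 } { print }' \
      "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  fi
}

# check_server_conf CONF PORT CERTNAME: succeed only if every directive the
# guide relies on is present exactly once and the sample defaults are gone.
# A push line left commented out is the usual cause of "connected but no
# internet", so this is worth running before the first service start.
check_server_conf() {
  for want in "port $2" 'proto tcp' "cert $3.crt" 'dh dh2048.pem' \
      'push "redirect-gateway def1 bypass-dhcp"' \
      'push "dhcp-option DNS 208.67.222.222"' \
      'push "dhcp-option DNS 208.67.220.220"'; do
    [ "$(grep -cxF "$want" "$1")" -eq 1 ] || { echo "missing: $want" >&2; return 1; }
  done
  if grep -qx 'proto udp' "$1"; then echo "udp still enabled" >&2; return 1; fi
  if grep -q '^key server\.key' "$1"; then echo "default key still set" >&2; return 1; fi
  return 0
}

# Demo on constructed copies of the three files (sample input, not real /etc).
tmp=$(mktemp -d)
cat > "$tmp/server.conf" <<'EOF'
port 1194
;proto tcp
proto udp
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
EOF
printf '#net.ipv4.ip_forward=1\n' > "$tmp/sysctl.conf"
printf '#!/bin/sh -e\n# By default this script does nothing.\nexit 0\n' > "$tmp/rc.local"

configure_server_conf "$tmp/server.conf" 443 techreunion
enable_ip_forward "$tmp/sysctl.conf"
add_masquerade "$tmp/rc.local"
check_server_conf "$tmp/server.conf" 443 techreunion && echo "demo: server.conf OK in $tmp"
```

The MASQUERADE rule is inserted exactly as in step 11. Adding -o eth0 to it would restrict NAT to traffic leaving the instance's network interface, which is tighter, but ties the rule to the interface name, which differs between Ubuntu releases.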

We have finally configured OpenVPN. We are almost there, hold on! In the next section we will generate the certificates and keys that clients use to connect to our VPN server.

Keys & Certificates

  1. Run the following commands to generate the client certificate and key (user is both the certificate's Common Name and the file name; pick a different name for every person):
    cd /etc/openvpn/easy-rsa/
    source vars
    ./build-key user
    cd keys/
  2. Note: in this step pay extra attention to ensure that you copy the contents of the certificates and key correctly, including the BEGIN and END lines.
    Run the commands:

    nano ca.crt
    nano user.crt
    nano user.key
  3. Copy the contents of each file into a text editor of your choice and save it with the same name (ca, user) and the proper extension (.crt, .key). user.key is the client's private key: anyone who has it together with user.crt can connect as that user, so keep it out of chat logs and shared folders. The .crt files from easy-rsa start with a human-readable dump of the certificate before the BEGIN CERTIFICATE line; OpenVPN ignores that part, so copying it along is harmless.
  4. You should end up with 3 files: ca.crt, user.crt and user.key.
  5. Run the following commands and you're done with the VM. The reboot is what applies the sysctl and rc.local changes; OpenVPN starts automatically at boot for every .conf file in /etc/openvpn, so the service comes back up on its own:
    service openvpn start
    reboot

VPN Client Configuration

  1. Create a new text file called user.ovpn with the following content.
    Edit Public_DNS and Port_Num below to fit your VPN server:
    Public_DNS: the public DNS of your VM.
    Port_Num: 1194, or the port you chose previously (443).
    The ns-cert-type server line makes the client refuse any server whose certificate was not issued with build-key-server, so a leaked client certificate cannot be used to impersonate the server. OpenVPN 2.4 deprecates this option and 2.5 removes it; on those versions use remote-cert-tls server instead, which easy-rsa 2 server certificates also satisfy.

    client
    dev tun
    proto tcp
    remote Public_DNS Port_Num
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert user.crt
    key user.key
    ns-cert-type server
    comp-lzo
    verb 3
  2. Using the VPN configuration files we have just created:
    OpenVPN GUI (Windows):
    1. Copy the 4 files you have created (user.ovpn, ca.crt, user.crt, user.key) into the config directory of your OpenVPN installation:
      For the 64-bit build: "C:\Program Files\OpenVPN\config"
      For the 32-bit build: "C:\Program Files (x86)\OpenVPN\config"
    2. Run OpenVPN GUI as Administrator.
    3. You're done!
    Tunnelblick (OS X):
    1. Double-click the .ovpn file and Tunnelblick will import the connection automatically, picking up ca.crt, user.crt and user.key from the same folder.
    2. You're done!
    Viscosity (OS X):
    Double-click the .ovpn file and Viscosity will import the connection automatically. If .ovpn files are not associated with Viscosity, follow the steps below:
    1. Click the Viscosity icon in the menu bar and then click Preferences
    2. Click the + button at the bottom left
    3. Click Import Connection and then click From File
    4. Select the .ovpn file you created
    5. You're done!
  3. Connect to the VPN server using the following steps:
    OpenVPN GUI:
    1. Ensure that you run OpenVPN GUI as Administrator (it needs to change the routing table) *Important
    2. Right-click the OpenVPN GUI icon in the system tray and click Connect
    3. The log window opens and shows progress while the connection is being set up
    4. Once you're connected the OpenVPN GUI icon turns green and a pop-up shows the assigned IP
    Tunnelblick:
    1. Click the Tunnelblick icon in the menu bar and click Connect
    2. The status window shows progress while connecting
    3. Once you're connected the menu bar icon changes to its connected state
    Viscosity:
    1. Click the Viscosity icon in the menu bar and click Connect
    2. The connection status is shown while connecting (the bottom panel is only shown if you click Details)
    3. Once you're connected a pop-up appears
  4. After we have connected, let's double-check that our public IP has changed.
    Go to What Is My IP or who.is (AWS seems to be blocking who.is) to check your IP. It should now show the public IP of your EC2 instance rather than your own.

Note: To allow more than one user on your VPN server, create a separate set of keys and certificates for each of them rather than sharing user.key around: change 'user' in the command in step 1 of the Keys & Certificates section to any name you like (e.g. user1, user2) and follow the steps to the end of the VPN Client Configuration section. Each name must be unique, as easy-rsa refuses to sign a second certificate with the same Common Name.

If your IP changed then you have successfully created and accessed your VPN server. Well done! Go ahead and enjoy your personal and free (if you're using the AWS free tier) VPN service with your friends.
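Copying three files out of nano by hand (step 2 of Keys & Certificates) is error-prone, and a single .ovpn with the certificates embedded inline is something all three clients above import directly. The script below is an added example, not code from the original guide or from the OpenVPN project. It assumes the easy-rsa 2 layout used above (/etc/openvpn/easy-rsa/keys/NAME.crt, NAME.key and ca.crt) and is run as root on the server; it substitutes remote-cert-tls server for the ns-cert-type server line in the page's client file, which performs the same server-certificate check (easy-rsa 2's build-key-server sets the extendedKeyUsage it looks for) and is still supported in OpenVPN 2.5 and later. The profile name, host name and PEM contents used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide. Builds one single-file client
# profile (CA, client cert and client key embedded inline) for a named user,
# so nothing has to be copied out of nano by hand. Assumes the easy-rsa 2
# layout from the guide; the path below is that assumption, not a standard.
set -eu

EASYRSA_DIR=/etc/openvpn/easy-rsa        # assumption: layout used in the guide

# pem_ok FILE TYPE: succeed only if FILE holds a complete PEM block of TYPE
# (CERTIFICATE or PRIVATE KEY), so a truncated or mixed-up file is caught
# before it is baked into a profile that would fail only at connect time.
pem_ok() {
  grep -q "^-----BEGIN .*$2-----" "$1" && grep -q "^-----END .*$2-----" "$1"
}

# pem_body FILE: print just the PEM block, dropping the human-readable
# certificate dump that easy-rsa 2 writes above it in .crt files.
pem_body() {
  sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

# make_ovpn NAME REMOTE PORT CA CERT KEY: write the unified profile to stdout.
# Mirrors the client file from the guide, with remote-cert-tls in place of the
# deprecated ns-cert-type option.
make_ovpn() {
  name=$1 remote=$2 port=$3 ca=$4 cert=$5 key=$6
  pem_ok "$ca" CERTIFICATE    || { echo "not a certificate: $ca" >&2; return 1; }
  pem_ok "$cert" CERTIFICATE  || { echo "not a certificate: $cert" >&2; return 1; }
  pem_ok "$key" "PRIVATE KEY" || { echo "not a private key: $key" >&2; return 1; }
  cat <<EOF
# OpenVPN client profile for $name
client
dev tun
proto tcp
remote $remote $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
<ca>
$(pem_body "$ca")
</ca>
<cert>
$(pem_body "$cert")
</cert>
<key>
$(pem_body "$key")
</key>
EOF
}

# Command-line use on the server: NAME PUBLIC_DNS PORT. Issues the client
# certificate first if it does not exist yet (same as ./build-key NAME).
if [ $# -eq 3 ]; then
  keys=$EASYRSA_DIR/keys
  if [ ! -f "$keys/$1.crt" ]; then
    (cd "$EASYRSA_DIR" && set +u && . ./vars && ./build-key "$1")
  fi
  make_ovpn "$1" "$2" "$3" "$keys/ca.crt" "$keys/$1.crt" "$keys/$1.key" > "$1.ovpn"
  chmod 600 "$1.ovpn"
  echo "wrote $1.ovpn: it contains the private key, so move it to the client over SCP only and delete it here afterwards" >&2
else
  echo "usage: $0 NAME PUBLIC_DNS PORT" >&2
fi
```

Run it once per person (sh make-ovpn.sh user1 Public_DNS 443, then user2, and so on); each run issues a new certificate under a distinct Common Name, which is exactly what the multi-user note above asks for. The resulting user1.ovpn is the only file the client needs, so the ca.crt/user.crt/user.key trio no longer has to be placed next to it.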

Comment below on your purpose of creating a VPN service or if you are facing any problems.

Credits

Adapted from Zane's OpenVPN guide for Windows Azure. If you want to find out how to run an OpenVPN server on an Azure virtual machine, have a look at his post: Zane's OpenVPN Community on Windows Guide
