This blog post will explain the process for setting up a client to site connectivity on AWS. This allows you to connect to your AWS resources from anywhere using a VPN client. There are several ways to do this but this post shows you one of the quickest ways to do it using a pre-built community image by OpenVPN available in AWS.

AWS Marketplace

AWS Marketplace is a great place to find pre-built solutions created by AWS ISVs or enthusiasts for the benefit of the wider community. The offerings range from commercial and community AMIs and SaaS products to Reserved Instances for sale. While some carry software costs, which are built into the hourly charges, others charge nothing beyond the cost of running the EC2 instances.

The setup

The following is an overview diagram of my setup. Note that this post does not cover a high-availability (HA) setup, although it is possible to extend it further by running the instances in multiple AZs.

[Diagram: VPCVPNSetup]

In our VPC we have public and private subnets: the public subnet holds the OpenVPN instance and the private subnet holds the web server (server 1). This configuration separates public and private traffic by terminating all internet traffic at the public subnet layer. It is possible to put your internal instances in the same public subnet as your VPN instance, but the model above provides more isolation.

The steps

To configure your VPN, perform the following:

Create a VPC

  • VPC range: 172.16.0.0
  • Public subnet:
    • Contains the VPN EC2 instance
    • Create an internet gateway
    • Attach the internet gateway to the public subnet
    • Route to the internet using Internet gateway
  • Private subnet:
    • A Windows 2012 server with IIS enabled
    • Route to the public subnet

Create a new openVPN image

  • Launch a new instance and select AWS Marketplace

[Screenshot: AWSMarketplace]

  • Search for OpenVPN

[Screenshot: OpenVPNAMI]

  • Assign the server to the public subnet and an Elastic IP
  • Security Group should have the following services opened:
    • SSH
    • HTTP
    • HTTPS
    • TCP 943
    • UDP 1194
    • ICMP

Create a new Windows Server machine in the private subnet

[Screenshot: Win2012AMI]

  • Assign the server to the private subnet and an elastic IP (the Elastic IP will later be removed)
  • Security Group should have the following services opened:
    • HTTP
    • HTTPS
    • ICMP
  • Connect to your Windows server, open a PowerShell window and enter the following command to install IIS:

```powershell
Install-WindowsFeature web-server,web-mgmt-console
```

Disable source/dest check on the VPN server – this is required so that the instance can forward communications via the VPN tunnel

[Screenshot: SourceDestCheck]
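
As an added example (this is not from the original post, nor an OpenVPN or AWS template), here is the VPC, routing, security group and instance layout from the steps above expressed as a CloudFormation template, so the environment can be created and torn down repeatably rather than clicked through. It assumes a /16 mask on the 172.16.0.0 range and the subnet CIDRs 172.16.10.0/24 and 172.16.11.0/24 (taken from the addresses that appear in the transcript and the test step below), uses placeholder AMI IDs and key pair name that you must supply, and picks an instance size the post does not state. Two things are tightened relative to the post: SSH and the port 943 UI are limited to an admin CIDR parameter, and the web server’s security group only accepts traffic from the VPN server’s security group (which works because Access Server NATs client traffic to private subnets by default, the answer taken in the transcript). The Windows server never receives an Elastic IP, so the later "remove the Elastic IP" step is not needed.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example (not from the original post) - VPC, subnets, routing, security groups and the two instances.

Parameters:
  OpenVpnAmiId:
    Type: AWS::EC2::Image::Id        # placeholder: the OpenVPN Access Server Marketplace AMI for your region
  WindowsAmiId:
    Type: AWS::EC2::Image::Id        # placeholder: a Windows Server 2012 AMI for your region
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName # placeholder: an existing EC2 key pair
  AdminCidr:
    Type: String
    Default: 0.0.0.0/0               # assumption: replace with your own public IP/32 before deploying

Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 172.16.0.0/16       # assumption: /16 mask on the post's 172.16.0.0 range
  PublicSubnet:                      # hosts the VPN server (172.16.10.x in the post's transcript)
    Type: AWS::EC2::Subnet
    Properties: {VpcId: !Ref Vpc, CidrBlock: 172.16.10.0/24}
  PrivateSubnet:                     # hosts the web server (172.16.11.151 in the post's test)
    Type: AWS::EC2::Subnet
    Properties: {VpcId: !Ref Vpc, CidrBlock: 172.16.11.0/24}
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  GatewayAttachment:                 # "Attach the internet gateway"
    Type: AWS::EC2::VPCGatewayAttachment
    Properties: {VpcId: !Ref Vpc, InternetGatewayId: !Ref InternetGateway}
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties: {VpcId: !Ref Vpc}
  PublicDefaultRoute:                # "Route to the internet using Internet gateway"
    Type: AWS::EC2::Route
    DependsOn: GatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  PublicSubnetAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties: {SubnetId: !Ref PublicSubnet, RouteTableId: !Ref PublicRouteTable}

  # The private subnet stays on the VPC's main route table, whose only entry is the
  # implicit local route: it reaches the public subnet but has no path to the internet.

  VpnSecurityGroup:                  # the six services the post opens on the VPN server
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: OpenVPN Access Server
      VpcId: !Ref Vpc
      SecurityGroupIngress:
        - {IpProtocol: tcp,  FromPort: 22,   ToPort: 22,   CidrIp: !Ref AdminCidr}  # SSH, admin source only
        - {IpProtocol: tcp,  FromPort: 80,   ToPort: 80,   CidrIp: 0.0.0.0/0}       # HTTP
        - {IpProtocol: tcp,  FromPort: 443,  ToPort: 443,  CidrIp: 0.0.0.0/0}       # HTTPS / OpenVPN TCP daemon
        - {IpProtocol: tcp,  FromPort: 943,  ToPort: 943,  CidrIp: !Ref AdminCidr}  # admin and client web UI
        - {IpProtocol: udp,  FromPort: 1194, ToPort: 1194, CidrIp: 0.0.0.0/0}       # OpenVPN UDP
        - {IpProtocol: icmp, FromPort: -1,   ToPort: -1,   CidrIp: 0.0.0.0/0}       # ICMP
  WebSecurityGroup:                  # HTTP, HTTPS and ICMP, but only from the VPN server (tightened vs. the post)
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Private IIS server reachable through the VPN only
      VpcId: !Ref Vpc
      SecurityGroupIngress:
        - {IpProtocol: tcp,  FromPort: 80,  ToPort: 80,  SourceSecurityGroupId: !Ref VpnSecurityGroup}
        - {IpProtocol: tcp,  FromPort: 443, ToPort: 443, SourceSecurityGroupId: !Ref VpnSecurityGroup}
        - {IpProtocol: icmp, FromPort: -1,  ToPort: -1,  SourceSecurityGroupId: !Ref VpnSecurityGroup}

  VpnInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref OpenVpnAmiId
      InstanceType: t2.micro         # assumption: the post does not name an instance size
      KeyName: !Ref KeyName
      SubnetId: !Ref PublicSubnet
      SecurityGroupIds: [!Ref VpnSecurityGroup]
      SourceDestCheck: false         # the "Disable source/dest check" step: needed for an instance that routes or NATs client traffic
  VpnElasticIp:                      # the Elastic IP the post assigns to the VPN server
    Type: AWS::EC2::EIP
    DependsOn: GatewayAttachment
    Properties: {Domain: vpc, InstanceId: !Ref VpnInstance}
  WebInstance:                       # no Elastic IP at all: it is reached only over the VPN
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref WindowsAmiId
      InstanceType: t2.micro         # assumption, as above
      KeyName: !Ref KeyName
      SubnetId: !Ref PrivateSubnet
      SecurityGroupIds: [!Ref WebSecurityGroup]
      UserData:                      # the post's IIS install command, run once at first boot
        Fn::Base64: |
          <powershell>
          Install-WindowsFeature web-server,web-mgmt-console
          </powershell>

Outputs:
  VpnPublicIp:  {Value: !Ref VpnElasticIp}            # address to point the OpenVPN client at
  WebPrivateIp: {Value: !GetAtt WebInstance.PrivateIp} # address to browse to once the tunnel is up
```

Deploy it with `aws cloudformation deploy --template-file vpn.yaml --stack-name vpn --parameter-overrides OpenVpnAmiId=... WindowsAmiId=... KeyName=... AdminCidr=...`; no IAM resources are created, so no extra capabilities are required. The stack only builds the infrastructure: the first-login prompts in the next section, the password reset and the admin UI subnet settings still have to be done by hand.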

Setup the VPN server

  • I used PuTTY to connect to the VPN machine (download). Right-click the instance in EC2, select “Connect” and follow the instructions to connect
  • The following is a snippet of the OpenVPN prompts and their answers when you log on for the first time:

```
Please enter 'yes' to indicate your agreement [no]: yes

Once you provide a few initial configuration settings,
OpenVPN Access Server can be configured by accessing
its Admin Web UI using your Web browser.

Will this be the primary Access Server node?
(enter 'no' to configure as a backup or standby node)
Press ENTER for default [yes]: yes

Please specify the network interface and IP address to be
used by the Admin Web UI:
(1) all interfaces: 0.0.0.0
(2) eth0: 172.16.10.121
Please enter the option number from the list above (1-2).
Press Enter for default [2]:

Please specify the port number for the Admin Web UI.
Press ENTER for default [943]:

Please specify the TCP port number for the OpenVPN Daemon
Press ENTER for default [443]:

Should client traffic be routed by default through the VPN?
Press ENTER for default [yes]:

Should client DNS traffic be routed by default through the VPN?
Press ENTER for default [yes]:

Use local authentication via internal DB?
Press ENTER for default [no]:

Private subnets detected: ['172.16.10.0/24']

Should private subnets be accessible to clients by default?
Press ENTER for default [yes]:

To initially login to the Admin Web UI, you must use a
username and password that successfully authenticates you
with the host UNIX system (you can later modify the settings
so that RADIUS or LDAP is used for authentication instead).

You can login to the Admin Web UI as "openvpn" or specify
a different user account to use for this purpose.

Do you wish to login to the Admin UI as "openvpn"?
Press ENTER for default [yes]:

Please specify your OpenVPN-AS license key (or leave blank to specify later):

Initializing OpenVPN...
Adding new user login...
useradd -s /sbin/nologin "openvpn"
Writing as configuration file...
Perform sa init...
Wiping any previous userdb...
Creating default profile...
Modifying default profile...
Adding new user to userdb...
Modifying new user as superuser in userdb...
Getting hostname...
Hostname: ip-172-16-10-121
Preparing web certificates...
Getting web user account...
Adding web group account...
Adding web group...
Adjusting license directory ownership...
Initializing confdb...
Generating init scripts...
Generating PAM config...
Generating init scripts auto command...
Starting openvpnas...

NOTE: Your system clock must be correct for OpenVPN Access Server
to perform correctly. Please ensure that your time and date
are correct on this system.

Initial Configuration Complete!

You can now continue configuring OpenVPN Access Server by
directing your Web browser to this URL:

https://172.16.10.121:943/admin
Login as "openvpn" with the same password used to authenticate
to this UNIX host.

During normal operation, OpenVPN AS can be accessed via these URLs:
Admin UI: https://172.16.10.121:943/admin
Client UI: https://172.16.10.121:943/
```

  • Reset the password of the openvpn user:

```
user@ip-172-16-10-121:~# passwd openvpn
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
```

  • Log on to the OpenVPN admin UI from your Windows machine and verify that your credentials work: https://172.16.10.121:943/admin

[Screenshot: openVPNLogin]

    • Go to VPN Settings, allow access to the private subnet and remove access to the public subnet

[Screenshot: PrivSubnet]

    • Click Save Settings
    • Click Update Running Server
  • Once you have completed the above tasks, remove the Elastic IP address assigned to your EC2 web server

Test your new VPN server

  • From your own desktop machine, download and install an appropriate OpenVPN client: http://openvpn.net/index.php/access-server/download-openvpn-as-sw/357.html
    • Connect to your VPN server and accept the security certificate when prompted

[Screenshots: OpenVPNClient, OpenVPNClient1]

    • Open a command prompt and confirm connectivity: you should not be able to ping the VPN server’s private IP, as intended, since access to the public subnet was removed

[Screenshot: testVPN]

    • Ping the web server, confirm that ICMP is working

[Screenshot: testVPN1]

  • Open a browser on your desktop and browse to http://172.16.11.151

[Screenshot: testVPN2]

That’s it

This should be all that’s needed to set up a VPN connection to your AWS environment. The OpenVPN AS license allows two concurrent connections at a time; additional licenses can be purchased from the OpenVPN site (link). You should consider locking down the environment if you plan to use it for production, e.g. creating a different user in the OpenVPN console, applying ACLs at the subnet level, restricting the security groups even further, or running VPN instances in multiple Availability Zones for a high-availability configuration.

With the recent OpenSSL vulnerability, ensure that your version of OpenVPN AS is updated to 2.0.6 – details are available here

Category:
Amazon Web Services, Cloud Infrastructure

Comments (21)

  1. If I create the Windows VM in the private subnet and attach an Elastic IP, I can’t connect to that machine… how do I solve this?

    • There are different ways, but one way to connect to your instance in the private subnet is by way of a bastion host or remote desktop gateway in the public subnet. This RDG needs an Elastic IP attached and the internet gateway set up as its default gateway. From the bastion host you will then be able to connect to your private instances. With this approach, you shouldn’t need to attach an EIP on the private instance.

  2. Once I have a VPN server set up and use AWS to attach it as a gateway to my VPC, is there any impact to existing instances in a public subnet? Would I still be able to connect to them without connecting to the VPN first or does the VPN block all access to anything in the VPC?

    Also is there value in hosting production servers in a private subnet vs the default public one? Would that block their ability to communicate to the outside world, e.g. making an API call to some other company’s service?

    • If you set up a VPN server as a gateway in the public subnet, it will affect instances in the public subnet. Rather than setting your VPN as the default gateway (0.0.0.0/0), you can restrict it further to your on-prem network, e.g. 192.168.1.0/24. This way it will allow public instances to communicate publicly. If you require a site-to-site VPN, more often I would recommend using a hardware VPN as it provides more stability. http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html

      The main difference between a private and a public subnet is whether an internet gateway is employed. Depending on your spec. requirement, best practice is to use a NAT on the public subnet to be used by instances in the private subnet (via a route table). For instances that are accessed publicly, place them on the public subnet, e.g. web servers, and vice versa for private instances: deploy them onto the private subnet, e.g. app or DB servers.

      The inherent benefit of this model is that your instances are segregated from a security standpoint without affecting the ability of private instances to access the internet via NAT (but not necessarily allowing them to be accessed from outside).

      Regards.

  3. We have a single public web server on one instance and that’s it. Does it make sense to even enable VPC for this configuration?

    If we did do it, and decided to launch a new instance specifically for OpenVPN Access Server so we could secure access to the web server, what’s the minimum spec AMI we could get away with while still ensuring good performance?

    • Hi, if you just need one web server for serving websites then I would recommend using a PaaS solution; Azure Websites is an example. You no longer need to maintain the underlying server, and there are ways to administer the websites (note you have no access to the underlying OS).

      Should you feel the need to go down the server route, then I still recommend VPC as it’s now the default in AWS anyway and you will accommodate future growth.

      In terms of the size of the OpenVPN server, it depends on the scenario: how many people may log in, how much data you plan to pump into the web server, etc. I suggest starting with the smallest instance and upgrading to a higher instance type as needed.

      • Thanks for the reply. Sorry, I didn’t really provide enough information here initially. We are an existing AWS customer and have had 1 EC2 M1 image for a number of years. Today we just use standard EC2 classic security with sec groups. It’s time to upgrade for us to a newer generation instance and we noticed that some instances are only available under VPC for some reason, hence the reason we are looking at it.

        So the question is more about: if we’re already committed to AWS and plan to launch a new instance with VPC, what’s the easiest, most cost-effective way to administer the instance, assuming we need periodic RDP access to the instance and such? It seems like a waste to spin up a second instance just to act as a VPN server (we’d prefer not to put any non-core software on the web server), but maybe that’s the only option?

        As a side note, I had hoped there was a way to use VPN client software to talk directly to Amazon VPC to get access that way, but it appears that’s not possible.

      • VPN may be a little excessive for such a scenario, but I wouldn’t use the web server as the terminal server either if you can avoid it. Once you have a VPC, you could for example spin up a ‘secure’ bastion host and have it scheduled to only be up for the day and shut down after hours to save costs. If you want to be more adventurous, you could script up the environment using CloudFormation, which will save more costs as you would literally destroy and re-create the bastion host on demand.

  4. Hello, I am somehow new to AWS; I am trying to learn as quickly as I can. I have two servers hosted on different platforms (AWS and Azure) and I want to be able to connect these two servers together for log shipping using a VPN. Any takers on how to go about this?
    Thanks

  5. Hello,

    I would like to know how to allow users to access a file server or their shares using OpenVPN?

    • This is definitely possible with the Microsoft Routing and Remote Access role. I just finished working on a similar project. Let me know when you decide to head that way and I can share my experience with you.

      • Hi Dawarlord, can you please help? I am trying to set up Windows RRAS on an instance, then connect to the VPC from the LAN, sending data from one PC through the instance and back to another PC; both PCs are on the uni campus. The instance has 2 NIC cards to route.

  6. I have the following AWS configuration:
    1. EC2 instance in public subnet which has supervisor (Process Control System on Unix) on it
    2. OpenVPN server in the same public subnet

    I want to access the monitoring link of the supervisor from VPN clients. I have followed the same steps as mentioned here. The only difference is that the machine which I want to access via VPN is in public subnet rather than private subnet.

    I tried the setup of OpenVPN server in public subnet and the EC2 machine with supervisor process in private subnet and the VPN setting: “Should VPN clients have access to private subnet” is set as “Yes via NAT”. This works perfectly fine.

    But, I want to have access to the services running in the public subnets via VPN.
    Note: The EC2 machine with supervisor process is in public subnet but the security group does not allow access from anywhere. Currently, I am specifying it to be accessed via OpenVPN server.

    Thanks in advance.

  7. Hi,
    I am trying to connect my local system to EC2 in a VPC without any VPN clients like OpenVPN. I followed the link below from AWS: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html. I am using Fortinet as the firewall on my local side. I downloaded the configuration and set it up. But I am not able to connect or ping the EC2 instance from my local instance. I configured All ICMP – IPv4 in my instance security group.

    Looking forward to your valuable comments.

    Thanks in advance.

  8. I want my EC2 instance to communicate with an on-premises client machine. After configuring OpenVPN, will it communicate both ways, between EC2 and the on-premises client machine?
