Instances in a VPC are not reachable from the Internet unless you associate an Elastic IP with them. If you don't want to expose your instances publicly, consider setting up an OpenVPN Access Server to create a VPN tunnel into the VPC and reach the instances through it. The server comes with 2 concurrent user licenses. In this post, I will show you how to set up an OpenVPN Access Server in Amazon VPC with the following few simple steps:
- Launch an OpenVPN Access Server Instance
- Run the Initial Configuration Tool
- Set up Network and VPN Settings
Launch an OpenVPN Access Server Instance
Go to the EC2 Management Dashboard and click the Launch Instance button to bring up the Create a New Instance window. Select AWS Marketplace and type OpenVPN into the search box.
Once you click the Go button, you should see OpenVPN Access Server in the results. Click the OpenVPN Access Server title to proceed.
It will give you more details about the OpenVPN Access Server. Select the region you would like to launch the OpenVPN Access Server instance and click Continue button. In this demonstration, I have selected US West (Northern California).
It will select Standard Small (m1.small) by default as the EC2 Instance Type. You can change it to Standard Micro (t1.micro), which is sufficient. Select the VPC and Subnet you would like to use. I highly recommend launching it in a VPC: that gives you the option to change security groups after launch, whereas in EC2-Classic you are stuck with the security group assignment made at launch time. Make sure you supply a key pair. Amazon will install the public key on the instance, and you will need the private key to SSH into the instance to do the additional setup later on.
Click the Launch with 1-Click button to proceed. If you don't see the VPC Settings section, use the Launch with EC2 Console option instead; I have seen the VPC Settings section fail to show up occasionally lately.
Run the Initial Configuration Tool
It will take 10-15 minutes for the instance to be ready. Wait until the Status Checks column changes from initializing to 2/2 checks passed. In the meantime, allocate an Elastic IP and associate it with the OpenVPN Access Server instance; you can do that in the Elastic IPs section of the EC2 Management Console. See Getting Started with Amazon VPC to learn more.
You will need to SSH into the instance with the key pair you supplied in order to run the OpenVPN Access Server Initial Configuration Tool. The user associated with the key pair is root, so in your SSH client log in as root@[public IP of your OpenVPN Access Server], passing the private key.
For example (203.0.113.10 is a documentation address standing in for your Elastic IP, and my-keypair.pem for your private key file): ssh -i my-keypair.pem root@203.0.113.10
The tool will start automatically and prompt you with the list of questions below. You can mostly press Enter to accept the default, except for the first question, the license agreement, where you have to type yes to proceed.
- Please enter ‘yes’ to indicate your agreement [no]: yes
- Will this be the primary Access Server node? yes
- Please specify the network interface and IP address to be used by the Admin Web UI: 2
- Please specify the port number for the Admin Web UI: 943
- Please specify the TCP port number for the OpenVPN Daemon: 443
- Should client traffic be routed by default through the VPN? yes
- Should client DNS traffic be routed by default through the VPN? yes
- Use local authentication via internal DB? no
- Should private subnets be accessible to clients by default? yes
- Do you wish to login to the Admin UI as “openvpn”? yes
- Please specify your OpenVPN-AS license key (or leave blank to specify later):
Once the initial configuration is complete, set the password for the admin user. If you kept the default admin user name, run passwd openvpn; otherwise replace openvpn with the admin user name you chose. This is the password you will use for the Admin web UI, so pick a strong one.
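The ports chosen in the questions above (Admin UI on TCP 943, OpenVPN daemon on TCP 443, plus the default UDP 1194 listener) and the SSH access used for setup all have to be opened in the instance's security group, and SSH and the Admin UI should only be reachable from where you administer. The script below is an added example, not part of the original post or of the OpenVPN Access Server product: it prints the rules it would create, refuses to open SSH or the Admin UI to 0.0.0.0/0, and only calls the AWS CLI when APPLY=1. SG_ID and ADMIN_CIDR are placeholders (the CIDR is a documentation address) to be replaced with your own values.

```shell
#!/bin/sh
# Added example (not from the original post): security-group ingress rules
# for the OpenVPN Access Server instance, matching the ports chosen in the
# initial configuration. Assumed placeholders:
#   SG_ID      - the instance's security group (replace with yours)
#   ADMIN_CIDR - the network you administer from (keep it narrow)
# Nothing is sent to AWS unless APPLY=1, so the output can be reviewed first.

SG_ID="${SG_ID:-sg-0123456789abcdef0}"      # assumption: replace with your group id
ADMIN_CIDR="${ADMIN_CIDR:-198.51.100.7/32}" # assumption: documentation address

# Print one rule per line: <protocol> <port> <source CIDR> <purpose>
sg_rules() {
    admin="$1"
    printf '%s\n' \
        "tcp 22 $admin ssh-for-initial-setup" \
        "tcp 943 $admin admin-web-ui" \
        "tcp 443 0.0.0.0/0 openvpn-tcp-daemon" \
        "udp 1194 0.0.0.0/0 openvpn-udp-daemon"
}

# Translate each rule into the aws-cli call that creates it.
sg_commands() {
    sg_rules "$2" | while read -r proto port cidr purpose; do
        printf 'aws ec2 authorize-security-group-ingress --group-id %s --protocol %s --port %s --cidr %s # %s\n' \
            "$1" "$proto" "$port" "$cidr" "$purpose"
    done
}

# Fail (non-zero) if SSH or the Admin UI would be exposed to the whole Internet.
sg_rules_are_safe() {
    sg_rules "$1" | awk '$2 == 22 || $2 == 943 { if ($3 == "0.0.0.0/0") bad = 1 } END { exit bad }'
}

if sg_rules_are_safe "$ADMIN_CIDR"; then
    if [ "${APPLY:-0}" = 1 ]; then
        sg_commands "$SG_ID" "$ADMIN_CIDR" | sh -e
    else
        echo "# dry run; set APPLY=1 to send these rules to AWS:"
        sg_commands "$SG_ID" "$ADMIN_CIDR"
    fi
else
    echo "refusing: SSH or Admin UI would be open to 0.0.0.0/0" >&2
    exit 1
fi
```

The private instances you want to reach through the tunnel need their own rule allowing traffic from the Access Server (by its security group or private address), which is the point made at the end of this post; the rules above only cover what the Access Server itself must accept.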
Set up Network and VPN Settings
You will need to log into the Admin web UI to make a few more updates; then you are good to go. The Admin web UI is at https://[public IP of your OpenVPN Access Server]:943/admin.
For example: https://203.0.113.10:943/admin (203.0.113.10 stands in for your Elastic IP). Your browser will warn about the self-signed certificate the server generates at install time; that is expected on a fresh install.
On the Admin web UI, update Hostname or IP Address to the public IP of your OpenVPN Access Server under Configuration > Server Network Settings. Then click Save Settings button which is located at the bottom of the page.
Whenever you make any changes to the settings, you will need to click Update Running Server button to apply it. The button is on the top of the page after you make the changes.
If you have any subnets or networks that you want to reach through your OpenVPN Access Server but they are not listed in the Routing section under Configuration > VPN Settings, you will need to add them there. Once again, click Save Settings and then Update Running Server to apply the changes. In the screenshot below, I have 10.10.0.0/16 and 10.20.0.0/16. The 10.10.0.0/16 entry was added by the system automatically, because the OpenVPN Access Server itself sits in the 10.10.0.0/16 network; I only had to add 10.20.0.0/16 manually.
Another setting you may want to review is User Authentication under Authentication > General, where you set the preferred authentication method. By default it uses PAM, which authenticates against the underlying operating system (Linux). So, to add a user who can connect to the OpenVPN Access Server, add the user on the Linux console and set the password there.
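Because PAM authentication means every VPN user is a Linux account on the Access Server, the account should get a no-login shell so the same credentials cannot be used to SSH into the box. The script below is an added example, not code from the original post or from OpenVPN: it validates the user name, creates the account with the system's nologin shell, takes the password on stdin (so it never shows up in argv or ps), and checks the result. Run it as root on the Access Server; with DRY_RUN=1 it only prints what it would do.

```shell
#!/bin/sh
# Added example (not from the original post): create a PAM-authenticated VPN
# user on the Access Server with a shell that refuses interactive logins.
# Usage: printf '%s\n' 'the-password' | ./add_vpn_user.sh alice   (as root)
#        DRY_RUN=1 ./add_vpn_user.sh alice                           (print only)

# nologin lives in /usr/sbin on Debian/Ubuntu and /sbin on RHEL-style systems.
NOLOGIN="$(command -v nologin 2>/dev/null || echo /usr/sbin/nologin)"

# Accept only conservative names: lowercase, digits, ._-, up to 32 chars,
# and never an account that already carries privileges on the server.
valid_vpn_user() {
    case "$1" in
        ''|root|openvpn) return 1 ;;
    esac
    [ "${#1}" -le 32 ] || return 1
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9._-]*$'
}

# Create the account and set its password from one line on stdin.
add_vpn_user() {
    name="$1"
    valid_vpn_user "$name" || { echo "invalid user name: $name" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "useradd --create-home --shell $NOLOGIN $name"
        echo "chpasswd   # reads '$name:<password>' on stdin"
        return 0
    fi
    useradd --create-home --shell "$NOLOGIN" "$name" || return 1
    read -r pw
    printf '%s:%s\n' "$name" "$pw" | chpasswd
}

# Post-check: the account exists and its login shell is nologin or /bin/false.
vpn_user_locked_out() {
    getent passwd "$1" | awk -F: 'NR == 1 { found = 1; ok = ($7 ~ /nologin$|\/false$/) } END { exit !(found && ok) }'
}

if [ $# -ge 1 ]; then
    add_vpn_user "$1" && vpn_user_locked_out "$1"
fi
```

After creating the account, verify it from a client by connecting with the new credentials, and confirm that an SSH attempt with the same credentials is rejected.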
At this point, you should be able to reach instances in the 10.10.0.0/16 and 10.20.0.0/16 networks, assuming their security groups allow connections from your OpenVPN Access Server.