This post continues my previous post about setting up OpenVPN Access Server in Amazon VPC. To make it easy to launch in an existing AWS VPC, I have put together a CloudFormation template that automates the process. You can find the template in my GitHub repository.
You will be able to set up an OpenVPN Access Server with the CloudFormation template in the CloudFormation Management Console.
Click the Create New Stack button to start the process.
Give the stack a name and specify where the template is located. The stack name is case-sensitive and has to be unique within your AWS account. It must start with a letter and can only contain alphanumeric characters; in other words, no spaces or special characters are allowed.
You will need to enter a few inputs to specify things like VPC ID, Subnet ID, Admin user name, password and the like.
Add optional tags to mark whatever resources that are created by the stack to help identify them.
The final step is to review and click the Continue button. The stack will be created and ready shortly. You should be able to get the OpenVPN server's URLs in the Outputs tab of the stack.
I am going to go through each section of the CloudFormation template. It consists of four sections:
The Parameters section defines the inputs that you will need to create the OpenVPN Access Server and related infrastructure components.
- Instance Type – Instance type for the OpenVPN Access Server
- VPC ID – ID of your VPC where the OpenVPN Access Server will be launched
- Subnet ID – ID of your Subnet where the OpenVPN Access Server will be launched
- Group Description – Security group description
- Admin User – Admin user name
- Admin Password – Admin user password
- Admin CIDR IP – IP block where you will be accessing the Admin portal
- Key Name – Keypair to ssh the OpenVPN Server’s console
The Mappings section defines which AMI should be used when launching the OpenVPN Access Server. It is essentially a mapping table between regions and AMIs, since each region uses a different AMI.
The Resources section consists of the resources that will be created in a specific order:
- SecurityGroup – A security group for the OpenVPN Access Server
- IPAddress – An Elastic IP for the OpenVPN Access Server
- Instance – The OpenVPN Access Server
- IPAssoc – An association between the elastic IP and the OpenVPN Access Server
The SecurityGroup resource defines the firewall rules for the OpenVPN Access Server in the VPC you have specified. The following are the minimum ports you will need:
- TCP 443 – Users log into the OpenVPN servers via this port.
- UDP 1192 – VPN connections are running through this port.
- TCP 943 – The Admin Portal listens on this port by default.
These ports can be changed in the OpenVPN Admin portal if needed.
The IPAddress resource allocates a public IP (elastic IP) which will be associated with the OpenVPN Access Server. Users will need to access the OpenVPN Access Server via this public IP.
The Instance resource launches the OpenVPN Access Server. Depending on the region in which you run the CloudFormation template, it selects the appropriate AMI from the Mappings section. It supplies the admin user name, initial password and public IP to the instance as user-data, so you no longer have to SSH to the OpenVPN Access Server console to run the initial configuration. Since user-data is stored in clear text and is readable from the instance, you probably want to change the password afterward.
The IPAssoc resource associates the public IP with the OpenVPN Access Server instance.
The Outputs section outputs a few things that you will need to access the OpenVPN Access Server after the stack is created:
- OpenVPN Server Admin Portal – The URL for the Admin portal
- OpenVPN Server URL – The URL for the server
- Group Name – The security group name