Sign up for Amazon AWS. I won’t go into detail on this because there are many tutorials out there already.

Amazon entices new users with a free tier, so if you don't have an AWS account already you can run this VPN server for free!

After you have set up your AWS account, log in to AWS and go to the EC2 console.


Click Launch Instance to start up a virtual machine. The disk image an instance boots from is called an AMI (“Amazon Machine Image”). We’ll be using Ubuntu, so I browsed the community AMIs and found one that runs Ubuntu 9.1 32-bit server. The ID for this AMI is “ami-4205e72b”; you can search for that ID among the Community AMIs that others have published. Bear in mind that a community AMI is built by a third party and everything baked into it (accounts, keys, cron jobs) will run on your VPN server, so prefer images published by Canonical where one is available. Click the Select button.


Next, you need to configure the machine. It runs just fine as a “micro” instance, which has the added benefit of qualifying for Amazon’s free tier (if your AWS account is less than a year old). Choose “micro”, accept the other defaults and press Continue.


Just click Continue at the next screen, which lets you configure a RAM disk and Kernel ID.

You can give your VM a name, which is very helpful when you have lots of them running at a time.


Next, you need to configure a public/private key pair for SSH connectivity. Choose “create key pair” unless you already have one; the same key pair can be used for multiple VMs. Give your key pair a name and click to download your private key, a .PEM file. This file is the only credential for logging in to the instance, so keep it where only you can read it and never check it into a repository.


You need to set up a security group for your VM, which controls the ports that will be open or closed. I called mine “VPN Security” and opened these ports: OpenVPN (UDP 1194, matching proto udp in the server config later on) and SSH (TCP 22). I also had TCP and UDP 500 and UDP 4500 open; those are IKE/IPsec ports that OpenVPN does not use, so leave them closed. If you can, limit the source of the SSH rule to your own address instead of 0.0.0.0/0.


Then click Launch to start your machine! After a few seconds you will be able to see the machine as RUNNING in the Instances portion of the control panel:


Next we will add an “Elastic IP” to our server. This is a static address that does not change when the instance is stopped and started, and it is free as long as it stays associated with a running instance. The AWS dashboard lists the running instances, snapshots and elastic IPs; click on the “Elastic IPs” link.


In the Elastic IP dashboard, all the available elastic IPs are listed.  Click on the “Allocate New Address” button to add the elastic IP for that region.


Select whether you want the elastic IP for EC2 or VPC. Select “EC2” and click on “Yes, Allocate”.


AWS will provide an elastic IP address to the user’s account for that region.


Then we will associate the address with the instance: select your instance and click “Yes, Associate”.


Next, we’ll use PuTTY to SSH into our running VM and get a shell prompt. Before we can do that, we need to convert our .PEM key into a .PPK key that PuTTY can use. Launch the PuTTYgen utility that comes with PuTTY, load your private .PEM key (choose “All Files” in the file dialog so that .PEM files are shown), then click Save Private Key. You can set a passphrase, which protects the key if the .PPK file is ever copied; I just skipped this (thus answering YES to the prompt). Now you have a .PPK key file.


Start PuTTY, enter the Elastic IP of your VM as the host name and point it at your .PPK key for authentication (under Connection | SSH | Auth). Click Open to connect. PuTTY will warn that the server’s host key is not cached. Before accepting it, compare the fingerprint with the one in the instance’s console output (Get System Log in the EC2 console), where the Ubuntu image prints the SSH host key fingerprints it generated at first boot; that is the only way to know on the first connection that you are talking to your own instance and not to something in between. Enter the login name “ubuntu” and you should connect:

Once you have a shell, install OpenVPN, enable IP forwarding and add the NAT rule that lets client traffic leave through the instance’s interface:

sudo apt-get update
sudo apt-get upgrade -y
sudo apt-get install -y openvpn
sudo modprobe iptable_nat
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A POSTROUTING -s 10.4.0.0/24 -o eth0 -j MASQUERADE

The source in the MASQUERADE rule is the VPN client pool, 10.4.0.0/24 (the range handed out by server 10.4.0.0 255.255.255.0 in the server config below), so that only VPN clients are NATed through the instance. Neither the ip_forward setting nor the iptables rule survives a reboot: add net.ipv4.ip_forward=1 to /etc/sysctl.conf and re-add the rule at boot (for example from /etc/rc.local).
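The forwarding and NAT step decides whose traffic the instance will relay, and a mistyped mask silently turns the gateway into an open NAT for a quarter of the IPv4 space (a source of 10.4.0.1/2 is stored by the kernel as 0.0.0.0/2). The script below is an added example and not part of the original post. It assumes the 10.4.0.0/24 pool and eth0 (both overridable through VPN_NET and WAN_IF), wraps the step in an idempotent apply mode that also makes forwarding persistent, and has a pure check, nat_dump_ok, that can be run against any iptables-save dump to confirm that exactly one correctly scoped MASQUERADE rule exists:

```shell
#!/bin/sh
# vpn-nat.sh: make the forwarding/NAT step repeatable and verifiable.
# Added example, not from the original post. Assumes the 10.4.0.0/24 client
# pool that server.conf hands out and eth0 as the outside interface; override
# with VPN_NET / WAN_IF in the environment.
set -u

VPN_NET="${VPN_NET:-10.4.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# nat_rule: the single rule the gateway needs, in iptables-save syntax.
nat_rule() {
    printf '%s\n' "-A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE"
}

# forwarding_on TEXT: succeeds if TEXT (the contents of
# /proc/sys/net/ipv4/ip_forward) is exactly "1".
forwarding_on() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# nat_dump_ok DUMP: check an "iptables-save -t nat" dump. Succeeds only if the
# expected MASQUERADE rule is present and no other POSTROUTING MASQUERADE rule
# exists. A rule with a wider source (the typo 10.4.0.1/2 is stored as
# 0.0.0.0/2) or with no -s at all would NAT packets that did not come from
# VPN clients, so it is reported as an error.
nat_dump_ok() {
    rules=$(printf '%s\n' "$1" | grep '^-A POSTROUTING .*-j MASQUERADE' || true)
    if [ -z "$rules" ]; then
        echo "no MASQUERADE rule in POSTROUTING" >&2
        return 1
    fi
    extra=$(printf '%s\n' "$rules" | grep -v -F -x -e "$(nat_rule)" || true)
    if [ -n "$extra" ]; then
        printf 'unexpected MASQUERADE rule(s):\n%s\n' "$extra" >&2
        return 1
    fi
    printf '%s\n' "$rules" | grep -q -F -x -e "$(nat_rule)"
}

# apply_nat: enable forwarding now and across reboots, then add the rule only
# if the live dump does not already pass nat_dump_ok, and verify afterwards.
apply_nat() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf \
        || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
    modprobe iptable_nat
    nat_dump_ok "$(iptables-save -t nat)" 2>/dev/null \
        || iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
    nat_dump_ok "$(iptables-save -t nat)"
}

case "${1:-}" in
    apply)
        [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
        if apply_nat; then echo "forwarding and NAT configured"; else exit 1; fi ;;
    check)
        forwarding_on "$(cat /proc/sys/net/ipv4/ip_forward)" \
            || { echo "ip_forward is off" >&2; exit 1; }
        if nat_dump_ok "$(iptables-save -t nat)"; then echo "NAT rule OK"; else exit 1; fi ;;
    *)
        ;;  # no argument: only define the functions (so the file can be sourced)
esac
```

Run `sudo sh vpn-nat.sh apply` once after installing OpenVPN and `sh vpn-nat.sh check` whenever you want to confirm the gateway still only NATs the VPN pool; the check fails loudly on an over-broad rule rather than just reporting that "a" MASQUERADE rule exists.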

Next we will generate certificates for the server. To do this I will set up my own Certificate Authority using the easy-rsa scripts shipped with the package in /usr/share/doc/openvpn/examples/easy-rsa/. An alternative is the graphical program tinyca.

  • Copy the scripts to the /etc/openvpn/easy-rsa/ directory
    sudo mkdir /etc/openvpn/easy-rsa/
    sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
  • Edit /etc/openvpn/easy-rsa/vars
    sudo vi /etc/openvpn/easy-rsa/vars

    Change these lines at the bottom so that they reflect your new CA (the values end up in the subject of every certificate you issue):

    export KEY_COUNTRY="US"
    export KEY_PROVINCE="CA"
    export KEY_CITY="SanFrancisco"
    export KEY_ORG="Fort-Funston"
    export KEY_EMAIL="[email protected]"
  • Set up the CA and create the first server certificate. Run all of the following in the same shell session: vars only exports its variables into the shell that sources it, and pkitool reads them from the environment. ./clean-all wipes the keys/ directory, so run it only on this first pass.
    cd /etc/openvpn/easy-rsa/
    sudo chown -R root:admin .
    sudo chmod g+w .
    source ./vars
    ./clean-all
    ./build-dh
    ./pkitool --initca

If pkitool stops with “The correct version should have a comment that says: easy-rsa version 2.x”, it could not find an openssl.cnf in the easy-rsa directory. Link the template that matches the installed OpenSSL (check with openssl version; there is also an openssl-0.9.8.cnf) and try again:

sudo ln -s openssl-1.0.0.cnf openssl.cnf

Then build the server certificate and the tls-auth key, and copy everything OpenVPN needs into /etc/openvpn/:

./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../

server.key and ta.key are secrets: make sure the copies in /etc/openvpn/ are readable by root only, and do not copy them anywhere else.

The Certificate Authority is now set up and the files OpenVPN needs are in /etc/openvpn/. The CA’s own private key stays in /etc/openvpn/easy-rsa/keys/ca.key; anyone who obtains it can issue certificates this server will accept, so keep it readable by root only, or move the CA off the VPN server altogether.

Now let’s configure OpenVPN itself.

sudo vi /etc/openvpn/server.conf

and paste this into the file:

# Listen on UDP 1194, the port opened in the security group
port 1194
proto udp
dev tun
# Files copied into /etc/openvpn/ from easy-rsa
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
# HMAC on the control channel; the server is side 0, clients must use 1
tls-auth ta.key 0
# Client pool; the server itself takes 10.4.0.1. Must match the MASQUERADE rule (10.4.0.0/24)
server 10.4.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Send all client traffic through the tunnel
push "redirect-gateway def1"
# 10.4.0.1 is this server's tunnel address: clients only get working DNS if a
# resolver listens there (e.g. dnsmasq bound to tun0). Otherwise push a resolver
# that is reachable through the tunnel.
push "dhcp-option DNS 10.4.0.1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3

Now we can start the server:

sudo /etc/init.d/openvpn restart

Check /var/log/openvpn.log for “Initialization Sequence Completed”. As written, the daemon keeps running as root; adding user nobody and group nogroup to server.conf drops privileges once the tunnel is up, and persist-key and persist-tun are already set so that restarts keep working without them.

Generating Client Certificate and Key

Each client gets its own certificate, issued by the same CA:

cd /etc/openvpn/easy-rsa
source ./vars
./pkitool client-name

Note: if you get a 'TXT_DB error number 2' error you may need to specify a unique KEY_CN, for example: KEY_CN=client ./pkitool client. The CA refuses to issue a second certificate with a subject that is already recorded in keys/index.txt, so use a distinct name for every client; that is also what lets you revoke one client later without touching the others.
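The client still needs its certificate and key, ca.crt and ta.key, and a config that mirrors server.conf. The script below is an added example and not part of the original post: it packs the easy-rsa output for one client into a single .ovpn profile with inline <ca>/<cert>/<key>/<tls-auth> blocks (supported from OpenVPN 2.1), assuming the keys are in /etc/openvpn/easy-rsa/keys (overridable with KEYS_DIR) and taking the client name and the Elastic IP as arguments. It also sets remote-cert-tls server, which the config above does not mention: without it, any holder of a client certificate from this CA could pose as the server to other clients.

```shell
#!/bin/sh
# make-client-ovpn.sh: turn the easy-rsa output for one client into a single
# .ovpn profile matching the server.conf above. Added example, not from the
# original post. Assumes the keys live in /etc/openvpn/easy-rsa/keys
# (override with KEYS_DIR); client name and server address are arguments.
set -u

KEYS_DIR="${KEYS_DIR:-/etc/openvpn/easy-rsa/keys}"

# pem FILE: print only the PEM body of FILE. pkitool writes a human-readable
# certificate dump above the PEM block, and openvpn --genkey writes comment
# lines above the static key; neither belongs in an inline profile.
pem() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# make_client_ovpn NAME SERVER_IP: write the profile to stdout. Fails (exit 1)
# without printing anything if one of the four input files is missing, so a
# half-built profile is never handed to a user.
make_client_ovpn() {
    name="$1"
    server="$2"
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        if [ ! -r "$KEYS_DIR/$f" ]; then
            echo "missing $KEYS_DIR/$f" >&2
            return 1
        fi
    done
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Only accept a server whose certificate carries the TLS server extended key
# usage. pkitool --server set it on server.crt; plain client certificates lack
# it, so one client cannot impersonate the server to another.
remote-cert-tls server
# Must match the server: it uses "tls-auth ta.key 0", so the client is side 1.
key-direction 1
comp-lzo
verb 3
<ca>
$(pem "$KEYS_DIR/ca.crt")
</ca>
<cert>
$(pem "$KEYS_DIR/$name.crt")
</cert>
<key>
$(pem "$KEYS_DIR/$name.key")
</key>
<tls-auth>
$(pem "$KEYS_DIR/ta.key")
</tls-auth>
EOF
}

# Usage: sh make-client-ovpn.sh NAME SERVER_IP > NAME.ovpn
# With no arguments the file only defines the functions.
if [ "$#" -eq 2 ]; then
    make_client_ovpn "$1" "$2"
fi
```

Run it as root on the server (the keys directory is not world-readable), move NAME.ovpn to the client over a channel you trust, and then remove keys/NAME.key from the server: the client is the only party that needs the private key, and a server compromise should not hand out every client identity at once.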
How to: Amazon EC2 / AWS Ubuntu OpenVPN
