
How to set up an OpenVPN server on AWS?

In this guide we will set up a “Debian 9 (stretch)” virtual machine on our AWS account and configure an OpenVPN server on it.

Creating a Debian 9 Instance

Let’s begin by navigating to our AWS Management Console home page.

  • We will start by choosing to launch a virtual machine.
  • We will move to the AWS Marketplace and search for ‘debian’, then select the Debian 9 instance from the results.

We shall now continue to start configuring the instance.

  • Next we will select the type of instance.
    • If using a free tier account, the t2.small instance should be a good beginning.
    • Otherwise t3a.micro would be a good fit for a server.
  • Under the ‘Configure Instance’ tab we can select the ‘Tenancy’.
    • A free tier account can only select a multi-tenant space.
    • Otherwise a ‘Dedicated’ or ‘Dedicated Host’ tenancy type is the best choice.
  • Lastly we will set up the firewall rules (the security group) for the instance.
    • We will set the source of the first rule to the list of IP addresses that are allowed to access the instance over SSH.
    • Then we will add a second rule to allow clients to reach the instance on the VPN port.
      • Here we can set the Source to ‘0.0.0.0/0’ in order to allow all incoming traffic on the VPN port.
      • If we have a list of the public IPs of the clients that will be connecting, we can set that list here to block all other access to the port.
      • The default port for OpenVPN is 1194, but it is a good idea to set it to a different port.
  • Finally we will move on to review the settings and launch the instance.
    • Once we click the Launch button we are asked to select or create the SSH key pair that will be used to connect to the instance.
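The two firewall rules above are the instance's security group. As an added example (not part of the guide), the Python helper below builds the `--ip-permissions` JSON that `aws ec2 authorize-security-group-ingress` accepts for exactly those two rules, and audits the result so that SSH is never left open to the world. The admin CIDRs and the VPN port 443 are constructed sample values, and `sg-PLACEHOLDER` stands in for the real security group id; nothing is sent to AWS.

```python
"""Build and audit the two ingress rules this guide creates for the VPN host.

Added example, not part of the guide. It only produces the JSON that
`aws ec2 authorize-security-group-ingress --ip-permissions` accepts; nothing is
sent to AWS. The CIDRs and the port used below are constructed sample values.
"""
import ipaddress
import json

SSH_PORT = 22
WORLD = "0.0.0.0/0"


def _ipv4_cidr(value):
    """Normalise a CIDR ('203.0.113.10' -> '203.0.113.10/32'); reject IPv6 and garbage."""
    net = ipaddress.ip_network(value, strict=False)
    if net.version != 4:
        raise ValueError(f"{value}: only IPv4 ranges are handled here")
    return str(net)


def build_ingress(ssh_sources, vpn_port, vpn_sources=(WORLD,), vpn_proto="tcp"):
    """Return the IpPermissions list: rule 1 = SSH from admin CIDRs, rule 2 = the VPN port."""
    if not ssh_sources:
        raise ValueError("SSH needs at least one explicit source CIDR")
    if not 1 <= vpn_port <= 65535:
        raise ValueError(f"invalid port {vpn_port}")
    if vpn_proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {vpn_proto}")
    return [
        {"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
         "IpRanges": [{"CidrIp": _ipv4_cidr(c), "Description": "admin SSH"} for c in ssh_sources]},
        {"IpProtocol": vpn_proto, "FromPort": vpn_port, "ToPort": vpn_port,
         "IpRanges": [{"CidrIp": _ipv4_cidr(c), "Description": "OpenVPN clients"} for c in vpn_sources]},
    ]


def audit(permissions):
    """Flag rules wider than the guide intends. Returns a list of finding strings (empty = fine)."""
    findings = []
    for perm in permissions:
        lo, hi = perm["FromPort"], perm["ToPort"]
        if lo != hi:
            findings.append(f"port range {lo}-{hi} opened; the guide opens single ports only")
        for rng in perm["IpRanges"]:
            # A /0 prefix on the SSH rule means every address on the internet may try to log in.
            if lo == SSH_PORT and ipaddress.ip_network(rng["CidrIp"]).prefixlen == 0:
                findings.append(f"SSH open to the world ({rng['CidrIp']})")
    return findings


def cli_command(group_id, permissions):
    """Render the aws CLI invocation so it can be reviewed before it is run."""
    return (f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
            f"--ip-permissions '{json.dumps(permissions)}'")


if __name__ == "__main__":
    # Constructed sample: two admin networks may SSH in; the VPN listens on a non-default TCP port.
    perms = build_ingress(["203.0.113.10", "198.51.100.0/24"], vpn_port=443)
    for finding in audit(perms):
        print("WARNING:", finding)
    print(cli_command("sg-PLACEHOLDER", perms))
```

Security groups are stateful, so only these ingress rules are needed; replies to the VPN and SSH traffic are allowed automatically. Running `audit()` on a rule set before applying it catches the common mistake of copying ‘0.0.0.0/0’ from the VPN rule into the SSH rule.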

Configuring OpenVPN

With the instance created we can now use the SSH key pair we downloaded during the creation of the instance to connect to it over SSH.

  • We can download a script to help us install and configure the OpenVPN server. Download the script and make it executable.
    wget https://git.io/vpn -O openvpn-configuration.sh
    chmod +x openvpn-configuration.sh
  • We can then run the script and start configuring the VPN server.
    ./openvpn-configuration.sh

Once run, the script asks us for the IP address of the machine. We select the option corresponding to the public IP address of the machine.

Next we choose to use TCP as the base connection type for our VPN.

Now we will set the port that we added an inbound rule for, so that the OpenVPN server listens for incoming connections on that port.

The DNS option can be set as preferred.

Finally we give a name that will be used to create a certificate for a user who is allowed to connect. The script then creates the files that the user needs in order to connect to the server.

Welcome to this OpenVPN road warrior installer!

I need to ask you a few questions before starting setup.
You can use the default options and just press enter if you are ok with them.

This server is behind NAT. What is the public IPv4 address or hostname?
Public IPv4 address / hostname [35.204.34.7]:

Which protocol do you want for OpenVPN connections?
   1) UDP (recommended)
   2) TCP
Protocol [1]: 2

What port do you want OpenVPN listening to?
Port [1194]:

Which DNS do you want to use with the VPN?
   1) Current system resolvers
   2) 1.1.1.1
   3) Google
   4) OpenDNS
   5) Verisign
DNS [1]:

Finally, tell me a name for the client certificate.
Client name [client]: 1234

Okay, that was all I needed. We are ready to set up your OpenVPN server now.
Press any key to continue...

Adding/Removing VPN Clients

With the server up and running we can run the script again in order to create new client certificates or to revoke existing ones.

We rerun the script we downloaded to install OpenVPN. The script now asks us whether we want to add or remove a user.

Entering the number corresponding to “Add a new user” and then providing a name for the user when prompted creates the certificate file that the user needs to connect to the VPN server.

Looks like OpenVPN is already installed.

What do you want to do?
   1) Add a new user
   2) Revoke an existing user
   3) Remove OpenVPN
   4) Exit
Select an option: 1

Tell me a name for the client certificate.
Client name: test2

Using SSL: openssl OpenSSL 1.1.0l  10 Sep 2019
Generating a RSA private key
.......................................................................+++++
...........+++++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/private/test2.key.DVI9WyFmtZ'
-----
Using configuration from ./safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'test2'
Certificate is to be certified until Mar 21 16:49:44 2030 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Client test2 added, configuration is available at: /root/test2.ovpn

On the other hand, if we enter the number corresponding to “Revoke an existing user”, we are presented with a list of the available clients. Entering the number corresponding to the user we intend to remove revokes the certificate generated for that user, so they can no longer connect to the VPN.

Looks like OpenVPN is already installed.

What do you want to do?
   1) Add a new user
   2) Revoke an existing user
   3) Remove OpenVPN
   4) Exit
Select an option: 2

Select the existing client certificate you want to revoke:
     1) client
     2) test2
Select one client: 2

Do you really want to revoke access for client test2? [y/N]: y
Using configuration from ./safessl-easyrsa.cnf
Revoking Certificate 12B01D572096F0E4512D3DE9E0480C88.
Data Base Updated

Using SSL: openssl OpenSSL 1.1.0l  10 Sep 2019
Using configuration from ./safessl-easyrsa.cnf

An updated CRL has been created.
CRL file: /etc/openvpn/server/easy-rsa/pki/crl.pem


Certificate for client test2 revoked!
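After a revocation it is worth confirming what the PKI actually recorded rather than trusting the prompt. As an added example (not from the guide or the installer), the Python below reads easy-rsa's certificate database, `index.txt` under the `/etc/openvpn/server/easy-rsa/pki` directory shown in the output above, and reports which clients are active, revoked or expired. `SAMPLE_INDEX` is a constructed stand-in for that file: the test2 serial and expiry are the ones printed above, while the other entries and the revocation timestamp are made up.

```python
"""Read easy-rsa's certificate database to confirm an add/revoke took effect.

Added example, not from the guide. index.txt is OpenSSL's CA database: one
tab-separated line per certificate with status (V=valid, R=revoked, E=expired),
expiry, revocation time (optionally ',reason'), serial, filename and subject.
SAMPLE_INDEX is a constructed stand-in for the real file on the server.
"""
from datetime import datetime, timezone

INDEX_PATH = "/etc/openvpn/server/easy-rsa/pki/index.txt"

SAMPLE_INDEX = (
    "V\t300321120000Z\t\t01\tunknown\t/CN=server\n"
    "V\t300321163000Z\t\t5A7C4E9B11D2F0A3\tunknown\t/CN=client\n"
    "R\t300321164944Z\t200323101500Z\t12B01D572096F0E4512D3DE9E0480C88\tunknown\t/CN=test2\n"
)


def _utc(stamp):
    """Parse OpenSSL's YYMMDDHHMMSSZ database timestamp into an aware datetime."""
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text):
    """Return one dict per certificate; raise ValueError on a malformed line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 tab-separated fields, got {len(fields)}")
        status, expiry, revoked, serial, _filename, subject = fields
        if status not in ("V", "R", "E"):
            raise ValueError(f"line {lineno}: unknown status {status!r}")
        if status == "R" and not revoked:
            raise ValueError(f"line {lineno}: revoked entry without a revocation time")
        revoked_at = _utc(revoked.split(",")[0]) if revoked else None   # strip ',reason' if present
        cn = next((p[3:] for p in subject.split("/") if p.startswith("CN=")), subject)
        entries.append({"status": status, "cn": cn, "serial": serial.upper(),
                        "expires": _utc(expiry), "revoked_at": revoked_at})
    return entries


def is_revoked(entries, cn):
    """True if the database marks the certificate for this common name as revoked."""
    return any(e["cn"] == cn and e["status"] == "R" for e in entries)


def clients_by_status(entries, now=None):
    """Group common names into active / revoked / expired as of `now` (default: current UTC time)."""
    now = now or datetime.now(timezone.utc)
    groups = {"active": [], "revoked": [], "expired": []}
    for e in entries:
        if e["status"] == "R":
            groups["revoked"].append(e["cn"])
        elif e["status"] == "E" or e["expires"] <= now:
            groups["expired"].append(e["cn"])
        else:
            groups["active"].append(e["cn"])
    return groups


def load_index(path=INDEX_PATH):
    """Read the live database on the server (needs root, as the installer runs as root)."""
    with open(path, encoding="utf-8") as fh:
        return parse_index(fh.read())


if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)      # on the server, use load_index() instead
    print(clients_by_status(db))
    print("test2 revoked:", is_revoked(db, "test2"))
```

The database entry is only half the story: OpenVPN rejects a revoked client only when the server configuration's `crl-verify` directive points at the regenerated CRL file whose path is printed above, so after revoking a user check both that the index shows `R` for that name and that the CRL was rewritten at the time of the revocation.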

Since SSH is the only access we allow to the machine other than the VPN itself, we can use any SFTP client over that SSH connection to download the user's .ovpn file from the server.

Users can then connect to the VPN server using their .ovpn files, which contain their certificate and key.
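Before a downloaded .ovpn file is handed to a user, it is worth checking that it points at the server just built and carries everything the client needs. As an added example (not from the guide or the installer script), the Python below parses a profile into its directives and inline `<ca>`, `<cert>`, `<key>` and `<tls-crypt>` blocks and compares it with the server's public IP, port and protocol. `SAMPLE_PROFILE` is a constructed profile with placeholder PEM bodies; the host and port in it are the ones from the installer session above, and the required-block list assumes the installer's inline-block layout.

```python
"""Sanity-check a client .ovpn profile before handing it to a user.

Added example, not from the guide or the installer script. Assumes the profile
uses OpenVPN's inline <ca>/<cert>/<key>/<tls-crypt> blocks; SAMPLE_PROFILE is a
constructed sample whose PEM bodies are placeholders.
"""
import re

SAMPLE_PROFILE = """\
client
dev tun
proto tcp
remote 35.204.34.7 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
verb 3
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-TLS-CRYPT-KEY
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

_TAG = re.compile(r"^<(/?)([a-z-]+)>$")
REQUIRED_BLOCKS = ("ca", "cert", "key", "tls-crypt")


def parse_profile(text):
    """Split a profile into ordered (option, args) pairs and a dict of inline blocks."""
    options, inline, current, buf = [], {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank lines and comments
            continue
        tag = _TAG.match(line)
        if tag:
            closing, name = tag.group(1) == "/", tag.group(2)
            if closing:
                if current != name:
                    raise ValueError(f"unexpected </{name}>")
                inline[name], current, buf = "\n".join(buf), None, []
            elif current is not None:
                raise ValueError(f"<{name}> nested inside <{current}>")
            else:
                current = name
        elif current is not None:
            buf.append(line)                      # body of the open inline block
        else:
            name, *args = line.split()
            options.append((name, args))
    if current is not None:
        raise ValueError(f"<{current}> never closed")
    return options, inline


def check_profile(text, host, port, proto="tcp"):
    """Return a list of findings; an empty list means the profile matches the server."""
    options, inline = parse_profile(text)
    opts = dict(options)                          # last occurrence wins, as in OpenVPN
    findings = []
    remotes = [args for name, args in options if name == "remote"]
    if not remotes:
        findings.append("no 'remote' directive")
    for args in remotes:
        r_host = args[0] if args else ""
        r_port = args[1] if len(args) > 1 else "1194"                 # OpenVPN's default port
        r_proto = args[2] if len(args) > 2 else (opts.get("proto") or ["udp"])[0]
        if (r_host, r_port, r_proto) != (host, str(port), proto):
            findings.append(f"remote '{' '.join(args)}' is not {host} {port} {proto}")
    if opts.get("remote-cert-tls") != ["server"]:
        findings.append("'remote-cert-tls server' missing: any CA-issued cert could pose as the server")
    for block in REQUIRED_BLOCKS:
        if block not in inline:
            findings.append(f"missing inline <{block}> block")
    if "auth-user-pass" in opts:
        findings.append("'auth-user-pass' present but this server authenticates with certificates only")
    return findings


if __name__ == "__main__":
    for line in check_profile(SAMPLE_PROFILE, "35.204.34.7", 1194) or ["profile OK"]:
        print(line)
```

Because the file embeds the client's private key, treat it like a credential: move it over the SSH/SFTP channel described above, give it to one user only, and revoke that user's certificate with the script if the file is ever exposed.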