Using OpenVPN to create a simple VPN for AWS with SSL/Let's Encrypt
I continue to find a need for a simple and inexpensive VPN solution for Amazon Web Services. The VPN solutions AWS provides feel like extended pricing overkill for what I am typically looking for. I also want to add SSL for the HTTPS side of the configuration via Let’s Encrypt.
Goals (pick 2) and Process
In the Good, Fast, Cheap triangle I am working towards Fast and Cheap here. Overall I want to connect to my AWS VPC via VPN, access resources and then disconnect. I do not have a goal beyond that. Thus… here is the walk-through I use to stand up an OpenVPN server in an Amazon Web Services (AWS) account and use Let’s Encrypt to provide the SSL certificate.
Create the Instance
First, in my AWS account I locate OpenVPN image in the AWS marketplace:
I then launch this AMI as a t3.nano with a public IP (we will switch to elastic here in a bit). I also use their generated security group, BUT, I add port 80 due to the Let’s Encrypt challenge process.
Elastic IP and DNS (Route53)
I turn my VPN up and down with the AWS CLI when I need it. Because of this I prefer to have the instance on an Elastic IP. Thus, I associate an Elastic IP to the instance. Then I add the correct DNS names via Route53.
Login and Configuration
After the instance is up I ssh into the system (note: the system username is openvpnas but the admin username for the web app is openvpn to keep you on your toes).
1
2
DOMAIN=[your_domain]
ssh -i key.pem openvpnas@$DOMAIN
On the initial login you’ll be presented with the welcome and you’ll be walked through the init screen.
1
2
3
4
5
6
7
8
9
10
11
12
Please enter 'yes' to indicate your agreement [no]: yes
Will this be the primary Access Server node? yes
Please specify the network interface and IP address to be used by the Admin Web UI: 1 - all interfaces
Please specify the port number for the Admin Web UI: 943
Please specify the TCP port number for the OpenVPN Daemon: 443
Should client traffic be routed by default through the VPN? no
Should client DNS traffic be routed by default through the VPN? yes
Use local authentication via internal DB? yes
Private subnets detected: XXX.XXX.XXX.XXX/16 (default)
Should private subnets be accessible to clients by default? yes
Do you wish to login to the Admin UI as "openvpn"? yes
Please specify your OpenVPN-AS license key (or leave blank to specify later): blank
Next, I setup the two variables I’ll need to setup the rest of the server and I set the admin password (how you will login to the web app portion of the setup)
1
2
3
DOMAIN=[your_domain]
EMAIL=[your_email]
sudo passwd openvpn
Let’s Encrypt - SSL
1
2
3
4
5
6
7
8
9
10
11
12
sudo apt-get -y install software-properties-common
sudo apt-get -y update
sudo apt-get -y install certbot
sudo service openvpnas stop
sudo certbot certonly \
--standalone \
--non-interactive \
--agree-tos \
--email $EMAIL \
--domains $DOMAIN \
--pre-hook 'sudo service openvpnas stop' \
--post-hook 'sudo service openvpnas start'
Assuming that process worked we need to load this into OpenVPN
1
2
3
sudo ln -s -f /etc/letsencrypt/live/$DOMAIN/cert.pem /usr/local/openvpn_as/etc/web-ssl/server.crt
sudo ln -s -f /etc/letsencrypt/live/$DOMAIN/privkey.pem /usr/local/openvpn_as/etc/web-ssl/server.key
sudo service openvpnas start
Next, the site will pull up with a correct HTTPS SSL connection via the domain you used above and port 943.
1
https://DOMAIN:943/admin
Note: in my experience this takes a few seconds to start working correctly, unclear why specifically
Cleanup
Inside of the admin area I do a few things:
- Change the hostname from the IP to the domain name
- Add a user for myself
Turning it Up & Down
I will typically boot and shutdown the instance when I am not using it. Here is the AWS CLI command I use for this. Please note that I use Named Profiles to get this done.
Starting
1
aws --region=us-west-2 --profile=aztec ec2 start-instances --instance-ids i-0eafc16349ac669a3
Stopping
1
aws --region=us-west-2 --profile=aztec ec2 stop-instances --instance-ids i-0eafc16349ac669a3
Done!
Next, I install the OpenVPN client on my machine(s) and connect!
Odd Notes
- Occasionally I will find the web services have died on a few of my instances. I have to log into them and kick the vpn server to restore them. I am unclear why this happens right now but it seems to happen from time-to-time. I restart it with:
sudo service openvpnas restart
NOTES: 2020-04-09 was able to remove ppa for the certbot install - thanks to Amarapal Singh!