Difference between revisions of "Setup OpenVPN Server in AWS VPC"

Latest revision as of 22:39, 6 March 2023

Purpose

We'll build an OpenVPN server with CentOS 7 in AWS VPN.
This server will be run 24x7 and user as client can connect into it to access all resources & services to the VPC.
Let say this VPN name will be my-vpn which use my-vpn.gejoreuy.com as its public address.
Make sure we have configured our dns my-vpn.gejoreuy.com with the correct public ip address!!!

Preparation

[root@openvpn ~]# yum update
[root@openvpn ~]# hostnamectl set-hostname my-vpn.gejoreuy.com --static (gave static IP and put this in Route 53)
[root@openvpn ~]# timedatectl set-timezone Asia/Jakarta
[root@openvpn ~]# yum install epel-release
[root@openvpn ~]# yum install p7zip wget zip unzip autossh pv java-1.8.0-openjdk-devel htop lvm2 samba sysstat glibc figlet telnet firewalld srm
[root@openvpn ~]# systemctl start firewalld
[root@openvpn ~]# systemctl enable firewalld
[root@openvpn ~]# firewall-cmd --add-service openvpn --permanent
[root@openvpn ~]# firewall-cmd --add-service https --permanent
[root@openvpn ~]# firewall-cmd --add-masquerade --permanent
[root@openvpn ~]# firewall-cmd --reload

Install OpenVPN Server

Install OpenVPN server.

[root@openvpn ~]# yum install openvpn easy-rsa
[root@openvpn ~]# mkdir /etc/openvpn/easy-rsa
[root@openvpn ~]# cp -R /usr/share/easy-rsa/3.0.8/* /etc/openvpn/easy-rsa
[root@openvpn ~]# cd /etc/openvpn/easy-rsa

Edit easyrsa to extend expiry of certs to 9 years

[root@openvpn easy-rsa]# vi easyrsa

Change this below value :

set_var EASYRSA_CERT_EXPIRE     3080 # new default of 9 years

Setup the certs and keys and sign key for the server :

[root@openvpn easy-rsa]# ./easyrsa init-pki
[root@openvpn easy-rsa]# ./easyrsa build-ca
[root@openvpn easy-rsa]# ./easyrsa gen-dh
[root@openvpn easy-rsa]# ./easyrsa gen-req server nopass
[root@openvpn easy-rsa]# ./easyrsa sign-req server server

Go up one level to /etc/openvpn and generate a TLS key to slow down DDOS attacks.

[root@openvpn easy-rsa]# cd ..
[root@openvpn openvpn]# openvpn --genkey --secret ta.key

Put the passphrase you used for ca.key in a text file for future admins :

[root@openvpn openvpn]# vi ca-passphrase.txt

Configure System

In /etc/sysctl.conf enable ip forwarding :

[root@openvpn openvpn]# vi /etc/sysctl.conf

Add this :

# For OpenVPN
net.ipv4.ip_forward = 1

Reboot now for good measure :

[root@openvpn openvpn]# reboot

Test your config :

[centos@openvpn ~]$ cat /proc/sys/net/ipv4/ip_forward
1

Configure Server

Create file /etc/openvpn/server/my-vpn.conf :

[root@openvpn ~]# vi /etc/openvpn/server/my-vpn.conf

port 443
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key  # This file is server's secret
dh /etc/openvpn/easy-rsa/pki/dh.pem
server 172.16.31.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 172.31.184.2"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0 # This file is secret shared between server and clients
cipher AES-256-CBC
max-clients 50
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 3 # verbosity 0 to 15
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem

Notes on this file:

The server address space is 172.16 + the 2nd byte of the VPC it connects to. Not important - could be almost anything.
The subnet mask restricts how many clients can use the VPN - in this case 252.
Check /etc/resolve.conf on the OpenVPN server for DNS hints. 8.8.4.4 is a backup public DNS.
push means this config is for the clients.

Start Server

Start, check status, and enable to start automatically upon reboot :

[root@openvpn]# systemctl -l start openvpn-server@my-vpn
[root@openvpn]# systemctl -l status openvpn-server@my-vpn
\u25cf openvpn-server@my-vpn.service - OpenVPN service for my-vpn
   Loaded: loaded (/usr/lib/systemd/system/openvpn-server@.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-10-01 14:19:12 AEST; 26s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 8954 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@my-vpn.service
           \u2514\u25008954 /usr/sbin/openvpn --status /run/openvpn-server/status-my-vpn.log --status-version 2 --suppress-timestamps --config my-vpn.conf

Oct 01 14:19:12 my-vpn-openvpn.gejoreuy.com systemd[1]: Starting OpenVPN service for my-vpn...
Oct 01 14:19:12 my-vpn-openvpn.gejoreuy.com systemd[1]: Started OpenVPN service for my-vpn.
[root@openvpn]# systemctl -l enable openvpn-server@my-vpn
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn-server@my-vpn.service to /usr/lib/systemd/system/openvpn-server@.service.

Configure Clients

Each client needs their own secure, signed key and config file.
Copy the shared items to the client folder :

[root@openvpn]# cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/client/
[root@openvpn]# cp /etc/openvpn/ta.key /etc/openvpn/client/

Make client config in the client folder:

[root@openvpn]# vi /etc/openvpn/client/my-vpn.ovpn

client
dev tun
proto tcp
route 172.17.0.0 255.255.252.0  #this is the subnet address of the vpc where openvpn server running
remote my-vpn.gejoreuy.com 443  #this is the openvpn server address, change it to the real address
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert USERNAME.crt
key USERNAME.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3

Note this config can't work unless there is a cert and key for user "USERNAME". This is a template only.
To generate user keys we need a list of usernames and passwords. Here's a script that does it for you and packages it all up into a 7-zip file encrypted with the same password :

[root@openvpn]# cd /etc/openvpn
[root@openvpn]# vi generateuser.sh

#!/bin/bash
cd /etc/openvpn/easy-rsa
echo username is $1 and PASSWORD is $2
echo use this password twice when asked to Enter PEM pass phrase.
/etc/openvpn/easy-rsa/easyrsa gen-req $1
clear
echo next to sign the key you need the passphrase for ca.key bbsadgassadgasdga
/etc/openvpn/easy-rsa/easyrsa sign-req client $1
TEMP_DIR=`mktemp -d -t openvpn-XXXXXXXXXXX`
cp /etc/openvpn/client/ca.crt $TEMP_DIR
cp /etc/openvpn/client/ta.key $TEMP_DIR
sed 's/USERNAME/'${1}'/g' /etc/openvpn/client/my-vpn.ovpn > $TEMP_DIR/my-vpn.ovpn
cp /etc/openvpn/easy-rsa/pki/private/${1:-username}.key $TEMP_DIR
cp /etc/openvpn/easy-rsa/pki/issued/${1:-username}.crt $TEMP_DIR
chown -R root:root $TEMP_DIR
chmod -R 777 $TEMP_DIR
cd $TEMP_DIR
ls -la
rm -f /root/${1:-username}-keys.7z
7za a -p${2:-password} /root/${1:-username}-keys.7z ./*
chown root:root /root/${1:-username}-keys.7z
echo "your file is here: /root/${1:-username}-keys.7z"
srm -rf $TEMP_DIR

[root@openvpn]# chmod ugoa+x generateuser.sh

Revoke OpenVPN User

When an OpenVPN user not needed anymnore, we need to revoke it. We can create script like this.

[root@openvpn]# cd /etc/openvpn
[root@openvpn]# vi revokeuser.sh

#!/bin/bash

cd /etc/openvpn/easy-rsa
/etc/openvpn/easy-rsa/easyrsa revoke $1
/etc/openvpn/easy-rsa/easyrsa gen-crl
cat /etc/openvpn/easy-rsa/pki/index.txt | grep -i $1
echo "if you see an 'R' (for Revoked) on the first column from the left for the user that revoked, it's mean the user has been revoked successfully"

[root@openvpn]# chmod ugoa+x revokeuser.sh

@@ Line 1: / Line 1: @@
 == Purpose ==
-We'll build an OpenVPN server with CentOS 7 in AWS VPN.
+<br>We'll build an OpenVPN server with CentOS 7 in AWS VPN.
-This server will be run 24x7 and user as client can connect into it to access all resources & services to the VPC.
+<br>This server will be run 24x7 and user as client can connect into it to access all resources & services to the VPC.
+<br>Let say this VPN name will be '''my-vpn''' which use '''my-vpn.gejoreuy.com''' as its public address.
+<br>Make sure we have configured our dns my-vpn.gejoreuy.com with the correct public ip address!!!
 == Preparation ==
@@ Line 8: / Line 10: @@
 <pre>
 [root@openvpn ~]# yum update
-[root@openvpn ~]# hostnamectl set-hostname ims-openvpn.nova-ten.net --static (gave static IP and put this in Route 53)
+[root@openvpn ~]# hostnamectl set-hostname my-vpn.gejoreuy.com --static (gave static IP and put this in Route 53)
-[root@openvpn ~]# timedatectl set-timezone Australia/Brisbane
+[root@openvpn ~]# timedatectl set-timezone Asia/Jakarta
 [root@openvpn ~]# yum install epel-release
 [root@openvpn ~]# yum install p7zip wget zip unzip autossh pv java-1.8.0-openjdk-devel htop lvm2 samba sysstat glibc figlet telnet firewalld srm
@@ Line 27: / Line 29: @@
 [root@openvpn ~]# yum install openvpn easy-rsa
 [root@openvpn ~]# mkdir /etc/openvpn/easy-rsa
-[root@openvpn ~]# cp -R /usr/share/easy-rsa/3.0.6/* /etc/openvpn/easy-rsa
+[root@openvpn ~]# cp -R /usr/share/easy-rsa/3.0.8/* /etc/openvpn/easy-rsa
 [root@openvpn ~]# cd /etc/openvpn/easy-rsa
 </pre>
@@ Line 96: / Line 98: @@
 == Configure Server ==
-Create file /etc/openvpn/server/ims.conf :
+Create file /etc/openvpn/server/my-vpn.conf :
 <pre>
-[root@openvpn ~]# vi /etc/openvpn/server/ims.conf
+[root@openvpn ~]# vi /etc/openvpn/server/my-vpn.conf
 </pre>
@@ Line 123: / Line 125: @@
 log-append  openvpn.log
 verb 3 # verbosity 0 to 15
+crl-verify /etc/openvpn/easy-rsa/pki/crl.pem
 </pre>
@@ Line 137: / Line 140: @@
 <pre>
-[root@openvpn]# systemctl -l start openvpn-server@server
+[root@openvpn]# systemctl -l start openvpn-server@my-vpn
-[root@openvpn]# systemctl -l status openvpn-server@server
+[root@openvpn]# systemctl -l status openvpn-server@my-vpn
-\u25cf openvpn-server@ims.service - OpenVPN service for ims
+\u25cf openvpn-server@my-vpn.service - OpenVPN service for my-vpn
     Loaded: loaded (/usr/lib/systemd/system/openvpn-server@.service; disabled; vendor preset: disabled)
     Active: active (running) since Tue 2019-10-01 14:19:12 AEST; 26s ago
@@ Line 147: / Line 150: @@
   Main PID: 8954 (openvpn)
     Status: "Initialization Sequence Completed"
-    CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@ims.service
+    CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@my-vpn.service
-            \u2514\u25008954 /usr/sbin/openvpn --status /run/openvpn-server/status-ims.log --status-version 2 --suppress-timestamps --config ims.conf
+            \u2514\u25008954 /usr/sbin/openvpn --status /run/openvpn-server/status-my-vpn.log --status-version 2 --suppress-timestamps --config my-vpn.conf
-Oct 01 14:19:12 ims-openvpn.nova-ten.net systemd[1]: Starting OpenVPN service for ims...
+Oct 01 14:19:12 my-vpn-openvpn.gejoreuy.com systemd[1]: Starting OpenVPN service for my-vpn...
-Oct 01 14:19:12 ims-openvpn.nova-ten.net systemd[1]: Started OpenVPN service for ims.
+Oct 01 14:19:12 my-vpn-openvpn.gejoreuy.com systemd[1]: Started OpenVPN service for my-vpn.
-[root@openvpn]# systemctl -l enable openvpn-server@server
+[root@openvpn]# systemctl -l enable openvpn-server@my-vpn
-Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn-server@ims.service to /usr/lib/systemd/system/openvpn-server@.service.
+Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn-server@my-vpn.service to /usr/lib/systemd/system/openvpn-server@.service.
 </pre>
@@ Line 169: / Line 172: @@
 <pre>
-[root@openvpn]# vi /etc/openvpn/client/ims.ovpn
+[root@openvpn]# vi /etc/openvpn/client/my-vpn.ovpn
 </pre>
@@ Line 176: / Line 179: @@
 dev tun
 proto tcp
-route 172.31.184.0 255.255.252.0
+route 172.17.0.0 255.255.252.0  #this is the subnet address of the vpc where openvpn server running
-remote openvpn.gejoreuy.com 443  #this is the openvpn server address, change it to the real address
+remote my-vpn.gejoreuy.com 443  #this is the openvpn server address, change it to the real address
 resolv-retry infinite
 nobind
@@ Line 211: / Line 214: @@
 cp /etc/openvpn/client/ca.crt $TEMP_DIR
 cp /etc/openvpn/client/ta.key $TEMP_DIR
-sed 's/USERNAME/'${1}'/g' /etc/openvpn/client/ims.ovpn > $TEMP_DIR/ims.ovpn
+sed 's/USERNAME/'${1}'/g' /etc/openvpn/client/my-vpn.ovpn > $TEMP_DIR/my-vpn.ovpn
 cp /etc/openvpn/easy-rsa/pki/private/${1:-username}.key $TEMP_DIR
 cp /etc/openvpn/easy-rsa/pki/issued/${1:-username}.crt $TEMP_DIR
-chown -R centos:centos $TEMP_DIR
+chown -R root:root $TEMP_DIR
 chmod -R 777 $TEMP_DIR
 cd $TEMP_DIR
 ls -la
-rm -f /home/centos/${1:-username}-keys.7z
+rm -f /root/${1:-username}-keys.7z
-za a -p${2:-password} /home/centos/${1:-username}-keys.7z ./*
+za a -p${2:-password} /root/${1:-username}-keys.7z ./*
-chown centos:centos /home/centos/${1:-username}-keys.7z
+chown root:root /root/${1:-username}-keys.7z
-echo "your file is here: /home/centos/${1:-username}-keys.7z"
+echo "your file is here: /root/${1:-username}-keys.7z"
 srm -rf $TEMP_DIR
+</pre>
+<pre>
+[root@openvpn]# chmod ugoa+x generateuser.sh
+</pre>
+== Revoke OpenVPN User ==
+When an OpenVPN user not needed anymnore, we need to revoke it. We can create script like this.
+<pre>
+[root@openvpn]# cd /etc/openvpn
+[root@openvpn]# vi revokeuser.sh
+</pre>
+<pre>
+#!/bin/bash
+cd /etc/openvpn/easy-rsa
+/etc/openvpn/easy-rsa/easyrsa revoke $1
+/etc/openvpn/easy-rsa/easyrsa gen-crl
+cat /etc/openvpn/easy-rsa/pki/index.txt | grep -i $1
+echo "if you see an 'R' (for Revoked) on the first column from the left for the user that revoked, it's mean the user has been revoked successfully"
+</pre>
+<pre>
+[root@openvpn]# chmod ugoa+x revokeuser.sh
 </pre>

Difference between revisions of "Setup OpenVPN Server in AWS VPC"

Latest revision as of 22:39, 6 March 2023

Contents

Purpose

Preparation

Install OpenVPN Server

Configure System

Configure Server

Start Server

Configure Clients

Revoke OpenVPN User

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools