Difference between revisions of "Setup OpenVPN Server in AWS VPC"

From Gejoreuy
Latest revision as of 22:39, 6 March 2023

Purpose

We'll build an OpenVPN server with CentOS 7 in an AWS VPC.
This server will run 24x7, and users connecting as clients can reach all resources and services in the VPC.
Let's say this VPN is named my-vpn and uses my-vpn.gejoreuy.com as its public address.
Make sure the DNS record for my-vpn.gejoreuy.com points to the correct public IP address!

Preparation

[root@openvpn ~]# yum update
[root@openvpn ~]# hostnamectl set-hostname my-vpn.gejoreuy.com --static (give the instance a static IP and put it in Route 53)
[root@openvpn ~]# timedatectl set-timezone Asia/Jakarta
[root@openvpn ~]# yum install epel-release
[root@openvpn ~]# yum install p7zip wget zip unzip autossh pv java-1.8.0-openjdk-devel htop lvm2 samba sysstat glibc figlet telnet firewalld srm
[root@openvpn ~]# systemctl start firewalld
[root@openvpn ~]# systemctl enable firewalld
[root@openvpn ~]# firewall-cmd --add-service openvpn --permanent
[root@openvpn ~]# firewall-cmd --add-service https --permanent
[root@openvpn ~]# firewall-cmd --add-masquerade --permanent
[root@openvpn ~]# firewall-cmd --reload

Install OpenVPN Server

Install OpenVPN server.

[root@openvpn ~]# yum install openvpn easy-rsa
[root@openvpn ~]# mkdir /etc/openvpn/easy-rsa
[root@openvpn ~]# cp -R /usr/share/easy-rsa/3.0.8/* /etc/openvpn/easy-rsa
[root@openvpn ~]# cd /etc/openvpn/easy-rsa

Edit easyrsa to extend the certificate expiry to 9 years:

[root@openvpn easy-rsa]# vi easyrsa

Change the value below:

set_var EASYRSA_CERT_EXPIRE     3080 # new default of 9 years

Set up the PKI, build the CA and DH parameters, then create and sign the server key:

[root@openvpn easy-rsa]# ./easyrsa init-pki
[root@openvpn easy-rsa]# ./easyrsa build-ca
[root@openvpn easy-rsa]# ./easyrsa gen-dh
[root@openvpn easy-rsa]# ./easyrsa gen-req server nopass
[root@openvpn easy-rsa]# ./easyrsa sign-req server server

Go up one level to /etc/openvpn and generate a tls-auth HMAC key; it lets the server drop packets that lack a valid HMAC before any TLS work is done, which helps mitigate DoS attacks.

[root@openvpn easy-rsa]# cd ..
[root@openvpn openvpn]# openvpn --genkey --secret ta.key

Put the passphrase you used for ca.key in a root-only (chmod 600) text file for future admins; anyone who can read it can sign new client certificates with this CA:

[root@openvpn openvpn]# vi ca-passphrase.txt

Configure System

In /etc/sysctl.conf enable ip forwarding :

[root@openvpn openvpn]# vi /etc/sysctl.conf

Add this :

# For OpenVPN
net.ipv4.ip_forward = 1

Reboot now for good measure :

[root@openvpn openvpn]# reboot

Verify that forwarding is enabled after the reboot:

[centos@openvpn ~]$ cat /proc/sys/net/ipv4/ip_forward
1

Configure Server

Create file /etc/openvpn/server/my-vpn.conf :

[root@openvpn ~]# vi /etc/openvpn/server/my-vpn.conf
port 443
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key  # This file is server's secret
dh /etc/openvpn/easy-rsa/pki/dh.pem
server 172.16.31.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 172.31.184.2"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0 # This file is secret shared between server and clients
cipher AES-256-CBC
max-clients 50
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 3 # verbosity 0 to 15
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem

Notes on this file:

  • The server address space is 172.16 + the 2nd byte of the VPC it connects to. Not important - could be almost anything.
  • The subnet mask restricts how many clients can use the VPN - in this case 252.
  • Check /etc/resolv.conf on the OpenVPN server for DNS hints. 8.8.4.4 is a backup public DNS.
  • push means the option is sent to the clients rather than applied on the server.

Start Server

Start, check status, and enable to start automatically upon reboot :

[root@openvpn]# systemctl -l start openvpn-server@my-vpn
[root@openvpn]# systemctl -l status openvpn-server@my-vpn
● openvpn-server@my-vpn.service - OpenVPN service for my-vpn
   Loaded: loaded (/usr/lib/systemd/system/openvpn-server@.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-10-01 14:19:12 AEST; 26s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 8954 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@my-vpn.service
           └─8954 /usr/sbin/openvpn --status /run/openvpn-server/status-my-vpn.log --status-version 2 --suppress-timestamps --config my-vpn.conf

Oct 01 14:19:12 my-vpn-openvpn.gejoreuy.com systemd[1]: Starting OpenVPN service for my-vpn...
Oct 01 14:19:12 my-vpn-openvpn.gejoreuy.com systemd[1]: Started OpenVPN service for my-vpn.
[root@openvpn]# systemctl -l enable openvpn-server@my-vpn
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn-server@my-vpn.service to /usr/lib/systemd/system/openvpn-server@.service.

Configure Clients

Each client needs their own secure, signed key and config file.
Copy the shared items to the client folder :

[root@openvpn]# cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/client/
[root@openvpn]# cp /etc/openvpn/ta.key /etc/openvpn/client/

Make client config in the client folder:

[root@openvpn]# vi /etc/openvpn/client/my-vpn.ovpn
client
dev tun
proto tcp
route 172.17.0.0 255.255.252.0  #this is the subnet address of the vpc where openvpn server running
remote my-vpn.gejoreuy.com 443  #this is the openvpn server address, change it to the real address
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert USERNAME.crt
key USERNAME.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3

Note that this config cannot work until there is a cert and key for user "USERNAME"; it is a template only.
To generate user keys we need a username and a password for each user. Here's a script that does it for you and packages everything into a 7-zip file encrypted with that same password:

[root@openvpn]# cd /etc/openvpn
[root@openvpn]# vi generateuser.sh
#!/bin/bash
# Usage: ./generateuser.sh USERNAME PASSWORD
# Creates a client key and certificate for USERNAME, then packs them with ca.crt,
# ta.key and the client config into /root/USERNAME-keys.7z encrypted with PASSWORD.
set -eu
if [ $# -ne 2 ]; then
    echo "usage: $0 USERNAME PASSWORD" >&2
    exit 1
fi
USER_NAME="$1"
USER_PASS="$2"
cd /etc/openvpn/easy-rsa
echo "username is ${USER_NAME} and PASSWORD is ${USER_PASS}"
echo "use this password twice when asked to Enter PEM pass phrase."
/etc/openvpn/easy-rsa/easyrsa gen-req "${USER_NAME}"
clear
echo "next, to sign the key you need the passphrase for ca.key (see /etc/openvpn/ca-passphrase.txt)"
/etc/openvpn/easy-rsa/easyrsa sign-req client "${USER_NAME}"
# Stage the bundle in a temporary directory and fill the user's name into the template.
TEMP_DIR=$(mktemp -d -t openvpn-XXXXXXXXXXX)
cp /etc/openvpn/client/ca.crt "${TEMP_DIR}"
cp /etc/openvpn/client/ta.key "${TEMP_DIR}"
sed "s/USERNAME/${USER_NAME}/g" /etc/openvpn/client/my-vpn.ovpn > "${TEMP_DIR}/my-vpn.ovpn"
cp "/etc/openvpn/easy-rsa/pki/private/${USER_NAME}.key" "${TEMP_DIR}"
cp "/etc/openvpn/easy-rsa/pki/issued/${USER_NAME}.crt" "${TEMP_DIR}"
chown -R root:root "${TEMP_DIR}"
chmod -R 777 "${TEMP_DIR}"   # staged files are world-readable until srm wipes the directory below
cd "${TEMP_DIR}"
ls -la
rm -f "/root/${USER_NAME}-keys.7z"
# -p sets the archive password; note it is visible in the process list while 7za runs.
7za a -p"${USER_PASS}" "/root/${USER_NAME}-keys.7z" ./*
chown root:root "/root/${USER_NAME}-keys.7z"
echo "your file is here: /root/${USER_NAME}-keys.7z"
# Securely wipe the plaintext key material that was staged for packaging.
srm -rf "${TEMP_DIR}"
[root@openvpn]# chmod ugoa+x generateuser.sh

Revoke OpenVPN User

When an OpenVPN user is no longer needed, revoke their certificate. A script like this does it:

[root@openvpn]# cd /etc/openvpn
[root@openvpn]# vi revokeuser.sh
#!/bin/bash
# Usage: ./revokeuser.sh USERNAME
# Revokes USERNAME's certificate and regenerates pki/crl.pem, the file the server
# checks via crl-verify, so the revoked client is refused on its next connection.
set -eu
if [ $# -ne 1 ]; then
    echo "usage: $0 USERNAME" >&2
    exit 1
fi
USER_NAME="$1"
cd /etc/openvpn/easy-rsa
# Both steps prompt for the ca.key passphrase.
/etc/openvpn/easy-rsa/easyrsa revoke "${USER_NAME}"
/etc/openvpn/easy-rsa/easyrsa gen-crl
# Show the user's entry in the CA database; match the full DN so that "bob" does not also match "bobby".
grep "/CN=${USER_NAME}\$" /etc/openvpn/easy-rsa/pki/index.txt || echo "no certificate found for ${USER_NAME}"
echo "if you see an 'R' (for Revoked) in the first column for this user, the user has been revoked successfully"
[root@openvpn]# chmod ugoa+x revokeuser.sh
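As an added example (not part of the original page), here is a small shell audit that reads easy-rsa's pki/index.txt by exact distinguished name instead of a substring match, so checking "bob" cannot be satisfied by an entry for "bobby". The index lines are constructed sample data, and the DN layout assumes easy-rsa's default cn_only mode (/CN=name only).

```shell
#!/bin/sh
# Constructed sample of easy-rsa's pki/index.txt (the OpenSSL CA database).
# Tab-separated fields: status (V/R/E), expiry, revocation date, serial, file, DN.
SAMPLE_INDEX="$(mktemp)"
trap 'rm -f "$SAMPLE_INDEX"' EXIT
printf 'V\t320301120000Z\t\t01\tunknown\t/CN=server\n' >  "$SAMPLE_INDEX"
printf 'V\t320301120000Z\t\t02\tunknown\t/CN=bob\n'    >> "$SAMPLE_INDEX"
printf 'R\t320301120000Z\t230306150000Z\t03\tunknown\t/CN=bobby\n' >> "$SAMPLE_INDEX"
printf 'V\t320301120000Z\t\t04\tunknown\t/CN=alice\n'  >> "$SAMPLE_INDEX"

# cert_status INDEX CN -> prints V (valid), R (revoked), E (expired) or "none".
# Compares the whole DN field, and takes the last entry because easy-rsa appends
# a new line when a certificate for the same CN is re-issued.
cert_status() {
    status=$(awk -F'\t' -v cn="/CN=$2" '$6 == cn { print $1 }' "$1" | tail -n 1)
    echo "${status:-none}"
}

# revoked_users INDEX -> one CN per line for every revoked entry.
revoked_users() {
    awk -F'\t' '$1 == "R" { sub("^/CN=", "", $6); print $6 }' "$1"
}

# count_status INDEX STATUS -> number of entries with the given status letter.
count_status() {
    awk -F'\t' -v s="$2" '$1 == s { n++ } END { print n + 0 }' "$1"
}

echo "bob: $(cert_status "$SAMPLE_INDEX" bob), bobby: $(cert_status "$SAMPLE_INDEX" bobby)"
echo "revoked: $(revoked_users "$SAMPLE_INDEX" | tr '\n' ' ')"
```

Point the functions at /etc/openvpn/easy-rsa/pki/index.txt on the server to audit the real CA database.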