Setup OpenVPN Server in AWS VPC

From Gejoreuy


We'll build an OpenVPN server on CentOS 7 inside an AWS VPC. The server runs 24x7, and users connect to it as clients to reach all resources and services in the VPC.


[root@openvpn ~]# yum update
[root@openvpn ~]# hostnamectl set-hostname --static (gave static IP and put this in Route 53)
[root@openvpn ~]# timedatectl set-timezone Australia/Brisbane
[root@openvpn ~]# yum install epel-release
[root@openvpn ~]# yum install p7zip wget zip unzip autossh pv java-1.8.0-openjdk-devel htop lvm2 samba sysstat glibc figlet telnet firewalld srm
[root@openvpn ~]# systemctl start firewalld
[root@openvpn ~]# systemctl enable firewalld
[root@openvpn ~]# firewall-cmd --add-service openvpn --permanent
[root@openvpn ~]# firewall-cmd --add-service https --permanent
[root@openvpn ~]# firewall-cmd --add-masquerade --permanent
[root@openvpn ~]# firewall-cmd --reload

Install OpenVPN Server

Install OpenVPN server.

[root@openvpn ~]# yum install openvpn easy-rsa
[root@openvpn ~]# mkdir /etc/openvpn/easy-rsa
[root@openvpn ~]# cp -R /usr/share/easy-rsa/3.0.6/* /etc/openvpn/easy-rsa
[root@openvpn ~]# cd /etc/openvpn/easy-rsa

Edit easyrsa to extend expiry of certs to 9 years

[root@openvpn easy-rsa]# vi easyrsa

Change the value below:

set_var EASYRSA_CERT_EXPIRE     3080 # new default of 9 years

Set up the PKI, build the CA, generate the DH parameters and the server key, and sign the server request:

[root@openvpn easy-rsa]# ./easyrsa init-pki
[root@openvpn easy-rsa]# ./easyrsa build-ca
[root@openvpn easy-rsa]# ./easyrsa gen-dh
[root@openvpn easy-rsa]# ./easyrsa gen-req server nopass
[root@openvpn easy-rsa]# ./easyrsa sign-req server server

Go up one level to /etc/openvpn and generate the tls-auth key, a shared HMAC key that lets the server discard packets not signed with it and so blunts DoS attacks.

[root@openvpn easy-rsa]# cd ..
[root@openvpn openvpn]# openvpn --genkey --secret ta.key

Put the passphrase you used for ca.key in a text file for future admins (anyone who can read this file can sign new client certificates, so keep it readable by root only):

[root@openvpn openvpn]# vi ca-passphrase.txt

Configure System

In /etc/sysctl.conf enable ip forwarding :

[root@openvpn openvpn]# vi /etc/sysctl.conf

Add this :

# For OpenVPN
net.ipv4.ip_forward = 1

Reboot now for good measure :

[root@openvpn openvpn]# reboot

Check that forwarding is on (this should print 1):

[centos@openvpn ~]$ cat /proc/sys/net/ipv4/ip_forward

Configure Server

Create file /etc/openvpn/server/ims.conf :

[root@openvpn ~]# vi /etc/openvpn/server/ims.conf
port 443
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key  # This file is server's secret
dh /etc/openvpn/easy-rsa/pki/dh.pem
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS"
push "dhcp-option DNS"
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0 # This file is secret shared between server and clients
cipher AES-256-CBC
max-clients 50
status openvpn-status.log
log-append  openvpn.log
verb 3 # verbosity 0 to 15

Notes on this file:

  • The tunnel address space is 172.16.x.0, where x is the second octet of the VPC it connects to. Not important; it could be almost anything that does not overlap the VPC.
  • The subnet mask restricts how many clients can use the VPN; in this case 252.
  • Check /etc/resolv.conf on the OpenVPN server for DNS hints; the other pushed address is a backup public DNS.
  • push means the directive is sent to the clients rather than applied on the server.
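The server config above is easy to get subtly wrong (a secret file left world-readable, a DNS push with no address, or no tunnel subnet declared). The following shell function is an added example, not part of the original page, that lints a server config before the service is started: it checks that each directive the page relies on appears exactly once, that a server directive declares the tunnel subnet the notes describe, that every pushed DNS option carries an address, and that the files named by key and tls-auth are readable by root only. The config path argument and the 0600 expectation are this example's assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): sanity-check an OpenVPN server
# config before starting the service.
# Usage: check_ovpn_conf /etc/openvpn/server/ims.conf
# Returns the number of problems found (0 means the config passed).

check_ovpn_conf() {
    conf="$1"
    fails=0

    # Directives the page's config depends on; each must appear exactly once.
    for d in port proto dev ca cert key dh tls-auth cipher; do
        n=$(grep -c "^$d " "$conf" || true)
        if [ "$n" -ne 1 ]; then
            echo "FAIL: directive '$d' found $n times (expected 1)"
            fails=$((fails + 1))
        fi
    done

    # The 'server' directive declares the tunnel subnet (172.16.x.0 in the notes);
    # without it OpenVPN does not run as a multi-client server.
    if ! grep -q '^server ' "$conf"; then
        echo "FAIL: no 'server' directive declaring the tunnel subnet"
        fails=$((fails + 1))
    fi

    # A pushed DNS option with no address is a no-op for the clients.
    n=$(grep -c '^push "dhcp-option DNS"$' "$conf" || true)
    if [ "$n" -ne 0 ]; then
        echo "FAIL: $n 'push \"dhcp-option DNS\"' line(s) carry no server address"
        fails=$((fails + 1))
    fi

    # Secret files (server key, tls-auth key) must not be group/world readable.
    for d in key tls-auth; do
        f=$(awk -v d="$d" '$1 == d { print $2 }' "$conf")
        if [ -n "$f" ] && [ -e "$f" ]; then
            mode=$(stat -c '%a' "$f")
            case "$mode" in
                600|400) ;;
                *)
                    echo "FAIL: $f has mode $mode (want 0600)"
                    fails=$((fails + 1))
                    ;;
            esac
        fi
    done

    return "$fails"
}
```

Run it as root so the stat calls can read the PKI directory; a non-zero exit code is the number of findings, which makes it usable as a pre-start check in a deployment script.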

Start Server

Start, check status, and enable to start automatically upon reboot :

[root@openvpn]# systemctl -l start openvpn-server@ims
[root@openvpn]# systemctl -l status openvpn-server@ims
● openvpn-server@ims.service - OpenVPN service for ims
   Loaded: loaded (/usr/lib/systemd/system/openvpn-server@.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-10-01 14:19:12 AEST; 26s ago
     Docs: man:openvpn(8)
 Main PID: 8954 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@ims.service
           └─8954 /usr/sbin/openvpn --status /run/openvpn-server/status-ims.log --status-version 2 --suppress-timestamps --config ims.conf

Oct 01 14:19:12 systemd[1]: Starting OpenVPN service for ims...
Oct 01 14:19:12 systemd[1]: Started OpenVPN service for ims.
[root@openvpn]# systemctl -l enable openvpn-server@ims
Created symlink from /etc/systemd/system/ to /usr/lib/systemd/system/openvpn-server@.service.

Configure Clients

Each client needs its own signed certificate and private key plus a config file.
Copy the shared items (the CA certificate and the tls-auth key) to the client folder:

[root@openvpn]# cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/client/
[root@openvpn]# cp /etc/openvpn/ta.key /etc/openvpn/client/

Make client config in the client folder:

[root@openvpn]# vi /etc/openvpn/client/ims.ovpn
dev tun
proto tcp
remote 443  #this is the openvpn server address, change it to the real address
resolv-retry infinite
ca ca.crt
cert USERNAME.crt
key USERNAME.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3

Note that this config can't work unless there is a cert and key for user "USERNAME"; it is a template only.
To generate user keys we need a username and a password for each user. Here's a script that generates them and packages everything into a 7-zip archive encrypted with that password:

[root@openvpn]# cd /etc/openvpn
[root@openvpn]# vi
#!/bin/sh
# Usage: make-client.sh USERNAME PASSWORD
# Generates a signed client cert/key, bundles it with ca.crt, ta.key and the
# client config, and packs everything into a password-protected 7z archive.
[ $# -eq 2 ] || { echo "usage: $0 USERNAME PASSWORD" >&2; exit 1; }
cd /etc/openvpn/easy-rsa
echo "username is $1 and PASSWORD is $2"
echo "use this password twice when asked to Enter PEM pass phrase."
/etc/openvpn/easy-rsa/easyrsa gen-req "$1"
echo "next to sign the key you need the passphrase for ca.key bbsadgassadgasdga"
/etc/openvpn/easy-rsa/easyrsa sign-req client "$1"
# Stage the five client files in a private temp directory
TEMP_DIR=$(mktemp -d -t openvpn-XXXXXXXXXXX)
cp /etc/openvpn/client/ca.crt "$TEMP_DIR"
cp /etc/openvpn/client/ta.key "$TEMP_DIR"
sed "s/USERNAME/$1/g" /etc/openvpn/client/ims.ovpn > "$TEMP_DIR/ims.ovpn"
cp "/etc/openvpn/easy-rsa/pki/private/$1.key" "$TEMP_DIR"
cp "/etc/openvpn/easy-rsa/pki/issued/$1.crt" "$TEMP_DIR"
# Owned by the centos user, not world-readable (the private key is in here)
chown -R centos:centos "$TEMP_DIR"
chmod -R 700 "$TEMP_DIR"
# Archive from inside the temp dir; from easy-rsa, ./* would pack the whole PKI (CA key included)
cd "$TEMP_DIR"
ls -la
rm -f "/home/centos/$1-keys.7z"
7za a -p"$2" "/home/centos/$1-keys.7z" ./*
chown centos:centos "/home/centos/$1-keys.7z"
echo "your file is here: /home/centos/$1-keys.7z"
# Leave the directory before securely wiping it
cd /
srm -rf "$TEMP_DIR"
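Shipping five loose files means each client must keep them together and the ca/cert/key/tls-auth paths in the template must match. An alternative, shown here as an added example that is not part of the original page, is to embed the CA certificate, the user's certificate and key, and ta.key directly into one .ovpn profile: the template's file-referencing lines are dropped, key-direction 1 replaces the trailing 1 of tls-auth ta.key 1, and each file becomes an inline block. Because the ca/cert/key lines are removed, the USERNAME placeholders in the template need no substitution. The directory layout follows the page; the function name and output path are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): build a single-file client profile
# with the certificates and keys embedded inline.
# Usage: make_inline_profile USERNAME TEMPLATE CLIENT_DIR PKI_DIR OUT.ovpn
#   e.g. make_inline_profile alice /etc/openvpn/client/ims.ovpn \
#            /etc/openvpn/client /etc/openvpn/easy-rsa/pki /home/centos/alice.ovpn

# Emit one inline block: <tag> ... file contents ... </tag>
inline_block() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

make_inline_profile() {
    user="$1"; template="$2"; clientdir="$3"; pki="$4"; out="$5"
    cert="$pki/issued/$user.crt"
    key="$pki/private/$user.key"

    # Refuse to build a half-complete profile if any input is missing
    for f in "$template" "$clientdir/ca.crt" "$clientdir/ta.key" "$cert" "$key"; do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f" >&2
            return 1
        fi
    done

    {
        # Keep every template line except the file references being inlined
        grep -Ev '^(ca|cert|key|tls-auth) ' "$template"
        # Client side of the tls-auth key (the '1' in 'tls-auth ta.key 1')
        echo "key-direction 1"
        inline_block ca "$clientdir/ca.crt"
        inline_block cert "$cert"
        inline_block key "$key"
        inline_block tls-auth "$clientdir/ta.key"
    } > "$out"

    # The profile now contains a private key: owner-only permissions
    chmod 600 "$out"
}
```

The resulting file imports directly into the OpenVPN client; hand it over through the same password-protected channel the page uses for the 7z archive, since it carries the user's private key.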