- See also OpenVPN on ChromeOS and Android
OpenVPN on an AWS EC2 T2.Nano Instance
The T2.Nano instance is the smallest instance generally available for AWS EC2. As of 17-June-2017, the Nano includes the following resources:
- 512 MB RAM
- 1 vCPU (30 credits + 3/hr, up to 72 credits)
- 1 GB outbound network traffic
Alternatively, a $5 USD Amazon Lightsail instance can be used (see below).
Amazon Linux AMI
For those who prefer RHEL/CentOS: these are not available for the T2.Nano instance; Amazon Linux AMI is the only RHEL-derived OS available. Note that Amazon Linux AMI is akin to CentOS 6.x (no systemd). Ubuntu is also available for the Nano.
Note: there is now (Dec 2017) an Amazon Linux 2 option. Some say not to use any Amazon Linux at all. I tend to agree, though the main reason usually given, that the AMI cannot be used outside of EC2, isn't correct: container versions are available for local use.
Amazon Lightsail as an Alternative to EC2 T2.Nano
Amazon Lightsail is a VPS package that provides a simplified control panel and greater resources. For $5 USD/month, the smallest Lightsail instance is essentially a T2.Nano plus an Elastic IP address, 20 GB of EBS storage, 1 TB of outbound data, and a Route53 DNS interface. Since outbound data can run $0.10/GB (with an Elastic IP), this is potentially $10/mo in data transfer alone. The EBS storage is ~$2 USD, Route53 is $0.50 USD, and a Nano instance on a 1-year contract is ~$3.50 USD. This means that for $5 USD/mo one gets between $6 and $106 USD in AWS resources. For the $10 USD Lightsail tier, the value consists of a T2.Micro plus all the rest, worth $11-$211 USD in services due to the increase to 30 GB of EBS and 2 TB of data transfer out.
- Amazon Lightsail FAQ
Note: on Lightsail, the Security Groups are port-based only, so any IP filtering needs to be done with a separate firewall, such as
Steps to install OpenVPN on AMI - Pre-Installation
These steps are similar for a Nano instance. This should work on a Lightsail instance, though some control panel settings may be in different places.
Set the hostname, timezone, nameservers
Set the timezone
Change the ZONE line to the appropriate Continent/City, e.g.:
ZONE="Continent/City"
UTC=false
ARC=false
Create a symbolic link
rm -rf /etc/localtime
ln -sf /usr/share/zoneinfo/Continent/City /etc/localtime
Update nameservers (using dns.watch resolvers)
echo "nameserver 188.8.131.52" > /etc/resolv.conf
echo "nameserver 184.108.40.206" >> /etc/resolv.conf
Edit the network sysconfig
Change HOSTNAME to server.domain.tld. Check that the change took effect with the command:
Don't worry about /etc/hosts for now...
Update yum, configure EPEL
Note that we want the Amazon EPEL Repository
yum clean all
yum update
yum -y install epel-release
yum -y install yum-utils
yum-config-manager --enable epel
Update AMI without EPEL
This is done by disabling the EPEL repository (it can be re-enabled later), updating, and confirming the resulting release and kernel version:
yum-config-manager --disable epel
yum clean all
yum update
cat /etc/system-release
uname -r
After the update version is confirmed, then re-enable the repositories with:
yum-config-manager --enable epel
In the sshd configuration, make sure of the following:
PasswordAuthentication no
PermitRootLogin no
If you want to do fancy stuff, like having an sftp login inside of a web directory, and need rights other than 700, 750, or 755 (say, for example, with the group being apache and the user being a login), then include:
service sshd restart
Install and enable MOSH
yum -y install mosh
Mosh makes connections more resilient, but at the cost of losing the ability to scroll back in the terminal.
firewalld or ufw
A host firewall may or may not be desirable in addition to the AWS security group configuration. Likely it is.
Install OpenVPN on AMI
yum -y install openvpn
Install Easy-RSA on AMI
Note that since Easy-RSA is now at version 3.x, an older 2.x distribution has to be fetched or the steps below won't work. The steps below might still be a bit of a mess, so inspect the directories as you go.
cd /etc/openvpn
wget -v https://github.com/OpenVPN/easy-rsa/releases/download/2.2.2/EasyRSA-2.2.2.tgz
tar -xvzf EasyRSA-2.2.2.tgz
mkdir easy-rsa
mv EasyRSA-2.2.2 /etc/openvpn/easy-rsa
cd easy-rsa
mv EasyRSA-2.2.2 2.0
mkdir -p /etc/openvpn/easy-rsa/keys
cp -R /usr/share/easy-rsa/2.0/ /etc/openvpn/easy-rsa/
NAT routing using iptables
Put in NAT routing, and ensure that the network in the MASQUERADE rule is the same as the server network in /etc/openvpn/server.conf.
First edit the iptables-config file
Change most things to yes, with a final config looking like:
IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="yes"
IPTABLES_SAVE_ON_RESTART="yes"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="yes"
IPTABLES_STATUS_LINENUMBERS="yes"
Now do the rest of the iptables configuration
touch /etc/sysconfig/iptables
chkconfig iptables on
service iptables start
modprobe iptable_nat
echo 1 | tee /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
service iptables save
service iptables restart
Edit the Easy RSA settings
Find and modify these values:
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="CA"
export KEY_PROVINCE=""
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="[email protected]"
export KEY_OU="MyOrganizationalUnit"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
Initialize Easy RSA and create Certs and Keys
cd /etc/openvpn/easy-rsa/2.0
chmod 0755 *
source ./vars
./clean-all
./build-ca
ls -la keys
Now build the server cert and key.
Note: leave the challenge password and optional company name blank.
Next, verify success:
ls -la keys
Next, build a cert and key for each VPN user:
Provide this one with a challenge password.
Next, build dh2048.pem.
Next, build the ta.key
(Or rather, forget about this for now and just comment it out; it is trouble. Get it going later.)
openvpn --genkey --secret /etc/openvpn/easy-rsa/2.0/keys/ta.key
Copy the keys and certs
cd /etc/openvpn/easy-rsa/2.0/keys
cp dh2048.pem ca.crt server.crt server.key username.crt username.key /etc/openvpn
Create OpenVPN Config File
Note that previously a sample was copied and edited from the /usr/share/doc directory, but the latest versions of OpenVPN no longer include it. Instead, touch the file and use the example below as the base server.conf:
touch /etc/openvpn/server.conf
cd /etc/openvpn
chmod 0644 dh2048.pem ca.crt server.crt server.conf username.crt
# private keys must not be world-readable; OpenVPN reads them as root before dropping to nobody
chmod 0600 server.key username.key
Next, edit server.conf
Here is an example of server.conf. Ensure the masquerade iptables and server configuration are identical.
port 1194
proto udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 220.127.116.11"
push "dhcp-option DNS 18.104.22.168"
duplicate-cn
keepalive 10 120
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 0
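As an added example (not part of the original guide), a small POSIX shell check that confirms the MASQUERADE subnet matches the `server` line, as the guide requires, and flags the weak directives carried by the sample config above (no tls-auth, comp-lzo, reneg-sec 0, no explicit cipher). The function name `check_ovpn_conf` and the sample inputs are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original guide: check an OpenVPN server.conf
# against the iptables NAT rule and flag weak directives from the sample config.
# On a real host: check_ovpn_conf /etc/openvpn/server.conf "$(iptables -t nat -S POSTROUTING)"

# Turn "10.8.0.0 255.255.255.0" (the server directive) into "10.8.0.0/24".
mask_to_cidr() {
  bits=0
  for oct in $(echo "$2" | tr '.' ' '); do
    while [ "$oct" -gt 0 ]; do          # count set bits in each octet
      bits=$((bits + (oct & 1)))
      oct=$((oct >> 1))
    done
  done
  echo "$1/$bits"
}

# $1 = path to server.conf, $2 = output of "iptables -t nat -S".
# Prints one finding per line; prints nothing when everything is consistent.
check_ovpn_conf() {
  conf=$1; nat=$2
  net=$(awk '$1=="server"{print $2,$3}' "$conf")
  [ -n "$net" ] || { echo "no 'server' directive found"; return 1; }
  want=$(mask_to_cidr $net)
  have=$(printf '%s\n' "$nat" | awk '/MASQUERADE/{for(i=1;i<=NF;i++) if($i=="-s") print $(i+1)}')
  [ "$want" = "$have" ] || echo "NAT source '$have' does not match server subnet $want"
  grep -q '^tls-auth' "$conf"    || echo "tls-auth missing: control channel has no HMAC protection"
  grep -q '^comp-lzo' "$conf"    && echo "comp-lzo enabled: compression can leak plaintext (VORACLE)"
  grep -q '^reneg-sec 0' "$conf" && echo "reneg-sec 0: key renegotiation disabled"
  grep -q '^cipher' "$conf"      || echo "no cipher set: legacy BF-CBC default (64-bit block) applies"
  return 0
}

# Constructed sample inputs mirroring the guide's server.conf and NAT rule.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
;cipher BF-CBC
comp-lzo
reneg-sec 0
EOF
SAMPLE_NAT='-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE'
SAMPLE_NAT_BAD='-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE'

check_ovpn_conf "$SAMPLE_CONF" "$SAMPLE_NAT"
```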
Change IP forwarding to 1 in the sysctl configuration:
net.ipv4.ip_forward = 1
Restart networking services
service network restart
Enable and start the OpenVPN service
chkconfig openvpn on
service openvpn restart
Install and Configure OpenVPN Client
For OSX, there is Tunnelblick, which sucks, and Viscosity, which sucks less (but costs $9).
An example Viscosity config file looks like:
#viscosity startonopen false
#viscosity protocol openvpn
#viscosity dns off
#viscosity usepeerdns false
#viscosity autoreconnect true
#viscosity name host.domain.tld
#viscosity dhcp true
remote 22.214.171.124 1194 udp
nobind
dev tun
redirect-gateway def1
tun-mtu 1500
pull
tls-client
ca ca.crt
cert cert.crt
key key.key
push "redirect-gateway def1"
comp-lzo
mssfix 1450
resolv-retry infinite
tun-mtu-extra 32
reneg-sec 0
To install an OpenVPN command-line client on Linux, simply take the config.conf file along with the ca.crt, cert.crt, and key.key files.
Installation on a Debian system looks like:
sudo apt-get update
sudo apt-get install openvpn
Then scp the four files into the home directory and run:
After this works, then set up OVPN as a service with scripts for automation.