Thomas Mullaly

DevOps, Security and IT Leadership

OpenVPN on Amazon EC2

Create a new EC2 instance. I use the official Amazon Linux AMI because it is the least expensive option.

Log in to the new instance using the .pem key and run the updates.

ssh -i my.pem ec2-user@ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com
yum update
reboot

Let’s install OpenVPN (the package lives in EPEL, hence the extra repo flag):

yum install openvpn easy-rsa -y --enablerepo=epel

Let’s copy the sample server configuration file into place; the path may be different on your system:

cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn

Edit the server.conf file:

vi /etc/openvpn/server.conf

Uncomment and modify these lines. The redirect-gateway push sends all client traffic through the VPN, the DNS pushes stop clients from leaking queries to their local resolver, and user/group nobody drop the daemon's privileges after it has opened its sockets and keys:

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
user nobody
group nobody

Now on to Easy-RSA. Copy the Easy-RSA 2.0 scripts into /etc/openvpn/easy-rsa (the target directory has to exist before the copy) and edit the vars file:

mkdir -p /etc/openvpn/easy-rsa
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
vi /etc/openvpn/easy-rsa/vars

Make these changes to vars:

export KEY_COUNTRY="US"
export KEY_PROVINCE="MA"
export KEY_CITY="Boston"
export KEY_ORG="Thunderhouse"
export KEY_EMAIL="tom@thunderhouse.com"
export KEY_CN=vpn.thunderhouse.com
export KEY_NAME=server
export KEY_OU=server

Copy the OpenSSL configuration into place:

cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

Generate the server-side crypto material: the CA, the server certificate and key, and the Diffie-Hellman parameters, then copy the files OpenVPN needs into /etc/openvpn:

cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn

Generate the client certificate and key (one per client, signed by the same CA):

cd /etc/openvpn/easy-rsa
./build-key client
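Before starting the server it is worth confirming that the files Easy-RSA left in /etc/openvpn actually fit together: the private key is not world-readable, server.crt chains to ca.crt, the key belongs to that certificate, and the certificate carries the server marker that a client's ns-cert-type server (or remote-cert-tls server) check looks for. The POSIX shell script below is an added example, not part of the original post or of Easy-RSA; check_openvpn_pki and make_demo_pki are names chosen here, and the throwaway CA that make_demo_pki builds with plain openssl uses made-up subject names so the check can be exercised without touching a real server.

```shell
#!/bin/sh
# Added example: consistency check for an OpenVPN server PKI directory.
# Not part of the original post; function names are this example's own.

# check_openvpn_pki DIR
#   Returns 0 when ca.crt, server.crt and server.key in DIR are consistent,
#   otherwise prints the first problem found to stderr and returns 1.
check_openvpn_pki() {
    dir=$1
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    for f in ca.crt server.crt server.key; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    # server.key is the only secret here; Easy-RSA creates it 0600 and it must stay that way
    mode=$(stat -c %a "$dir/server.key")
    [ "$mode" = "600" ] || { echo "server.key mode is $mode, expected 600" >&2; return 1; }
    # The server certificate must chain to the CA that clients will be given
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo "server.crt is not signed by ca.crt" >&2; return 1; }
    # The private key must belong to the certificate: compare the public keys
    cert_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ] || { echo "server.key does not match server.crt" >&2; return 1; }
    # build-key-server marks the cert for server use; a client verifying the
    # server role rejects a certificate that lacks the serverAuth EKU
    openssl x509 -in "$dir/server.crt" -noout -text \
        | grep -q 'TLS Web Server Authentication' \
        || { echo "server.crt lacks the serverAuth extended key usage" >&2; return 1; }
    return 0
}

# make_demo_pki DIR
#   Builds a constructed, throwaway CA and server certificate with plain openssl
#   (made-up names) so the check can be tried without Easy-RSA or a real server.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    # extensions for the CA certificate
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'keyUsage=keyCertSign,cRLSign' > "$dir/ca.ext"
    # extensions equivalent to what Easy-RSA's build-key-server applies
    printf '%s\n' 'basicConstraints=CA:FALSE' 'nsCertType=server' \
        'extendedKeyUsage=serverAuth' 'keyUsage=digitalSignature,keyEncipherment' > "$dir/server.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 365 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=server' \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir/server.key"
}

# Stand-alone use: `sh check_pki.sh /etc/openvpn` checks the real directory;
# with no argument a demo PKI is built in a temp dir, checked and removed.
if [ -n "$1" ]; then
    check_openvpn_pki "$1" && echo "PKI in $1 looks consistent"
else
    demo=$(mktemp -d)
    make_demo_pki "$demo"
    check_openvpn_pki "$demo" && echo "demo PKI in $demo looks consistent"
    rm -rf "$demo"
fi
```

Run it against /etc/openvpn after the copy step above; a non-zero exit with one of the messages tells you which piece to regenerate before you hand out client configs that embed this CA.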

Create the iptables rule that NATs (masquerades) traffic from the VPN subnet out of eth0, and save the rules to disk so they survive a reboot. The -s 10.8.0.0/24 match limits masquerading to the OpenVPN client subnet rather than anything that reaches the box:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save

Now, enable IP forwarding in sysctl. The setting in /etc/sysctl.conf only takes effect after a reboot or a `sysctl -p`:

vi /etc/sysctl.conf
net.ipv4.ip_forward = 1

Create the client configuration file (commonly named client.ovpn) on the client machine, next to the ca.crt, client.crt and client.key generated above. The remote line points at the instance's public IP, so the instance's EC2 security group must allow inbound UDP on port 1194. Note that ns-cert-type is deprecated and was removed in OpenVPN 2.5; on current clients use remote-cert-tls server for the same server-role check:

client
dev tun
proto udp
remote 52.201.15.218 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 4
ca ca.crt
cert client.crt
key client.key
ns-cert-type server

Let’s install netstat-nat and iptstate to help troubleshoot the NAT and connection tracking state:

yum install netstat-nat
yum install iptstate