Create a new EC2 instance. I use the official Amazon Linux AMI because it’s the least expensive option.
Log in to the new instance with your .pem key and run the updates:
ssh -i my.pem ec2-user@ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com
yum update
reboot
Let’s install OpenVPN and easy-rsa from the EPEL repository:
yum install openvpn easy-rsa -y --enablerepo=epel
Let’s copy the sample server configuration file into place (the location of the file might differ on your system):
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
Edit the server.conf file:
vi /etc/openvpn/server.conf
Uncomment and modify these lines:
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
user nobody
group nobody
Now on to easy-rsa. Create the working directory and copy the easy-rsa 2.0 scripts into it (cp fails if the target directory does not exist yet):
mkdir -p /etc/openvpn/easy-rsa
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
vi /etc/openvpn/easy-rsa/vars
Make these changes to vars:
export KEY_COUNTRY="US"
export KEY_PROVINCE="MA"
export KEY_CITY="Boston"
export KEY_ORG="Thunderhouse"
export KEY_EMAIL="tom@thunderhouse.com"
export KEY_CN=vpn.thunderhouse.com
export KEY_NAME=server
export KEY_OU=server
Copy the OpenSSL configuration into place:
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
Generate the server-side crypto material: the CA, the server certificate and key, and the Diffie-Hellman parameters:
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
Generate the client certificate and key (one per client; in the session history below the client is named macbookair):
cd /etc/openvpn/easy-rsa
./build-key client
For reference, this is the shell history of the session, showing the same steps in the order they were actually run (including the lzo dependency and enabling EPEL):
27 mkdir -p /etc/openvpn/easy-rsa
35 yum install lzo
36 yum-config-manager --enable epel
37 yum install easy-rsa
42 cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
56 vi vars
57 source ./vars
58 ./clean-all
59 ./build-ca
65 ./build-key-server server
66 ./build-dh
67 cd keys/
69 cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
70 cd ..
72 ./build-key macbookair
Create the iptables rule that NATs (masquerades) traffic from the VPN subnet out of eth0, and save the tables to disk so the rule survives a reboot:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save
Now enable IP forwarding in sysctl. Edit /etc/sysctl.conf:
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
and apply the setting without a reboot:
sysctl -p
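The server side is done at this point, and the pieces that usually go wrong are quiet failures: a pushed directive still commented out, a key file that never got copied, forwarding that is on in sysctl.conf but not in the running kernel, or a NAT rule that did not survive a reboot. The script below is an added example, not part of the original post; it checks each of those against the paths this walkthrough uses (/etc/openvpn, /etc/sysctl.conf, the 10.8.0.0/24 subnet and eth0, all assumptions matching the steps above). Every check takes its input as a parameter so the same functions can be run against the live system or against test copies of the files.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the server-side
# setup described in this walkthrough. Paths and values are assumptions that
# match the post: /etc/openvpn, /etc/sysctl.conf, 10.8.0.0/24 and eth0.

# Check that server.conf contains each directive the post says to uncomment.
# A line that is still commented out with "#" or ";" does not count.
# Prints what is missing; returns 0 only if everything is present.
check_server_conf() {
  conf="$1"
  missing=0
  for directive in \
    'push "redirect-gateway def1 bypass-dhcp"' \
    'push "dhcp-option DNS 8.8.8.8"' \
    'push "dhcp-option DNS 8.8.4.4"' \
    'user nobody' \
    'group nobody'
  do
    if ! grep -qxF -- "$directive" "$conf"; then
      echo "missing in $conf: $directive"
      missing=1
    fi
  done
  return $missing
}

# Check that the four files copied out of easy-rsa/keys exist and are not
# empty, and warn if the server's private key is readable by other users.
check_server_keys() {
  dir="${1:-/etc/openvpn}"
  bad=0
  for f in dh2048.pem ca.crt server.crt server.key; do
    [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f"; bad=1; }
  done
  if [ -e "$dir/server.key" ] && [ -n "$(find "$dir/server.key" -perm -o+r 2>/dev/null)" ]; then
    echo "warning: $dir/server.key is world-readable; chmod 600 it"
  fi
  return $bad
}

# Check that ip_forward is set to 1 in the given sysctl file ...
check_ip_forward_conf() {
  grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# ... and in the running kernel (a path can be passed in for testing).
check_ip_forward_live() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Check that the MASQUERADE rule is present in the output of
# "iptables -t nat -S POSTROUTING"; pass a file, or "-" to read stdin.
check_nat_rule() {
  grep -Eq -- '^-A POSTROUTING -s 10\.8\.0\.0/24 -o eth0 -j MASQUERADE$' "$1"
}

# Run every check against the live system; report all failures, not just the first.
run_all_checks() {
  status=0
  check_server_conf /etc/openvpn/server.conf || status=1
  check_server_keys /etc/openvpn || status=1
  check_ip_forward_conf /etc/sysctl.conf || { echo "ip_forward not set in /etc/sysctl.conf"; status=1; }
  check_ip_forward_live || { echo "ip_forward is 0 in the running kernel (run sysctl -p)"; status=1; }
  iptables -t nat -S POSTROUTING | check_nat_rule - || { echo "MASQUERADE rule for 10.8.0.0/24 missing"; status=1; }
  return $status
}

# Invoke as "sh check-openvpn-server.sh --run" on the server.
case "${1:-}" in
  --run) run_all_checks ;;
esac
```

Run it as root on the instance after the iptables and sysctl steps; a clean run prints nothing and exits 0, and each failure names the file or rule to fix.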
The client configuration (client.ovpn), kept on the client machine alongside the ca.crt, client.crt and client.key files generated above:
client
dev tun
proto udp
remote 52.201.15.218 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 4
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
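Handing a client four separate files is error-prone. OpenVPN also accepts the CA certificate, client certificate and key inline between <ca>, <cert> and <key> tags, so one self-contained .ovpn file is enough. The script below is an added example, not part of the original post: it reads the files easy-rsa wrote (assumed to be in /etc/openvpn/easy-rsa/keys, with the client name as used in the history, e.g. macbookair), strips the human-readable dump that easy-rsa puts above the PEM block in .crt files, and prints a profile matching the one above. One deliberate difference: it emits remote-cert-tls server instead of ns-cert-type server, which is the directive's replacement and is the one to use on OpenVPN 2.5 and later, where ns-cert-type was removed.

```shell
#!/bin/sh
# Added example (not from the original post): build one self-contained client
# profile from the easy-rsa output. The keys directory, client name and server
# address are passed in; the values in the post were /etc/openvpn/easy-rsa/keys,
# macbookair and 52.201.15.218.

# Print only the first PEM block of a file (easy-rsa .crt files start with a
# text dump of the certificate that OpenVPN does not need).
extract_pem() {
  sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# make_client_profile KEYS_DIR CLIENT_NAME SERVER_ADDR > CLIENT_NAME.ovpn
make_client_profile() {
  keys="$1"; name="$2"; server="$3"
  for f in ca.crt "$name.crt" "$name.key"; do
    [ -s "$keys/$f" ] || { echo "missing: $keys/$f" >&2; return 1; }
  done
  cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 4
# remote-cert-tls replaces the ns-cert-type directive (removed in OpenVPN 2.5)
remote-cert-tls server
EOF
  # Inline the certificate material so the client needs only this one file.
  printf '<ca>\n';   extract_pem "$keys/ca.crt";      printf '</ca>\n'
  printf '<cert>\n'; extract_pem "$keys/$name.crt";   printf '</cert>\n'
  printf '<key>\n';  extract_pem "$keys/$name.key";   printf '</key>\n'
}

# Usage: sh make-profile.sh /etc/openvpn/easy-rsa/keys macbookair 52.201.15.218 > macbookair.ovpn
if [ "$#" -eq 3 ]; then
  make_client_profile "$1" "$2" "$3"
fi
```

The resulting file contains the client's private key, so create it with a restrictive umask (for example umask 077 before running the script), copy it over the ssh session rather than by email, and keep it mode 600 on the client.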
Let’s install netstat-nat and iptstate to help troubleshoot the NAT side of the networking:
yum install netstat-nat
yum install iptstate
The end of the session history; with no log directive in server.conf, OpenVPN logs through syslog, so tail -f /var/log/messages is where to watch the server while a client connects:
154 exit
155 tail -f /var/log/messages
156 history