How to set up OpenVPN access server in AWS EC2


OpenVPN: A Brief Overview
OpenVPN is a widely recognized and utilized open-source Virtual Private Network (VPN) solution, designed to create secure point-to-point or site-to-site connections. Its adaptability allows it to be deployed on various platforms, including servers, routers, and IoT devices.

Why AWS EC2 for OpenVPN Access Server?
Amazon Web Services (AWS) offers a vast infrastructure that can host a wide range of applications and services. When it comes to hosting OpenVPN on AWS’s Elastic Compute Cloud (EC2), users benefit from the following:

  • Scalability: Easily scale up or down based on the number of connected clients.
  • Reliability: Benefit from AWS’s data centers spread across multiple geographical locations.
  • Security: Implement AWS-specific security measures to protect your VPN server.

Prerequisites

Setting Up an AWS Account
Before we dive into the specifics, ensure you have an active AWS account. If you’re new to AWS, they offer a free tier that provides users with a limited set of resources at no cost, suitable for testing or small-scale deployments.

Understanding EC2 and VPC
A basic grasp of AWS EC2 and Virtual Private Cloud (VPC) is crucial. EC2 provides resizable compute capacity in the cloud, allowing you to run servers, while VPC lets you provision a private, isolated section of the AWS Cloud.

OpenVPN Licensing
OpenVPN Access Server provides two licensing models: a tiered access model where you pay based on the number of simultaneous connections, and a flat licensing model for unlimited connections. Decide which suits your needs best. Note that while OpenVPN does have a free tier, it’s limited to two simultaneous connections.

Choosing the Right EC2 Instance Type

Tailoring Based on Expected Traffic
The number of clients you expect to connect simultaneously plays a significant role in the EC2 instance type you should choose. For smaller deployments (up to 50 clients), a t2.medium might suffice. However, for larger deployments with hundreds of clients, consider more robust instances like m5.large or c5.large.

Cost Considerations
AWS pricing varies based on the instance type, region, and purchase option (on-demand, reserved, or spot). Before committing, use the AWS Pricing Calculator to estimate your monthly costs. Remember that network traffic and additional AWS services (like data storage or backup) might add to the cost.

Enhanced Network Performance
For high-traffic VPNs, consider instances that support Enhanced Networking. This feature utilizes single root I/O virtualization (SR-IOV) to provide high-performance networking capabilities, reducing network jitter and achieving higher packet per second (PPS) performance.

Setting Up the AWS Environment

VPC Creation and Configuration
Start by setting up a Virtual Private Cloud (VPC) for your OpenVPN server. While you can utilize the default VPC, it’s often a good idea to create a dedicated VPC to maintain a clear boundary for resources:

  • VPC Configuration: Ensure you specify a CIDR block — a unique range of IP addresses — that doesn’t overlap with your on-premises network (if you have one).
  • Subnets: Create a public subnet for the OpenVPN Access Server. This is crucial for enabling internet access. If redundancy is a concern, consider creating subnets in different availability zones.

Security Group Setup
Security groups function as virtual firewalls. For OpenVPN, set the following rules:

  • Inbound Rules: Allow UDP and TCP traffic on ports 943 (admin web interface) and 1194 (VPN traffic). Restrict the source IPs for the administrative port to trusted addresses only; the admin interface should never be reachable from the whole internet.
  • Outbound Rules: Typically, the default rule (allow all outbound) is sufficient. Adjust based on your organization’s policy.
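The inbound rules above expressed with the AWS CLI, as an added example that is not part of the article. It assumes the caller supplies the VPC id, a group name and a trusted administrative CIDR; the AWS_CLI variable names the CLI binary and can be set to echo to print the calls instead of running them. The function refuses a world-open admin CIDR before writing any rule, which is the check a reviewer would want here:

```shell
#!/bin/sh
# Added example, not from the article: build the OpenVPN Access Server security
# group with the AWS CLI. Assumed inputs: VPC id, group name, trusted admin CIDR.
# AWS_CLI names the CLI binary; set AWS_CLI=echo to print the calls instead.

# Create the group and print its id.  $1 = VPC id, $2 = group name
create_openvpn_sg() {
    "${AWS_CLI:-aws}" ec2 create-security-group \
        --vpc-id "$1" --group-name "$2" \
        --description "OpenVPN Access Server" \
        --query GroupId --output text
}

# Add the inbound rules. $1 = security-group id, $2 = trusted admin CIDR.
# The admin interface must never be opened to the whole internet, so a
# world-open (/0) or empty CIDR is rejected before any rule is written.
authorize_openvpn_ingress() {
    sg="$1"; admin_cidr="$2"
    if [ -z "$admin_cidr" ] || [ "${admin_cidr##*/}" = "0" ]; then
        echo "authorize_openvpn_ingress: admin CIDR must be a trusted range, not world-open" >&2
        return 1
    fi
    # Admin web interface (TCP 943): trusted source addresses only.
    "${AWS_CLI:-aws}" ec2 authorize-security-group-ingress --group-id "$sg" \
        --protocol tcp --port 943 --cidr "$admin_cidr" || return 1
    # VPN tunnel (1194 UDP and TCP): clients connect from anywhere.
    for proto in udp tcp; do
        "${AWS_CLI:-aws}" ec2 authorize-security-group-ingress --group-id "$sg" \
            --protocol "$proto" --port 1194 --cidr 0.0.0.0/0 || return 1
    done
}

# Outbound traffic keeps the default allow-all rule, as the article suggests.
# Usage (ids are placeholders):
#   sg=$(create_openvpn_sg vpc-0123456789abcdef0 openvpn-as)
#   authorize_openvpn_ingress "$sg" 203.0.113.10/32
```

Run it once with AWS_CLI=echo to review the exact calls before they touch the account.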

Launching the EC2 Instance
Choose an Amazon Machine Image (AMI) with a compatible operating system, typically Ubuntu or CentOS. Ensure the instance is launched within your defined VPC and associated with the correct security group.

Installing OpenVPN Access Server

Downloading the Package
Navigate to the official OpenVPN website and locate the Access Server download page. Choose the package suitable for your EC2 instance’s operating system.

Installation Process
SSH into your EC2 instance (the login user depends on the AMI you chose, for example ubuntu on Ubuntu images; ec2-user is shown here):

ssh -i path_to_your_key.pem ec2-user@your_ec2_ip_address

After accessing your instance, download and install the OpenVPN package:

sudo wget [OpenVPN_Download_Link]
sudo dpkg -i [OpenVPN_Package_Name].deb

or

sudo rpm -i [OpenVPN_Package_Name].rpm

The installation process should guide you through the necessary configurations.

Initial Configuration

Accessing the Admin Web Interface
Once the installation is complete, you can access the admin interface by navigating to:

https://your_ec2_ip_address:943/admin

Use the ‘openvpn’ username along with the password you set during the installation process.

Basic Setup

  • User Management: Create VPN user accounts, assign passwords, and manage access privileges.
  • Server Network Settings: Adjust the VPN server’s network settings, such as the server’s VPN IP address and the client IP address range.
  • Routing and NAT: Define how traffic should be routed between the VPN clients and the resources they need to access.
  • VPN Settings: Customize VPN settings, such as encryption methods, protocols, and authentication settings.

Remember to save configurations and restart the OpenVPN service for changes to take effect.

Security Best Practices

Enabling Multi-Factor Authentication (MFA) for OpenVPN
To enhance security, integrate MFA with OpenVPN. This ensures that users provide two or more pieces of evidence (password and a second factor like a token or SMS) before they’re granted access.

Regularly Updating OpenVPN Software
As with any software, vulnerabilities can be discovered over time. Regularly check for updates to OpenVPN and apply them to protect your server against known vulnerabilities.

Hardening the EC2 Instance
Here are some steps to secure your instance further:

  • Disable Root Access: Ensure that the root account is not accessible via SSH.
  • Implement Fail2Ban: This tool bans IPs that show malicious signs like too many password failures.
  • Audit Regularly: Use tools like Lynis to audit your server for vulnerabilities.
  • Limit Unnecessary Services: Deactivate any services or applications not needed for your VPN operations.
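The first two hardening items applied as a script, as an added example that is not part of the article. It assumes the sshd_config path and the Fail2Ban jail path are passed in (normally /etc/ssh/sshd_config and /etc/fail2ban/jail.local), so the functions can be exercised on scratch copies first; the Fail2Ban thresholds are illustrative values, not the project's defaults:

```shell
#!/bin/sh
# Added example, not from the article: disable root and password logins over SSH
# and write a Fail2Ban jail for sshd. Paths are passed in so the functions can be
# tried on scratch files before touching /etc/ssh/sshd_config.

# Set "Key value" in an sshd_config, replacing any existing (possibly
# commented-out) directive for that key.  $1 = file, $2 = key, $3 = value
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
        sed -E "s/^[#[:space:]]*$key[[:space:]].*/$key $value/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# $1 = sshd_config path
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no          # no root over SSH
    set_sshd_option "$1" PasswordAuthentication no   # keys only; blunts brute force
    set_sshd_option "$1" MaxAuthTries 3
}

# Return 0 only if both hardening directives are present and uncommented.
verify_sshd_config() {
    grep -Eq '^PermitRootLogin[[:space:]]+no$' "$1" &&
    grep -Eq '^PasswordAuthentication[[:space:]]+no$' "$1"
}

# Fail2Ban jail for sshd.  $1 = jail file path. Thresholds are illustrative.
write_fail2ban_jail() {
cat > "$1" <<'EOF'
[sshd]
enabled  = true
port     = ssh
maxretry = 5
findtime = 10m
bantime  = 1h
EOF
}

# Usage on the live system (then reload: sudo systemctl reload sshd; sudo systemctl restart fail2ban):
#   harden_sshd_config /etc/ssh/sshd_config && verify_sshd_config /etc/ssh/sshd_config
#   write_fail2ban_jail /etc/fail2ban/jail.local
```

Keep an existing SSH session open while reloading sshd so a mistake in the file cannot lock you out of the instance.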

Implementing VPC Flow Logs and AWS CloudWatch for Monitoring
Activate VPC Flow Logs to monitor the traffic that reaches your EC2 instance. With CloudWatch, you can set up alarms to notify you of suspicious activities, ensuring proactive measures in case of security breaches.
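The flow-log and alarm setup above with the AWS CLI, as an added example that is not part of the article. It assumes the caller supplies the VPC id, a log group name, the ARN of an IAM role the flow-logs service may assume to write to CloudWatch Logs, and an SNS topic ARN for notifications; the alarm threshold (20 rejected connections to port 943 in five minutes) is an illustrative assumption. AWS_CLI=echo prints the calls instead of running them:

```shell
#!/bin/sh
# Added example, not from the article: VPC Flow Logs into CloudWatch Logs, plus a
# metric filter and alarm that fire when connections to the admin port (943) are
# being rejected repeatedly, i.e. something outside the trusted CIDR is probing it.
# Assumed inputs: VPC id, log group name, delivery IAM role ARN, SNS topic ARN.
# Set AWS_CLI=echo to print the calls instead of running them.

# $1 = VPC id, $2 = log group name, $3 = IAM role ARN for log delivery
enable_vpc_flow_logs() {
    "${AWS_CLI:-aws}" ec2 create-flow-logs \
        --resource-type VPC --resource-ids "$1" \
        --traffic-type ALL \
        --log-destination-type cloud-watch-logs \
        --log-group-name "$2" \
        --deliver-logs-permission-arn "$3"
}

# Default flow-log record layout (space separated):
# version account eni srcaddr dstaddr srcport dstport protocol packets bytes start end action status
# $1 = log group name, $2 = SNS topic ARN
alert_on_rejected_admin_connections() {
    "${AWS_CLI:-aws}" logs put-metric-filter \
        --log-group-name "$1" \
        --filter-name rejected-admin-port \
        --filter-pattern '[version, account, eni, src, dst, srcport, dstport="943", protocol="6", packets, bytes, start, end, action="REJECT", status]' \
        --metric-transformations metricName=RejectedAdminConnections,metricNamespace=OpenVPN,metricValue=1 \
        || return 1
    # Threshold of 20 rejects per 5 minutes is an illustrative starting point.
    "${AWS_CLI:-aws}" cloudwatch put-metric-alarm \
        --alarm-name openvpn-rejected-admin-connections \
        --namespace OpenVPN --metric-name RejectedAdminConnections \
        --statistic Sum --period 300 --evaluation-periods 1 \
        --threshold 20 --comparison-operator GreaterThanOrEqualToThreshold \
        --treat-missing-data notBreaching \
        --alarm-actions "$2"
}

# Usage (ids and ARNs are placeholders):
#   enable_vpc_flow_logs vpc-0123456789abcdef0 /openvpn/flow-logs arn:aws:iam::123456789012:role/flow-logs-delivery
#   alert_on_rejected_admin_connections /openvpn/flow-logs arn:aws:sns:us-east-1:123456789012:openvpn-alerts
```

Rejected packets to port 943 are expected only from addresses outside the trusted CIDR, so a burst of them is a useful early signal that the admin interface is being scanned.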

Connecting Clients to OpenVPN

Downloading the OpenVPN Connect Client
Users can download the appropriate client directly from the OpenVPN website or, more conveniently, from:

https://your_ec2_ip_address:943/

This will provide a client tailored to your server setup.

Configuring Client Settings and Connecting to the Server
After installation, users should:

  • Import Profile: Load the server-specific profile (typically a .ovpn file) into the client.
  • Enter Credentials: Provide the assigned username and password.
  • Connect: Once credentials are verified, they can connect securely to the VPN.

Monitoring and Maintenance

Monitoring EC2 Health and Performance
AWS provides various tools to keep an eye on your EC2 instance:

  • CloudWatch Metrics: Monitor CPU utilization, data transfer, and disk activity.
  • EC2 Instance Status Checks: Two types of checks, system and instance, help identify any issues with your instance.

OpenVPN Tools and Logs for Troubleshooting
OpenVPN logs can be invaluable for diagnosing connection problems:

  • Server Logs: Typically found at /var/log/openvpn.log.
  • Client Logs: Accessible from the OpenVPN client interface.

Regularly reviewing logs can help in preemptively identifying issues before they escalate. Also, consider setting up log rotation to manage storage efficiently.
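A small log-review helper for the server log, as an added example that is not part of the article: it counts TLS handshake and authentication failures per source address and lists the addresses above a threshold, which is the kind of pattern worth catching before it escalates. The sample lines inside sample_log are constructed to resemble OpenVPN's timestamped server-log format; once it behaves on the sample, point it at the real log file the article names:

```shell
#!/bin/sh
# Added example, not from the article: count handshake/authentication failures
# per source address in an OpenVPN server log and list addresses over a threshold.
# sample_log emits constructed lines in the style of OpenVPN's timestamped log.

# Constructed sample log: one address failing repeatedly, one legitimate client
# (alice) with a single transient failure.
sample_log() {
cat <<'EOF'
Mon Jan  1 10:00:01 2024 203.0.113.5:51234 TLS: Initial packet from [AF_INET]203.0.113.5:51234
Mon Jan  1 10:00:02 2024 203.0.113.5:51234 TLS Error: TLS handshake failed
Mon Jan  1 10:00:05 2024 203.0.113.5:51235 TLS Error: TLS handshake failed
Mon Jan  1 10:00:09 2024 203.0.113.5:51236 TLS Error: TLS handshake failed
Mon Jan  1 10:01:00 2024 alice/198.51.100.7:40000 Peer Connection Initiated with [AF_INET]198.51.100.7:40000
Mon Jan  1 10:02:00 2024 198.51.100.7:40001 TLS Error: TLS handshake failed
EOF
}

# $1 = log file ("-" or omitted = stdin), $2 = minimum failures to report (default 3)
# Output: "<count> <ip>" per offending address, most failures first.
failed_handshakes_by_ip() {
    awk -v thr="${2:-3}" '
        /TLS Error: TLS handshake failed|AUTH_FAILED|VERIFY ERROR/ {
            # field 6 is "ip:port" or "user/ip:port" after the 5-field timestamp
            peer = $6
            sub(/^.*\//, "", peer)      # drop "user/"
            sub(/:[0-9]+$/, "", peer)   # drop ":port"
            failures[peer]++
        }
        END {
            for (ip in failures)
                if (failures[ip] >= thr) printf "%d %s\n", failures[ip], ip
        }
    ' "${1:--}" | sort -rn
}

# Usage on the server:  failed_handshakes_by_ip /var/log/openvpn.log 5
# On the sample:        sample_log | failed_handshakes_by_ip      ->  3 203.0.113.5
```

Addresses this reports are candidates for a Fail2Ban jail or a security-group review; a single failure from a known user, as with alice above, is normal noise and stays below the threshold.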

Backup
Ensure you regularly back up the OpenVPN server configuration and user profiles. AWS offers snapshot capabilities for EC2 instances – use this feature to create point-in-time backups of your instance.

A step-by-step guide is provided here for setting up the OpenVPN server in AWS.

Frequently Asked Questions

1. Why choose AWS EC2 for hosting OpenVPN over other cloud providers?
AWS EC2 offers a mature infrastructure, extensive documentation, and global data centers. Additionally, AWS’s integration capabilities with other services, like CloudWatch and VPC, make monitoring and management more streamlined.

2. How much does it cost to run OpenVPN on AWS EC2?
Costs depend on the EC2 instance type, data transfer, storage, and additional AWS services used. AWS provides a cost calculator to estimate monthly expenses. Remember, OpenVPN also has licensing costs based on simultaneous connections.

3. What’s the benefit of integrating Multi-Factor Authentication (MFA) with OpenVPN?
MFA adds an additional layer of security by requiring two or more verification methods. This ensures that even if a password is compromised, unauthorized access is thwarted by the second verification method.

4. How often should I back up my OpenVPN configuration?
While the frequency depends on how often changes are made, a good practice is to back up after any significant changes. Weekly or bi-weekly backups are also recommended for redundancy.

5. How do I handle performance issues or dropped connections with OpenVPN on EC2?
Start by checking OpenVPN logs for any errors. Monitoring tools provided by AWS, such as CloudWatch, can also help identify bottlenecks or issues with the EC2 instance itself. Ensure your instance type aligns with the number of users and traffic loads.

6. Can I scale my OpenVPN setup on AWS if the number of users increases?
Absolutely. One of the advantages of AWS EC2 is its scalability. You can easily upgrade your instance type or implement load balancers to distribute VPN traffic if the user count grows.

Conclusion

Implementing OpenVPN on AWS EC2 merges the power of one of the world’s most reliable cloud services with a robust open-source VPN solution. This setup not only provides an added layer of security to data transfers but also ensures the scalability and reliability that enterprises and individual users need in today’s digital landscape. While the setup and management might seem daunting at first, by adhering to best practices and regularly monitoring and updating the system, you can maintain a secure and efficient VPN connection. The versatility of AWS and the robustness of OpenVPN create a formidable combination that’s both powerful and manageable.

Atiqur Rahman

I am MD. Atiqur Rahman. I graduated from BUET and am an AWS-certified solutions architect. I have successfully achieved 6 certifications from AWS including Cloud Practitioner, Solutions Architect, SysOps Administrator, and Developer Associate. I have more than 8 years of working experience as a DevOps engineer designing complex SAAS applications.
