In today’s cloud-centric world, secure remote access to private resources is paramount. OpenVPN is a powerful tool that allows you to establish a secure connection to your AWS EC2 instances, even when they reside in private subnets. This blog post will guide you through setting up OpenVPN on an EC2 instance, configuring security groups, installing the OpenVPN client, and establishing a secure connection to access private EC2 instances.

Launching an EC2 Instance for OpenVPN Server

Selecting an Instance Type and Operating System

You must launch an EC2 instance to serve as your OpenVPN server. When selecting the instance type, consider the expected traffic load. For most small—to medium-sized deployments, a t2.micro instance should suffice. Next, choose an operating system. Ubuntu 20.04 LTS is popular due to its stability and extensive community support.

  1. Navigate to the EC2 dashboard in your AWS console.
  2. Click on “Launch Instance” and select Ubuntu Server 20.04 LTS (HVM).
  3. Choose the t2.micro instance type.
  4. Configure instance details per your needs and click “Next: Add Storage.”
  5. Add storage (8 GB is usually sufficient) and click “Next: Add Tags.”
  6. Add tags if necessary, and proceed to “Next: Configure Security Group.”

Connecting to the Instance via SSH

After launching your EC2 instance, you must connect to it using SSH. Ensure your security group allows SSH access (port 22) from your IP address.

  1. Open a terminal or SSH client on your local machine.
  2. Use the following command to connect to your instance:

    ssh -i /path/to/your-key.pem ubuntu@your-ec2-public-ip

 

Installing OpenVPN on the EC2 Instance

Downloading and Running the OpenVPN Installer Script

Once connected to your EC2 instance, you must download and run the OpenVPN installer script. The script automates the installation process, making it straightforward.

  1. Update your package list and install the necessary dependencies:

    sudo apt-get update

sudo apt-get install -y wget

  1. Download the OpenVPN installer script:

    wget https://git.io/vpn -O openvpn-install.sh
  1. Run the script:

    sudo bash openvpn-install.sh

Completing the Installation Wizard

The script will guide you through a simple wizard to configure your OpenVPN server. You’ll need to provide some basic information, such as your server’s IP address, and select options like protocol (UDP is recommended) and port (the default is 1194). Once the wizard completes, the script generates a .ovpn configuration file for your client.

Configuring Security Groups for OpenVPN Access

Allowing Inbound UDP Traffic on Port 1194

To ensure your OpenVPN server can communicate with clients, you must configure your EC2 instance’s security group to allow inbound traffic on port 1194.

  1. Go to the EC2 dashboard and select “Security Groups” from the left-hand menu.
  2. Select the security group associated with your OpenVPN server instance.
  3. Click “Edit Inbound Rules.”
  4. Add a new rule:
    • Type: Custom UDP Rule
    • Port Range: 1194
    • Source: Anywhere (0.0.0.0/0) or restricted to a specific IP range.
  5. Click “Save rules.”

Downloading and Installing the OpenVPN Client

Selecting the Appropriate Client for Your Operating System

Next, you’ll need to install the OpenVPN client on the device you plan to connect to your private EC2 instances. OpenVPN provides clients for various operating systems, including Windows, macOS, and Linux.

  1. Visit the OpenVPN community downloads page.
  2. Download and install the client for your specific operating system.

Importing the .ovpn Configuration File

After installing the client, import the .ovpn configuration file generated during the OpenVPN server installation.

  1. Open the OpenVPN client on your device.
  2. Locate the .ovpn file on your local machine. You can transfer this file from your EC2 instance using SCP or download it from your preferred file-sharing method.
  3. Import the .ovpn file into the OpenVPN client.

Establishing the OpenVPN Connection

Initiating the Connection through the OpenVPN Client

With the client configured, you can now establish a secure connection to your EC2 instance.

  1. Open the OpenVPN client on your device.
  2. Select the profile you just imported.
  3. Click “Connect” to initiate the VPN connection.

Verifying Connection to Private Subnet Instances

Now that you have established a VPN connection, you can securely access instances in private subnets.

Launching an Instance in a Private Subnet

To test your VPN connection, launch a new EC2 instance in a private subnet within the same VPC as your OpenVPN server.

  1. Follow the standard EC2 instance launch process, but ensure you select a private subnet during the configuration.
  2. Assign a security group that allows inbound SSH traffic (port 22).

Connecting to the Instance via SSH Using Private IP

With your active OpenVPN connection, you can SSH into the private EC2 instance using its IP address.

  1. Open a terminal or SSH client on your local machine.
  2. Use the following command to connect to your private instance:

    ssh -i /path/to/your-key.pem ubuntu@your-private-ip
  1. Verify that you are connected to the private instance.

Conclusion

Setting up OpenVPN on an EC2 instance effectively secures access to private resources in your AWS environment. Following this guide, you can establish a secure VPN connection, enabling you to connect to private EC2 instances using their private IP addresses, ensuring your infrastructure remains safe and accessible.

References

Setting up OpenVPN Access Server in Amazon VPC

Getting started with AWS Site-to-Site VPN