Run a Free VPN Server on AWS


Geoff Cox

Programmer with a passion for JS, React, GraphQL, Docker and Serverless

AWS has a great firewall built into its core services that can easily be used to ensure that only certain ports are open to the outside world. One additional step we can take is to run a VPN server that acts as a gateway to your protected EC2 instances. We can then turn off direct SSH access to our EC2 instances and also have the freedom to block access to our entire network just by revoking access through our VPN server. The latter is very useful if you need to revoke access for a former employee.

The following tutorial will take you through the steps of setting up an EC2 instance that will be running an OpenVPN server. It will then cover how to grant and revoke access through a VPN server.

Step 1 – Create a VPN Security Group

Overview: Security groups allow your servers to communicate with each other in a private cloud while exposing certain ports to the world. We will create a security group to allow VPN access to our VPN server. We will assume that all other EC2 instances are members of the default security group and that the default security group does not allow access from the outside world.

Log in at https://aws.amazon.com, type EC2 in the search box and click on the target to go to the EC2 dashboard.

From the EC2 Dashboard, click Security Groups.

Click Create Security Group.

Enter a name and description of vpn. Define inbound rules on ports 22, 443, 943, and 1194. Note: The protocol for port 1194 is UDP.

Note: If the IP addresses your team uses are static, you can add another layer of security by specifying that IP address range in the Source of your rules. However, you’ll want to leave the Source open if you want your team to be able to connect from varying IP addresses because they might be working from a hotel, home, coffee shop, etc.
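As an added example (not part of the original article), the following Python checks a set of inbound rules for the vpn security group against the four ports this step opens, flags the mistake the troubleshooting section warns about (1194 opened over TCP instead of UDP), and lists which ports are reachable from anywhere. The rule tuples and CIDR ranges are constructed samples.

```python
# Added example, not from the original article: check the inbound rules of the
# "vpn" security group from Step 1 against what the tutorial requires
# (22, 443, 943 over TCP and 1194 over UDP) and flag the troubleshooting case
# from the page, port 1194 opened as TCP instead of UDP.
from ipaddress import ip_network

# Port/protocol pairs the tutorial opens on the vpn security group.
REQUIRED = {("tcp", 22), ("tcp", 443), ("tcp", 943), ("udp", 1194)}


def check_vpn_rules(rules):
    """rules: iterable of (protocol, port, source_cidr) tuples as shown in the
    console. Returns a list of human-readable findings; empty means OK."""
    findings = []
    present = {(proto.lower(), int(port)) for proto, port, _ in rules}
    for proto, port in sorted(REQUIRED):
        if (proto, port) in present:
            continue
        other = "udp" if proto == "tcp" else "tcp"
        if (other, port) in present:
            findings.append(f"port {port} is open over {other.upper()} but must be {proto.upper()}")
        else:
            findings.append(f"port {port}/{proto} is missing")
    required_ports = {port for _, port in REQUIRED}
    for proto, port, cidr in rules:
        if int(port) not in required_ports:
            findings.append(f"unexpected inbound rule {port}/{proto.lower()} from {cidr}")
    return findings


def ports_open_to_world(rules):
    """Ports whose Source is 0.0.0.0/0 (or ::/0); the note above suggests narrowing
    these to a static team range where that is practical."""
    return sorted({int(port) for _, port, cidr in rules if ip_network(cidr).prefixlen == 0})


# Constructed samples (not real accounts): the common mistake, then a correct set
# with SSH limited to a static office range.
BROKEN = [("tcp", 22, "0.0.0.0/0"), ("tcp", 443, "0.0.0.0/0"),
          ("tcp", 943, "0.0.0.0/0"), ("tcp", 1194, "0.0.0.0/0")]
GOOD = [("tcp", 22, "203.0.113.0/24"), ("tcp", 443, "0.0.0.0/0"),
        ("tcp", 943, "0.0.0.0/0"), ("udp", 1194, "0.0.0.0/0")]

if __name__ == "__main__":
    for name, rules in (("BROKEN", BROKEN), ("GOOD", GOOD)):
        print(name, check_vpn_rules(rules) or "ok", "world-open:", ports_open_to_world(rules))
```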

Step 2 – Create an EC2 Instance

Return to the EC2 Dashboard and click Launch Instance.

Select Ubuntu (you can, of course, choose almost any other operating system that runs OpenVPN, but this tutorial is written specifically for Ubuntu).

Choose t2.nano and click Review and Launch.

On the next screen, click Edit security groups.

Select the vpn and default security groups and click Review and Launch.

Click Launch, choose your key pair and click Launch Instances.

Step 3 – Disable source/destination checking

From the list of instances, select the VPN instance and then choose Networking -> Change Source/Dest. Check from the dropdown menu, then click Yes, Disable. This is required; otherwise your VPN server will not be able to connect to the other EC2 instances.

Step 4 – Create an Elastic IP Address

Overview: When an EC2 instance is stopped and restarted, its public IP address changes. We want our VPN server’s IP address to remain static, so we will use an Elastic IP address.

From the EC2 Dashboard, select Elastic IPs.

Click Allocate new address.

Click Allocate and then Close.

Make a note of your Elastic IP, as it will be the public IP address of your VPN server.

Then select the Elastic IP and click Associate Address from the dropdown menu.

Select the EC2 instance you just created and click Associate.

Step 5 – Install and configure the OpenVPN server

SSH into your VPN server:

Download our helper scripts and set up a default configuration:

Edit config.sh and enter your configuration. Note: PUBLIC_IP must be equal to the Elastic IP address you created above.

Switch to root

Update Ubuntu and install OpenVPN. Note: You will be prompted twice and, when you are, select Keep the local version currently installed.

$ /home/ubuntu/openvpn-server-vagrant/ubuntu.sh
$ /home/ubuntu/openvpn-server-vagrant/openvpn.sh

At this point, the OpenVPN server is running.

Step 6 – Add Routes

Routes must be added to the server so that your team’s clients know which traffic should be routed to the VPN server.

You can select the appropriate subnet by going back to your list of EC2 instances, clicking on the target instance and selecting the private IP address.

Your network will be the first two parts of the private IP address appended with zeros, e.g. 172.31.0.0.

On the VPN server, edit /etc/openvpn/server.conf and add something like the following:

push "route 172.31.0.0 255.255.0.0"
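As an added example (not from the original article or the helper scripts it uses), this Python derives the push route line from an instance’s private IP, checks that another instance’s address falls inside the pushed route, and appends the line to server.conf contents without duplicating it. The page’s “first two octets plus zeros” rule is a /16 (the default VPC size); the prefixlen parameter generalises it to other VPC sizes. The private IPs used are constructed samples.

```python
# Added example, not from the original article: build the OpenVPN "push route"
# line for server.conf from an EC2 private IP. The page's rule (first two octets
# plus zeros, e.g. 172.31.0.0) is a /16, the default VPC size; prefixlen lets the
# same code handle other VPC sizes.
import shlex
from ipaddress import ip_address, ip_interface, ip_network


def vpc_route_line(private_ip, prefixlen=16):
    """Return the push directive that routes the whole VPC through the VPN."""
    net = ip_interface(f"{private_ip}/{prefixlen}").network
    return f'push "route {net.network_address} {net.netmask}"'


def route_covers(route_line, target_ip):
    """Check that an instance's private IP falls inside a pushed route, e.g. to
    confirm clients will reach it once connected (see the Step 7 note)."""
    parts = shlex.split(route_line)
    if len(parts) != 2 or parts[0] != "push":
        raise ValueError(f"not a push directive: {route_line!r}")
    keyword, addr, mask = parts[1].split()
    if keyword != "route":
        raise ValueError(f"not a route: {route_line!r}")
    return ip_address(target_ip) in ip_network(f"{addr}/{mask}")


def add_route(server_conf_text, route_line):
    """Append the route to the server.conf contents unless it is already there,
    so re-running the step does not duplicate the directive."""
    lines = server_conf_text.splitlines()
    if route_line in (line.strip() for line in lines):
        return server_conf_text
    return server_conf_text.rstrip("\n") + "\n" + route_line + "\n"


if __name__ == "__main__":
    # Constructed sample: a VPN server whose private IP is 172.31.5.17.
    line = vpc_route_line("172.31.5.17")
    print(line)
    print(route_covers(line, "172.31.200.9"), route_covers(line, "10.0.0.1"))
```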

Then restart the VPN server with:

Step 7 – Grant Access to Your VPN

Note: We assume that you are still SSH’d into the VPN server and logged in as root.

Run the following command, making sure to replace client below with a unique name for your user/client.

$ /home/ubuntu/openvpn-server-vagrant/add-client.sh client

You will then find a configuration file in

~/client-configs/files/client-name.ovpn

You’ll want to present this file to the individual on your team who will be connecting to your VPN. SCP is useful for downloading this .ovpn file from your VPN server.

Your team can use one of several VPN clients such as Tunnelblick (OS X) and OpenVPN (Linux, iOS, Android, Windows). After installing one of these clients, they should be able to set up a VPN configuration by simply double-clicking on the .ovpn file.

Note: Once connected to the VPN, users will want to use the private IP addresses of your EC2 instances. You may want to use Route 53 to create sub-domain records that point to private IP addresses.

Step 8 – Revoke access to your VPN

Note: We assume that you are still SSH’d into the VPN server and logged in as root.

Run the following command, making sure to replace client below with the unique name of the user/client whose access you are revoking.

$ /home/ubuntu/openvpn-server-vagrant/revoke-full.sh client

Troubleshooting

  1. If your VPN client reports a TLS handshake failed error, this is most likely because the vpn security group (Step 1) is incorrect. Make sure the correct ports and protocols are specified – a common problem is not specifying UDP for port 1194.

About the author

Geoff Cox is the creator of MSON, a new declarative programming language that allows you to create applications in JSON. He’s been self-employed for the better part of the past fifteen years, and loves to take on ambitious, but fidgety projects, like building a database and a distributed data sync system. You can find him at @redgeoff7or on GitHub.
