AWS Connectivity: Enterprise grade
This article provides step-by-step instructions for setting up an Amazon ClientVPN and OpenVPN server using easyRSA on a Windows machine. easyRSA is a simple RSA key management tool included with OpenVPN that can be used to generate the necessary certificates and keys for setting up a VPN connection. The instructions cover the process of creating a Virtual Private Cloud (VPC) and EC2 in Amazon Web Services (AWS), as well as installing and configuring OpenVPN on both the client and server sides. After following these steps, you should have a working VPN connection that you can use to securely connect to your AWS resources.
1. First, you will need to have an Amazon Web Services (AWS) account and have the AWS CLI (Command Line Interface) installed on your machine. You can sign up for an AWS account at the following link: https://aws.amazon.com/
2. Next, you will need to install OpenVPN on your Windows machine. You can download the latest version of OpenVPN from the following link: https://openvpn.net/community-downloads/
3. Once OpenVPN is installed, you will need to generate the necessary certificates and keys for setting up the VPN connection. For this, you will need to use easyRSA, which is a simple RSA key management tool included with OpenVPN.
4. To set up easyRSA, open a command prompt and navigate to the easyRSA directory within the OpenVPN installation folder. On most systems, this will be located at "C:\Program Files\OpenVPN\easy-rsa".
5. In the easyRSA directory, run the following command to initialize the PKI directory that easyRSA will write its certificates and keys into (easyRSA 3 syntax, matching the commands that follow):
./easyrsa init-pki
6. Next, run the following command to generate the certificate authority (CA) certificate and key:
./easyrsa build-ca
7. Follow the prompts to enter the required information for the CA certificate. This includes the Common Name (e.g., "My VPN CA"), Organization (e.g., "My Company"), and email address.
8. After the CA certificate and key have been generated, you can generate a server certificate and key by running the following command:
./easyrsa build-server-full server
9. Follow the prompts to enter the required information for the server certificate. This includes the Common Name (e.g., "server"), Organization (e.g., "My Company"), and email address.
10. Next, generate a client certificate and key by running the following command:
./easyrsa build-client-full client
11. Follow the prompts to enter the required information for the client certificate. This includes the Common Name (e.g., "client"), Organization (e.g., "My Company"), and email address.
12. After generating the necessary certificates and keys, you will need to create a configuration file for the OpenVPN server. To do this, create a new text file in the easyRSA directory and add the following lines:
# UDP 1194 is the port opened in the security group below and the port the client config dials
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
# drop privileges after start-up; Amazon Linux has a "nobody" group but no "nogroup"
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
# verbosity is an integer from 0 to 11; 3 is the usual operational level
verb 3
13. Save the file as "server.ovpn" in the easyRSA directory. This will be the configuration file for the OpenVPN server.
14. Next, you will need to upload the necessary certificates and keys to your Amazon Web Services (AWS) account. To do this, you will need to use the AWS CLI.
15. First, you will need to create a new Virtual Private Cloud (VPC) in your AWS account. To do this, log in to your AWS management console and navigate to the VPC dashboard. From the dashboard, click the "Create VPC" button.
16. Follow the prompts to create a new VPC with a public subnet. Make sure to specify a name and IP range for your VPC.
17. After creating the VPC, you will need to create a new security group. To do this, navigate to the "Security Groups" page in the VPC dashboard and click the "Create Security Group" button.
18. Follow the prompts to create a new security group, specifying a name and description. Make sure to add a rule to allow incoming traffic on UDP port 1194, as this is the port that the OpenVPN server will be listening on.
19. After creating the security group, you will need to create a new Elastic IP address. To do this, navigate to the "Elastic IPs" page in the VPC dashboard and click the "Allocate new address" button.
20. Follow the prompts to create a new Elastic IP address and associate it with your VPC.
21. Next, you will need to create a new EC2 instance from an Amazon Machine Image (AMI) in your AWS account. To do this, log in to your AWS management console and navigate to the EC2 dashboard. From the dashboard, click the "Launch Instance" button.
22. Follow the prompts to create a new EC2 instance, selecting an Amazon Linux AMI as the base image. Make sure to specify the public subnet of your VPC as the network, and select the security group that you created earlier.
23. After creating the EC2 instance, you will need to connect to it using SSH. To do this, you will need to use a tool such as PuTTY.
24. Once you are connected to the EC2 instance via SSH, you will need to install OpenVPN on the instance. To do this, run the following command:
sudo yum install openvpn
25. After installing OpenVPN, you will need to copy the necessary certificates and keys from your local machine to the EC2 instance. To do this, you can use a tool such as scp.
26. From the command prompt on your local machine, navigate to the easyRSA directory and run the following command to copy the CA certificate to the EC2 instance:
scp ca.crt ec2-user@<EC2_INSTANCE_IP>:/home/ec2-user/
27. Replace <EC2_INSTANCE_IP> with the IP address of your EC2 instance.
28. Repeat the above step for the server certificate, server key, and DH parameter file (dh.pem; if it does not exist yet, generate it in the easyRSA directory with ./easyrsa gen-dh).
29. After copying the necessary files to the EC2 instance, you will need to move them to the OpenVPN directory on the instance. To do this, run the following commands:
sudo mv ca.crt /etc/openvpn/
sudo mv server.crt /etc/openvpn/
sudo mv server.key /etc/openvpn/
sudo mv dh.pem /etc/openvpn/
30. Restrict the server private key so that only root can read it, then confirm that all four files are in place:
sudo chmod 600 /etc/openvpn/server.key
ls -l /etc/openvpn/
31. Next, you will need to create a configuration file for the OpenVPN server on the EC2 instance. To do this, create a new text file in the /etc/openvpn/ directory on the instance and add the following lines:
# UDP 1194 is the port opened in the security group and the port the client config dials
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
# drop privileges after start-up; Amazon Linux has a "nobody" group but no "nogroup"
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
# verbosity is an integer from 0 to 11; 3 is the usual operational level
verb 3
32. Save the file as "server.conf" in the /etc/openvpn/ directory on the instance.
33. After creating the server configuration file, you will need to start the OpenVPN server on the EC2 instance. To do this, run the following command:
sudo systemctl start openvpn@server
34. You can verify that the OpenVPN server is running by checking the status with the following command:
sudo systemctl status openvpn@server
35. Next, you will need to create a client configuration file for the Amazon VPN client. To do this, create a new text file on your local machine and add the following lines:
client
dev tun
proto udp
remote <EC2_INSTANCE_IP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# only accept a peer whose certificate was issued for server use by our CA
remote-cert-tls server
# CA certificate and client credentials, placed in the same directory as this file
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
comp-lzo
verb 3
36. Replace <EC2_INSTANCE_IP> with the IP address of your EC2 instance.
37. Save the file as "client.ovpn" on your local machine.
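As an added example (not part of the original article), the following Python script parses a server.conf and a client.ovpn and flags the mismatches that would otherwise only show up as a failed connection: a server port that differs from the client's remote port or from the UDP 1194 rule in the security group, mismatched proto or cipher, an out-of-range verb, and a missing remote-cert-tls. The embedded sample configs are constructed, and 203.0.113.10 is a documentation-range placeholder address.

```python
# Added example (not from the article): lint a server.conf/client.ovpn pair for mismatches.
SERVER_CONF = """\
port 119
proto udp
dev tun
cipher AES-256-CBC
verb 34
"""  # constructed sample: carries a wrong port and an out-of-range verb on purpose
CLIENT_OVPN = """\
client
proto udp
remote 203.0.113.10 1194
remote-cert-tls server
cipher AES-256-CBC
verb 3
"""  # constructed sample: 203.0.113.10 is a documentation-range placeholder address
def parse_ovpn(text):
    """Return (directive, args) pairs; '#' and ';' start comments."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            directive, *args = line.split()
            out.append((directive, args))
    return out
def first(entries, name):
    """Args of the first occurrence of a directive, or None if it is absent."""
    return next((a for d, a in entries if d == name), None)
def lint(server_text, client_text, sg_udp_port="1194"):
    """Return a list of problems; an empty list means the pair is consistent."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    problems = []
    if first(c, "client") is None:
        problems.append("client: missing 'client' directive")
    port, remote = first(s, "port"), first(c, "remote")
    if port and remote and len(remote) > 1 and port[0] != remote[1]:
        problems.append(f"port: server listens on {port[0]}, client dials {remote[1]}")
    if port and port[0] != sg_udp_port:
        problems.append(f"port: server {port[0]} is not the security-group port {sg_udp_port}")
    for key in ("proto", "cipher"):
        if first(s, key) != first(c, key):
            problems.append(f"{key}: server {first(s, key)} vs client {first(c, key)}")
    for side, entries in (("server", s), ("client", c)):
        v = first(entries, "verb")
        if not v or not v[0].isdigit() or int(v[0]) > 11:
            problems.append(f"{side}: verb {v} must be an integer 0..11")
    if first(c, "remote-cert-tls") != ["server"]:
        problems.append("client: add 'remote-cert-tls server' to reject non-server certs")
    return problems
```

Run `lint(open("server.conf").read(), open("client.ovpn").read())` against your own files; every reported line is something to fix before the first connection attempt.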
38. Next, you will need to copy the client certificate and key to your local machine. To do this, run the following commands from the easyRSA directory on your local machine (if you generated the client certificate locally in step 10, client.crt and client.key are already in that directory and this step can be skipped):
scp ec2-user@<EC2_INSTANCE_IP>:/home/ec2-user/client.crt .
scp ec2-user@<EC2_INSTANCE_IP>:/home/ec2-user/client.key .
39. Replace <EC2_INSTANCE_IP> with the IP address of your EC2 instance.
40. After copying the client certificate and key to your local machine, you will need to import them into the OpenVPN client on your machine. To do this, open the OpenVPN client and click the "Import" button.
41. Navigate to the "client.ovpn" file that you created earlier and select it.
42. Click the "Import" button to import the client configuration file.
43. Next, click the "Add" button to add the client certificate and key to the OpenVPN client.
44. Navigate to the "client.crt" and "client.key" files that you copied from the EC2 instance and select them.
45. Click the "Add" button to add the client certificate and key to the OpenVPN client.
46. After importing the client certificate and key, you can start the OpenVPN client by clicking the "Connect" button.
47. If the connection is successful, you should see a message indicating that the client has connected to the server.
48. You can verify that the connection is working by visiting a website such as www.whatismyip.com, which should show the IP address of your EC2 instance.
49. If you want to disconnect from the VPN, simply click the "Disconnect" button in the OpenVPN client.