Step by Step Tutorial for installing OpenVPN on the Amazon EC2 Cloud

March 16, 2014


Step by step tutorial to install OpenVPN on Red Hat/CentOS 6.x servers in the Amazon EC2 Cloud.

Log in to your Amazon EC2 instance.

Install the following packages:

# yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y


Next, download the LZO source RPM and configure the RPMForge repository.


# wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

Before adding the RPMForge repository to the OpenVPN server, check whether the server is 64-bit or 32-bit with the command:

# getconf LONG_BIT

If it reports 32, download:

# wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-1.el6.rf.i686.rpm

If it reports 64, download:

# wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

Next, build the lzo package from the source RPM, then install the resulting lzo packages and the RPMForge release package:

# rpmbuild --rebuild lzo-1.08-4.rf.src.rpm

# rpm -Uvh lzo-*.rpm

# rpm -Uvh rpmforge-release*


After the above preparation, install OpenVPN:

# yum install openvpn -y
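The preparation steps above, collected into one script as an added example (this is not the tutorial's own code). It reads the word size from getconf LONG_BIT and picks the matching rpmforge-release package itself, stops on an unexpected answer, and runs rpm -K on every downloaded RPM before installing it, so a package whose digest or signature does not check out is never installed. The URLs are the ones the tutorial gives; the rpm -K check, the temporary working directory, the use of rpm --eval to find rpmbuild's output directory and the RPMFORGE_GPG_KEY placeholder are additions.

```sh
#!/bin/sh
# Added example, not from the tutorial: the package preparation as one script.
# Picks the rpmforge-release package from `getconf LONG_BIT`, stops on an
# unexpected word size, and checks downloaded RPMs with rpm -K before install.
set -eu

LZO_SRPM_URL=http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
RPMFORGE_BASE=http://pkgs.repoforge.org/rpmforge-release

# Word size (output of `getconf LONG_BIT`) -> rpmforge-release package URL.
rpmforge_release_url() {
    case "$1" in
        32) echo "$RPMFORGE_BASE/rpmforge-release-0.5.2-1.el6.rf.i686.rpm" ;;
        64) echo "$RPMFORGE_BASE/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm" ;;
        *)  echo "unsupported word size: $1" >&2; return 1 ;;
    esac
}

# Fail unless rpm -K reports the package's digests and signature as OK.
# The signing key must be imported first (rpm --import <key>); otherwise
# the signature is reported NOT OK with MISSING KEYS and the check fails.
verify_rpm() {
    if ! rpm -K "$1"; then
        echo "signature check failed, not installing: $1" >&2
        return 1
    fi
}

install_prereqs() {
    # RPMFORGE_GPG_KEY is a placeholder: point it at the RPMForge signing
    # key (URL or file) before running with --install.
    : "${RPMFORGE_GPG_KEY:?set to the RPMForge signing key URL or file}"
    rpm --import "$RPMFORGE_GPG_KEY"

    yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y

    workdir=$(mktemp -d)
    cd "$workdir"
    wget "$LZO_SRPM_URL" "$(rpmforge_release_url "$(getconf LONG_BIT)")"
    for f in ./*.rpm; do verify_rpm "$f"; done

    # rpmbuild writes the binary RPMs under %_topdir/RPMS/<arch>/.
    rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
    rpm -Uvh "$(rpm --eval '%{_topdir}')"/RPMS/*/lzo-*.rpm
    rpm -Uvh rpmforge-release-*.rpm
    yum install openvpn -y
}

# Only touch the system when asked explicitly: sh prepare-openvpn.sh --install
case "${1:-}" in
    --install) install_prereqs ;;
esac
```

Without --install the script only defines the functions, so the URL selection can be checked on any machine; with --install it performs the tutorial's steps in order, refusing to go on if any RPM fails verification.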

Copy the easy-rsa folder shipped with the OpenVPN package (version 2.2.2 here; adjust the path to your installed version) to /etc/openvpn/:

# cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/

Edit the vars file:

# vi /etc/openvpn/easy-rsa/2.0/vars

Replace the line

export KEY_CONFIG='$EASY_RSA/whichopensslcnf $EASY_RSA'

with

export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf


Now create the certificates:

# cd /etc/openvpn/easy-rsa/2.0

# chmod 755 *

# source ./vars

# ./vars

# ./clean-all


Next, build the CA certificate:

# ./build-ca

Fill in the details for your organization or your personal details:

Country Name: enter your country or just press Enter for the default

State or Province Name: enter your state or just press Enter for the default

City: enter your city or just press Enter for the default

Org Name: enter your organization name or just press Enter for the default

Org Unit Name: enter your organizational unit or just press Enter for the default

Common Name: enter a name for your VPN server

Email Address: enter your admin email address

Build the server key:

# ./build-key-server server

Enter the same values as for ./build-ca, with a few changes:

Common Name: server

A challenge password: press enter to leave it blank

Optional company name: Optional value

sign the certificate: y

1 out of 1 certificate requests: y


Build the Diffie-Hellman parameters:

# ./build-dh


Edit /etc/openvpn/server.conf and insert the following lines:

# vi /etc/openvpn/server.conf

port 1194 # port
proto udp # protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login # comment this line out if you are using FreeRADIUS
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf # uncomment this line if you are using FreeRADIUS
client-cert-not-required # clients authenticate with username/password only; no client certificate is checked
username-as-common-name # the PAM username is used as the client's common name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3

Start the OpenVPN service:

# service openvpn start
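As an added check that is not part of the tutorial, the script below lints a server.conf like the one above. It reads the file, ignores comments, and prints one line per setting a reviewer would want to look at before exposing the server on UDP/1194: password-only client authentication (client-cert-not-required), 1024-bit Diffie-Hellman parameters, a PAM plugin that admits every local account accepted by the named PAM stack, and the absence of tls-auth and of user/group privilege dropping. The two sample configs it carries are constructed here; the hardened one shows the corrected settings side by side with the tutorial's.

```sh
#!/bin/sh
# Added example, not from the tutorial: lint an OpenVPN server.conf for the
# settings a reviewer would question. POSIX sh plus sed/grep; runs offline on
# two constructed sample configs when no file is given.

# Print the config with comments and blank lines removed.
strip_conf() {
    sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$1"
}

# True if config $1 contains an option line whose first word is $2.
has_opt() {
    strip_conf "$1" | grep -Eq "^[[:space:]]*$2([[:space:]]|\$)"
}

# True if config $1 has an option line matching extended regex $2.
has_line() {
    strip_conf "$1" | grep -Eq "$2"
}

# Print one finding per line; prints nothing for a clean config.
lint_openvpn_conf() {
    conf=$1
    has_opt "$conf" client-cert-not-required &&
        echo "client-cert-not-required: clients authenticate by username/password only; no client certificate is checked"
    has_line "$conf" '^[[:space:]]*dh[[:space:]].*dh1024' &&
        echo "dh: 1024-bit Diffie-Hellman parameters; set KEY_SIZE=2048 in vars and rerun ./build-dh"
    has_line "$conf" '^[[:space:]]*plugin[[:space:]].*openvpn-auth-pam' &&
        echo "plugin openvpn-auth-pam: every local account accepted by the named PAM stack can log in to the VPN"
    has_opt "$conf" tls-auth ||
        echo "tls-auth missing: the control channel accepts handshakes from any source without an HMAC check"
    { has_opt "$conf" user && has_opt "$conf" group; } ||
        echo "user/group missing: the daemon keeps root privileges after initialisation"
    return 0
}

# Number of findings for config $1.
lint_count() {
    lint_openvpn_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample 1: the tutorial's server.conf, trimmed to the relevant lines.
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
port 1194 #- port
proto udp #- protocol
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
keepalive 5 30
comp-lzo
persist-key
persist-tun
verb 3
EOF

# Constructed sample 2: the same server with the findings addressed.
# ta.key is created with: openvpn --genkey --secret /etc/openvpn/easy-rsa/2.0/keys/ta.key
HARDENED_CONF=$(mktemp)
cat >"$HARDENED_CONF" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
user nobody
group nobody
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
keepalive 5 30
persist-key
persist-tun
verb 3
EOF

# Usage: sh lint-openvpn.sh [/path/to/server.conf]; defaults to the samples.
if [ -n "${1:-}" ]; then
    lint_openvpn_conf "$1"
else
    echo "== tutorial server.conf =="; lint_openvpn_conf "$WEAK_CONF"
    echo "== hardened server.conf =="; lint_openvpn_conf "$HARDENED_CONF"
fi
```

Run it against /etc/openvpn/server.conf on the server. If you adopt the hardened settings, the client needs the matching tls-auth ta.key 1 line and a copy of ta.key, and, since client-cert-not-required is gone, a per-client certificate built with ./build-key <name> from the same easy-rsa directory.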


Enable IP forwarding in /etc/sysctl.conf. Edit and save the file:

# vi /etc/sysctl.conf

Replace

net.ipv4.ip_forward = 0

with

net.ipv4.ip_forward = 1

Load the modified setting:

# sysctl -p

Create a normal user account (I have used linuxbrainbox), which will also be used to log in to OpenVPN:

# useradd linuxbrainbox -s /bin/false


Create a password for the user linuxbrainbox:

# passwd linuxbrainbox

Add the NAT rules with iptables:

# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

# iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 54.84.***.***

# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 54.84.***.***

Note: replace 54.84.***.*** with your OpenVPN server's public IP.

Save the iptables rules:

# service iptables save
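The forwarding and NAT steps above, as an added example that is not part of the tutorial. Rather than hard-coding the interface name (the rules above mention both eth0 and venet0, the latter being the device name used inside OpenVZ containers), it takes the egress interface from the default route and the VPN subnet from the server line of server.conf, warns if net.ipv4.ip_forward is not set to 1 in /etc/sysctl.conf, and adds the MASQUERADE rule only when iptables-save shows no identical rule, so re-running it does not append duplicates. The helper functions take their input as arguments, and the route line, config and sysctl files used offline are constructed samples.

```sh
#!/bin/sh
# Added example, not from the tutorial: derive the egress interface and VPN
# subnet, check forwarding, and add the MASQUERADE rule idempotently.

# Device name from one line of `ip route show default`, e.g.
# "default via 172.31.0.1 dev eth0" -> eth0.
iface_from_route() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Dotted netmask to prefix length (assumes a contiguous mask): 255.255.255.0 -> 24.
mask_to_prefix() {
    printf '%s\n' "$1" | awk -F. '{ n = 0; for (i = 1; i <= 4; i++) { o = $i; while (o > 0) { n += o % 2; o = int(o / 2) } } print n }'
}

# VPN subnet in CIDR form from the `server` line of config $1.
vpn_subnet_from_conf() {
    conf=$1
    set -- $(awk '$1 == "server" { print $2, $3; exit }' "$conf")
    [ $# -eq 2 ] || return 1
    echo "$1/$(mask_to_prefix "$2")"
}

# The MASQUERADE rule the tutorial uses, with subnet and interface filled in.
nat_rule() {
    echo "iptables -t nat -A POSTROUTING -s $1 -o $2 -j MASQUERADE"
}

# True if file $1 (sysctl.conf style) sets net.ipv4.ip_forward = 1.
ip_forward_enabled() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Constructed samples used when the script is exercised offline.
SAMPLE_ROUTE='default via 172.31.0.1 dev eth0 proto dhcp'
SAMPLE_CONF=$(mktemp); printf 'port 1194\nserver 10.8.0.0 255.255.255.0\n' >"$SAMPLE_CONF"
SAMPLE_SYSCTL_ON=$(mktemp); printf 'net.ipv4.ip_forward = 1\n' >"$SAMPLE_SYSCTL_ON"
SAMPLE_SYSCTL_OFF=$(mktemp); printf 'net.ipv4.ip_forward = 0\n' >"$SAMPLE_SYSCTL_OFF"

# Apply on a real server (root, OpenVPN configured); otherwise print the rule for the samples.
if [ "$(id -u)" -eq 0 ] && [ -r /etc/openvpn/server.conf ] && command -v iptables >/dev/null 2>&1; then
    iface=$(iface_from_route "$(ip route show default | head -n 1)")
    subnet=$(vpn_subnet_from_conf /etc/openvpn/server.conf)
    ip_forward_enabled /etc/sysctl.conf || echo "warning: net.ipv4.ip_forward is not 1 in /etc/sysctl.conf" >&2
    # iptables-save prints rules in their -A form; skip if an identical rule exists.
    if ! iptables-save -t nat | grep -qF -- "-A POSTROUTING -s $subnet -o $iface -j MASQUERADE"; then
        iptables -t nat -A POSTROUTING -s "$subnet" -o "$iface" -j MASQUERADE
        service iptables save
    fi
else
    nat_rule "$(vpn_subnet_from_conf "$SAMPLE_CONF")" "$(iface_from_route "$SAMPLE_ROUTE")"
fi
```

MASQUERADE rewrites the source address to whatever address the egress interface currently holds, which is what you want on an instance whose address is assigned by DHCP; the duplicate check uses iptables-save because it is available on the iptables version shipped with CentOS 6.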

Client Side Configuration

On a Windows client

Create a file named server.ovpn and copy in the lines below:

client
dev tun
proto udp
remote 54.84.***.***  1194 # replace with your OpenVPN server IP and port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
reneg-sec 0
verb 3

Save the file in the config directory of your OpenVPN installation.

Using WinSCP (a file-copy program for transferring files between a Windows client and a Linux machine), log in to the OpenVPN server and copy the file /etc/openvpn/easy-rsa/2.0/keys/ca.crt to the OpenVPN config folder on your Windows client.

Now test logging in with the username linuxbrainbox and its password (the user I created on the server side; replace it with the username you created).


One important point: if, after connecting to the VPN, the client machine cannot reach the internet, run the following once again:

# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Before connecting to the VPN, check your IP address using www.whatismyip.com.

After connecting to OpenVPN, check your IP address again on www.whatismyip.com; it should now show the OpenVPN server's public IP address (an Amazon address).

2 thoughts on "Step by Step Tutorial for installing OpenVPN on the Amazon EC2 Cloud"

  1. Mauvis Ledford

    Just wanted to say thanks. Your directions were a little sloppy but 100% helpful in getting OpenVPN working on EC2!
