AWS – OpenVPN Access Server

Introduction

We will set up OpenVPN in AWS, providing a secure and convenient method for remote access to the AWS environment. Furthermore, OpenVPN offers Multi-Factor Authentication (MFA) through a simple setup process. This allows us to eliminate potentially risky RDP connections over the internet. An advantage of this approach is the ability to utilize a locally hosted virtual machine, which often boasts more power than a T2.Micro instance, while being part of our AWS resources. This setup allows us to work efficiently in an environment that minimizes costs.

Speaking of costs, we utilize a free license for OpenVPN Access Server, granting us the ability to establish two VPN connections without any charge. Additionally, we employ the “Free Tier Eligible” T2.Micro instance. Despite these minimal specifications, the setup performs admirably within a small lab setting. Consequently, we can fully leverage the AWS environment through a secure VPN connection without significant concerns about ongoing expenses.

Image of the VPC we are setting up in this blog

1. Plan
2. Install OpenVPN to EC2

0:50 – Setup Elastic IP (Public IP Address)
2:20 – Register A Record in Route 53
3:17 – Select OS to install OpenVPN Access Server
4:26 – Deploy EC2 instance
6:24 – Associate Elastic IP to VPN Server
7:10 – Remote login VPN Server and install OpenVPN
8:17 – Remote access to the management page of OpenVPN

2-1. Switch to Super User

sudo su

2-2. Install OpenVPN Access Server (Amazon Linux 2)
Reference: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#create-nat-ami

yum -y remove openvpn-as-yum
yum -y install https://as-repository.openvpn.net/as-repo-amzn2.rpm
yum -y install openvpn-as

3. NAT Configuration (Easy)

0:18 – Login to OpenVPN Admin page
0:48 – Activate the license
1:59 – Create a new user and reset the password
3:18 – Change the network settings
4:45 – Change the VPN Settings
6:50 – Login to OpenVPN User page
7:43 – Install OpenVPN Client
9:09 – Establish a VPN connection
10:43 – Remote access to a private EC2 instance
11:52 – Close Port 22 for SSH connection
12:43 – Enable “Change termination protection”

4. MFA (Multi Factor Authentication)

0:15 – Login by username and password
0:28 – Enable Multi-factor Authentication (MFA)
1:02 – Setup MFA for “openvpn” user
1:44 – Setup MFA for a regular user
2:19 – Establish VPN connection with MFA

5. Join Active Directory over VPN

1:02 – Establish VPN connection from the Host machine
2:16 – Join a virtual machine to a domain
4:00 – Check the status of the virtual machine
4:47 – Establish VPN connection from the virtual machine
5:31 – Delete the bastion server

6. Routing Configuration (Advanced)

1:40 – Check the connection from VPN client to EC2 instance
2:29 – Check the connection from EC2 instance to VPN client
3:22 – Setup “Routing” option on OpenVPN page
4:24 – Change “Route table”
5:33 – Enable “Change source/destination check”
5:58 – Change “Security Group”
7:56 – “Security Group” – Add inbound rules by CLI
9:24 – The first check — Failure
10:06 – Change the security group of VPN Server
11:12 – The second check — Failure
11:24 – Troubleshooting
12:25 – Found the root cause
12:42 – The third check — Success

Commands to add inbound rules to the Security Group (replace the placeholders in braces with your own values)
aws ec2 --profile {PROFILE NAME} authorize-security-group-ingress --group-id {SECURITY GROUP ID} --protocol udp --port 123 --cidr {CIDR OF VPC}
aws ec2 --profile {PROFILE NAME} authorize-security-group-ingress --group-id {SECURITY GROUP ID} --protocol tcp --port 135 --cidr {CIDR OF VPC}
aws ec2 --profile {PROFILE NAME} authorize-security-group-ingress --group-id {SECURITY GROUP ID} --protocol tcp --port 1723 --cidr {CIDR OF VPC}
aws ec2 --profile {PROFILE NAME} authorize-security-group-ingress --group-id {SECURITY GROUP ID} --protocol tcp --port 3268 --cidr {CIDR OF VPC}
aws ec2 --profile {PROFILE NAME} authorize-security-group-ingress --group-id {SECURITY GROUP ID} --protocol tcp --port 3269 --cidr {CIDR OF VPC}
aws ec2 --profile {PROFILE NAME} authorize-security-group-ingress --group-id {SECURITY GROUP ID} --protocol tcp --port 389 --cidr {CIDR OF VPC}
aws ec2 --profile {PROFILE NAME} authorize-security-group-ingress --group-id {SECURITY GROUP ID} --protocol udp --port 389 --cidr {CIDR OF VPC}
aws ec2 --profile {PROFILE NAME} authorize-security-group-ingress --group-id {SECURITY GROUP ID} --protocol tcp --port 445 --cidr {CIDR OF VPC}
aws ec2 --profile {PROFILE NAME} authorize-security-group-ingress --group-id {SECURITY GROUP ID} --protocol tcp --port 464 --cidr {CIDR OF VPC}
aws ec2 --profile {PROFILE NAME} authorize-security-group-ingress --group-id {SECURITY GROUP ID} --protocol udp --port 464 --cidr {CIDR OF VPC}
aws ec2 --profile {PROFILE NAME} authorize-security-group-ingress --group-id {SECURITY GROUP ID} --protocol tcp --port 49152-65535 --cidr {CIDR OF VPC}
aws ec2 --profile {PROFILE NAME} authorize-security-group-ingress --group-id {SECURITY GROUP ID} --protocol tcp --port 53 --cidr {CIDR OF VPC}
aws ec2 --profile {PROFILE NAME} authorize-security-group-ingress --group-id {SECURITY GROUP ID} --protocol udp --port 53 --cidr {CIDR OF VPC}
aws ec2 --profile {PROFILE NAME} authorize-security-group-ingress --group-id {SECURITY GROUP ID} --protocol tcp --port 636 --cidr {CIDR OF VPC}
aws ec2 --profile {PROFILE NAME} authorize-security-group-ingress --group-id {SECURITY GROUP ID} --protocol tcp --port 88 --cidr {CIDR OF VPC}
aws ec2 --profile {PROFILE NAME} authorize-security-group-ingress --group-id {SECURITY GROUP ID} --protocol udp --port 88 --cidr {CIDR OF VPC}
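The sixteen commands above are easy to mistype, and each one silently accepts whatever CIDR you paste in. The script below is an added example, not part of the original post: it keeps the same protocol/port list as data, validates the security group id and CIDR before anything is sent to AWS, refuses a world-open CIDR (the whole point of these rules is that they are scoped to the VPC), and prints the generated commands in dry-run mode so they can be reviewed before they are applied. The profile name, group id and VPC CIDR are constructed placeholders; the aws CLI invocation is the one used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): data-driven version of the
# authorize-security-group-ingress commands, with validation and a dry-run.
# Assumes the AWS CLI is installed and the named profile exists when DRY_RUN=0.

# Constructed placeholders: override via the environment with real values.
PROFILE_NAME="${PROFILE_NAME:-lab-admin}"
GROUP_ID="${GROUP_ID:-sg-0123456789abcdef0}"
VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"
DRY_RUN="${DRY_RUN:-1}"          # 1 = print commands only, 0 = execute them

# protocol:port pairs exactly as listed in the post (a port may be a range).
AD_RULES="udp:123
tcp:135
tcp:1723
tcp:3268
tcp:3269
tcp:389
udp:389
tcp:445
tcp:464
udp:464
tcp:49152-65535
tcp:53
udp:53
tcp:636
tcp:88
udp:88"

# Number of rules in the list (16 for the list above).
rule_count() { printf '%s\n' "$AD_RULES" | grep -c ':'; }

# True if $1 has the shape of a security group id: sg- plus 8 or 17 hex digits.
valid_group_id() {
  printf '%s\n' "$1" | grep -Eq '^sg-[0-9a-f]{8}([0-9a-f]{9})?$'
}

# True if $1 is a syntactically valid IPv4 CIDR (four octets <= 255, prefix 0-32).
valid_cidr() {
  ip=${1%/*}; prefix=${1#*/}
  [ "$ip" != "$1" ] || return 1                      # no "/" present
  printf '%s\n' "$prefix" | grep -Eq '^([0-9]|[12][0-9]|3[0-2])$' || return 1
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs        # split on dots
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    printf '%s\n' "$octet" | grep -Eq '^[0-9]{1,3}$' || return 1
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# True unless the CIDR is a /0, which would expose every AD port to the internet.
cidr_is_scoped() {
  case "$1" in
    */0) return 1 ;;
    *)   return 0 ;;
  esac
}

# Print one authorize command per rule for group $1, CIDR $2, profile $3.
# Nothing is executed here; the caller decides whether to run the output.
build_rule_commands() {
  group="$1"; cidr="$2"; profile="$3"
  valid_group_id "$group"  || { echo "bad security group id: $group" >&2; return 1; }
  valid_cidr "$cidr"       || { echo "bad CIDR: $cidr" >&2; return 1; }
  cidr_is_scoped "$cidr"   || { echo "refusing world-open CIDR: $cidr" >&2; return 1; }
  printf '%s\n' "$AD_RULES" | while IFS=: read -r proto port; do
    [ -n "$proto" ] || continue
    printf 'aws ec2 --profile %s authorize-security-group-ingress --group-id %s --protocol %s --port %s --cidr %s\n' \
      "$profile" "$group" "$proto" "$port" "$cidr"
  done
}

# Generate the commands; print them for review, or run them when DRY_RUN=0.
apply_rules() {
  cmds=$(build_rule_commands "$GROUP_ID" "$VPC_CIDR" "$PROFILE_NAME") || return 1
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$cmds"
  else
    printf '%s\n' "$cmds" | sh -e
  fi
}

# Usage: review the output, then rerun with DRY_RUN=0 to apply.
apply_rules
```

Because `authorize-security-group-ingress` is idempotent only in the sense that AWS rejects an exact duplicate rule, running the script twice with `DRY_RUN=0` will stop at the first duplicate under `sh -e`; review the dry-run output and apply it once.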