@glennschler
Last active March 5, 2023 00:13
Setup OpenVPN server running on Amazon ec2.
# Change the default openvpn username to e.g. newopenvpnuser9988
cp /usr/local/openvpn_as/etc/as.conf /usr/local/openvpn_as/etc/as.conf.bak
sed "s/boot_pam_users.0=openvpn/boot_pam_users.0=newopenvpnuser9988/" < /usr/local/openvpn_as/etc/as.conf > /tmp/as.conf
mv /tmp/as.conf /usr/local/openvpn_as/etc/as.conf
adduser newopenvpnuser9988
# For DDNS users, update the server's hostname to match the DDNS hostname
cp /usr/local/openvpn_as/etc/config.json /usr/local/openvpn_as/etc/config.json.bak
sed 's/"host.name": ".*",/"host.name": "YOUR_DDNS_HOSTNAME",/' < /usr/local/openvpn_as/etc/config.json > /tmp/config.json
mv /tmp/config.json /usr/local/openvpn_as/etc/config.json
# Remove the default account now that the replacement exists
deluser openvpn
# Restart the OpenVPN Access Server
/etc/init.d/openvpnas restart
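The script above edits two config files in place and then deletes the default `openvpn` account; if the `adduser` or either `sed` had silently failed, the next restart would leave no working admin login. The following is an added example (not part of the gist and not OpenVPN's own tooling) that performs the same two substitutions on constructed stand-in copies of `as.conf` and `config.json` in a scratch directory, keeps the `.bak` copies, and gates the `deluser`/restart steps on a verification that rolls back on failure. The `WORK` directory, the sample file contents, the user name and the host name are placeholders; the real files live under `/usr/local/openvpn_as/etc/`.

```shell
#!/bin/sh
# Added example: apply the gist's two edits to copies of as.conf / config.json and
# verify them before anything is deleted or restarted. All paths and values are
# constructed placeholders, not the real files under /usr/local/openvpn_as/etc/.
set -eu

WORK="${WORK:-$(mktemp -d)}"
AS_CONF="$WORK/as.conf"
CONFIG_JSON="$WORK/config.json"

# Constructed stand-ins for as.conf and config.json holding only the keys the gist touches.
make_samples() {
    printf 'boot_pam_users.0=openvpn\nboot_pam_service=openvpnas\n' > "$AS_CONF"
    printf '{\n  "host.name": "ec2-1-2-3-4.compute-1.amazonaws.com",\n  "admin_ui.https.port": "943"\n}\n' > "$CONFIG_JSON"
}

# Does the OS account exist? The gist runs deluser openvpn right after adduser;
# checking first avoids locking yourself out of the admin UI if adduser failed.
user_exists() {
    id -u "$1" >/dev/null 2>&1
}

# apply_edits NEWUSER NEWHOST: the same substitutions as the gist, keeping .bak copies
# and writing through a temp file so a failed sed never leaves a truncated config behind.
apply_edits() {
    newuser="$1"; newhost="$2"
    cp "$AS_CONF" "$AS_CONF.bak"
    sed "s/^boot_pam_users\.0=.*/boot_pam_users.0=$newuser/" "$AS_CONF" > "$AS_CONF.tmp"
    mv "$AS_CONF.tmp" "$AS_CONF"
    cp "$CONFIG_JSON" "$CONFIG_JSON.bak"
    sed "s/\"host\.name\": \".*\",/\"host.name\": \"$newhost\",/" "$CONFIG_JSON" > "$CONFIG_JSON.tmp"
    mv "$CONFIG_JSON.tmp" "$CONFIG_JSON"
}

# verify_or_rollback NEWUSER NEWHOST: succeed only if both files carry the new values;
# otherwise restore the .bak copies and fail, so the caller skips deluser and the restart.
verify_or_rollback() {
    newuser="$1"; newhost="$2"
    if grep -qx "boot_pam_users.0=$newuser" "$AS_CONF" \
       && grep -q "\"host.name\": \"$newhost\"," "$CONFIG_JSON"; then
        return 0
    fi
    cp "$AS_CONF.bak" "$AS_CONF"
    cp "$CONFIG_JSON.bak" "$CONFIG_JSON"
    return 1
}
```

On a real instance the order would be: `adduser`, `user_exists NEWUSER`, `apply_edits`, `verify_or_rollback`, and only then `deluser openvpn` and the restart; the `.bak` files stay behind for a manual restore. The anchored `^boot_pam_users\.0=` pattern also rewrites the line correctly if the default user had already been changed once before.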

OpenVPN Technologies has provided their SSL VPN solution as a free virtual machine image that can be hosted in the Amazon cloud. This allows anyone to quickly set up their own VPN solution to provide secure internet access, or a secure network between local and remote locations. With Amazon EC2 the cost can be free for the first year, and after that less than one US cent ($.005) per hour depending on configuration and bandwidth needs. The OpenVPN license is free for the first two users.

The instructions given by OpenVPN are thorough and easy to follow. They also describe an optional step on how to set up an Amazon static IP address. For free-tier or other users who will leave the instance running full-time there is zero cost for this static IP, but for users who plan to only run the VPN on an hourly basis there will be an additional IP "reservation" cost for every downtime hour. To avoid this possible cost, I have added instructions on assigning the new instance's dynamic IP address to an external dynamic DNS hostname (DDNS). Even if you have a static address, DDNS gives you an easy-to-remember "yourvpn.yourhost.com" instead of something like "54.99.99.999".

  1. Follow this OpenVPN guide.

  2. Skip the optional step labeled "provide instance specific user-data".

  3. If you plan to use DDNS, skip the optional step labeled "Although not strictly necessary, you should allocate a static IP address".

  4. After completing the OpenVPN documented steps, do not exit the terminal command window. In case you missed this step earlier, be sure to create a new password for the openvpn admin user. At the command line, enter the following command and choose a secure password.

passwd openvpn

# If you did not follow these instructions before, do so now
apt-get update && apt-get upgrade
  5. If you plan to use DDNS instead of an Amazon Elastic IP, configure your DDNS service to be updated on every launch of your OpenVPN server. There are many free and paid DDNS services. The ddclient setup suggests dyndns.com, easydns.com, dslreports.com, zoneedit.com, and "other". For "other", ChangeIP.com may be a good free option.
  • Set up a new DDNS host name at your DDNS service provider. You may need to assign an A-record IP address, which for now can be set to a dummy 127.0.0.1 address.

  • Optional documentation about the ddclient script is here: http://sourceforge.net/p/ddclient/wiki/Home/

  • At the terminal command window, install ddclient with the following command and answer the configuration prompts when asked:

    apt-get install ddclient
    
    1. Choose your DDNS service.
    2. Give your DDNS service username
    3. Give your DDNS service password
    4. Say "yes" to checkip.*****.com question (or similar)
    5. Choose "Manually" when asked which host name to update. Be sure you have already set up this host at your DDNS service.
    6. Fill in the "**** fully qualified domain name". e.g. myopenvpn.example.com
    7. "Run ddclient on PPP connect?" NO
    8. "Run ddclient as daemon?" YES
    9. "Interval between ddclient runs:" 1d

Next, make some additional ddclient configuration changes:

# make a backup
cp /etc/ddclient.conf /etc/ddclient.conf.bak

# only need to update at reboot
echo 'daemon=0' >> /etc/ddclient.conf

# use HTTPS when sending updates to the DDNS service
echo 'ssl=yes' >> /etc/ddclient.conf

If you ever need to reconfigure ddclient from the beginning, run this optional step:

dpkg-reconfigure ddclient

Reboot the new instance:

shutdown -r now

For DDNS users waiting on the new Amazon OpenVPN instance to restart, optionally append the following lines to your local ~/.ssh/config file to avoid host-key warnings when connecting to a new instance (every new instance generates a new SSH host key, and these two settings turn off host-key checking for that one DDNS name only). This is a file on your local Mac OS X or Linux/Unix machine. Windows users can skip this step, or search for the equivalent steps.

# for example. You must use your DDNS name
echo 'Host YOUR_DDNS_SUBDOMAIN.YOUR_DDNS_SERVICE.com' >> ~/.ssh/config
echo '  StrictHostKeyChecking no' >> ~/.ssh/config
echo '  UserKnownHostsFile /dev/null' >> ~/.ssh/config
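The three `echo >>` lines above append a new stanza every time they are run, so a repeated setup leaves duplicate `Host` entries in `~/.ssh/config`. The following is an added example (not from the gist) that writes the same stanza only once and lets you count how many stanzas a config file holds; the config path and host name are parameters, and the values used in the test are constructed.

```shell
#!/bin/sh
# Added example: add the gist's relaxed host-key stanza for one DDNS name exactly once.
# CONFIG_FILE and HOSTNAME are parameters; nothing here touches the real ~/.ssh/config
# unless you pass that path.
set -eu

# add_relaxed_host CONFIG_FILE HOSTNAME
# Appends the three lines from the step above for HOSTNAME unless a "Host HOSTNAME"
# stanza already exists. Returns 0 if added, 1 if it was already present.
add_relaxed_host() {
    cfg="$1"; host="$2"
    [ -f "$cfg" ] || : > "$cfg"
    if grep -qx "Host $host" "$cfg"; then
        return 1
    fi
    {
        echo "Host $host"
        echo "  StrictHostKeyChecking no"
        echo "  UserKnownHostsFile /dev/null"
    } >> "$cfg"
    return 0
}

# count_stanzas CONFIG_FILE HOSTNAME: number of "Host HOSTNAME" lines (0 if none).
count_stanzas() {
    grep -cx "Host $2" "$1" || true
}
```

Because the stanza is keyed on the exact DDNS name, it does not relax checking for any other host. Once the instance is stable you can drop the stanza again and instead clear the stale entry for the rebuilt host with `ssh-keygen -R YOUR_DDNS_SUBDOMAIN.YOUR_DDNS_SERVICE.com`, which removes only that host's old key from `~/.ssh/known_hosts` and lets normal host-key checking resume.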

  6. For users who did not follow the above DDNS steps, reboot the new instance:
shutdown -r now
  7. Wait until it is restarted. Test the connection to the new VPN instance.
# Test the connection with your new DDNS hostname or Static Amazon Elastic IP address
# e.g. ssh -i myec2openvpnkey.pem root@openvpn.myexampleDDNS.changeip.com
# or e.g. ssh -i myec2openvpnkey.pem root@54.242.99.99
ssh -i YOUR_EC2_KEY.pem root@YOUR_DDNS_SUBDOMAIN.YOUR_DDNS_SERVICE.com

# Answer yes when you are prompted at SSH connect
# The authenticity of host '.... (99.999.999.99)' can't be established.
#...Are you sure you want to continue connecting (yes/no)? yes
  8. Your OpenVPN server is now installed on EC2. Now follow the admin configuration instructions to complete setup of your VPN users.
  9. Choose an OpenVPN client to download and install on your Windows, Mac, iOS (iPhone), Android, or Linux device.
  10. Once the VPN server is configured and tested for all your VPN users, follow the Amazon instructions for backing up your instance as a new AMI image. The new AMI image can be launched at any time as a new instance or a new spot instance, and will contain the OpenVPN server configuration completed in all the previous steps.
@ttlequals0

Here is an even quicker way to create an OpenVPN Endpoint on AWS https://github.com/ttlequals0/autovpn
