OpenVPN
Step 1: Launch an EC2 Instance
Log in to AWS Console and go to EC2.
Click Launch Instance and choose:
- Amazon Linux 2, Ubuntu, or Debian (recommended for compatibility).
- Instance type: t2.micro (free-tier eligible, but t3.small for better performance).
- Enable SSH (port 22) and UDP 1194 in Security Groups.
- Assign an Elastic IP (so your VPN server always has the same IP).
- Attach a key pair for SSH access.
Once the instance is running, connect via SSH:
```sh
# ec2-user is the login for Amazon Linux; Ubuntu AMIs use ubuntu, Debian AMIs use admin
ssh -i your-key.pem ec2-user@your-ec2-ip
```
Step 2: Install OpenVPN
Update system packages:
```sh
# Amazon Linux
sudo yum update -y
# Ubuntu/Debian
sudo apt update && sudo apt upgrade -y
```
Install OpenVPN and Easy-RSA (for certificate management):
```sh
# Amazon Linux
sudo yum install openvpn easy-rsa -y
# Ubuntu/Debian
sudo apt install openvpn easy-rsa -y
```
Step 3: Configure OpenVPN
Copy the Easy-RSA scripts into the OpenVPN directory and make them owned by your user so the easyrsa commands below run without sudo:
```sh
sudo cp -r /usr/share/easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa
sudo chown -R $(whoami) /etc/openvpn/easy-rsa
```
Initialize the Public Key Infrastructure (PKI):
```sh
./easyrsa init-pki
# nopass creates the CA key without a passphrase; a passphrase is safer for a long-lived CA key
./easyrsa build-ca nopass
./easyrsa gen-req server nopass
./easyrsa sign-req server server
```
Generate Diffie-Hellman parameters:
```sh
./easyrsa gen-dh
```
Move generated files to OpenVPN directory:
```sh
sudo cp pki/ca.crt pki/private/server.key pki/issued/server.crt pki/dh.pem /etc/openvpn/
```
Step 4: Create OpenVPN Server Configuration
Create a new OpenVPN config file:
```sh
sudo nano /etc/openvpn/server.conf
```
Add the following configuration:
```
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
# VPN subnet handed to clients; the server takes 10.8.0.1
server 10.8.0.0 255.255.255.0
# send all client traffic through the tunnel and use Google DNS
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
# OpenVPN 2.4+ negotiates the data cipher (AES-256-GCM by default); this line is the fallback
cipher AES-256-CBC
auth SHA256
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
```
Start OpenVPN:
```sh
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
```
Step 5: Configure AWS Security Groups & Route Traffic
Modify AWS Security Group to allow:
- UDP 1194 (OpenVPN traffic).
- TCP 22 (for SSH access).
- ICMP (for testing with ping).
Enable IP forwarding:
```sh
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```
Add NAT rules:
```sh
# eth0 must be the instance's primary interface; newer AMIs often name it ens5 (check with: ip route)
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# snapshot of the rules; it is not reloaded on reboot by itself (iptables-persistent on Ubuntu/Debian does that)
sudo iptables-save | sudo tee /etc/iptables.rules
```
Step 6: Create Client Configuration
Generate client certificates:
```sh
cd /etc/openvpn/easy-rsa
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
sudo cp pki/issued/client1.crt pki/private/client1.key /etc/openvpn/
```
Create the client config file (client1.ovpn):
```sh
sudo nano client1.ovpn
```
Add the following:
```
client
dev tun
proto udp
remote YOUR_EC2_PUBLIC_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
verb 3
<ca>
-----BEGIN CERTIFICATE-----
(Insert CA Certificate)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(Insert Client Certificate)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(Insert Client Key)
-----END PRIVATE KEY-----
</key>
```
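Pasting three PEM blocks by hand is error-prone, and Easy-RSA's issued/*.crt files start with a human-readable certificate dump that must not be embedded. The script below is an added example and not part of the original tutorial: it assembles the client config above from the Easy-RSA pki/ directory created in Steps 3 and 6, copying only the BEGIN/END blocks, and creates the output file owner-only before the private key is written into it. The function names `pem_block` and `build_client_ovpn`, the script name and the sample address 203.0.113.10 (a documentation address) are my own choices.

```shell
#!/bin/sh
# Added example (not from the tutorial): build client1.ovpn with the CA
# certificate, client certificate and client key embedded, straight from
# the Easy-RSA pki/ directory, instead of pasting them by hand.

# pem_block FILE LABEL -> prints only the "-----BEGIN LABEL-----" ... "-----END LABEL-----" block
pem_block() {
    awk -v p="$2" '
        $0 ~ "-----BEGIN " p { inblock = 1 }
        inblock               { print }
        $0 ~ "-----END " p   { inblock = 0 }' "$1" 2>/dev/null
}

# build_client_ovpn NAME SERVER_IP PKI_DIR OUTFILE -> writes OUTFILE (mode 600); returns 0 on success
build_client_ovpn() {
    name="$1"; server="$2"; pki="$3"; out="$4"
    ca_pem=$(pem_block "$pki/ca.crt" "CERTIFICATE")
    cert_pem=$(pem_block "$pki/issued/$name.crt" "CERTIFICATE")
    # ".*PRIVATE KEY" accepts both PKCS#8 ("PRIVATE KEY") and legacy "EC/RSA PRIVATE KEY" headers
    key_pem=$(pem_block "$pki/private/$name.key" ".*PRIVATE KEY")
    for b in "$ca_pem" "$cert_pem" "$key_pem"; do
        if [ -z "$b" ]; then
            echo "ERROR: a PEM block is missing; check $pki/ca.crt, issued/$name.crt, private/$name.key" >&2
            return 1
        fi
    done
    # The subshell's umask makes the file owner-only from the moment it is created.
    (
        umask 077
        {
            printf '%s\n' "client" "dev tun" "proto udp" "remote $server 1194" \
                "resolv-retry infinite" "nobind" "persist-key" "persist-tun" \
                "remote-cert-tls server" "cipher AES-256-CBC" "auth SHA256" "verb 3"
            printf '<ca>\n%s\n</ca>\n' "$ca_pem"
            printf '<cert>\n%s\n</cert>\n' "$cert_pem"
            printf '<key>\n%s\n</key>\n' "$key_pem"
        } > "$out"
    ) && chmod 600 "$out"
}

# Usage: sh build-ovpn.sh client1 YOUR_EC2_PUBLIC_IP /etc/openvpn/easy-rsa/pki client1.ovpn
if [ $# -eq 4 ]; then build_client_ovpn "$@"; fi
```

The resulting file contains the client's private key, so move it to the home computer over SSH (scp) rather than e-mail or a shared drive, and delete the server-side copy once it has been imported.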
Step 7: Connect to VPN from Your Home Computer
- Download OpenVPN for Windows, macOS, or Linux.
- Transfer client1.ovpn to your home computer.
- Import and connect using the OpenVPN client.
Step 8: Route Traffic to Your Home Computer
To access your home network while connected to OpenVPN:
1. Find your home computer's IP (192.168.1.x).
2. Add a route to your home network from the VPN server:
```sh
# 10.8.0.1 is the server's own tun0 address; this route only carries traffic if the home-side
# VPN client is connected and forwards packets for its LAN
sudo ip route add 192.168.1.0/24 via 10.8.0.1 dev tun0
```
3. On your home router, enable port forwarding:
- Forward UDP 1194 to your home computer's IP.
Now, you should be able to remotely access your home computer securely via OpenVPN! 🚀
Let me know if you need help debugging! 😃