Amazon Web Services EC2 Community Appliance Quick Start Guide

Quick Start Guide for the Amazon Web Services EC2 Community Appliance (AMI)

Please register for an account on our website to purchase licenses for your Access Server EC2 Appliance: https://openvpn.net/index.php/login.html

Current appliance version is: 2.1.9

Last updated: June 29, 2017

Introduction

The Amazon Web Services EC2 appliance (AMI) is a 64-bit appliance you can launch on Amazon EC2/VPC to quickly set up your VPN server in the cloud. To make it more convenient for you to deploy your server in the region closest to you, we currently offer the AMI in all of Amazon's publicly available regions.

Launching the AMI

To get started, log on to your AWS Management Console. Once logged on, select EC2 from the list of services available to you. You may then select the region you want to launch your instance(s) in by using the drop-down menu in the top right-hand corner (e.g. Oregon). Afterward, click the Launch Instance button to begin the process of launching the appliance.

[Screenshot: LaunchInstance]

On the left-hand navigation bar, select Community AMIs:

[Screenshot: CommunityAMIs]

When the AMI selection dialog appears, type OpenVPN Access Server 2.1.9 in the search box as indicated below. The designated AMI should then appear. Click the Select button to continue with the launch process.

Important: You will see multiple results when searching for the AMI. If you are looking for the community AMI, please select the entry whose AMI ID matches exactly. The longer IDs are for our Marketplace offerings, which have a different pricing model. For more information regarding our Marketplace offering, please see the Marketplace Quick Start Guide.

The current AMI offerings are as follows (please always use the latest AMI IDs when searching for the instance):

US East (Virginia) - ami-d7576bc1
US East (Ohio) - ami-5f35143a
US West (Oregon) - ami-d10819a8
US West (Northern California) - ami-ee89a58e
EU West (Ireland) - ami-015fbb78
EU West (London) - ami-022f3966
EU Central (Frankfurt) - ami-906ccdff
Asia Pacific (Singapore) - ami-76ef6715
Asia Pacific (Tokyo) - ami-eb9c8f8c
Asia Pacific (Seoul) - ami-d4459aba
Asia Pacific (Sydney) - ami-f981929a
Asia Pacific (Mumbai) - ami-fca0de93
South America (Sao Paulo) - ami-349af058
Canada (Central) - ami-9d912ef9

[Screenshot: AMISelect]

In the Instance Type section, select the instance properties appropriate for your deployment.

Instance Type: Micro is usually sufficient to run a basic VPN server setup. If you believe your server has a load that exceeds what is offered in the Micro tier, select a higher tier here. If you need more information on Amazon EC2 tiers, please refer to the Amazon EC2 documentation. Some of these tiers require that you launch your instance in a VPC network. For instructions on how to create a VPC network, please refer to the Amazon VPC Getting Started Guide.

After you have selected the correct instance tier, click Next: Configure Instance Details.

In the Configure Instance Details dialog, configure the instance as follows:

Number of instances: Unless you have another reason to run more than one instance, leave this number at 1.
Purchasing option: The Request Spot Instances checkbox should be Unchecked if you plan to apply a purchased license key to this instance, as Spot Instances have a very short lifespan and may negatively affect your license validity if your license has exceeded its reactivation limits. Please consider using our Marketplace tiered instances for spot instances as no license keys are required for those types of instances.
Network: Generally speaking, you should group your instances inside a VPC for optimal VPN connectivity. If you have already done this, select the appropriate VPC here. If you have no plans to use a VPC, select the Launch into EC2-Classic option (note this option is not available if you are selecting an HVM-based tier). If you do not want to manage an elastic IP for your VPN server while inside a VPC, select the Auto-assign Public IP option and make sure this is set to Enable or that the default has this option turned on. Unlike an elastic IP, however, the auto-assigned IP is not portable and you will not be able to reclaim this IP for use within another instance of your VPC. You will also need to reconfigure your instance and clients every time your IP changes if the auto-assigned IP address is used. For this reason, it is highly recommended that you use an Elastic IP for your deployments. The Elastic IP can always be added at a later time, and is covered by this guide at a later step.
IAM role: If your organization is using IAM based ACLs, select the proper IAM role here.
Shutdown behavior: It is strongly encouraged that you select Stop (and not Terminate) here, unless you are performing testing and would like the instance to be deleted upon shutdown.
Enable termination protection: Check this box if you would like to disable the ability for users to delete this instance without disabling this protection first.
Monitoring: Select this option if you would like to enable detailed CloudWatch monitoring for the instance.
Tenancy: Shared tenancy is suitable for most workloads. If your workload demands are high and you find that your VPN server is suffering from performance-related issues, you may consider using a Dedicated instance here. Additional charges will apply.

You should be able to leave the Advanced Details section untouched unless you would like to specify custom user-data. If you intend to do so, please provide it in the format below.

AWS parameters supplied as user-data
---------------------------------------------

Define as:

KEY1=VALUE1
KEY2=VALUE2
...

Do not quote keys or values or use spaces on either side
of the '=' character. All parameters are optional.

public_hostname -- hostname that clients should use to contact the server.

admin_user (default=openvpn) -- Access Server administrative account name.

admin_pw -- administrative account initial password. Note that
this parameter is communicated to the instance via a
cleartext channel. A more secure method would be to ssh
to the instance and use the passwd command to set the
password.

license -- Access Server license key (without a license key, the
Access Server will support up to 2 concurrent connections).

reroute_gw (boolean, default=0) -- if 1, clients will route internet
traffic through the VPN.

reroute_dns (boolean, default=0) -- if 1, clients will route DNS
queries through the VPN.

In addition, the VPC CIDR block (if defined) will be made accessible to
VPN clients via NAT.
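The user-data format above is easy to get wrong (a stray quote or a space around the '=' silently breaks a key), so the following is an added example, not part of the original guide: a small POSIX shell script that writes a constructed user-data file with the keys documented above and validates it against the stated rules before you paste it into the Advanced Details section. The hostname vpn.example.com is a placeholder; the check only knows the six keys the guide lists.

```shell
#!/bin/sh
# Added example (not from the OpenVPN guide): build and validate an EC2
# user-data file in the bare KEY=VALUE format the appliance expects.

# The parameters documented for this appliance.
KNOWN_KEYS="public_hostname admin_user admin_pw license reroute_gw reroute_dns"

# write_sample_userdata FILE -> writes a constructed example (placeholder hostname).
write_sample_userdata() {
  printf '%s\n' \
    'public_hostname=vpn.example.com' \
    'admin_user=openvpn' \
    'reroute_gw=1' \
    'reroute_dns=1' > "$1"
}

# validate_userdata FILE -> 0 if every non-empty line is KEY=VALUE with a
# documented key, no quotes and no whitespace around '='; 1 otherwise.
validate_userdata() {
  rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    case "$line" in
      *\"*|*\'*)     echo "quotes are not allowed: $line" >&2; rc=1; continue ;;
      *" ="*|*"= "*) echo "no spaces around '=': $line" >&2; rc=1; continue ;;
    esac
    key=${line%%=*}
    val=${line#*=}
    if [ "$key" = "$line" ]; then
      echo "missing '=': $line" >&2; rc=1; continue
    fi
    found=0
    for k in $KNOWN_KEYS; do [ "$k" = "$key" ] && found=1; done
    if [ "$found" -ne 1 ]; then
      echo "unknown key: $key" >&2; rc=1; continue
    fi
    case "$key" in
      reroute_gw|reroute_dns)
        case "$val" in
          0|1) ;;
          *) echo "$key must be 0 or 1, got: $val" >&2; rc=1 ;;
        esac ;;
      admin_pw)
        # The guide notes user-data travels in cleartext; setting the password
        # over ssh with passwd is the safer route.
        echo "note: admin_pw is delivered in cleartext; consider passwd over ssh instead" >&2 ;;
    esac
  done < "$1"
  return "$rc"
}

# Usage: write the sample and validate it.
f=$(mktemp)
write_sample_userdata "$f"
validate_userdata "$f" && echo "user-data OK: $f"
```

Run it before launching; a non-zero exit means at least one line would not be accepted as written. The reroute flags are checked as booleans because the guide defines them that way.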

After configuring your instance, select Next: Add Storage to continue with the launch process.
The default options are shown below:

The default disk size is set to 8 GB. If you need a larger disk for whatever reason, select a larger size here and click Next: Tag Instance.

[Screenshot: TagInstance]

If you have any tags you would like to enter for your appliance, you may enter them here. Otherwise, click Continue to proceed.
To specify a name for your appliance, use the key Name, and the name of your appliance as the Value (e.g. Key=Name, Value=My VPN Server).

Click Next: Configure Security Group.

[Screenshot: VPNFW]

In the Configure Security Group dialog, give the group a descriptive name and description (this can be anything to your liking, e.g. VPN). Afterwards, set up the following rules for your appliance (select the appropriate rule type (e.g. TCP or UDP), add the port numbers below, and click the Add Rule button):

Custom TCP rule(s) - leave source as 0.0.0.0/0 unless you want to restrict appliance access to certain IP addresses:

22 - SSH, used to remotely administer your appliance. It is recommended that you restrict this port to trusted IP addresses. If you do not want to do this, leave the source as 0.0.0.0/0. To restrict ports to a specific subnet, enter the port number, then the subnet in CIDR notation (e.g. 12.34.56.0/24). For single IP addresses, /32 will need to be appended at the end (e.g. 22.33.44.55/32 for IP address 22.33.44.55). Click the Add Rule button when you are done with the rule, and repeat the process as needed.

443 - HTTPS, used by OpenVPN Access Server for the Client Web Server. This is the interface used by your users to log on to the VPN server and retrieve their keying and installation information. It is recommended that you leave this open to the world (i.e. leaving the source as 0.0.0.0/0). The OpenVPN Admin Web UI by default is also enabled on this port, although this can be turned off in the settings. In multi-daemon mode, the OpenVPN TCP daemon shares this port alongside the Client Web Server, and your clients will initiate TCP based VPN sessions under this port number.

943 - The port number used by the Admin Web UI. By default, the Admin Web UI is also served on port 443. For security reasons, you can turn this setting off and restrict the Admin Web UI port to trusted IP addresses only.

Custom UDP rule(s) - leave source as 0.0.0.0/0 unless you want to restrict appliance access to certain IP addresses:

1194 - OpenVPN UDP port, used by your clients to initiate UDP based VPN sessions to the VPN server. This is the preferred way for your clients to communicate and this port should be open to all of your clients. You may change this port number in the settings to a non-standard port in the Admin Web UI if desired.
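The four rules above split into two classes: ports every client must reach (443 and 1194) and administrative ports that should be limited to trusted addresses (22 and 943). The following is an added example, not part of the original guide: a POSIX shell script that holds that rule set as a small table, audits it so no administrative port is left open to 0.0.0.0/0, and prints the equivalent aws ec2 authorize-security-group-ingress command lines. The CIDR 203.0.113.0/24 is a documentation range standing in for your trusted admin network, and sg-PLACEHOLDER is not a real security group ID; nothing in the script talks to AWS.

```shell
#!/bin/sh
# Added example (not from the OpenVPN guide): audit the guide's security group
# rules and render them as AWS CLI commands. Runs fully offline.

# Constructed rule table: protocol, port, source CIDR.
# 203.0.113.0/24 is a documentation range used here as the trusted admin network.
RULES='tcp 22 203.0.113.0/24
tcp 443 0.0.0.0/0
tcp 943 203.0.113.0/24
udp 1194 0.0.0.0/0'

# Ports only administrators need: SSH and the Admin Web UI.
ADMIN_PORTS="22 943"

# audit_rules TABLE -> prints one line per admin port exposed to 0.0.0.0/0 and
# returns the number of findings (0 means the table follows the guide).
audit_rules() {
  printf '%s\n' "$1" | awk -v admin="$ADMIN_PORTS" '
    BEGIN { n = split(admin, a, " "); for (i = 1; i <= n; i++) adm[a[i]] = 1 }
    NF == 3 && ($2 in adm) && $3 == "0.0.0.0/0" {
      printf "admin port %s/%s is open to the world\n", $1, $2; bad++
    }
    END { exit bad + 0 }'
}

# rules_to_cli GROUP_ID TABLE -> one authorize-security-group-ingress command per rule.
rules_to_cli() {
  printf '%s\n' "$2" | while read -r proto port cidr; do
    [ -n "$proto" ] || continue
    printf 'aws ec2 authorize-security-group-ingress --group-id %s --protocol %s --port %s --cidr %s\n' \
      "$1" "$proto" "$port" "$cidr"
  done
}

# Usage: only emit the commands if the audit passes.
audit_rules "$RULES" && rules_to_cli sg-PLACEHOLDER "$RULES"
```

Replace the admin CIDR with your own address (a single host needs the /32 suffix, as the guide notes) and the placeholder group ID with the one the console shows; the audit's exit code doubles as a finding count, so it slots into a pre-launch check without parsing its output.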

After all of the firewall rules are added, click the Review and Launch button to finalize the AMI creation process.

You may be asked to convert this instance to an SSD type. Generally, the SSD type is not needed since the VPN server will not be disk I/O bound. However, please consider converting the disk if this is appropriate for your deployment. To continue using the Magnetic disk type, select "Continue with Magnetic as the boot volume for this instance" and then click Next.

Click the Launch button after you have confirmed all of the selected options are correct.

If you have previously created a key pair, select it from the list as shown. If you have not created a key pair before in the region you are attempting to launch the instance in, create a new key pair and download the key file to your hard drive. As this key file is required for accessing the instance you are about to create, it is important that you select a key pair you have access to (or create a new one).

Note: If you select a key pair which you do not have access to, or have since lost the related key files, you will need to terminate the old instance, create a new key pair, and use that new key pair to create and connect to the newly created instance.

[Screenshot: KeySelection]


Click the Launch Instances button to initiate the launching process.

To confirm that the instance has successfully launched, watch the Instances section for status. You should see something similar to the following as your instance is being launched:

[Screenshot: LaunchWait]

Although not strictly necessary, you should allocate a static IP address for your appliance so the IP address can be reclaimed in case of machine failure/shutdown/reboot. To do so, visit the Elastic IPs section in the left navigation panel.

[Screenshot: ElasticIP]

Click the Allocate New Address button.

[Screenshot: AllocateNewEIP]

Select the IP address type you would like to allocate. This should match the type of instance you have launched previously. Afterward, click the Yes, Allocate button.

[Screenshot: AllocateType]

Right click the IP address that was created, and then click Associate Address.

[Screenshot: AssociateAddr]

Select the instance ID this IP address should be associated to. The instance ID can be found in the Instances section, right next to the instance name. In our case, the instance ID is i-99a04ffe.

[Screenshot: InstanceAssoc]

Connecting to your new AMI

Once your new AMI is successfully launched, you will need to SSH into the console using an SSH client and the private key pair you used or created previously.
In this section, we will cover the most common case for users using the Windows operating system, and the PuTTY SSH client. If you have a different configuration, please follow Amazon's specific instructions on how to connect to your instance.

If you have not done so already, download the PuTTY and the PuTTYgen tools from this page: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Launch the PuTTYgen tool, then click Conversions -> Import Key. Select the key file you have previously used or generated, and click Open.

After PuTTYgen has successfully loaded your key file, click the Save Private Key button, and save the private key to a safe place. (You may want to protect your private key with a passphrase, although this is not strictly necessary.)

The PuTTYgen tool will no longer be needed at this point. To continue, open the PuTTY client you have downloaded earlier.

In the Host name (or IP address) section, enter the static IP address you have allocated previously. In our case, this is 23.21.108.51.

Then, on the left navigation panel, navigate to SSH->Auth.

Under the Private key file for authentication: section, click Browse... and select the private key file that PuTTYgen has generated in the previous step.

To connect to the server, simply click the Open button. However, to simplify the process in the future, you may want to save these settings as a profile. To do so, return to the Session category on the top, select a name for your session under the Saved Sessions box, and then click the Save button. The settings then can be loaded back by double clicking the profile, or by selecting the profile, and then clicking the Load button.

Upon connecting, you will receive a warning that PuTTY has not seen this server before. It is safe to simply click Yes on this dialog; if you want to verify the host key first, compare the fingerprint shown against the one printed in the instance's system log (Instances -> Actions -> Get System Log), which lists the SSH host key fingerprints generated on first boot.

When prompted, log in as openvpnas, and then press Enter. (NOTE: If you are using previous versions of our appliance, the username used is root instead of openvpnas.)

If the private key you have specified was correct, you should now be logged in and the OpenVPN Access Server Setup Wizard should now be started. Follow the instructions below to begin configuring your server.

Running the OpenVPN Access Server Setup Wizard (required, if no Amazon user-data was specified)

The OpenVPN Access Server Setup Wizard runs automatically upon your initial login to the appliance. If you would like to run this wizard again in the future, issue the sudo ovpn-init --ec2 command in the terminal.

Read through the EULA, and enter yes to indicate your agreement.

> Will this be the primary Access Server node?
Explanation: If this is your initial Access Server node, press Enter to accept the default setting. Otherwise, if you are setting up your failover node, change this to say no.

> Please specify the network interface and IP address to be used by the Admin Web UI:
Explanation: This will be the interface where OpenVPN Access Server will listen for Admin Web UI requests. Make sure you have access to the interface listed, otherwise you will be unable to log in to your server. If you are uncertain about which interface to use, select option 1 for all interfaces. Do note that if your network did not assign your appliance a DHCP lease, or if you are planning to use a static IP for your server, you will need to specify all interfaces here and follow the instructions for assigning a Static IP in the later section of this article. This option may be changed any time after the completion of the wizard in the Web Admin UI.

> Please specify the port number for the Admin Web UI.
Explanation: This is the port you will use to access the web-based administration area. It is usually safe to leave this at the default port unless customization is desired.

> Please specify the TCP port number for the OpenVPN Daemon
Explanation: This is the port clients will use to connect to your VPN server. This port will have to be forwarded to the Internet if your server is behind a NAT-based router. By default the web-based administration area also runs on this port for your convenience, although this setting can be disabled in the Admin Web UI.

> Should client traffic be routed by default through the VPN?
Explanation: If you only have a small network you would like your remote users to reach over the VPN, select no. Otherwise, if you would like everything to go through the VPN while the user is connected (especially useful if you want to secure data communications over an insecure link), select yes for this option.

> Should client DNS traffic be routed by default through the VPN?
Explanation: If you would like your VPN clients to be able to resolve local domain names using an on-site DNS server, select yes for this option. Otherwise, select no. Do note that if you selected yes for the previous option, all traffic will be routed over the VPN regardless of what you set for this setting here.

> Use local authentication via internal DB?
Explanation: If you would like OpenVPN Access Server to keep an internal authentication database for authenticating your users, select yes for this option. When this option is turned on, you will be able to define and/or change usernames and passwords within the Admin Web UI. If you select no for this option, Linux PAM authentication will be used and you will need to add/change/delete users within the Linux operating system itself. If you would like to use LDAP or RADIUS as your authentication method, you will need to change this after you log in to the Web Admin UI.

> Should private subnets be accessible to clients by default?
Explanation: This option defines the default security setting of your OpenVPN Access Server. When "Should client traffic be routed by default through the VPN?" is set to no, it defines the list of subnets that your VPN clients are able to access. You are able to add more entries to this list once you log in to the Admin Web UI area. This option will have no effect if "Should client traffic be routed by default through the VPN?" is set to yes.

> Do you wish to login to the Admin UI as "openvpn"?
Explanation: This defines the initial username that you would use to log in to the Access Server Admin UI area. This username will also serve as your "lock out" administrator username should you ever lock yourself out of your own server. If you would like to specify your own username, select no. Otherwise, accept yes for the default.
> > Specify the username for an existing user or for the new user account:
Explanation: Enter the initial username you would like to use instead of the default 'openvpn'.
> Type the password for the 'user' account:
> Confirm the password for the 'user' account:
Explanation: Specify the password you would like to use for the account.

> > Please specify your OpenVPN-AS license key (or leave blank to specify later):
Explanation: If you have purchased a license key for your OpenVPN Access Server software, enter it here. Otherwise, leave it blank. OpenVPN Access Server includes two free licenses for testing purposes.

After you complete the setup wizard, you can access the Admin Web UI area to configure other aspects of your VPN. Please note that as Amazon does not reveal the elastic/external IP inside the machine, the links displayed within the setup wizard will not work in accessing the web interfaces. For this reason, you will need to replace the internal IP address with the external IP that Amazon has given you. As mentioned previously, you will be able to access the Admin Web UI on both the VPN port and the Admin port unless you disable this behavior in the Admin Web UI.

Note: If you selected yes to the Do you wish to login to the Admin UI as "openvpn"? option in the setup wizard, you will need to define the password for this account by running:
sudo passwd openvpn
and press Enter.

Changing Default Hostname (optional)

If you did not assign an elastic IP prior to launching the instance, or you have a custom hostname you would like to use, you will need to log in to the Web Admin UI and configure the Hostname parameter manually (inside the Server Settings section). You may use either an IP address or a hostname here, although it is strongly recommended that you use a hostname, since your clients depend on this setting to know where to connect.

Note: If you leave this setting as the default, NONE of your clients will be able to connect to your VPN server since by default it is set to a non-routable (private) IP address!

Changing Default Timezone (optional)

The default timezone is set to US (Pacific - Los Angeles). If you reside in another timezone and would like to change this setting, run the following command (you will be asked which timezone you would like to set):

sudo dpkg-reconfigure tzdata

The system will show the new local time after this setting is configured.

Disabling the Lock Out (aka bootstrap) account (optional)

In the setup wizard, you were prompted to create an initial username and password that allowed you to log in to the Admin Web UI. This username and password combination will always be active regardless of its status in the "User Permissions" area. This might be undesirable if your server is facing the Internet, since anyone who has this username and password combination will have full administrator rights to change any setting in your Access Server Admin Web UI. After you have created a secondary administrator account in the Admin Web UI, you may disable this lock out account by following the steps below:

  1. Enter the command: sudo nano /usr/local/openvpn_as/etc/as.conf
  2. Press the Page Down key on your keyboard and scroll down with your Down arrow key until you see entries starting with boot_pam_users.
  3. Put a # sign before the entry correlating to the bootstrap username you have created previously. Usually this is the boot_pam_users.0= entry. DO NOT put a # sign before the boot_pam_service entry. Doing so will cause unexpected behaviors in your VPN server.
  4. Press CTRL+O, and then press Enter. Then press CTRL+X to exit the editor.
  5. Restart the VPN server by entering the following command: sudo /etc/init.d/openvpnas restart

You may choose to re-enable this feature at any time by removing the # sign from the aforementioned file and restarting Access Server.
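Steps 1 to 5 above come down to one careful edit: comment out the boot_pam_users.N= entries and nothing else, in particular not boot_pam_service. The following is an added example, not part of the original guide or of Access Server itself: a POSIX shell script that makes exactly that change on a copy of as.conf, keeps a backup, and checks the result before you restart the service. The as.conf excerpt it writes is a constructed sample (the real file holds many more keys, and the value openvpnas for boot_pam_service is assumed for the sample); to apply it for real, run disable_bootstrap_users with sudo against /usr/local/openvpn_as/etc/as.conf and then restart as in step 5.

```shell
#!/bin/sh
# Added example (not from the OpenVPN guide): disable the bootstrap (lock-out)
# admin account by commenting out boot_pam_users.N= lines in as.conf while
# leaving boot_pam_service untouched, then verify before restarting.

# write_sample_conf FILE -> constructed as.conf excerpt for demonstration only.
write_sample_conf() {
  cat > "$1" <<'EOF'
# constructed sample, not a real as.conf
boot_pam_service=openvpnas
boot_pam_users.0=openvpn
boot_pam_users.1=backupadmin
EOF
}

# disable_bootstrap_users CONF -> keeps CONF.bak and rewrites CONF so every
# active boot_pam_users.N= line starts with '#'. Only that key is matched, so
# boot_pam_service and already-commented lines are left exactly as they are.
disable_bootstrap_users() {
  conf=$1
  cp "$conf" "$conf.bak"
  sed 's/^\([[:space:]]*\)\(boot_pam_users\.[0-9][0-9]*=\)/\1#\2/' "$conf.bak" > "$conf"
}

# check_bootstrap_disabled CONF -> 0 if no active boot_pam_users line remains
# and boot_pam_service is still present and uncommented; 1 otherwise.
check_bootstrap_disabled() {
  if grep -q '^[[:space:]]*boot_pam_users\.' "$1"; then
    echo "an active boot_pam_users entry is still present" >&2
    return 1
  fi
  if ! grep -q '^[[:space:]]*boot_pam_service=' "$1"; then
    echo "boot_pam_service is missing or commented out; restore from $1.bak" >&2
    return 1
  fi
  return 0
}

# Usage on the constructed sample (on a real server: sudo and the real as.conf path).
conf=$(mktemp)
write_sample_conf "$conf"
disable_bootstrap_users "$conf"
check_bootstrap_disabled "$conf" && \
  echo "bootstrap account disabled in $conf; now run: sudo /etc/init.d/openvpnas restart"
rm -f "$conf" "$conf.bak"
```

The check is what step 3's warning is about: if boot_pam_service ends up commented out, the script reports it and points at the backup instead of letting you restart into a broken configuration.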

Disabling Source / Dest Check for VPN Instance (recommended)

If your VPN setup consists of a site-to-site setup between your cloud instances and your machines on-premises, you will need to disable the source/destination check on Amazon, otherwise routing will not function properly. To do this, right click on the VPN instance, select Change Source/Dest. Check and make sure the status is Disabled.

Updating Operating System Software (recommended)

Between the time we generated the appliance and the time you download and start using it, many operating system updates might have become available. To make sure your appliance operating system is up to date, execute the following commands:

sudo apt-get update && sudo apt-get upgrade