In the era of remote work, the security of data transmission is paramount. A Virtual Private Network (VPN) serves as a secure tunnel for data transfer across the internet. OpenVPN, a robust and flexible VPN solution, can be deployed on an Amazon EC2 instance to provide businesses with a secure, private connection to their cloud resources. This guide details the setup process, including the use of an Elastic IP for reliable access, installation steps for both Ubuntu and Amazon Linux 2, Terraform for resource provisioning, client setup instructions across various operating systems, and user management.
Initial Setup: EC2 Instance and Elastic IP Configuration
Provisioning the EC2 Instance
First, launch an EC2 instance using the Amazon Web Services (AWS) Management Console. Select Ubuntu or Amazon Linux 2 as the operating system, considering that each has slightly different setup commands. For this guide, we will provide instructions for both.
Assigning an Elastic IP (EIP)
To ensure your VPN server is accessible through a static IP address, allocate and associate an Elastic IP with your EC2 instance:
- Go to the EC2 Dashboard, navigate to “Elastic IPs” and allocate a new address.
- Associate this new EIP with your EC2 instance to ensure a constant public IP address, facilitating reliable access to the VPN.
Terraform Automation
For those who prefer infrastructure as code, here’s a Terraform snippet to automate the creation of an EC2 instance, security group, and EIP:
```hcl
provider "aws" {
  region = "your-aws-region"
}

resource "aws_instance" "vpn_server" {
  ami                    = "ami-123456" # Use the appropriate AMI for Ubuntu or Amazon Linux 2
  instance_type          = "t3.micro"
  key_name               = "your-keypair-name"
  subnet_id              = "your-subnet-id"
  source_dest_check      = false # Required for VPN to function: the instance forwards traffic not addressed to it
  vpc_security_group_ids = [aws_security_group.vpn_sg.id]

  tags = {
    Name = "OpenVPN-Server"
  }
}

resource "aws_security_group" "vpn_sg" {
  name        = "openvpn-sg"
  description = "Security group for OpenVPN Server"
  vpc_id      = "your-vpc-id"

  # SSH for administration; narrow cidr_blocks to your admin address range rather than leaving it open.
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # OpenVPN clients connect on UDP 1194 (the install script's default port).
  ingress {
    from_port   = 1194
    to_port     = 1194
    protocol    = "udp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Allow all outbound traffic so forwarded client traffic can leave the instance.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_eip" "vpn_eip" {
  instance = aws_instance.vpn_server.id

  tags = {
    Name = "OpenVPN-EIP"
  }
}
```
Replace the placeholders with your actual configuration details to create the necessary AWS resources for your OpenVPN server.
Preparing the Instance
Regardless of the OS, certain steps are necessary to prepare your instance for OpenVPN:
- Disable Source/Destination Check: This allows the EC2 instance to route traffic not specifically addressed to it, a necessity for a VPN server.
- IP Forwarding: Ensure IP forwarding is enabled to allow traffic to flow through the VPN server to your AWS resources or the internet.
Ubuntu (the stock sysctl.conf ships the setting commented out, so uncommenting it is enough):
```bash
sudo sed -i '/net.ipv4.ip_forward/s/^#//g' /etc/sysctl.conf
sudo sysctl -p
sysctl net.ipv4.ip_forward   # should print net.ipv4.ip_forward = 1
```
Amazon Linux 2 (sysctl.conf usually contains no ip_forward line at all, so append it if the sed finds nothing; sysctl -w enables it immediately):
```bash
sudo sed -i '/net.ipv4.ip_forward = 1/s/^#//g' /etc/sysctl.conf
grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -w net.ipv4.ip_forward=1
sysctl net.ipv4.ip_forward   # should print net.ipv4.ip_forward = 1
```
Streamlined OpenVPN Setup on EC2 Using a Popular Script
Setting up OpenVPN on an AWS EC2 instance can be significantly simplified by using a popular script that automates the installation and initial configuration process. This approach is applicable for both Ubuntu and Amazon Linux 2 operating systems, making it a convenient option for businesses seeking a quick deployment. Here’s how to use the script:
Prerequisites
- An EC2 instance running Ubuntu or Amazon Linux 2.
- SSH access to your instance.
Installation Steps
For Ubuntu and Amazon Linux 2
Step 1: Connect to Your EC2 Instance: Use SSH to connect to your instance. For Ubuntu, the default user is `ubuntu`, and for Amazon Linux 2, it's `ec2-user`.
Step 2: Download and Execute the Script: The script automates the OpenVPN server setup, including user and server configuration. Run the following command in your EC2 instance:bash
wget https://git.io/vpn -O openvpn-install.sh && sudo bash openvpn-install.sh
Step 3: Follow the Script Prompts: The script will ask several questions to configure your VPN server, such as:
- IP address of the network interface you wish to use (automatically detected and suggested by the script).
- Port number and DNS settings.
- Client name for the first VPN user.
Step 4: Complete the Installation: Once the script completes, it will output a `.ovpn` file, which is used to connect to your VPN server.
Additional Configuration and Tips
- Firewall Rules: Ensure your EC2 security group allows UDP traffic on the port you selected during the setup (default is 1194).
- Managing VPN Users: The script also facilitates easy management of VPN users. To add more users or revoke access, simply re-run the script and follow the prompts.
- Elastic IP: To ensure your VPN server has a static IP address, associate an Elastic IP with your EC2 instance. This prevents changes in the server’s IP address from disrupting your VPN connections.
Using this script significantly streamlines the OpenVPN setup process on AWS EC2 instances, making it accessible even to those with minimal server management experience. By automating the installation and initial configuration, businesses can quickly establish a secure, private network connection for remote access to their resources.
Establishing VPN Connections
Linux Client Setup
- Install OpenVPN, transfer the `.ovpn` configuration file to your client machine, and connect using `sudo openvpn --config yourfile.ovpn`.
Windows Client Setup
- Download and install the OpenVPN client, add the `.ovpn` configuration file to the specified directory, and connect through the OpenVPN GUI.
macOS Client Setup
- Install Tunnelblick, add the `.ovpn` configuration file, and connect via the Tunnelblick menu.
Managing Users
Adding or removing users is crucial for maintaining your VPN’s security and efficiency. Use the OpenVPN script or manual certificate generation and revocation processes to manage user access.
- Adding Users: Run the OpenVPN installation script again or manually generate a new client certificate.
- Removing Users: Use the script’s user revocation option or manually revoke the client certificate.
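When users are added or revoked manually rather than through the script, easy-rsa's `pki/index.txt` is the record of which client certificates still exist, and a revocation only takes effect once a fresh CRL has been generated and installed on the server. The audit below is an added example, not code from this guide or the install script; it assumes the tab-separated OpenSSL CA database format that easy-rsa writes, and the sample records, common names, server CN and dates are constructed.

```python
from datetime import datetime, timezone

# Constructed sample of easy-rsa's pki/index.txt (assumed to live under
# /etc/openvpn/easy-rsa/pki on a server set up with the install script).
# Tab-separated fields: status (V/R/E), expiry, revocation time, serial, filename, subject.
SAMPLE_INDEX = (
    "V\t330101120000Z\t\t01\tunknown\t/CN=server_placeholder\n"
    "V\t330101120000Z\t\t02\tunknown\t/CN=alice-laptop\n"
    "R\t330101120000Z\t240301090000Z\t03\tunknown\t/CN=bob-phone\n"
    "V\t230101120000Z\t\t04\tunknown\t/CN=contractor-2022\n"
)

def asn1_time(value):
    """Parse OpenSSL's UTCTime form (YYMMDDHHMMSSZ) into an aware datetime."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text):
    """Return one dict per certificate record in index.txt."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expires, revoked, serial, _fname, subject = line.split("\t")
        records.append({"cn": subject.rsplit("/CN=", 1)[-1], "serial": serial,
                        "status": status, "expires": asn1_time(expires),
                        "revoked_at": asn1_time(revoked) if revoked else None})
    return records

def audit(text, now, server_cn, crl_generated_at):
    """Classify client certs and flag revocations newer than the installed CRL:
    an 'R' entry only blocks a client once gen-crl has run and crl.pem was reinstalled."""
    report = {"active": [], "expired": [], "revoked": [], "crl_stale_for": []}
    for rec in parse_index(text):
        if rec["cn"] == server_cn:          # the server's own certificate is not a user
            continue
        if rec["status"] == "R":
            report["revoked"].append(rec["cn"])
            if rec["revoked_at"] > crl_generated_at:
                report["crl_stale_for"].append(rec["cn"])
        elif rec["status"] == "E" or rec["expires"] <= now:
            report["expired"].append(rec["cn"])
        else:
            report["active"].append(rec["cn"])
    return report
```

Pass the modification time of the CRL the server actually loads (the file named by `crl-verify` in server.conf) as `crl_generated_at`; any name under `crl_stale_for` can still connect until the CRL is regenerated.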
Projected Cost of Running OpenVPN on a t3.small Instance
Deploying OpenVPN on a t3.small instance on AWS is a cost-efficient way for businesses to ensure secure data transmission for their teams. Here’s a concise breakdown of the costs involved in running this setup 24/7:
EC2 Instance Costs
- Instance Type: t3.small
- Pricing: Outside the AWS Free Tier, a t3.small instance typically costs between $0.0208 and $0.0236 per hour. For continuous operation (24 hours a day for a month), the monthly cost would range from approximately $14.98 to $16.99.
Data Transfer Costs
- Data Transfer: AWS charges for data transfer out to the internet beyond the first 1 GB per month, starting at $0.09 per GB. Given the VPN usage, this cost can vary widely but remains manageable for modest data usage.
Elastic IP Costs
- Elastic IP: There’s no additional charge for an Elastic IP (EIP) as long as it remains associated with a running instance. Unassociated EIPs cost $0.005 per hour, so it’s cost-effective to keep the EIP attached to the active VPN server.
Total Monthly Cost
Given continuous operation, the total monthly cost for running an OpenVPN server on a t3.small instance, excluding significant data transfer out costs, is approximately $15 to $20. This estimate makes it a highly affordable solution for small to medium-sized businesses needing secure, remote access capabilities.
Wrapping Things Up
Deploying OpenVPN on an AWS EC2 instance provides a secure, scalable, and cost-effective VPN solution for businesses. By following this detailed guide, you can ensure reliable access to your VPN server with an Elastic IP, automate resource provisioning with Terraform, and facilitate secure connections from various operating systems. Regular user management further enhances the security and efficiency of your VPN service, supporting your business’s remote work needs and protecting sensitive data transactions.