Site-to-Site VPN in AWS: How-To Guide for OpenVPN Access Server – Linux Hint

By Mark, May 5, 2026
Introduction

Unlock seamless and secure connectivity between your on-premises network and AWS cloud resources with a robust site-to-site VPN setup. This comprehensive guide delves into configuring a Linux VPN gateway to bridge your local LAN with an AWS Virtual Private Cloud (VPC) using the powerful OpenVPN Access Server. Discover how to transform disparate networks into a unified, private environment, safeguarding your critical data and applications. Dive in to master secure cloud connectivity and empower your hybrid infrastructure.

Establishing Secure Cloud-to-On-Premises Connectivity with OpenVPN

Corporate resources hosted on a cloud platform such as AWS should not be reachable from the public Internet just because an on-premises office needs to use them. A site-to-site VPN addresses this by creating an encrypted tunnel between two networks, so that hosts on either side can reach each other by their private addresses as if they shared one network, while nothing is exposed on a public IP except the tunnel endpoint itself. This setup is useful for companies that keep sensitive data or applications on AWS and want every device in both environments to communicate over an authenticated, encrypted path.

This article provides a step-by-step guide to configuring a dedicated Linux machine as your Linux VPN gateway for your local network, establishing a secure site-to-site VPN connection with AWS. We’ll leverage the convenience of the OpenVPN Access Server/Self Hosted VPN (PayG) Amazon Machine Image (AMI), enabling a swift, one-click deployment on an EC2 instance, bypassing complex manual installations.

Preparing Your AWS Environment for Site-to-Site VPN

Before deploying the OpenVPN on AWS Access Server, we must ensure our AWS network is properly configured. This involves setting up a Virtual Private Cloud (VPC) and essential networking components to host our VPN solution.

Getting Your AWS Network Ready

To begin, access your AWS Management Console and navigate to the VPC service.

Creating a Dedicated AWS VPC

  1. From the VPC dashboard, click on "Your VPCs" and then "Create VPC".
  2. In the VPC Settings, select "VPC and more". Assign a memorable name tag, such as "openvpn-vpc".
  3. Crucially, set the IPv4 CIDR Block to 10.0.0.0/16. This leaves ample room for subnets and, more importantly, avoids overlapping the address space of common home networks (192.168.x.x), which would break routing: a destination that exists on both sides of a tunnel can only be routed to one of them. Check this against your own LAN before you commit to it (an office already using 10.0.x.x would need a different VPC range), and keep the Access Server's own client pool (172.27.224.0/20 by default) disjoint from both as well.
  4. Retain all other default settings.
    Upon successful creation, AWS automatically provisions necessary networking components including public and private subnets, routing tables, and an internet gateway. You can inspect these by clicking on their respective IDs.
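The overlap rule above is the one thing you cannot fix later without renumbering a network, so it is worth checking mechanically before the VPC is created. The following script is an added example and not part of the Linux Hint article: it takes the three ranges a site-to-site tunnel must keep distinct (your LAN, the VPC CIDR, and the Access Server's client address pool) and reports any pair that overlaps. The default values are assumptions matching this guide; 172.27.224.0/20 is the Access Server's documented default client pool and should be replaced with whatever your server shows under "Dynamic IP Address Network".

```shell
#!/bin/sh
# Added example (not from the Linux Hint article): confirm that the three
# address ranges a site-to-site tunnel must keep distinct do not overlap.
# The defaults are assumptions: change them to your LAN, your VPC CIDR and
# the Access Server client pool (172.27.224.0/20 is its documented default).
set -eu

LAN_CIDR=${LAN_CIDR:-192.168.1.0/24}
VPC_CIDR=${VPC_CIDR:-10.0.0.0/16}
VPN_POOL=${VPN_POOL:-172.27.224.0/20}

# ip_to_int 192.168.1.0 -> 3232235776 (dotted quad to a 32-bit integer)
ip_to_int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_range CIDR -> "<first address> <last address>" as integers, with the
# host bits cleared so that 192.168.1.77/24 is treated as 192.168.1.0/24.
cidr_range() {
    _bits=${1#*/}
    _base=$(ip_to_int "${1%/*}")
    _size=$(( 1 << (32 - _bits) ))
    _first=$(( _base / _size * _size ))
    echo "$_first $(( _first + _size - 1 ))"
}

# cidr_overlap A B -> exit 0 if the two ranges share any address, 1 otherwise.
# Two intervals overlap exactly when each one starts before the other ends.
cidr_overlap() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_plan LAN VPC POOL -> exit 1 and name every pair that collides
check_plan() {
    _rc=0
    for _pair in "$1 $2" "$1 $3" "$2 $3"; do
        _a=${_pair% *}; _b=${_pair#* }
        if cidr_overlap "$_a" "$_b"; then
            echo "OVERLAP: $_a and $_b" >&2
            _rc=1
        fi
    done
    return $_rc
}

if check_plan "$LAN_CIDR" "$VPC_CIDR" "$VPN_POOL"; then
    echo "address plan OK: $LAN_CIDR, $VPC_CIDR and $VPN_POOL are disjoint"
fi
```

Run it with your real values exported (for example `LAN_CIDR=10.0.5.0/24 sh check-cidr.sh`) and it will tell you that 10.0.5.0/24 collides with the 10.0.0.0/16 VPC before you have built anything. The check is plain POSIX shell arithmetic, so it runs on the gateway, the EC2 instance or a laptop without extra packages.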

Deploying OpenVPN Access Server on AWS EC2

With your AWS network ready, the next step is to deploy the OpenVPN on AWS Access Server.

Subscribing to OpenVPN Access Server AMI

  1. Navigate to the AWS Marketplace and subscribe to the "OpenVPN Access Server/Self Hosted VPN (PayG)" offering. This pay-as-you-go model offers scalability and flexibility.
  2. Select your desired contract duration and the number of simultaneous connections. For this tutorial, 2 connections (a free tier option) will suffice, but choose according to your needs.
  3. Add a Purchase Order (PO) if required, then double-check your selections and subscribe.

Launching the OpenVPN Access Server Stack

  1. After successful subscription, click "Set up your account" to create or sign in to your OpenVPN account.
  2. On your OpenVPN dashboard, select your preferred AWS region. For optimal latency, choose a region geographically close to your location.
  3. Click "Launch Now" to proceed to the stack creation page.
  4. Select the VPC you created earlier and ensure the Public Subnet ID belongs to this VPC.
  5. Name your EC2 instance (e.g., openvpn-server), choose an instance type (e.g., t4g.small), and select an existing SSH key pair. If you don’t have one, create it via the EC2 dashboard under "Key Pairs", ensuring you download the .pem file and keep it secure.
  6. Acknowledge the terms and click "Create stack". Upon successful stack creation, you’ll see a confirmation screen.

Accessing the OpenVPN Admin Portal

  1. Navigate to the "Outputs" tab of your newly created stack. Here, you’ll find the Admin Portal’s URL, the default username (openvpn), and a temporary password.
  2. Access the URL. The Access Server ships with a self-signed certificate, so the browser will warn about it; for this first login click "Advanced" then "Proceed". Treat that as a one-time exception: a self-signed certificate you accept blindly gives you no protection against a host interposed between you and the portal, so replace it with a CA-signed certificate (Configuration > Web Server in the Admin UI) before you rely on the portal day to day.
  3. Log in using the provided username and temporary password. Accept the license agreement. You now have full access to your OpenVPN Access Server portal.

Securing Your EC2 Instance with Inbound Rules

  1. Go to your AWS Console, search for EC2, and select "Instances".
  2. Identify your OpenVPN Access Server EC2 instance and note its Public and Private IPs.
  3. Access the instance’s security group (EC2 > Security > Group ID) and click "Edit inbound rules". Only the two VPN ports need to be reachable from the whole Internet; restrict the management ports (SSH and the admin UI) to your own public address as a /32 rather than 0.0.0.0/0:

     Type        Protocol  Port  Source          Purpose
     SSH         TCP       22    <your IP>/32    Remote login to the EC2 instance
     HTTPS       TCP       443   0.0.0.0/0       VPN client connections (TCP fallback; also serves the client web UI)
     Custom TCP  TCP       943   <your IP>/32    Admin UI + Client UI
     Custom UDP  UDP       1194  0.0.0.0/0       OpenVPN tunnel traffic

Ensure no other ports are open (945, for example, is used internally by Access Server and should never be exposed); every additional listener on a public IP is attack surface. If your home connection has a dynamic address, narrow 22 and 943 to your ISP's range instead of the whole Internet, or close 22 entirely and use EC2 Instance Connect or SSM Session Manager for shell access.

Configuring Your Linux Gateway and OpenVPN Tunnel

This section focuses on setting up your local Linux VPN gateway and establishing the secure tunnel.

Connecting to Your EC2 Instance via SSH

  1. Open your local Linux terminal and navigate to the directory where you saved your .pem key file (e.g., Downloads).
  2. Set the correct permissions for your key: chmod 400 openvpn-key.pem (ssh refuses a key that other users can read).
  3. Connect to your EC2 instance using its public IP: ssh -i openvpn-key.pem ubuntu@YOUR_EC2_PUBLIC_IP. The OpenVPN Access Server AMI documents openvpnas as its login user, so if ubuntu is refused, use openvpnas or whichever user the stack's "Outputs" tab names.
    You are now remotely connected to your AWS EC2 instance.

Essential Linux Network Configuration for Forwarding

On your AWS EC2 instance, IP forwarding is crucial for the VPN to route traffic.

  1. Check whether IP forwarding is already enabled: cat /proc/sys/net/ipv4/ip_forward. A result of 1 means it is active (Access Server normally turns it on itself). If it prints 0, enable it for the running kernel: sudo sysctl -w net.ipv4.ip_forward=1
  2. To make this permanent, edit /etc/sysctl.conf: sudo nano /etc/sysctl.conf. Uncomment the line #net.ipv4.ip_forward=1 by removing the #. Save and exit (CTRL+O, Enter, CTRL+X).
  3. Apply changes: sudo sysctl -p
  4. Configure Network Address Translation (NAT) on the EC2 instance: sudo iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE (replace ens5 with the interface that carries the instance's default route; ip route show default prints it). This rewrites the source address of traffic leaving the instance to its own IP, so VPN clients and the remote LAN can reach the VPC without the VPC needing return routes to them. Written like this the rule masquerades everything the instance forwards; in production add -s with the VPN client pool (172.27.224.0/20 by default) and the remote LAN so that only those sources are translated. Access Server also programs its own iptables rules from the Admin UI settings, so compare sudo iptables -t nat -S before and after to see what it already does.
  5. Verify iptables changes: sudo iptables -t nat -L -v -n
  6. Install iptables-persistent to save rules across reboots: sudo apt install iptables-persistent -y. Select "Yes" for both IPv4 and IPv6.
  7. Save the current iptables rules: sudo netfilter-persistent save

Fine-Tuning OpenVPN Global Access Rules

Return to your OpenVPN Admin UI.

  1. Go to "Access Controls" > "Global Access Rules".
  2. Select "Route" and check "Allow access from the private subnets to all VPN client IP addresses and subnets". Ensure the subnet is 10.0.0.0/16 (your AWS VPC CIDR). Save changes.
  3. In the "InterClient Communication" tab, select "Allow user-to-user connections" and save. This is only needed if devices on one side must reach other VPN clients; with a single gateway you can leave it off and reduce what a compromised client could reach.
  4. Now add your local LAN network (e.g., 192.168.1.0/24) to the Global Access Rules. In Access Server the setting that tells the server which subnet sits behind a particular client is the per-user "Configure VPN Gateway" option (User Permissions > the gateway's user > "Allow client to act as VPN gateway for these client-side subnets"); set it on the account the gateway will log in with, so the server installs the return route toward that client instead of pushing your own LAN back to the gateway.
    A caveat on "bi-directional": with the NAT rules in this guide, LAN hosts can open connections into the VPC and get replies. For VPC hosts to initiate connections to LAN addresses you additionally need, on the AWS side, a route for 192.168.1.0/24 in the VPC route table whose target is the Access Server's network interface, and the instance's source/destination check disabled (EC2 > Actions > Networking > Change source/destination check); without those the VPC has no path to 192.168.1.0/24 at all.

Generating and Installing the VPN Client Profile on Linux

  1. In the OpenVPN Admin Dashboard, go to "Users" > "Connection Profiles" > "New Connection Profile".
  2. Select "User-locked" and download the connection profile (.ovpn file). A user-locked profile prompts for the account's username and password on every connection, which is fine for testing. For an unattended gateway, enable "Allow Auto-login" on that user under User Permissions and download an autologin profile instead; treat that file as a credential (chmod 600, owned by root), because anyone who can read it can join the VPN as the gateway.
  3. On your local Linux machine, install the OpenVPN client: sudo apt install openvpn -y

Activating the Site-to-Site VPN Tunnel

  1. In your local Linux terminal, navigate to your downloads directory where the .ovpn profile is saved.
  2. Connect to the OpenVPN Access Server: sudo openvpn --config profile-userlocked.ovpn
  3. Enter your OpenVPN username and password. The connection will establish, and you’ll see "Initialization sequence completed", confirming the tunnel between your gateway and the AWS network. Leave this terminal window running while you test. Once it works, run it as a service instead: copy the profile into /etc/openvpn/client/ with a .conf extension and enable the matching openvpn-client@<name> systemd unit, so the tunnel comes back after a reboot without anyone logged in.

Verifying VPN Connectivity and Routing on Linux

Open a new terminal window on your local Linux machine.

  1. Verify the VPN tunnel interface: ip a. You should see a new virtual interface, typically tun0, carrying an address from the Access Server's client pool (172.27.x.x by default). All traffic between your local devices and the AWS network will pass through it.
  2. Verify routing configuration: ip route. You should observe a route for the VPC such as:
    • 10.0.0.0/16 via 172.27.232.1 dev tun0 (directs AWS VPC traffic through tun0)
      If you also see 192.168.1.0/24 via 172.27.232.1 dev tun0, look closer before calling the setup done. 192.168.1.0/24 is the LAN directly attached to this machine, and a second copy of it pointing into tun0 means the server pushed your own LAN subnet back to you (the usual result of listing the LAN under Global Access Rules rather than as this user's client-side gateway subnet). If that route wins over the directly connected 192.168.1.0/24 dev <lan-interface> entry on metric, the gateway will send its LAN traffic into the tunnel and your LAN hosts become unreachable. Use the kernel's own lookup to settle it: ip route get with an address on your LAN must report your LAN interface, and ip route get with an address inside 10.0.0.0/16 must report tun0. When both are true, traffic for the VPC is routed through the tunnel and traffic for the LAN stays local, which is what a site-to-site gateway needs.
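The two lookups described above are worth scripting, because the failure they catch (the gateway's own LAN being swallowed by the tunnel) is silent until LAN hosts stop answering. The script below is an added example and not part of the Linux Hint article. It runs on the on-premises gateway, parses the kernel's answer to ip route get for a probe address on each side, and fails if either destination would leave through the wrong interface. The interface names and probe addresses are assumptions taken from this guide; adjust them to your site.

```shell
#!/bin/sh
# Added example, not from the Linux Hint article: check from the on-premises
# gateway that VPC traffic goes into the tunnel and LAN traffic stays on the
# LAN interface. Interface names and probe addresses are assumptions.
#   sudo sh verify-routes.sh verify
set -eu

VPN_IF=${VPN_IF:-tun0}
LAN_IF=${LAN_IF:-wlx5091e326480e}
VPC_PROBE=${VPC_PROBE:-10.0.1.10}      # any address inside the VPC CIDR
LAN_PROBE=${LAN_PROBE:-192.168.1.10}   # any address inside the local LAN

# route_dev "<one line of 'ip route get' output>" -> the word after "dev".
# Example input: "10.0.1.10 via 172.27.232.1 dev tun0 src 172.27.232.6 uid 0"
route_dev() {
    set -- $1
    while [ $# -ge 2 ]; do
        if [ "$1" = dev ]; then echo "$2"; return 0; fi
        shift
    done
    return 1    # no "dev" token: unreachable / no route
}

# expect_dev ADDR IFACE: ask the kernel which interface ADDR would leave by.
# "ip route get" honours metrics and policy rules, so unlike reading
# "ip route" by eye it reflects what will actually happen to a packet.
expect_dev() {
    got=$(route_dev "$(ip route get "$1" 2>/dev/null | head -n 1)") || got="(none)"
    if [ "$got" = "$2" ]; then
        echo "ok:   $1 -> $got"
    else
        echo "FAIL: $1 -> $got (expected $2)" >&2
        return 1
    fi
}

verify_routes() {
    _rc=0
    expect_dev "$VPC_PROBE" "$VPN_IF" || _rc=1
    # If this one fails, the server pushed your own LAN subnet back to the
    # gateway and the tunnel route won on metric; LAN hosts are unreachable.
    expect_dev "$LAN_PROBE" "$LAN_IF" || _rc=1
    return $_rc
}

if [ "${1:-}" = verify ]; then
    verify_routes
fi
```

Run it after every profile or Access Server change, not just once: a pushed route only shows up after the next reconnect, so a configuration that looked right during the first test can break the LAN the following morning.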

Enabling IP Forwarding and NAT for Seamless LAN Integration

For your local Linux machine to act as a proper Linux VPN gateway, it must forward packets between interfaces and handle NAT for your local LAN.

  1. Enable IP forwarding permanently on your local Linux gateway: sudo nano /etc/sysctl.conf. Uncomment net.ipv4.ip_forward=1. Save and apply changes: sudo sysctl -p.
  2. Configure NAT for local LAN traffic: sudo iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun0 -j MASQUERADE. LAN packets entering the tunnel are rewritten to the gateway's tunnel address, so the AWS side sees a single VPN client and needs no return route to 192.168.1.0/24.
  3. Allow forwarding between your local LAN interface (e.g., wlx5091e326480e) and the VPN tunnel interface (tun0):
    sudo iptables -A FORWARD -i wlx5091e326480e -o tun0 -j ACCEPT
    sudo iptables -A FORWARD -i tun0 -o wlx5091e326480e -j ACCEPT
    (Replace wlx5091e326480e with your actual local network interface name; ip a lists it.) If your FORWARD chain's default policy is ACCEPT these rules change nothing, and if it is DROP they are what makes the gateway work; either way, tighten them with -s and -d to the LAN and VPC CIDRs so the gateway forwards only the traffic it exists for.
  4. Save all firewall rules to persist across reboots: sudo netfilter-persistent save.
  5. Give LAN hosts a path to the VPC. The gateway now knows how to reach 10.0.0.0/16, but the other devices on 192.168.1.0/24 do not: they send everything unknown to their default router. Add a static route for 10.0.0.0/16 with the gateway's LAN address as next hop, either once on your home router or on each host that needs AWS access. Only that prefix is redirected; Internet-bound traffic keeps using the normal default route.
    Linux Tip: While iptables-persistent is robust, on modern Linux distributions you might also consider nftables or firewalld for managing firewall rules, which offer more advanced features and, for some configurations, simpler syntax. Given the scope of this guide, iptables-persistent remains perfectly adequate.
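The EC2-side steps under "Essential Linux Network Configuration for Forwarding" and the gateway-side steps just above are the same procedure with different interfaces: turn on forwarding, add NAT, add forwarding rules, persist. The script below is an added example and not part of the Linux Hint article; it does both roles from one file and, unlike appending rules by hand, is idempotent (iptables -C checks for each rule before -A adds it), so re-running it after a change never stacks duplicates. The interface names, CIDRs and the Access Server client pool (172.27.224.0/20, its documented default) are assumptions; export your own values or edit the defaults. It also tightens the rules in the way the caveats above suggest: the EC2 side masquerades only the VPN pool and the remote LAN instead of everything it forwards, and the gateway forwards only LAN-to-VPC traffic plus established replies.

```shell
#!/bin/sh
# Added example, not from the Linux Hint article: one idempotent script for
# the forwarding and NAT setup on both ends of the tunnel. Run as root with
# a role argument:
#   sh vpn-fw.sh cloud     # on the Access Server EC2 instance
#   sh vpn-fw.sh gateway   # on the on-premises Linux gateway
# Interface names, CIDRs and the client pool are assumptions; edit them
# (or export them) to match your site.
set -eu

IPT=${IPT:-iptables}                   # overridable so the logic can be dry-run
LAN_IF=${LAN_IF:-wlx5091e326480e}
LAN_CIDR=${LAN_CIDR:-192.168.1.0/24}
VPN_IF=${VPN_IF:-tun0}
VPC_CIDR=${VPC_CIDR:-10.0.0.0/16}
VPN_POOL=${VPN_POOL:-172.27.224.0/20}  # Access Server default client pool (assumed)

# ensure_rule TABLE CHAIN RULE... : append RULE only when -C reports it is
# not already present, so re-running the script never duplicates rules.
ensure_rule() {
    _table=$1; _chain=$2; shift 2
    if "$IPT" -t "$_table" -C "$_chain" "$@" 2>/dev/null; then
        echo "present: -t $_table $_chain $*"
    else
        "$IPT" -t "$_table" -A "$_chain" "$@"
        echo "added:   -t $_table $_chain $*"
    fi
}

enable_ip_forward() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    # A drop-in survives package upgrades better than hand-editing sysctl.conf.
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-vpn-forward.conf
}

# default_iface: the interface carrying the default route (ens5 on most
# Nitro instances, but read it rather than assuming it).
default_iface() {
    ip -o route show default | awk '{ print $5; exit }'
}

# EC2 side: NAT only traffic that comes from VPN clients or from the remote
# LAN, not everything the kernel happens to forward.
cloud_rules() {
    _egress=$(default_iface)
    ensure_rule nat POSTROUTING -s "$VPN_POOL" -o "$_egress" -j MASQUERADE
    ensure_rule nat POSTROUTING -s "$LAN_CIDR" -o "$_egress" -j MASQUERADE
}

# Gateway side: hide the LAN behind the gateway's tunnel address and forward
# only LAN<->VPC traffic in either direction, plus replies to open flows.
gateway_rules() {
    ensure_rule nat POSTROUTING -s "$LAN_CIDR" -o "$VPN_IF" -j MASQUERADE
    ensure_rule filter FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_CIDR" -d "$VPC_CIDR" -j ACCEPT
    ensure_rule filter FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$VPC_CIDR" -d "$LAN_CIDR" -j ACCEPT
    ensure_rule filter FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

persist_rules() {
    if command -v netfilter-persistent >/dev/null 2>&1; then
        netfilter-persistent save
    else
        echo "warning: iptables-persistent not installed; rules are lost on reboot" >&2
    fi
}

case "${1:-}" in
    cloud)   enable_ip_forward; cloud_rules;   persist_rules ;;
    gateway) enable_ip_forward; gateway_rules; persist_rules ;;
    *)       echo "usage: $0 cloud|gateway" >&2 ;;
esac
```

Because the iptables binary is taken from the IPT variable, you can point it at a wrapper that only prints its arguments to see exactly what the script would add on a given host before running it for real. Persisting through netfilter-persistent keeps the behaviour the guide already relies on; if you later move to nftables, only ensure_rule needs to change.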

Conclusion

You have deployed OpenVPN Access Server on AWS and established a working site-to-site VPN between your AWS VPC and your local LAN using a dedicated Linux VPN gateway. We walked through preparing the AWS network, deploying the Access Server, and configuring both the cloud instance and your local Linux machine. By setting up routing rules, generating connection profiles, and enabling IP forwarding and NAT, we have created a functional and private path between the two networks. Note that a single tunnel on a single instance is not a resilient design: if you depend on it, monitor the tunnel and plan for how the gateway and the EC2 instance get restarted.

For this type of setup, we highly recommend using a dedicated Linux server machine, ideally running a lightweight server OS like Ubuntu Server, for enhanced stability and performance. The core procedure outlined in this guide remains consistent across various Linux distributions. With this configuration, both your AWS and local LAN networks can communicate seamlessly and securely through the VPN tunnel, realizing the full potential of your hybrid cloud environment.

FAQ

Q1: What are the advantages of using a Linux machine as a VPN gateway for AWS site-to-site connections?
A1: Using a Linux machine gives you fine-grained control, flexibility, and low cost. Linux provides a robust, open-source platform, allowing deep customization of networking parameters, scripting for automation, and security hardening you can audit yourself. It is often cheaper than proprietary hardware and lets you tailor the gateway’s performance and security features to your own hybrid cloud environment.

Q2: Can I use other VPN protocols besides OpenVPN for site-to-site connectivity on AWS?
A2: Yes, while OpenVPN is highly versatile, AWS also natively supports IPsec-based VPN connections (AWS Site-to-Site VPN). Additionally, you could self-host other open-source solutions like WireGuard on a Linux EC2 instance or a local Linux gateway. Each protocol has its trade-offs in terms of setup complexity, performance, and features, so choose based on your specific requirements for speed, encryption, and ease of management.

Q3: What should I consider for performance optimization for this OpenVPN on AWS setup?
A3: Performance optimization is key for a smooth site-to-site VPN setup. Consider selecting an appropriate EC2 instance type with sufficient CPU and network performance (e.g., compute-optimized instances). Ensure your network bandwidth on both the AWS and local sides is adequate. Proper MTU (Maximum Transmission Unit) settings can prevent fragmentation and improve throughput. Also, ensure your OpenVPN Access Server is in an AWS region close to your physical location for lower latency.
Linux Tip: On your Linux gateway, you can further fine-tune network performance by adjusting sysctl kernel parameters. For instance, raising net.core.rmem_max and net.core.wmem_max increases the maximum socket buffer sizes an application may request, which helps high-bandwidth tunnels (OpenVPN's sndbuf/rcvbuf directives are capped by them). Always test changes incrementally and measure, rather than assuming bigger is better.


