AWS Point to Site VPN Setup (Free OpenVPN AWS Setup | EC2 | Route53 Private DNS | Ubuntu 20.04)

Captions
OpenVPN allows you to create secure point-to-point or site-to-site connections. In this video we will use OpenVPN to connect to a private AWS VPC. We will create a few private and public subnets, and later we will push those routes to the clients. Also, we will create a private Route 53 hosted zone and push the AWS DNS server to the client; this will allow us to resolve those private hostnames locally. In the first example we will create an OpenVPN profile manually. In the second example we will create a simple script to automate profile generation. In the last one we will use the open source Gate SSO project to use Google single sign-on to automate client certificate and profile generation.

Let's start from scratch. First we need to create an AWS Virtual Private Cloud (VPC). Let's call it main and give it a /16 CIDR; it will provide you with 65,000 IP addresses. Now, to create a public subnet we need to have an internet gateway. Let's create one and attach it to our VPC. Next, let's create a public subnet with a default route to the internet gateway. We will use that subnet to place our OpenVPN server with a static public IP address. You can keep no preference for the availability zone; I will place all the VMs in one zone for this demo to avoid data transfer charges between different availability zones. I will intentionally create all the subnets with different CIDRs to show you how to configure the OpenVPN server to push routes to the clients. This one, /22, will have 1,000 IP addresses. Now the public subnet needs to have a route table associated with it, with the internet gateway. Let's call it public and select our VPC. We're going to update routes later when we get to the NAT gateway; for now let's just attach it to the public subnet. Allocate a static IP address for the NAT gateway. The NAT gateway will allow VMs in those subnets with private IP addresses only to reach the internet. Now we can use this IP address and create the NAT gateway itself. When you select a subnet, you must place the NAT in the subnet with the internet gateway, in our case the public subnet.

Time to create a couple of private subnets, just for the examples. Let's call the first one private-large and allocate 4,000 IP addresses. For the second private subnet, give the name private-small with only 256 addresses. Now we need to create a private route table and use the NAT gateway as our default route. Click add route and add 0.0.0.0/0, which means everything that doesn't match a more specific route (in this case 10.0.0.0/16, the local route within the VPC) will go to the NAT gateway target. Let's do the same thing with the public subnet, but instead of the NAT gateway use the internet gateway. Finally, update the route tables on the private subnets: instead of the main route table, use the one that we just created. Let's quickly check that we have the correct route tables associated with our subnets.

Next, let's allocate a static public IP address for our OpenVPN server. If you decide to simply use the public IP address that is auto-assigned to the VM when you boot up the virtual machine, when you stop or terminate that instance you may lose that IP forever. We add those tags just for our convenience: when we get to the point when we need to associate that IP, it's much easier to find using name tags. Let's call it simply openvpn. Now that IP will belong to us. Keep in mind, for the time that IP is not attached to any EC2 instances or network interfaces, you will be charged for that IP.

Time to create an EC2 instance. Let's search for the latest Ubuntu with long-term support, and this time it is Ubuntu 20.04. When you are just getting started you don't need to have a large instance; you can always increase the instance type at any point depending on your workload. The main thing that you need to watch out for is the traffic, because AWS will charge you if you exceed a certain amount per month. It's crucial for the production environment that you understand exactly all the charges that AWS will place on you. Knowing the cost can and should affect the way you build your infrastructure and applications. I'm going to pick the t3.small instance type for this demo. Here it's very important to place your OpenVPN server in the public subnet with the internet gateway. Then make sure that you disable auto-assign public IPs. That's all the configuration that we need here. Keep the default 8 GB of storage. Same thing here with a tag: give it a name just to simplify your life, and try to keep those names consistent.

We need a new security group; let's give it the name openvpn. That will be the only instance in our infrastructure that will be open to any source for SSH. When we deploy our OpenVPN server we will use the security group as a source for any other EC2 instances that we want to SSH to; I'll show you an example later. Then we need a UDP port for our server. You may want to use TCP in some situations, but it is generally recommended to stick with UDP; I'll attach some links for pros and cons. 1194 is the well-known OpenVPN server port; you may customize it when you configure the server later. As a shortcut you can use Anywhere; it will automatically fill in all IPv4 and IPv6 addresses. For Gate SSO we need to open an additional port later. If you don't have a key pair or you want to use a new one, select create a new key pair. You can choose either the old RSA key or the new elliptic curve, which allows you to use smaller keys and is in general faster. Give it the name devops and download the private key.

Let's wait a few minutes till the EC2 instance transitions to the running state. You can see that we have only a private IP for now. Let's go to the Elastic IP addresses and attach our public IP address to this instance: choose the openvpn EC2 instance and select the private IP. In AWS the public IP address is not exposed to the VM itself; it's NATed through the private IP address. Now you can see the public IP address. Before we can SSH to Ubuntu we need to restrict who can access the private key. The default user for Ubuntu 20.04 is ubuntu. Also, let's grab our public IP from the console.

The first step is to update the default Ubuntu repositories. Before you install any Ubuntu package you can check the candidate version by running apt policy and then the package name, in our case openvpn. The default Ubuntu repositories contain version 2.4.7, which is not the latest one. If you want to use the latest version, the best way is to use the official repositories provided by the vendor of the software itself and not the standard packages. Let's see what versions are available. Now, if you go to the OpenVPN GitHub page, to the tags section, you will find that you have a newer version, 2.5.3, that you can install instead. Let's do that. Since we would need to run a few commands with sudo access, it's easier to become root for a while. First let's add the GPG key that is used to verify the integrity of the downloaded package, then add the OpenVPN Ubuntu repository; it's a best practice to create a separate list. Let's update the index again and see what candidate is available now. Alright, we have a new version available for installation. Optionally you can use an equal sign to specify the exact version.

Next we need some kind of tool to manage our PKI (public key infrastructure). It's very common to use OpenVPN with Easy-RSA since it's a tool built by the OpenVPN community, but you don't have to; you can use something like CFSSL or any other way to create and maintain your certificates. You can even simply use OpenSSL. The same thing with Easy-RSA: first let's see what candidate is available, and also let's check the latest release. Okay, it's 3.0.6. If you go to GitHub you will find a newer version, 3.0.8. Let's just download the tarball and put it on the path. Now we have the tar and the folder with Easy-RSA; let's clean up a little. It's common to place Easy-RSA under openvpn. I would suggest following the same locations since we will use this tool later to optimize certificate generation. Optionally you can create a soft link to /usr/local/bin. Let's just make sure that Easy-RSA is available and ready to use.

The first step to manage public key infrastructure with Easy-RSA is to initialize the folder structure for keys and certificates. We can create a vars file to customize the certificates. You can provide some common variables such as country, province and others. I think the only one that you need to pay attention to here is the type of the algorithm: we will use elliptic curves. Elliptic curve cryptography provides more security and eliminates the need for a Diffie-Hellman parameter file. I have to warn you at this point: if this private key is stolen, anyone will be able to issue a certificate and connect to your OpenVPN server. You need to decide for yourself how securely you want to maintain your CA. You may decide to keep it offline and only access it when you need to sign a new client or server certificate. The biggest security hole here is to omit a passphrase when you generate a CA. It is a password that you need to provide each time you sign a certificate. For this demo I will omit the passphrase just to automate the certificate and profile generation with Gate SSO; in general it's a terrible practice. Anyway, let's generate one. Confirm the common name; it can be anything related to your company. It's done. We have a new CA cert located under the pki directory. All the private keys, including the CA key, will be stored in the pki/private folder.

Since we will use public key cryptography we need to generate certificates both for the server and the client. Let's make one for the OpenVPN server first, with the same nopass flag to skip the passphrase. In the case of the client and server certs it's a two-step process: first generate a key pair with a certificate request, then you need to use the CA to sign that certificate request and issue a valid certificate. To sign, use the sign-req command. Alright, we have our first certificate.

The next step is to create another secret that is not related to PKI. It's called ta.key. This is kind of like a crypto firewall: each packet going over the internet will be signed using a shared secret on both servers and clients. When OpenVPN receives a packet it will calculate a signature and check it against the signature provided in the received packet; if it doesn't match, OpenVPN will drop the packet. When coupled with UDP this can be a good way to avoid trouble with port scanners, as they will not see the OpenVPN port at all. This feature is also a good way to protect yourself against unknown bugs in the SSL library or protocol, as it reduces the attack surface to only your own users. Enabling TLS authentication is highly recommended. This secret needs to be securely copied to all OpenVPN clients and servers.

To properly function we need to make sure that IP forwarding is enabled. By default it is commented out in Ubuntu 20.04; we need to remove the comment and enable it. We also need to configure an iptables rule to use the server as a NAT to translate client IPs to the OpenVPN server IP. That's the reason why we use the openvpn security group as a source for any instance in our VPC. Let's list some default policies; by default they are all set to ACCEPT. Some tutorials use high-level firewall tools such as ufw. If you enable it, it will create a bunch of rules. For this tutorial to be as transparent as possible, I simply want to add a single iptables rule. First we need to find the default network interface that is used by the server; it will be ens5. Create a NAT rule that will translate all the source IPs coming from this range, 10.8.0.0/24, to the OpenVPN Ubuntu server IP. This range is a virtual network that we define later for the VPN; all the clients and the OpenVPN server will get an IP from this range. If you are using plain iptables you need a way to save them and reapply those rules after a reboot. One way to do that is to use the iptables-persistent package. It will ask you if you want to save your current iptables IPv4 rules; you should say yes. For the second one, IPv6, we don't have anything.

Time to configure the OpenVPN server. This will be the main configuration for the server. First pick a port; the default OpenVPN port is 1194. Then you need to select the protocol, either UDP or TCP; generally UDP is recommended, and I'll attach a link with an explanation. We need to choose between tap or tun devices; same here, you will find a link. Generally stick with a tun device. You want tap if you want to transport non-IP based traffic, or IPv6 traffic on OpenVPN 2.2 or older releases, or you want to bridge. Next is the location of the CA certificate. You can use a relative or full path here; you can even insert your cert inline in the config, as you'll see when we get to the client profile. Then the location of the server certificate and private key. Then we can disable the Diffie-Hellman parameter since we're using elliptic curves. Then the secret that we generated to check each packet signature; the value should be 0 on the server and 1 on the client. The cipher to use. auth, used to authenticate received packets. Virtual network config: IP range and a mask. It will be /24; it will give you 256 hosts, and that's how many clients you can connect at the same time. You may want to increase it if you wish. Location to save records of client virtual IP addresses. Then ping-like messages. Optionally you can reduce OpenVPN privileges; just make sure that you have the nobody user, otherwise the OpenVPN server will fail to start. Same thing for the group. A few more parameters: status location, which can be used by a Prometheus exporter to extract current usage and visualize it in Grafana, for example. Network topology set to subnet if you don't need to support legacy Windows clients.

Then the most important part of configuring the server: you need to push routes to the client for the available subnets in AWS. If you remember, we created the public subnet 10.0.0.0/22, which translates to a 255.255.252.0 subnet mask. This particular route needs to be pushed if you want to access the private IP addresses of VMs in that public subnet. Next the route for the private-large subnet with a 255.255.240.0 subnet mask. 10.0.32.0 is the private-small AWS subnet. Then we want to be able to resolve private Route 53 hostnames; we need to push the DNS server IP address to the client. The Route 53 DNS IP is always your VPC CIDR plus 2, which in our case is 10.0.0.2. Let's quickly check if you have the nobody user and nogroup. Use systemctl to start OpenVPN. Check the status for any errors. It's active and we don't have any errors in the output. Enable it to automatically start after a server reboot. If your OpenVPN fails to start, the best way to find the error is in the logs: you can use the journalctl command and filter by unit name. Looks good, let's continue.

Now let's create our first client profile. We need to generate a client certificate. You need to pay attention to the paths; we will use them later to extract certs and keys. Let's sign it. Let's create a profile with the .ovpn extension. You can then install an OpenVPN client such as Tunnelblick on Mac and double-click this file to import it. We need to indicate that it is a client profile. Same tun device as on the server. Most of these parameters must mimic the configuration of the server; since I already went over most of them I'll skip them here. You can use the public IP address of the OpenVPN server or you can create a DNS record and use that hostname. I'll add some scripts that need to be uncommented based on the system: if your Linux machine doesn't use the systemd resolver use the first one, otherwise the second one. If you're on Mac or Windows you don't need it. Then we need to include certificates and keys. You can use a file path or you can include certs directly in the profile. First, for the certificate authority you need open and close tags; let's paste the content inside. Same thing for the client certificate, the private client key, and finally the ta.key that we created with OpenVPN.

Now let's install the OpenVPN client. If you're on Windows you can use the official OpenVPN client; if you're on Mac, Tunnelblick is the de facto default open source client. Let's navigate and double-click the profile. You can get this configuration panel if you click on VPN details, or you can use that drop-down menu to connect to the VPN. Select the profile that we just imported and click connect. Let's open the server logs just to see if we get any errors; it will help to debug. You may get the warning that your public IP was not different. This setup is not used to hide your public IP; it is to be able to connect to your private AWS VPC. If you want to hide your IP it is possible to route absolutely all network traffic over the VPN: you need to add a server push directive, push "redirect-gateway def1", and on the client redirect-gateway def1. In the server logs you can see that the example1 client is connected. Also, just to debug, you can list your network routes on your machine; on the Mac you can run netstat -r. Here we have all the private subnet and public subnet routes pushed to the client. It's a very similar setup on GCP; you just need to use a different DNS server IP and push that route as well. Let me know in the comments if you want me to set up OpenVPN in GCP.

To test the connection let's create another EC2 instance and put it in the private subnet. Here is an important part: now you can use the openvpn security group to grant access to the EC2 instances. If you just want to SSH, get the openvpn security group ID and replace the source. This will significantly improve your infrastructure security, since those ports will be opened to VPN clients only. Let's wait a little bit and try to SSH to that server's private IP address. You must be connected to the VPN. All right, we successfully SSHed to the new EC2 instance using only the private IP.

Now let's create a private Route 53 hosted zone. You can give it any name you'd like; let's call it devops.pvt. Select private hosted zone and select the VPC. Create a sample record to test DNS resolution; you can give any IP address, it's just for the test. While we're still on the VPN let's try to use dig to get DNS records. It may not work: you can see that we didn't get the IP address. For the private zone to work you must enable DNS hostnames and DNS support. Let's check in the AWS console. Also check if you have the correct DNS name server; on Mac you can open network settings, and under DNS you should see the AWS DNS server 10.0.0.2. First DNS resolution, it's already enabled; then hostnames, you need to check the box and save it. Then you may need to wait 5 or 10 minutes before you can resolve that test hostname. All right, we got our IP. Let's disconnect from the VPN.

Next I'll show you how to revoke access to the VPN. You just need to revoke the client's certificate, generate the certificate revocation list and update the server config. You have the warning that you also need to generate the CRL with the gen-crl command; keep a note of the location. Let's add this to the OpenVPN config at the bottom. Save it and restart the OpenVPN server. Open the logs to see the error message. Now let's try to connect. You're going to get a timeout in about 60 seconds. On the server you can see that the client's certificate was revoked and a TLS error; on the client you will see an error as well. Let's cancel it.

Now let's create a simple script that can help to generate client profiles. Create a client-configs folder to store profiles. Then let's create a base profile, with exactly the same parameters as before. You can still generate certificates manually and use a script to populate your profile, or you can include this step as well in the script; it's up to you. Create a key pair and sign that cert. Create a gen-client-profile.sh file, define folders with keys and certs, and then just use cat with the base config and insert certificates and keys. It's pretty much the same as we did with the first profile; the script just automates it. Now make the script executable. Run it with the profile name; it must match the certificate that you created before. Let's cat that generated profile. Let me just copy it from the server and paste it into Visual Studio. You may want to use the secure copy command to copy the file securely. You can double-click and import it. All right, we successfully connected. Just a quick check: use dig to verify the VPN connection; it has to be able to reach the private AWS DNS server to be able to resolve. It works.

The last example will help you to optimize profile generation using Google single sign-on. This is by no means a production-ready setup; it's just to demonstrate the basic concepts. First we need to install Docker on that Ubuntu server. We will use Docker to run a MySQL container. You can find all the commands in the README file; the link is attached to this video. Add the Docker repository, then install Docker. Let's also use Docker Compose to define the workload in YAML instead of using the CLI flags. For Gate SSO we need to use MySQL 5.7. Create a volume to persist data between restarts. You may want to consider RDS or a dedicated database installed on a separate VM for production use. Also map the port from the container to localhost. Create an environment variable to set a root password. To start, run docker-compose up with -d to run it in the background. Let's check if the MySQL container is up. We need to install the MySQL client and configure the user inside the database. If you just run apt install mysql-client it will install the client for the MySQL 8 server, but it still will work for us. Let's connect to the server; use 127.0.0.1 instead of localhost, it will use a different connection mechanism. Create the gate user with the devops123 password. Grant access to the development and test databases for initial tests.

Gate SSO is a Ruby on Rails app; we need to have Ruby installed to be able to run it. Right now it's missing. We need to install a certain Ruby version; to do that let's use RVM. First you will get an error; you can fix it by importing the GPG keys, then re-run it. Gate SSO was developed using Ruby version 2.4.3; you can find it in the source code. Install the bundler gem. Now we need to clone the Gate SSO project and install dependencies: run bundle install. If you get an error you can fix it by installing the missing packages. Let's rerun bundle install. It also requires the Node.js runtime; let's install it as well. Now initialize by running rake app init. We need to update a few variables in the .env file. First the Gate URL. We will use HTTP here, but I highly recommend running nginx in front of it and getting a TLS certificate from Let's Encrypt for production use. gate.devopsbyexample.io will point to the public IP address of the OpenVPN server. Now the client ID. To be able to configure Google single sign-on you need to have a GCP account. I have already created the GCP project. You need to navigate to APIs and Services and create the OAuth consent screen first. I already created it, but it's very simple; let me click edit. Just give it a name and email; later you can customize it if you want. When you finish with the consent screen, create a new set of credentials. It has to be a web application type. Add the redirect URI here; it has to be your domain, and the users Google callback part will stay the same. Copy your client ID and the secret. Update the domain and add your Google org domain. If you want to grant access to anyone outside of your organization you need to secure that URL with HTTPS and mark it in GCP as external. MySQL host and password. We need to create a public DNS record for gate. Before you're going to run it, run setup; it will run a few tests. Let's open port 80 on the OpenVPN server.

Gate SSO will not generate your profiles; it will only invoke a couple of scripts. Let's create them and launch the app. The first script will be run if the client doesn't have a key pair yet. I'm not going to go over each line here; just keep in mind that you can use any PKI tool, not only Easy-RSA. The second script will be run if you already have a private key and you want to generate a new cert, for example if it has already expired. Now let's run it. For production you want to run Puma and bind it to a Unix socket instead; then in nginx you can use that Unix socket as an upstream server, plus secure it with certbot and Let's Encrypt. Finally, let's go to gate.devopsbyexample.io and try to generate the profile. Click on sign in with Google, choose the account, and then just click download OpenVPN profile. You have all the necessary files in that folder: the CA certificate, the key and the profile itself. Double-click to install it, go to the terminal and test the VPN. It works. Let's also SSH to the server using a private IP address. That's all for this video, and I'll see you in the next one.
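The profile-generation script from the second example (cat a base client config, then inline the CA cert, the client cert and key, and ta.key) written out as an added shell example. This is not the video's own gen-client-profile.sh; it assumes the Easy-RSA default layout of pki/ca.crt, pki/issued/NAME.crt and pki/private/NAME.key, and the ta.key path and the client-configs output directory are assumptions. The demo function builds constructed placeholder PEM files so the script can be run offline; real Easy-RSA issued certs carry a text dump above the PEM block, which the sed line strips.

```shell
#!/bin/sh
# Added example (not the video's script): assemble an OpenVPN client profile by
# concatenating a base config with <ca>/<cert>/<key>/<tls-auth> inline blocks.
# Layout assumed: PKI_DIR/ca.crt, PKI_DIR/issued/NAME.crt, PKI_DIR/private/NAME.key.
set -eu

# gen_profile NAME BASE_CONF PKI_DIR TA_KEY OUT_DIR
# Writes OUT_DIR/NAME.ovpn (mode 0600, it holds the private key) and prints its path.
# BASE_CONF must not contain tls-auth/key-direction lines; they are added here.
gen_profile() {
  name=$1 base=$2 pki=$3 ta=$4 out=$5
  ca="$pki/ca.crt" crt="$pki/issued/$name.crt" key="$pki/private/$name.key"
  for f in "$base" "$ca" "$crt" "$key" "$ta"; do
    [ -r "$f" ] || { echo "gen_profile: missing or unreadable: $f" >&2; return 1; }
  done
  mkdir -p "$out"
  (
    umask 077   # the profile embeds the client private key
    {
      cat "$base"
      printf '<ca>\n'; cat "$ca"; printf '</ca>\n'
      printf '<cert>\n'
      # Easy-RSA prefixes issued certs with a human-readable dump; keep only the PEM block
      sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$crt"
      printf '</cert>\n'
      printf '<key>\n'; cat "$key"; printf '</key>\n'
      printf '<tls-auth>\n'; cat "$ta"; printf '</tls-auth>\n'
      # inline tls-auth needs key-direction (1 on clients) instead of "tls-auth ta.key 1"
      printf 'key-direction 1\n'
    } > "$out/$name.ovpn"
  )
  echo "$out/$name.ovpn"
}

# Constructed demo inputs: placeholder PEM bodies stand in for real certificates so
# the script runs offline. Prints the path of the generated profile.
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/pki/issued" "$d/pki/private"
  cat > "$d/base.conf" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
verb 3
EOF
  cat > "$d/pki/ca.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CA-PLACEHOLDER
-----END CERTIFICATE-----
EOF
  cat > "$d/pki/issued/example1.crt" <<'EOF'
Certificate:
    Data: (Easy-RSA text dump that must not end up in the profile)
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CLIENT-CERT-PLACEHOLDER
-----END CERTIFICATE-----
EOF
  cat > "$d/pki/private/example1.key" <<'EOF'
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-CLIENT-KEY-PLACEHOLDER
-----END PRIVATE KEY-----
EOF
  cat > "$d/ta.key" <<'EOF'
-----BEGIN OpenVPN Static key V1-----
CONSTRUCTED-TA-PLACEHOLDER
-----END OpenVPN Static key V1-----
EOF
  gen_profile example1 "$d/base.conf" "$d/pki" "$d/ta.key" "$d/client-configs"
}

# "sh gen-client-profile.sh demo" runs the constructed demo; otherwise source the
# file and call gen_profile with your own paths.
[ "${1:-}" = demo ] && demo
```

On a real server the NAME argument must match the common name used with easyrsa gen-req, because that is what names the files under pki/issued and pki/private; a profile built this way also has to be transported to the client over an encrypted channel such as scp, since the key inside it grants VPN access until the certificate is revoked and the CRL is reloaded.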
Info
Channel: Anton Putra
Views: 428
Rating: 5 out of 5
Keywords: aws point to site vpn setup, openvpn aws setup, openvpn aws setup free, aws openvpn server setup, openvpn server, openvpn setup, openvpn cloud, openvpn linux, openvpn ubuntu, openvpn aws, free vpn, amazon web services, aws tutorial, free vpn for pc, aws, openvpn aws ec2, openvpn aws configuration, openvpn aws vpc, openvpn aws free, aws openvpn access server, openvpn server aws, point to site vpn, anton putra, devops, cloud, private route 53 zone, sre, aws cloud, aws vpc
Id: yaXiAqH-4LE
Length: 51min 53sec (3113 seconds)
Published: Sun Sep 26 2021