Video Tutorial
Key aspects
- Removed the complexity of configuration.
- All or partial traffic option.
- UDP is the default protocol with a fall back to TCP over 443 if the UDP port is blocked.
- Configurable certificate key size.
- Minimized downtime thanks to our custom resilience feature.
- No more stress to recreate all the users if you lose the server.
- The downtime minimized to the time it takes to boot the EC2 Instance and mount the EFS drive.
Example use cases
Your imagination is your limit, but here are some ideas that are worth considering:
- Route all the traffic over the VPN server for remote workers.
- Secure offline resources in a private subnet and allow partial traffic for employees to access them.
- Connect two or more offices together with a secure link.
Additional details
Resilience
Our VPN Server has built in resilience to make sure that you don't lose all your users, lose the VPN configuration, or lose connectivity by a changing IP. For this to work, you'll need to allocate an Elastic IP and create an EFS Drive.
Security
This product was designed for public access, but we recommend you don't allow SSH connections from the public Internet. Expose only the VPN ports and allow SSH access from the local subnet once you make your first profile for yourself.
Complete feature list
This section lists all the features of this product for easy referencing.
Detailed list
The product itself
- No soft limits on how many users you can create.
- No soft limits on how many users can connect to the VPN.
- Part of the configuration is done through the EC2 Instance UserData section.
- Unique server settings are stored into a EFS drive, this way it is saved to be able to terminate an instance and not lose any custom configuration (users, key, certificates etc).
If you were to use our CloudFormation file, you’d also get
- An Alarm to check for CPU Bursts.
- An Alarm to check for CPU Load.
- An Alarm to check for Disk usage.
- An Alarm to auto recover the instance if it gets terminated suddenly by AWS due to hardware failure.
- An Alarm for EC2 Instance termination protection.
- A SNS Topic to receive notifications from the above alarms.
Deploy Automatically
First, subscribe to the product on the AWS Marketplace, and then deploy this CloudFormation file.
What will be deployed
- 1x EC2 instance with 0x4447 custom AMI:
- 1x IAM Role.
- 1x IAM Policy.
- 1x Security Group.
- 1x Instance profile.
- 1x Elastic IP.
- 1x Elastic IP Association.
- 4x CloudWatch Alarms:
- CPU Burst.
- CPU Load.
- Disk Usage.
- EC2 Instance Recovery.
- 1x SNS Topic:
- 1x SNS Policy.
- 1x Topic Subscription.
- 1x CloudWatch Dashboard for instance overview.
- 1x EFS drive:
- 1x Mount target.
- 1x Security group.
- 1x Backup:
- 1x Plan.
- 1x Role.
- 1x Selection.
- 1x Vault.
Deploy Manually
Before launching our product, you'll have to do some manual work to make everything work correctly. Please follow these steps (the steps are generally described since Cloud experience is expected):
WARNING
Text starting with PARAM_
needs to be replaced with real values.
Custom Role
Before you can set the UserData, you have to attach a Role to the Instance with a Policy that has this Document:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DetachVolume",
"ec2:AttachVolume"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:DescribeVolumes",
"Resource": "*"
}
]
}
This Policy Document will give the Instance the ability to attach the EFS drive to itself. The "Resource": "*"
is stated this way intentionally, since the action is not resource specific.
Managed Policy Recommendation
We also recommend adding the following policies managed by AWS to the role:
arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
EFS Drive
When creating an EFS drive, make sure to do the following:
- Create the drive in the same AZ as the EC2 instance.
- Make sure to set the correct Security Group on the drive. The drive needs to be able to talk on port 2049 with the instance.
- Same goes for the EC2 Instance.
Bash Script for UserData
Our product needs a few dynamic values custom to your setup. To get access to these values our product checks for the content of this file /home/ec2-user/.env
. By using the UserData option that AWS provided for each EC2 Instance, you can create the .env
file with ease by referencing the bash script from below - make sure to replace the placeholder values with your own.
#!/bin/bash
echo EFS_ID=PARAM_EFS_ID >> /home/ec2-user/.env
echo EASYRSA_KEY_SIZE=EASYRSA_KEY_SIZE >> /home/ec2-user/.env
Explanation
- Set the ID of the EFS drive
- Provide the certificate key size (optional): be aware, most OpenVPN clients won’t accept profiles with a key size smaller than 1024, and if you have a client application that can go lower, you can’t go lower than 512, since a key smaller than that won’t be accepted by the SSL library itself.
Understand how UserData works
It is important to note that the content of the UserData field will be only executed once, which occurs when the instance starts for the first time. This means that the content of the UserData won't be triggered if you stop and start the instance.
This means you won't be able to update the UserData, stop the instance, and have the changes executed. If you need to make changes to the UserData, you have the following options:
- Follow this AWS solution for a work around.
- Terminate the instance and redeploy the product from scratch.
Security Group
Our product configuration in the AWS Marketplace already has set all the ports that need to be open for the product to work. But if for whatever reason the correct Security Group is not created by AWS, bellow you can find a list and descriptions of all the ports needed:
22
overTCP
for remote management.443
overTCP
for VPN connections.1194
overUDP
for VPN connections.2049
overTCP
for EFS to be mounted.
The First Boot
The boot time of our product will be slower than if you started an instance from a clean AMI, this is due to our custom code that needs to be executed in order to prepare the product for you. This process can take a few minutes longer than usual.
Connecting to the Server
To connect to the server: get it's IP, connect to the instance over SSH with the username ec2-user
, while using the private key you selected at deployment time. If successfully connected, you should be greeted with a custom MOTD detailing the product information.
User Management
How to create a user
Run this command to send all the traffic through the VPN:
sudo ov_user_add -u USER_NAME -t all
Run this command to send only the traffic for the remote network through the VPN:
sudo ov_user_add -u USER_NAME -t partial
How to copy the profiles locally
Every time you do so, a new .ovpn
file will be created in the openvpn_users
folder located in the ec2-user
folder. You can copy the new file to your local computer using the SCP
command, like so:
scp -i ./ssh.key ec2-user@SERVER_IP:/home/ec2-user/openvpn_users/USER_NAME.ovpn .
How to delete a user
Just run the following command:
sudo ov_user_delete -u USER_NAME
How to list all the users
Since every time you create a user a .ovpn
configuration file is created, you can just list the content of the openvpn_users
folder, like so:
ls -la /home/ec2-user/openvpn_users
The output is the list of all the users you have available for your VPN server.
VPN Clients
Final Thought
Test the setup
Before you go into production, make sure to test the product. This ensures that you get used to how it works.
Security Concerns
Below we give you a list of potential ideas to consider regarding security, but this list is not exhaustive – it is just a good starting point.
- Expose to the public only the ports needed for clients to connect to the VPN
- Block public SSH access
- Allow SSH connection only from limited subnets
- Ideally allow SSH connection only from another central instance
- Don't give root access to anyone but yourself
Backup Your Data
Make sure you regularly backup your drive(s). One simple solution would be to use AWS backup.
How To
How to change the instance type
If you need more memory and CPU capacity, you can change your instance type to a bigger one. To do so, follow these instructions:
- Go to the CloudFormation console
- Click on the stack that you want to update.
- Click the
Update
button. - Keep the default selection and click
Next
- On the new
Parameters
page, change the instance type from the drop down. - Click
Next
till the end.
Wait for the stack to finish updating.
How to restore from a backed up EFS drive
Restoring from a backed up EFS drive is not straightforward due to how AWS restores the drive. By design AWS restores the data (even on a new and empty drive) in special folders called: aws-backup-restore_timestamp-of-restore
. Meaning they do not recreate the original folder structure. Check how AWS restores EFS Backups to learn more.
This means you have to reorganize the drive before you use it with our product. To do so, you have two options:
- Launch a temporary EC2 Instance, mount the drive and reorganize it.
- Or you can reorganize it using our SFTP Server - Single User Setup product.
Make sure all the resources are in the same VPC, subnet, and have the correct Security Groups.
F.A.Q
These are some of the common solutions to problems you may run into:
Not authorized for images
My CloudFormation stack failed with the following error API: ec2:RunInstances Not authorized for images:...
in the Event tab.
Solution
You have to accept the subscription from the AWS Marketplace first, before you use our CloudFormation file.
The product is misbehaving
I did follow all the instructions from the documentation.
Solution
Check if the values entered in the UserData reached the instance itself.
sudo cat /var/lib/cloud/instance/user-data.txt
UserData seams ok
The UserData reached the instance, and yet the product is not acting as it should.
Solution
Use the following command to see if there were any errors during the boot process.
sudo cat /var/log/messages | grep 0x4447
Issue with remote access
Unable to access the server over SSH.
Solution
- Ensure that your public IP address is allowed to access the EC2 instance. You will need to add an inbound rule to the Security Group used by the EC2 instance.
- Ensure you are using the right EC2 Key Pair that you provided when you launched your stack.
- Ensure you are not using the
root
user to login as this is disabled. You need to login asec2-user
Issue with user management
The below error indicates that this instance failed to mount your EFS drive.
sudo ov_user_add -u USER_NAME
No such file or directory
You will also see the following message in your dmesg.
amazon/efs/mount.log:2020-09-04 23:29:58,803 - ERROR - Failed to mount fs-90d252e8.efs.us-east-2.amazonaws.com at /etc/openvpn/easy-rsa: retu Connection timed out"
Solution
Ensure that your EFS Drive allows inbound connections on TCP Port 2049
from your Elastic IP and the EC2 subnet being used by the VPN Server.
Support
If the above section has not helped you come up with a solution to your problem, feel free to get in touch with us, we'll try to help you out the best way we can.
Feedback
If you have any feedback regarding our products, feel free to reach us through our feedback page.