How to install and configure an OpenVPN server with NAT inside an AWS VPC

We use AWS VPC to create a logically isolated area for our servers, and we have complete control over the networking inside it: we can split it into public-facing subnets and private-facing subnets. The web servers go in the public-facing subnets, which have internet access, and all the backend servers, such as application servers and database servers, go in the private-facing subnet. The catch is that instances in the private-facing subnet cannot reach the internet, so we need a NAT server to give them outbound internet connectivity. The other question is how to connect to the instances in the private-facing subnet at all, and the best answer is to install and configure a VPN server for that. In this article I will describe how to install and configure both the VPN and the NAT on a single instance.

Create an instance in your public-facing subnet using the AWS AMI and assign an EIP to it. We are going to make it our NAT instance as well, which needs a few more steps.

From the EC2 console, select the newly created instance, right-click it and select "Change Source / Dest Check".

Then press "Yes, Disable".

Then SSH to your instance and start working on it.

We have to enable the EPEL repository on our instance:

Before continuing with the installation we should update the machine:

Install OpenVPN:

Copy the easy-rsa directory from the template directory to your /etc/openvpn/ directory:

Create a new directory named "keys" inside easy-rsa:

Now we'll edit the "vars" file, which provides the easy-rsa scripts with the information they need:

Modify the below lines as per your requirement.

Copy the openssl configuration file:

Now we'll build our Certificate Authority (CA):

Now we'll create the certificate for the OpenVPN server:

We also need to generate the Diffie-Hellman parameters using the build-dh script, and then copy all of our files into /etc/openvpn:

For client authentication we need to generate client certificates too:
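The whole PKI build described in the steps above (copy easy-rsa, create keys/, edit vars, copy the OpenSSL config, build the CA, the server certificate, the DH parameters and a client certificate, then copy the server files into /etc/openvpn), as one script. This is an added example and not the article's own commands; it assumes the easy-rsa 2.x template shipped by the EPEL openvpn package at /usr/share/openvpn/easy-rsa/2.0, a server certificate named "server" and a first client named "client1", and the values written into vars are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the article's own commands: build the OpenVPN PKI with
# the easy-rsa 2.x scripts that the EPEL openvpn package ships.
# Assumptions (not from the article): the template lives under
# /usr/share/openvpn/easy-rsa/2.0, the server certificate is named "server"
# and the first client "client1". DRY_RUN=1 prints every step instead of
# executing it; everything else must run as root on the VPN instance.
set -e

EASYRSA_SRC="${EASYRSA_SRC:-/usr/share/openvpn/easy-rsa/2.0}"
EASYRSA_DIR="${EASYRSA_DIR:-/etc/openvpn/easy-rsa}"
SERVER_NAME="${SERVER_NAME:-server}"
CLIENT_NAME="${CLIENT_NAME:-client1}"
KEY_SIZE="${KEY_SIZE:-2048}"

# run: execute a command, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# pki_vars: the settings the article says to change in "vars". These are
# constructed placeholder values; a later "export" wins over the file's own.
pki_vars() {
    cat <<EOF
export KEY_SIZE=$KEY_SIZE
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="ExampleOrg"
export KEY_EMAIL="admin@example.com"
export KEY_OU="DevOps"
EOF
}

build_pki() {
    run cp -r "$EASYRSA_SRC" "$EASYRSA_DIR"
    run mkdir -p "$EASYRSA_DIR/keys"
    # easy-rsa 2.x looks for a file literally called openssl.cnf
    run cp "$EASYRSA_DIR/openssl-1.0.0.cnf" "$EASYRSA_DIR/openssl.cnf"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        pki_vars | sed 's/^/append to vars: /'
    else
        pki_vars >> "$EASYRSA_DIR/vars"
    fi
    # the scripts take their settings from the environment that "vars"
    # creates, so the whole chain runs inside one shell in that directory
    run sh -c "cd '$EASYRSA_DIR' && . ./vars && ./clean-all \
        && ./build-ca && ./build-key-server '$SERVER_NAME' \
        && ./build-dh && ./build-key '$CLIENT_NAME'"
    # only the server-side material goes to /etc/openvpn; ca.crt,
    # client1.crt and client1.key are what gets copied to the client later
    for f in ca.crt "$SERVER_NAME.crt" "$SERVER_NAME.key" "dh$KEY_SIZE.pem"; do
        run cp "$EASYRSA_DIR/keys/$f" /etc/openvpn/
    done
    # the server's private key must not be world-readable
    run chmod 600 "/etc/openvpn/$SERVER_NAME.key"
}

if [ "${RUN:-0}" = 1 ]; then
    build_pki
fi
```

Run it first with `DRY_RUN=1 RUN=1 sh build-pki.sh` to review the exact commands, then `RUN=1 sh build-pki.sh` as root on the instance. The build-* scripts are interactive and will prompt for the certificate fields; the DH file name follows KEY_SIZE, so a different key size changes the file copied to /etc/openvpn.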

Create an iptables rule to allow proper routing of our VPN subnet:

Enable IP Forwarding in sysctl:

Replace 0 with 1.

Now we will create our OpenVPN server configuration file:

Add the below configurations:

Now start the OpenVPN server:

Add port 1194 to the instance's security group.
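The server-side steps above (the iptables rule for the VPN subnet, enabling IP forwarding in sysctl, and the server configuration file) as one script. This is an added example, not the article's own configuration: the tunnel network 10.8.0.0/24, the VPC network 10.0.0.0/16 and the outbound interface eth0 are constructed values, the certificate file names assume the easy-rsa step named the server certificate "server" with a 2048-bit DH file, and `apply_server` assumes Amazon Linux's `service`/`chkconfig` tooling.

```shell
#!/bin/sh
# Added example, not the article's own configuration: NAT rule for the VPN
# subnet, the sysctl edit, and a server.conf that pushes the VPC route to
# clients. Constructed addresses: tunnel 10.8.0.0/24, VPC 10.0.0.0/16,
# outbound interface eth0. dh2048.pem assumes KEY_SIZE=2048 in easy-rsa.
set -e

VPN_NET="${VPN_NET:-10.8.0.0}"
VPN_MASK="${VPN_MASK:-255.255.255.0}"
VPC_NET="${VPC_NET:-10.0.0.0}"
VPC_MASK="${VPC_MASK:-255.255.0.0}"
OUT_IF="${OUT_IF:-eth0}"

# vpn_nat_rule: masquerade VPN-client traffic as the instance's own VPC
# address, so backend instances need no route back to the tunnel network.
vpn_nat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s/%s -o %s -j MASQUERADE\n' \
        "$VPN_NET" "$VPN_MASK" "$OUT_IF"
}

# enable_ip_forward FILE: turn "net.ipv4.ip_forward = 0" into "= 1" in a
# sysctl.conf, or add the key when it is absent; prints the resulting line.
enable_ip_forward() {
    f="${1:-/etc/sysctl.conf}"
    if grep -q '^net\.ipv4\.ip_forward' "$f"; then
        sed -i 's/^net\.ipv4\.ip_forward *= *0 *$/net.ipv4.ip_forward = 1/' "$f"
    else
        printf 'net.ipv4.ip_forward = 1\n' >> "$f"
    fi
    grep '^net\.ipv4\.ip_forward' "$f"
}

# gen_server_conf: the server configuration. Compression (comp-lzo) is
# deliberately left out: it is not needed and compressing tunnelled traffic
# has been shown to leak plaintext.
gen_server_conf() {
    cat <<EOF
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
server $VPN_NET $VPN_MASK
ifconfig-pool-persist ipp.txt
# clients get a route to the VPC, so private-subnet instances are reachable
push "route $VPC_NET $VPC_MASK"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
}

# apply_server: write the config, enable forwarding now and at boot, add the
# NAT rule and persist it, then start OpenVPN (Amazon Linux service tooling)
apply_server() {
    gen_server_conf > /etc/openvpn/server.conf
    enable_ip_forward /etc/sysctl.conf >/dev/null
    sysctl -q -w net.ipv4.ip_forward=1
    eval "$(vpn_nat_rule)"
    service iptables save
    service openvpn start
    chkconfig openvpn on
}

if [ "${RUN:-0}" = 1 ]; then
    apply_server
fi
```

Run `sh server-setup.sh` to inspect nothing but define the functions, `RUN=1 sh server-setup.sh` as root to apply them; `gen_server_conf` can be called on its own to review the configuration before it is written. The pushed route is what lets a connected client reach the private-facing subnet through the tunnel.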

Now we need to configure our client machine:

Copy all the client keys to the client machine, including ca.crt.

Now we will create a client configuration file on the client machine, named client.ovpn:

Add the below lines to that file:

Start OpenVPN with the command below:
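The client side of the steps above, as an added example rather than the article's own client.ovpn: instead of referencing ca.crt, client1.crt and client1.key as separate files it embeds them inline, so a single file is all that has to be copied to the client. It assumes the server's EIP is passed as the first argument, the key files sit in the directory given as the second argument, the client certificate is named "client1", and the server was configured with `cipher AES-256-CBC` on UDP 1194 (the cipher and protocol must match the server's).

```shell
#!/bin/sh
# Added example, not the article's client.ovpn: generate a single client
# profile with the CA certificate, client certificate and client key
# embedded inline. Assumptions (not from the article): server EIP as $1,
# key directory as $2, client name "client1", server on UDP 1194 with
# cipher AES-256-CBC.
set -e

# embed TAG FILE: wrap a PEM file in <tag>...</tag> as OpenVPN expects,
# adding a newline if the file lacks one so the closing tag stays on its
# own line
embed() {
    printf '<%s>\n' "$1"
    cat "$2"
    if [ -n "$(tail -c 1 "$2")" ]; then
        printf '\n'
    fi
    printf '</%s>\n' "$1"
}

# gen_client_ovpn REMOTE [KEYDIR] [NAME]: print the profile to stdout;
# fails (exit 1) when any of the three PEM files is missing or unreadable
gen_client_ovpn() {
    remote="$1"
    keydir="${2:-.}"
    name="${3:-client1}"
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -r "$keydir/$f" ] || { echo "missing $keydir/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $remote 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# only accept a peer whose certificate was issued as a server certificate
# (build-key-server sets that), so another client's cert cannot pose as
# the server
remote-cert-tls server
cipher AES-256-CBC
verb 3
EOF
    embed ca "$keydir/ca.crt"
    embed cert "$keydir/$name.crt"
    embed key "$keydir/$name.key"
}

if [ "${RUN:-0}" = 1 ]; then
    gen_client_ovpn "$@" > client.ovpn
    # the profile now contains the private key, so keep it owner-only
    chmod 600 client.ovpn
fi
```

Usage on the client: `RUN=1 sh make-client.sh 203.0.113.10 ~/vpn-keys` (the address is a constructed placeholder for the server's EIP), then `sudo openvpn --config client.ovpn`. Because the private key is embedded, the profile deserves the same handling as the key file itself.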

Now we will configure NAT on our OpenVPN server:

Create the file "/usr/local/sbin/configure-pat.sh":

Append the below lines:

Make it executable.

Edit /etc/rc.local file:

Add the line "/usr/local/sbin/configure-pat.sh" to it.

Reboot your instance.

Now you can add this instance as the target in your private-facing subnet's route table.
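The NAT part of the procedure above (configure-pat.sh, making it executable, and hooking it into /etc/rc.local) as one installer. This is an added example and not the article's configure-pat.sh: the VPC CIDR 10.0.0.0/16 is a constructed value, eth0 is assumed as the outbound interface, and it assumes an iptables new enough to support `-C` (rule check), which Amazon Linux ships. The VPN subnet's own masquerade rule from the iptables step earlier in the article stays separate, since VPN clients arrive from the tunnel network, not from the VPC range.

```shell
#!/bin/sh
# Added example, not the article's configure-pat.sh: the NAT script for the
# combined VPN/NAT instance plus an idempotent /etc/rc.local hook.
# Assumptions (not from the article): VPC CIDR 10.0.0.0/16 (constructed),
# outbound interface eth0, and an iptables that supports "-C".
set -e

VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"
OUT_IF="${OUT_IF:-eth0}"

# pat_rules: the body of configure-pat.sh. Only traffic sourced from the
# VPC is masqueraded (narrower than masquerading 0.0.0.0/0), and the rule
# is appended only when it is not already present, so re-runs and reboots
# never stack duplicate rules.
pat_rules() {
    cat <<EOF
sysctl -q -w net.ipv4.ip_forward=1
iptables -t nat -C POSTROUTING -s $VPC_CIDR -o $OUT_IF -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -s $VPC_CIDR -o $OUT_IF -j MASQUERADE
EOF
}

# ensure_line FILE LINE: add LINE to FILE exactly once. If the file ends in
# "exit 0" the line goes above it, otherwise anything appended after it
# would never run. Prints how many copies of LINE the file then holds.
# (Uses GNU sed; LINE must not contain "|" or "&".)
ensure_line() {
    if grep -qxF -- "$2" "$1" 2>/dev/null; then
        :
    elif grep -qx 'exit 0' "$1" 2>/dev/null; then
        sed -i "s|^exit 0\$|$2\nexit 0|" "$1"
    else
        printf '%s\n' "$2" >> "$1"
    fi
    grep -cxF -- "$2" "$1"
}

# install_pat [SCRIPT] [RCLOCAL]: write the script, make it executable and
# hook it into rc.local (which itself must be executable to run at boot)
install_pat() {
    script="${1:-/usr/local/sbin/configure-pat.sh}"
    rclocal="${2:-/etc/rc.local}"
    { printf '#!/bin/sh\n'; pat_rules; } > "$script"
    chmod 755 "$script"
    ensure_line "$rclocal" "$script" >/dev/null
    chmod +x "$rclocal"
}

if [ "${RUN:-0}" = 1 ]; then
    install_pat
    # apply the rules now rather than waiting for the reboot
    sh /usr/local/sbin/configure-pat.sh
fi
```

Run `RUN=1 sh install-pat.sh` as root. After the reboot, `iptables -t nat -L POSTROUTING -n` should list exactly one MASQUERADE rule for the VPC range regardless of how many times the script has run, and `sysctl net.ipv4.ip_forward` should report 1.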


Tapas Mishra

Sr. Engineer (DevOps)