Setting Up OpenVPN for Secure Access to Data Rooms on AWS
This tutorial will explain how to set up an OpenVPN server on AWS to secure remote access to a data room.
OpenVPN Overview
OpenVPN is an open-source software application that enables the creation of secure, encrypted tunnels between a client and server, allowing users to securely access private networks over the internet. This setup is ideal for data rooms, where sensitive information needs to be accessible to authorized users but kept out of reach from unauthorized access.
Scenario
Suppose your company has a data room hosted on AWS, where confidential files are stored in an S3 bucket. You want only users who are connected through the VPN to reach those files. Setting up OpenVPN on an EC2 instance gives users a single authenticated, encrypted entry point into the VPC. Keep in mind that S3 is reached over the public AWS API rather than over a private network address, so the VPN by itself does not fence the bucket off: the restriction is enforced by routing S3 traffic from VPN clients through a VPC endpoint and attaching a bucket policy that rejects requests arriving by any other path. The VPN provides the authenticated path; the bucket policy is what makes it the only path.
Prerequisites
Before you begin, make sure you have:
- An AWS account with administrative access.
- Basic knowledge of AWS services and EC2 instances.
- An EC2 instance running Amazon Linux 2 or Ubuntu (Step 1 shows how to launch one). The commands below use yum and the ec2-user account of Amazon Linux 2; on Ubuntu substitute apt and the ubuntu account.
Step 1: Launching an EC2 Instance
- Log in to your AWS Account:
- Navigate to AWS Management Console > Services > EC2 > Instances.
- Launch a New Instance:
- Click on Launch Instance.
- Select Amazon Linux 2 or Ubuntu as the AMI (Amazon Machine Image).
- Choose an instance type based on your expected load; for minimal usage, a t2.micro instance should suffice.
- Configure network settings, ensuring your instance is in a VPC with a security group that allows SSH (TCP port 22) from your management IP range only and OpenVPN (default UDP port 1194) from the networks your users connect from.
- Allocate Elastic IP (Optional):
- To ensure a consistent IP for clients to connect, allocate an Elastic IP to your instance. This IP address remains the same even if the instance is restarted.
- Security Groups Configuration:
- Add rules to the instance's security group to allow TCP port 22 for management access, restricted to your administrators' source IP range, and UDP port 1194 for VPN connections. Do not open port 22 to 0.0.0.0/0; the VPN endpoint is the only service that needs to be reachable from everywhere.
- Click Review and Launch and then Launch.
Step 2: Installing OpenVPN on the EC2 Instance
- SSH into the Instance:
- Use SSH to connect to your instance (the login user is ec2-user on Amazon Linux 2 and ubuntu on Ubuntu):
ssh -i "your-key.pem" ec2-user@your-elastic-ip
- Install OpenVPN and Easy-RSA:
- Update the system:
sudo yum update -y
- Install OpenVPN and Easy-RSA. On Amazon Linux 2 both packages come from the EPEL repository, so enable it first; on Ubuntu the equivalent is apt install openvpn easy-rsa:
sudo amazon-linux-extras install epel -y
sudo yum install -y openvpn easy-rsa
Step 3: Configuring OpenVPN
- Set Up the PKI (Public Key Infrastructure):
- Easy-RSA provides tools to create the certificates and keys required for the OpenVPN setup.
- Copy the Easy-RSA scripts into a working CA directory (this is a private directory for the certificate authority, not /etc/openvpn). On Ubuntu the easy-rsa package provides make-cadir for this; on Amazon Linux 2 the scripts live under /usr/share/easy-rsa/3, so copy that directory to ~/openvpn-ca with cp -r instead of running make-cadir:
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
- Initialize the PKI:
./easyrsa init-pki
- Build the Certificate Authority (CA):
./easyrsa build-ca
You will be prompted to set a password and provide a common name, e.g., “DataRoomVPN”.
- Generate Server Certificate and Key:
- Build the server’s certificate and key:
./easyrsa build-server-full server nopass
- Generate Diffie-Hellman Parameters:
- Generate Diffie-Hellman parameters to secure the key exchange process:
./easyrsa gen-dh
- Generate Client Certificate and Key:
- For each user, generate a unique client certificate. Use the person's name as the identifier rather than a generic label, and never share one certificate between users: revocation works per certificate, so a shared one cannot be withdrawn from a single person later.
./easyrsa build-client-full client1 nopass
- This certificate, together with its private key, is what each authorized user presents to the VPN server. Easy-RSA 3 writes everything under pki/ in the CA directory: pki/ca.crt, pki/issued/<name>.crt, pki/private/<name>.key and, after gen-dh, pki/dh.pem. These paths are needed in the next step.
Step 4: Configuring OpenVPN Server Settings
- Create Server Configuration File:
- Copy the sample OpenVPN server configuration file to /etc/openvpn/, and copy the CA certificate, server certificate and key, and DH parameters generated in Step 3 alongside it (the configuration refers to them by bare file name, relative to /etc/openvpn):
sudo cp /usr/share/doc/openvpn*/sample/sample-config-files/server.conf /etc/openvpn/
sudo cp ~/openvpn-ca/pki/ca.crt ~/openvpn-ca/pki/issued/server.crt ~/openvpn-ca/pki/private/server.key ~/openvpn-ca/pki/dh.pem /etc/openvpn/
- Edit the configuration file:
sudo nano /etc/openvpn/server.conf
- Update the following lines (Easy-RSA 3 names the DH file dh.pem, not dh2048.pem):
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA256
- The sample file also has tls-auth ta.key 0 enabled: an extra HMAC key that lets the server discard packets from anyone who does not hold it before any TLS processing happens. Either generate that key with sudo openvpn --genkey --secret /etc/openvpn/ta.key (OpenVPN 2.4 syntax) and give every client a copy, or comment the line out; with the line active and no file present the service will not start. The auth SHA256 line must match the client configuration in Step 5, since the two ends do not negotiate this value.
- Set up IP forwarding by enabling the net.ipv4.ip_forward parameter:
sudo sysctl -w net.ipv4.ip_forward=1
- This takes effect immediately but is lost on reboot; to make it persistent, add net.ipv4.ip_forward = 1 to a file under /etc/sysctl.d/.
- Configure Firewall Rules:
- Allow VPN traffic in, forward traffic for the tunnel subnet (10.8.0.0/24 is the default server network in the sample configuration), and NAT it to the instance's own address so that replies from resources in the VPC come back through the VPN server; the VPC route tables know nothing about 10.8.0.0/24, so without the NAT rule return traffic is dropped:
sudo iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
- These rules are not persistent across reboots; save them with the distribution's iptables service (iptables-services on Amazon Linux 2, iptables-persistent on Ubuntu). On newer instance types the primary interface may not be called eth0; check with ip link and adjust the rules accordingly.
- Start the OpenVPN Service:
- Start and enable OpenVPN (the openvpn@server unit reads /etc/openvpn/server.conf; if it fails to start, journalctl -u openvpn@server names the missing file or bad directive):
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
Step 5: Configuring Client Access
- Download the Client Certificate and Key:
- The client needs the following files from the server: ca.crt, client1.crt and client1.key, plus ta.key if tls-auth is enabled in server.conf.
- Use SCP or another encrypted and authenticated channel to copy these files to the client device, and delete client1.key from the server once it has been delivered: the private key should exist only on the device that uses it. Never send it by e-mail or chat.
- Setting Up OpenVPN on the Client Device:
- Download and install the OpenVPN client software on your device.
- Create a configuration file (e.g., client.ovpn) with the following content. remote-cert-tls server makes the client refuse any peer whose certificate was not issued as a server certificate, so a stolen client certificate cannot be used to impersonate the VPN server; cipher and auth must match the server side:
client
dev tun
proto udp
remote your-elastic-ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
# remove the next line only if you commented tls-auth out of server.conf
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
- Transfer the ca.crt, client1.crt, client1.key and ta.key files to the same directory as client.ovpn.
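The two steps above, issuing a certificate per user in Step 3 and assembling client.ovpn with its companion files in Step 5, can be done in one script. The following is an added example written for this page, not code from the tutorial or from the OpenVPN or Easy-RSA projects. It assumes the Easy-RSA directory ~/openvpn-ca from Step 3, a ta.key at /etc/openvpn/ta.key, and the server's Elastic IP passed through SERVER_IP (203.0.113.10 below is a documentation placeholder). It embeds the CA certificate, client certificate, key and tls-auth key inline so that a single file reaches each user and no PEM files have to travel separately, and it adds the revocation step that per-user certificates exist for.

```shell
#!/usr/bin/env bash
# Added example, not part of the tutorial: issue one certificate per user with
# Easy-RSA 3 and bundle everything the client needs into a single inline .ovpn,
# so only one file has to reach the user and no loose PEM files stay behind.
# Assumptions (placeholders, not from the tutorial): the CA directory is
# ~/openvpn-ca as in Step 3, tls-auth is enabled with /etc/openvpn/ta.key, and
# SERVER_IP holds the Elastic IP (203.0.113.10 is a documentation address).
set -eu

SERVER_IP="${SERVER_IP:-203.0.113.10}"
CA_DIR="${CA_DIR:-$HOME/openvpn-ca}"
TA_KEY="${TA_KEY:-/etc/openvpn/ta.key}"

# Print only the PEM block of a file. Easy-RSA prepends a human-readable dump
# ("Certificate: Data: ...") to issued certificates, which must not end up
# inside the <cert> section of the profile.
pem_block() {
  sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Assemble a unified profile on stdout.
# $1 server address  $2 ca.crt  $3 client cert  $4 client key  $5 ta.key
build_ovpn() {
  local remote="$1" ca="$2" cert="$3" key="$4" ta="$5"
  cat <<EOF
client
dev tun
proto udp
remote $remote 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
key-direction 1
verb 3
<ca>
$(pem_block "$ca")
</ca>
<cert>
$(pem_block "$cert")
</cert>
<key>
$(pem_block "$key")
</key>
<tls-auth>
$(pem_block "$ta")
</tls-auth>
EOF
}

# Sanity-check a profile before handing it out: all four inline blocks are
# present and there is no "ca/cert/key/tls-auth <file>" directive that would
# make the profile depend on a companion file.
validate_ovpn() {
  local f="$1" sec
  for sec in ca cert key tls-auth; do
    grep -qx "<$sec>" "$f" && grep -qx "</$sec>" "$f" || return 1
  done
  ! grep -Eq '^(ca|cert|key|tls-auth) ' "$f"
}

# Server-side helpers; they run inside the CA directory and prompt for the CA
# passphrase set in Step 3.
issue_client() {                  # $1 = user name, becomes the certificate CN
  local user="$1"
  ( cd "$CA_DIR" && ./easyrsa build-client-full "$user" nopass )
  build_ovpn "$SERVER_IP" "$CA_DIR/pki/ca.crt" "$CA_DIR/pki/issued/$user.crt" \
             "$CA_DIR/pki/private/$user.key" "$TA_KEY" > "$user.ovpn"
  chmod 600 "$user.ovpn"
  validate_ovpn "$user.ovpn"
  # The private key now lives in the profile only; do not keep a second copy.
  shred -u "$CA_DIR/pki/private/$user.key"
}

revoke_client() {                 # $1 = user name; needs crl-verify crl.pem in server.conf
  ( cd "$CA_DIR" && ./easyrsa revoke "$1" && ./easyrsa gen-crl )
  sudo install -m 644 "$CA_DIR/pki/crl.pem" /etc/openvpn/crl.pem
}

case "${1:-}" in
  issue)  issue_client "$2" ;;
  revoke) revoke_client "$2" ;;
  *)      echo "usage: $0 issue <user> | revoke <user>" >&2 ;;
esac
```

Run it on the VPN server as the account that owns the CA directory: issue alice writes alice.ovpn and removes the loose key file, and revoke alice regenerates the CRL, which OpenVPN only consults if server.conf contains crl-verify crl.pem. validate_ovpn is the check worth keeping even for hand-built profiles: a profile that still names ca.crt or client1.key by path will fail on any device where those files did not travel with it.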
Step 6: Testing the VPN Connection
- Connecting to OpenVPN:
- Start the OpenVPN client and load the client.ovpn configuration file. A successful connection ends with the line "Initialization Sequence Completed" in the client log, and the client receives an address from the 10.8.0.0/24 tunnel network. A TLS error at this point usually means the ca, cert, key or tls-auth material does not match between the two ends.
- Verifying Access to the Data Room:
- Once connected, the client can reach the EC2 instances and other VPC resources that the security groups and the routes pushed by the server allow. For the S3 bucket, being on the VPN does not by itself change anything, because S3 is addressed over the public AWS API; two more pieces are needed. First, S3 traffic from clients must travel through the tunnel, so add push "redirect-gateway def1 bypass-dhcp" (or routes covering the S3 prefix list) to server.conf. Second, a gateway VPC endpoint for S3 must be attached to the route table of the VPN server's subnet, and the bucket policy must deny every request that does not arrive through that endpoint (condition key aws:SourceVpce). Without that policy, anyone holding valid AWS credentials can still read the bucket from the internet, VPN or not.
- Additional Security Measures:
- For a second factor, the community edition of OpenVPN can demand a username and password in addition to the certificate: add auth-user-pass to the client configuration and load an authentication plugin on the server, for example the bundled PAM plugin, which can in turn be backed by a one-time-password PAM module. For auditing, keep the status file the sample configuration already enables (status openvpn-status.log) and add log-append /var/log/openvpn.log so that every connection is recorded with its certificate common name and source address.
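The bucket policy described above, as an added example for this page (not from the tutorial, and not a verbatim AWS document). It renders a deny-unless-via-endpoint policy, creates the gateway endpoint on the VPN server's route table with the AWS CLI, and applies the policy. The region, VPC ID, route table ID, bucket name and admin role ARN are placeholders. The second condition key, aws:PrincipalArn, exempts one administrative role; without it the Deny also locks out the people who manage the bucket, including the AWS console.

```shell
#!/usr/bin/env bash
# Added example, not part of the tutorial: make the S3 data room reachable only
# through the VPN. VPN client traffic leaves the VPC through a gateway endpoint
# for S3 (the MASQUERADE rule from Step 4 gives it the VPN server's VPC address),
# and a bucket policy denies every request that does not arrive via that
# endpoint. Assumptions (placeholders, not from the tutorial): region us-east-1,
# a VPC and route-table ID, bucket dataroom-example, and an admin role that must
# keep access from outside the VPC.
set -eu

# Render the bucket policy. An explicit Deny wins over any Allow, so this
# overrides IAM policies that would otherwise permit access from the internet.
# Keys inside one condition operator are ANDed: the Deny fires only when the
# request is NOT from the endpoint AND NOT from the admin role.
# $1 bucket name  $2 VPC endpoint id  $3 admin role ARN
data_room_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnlessViaVpnEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::$1", "arn:aws:s3:::$1/*"],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "$2",
          "aws:PrincipalArn": "$3"
        }
      }
    }
  ]
}
EOF
}

# Check that a rendered policy contains an exact fragment (used to confirm the
# endpoint ID and resources were substituted before the policy is applied).
# $1 policy text  $2 literal fragment
policy_mentions() {
  printf '%s\n' "$1" | grep -Fq "$2"
}

# Create the gateway endpoint and apply the policy. Requires the AWS CLI with
# ec2 and s3 permissions; this part is not exercised by the self-check.
# $1 region  $2 vpc-id  $3 route-table-id of the VPN server's subnet
# $4 bucket  $5 admin role ARN
apply_data_room_lockdown() {
  local vpce policy_file
  vpce=$(aws ec2 create-vpc-endpoint --region "$1" --vpc-id "$2" \
          --service-name "com.amazonaws.$1.s3" --route-table-ids "$3" \
          --query 'VpcEndpoint.VpcEndpointId' --output text)
  policy_file=$(mktemp)
  data_room_policy "$4" "$vpce" "$5" > "$policy_file"
  policy_mentions "$(cat "$policy_file")" "\"aws:SourceVpce\": \"$vpce\"" \
    || { echo "policy rendering failed" >&2; exit 1; }
  aws s3api put-bucket-policy --bucket "$4" --policy "file://$policy_file"
  rm -f "$policy_file"
  echo "bucket $4 now accepts requests only via $vpce or from $5"
}

case "${1:-}" in
  apply) apply_data_room_lockdown "$2" "$3" "$4" "$5" "$6" ;;
  *)     echo "usage: $0 apply <region> <vpc-id> <route-table-id> <bucket> <admin-role-arn>" >&2 ;;
esac
```

Test the lockdown from both sides before announcing it: an aws s3 ls on the bucket from a VPN-connected client must succeed, and the same command from a laptop off the VPN, using the same credentials, must return AccessDenied. If the first fails too, the usual causes are a missing redirect-gateway push in server.conf or the endpoint not being attached to the VPN server's route table.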
Conclusion
Setting up OpenVPN on AWS EC2 enables secure remote access to data rooms, safeguarding sensitive data by allowing only authorized, VPN-authenticated users. Combined with a VPC endpoint and a bucket policy that accepts requests only through it, this configuration provides an additional layer of security, especially for distributed teams or remote employees, ensuring that only secure, encrypted connections can access critical assets within the AWS environment.