Accessing Private resources in AWS using Point-to-Site VPN (OpenVPN)

Satyajit Samantaray
6 min read · Nov 13, 2023


The present approach allows access to private-subnet resources through a Bastion (Jump) Server, but it requires opening the Bastion Server’s security group to the world. That setup comes with certain drawbacks.

Disadvantages of Using a Jump Server:

  1. Single Point of Failure: If the Jump server experiences downtime or faces a security breach, access to the entire network could be compromised. The dependency on this single server for access could potentially create a bottleneck or complete outage.
  2. Increased Complexity: Implementing and managing a Jump server adds complexity to the network setup. It requires regular maintenance, monitoring, and security measures to ensure it remains a secure gateway.
  3. Potential Misuse: There’s a risk of misuse or abuse of privileges if the Jump server isn’t properly secured. If an attacker gains access to the Jump server, they could potentially gain access to the private servers it’s meant to protect.
  4. Limited Scalability: As the network grows and more users need access, the Jump server might face limitations in handling increased traffic and user connections. This can lead to performance issues.

OpenVPN, a point-to-site VPN solution, addresses these challenges. It removes the need for direct SSH access to the servers from the Internet: instead, authorised users who hold the .ovpn profile or the client URL connect to the OpenVPN server, and once connected they reach the private servers over the tunnel, improving both security and access control.

Below are the steps for installing and configuring OpenVPN:

Step-1: The first step is to launch an EC2 instance in the Public Subnet using the OpenVPN AMI from the AWS Marketplace. The AMI comes in several variations, such as the BYOL model (bring your own license), which by default allows connections for 2 users; more connections require procuring and activating additional licenses. Other variations of the AMI accommodate 5, 10, 25 or more connected devices. Choose the AMI that matches your connectivity requirements.

Fig-1 OpenVPN AMI comes with different variations like BYOL, 10 Connected devices

Step-2: Proceed by choosing the necessary instance type and generating the key pair. Define the network setup, specifying the VPC for the OpenVPN creation. Select the public subnet and maintain default settings for the remaining configurations.

Fig-2 Select the required Instance type, Key Pair and the network; choose Public Subnet

Step-3: To ensure continuity, assign an Elastic IP to the OpenVPN server. This action secures the Public IP, maintaining consistency even if the server experiences downtime, hangs, or undergoes a stop/start cycle. Consequently, the client URL remains unchanged, fostering a seamless and reliable connection for users.

Fig-3 OpenVPN EC2 instance created and it has an Elastic IP

Step-4: Once the EC2 instance is created, log in to the OpenVPN instance with the key pair, using the default SSH user “openvpnas”: `ssh -i <keypair name> openvpnas@<OpenVPN IP>`. After connecting, accept the agreement and select the required options. Then set the password for the default user “openvpn”, which is used to log in to the OpenVPN admin and client interfaces. Allow the configuration to complete; when it finishes, it prints the URLs for client and admin access.

Fig-4 Connecting to the OpenVPN instance using the ssh command
Fig-5 Accepting the OpenVPN agreement after logging in to the OpenVPN instance
Fig-6 Selecting the default options after accepting the OpenVPN agreement
Fig-7 Set the password for the openvpn user or create your own user for the Admin UI

Step-5: Once all the options are selected, the installer configures OpenVPN and prints the URLs for the Admin UI and the Client UI.

Fig-8 URL of Client UI and the Admin UI

Step-6: With the client URL in hand, download the OpenVPN Connect client from the OpenVPN site (https://openvpn.net/client/). Launch OpenVPN Connect and click the “+” symbol in the lower left corner. Add the client URL; you will be asked to accept or reject the server certificate. Once accepted, enter the username “openvpn” and the password you set. For subsequent connections, select your profile and enter the password. Upon successful connection, the client shows the status as ‘connected’.

Fig-9 Add the Client URL to Import Profile
Fig-10 Accept the Certificate
Fig-11 Enter the username and password
Fig-12 Once you enter the correct credentials VPN status will show as connected

Step-7: After establishing the VPN connection, verify it by connecting to a private server using its Private IP. A successful connection confirms that private resources are reachable through the VPN.

I have a private server running in the same VPC, and I will try to connect to it from my local system.

Fig-13 EC2-Dev-Server is a Private server running on the Same VPC where OpenVPN-Server is present
Fig-14 Connection to the EC2-Dev-Server from the local system is successful

Step-8: To create a user, log in to the Admin UI and navigate to User Management, then User Permissions. Enter the desired username in the “New Username” box, then click “more settings” to set the user’s password.

Fig-15 Create user in the OpenVPN by logging in to the Admin portal

Step-9: To enable multi-factor authentication in OpenVPN, open the Authentication settings, set TOTP multi-factor authentication to ‘Yes’, save the settings and update the running server. After logging out and logging in again, the system displays a QR code to scan. Scan it with any authenticator app and enter the generated code. From then on, every login requires the OTP in addition to the password.

Fig-16 Enabling MFA in the OpenVPN
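The access model the walkthrough arrives at (Step-7) is that private servers accept SSH only from the OpenVPN server, and nothing has port 22 open to the world as the old bastion did. As an added example, not part of the original article, the Python below audits the JSON returned by `aws ec2 describe-security-groups` (boto3’s `describe_security_groups` returns the same shape) for rules that break that model. The sample output and the sg-… identifiers are constructed placeholders.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (not taken from the article). The sg-... ids are placeholders.
OPENVPN_SG_ID = "sg-0openvpn0example"
SAMPLE_SGS = json.loads("""
{"SecurityGroups": [
 {"GroupId": "sg-0openvpn0example", "GroupName": "openvpn-server", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []}]},
 {"GroupId": "sg-0dev0example", "GroupName": "ec2-dev-server", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0openvpn0example"}]}]},
 {"GroupId": "sg-0legacy0example", "GroupName": "legacy-bastion", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]}
""")

def rule_covers_port(rule, port):
    """True if an ingress rule admits TCP traffic on `port` ("-1" = all traffic)."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]

def audit_ssh_exposure(describe_output, vpn_sg_id, port=22):
    """Map group id -> findings for SSH rules that bypass the VPN. Expected posture:
    only the VPN server takes SSH from a specific admin address (never the world);
    private servers take SSH only from the VPN server's security group."""
    findings = {}
    for sg in describe_output["SecurityGroups"]:
        is_vpn = sg["GroupId"] == vpn_sg_id
        issues = []
        for rule in sg["IpPermissions"]:
            if not rule_covers_port(rule, port):
                continue
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if ipaddress.ip_network(cidr).prefixlen == 0:  # 0.0.0.0/0 or ::/0
                    issues.append(f"port {port} open to the world ({cidr})")
                elif not is_vpn:
                    issues.append(f"port {port} reachable from {cidr} without the VPN")
            for pair in rule.get("UserIdGroupPairs", []):
                if not is_vpn and pair["GroupId"] != vpn_sg_id:
                    issues.append(f"port {port} allowed from {pair['GroupId']}, not the VPN group")
        if issues:
            findings[sg["GroupId"]] = issues
    return findings
```

Run against a real account, the only group that should appear in the result is none; any entry is a server still reachable on SSH without going through the tunnel.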

Advantages of OpenVPN:

OpenVPN offers several benefits:

  1. Secure Access: It provides a secure encrypted tunnel for data transmission, ensuring the confidentiality and integrity of information passing through the network.
  2. Controlled User Access: OpenVPN allows for controlled and managed access to networks, enabling defined user permissions and restricting unauthorized entry.
  3. Scalability: It’s scalable, accommodating varying user counts and connection needs, providing flexibility for expanding network requirements.
  4. Versatility: Compatible with multiple platforms, it’s versatile and can be employed across various operating systems, devices, and cloud services.
  5. Multi-Factor Authentication Support: OpenVPN supports multi-factor authentication, adding an extra layer of security for user logins, ensuring greater access control.

Conclusion:

In summary, OpenVPN excels as a formidable solution, providing secure encrypted tunnels and controlled access. Its adaptability across various platforms, scalability, and support for multi-factor authentication establish it as a versatile and indispensable tool for maintaining network security and user management.

