Archival Notice
This guide was written for Amazon Linux 1 and legacy OpenVPN v2.4 deployments on AWS EC2. Please note that Amazon Linux 1 has reached End of Life (EOL), and modern OpenVPN releases utilize updated Easy-RSA v3 PKI initialization parameters. Please adapt package installations and syntax to current environment standards.
When provisioning secure remote access for engineering teams to access private cloud subnets, deploying a dedicated virtual private network (VPN) gateway is standard practice. While managed VPN services exist, running an open-source OpenVPN server on an AWS EC2 instance provides absolute control over cryptographic cipher suites, client authentication mechanisms, and networking routing.
In this guide, I will walk you through deploying an OpenVPN server on AWS EC2, configuring Security Groups, installing OpenVPN and Easy-RSA packages, establishing a Public Key Infrastructure (PKI), generating server and client certificates, and routing client traffic through IP masquerading.
Prerequisites
You will need an AWS account with privileges to launch EC2 instances and manage Security Groups, alongside an allocated Elastic IP address.
Step 1: Launching the EC2 Instance and Security Group
Launch an Amazon Linux EC2 instance attached to your public VPC subnet. Assign an Elastic IP address so remote clients can establish reliable tunnels.
Configuring Security Group (EU-P-LWA001)
Create a dedicated Security Group and allow incoming OpenVPN traffic alongside SSH for administration:
UDP Port 1194: OpenVPN Client TunnelsTCP Port 22: Administrative SSH access (restricted to your management IP)
Step 2: Package Installation and PKI Initialization
Connect to your EC2 instance via SSH, update system packages, and install OpenVPN alongside Easy-RSA from the EPEL repository.
# Update system packages
yum update -y
# Install OpenVPN and Easy-RSA
yum install openvpn easy-rsa -y --enablerepo=epel
Establishing Public Key Infrastructure (PKI)
To generate cryptographic certificates, copy the Easy-RSA directory structure and initialize the PKI:
# Copy Easy-RSA generation scripts
mkdir -p /etc/openvpn/easy-rsa/keys
cp -ai /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
# Configure PKI environment variables
cd /etc/openvpn/easy-rsa/
source ./vars
./clean-all
# Build Certificate Authority (CA)
./build-ca
Step 3: Generating Server and Client Certificates
With the CA initialized, generate the OpenVPN server certificate, Diffie-Hellman parameters for key exchange, and client access certificates.
# Generate OpenVPN Server Certificate and Private Key
./build-key-server server
# Generate Diffie-Hellman Parameters (2048-bit)
./build-dh
# Generate Client Access Certificate and Key
./build-key client1
Copy the generated keys to the primary OpenVPN directory:
cd /etc/openvpn/easy-rsa/keys/
cp ca.crt server.crt server.key dh2048.pem /etc/openvpn/
Step 4: Configuring OpenVPN Daemon and IP Masquerading
Create the primary server configuration file /etc/openvpn/server.conf:
# /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
Enabling IP Forwarding and Masquerading
To allow connected VPN clients to route traffic out to the internet through the EC2 instance's elastic interface, enable IP forwarding and configure iptables masquerading:
# Enable kernel IP forwarding
sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
sysctl -p
# Configure iptables NAT masquerading
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save
Enable and start the OpenVPN server daemon:
chkconfig openvpn on
service openvpn start
Step 5: Structuring Client OVPN Profiles
To allow remote clients to connect instantly, bundle the client certificate, private key, and CA certificate into a unified .ovpn profile.
# client.ovpn
client
dev tun
proto udp
remote <YOUR_ELASTIC_IP> 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
cipher AES-256-CBC
comp-lzo
verb 3
<ca>
-----BEGIN CERTIFICATE-----
... Insert ca.crt content ...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
... Insert client1.crt content ...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
... Insert client1.key content ...
-----END PRIVATE KEY-----
</key>
OpenVPN Gateway Online
Your AWS EC2 OpenVPN server is now fully operational and ready to accept encrypted client tunneling connections!