Skip to content
Indus LeveL
openvpn aws ec2 vpn linux sysadmin security networking

Deploying an OpenVPN Server on AWS EC2

A comprehensive sysadmin guide to deploying an OpenVPN server on AWS EC2, configuring security groups, initializing Easy-RSA PKI, and generating client ovpn profiles.

2 min read
Cover illustration representing OpenVPN server deployment on AWS EC2, secure client tunneling, and Easy-RSA PKI certificate generation

When provisioning secure remote access for engineering teams to access private cloud subnets, deploying a dedicated virtual private network (VPN) gateway is standard practice. While managed VPN services exist, running an open-source OpenVPN server on an AWS EC2 instance provides absolute control over cryptographic cipher suites, client authentication mechanisms, and networking routing.

In this guide, I will walk you through deploying an OpenVPN server on AWS EC2, configuring Security Groups, installing OpenVPN and Easy-RSA packages, establishing a Public Key Infrastructure (PKI), generating server and client certificates, and routing client traffic through IP masquerading.

Prerequisites

You will need an AWS account with privileges to launch EC2 instances and manage Security Groups, alongside an allocated Elastic IP address.


Step 1: Launching the EC2 Instance and Security Group

Launch an Amazon Linux EC2 instance attached to your public VPC subnet. Assign an Elastic IP address so remote clients can establish reliable tunnels.

Configuring Security Group (EU-P-LWA001)

Create a dedicated Security Group and allow incoming OpenVPN traffic alongside SSH for administration:

  • UDP Port 1194: OpenVPN Client Tunnels
  • TCP Port 22: Administrative SSH access (restricted to your management IP)

Step 2: Package Installation and PKI Initialization

Connect to your EC2 instance via SSH, update system packages, and install OpenVPN alongside Easy-RSA from the EPEL repository.

# Update system packages
yum update -y

# Install OpenVPN and Easy-RSA
yum install openvpn easy-rsa -y --enablerepo=epel

Establishing Public Key Infrastructure (PKI)

To generate cryptographic certificates, copy the Easy-RSA directory structure and initialize the PKI:

# Copy Easy-RSA generation scripts
mkdir -p /etc/openvpn/easy-rsa/keys
cp -ai /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

# Configure PKI environment variables
cd /etc/openvpn/easy-rsa/
source ./vars
./clean-all

# Build Certificate Authority (CA)
./build-ca

Step 3: Generating Server and Client Certificates

With the CA initialized, generate the OpenVPN server certificate, Diffie-Hellman parameters for key exchange, and client access certificates.

# Generate OpenVPN Server Certificate and Private Key
./build-key-server server

# Generate Diffie-Hellman Parameters (2048-bit)
./build-dh

# Generate Client Access Certificate and Key
./build-key client1

Copy the generated keys to the primary OpenVPN directory:

cd /etc/openvpn/easy-rsa/keys/
cp ca.crt server.crt server.key dh2048.pem /etc/openvpn/

Step 4: Configuring OpenVPN Daemon and IP Masquerading

Create the primary server configuration file /etc/openvpn/server.conf:

# /etc/openvpn/server.conf
port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

keepalive 10 120
cipher AES-256-CBC
comp-lzo

user nobody
group nobody

persist-key
persist-tun
status openvpn-status.log
verb 3

Enabling IP Forwarding and Masquerading

To allow connected VPN clients to route traffic out to the internet through the EC2 instance's elastic interface, enable IP forwarding and configure iptables masquerading:

# Enable kernel IP forwarding
sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
sysctl -p

# Configure iptables NAT masquerading
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save

Enable and start the OpenVPN server daemon:

chkconfig openvpn on
service openvpn start

Step 5: Structuring Client OVPN Profiles

To allow remote clients to connect instantly, bundle the client certificate, private key, and CA certificate into a unified .ovpn profile.

# client.ovpn
client
dev tun
proto udp
remote <YOUR_ELASTIC_IP> 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
cipher AES-256-CBC
comp-lzo
verb 3

<ca>
-----BEGIN CERTIFICATE-----
... Insert ca.crt content ...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
... Insert client1.crt content ...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
... Insert client1.key content ...
-----END PRIVATE KEY-----
</key>

References

Back to Blog
Share:

Follow along

Stay in the loop — new articles, thoughts, and updates.