In this post, I'll create a new security group and connect it to my office network via a VPN tunnel. Then, I'll route packets to instances running in that security group through the tunnel, just as if it were on my local office LAN. You just need a single port open to the security group to create the tunnel. I'll also mention that you can spend a lot of money and pay for something similar, however by rolling your own you have way more flexibility. It's an investment to understand how it all works together to be sure but once I got it down I feel like I'm on another, higher level of understanding networking. For me it was a really great project.
So, let's get started. First, I'm going to create a new security group and call it vpc for virtual private cloud:
ec2-add-group VPC -d "Virtual Private Cloud" GROUP VPC Virtual Private Cloud
Now, I'm going to authorize two ports for my group, 1194 for the tunnel and 22000 for sshd while I get everything configured. Keep in mind I usually run sshd on a port other than 22 because of annoying scan-bots. I'll de-authorize port 22000 when I'm up and running.
# ec2auth -Ptcp -p22000 VPC # ec2auth -Pudp -p1194 VPC
Now, I'll spin up an instance, install openvpn and configure the service. The following instance is an AMI I created that doesn't have OpenVPN installed.
# ec2run -k joeyssh -g VPC pmi-182a79e7
Ok, I'm going to start another instance in that VPC so we can test end-to-end connectivity once we get the tunnel setup. Same command as above.
Now I can check the IP's of my instances and login.
Ok, now I'm logged into one of the instances I'm going to rename openvpn-server because it's going to be my OpenVPN server system.
# hostname openvpn-server
Next, I'm going to add the RPMForge repos to this system and install it. The nice thing about doing it this way is that you'll solve all of OpenVPN's dependencies at the same time. They are stuff like openssl-devel, lzo-devel, pam-devel, etc.
So, install the RPMForge RPM for your architecture:
# rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
Then, install OpenVPN:
# yum -y install openvpn
Now that the software is installed, let's configure the OpenVPN server. We're going to create a set of certificates for authenticating connections. We're going to create 3 certs. One is the certificate authority, or CA. This will be used to sign both the server certificate and the client certificate. Next, I'll create the server and client certs that will be used to authenticate and encrypt the tunnel. In order to do this, I'll use the 'EasyRSA' software that comes with openvpn. This is specific to CentOS, your distro's methods may vary.
Copy easy-rsa into /etc/openvpn/
# rsync -a /usr/share/doc/openvpn-2.1.4/easy-rsa/2.0/ /etc/openvpn/easy-rsa/
Before we create our certificates and keys, I'm going to edit the vars file which contains the default values for my certificates. They're at the very bottom of the file, look for KEY_COUNTRY through KEY_EMAIL and customize them for your environment:
# vi /etc/openvpn/easy-rsa/vars
This is a bit of a hack but for some reason all the shell scripts that easy-rsa provides aren't marked as executable. So, to fix that I ran:
# cd /etc/openvpn/easy-rsa/ # file * | perl -lane 'system "chmod 755 $1" if (/(.*?):.*?Bourne.*?/)'
Next, source the vars file and build the Certificate Authority certificate:
# cd /etc/openpvn/easy-rsa/ # . vars # ./clean-all # ./build-ca
Ok, next we'll create the openpvn server's certificate:
# ./build-key-server openvpn-server
Next, we build the Diffie-Hellman key:
And finally, we'll build our client certificate which will be installed on a PC at the office to setup the tunnel.
# ./build-key openvpn-client
Now, we'll configure the openvpn server. Before doing so, we need to know two things. One, the network information for my office LAN and the network information for the AWS LAN. In my case, they are:
That plays into my config file, notice the customizations, "push route" and "route". Note also that for the tunnel itself I'm using 172.16.130.0/24. You can just leave that alone, or change it. It doesn't really matter what you use there. It's less confusing to use something that doesn't overlap with either your office or AWS networks though. Create a file (/etc/openvpn/vpc.conf) and add the following:
# OpenVPN Server Config port 1194 proto udp dev tun # Certificates ca /etc/openvpn/easy-rsa/keys/ca.crt cert /etc/openvpn/easy-rsa/keys/openvpn-server.crt key /etc/openvpn/easy-rsa/keys/openvpn-server.key # This file should be kept secret dh /etc/openvpn/easy-rsa/keys/dh1024.pem server 172.16.130.0 255.255.255.0 push "route 10.19.237.80 255.255.255.240" log-append /var/log/openvpn.vpc.log verb 3 status /etc/openvpn/vpc_status.log keepalive 20 100 persist-tun persist-key push "dhcp-option DNS 22.214.171.124" client-to-client client-config-dir /etc/openvpn/ccd route 172.20.0.0 255.255.255.0 user nobody group nobody comp-lzo
We haven't configured OpenVPN to use pre-shared (aka static) keys because that's less secure. Static keys are bad because if a system with the shared key is lost or stolen, the shared key must be regenerated and replaced on all systems running OpenVPN. We're running asymmetric (or two-way) encryption to ensure the identity of the VPN partner. The way that works, is the client and server both have a public and private key. They trade public keys when the connection starts and start encrypting traffic for the partner with the public key. They decrypt traffic with the private key. Only the recipient's private can decrypt data encoded by his public key. If a system is lost or stolen an administrator can simply revoke the certificates (on openvpn-server) that belong to the client in question.
In our configuration we're using asymmetric public key encryption to establish a session, then OpenVPN negotiates a static key between hosts for tunnel encryption. These expire on a regular basis and are regenerated. I see things in my logs like:
TLS: tls_process, killed expiring key
I think this is because if there's a man-in-the-middle type of attack, by the time they decrypt that static key and can actually eavesdrop on the session, the key has expired and been regenerated. By default, the time is 60 seconds - which seems good to me? :)
Now, before we start the service, it's important that both systems have accurate clocks. If the time is off by more than 5 minutes on either side, the tunnel goes away and doesn't come back until the clocks are back in sync. The easiest way to manage that is just run ntpd:
yum -y install ntp chkconfig ntpd on service ntpd start
Now, let's fire up OpenVPN:
# chkconfig openvpn on # service openvpn start
You should now see openvpn running as user nobody and listening on port 1194:
# lsof -i:1194 COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME openvpn 1448 nobody 4u IPv4 4866 UDP *:openvpn
If you have any trouble starting the service, look in: /var/log/openvpn.vpc.log for errors.
Ok, so that's the server side config. Now, we need an OpenVPN client on your LAN to create our tunnel. So, pick a box on the network and install OpenVPN. In my case, I'm going to use a Xen instance on an existing infrastructure system but you can use a desktop system or an old PC or whatever.
If you're running CentOS x86_64, use the instructions above to install RPMForge and OpenVPN.
I've called this system 'openvpn-client' and installed the software I need. So now, I need to copy down the keys I generated for this host from the OpenVPN Server in the cloud. To do this, simply:
# mkdir /etc/openvpn/keys/ # cd /etc/openvpn/keys/ # scp -P 22000 -i ~/.ssh/mykey root@publicipofopenvpnserver:/etc/openvpn/easy-rsa/keys/openvpn-client.crt . # scp -P 22000 -i ~/.ssh/mykey root@publicipofopenvpnserver:/etc/openvpn/easy-rsa/keys/openvpn-client.key . # scp -P 22000 -i ~/.ssh/mykey root@publicipofopenvpnserver:/etc/openvpn/easy-rsa/keys/ca.crt .
Ok, now we need the OpenVPN client configuration. The changes to this file you'll need to make are the name/location of the certificates and the PUBLIC IP of your OpenVPN server. Create a file on the openvpn-client system (/etc/openvpn/vpc.conf) and add the following:
client dev tun proto udp remote 126.96.36.199 1194 resolv-retry 10 nobind persist-key persist-tun ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/openvpn-client.crt key /etc/openvpn/keys/openvpn-client.key verb 3 status-version 2 log-append /var/log/openvpn.log syslog mute 10 # Enable Compression comp-lzo
Now, fire up the service on openvpn-client, which will create the tunnel:
# chkconfig openvpn on # service openvpn start
On the client, you should see that a new virtual tun interface has been created, tun0:
# ip addr show tun0 4: tun0: -POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP- mtu 1500 qdisc pfifo_fast qlen 100 link/ inet 172.16.130.6 peer 172.16.130.5/32 scope global tun0
So, we've established a connection to the VPN server, which is great. That's the magic part, it makes the systems in the cloud only one hop away through the virtual network:
# traceroute 172.16.130.1 traceroute to 172.16.130.1 (172.16.130.1), 30 hops max, 40 byte packets 1 172.16.130.1 (172.16.130.1) 110.496 ms 111.075 ms 111.100 ms
Now, you'll also notice that I have a route, automagically added by the openvpn software that makes the cloud LAN, local (in a sense). In this example, the cloud systems have LAN addresses of 10.19.237.80/28 and I have a route for that network now, through my new tunnel:
# route -n | grep ^10 10.19.237.80 172.16.130.5 255.255.255.240 UG 0 0 0 tun0
So, in theory, I should be able to ping the eth0 interface of my cloud instance, which you can see below:
# ping 10.19.237.82 PING 10.19.237.82 (10.19.237.82) 56(84) bytes of data. 64 bytes from 10.19.237.82: icmp_seq=1 ttl=64 time=202 ms 64 bytes from 10.19.237.82: icmp_seq=2 ttl=64 time=131 ms
And of course I can now access that instance directly from my LAN. No need to hit the big bad internet:
ssh -l root -i ~/.ssh/yoursshkey email@example.com -p 22000
That's a beautiful thing! Now, I can turn off (or revoke) the ACL that allows ssh access into port 22000 from my security group:
ec2-revoke VPC -Ptcp -p22000
We're still not done yet, we need to turn on packet forwarding on both openpvn-server and openvpn-client. Simply do this on both systems:
# echo 1 > /proc/sys/net/ipv4/ip_forward
Now, you're going to need to add a route, on your office gateway system. That route is going to tell all the hosts on your network that if they want to get to the AWS LAN network, they need to go through the openvpn-client system. In my case, it's something like:
# ip route add 10.19.237.80/28 via 172.20.0.9
That's because my gateway is a Linux box but all the DSL/Cable routers have the ability to add routes. Just figure out how to do that on your gateway router.
In addition, you're going to need to add routes to each instance in AWS that tells each system how to get to your office LAN. So in my case I have two instances currently running in my VPC security group. The openvpn-server and a subversion server, called svn. So, I log into the svn server and run:
# ip route add 172.16.130.0/24 via 10.19.237.82
Where 10.19.237.82 is the eth0 IP of my openvpn-server system. So now, I can ping my SVN server from my LAN. Alternatively, you could make your office the default route for all the AWS systems which may make sense in some situations.
That's pretty much scratching the surface here..
Now, what's really pretty cool about this setup, is that if you had say a San Francisco office, you could build out another openvpn-client system in SF and route packets between sites, securely through your cloud instances. Not only that but you could just make the cloud, your default route for both office networks and install Snort or whatever IDS you want and maybe a firewall distro on an instance if you want.. how about a PBX like trixbox? Total control over your networks. This concept really offers overwhelming possibilities. An office SMB share mounted on an EBS drive for example - basically you can move your IT infrastructure to the cloud.
Another possibility is that because OpenVPN supports HTTP and SOCKS proxies, you could tunnel a network from your office, through the HTTP proxy and have the public AWS systems be local to your LAN there by making those systems totally 'greenside', this is if you worked for say, some telecommunications giant with a tightly controlled internal network, for example.
If you were to run OpenVPN in bridge mode (using the tap interface) you could even route broadcast traffic and even IPX and non-IP packets to the other locations. And, there's more, traffic shaping isn't only possible it's built in to OpenVPN. In addition, if you loose your IP on the DSL office line and re-up to your Internet provider, the tunnel is re-established so quickly that none of your SSH sessions will die, they'll simply freeze up for some seconds while one of the partners gets a new IP, and then continue working normally.
Ok, also now that I've showed you how to do all this by hand, there are some dedicated firewall/gateway distro's, like Shorewall that I haven't used but that have built in support for OpenVPN, so the client config and routing stuff are done in a WebGUI. Might be a fun experiment at some point.
Then of course you can have your telecommuters or road warriors connect to OpenVPN from the road and have access to the corporate network. Again, the possibilities are overwhelming.
I'll have to do a post on getting Snort going, that would be really fun. As usual, post questions and or problems, thanks for stopping by!