There are many guides on the net on how to set up your own VPN server in the Amazon AWS cloud, but only for unix-like systems; how to do it on Windows is not covered at all.
Since I could not find any guide, I wanted to work it out myself and build a bundle of Amazon EC2 + Windows Server + OpenVPN + Android OpenVPN client.
Go!
The article is not aimed at beginners, so some general questions have been omitted.
I am not going to describe the registration process on Amazon AWS, it is simple. I had not registered before, so I was surprised that the confirmation comes to a phone number. Give a work number. After registering, go to the Dashboard (https://console.aws.amazon.com/console/home). In the menu go to Services → Compute → EC2 → Instances. Click Launch Instance to open the Wizard. In the list of available AMIs choose Microsoft Windows Server 2008 R2 Base - ami-59fc7439. In the second step we select the instance type t2.micro (Free tier); its capacity is more than enough for us. Do not rush to click Launch; click Next: Configure Instance Details (I assume that you have a VPC configured by default, have the default subnets, and have a KeyPair created. If no keys are created, first go to Dashboard → Key Pairs → Create). By the way, I rebuilt the VPC from scratch, leaving only one network in it (10.100.11.0/24).
We leave the default settings but set Auto-assign Public IP to Enable. Then click Preview and Launch. Wait a few minutes until the instance is created.
In the left Dashboard select the section Network & Security → Security Groups. Choose the group associated with our instance. At the bottom, on the Inbound and Outbound tabs, we temporarily add rules allowing all traffic to pass (alltraff). Currently only RDP is allowed there. Those in a hurry can instead open port 1194 for OpenVPN and allow ICMP on both tabs. Now that the instance is up and running, we need to connect to it. Select our instance and click Connect.
A window appears offering to download the RDP file and get the password. Download it, click Get Password, specify our key file, decrypt, and get the password. The first half of the job is done. Open the RDP file and connect to the host.
Before us is a clean OS. What do we need next?
1. Download Google Chrome to make checking easier.
2. Download OpenVPN.
3. Bring up the server with the default configuration.
4. Bring up NAT.
There should be no problems with the first two points, apart from having to download via IE. We take OpenVPN from the official site (MSI) and install it with the default settings, changing nothing.
Through Chrome, go to ipleak.net and check your IP. It will be somewhere in the US / Oregon region. I will not describe how to make server and client certificates for OpenVPN; there is enough material on this topic. Be sure to create the Diffie-Hellman parameters file (PEM, dh2048.pem); without it the server will not start.
OK, everything is downloaded and installed. On our server open the Server Manager and go to the Services section. Find OpenVPN Legacy Service, open its properties, set Startup type: Automatic and start the service. This is needed so that after our instance restarts the OpenVPN server starts on its own.
Now open C:\Program Files\OpenVPN\config and drop in the ca.key, server.key, ta.key and dh2048.pem keys and the CA and server certificates. Open C:\Program Files\OpenVPN\sample-config and copy the file server.ovpn from there to C:\Program Files\OpenVPN\config.
Overwrite its content like this:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# virtual network of our VPN
server 172.10.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
max-clients 100
persist-key
persist-tun
# HomeVPN is the TAP adapter created when installing OpenVPN; I renamed it for convenience
dev-node "HomeVPN"
# needed so that all clients are routed through the VPN without extra effort
push "route 0.0.0.0 0.0.0.0"
# specify our DNS; optional
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
verb 3
explicit-exit-notify 1
We save.
Server setup is complete. Select server.ovpn, open the context menu and select Start OpenVPN on this config file.
After that a terminal opens and the startup log scrolls by. If everything is done correctly, you will see Initialization Sequence Complete at the end.
Now, to avoid problems with client connections, you need to do one of two things: either write rules in Windows Firewall for passing OpenVPN traffic and open port 1194, or simply turn the Firewall off. I chose the second option.
Now you need to create a client configuration. It is assumed that the OpenVPN client is installed on your client device (Android) and all the necessary certificates and keys are at hand, including the client's.
The client configuration is as follows:
client
dev tun
proto udp
remote xxx-xx-xxx-xxx-xxx.us-west-2.compute.amazonaws.com 1194
resolv-retry infinite
route-method exe
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA1
verb 3
route 0.0.0.0 0.0.0.0 vpn_gateway
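Before handing a client profile out, it is worth checking that it actually matches the server profile above: same transport and cipher, tls-auth present on both sides with opposite key directions, remote-cert-tls on the client, and the DH file the text insists on. The script below is an added example, not code from the article or from the OpenVPN project; it embeds the article's own server and client profiles (with persist-tun spelled correctly, and the article's placeholder hostname in remote) and cross-checks them. It also checks that the VPN subnet is private address space; run on the article's profiles that is the one finding it reports, because 172.10.10.0/24 lies outside the 172.16.0.0/12 private block.

```python
"""Parse an OpenVPN server and client profile and cross-check the pair before the client
profile is handed out. Added example, not code from the article or the OpenVPN project.
Both profiles below are the article's own (with persist-tun spelled correctly)."""
import ipaddress
import shlex

SERVER_OVPN = """
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 172.10.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
max-clients 100
persist-key
persist-tun
dev-node "HomeVPN"
push "route 0.0.0.0 0.0.0.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
verb 3
explicit-exit-notify 1
"""

CLIENT_OVPN = """
client
dev tun
proto udp
remote xxx-xx-xxx-xxx-xxx.us-west-2.compute.amazonaws.com 1194
resolv-retry infinite
route-method exe
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA1
verb 3
route 0.0.0.0 0.0.0.0 vpn_gateway
"""


def parse_ovpn(text):
    """Return {directive: [[args...], ...]}; repeated directives such as push accumulate."""
    conf = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith(";"):            # ';' lines are OpenVPN comments too
            continue
        parts = shlex.split(raw, comments=True)     # drops trailing '# ...', keeps quoted args
        if parts:
            conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def cross_check(server, client):
    """Return a list of findings for a server/client pair; an empty list means they agree."""
    findings = []

    def first(conf, key):
        return conf.get(key, [[]])[0]

    # Transport: same proto, and the client's remote port must equal the server's port.
    if first(server, "proto") != first(client, "proto"):
        findings.append("proto differs between server and client")
    if first(server, "port") != first(client, "remote")[1:2]:
        findings.append("client remote port does not match server port")
    # No cipher negotiation is configured here, so both sides must name the same cipher.
    if first(server, "cipher") != first(client, "cipher"):
        findings.append("cipher differs between server and client")
    # tls-auth on both sides with opposite key directions (server 0, client 1).
    s_ta, c_ta = first(server, "tls-auth"), first(client, "tls-auth")
    if not s_ta or not c_ta:
        findings.append("tls-auth missing on one side; control channel is not HMAC-protected")
    elif (s_ta[-1], c_ta[-1]) != ("0", "1"):
        findings.append("tls-auth key-direction must be 0 on the server and 1 on the client")
    # The client must check the server certificate's key usage (OpenVPN's documented
    # protection against another client certificate being presented as the server).
    if first(client, "remote-cert-tls") != ["server"]:
        findings.append("client lacks 'remote-cert-tls server'")
    # Server needs DH parameters or it will not start (as the article notes).
    if "dh" not in server:
        findings.append("server lacks dh parameters (dh2048.pem)")
    # The VPN subnet should be private space so it never shadows real Internet addresses.
    srv = first(server, "server")
    if len(srv) == 2:
        net = ipaddress.ip_network(f"{srv[0]}/{srv[1]}", strict=False)
        if not net.is_private:
            findings.append(f"VPN subnet {net} is not RFC 1918 private space")
    return findings
```

Call cross_check(parse_ovpn(SERVER_OVPN), parse_ovpn(CLIENT_OVPN)) and treat any non-empty result as a stop before copying the profile to the phone. The parser relies on shlex, so quoted arguments such as push "route 0.0.0.0 0.0.0.0" and dev-node "HomeVPN" survive as single values, and the trailing comment on the tls-auth line is dropped the way OpenVPN itself drops it.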
In the Android OpenVPN app import the configuration. On the Basic tab set the authentication type to Certificates, since we have no password at all. On the Server List tab check that your Amazon server, port 1194 and type UDP are specified. On the IP address and DNS tab the Request parameters option should be set. On the Routing for IPv4 tab the Use default route option should be set. Save the configuration.
Try to connect to your server. If the connection is not established, check Network & Security → Security Groups and the firewall. If everything is OK, SUCCESS will appear and you will receive an address from the VPN network. In my case it is 172.10.10.6/30.
On the client we try to open any site... There is a connection, but sites do not open.
What is the matter? The matter is NAT.
The net has guides on how to configure NAT on Amazon, with the creation of additional AMIs, an Internet Gateway, an Elastic IP and other bullshit. None of this is necessary. Everything is much simpler.
We return to our server and add the Network Policy and Access Services role. It includes the Routing and Remote Access role. Open its context menu and select Configure and Enable.
Select the last item to create a custom configuration. In the next step choose the last two items, NAT and LAN routing.
Then expand the role: Routing and Remote Access → IPv4 → NAT. Create an interface: LAN1, the one facing the Internet. In its properties set Public interface and Enable NAT on this interface. Open the Address Pool tab. Click Add.
Here we need to add the IP address of our machine, not our network, namely the machine itself (ipconfig /all). I remind you that my network is 10.100.11.0/24, the VPN network is 172.10.10.0/24, and the address of the machine is 10.100.11.20.
As Start address we specify 10.100.11.20 and as End address the same. Mask 255.255.255.0. We save.
Now in the same dialog click the Reserve Addresses button. We need to "connect" the VPN client's address (it was 172.10.10.6/30 when connected) with the address of the machine. Click Add. In Reserve this public IP set 10.100.11.20, and below write 172.10.10.6. We do not set the Allow incoming option. We save.
Now the last step: we add another interface to NAT, the TAP adapter. I called it HomeVPN. There are no settings for it; it is a Private interface. NAT is not enabled on it.
This is how the "redirection" from VPN to LAN turned out: 172.10.10.6 → 10.100.11.20.
We reconnect on the client, wait for the VPN to come up, open ipleak.net and look.
The client's IP address will be in the USA / Oregon region, and the WebRTC IP address should show the address from our VPN network, i.e. 172.10.10.6.
If everything is so, then you have succeeded. If not, then at some step you made a mistake or hurried.
In conclusion, go to Dashboard → Network & Security → Security Groups. Choose the group associated with our instance. On the Inbound and Outbound tabs remove the rules allowing all traffic. We leave RDP, and those who have not done it before add rules for port 1194 and allow ICMP.
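The security group is opened wide ("alltraff") at the start of the article and tightened again here, so it is easy to forget a rule along the way, and the RDP rule the wizard creates is open to the whole Internet. The script below is an added example, not code from the article or from AWS; it audits a group's inbound rules against the end state described above (UDP 1194 and ICMP from anywhere, RDP only from the administrator's own address). The rule sets are constructed in the shape that aws ec2 describe-security-groups returns under IpPermissions, not captured from a real account, and ADMIN_CIDR is an assumed placeholder address.

```python
"""Audit EC2 security-group inbound rules against the minimal set the article ends with:
OpenVPN (UDP/1194) and ICMP from anywhere, RDP only from the administrator's own address.
Added example, not code from the article. The rule sets below are constructed in the
shape `aws ec2 describe-security-groups` returns under IpPermissions; ADMIN_CIDR is assumed."""
import ipaddress

ADMIN_CIDR = "203.0.113.10/32"  # assumed: the admin's public address (RFC 5737 documentation range)

# Policy: (protocol, from_port, to_port) -> CIDRs permitted as a source.
ALLOWED = {
    ("udp", 1194, 1194): ["0.0.0.0/0"],   # OpenVPN clients from anywhere
    ("icmp", -1, -1): ["0.0.0.0/0"],      # ping, handy while troubleshooting
    ("tcp", 3389, 3389): [ADMIN_CIDR],    # RDP only from the admin address
}


def _within(cidr, allowed_cidrs):
    """True if `cidr` is contained in at least one of `allowed_cidrs`."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(ipaddress.ip_network(a)) for a in allowed_cidrs)


def audit_inbound(ip_permissions):
    """Return a list of human-readable findings; an empty list means the group matches policy."""
    findings = []
    present = set()
    wide_open = False
    for perm in ip_permissions:
        proto = perm["IpProtocol"]
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        if proto == "-1":  # AWS encodes "all protocols, all ports" as "-1"
            findings.append(f"all traffic allowed from {', '.join(sources)}")
            wide_open = True
            continue
        key = (proto, perm.get("FromPort", -1), perm.get("ToPort", -1))
        present.add(key)
        for cidr in sources:
            if key not in ALLOWED:
                findings.append(f"{proto}/{key[1]}-{key[2]} open to {cidr} is not in policy")
            elif not _within(cidr, ALLOWED[key]):
                findings.append(f"{proto}/{key[1]} open to {cidr}; policy allows only {ALLOWED[key]}")
    if not wide_open:  # a missing-rule check is meaningless while an all-traffic rule exists
        for key in ALLOWED:
            if key not in present:
                findings.append(f"missing rule for {key[0]}/{key[1]} (clients or admin will be blocked)")
    return findings


# Constructed sample 1: the temporary "alltraff" group the article creates while testing.
ALLTRAFF = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]

# Constructed sample 2: the tightened group, but with RDP still open to the whole Internet,
# which is how the launch wizard created it.
FINAL_RDP_OPEN = [
    {"IpProtocol": "udp", "FromPort": 1194, "ToPort": 1194, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

# Constructed sample 3: the same group with RDP restricted to the admin address.
FINAL_TIGHT = FINAL_RDP_OPEN[:2] + [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": ADMIN_CIDR}]},
]

if __name__ == "__main__":
    for name, group in [("alltraff", ALLTRAFF), ("rdp-open", FINAL_RDP_OPEN), ("tight", FINAL_TIGHT)]:
        print(name, audit_inbound(group) or "OK")
```

Feed audit_inbound the IpPermissions list of the group attached to the instance (from the console export or the describe-security-groups JSON) and expect an empty result; anything else is a rule that either drifted from the end state above or was never added back after the alltraff phase.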
That's all. Thank you.
PS I did not test it on Windows clients, but I think everything should be the same as on Android.