
Setting up your own VPN server on Amazon EC2 under Windows Server 2008 R2

There are plenty of guides on the web on how to set up your own VPN server in the Amazon AWS cloud, but all of them are for unix-like systems; how to do it on Windows is not covered at all.

Since I found no guide, I decided to work it out myself and build the combination Amazon EC2 + Windows Server + OpenVPN + Android OpenVPN client.

Go!

The article is not designed for beginners, so some general questions have been omitted.
I am not going to describe registration on Amazon AWS, it is simple. I had not registered before, so I was surprised that the confirmation code comes to a phone number; give a number you actually have at hand. After registration, go to the Dashboard: https://console.aws.amazon.com/console/home

Go to the menu Services → Compute → EC2 → Instances. Click Launch Instance to open the wizard. From the list of available AMIs choose Microsoft Windows Server 2008 R2 Base (ami-59fc7439).

In the second step select the t2.micro instance type (Free tier); its capacity is more than enough for us. Do not rush to click Launch, click Next: Configure Instance Details instead (I assume you have the default VPC with its default subnets and that a key pair already exists; if not, first go to Dashboard → Key Pairs → Create). By the way, I rebuilt the VPC from scratch, leaving only one subnet in it (10.100.11.0/24).

Leave the default settings, but set Auto-assign Public IP to Enable. Then click Review and Launch and wait a few minutes while the instance is created.

In the left pane of the Dashboard open Network & Security → Security Groups and pick the group associated with our instance. At the bottom, on the Inbound and Outbound tabs, temporarily add a rule allowing all traffic (All traffic).

Right now only RDP is allowed there. Those in a hurry can instead add just UDP port 1194 for OpenVPN and ICMP on both tabs, which is what should remain at the end anyway; an allow-all rule on an Internet-facing host is acceptable only for the few minutes until it is removed. Now that the instance is running, we need to connect to it: select the instance and click Connect.

A window appears offering to download the RDP file and get the password. Download the file, click Get Password, point it at our key file, decrypt, and get the password. Half the job is done. Open the RDP file and connect to the host.
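Instead of temporarily opening all traffic and cleaning up afterwards, the three rules the instance actually needs can be added in one go from the admin workstation with the AWS CLI, with RDP limited to your own address rather than the whole Internet. This is an added example, not part of the article; the security group id and the admin address are placeholders to replace, and it assumes the AWS CLI is installed and has credentials.

```powershell
# Added example (not from the article): least-privilege ingress with the AWS CLI, run from the admin
# workstation in PowerShell. The group id and the admin address below are placeholders; replace them.
$sg    = "sg-0123456789abcdef0"   # assumption: the security group attached to the instance
$admin = "203.0.113.10/32"        # assumption: the workstation you RDP from (documentation address)

# The three rules the article ends up with, RDP restricted to the admin address instead of the world.
@"
[
  {"IpProtocol": "tcp",  "FromPort": 3389, "ToPort": 3389,
   "IpRanges": [{"CidrIp": "$admin", "Description": "RDP from admin workstation only"}]},
  {"IpProtocol": "udp",  "FromPort": 1194, "ToPort": 1194,
   "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "OpenVPN clients"}]},
  {"IpProtocol": "icmp", "FromPort": -1,   "ToPort": -1,
   "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "ping for troubleshooting"}]}
]
"@ | Set-Content -Path ingress.json -Encoding Ascii   # Ascii: no UTF-8 BOM, which the CLI's JSON parser rejects

aws ec2 authorize-security-group-ingress --group-id $sg --ip-permissions file://ingress.json

# If the temporary allow-all inbound rule from the article was added, take it out again
# (this call fails with InvalidPermission.NotFound when the rule was never there, which is fine).
'[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]' |
  Set-Content -Path allow-all.json -Encoding Ascii
aws ec2 revoke-security-group-ingress --group-id $sg --ip-permissions file://allow-all.json

# Check the result: only the three rules above should remain inbound.
aws ec2 describe-security-groups --group-ids $sg --query "SecurityGroups[0].IpPermissions" --output table
```

Outbound is left at the default (allow all), which is what the instance needs to forward client traffic to the Internet later.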

Before us is a clean OS. What do we need next?

1. Download Google Chrome, to make checking easier.
2. Download OpenVPN.
3. Bring up the server with the default configuration.
4. Set up NAT.

The first two points should pose no problems, apart from having to download through IE. OpenVPN is downloaded from the official site (the MSI installer) and installed with default settings, changing nothing.

In Chrome, go to ipleak.net and check your IP; it will be somewhere in the US / Oregon region. I will not describe how to make the server and client certificates for OpenVPN, there is plenty of material on that. Be sure to generate the Diffie-Hellman parameters file (dh2048.pem, a PEM file); without it the server will not start.

OK, everything is downloaded and installed. On the server open Server Manager and go to the Services section. Find OpenVPN Legacy Service, open its properties, set Startup type: Automatic and start the service. This is needed so that after a restart of our instance the OpenVPN server comes up on its own (the service starts every .ovpn file it finds in the config folder).

Now open C:\Program Files\OpenVPN\config and drop in server.key, ta.key and dh2048.pem together with the CA and server certificates (ca.crt, server.crt). The CA private key (ca.key) does not belong on the VPN server: it is only needed where new certificates are signed, so keep it on the machine that issues them. Then open C:\Program Files\OpenVPN\sample-config and copy server.ovpn from there to C:\Program Files\OpenVPN\config.
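Since the article leaves certificate generation out, here is one way to produce every file the server and the client need, as an added example that is not the author's procedure: it uses the openssl.exe and openvpn.exe that the OpenVPN installer puts in its bin folder instead of easy-rsa, and it is meant to run on the admin workstation, so ca.key never touches the EC2 host. The OPENSSL_CONF path, the certificate names and the validity period are assumptions.

```powershell
# Added example (not from the article): issuing the files OpenVPN needs with the openssl.exe and
# openvpn.exe shipped in C:\Program Files\OpenVPN\bin. Run on the admin workstation, not on the
# EC2 host, so that ca.key never leaves this machine.
$env:Path += ";C:\Program Files\OpenVPN\bin"
# openssl req needs a config file; the installer ships one with easy-rsa (assumption: name and
# location differ between OpenVPN versions, adjust to what is present).
$env:OPENSSL_CONF = "C:\Program Files\OpenVPN\easy-rsa\openssl-1.0.0.cnf"
$days = 3650

# 1. CA key and self-signed CA certificate.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days $days -keyout ca.key -out ca.crt -subj "/CN=HomeVPN-CA"

# 2. Extensions. The client's remote-cert-tls server only accepts a server certificate carrying the
#    serverAuth EKU, which is what stops a stolen client certificate from impersonating the server.
Set-Content -Path server.ext -Encoding Ascii -Value @"
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
"@
Set-Content -Path client.ext -Encoding Ascii -Value @"
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
"@

# 3. Server key and certificate, signed by the CA.
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj "/CN=server"
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -sha256 -days $days -extfile server.ext -out server.crt

# 4. One client key and certificate per device (the CN is what the server logs).
openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj "/CN=android"
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -sha256 -days $days -extfile client.ext -out client.crt

# 5. Diffie-Hellman parameters (takes a few minutes) and the tls-auth key.
#    OpenVPN 2.4 syntax below; 2.5 and later use: openvpn --genkey secret ta.key
openssl dhparam -out dh2048.pem 2048
openvpn --genkey --secret ta.key

# 6. Verify what the client will verify: the chain and the server EKU.
openssl verify -CAfile ca.crt server.crt client.crt
openssl x509 -in server.crt -noout -text | Select-String "TLS Web Server Authentication"

# Where each file goes:
#   EC2 server, C:\Program Files\OpenVPN\config :  ca.crt server.crt server.key dh2048.pem ta.key
#   Android client                              :  ca.crt client.crt client.key ta.key
#   stays here, offline                         :  ca.key (and delete the .csr files)
```

Copy the server files over the RDP session and the client files to the phone; ta.key is shared by both sides, ca.key by nobody.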

Replace its contents with the following:

port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

# virtual network of our VPN
# (note: 172.10.10.0/24 is not RFC 1918 space, which is 172.16.0.0/12; it works here because
#  clients send everything through the tunnel, but a range like 10.8.0.0/24 avoids shadowing
#  real Internet addresses)
server 172.10.10.0 255.255.255.0

ifconfig-pool-persist ipp.txt
keepalive 10 120

tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC

max-clients 100

persist-key
persist-tun

# HomeVPN is the TAP adapter created by the OpenVPN installer; I renamed it for convenience
dev-node "HomeVPN"

# so that all clients are routed through the VPN without extra work
# (redirect-gateway def1 is the portable equivalent)
push "route 0.0.0.0 0.0.0.0"

# hand out DNS servers to clients; optional
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

verb 3
explicit-exit-notify 1

We save.

Server setup is done. Right-click server.ovpn and choose Start OpenVPN on this config file.

A console window opens and the log scrolls by. If everything is done correctly, the last line will be Initialization Sequence Complete.

Now, to avoid problems with client connections, one of two things has to be done: either write a Windows Firewall rule allowing inbound UDP port 1194 to OpenVPN, or simply turn the firewall off. I chose the second. The first is the better choice on an Internet-facing host: one inbound rule for UDP 1194 is all OpenVPN needs, and the firewall keeps covering everything else on the box.
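The firewall-rule variant, as an added example rather than the article's own steps, run on the EC2 host in an elevated PowerShell. Windows Server 2008 R2 has no New-NetFirewallRule cmdlet (that came with 2012), so it uses netsh advfirewall; the admin address is a placeholder, and the built-in RDP rule is assumed to still carry its default name.

```powershell
# Added example (not from the article): keep Windows Firewall on and open only what OpenVPN needs.
# Run on the EC2 host in an elevated PowerShell.
$admin = "203.0.113.10/32"   # assumption: the address you RDP from (documentation address, replace it)

# Firewall stays enabled on all profiles.
netsh advfirewall set allprofiles state on

# Inbound UDP 1194, and only for openvpn.exe.
netsh advfirewall firewall add rule name="OpenVPN UDP 1194" dir=in action=allow protocol=UDP localport=1194 program="C:\Program Files\OpenVPN\bin\openvpn.exe"

# Defense in depth next to the security group: the built-in RDP rule limited to the admin address
# (assumption: the rule still has its default name "Remote Desktop (TCP-In)").
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new "remoteip=$admin"

# Check both rules.
netsh advfirewall firewall show rule name="OpenVPN UDP 1194"
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"
```

If the RDP session drops after the last set rule, the admin address was wrong; fix it from the EC2 console by temporarily disabling the firewall profile is not possible remotely, so double-check the address before running that line.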

Now you need to create a client configuration. It is assumed that the OpenVPN Client is installed on your client (Android) and all the necessary certificates and keys are available, including the client one.

The client configuration is as follows:

client
dev tun
proto udp
# public DNS name of the instance
remote xxx-xx-xxx-xxx-xxx.us-west-2.compute.amazonaws.com 1194
resolv-retry infinite
# Windows-only; ignored on Android
route-method exe
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
# reject a server whose certificate lacks the serverAuth EKU
# (stops a client certificate from being used to impersonate the server)
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
# HMAC digest; must match the server (SHA1 is the server default)
auth SHA1
verb 3
# full tunnel; redirect-gateway def1 is the portable equivalent
# (it adds two /1 routes instead of a second default route)
route 0.0.0.0 0.0.0.0 vpn_gateway

Import the configuration into OpenVPN for Android. On the Basic tab set the authentication type to Certificates, since we have no password at all. On the Server List tab check that your Amazon server, port 1194 and type UDP are specified. On the IP and DNS tab, Pull Settings should be enabled.

On the Routing tab for IPv4, Use default Route should be enabled.

Save the configuration.

Try to connect to your server. If the connection is not established, check the Security Groups (Network & Security → Security Groups) and the firewall. If all is well, SUCCESS appears in the log and you get an address from the VPN network. In my case it is 172.10.10.6/30 (with the default net30 topology each client gets its own /30).

On the client, try to open any site... The connection is up, but sites do not open.

What is the matter? The matter is NAT.

The web has guides on configuring NAT on Amazon with the creation of extra AMIs, an Internet Gateway, Elastic IPs and other clutter. None of that is needed.

Everything is much simpler.

Back on our server, add the Network Policy and Access Services role; it includes the Routing and Remote Access role service. Right-click Routing and Remote Access and choose Configure and Enable Routing and Remote Access.

Pick the last item, Custom configuration. In the next step tick the last two items, NAT and LAN routing.

Then expand Routing and Remote Access → IPv4 → NAT. Add a new interface: LAN1, the one facing the Internet. In its properties select Public interface connected to the Internet and Enable NAT on this interface. Open the Address Pool tab and click Add.

Here we add the IP address of the machine itself, not of the network (see ipconfig /all). Recall that my network is 10.100.11.0/24, the VPN network is 172.10.10.0/24 and the machine's address is 10.100.11.20. Start address 10.100.11.20, End address the same, mask 255.255.255.0.

We save.

Now, in the same dialog, click Reserve Addresses. We need to tie the VPN client's address (it was 172.10.10.6/30 when it connected) to the machine's address. Click Add.

In Reserve this public IP address enter 10.100.11.20, and below it, for the computer on the private network, 172.10.10.6. Leave Allow incoming sessions to this address unchecked.

We save.

Now the last step: add one more interface to NAT, the TAP one, which I called HomeVPN. It needs no settings, it is a Private interface connected to private network; NAT is not enabled on it.

This is how the "redirection" from VPN to LAN came out: 172.10.10.6 → 10.100.11.20. Note that a reservation covers exactly one client address, so every additional VPN client would need its own; with NAT enabled on the public interface alone (no address pool) RRAS masquerades all private-side addresses behind the interface address, which is the usual setup.
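The same NAT setup done with netsh instead of clicking through the RRAS console, as an added example that is not part of the article. It runs on the EC2 host in an elevated PowerShell and assumes that RRAS was enabled with the wizard's custom configuration (NAT + LAN routing) as described above, that the NIC and the TAP adapter are named LAN1 and HomeVPN, and that the role service id is NPAS-RRAS-Services as listed by Get-WindowsFeature; the netsh routing context only exists once RRAS is installed.

```powershell
# Added example (not from the article): the NAT part with netsh rather than the RRAS console.
# Run on the EC2 host in an elevated PowerShell; see the assumptions in the text above.
Import-Module ServerManager
Add-WindowsFeature NPAS-RRAS-Services        # Routing and Remote Access Services (assumption: id as shown by Get-WindowsFeature)
Set-Service RemoteAccess -StartupType Automatic
Start-Service RemoteAccess

# NAT protocol plus the two interfaces: full NAT on the Internet side, private on the TAP side.
netsh routing ip nat install
netsh routing ip nat add interface name="LAN1" mode=full
netsh routing ip nat add interface name="HomeVPN" mode=private

# What the article's Address Pool and Reserve Addresses dialogs do, for reference: one public address
# in the pool and one client pinned to it with inbound sessions disabled. Each further client needs
# its own addressmapping line, which is why mode=full without a pool is the usual choice.
netsh routing ip nat add addressrange name="LAN1" start=10.100.11.20 end=10.100.11.20 mask=255.255.255.0
netsh routing ip nat add addressmapping name="LAN1" public=10.100.11.20 private=172.10.10.6 inboundsessions=disable

# Check: LAN1 should show as full NAT, HomeVPN as private.
netsh routing ip nat show interface
```

The two addressrange/addressmapping lines can be left out entirely if plain interface NAT is used; the keywords for those two subcommands should be confirmed with netsh routing ip nat add addressmapping ? on the host, since their argument names vary in documentation.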

Reconnect on the client, wait for the VPN to come up, open ipleak.net and look.

The client's IP address will be in the USA / Oregon region, and the WebRTC local address should show the client's own VPN address, i.e. 172.10.10.6, rather than the address of your home or mobile network.

If everything is so, then you have succeeded. If not, then at some step you made a mistake, or hurried.

Finally, go to the Dashboard → Network & Security → Security Groups, pick the group associated with our instance and, on the Inbound and Outbound tabs, remove the allow-all rules. Leave RDP (ideally restricted to your own address), and those who have not done so yet add rules for UDP port 1194 and ICMP.

That is all for now. Thank you.

PS I did not test it on Windows clients, but I think everything should be the same as on Android.

Source: https://habr.com/ru/post/327676/

