This is part 2 of a 3-part series that I wrote on using CloudFormation to roll out a personal VPN internet proxy. Part 2 walks you through the details of configuring OpenVPN as a personal internet proxy and automating it with CloudFormation. You can find the article posted here on Cloud Assessments:
I have been using AWS as a personal VPN solution for a while, but I was doing so with semi-automation plus a few manual steps. I decided to make a CloudFormation template to fully automate the provisioning, so that you only pay for the resources while you actually need to use them.
These are the steps taken by the template:
Create a new VPC and a single subnet with a default route to the internet via an Internet Gateway attached to the VPC
Create a new instance: a t2.micro using the 2017.09 Amazon Linux AMI. As the actual AMI ID differs per region, I included a static map keyed by region
An elastic network interface is created and a new Elastic IP is associated with it
Within the EC2 instance, cfn-init handles all the bootstrapping:
easyrsa is installed and used to generate a CA and keys
openssl is used to generate a static TLS key
An OpenVPN .ovpn client profile is generated from the concatenation of the key, cert and CA
The OpenVPN server is installed and configured
An S3 bucket is created and the static TLS key and client profile are uploaded to it
A Lambda function is created with a cfn-init event listener; when the delete-stack event fires, the Lambda function empties the S3 bucket and then deletes it. This Lambda function exists only for that cleanup, because CloudFormation will not delete a bucket that still contains objects on its own.
A client user with access to the S3 bucket can download the profile, load it into their OpenVPN client, and connect.
When you're finished, all created resources are removed on stack deletion
Using it is simple: run it in CloudFormation, download the .ovpn client profile from S3 and you're good to go. I embedded everything into a single template so that it would be as easy as possible.
P.S. If you get a missing-key error while connecting, it is probably because you moved the profile out of the directory after extracting it. (The profile looks for the key in the same directory, and that key is included in the zip file.)
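The profile-assembly step and the P.S. above, as an added example that is not part of the original template: a POSIX shell function that builds the .ovpn with the CA, client certificate, client key and static tls-auth key embedded inline, so the profile is a single file and no longer depends on a key file sitting beside it. The server address, the 1194/UDP remote and the fixture file contents are assumptions.

```shell
# Added example, not part of the original template: assemble a single-file
# OpenVPN client profile with the CA, client cert, client key and the static
# tls-auth key embedded inline, so the profile no longer depends on a key
# file sitting in the same directory (the "missing key" case above).
set -e
# Print the profile on stdout. Args: server, ca.crt, client.crt, client.key, ta.key
build_ovpn_profile() {
    server="$1" ca="$2" cert="$3" key="$4" ta="$5"
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
nobind
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
key-direction 1
<ca>
$(cat "$ca")
</ca>
<cert>
$(cat "$cert")
</cert>
<key>
$(cat "$key")
</key>
<tls-auth>
$(cat "$ta")
</tls-auth>
EOF
}

# Constructed placeholder PEM material so this runs offline; in the real
# stack these files come from the easyrsa and openssl steps in cfn-init.
make_fixture_dir() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'FIXTURE-CA' '-----END CERTIFICATE-----' > "$dir/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'FIXTURE-CLIENT' '-----END CERTIFICATE-----' > "$dir/client.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'FIXTURE-KEY' '-----END PRIVATE KEY-----' > "$dir/client.key"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'FIXTURE-TA' '-----END OpenVPN Static key V1-----' > "$dir/ta.key"
    printf '%s\n' "$dir"
}

# Stand-alone use: "sh profile.sh demo" prints a profile built from the fixtures.
if [ "${1:-}" = demo ]; then
    d=$(make_fixture_dir)
    build_ovpn_profile 203.0.113.10 "$d/ca.crt" "$d/client.crt" "$d/client.key" "$d/ta.key"
    rm -rf "$d"
fi
```

The `remote-cert-tls server` line makes the client refuse any peer whose certificate lacks the server EKU, which matters when the CA in the profile also signed client certificates.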