Automate the installation and configuration of OpenVPN with CloudFormation

This is part 2 of a 3 part series that I wrote on using CloudFormation to rollout a personal VPN internet proxy. Part 2 walks you through the details of configuring OpenVPN as a personal internet proxy and automating it with CloudFormation. You can find the article posted here on Cloud Assessments:

How to roll your own VPN with AWS CloudFormation – Part two

Corresponding video walkthrough that you can find here on YouTube:

The article will guide you through the content of this template:

Using AWS as a personal on-demand VPN solution

I have been using AWS as a personal VPN solution for awhile, but I was doing so with semi-automation + a few manual steps. I decided to make a CloudFormation template to fully automate the provisioning, making it easy to only pay for the resources when you actually need to use them.

These are the steps taken by the template:

  • Create a new VPC, create a single subnet with a default route to the internet via VPC attached IGW
  • Create a new instance: t2.micro using the 2017.09 Amazon Linux AMI. As the actual AMI id differs per region, I included a static map keyed by region
  • An elastic network interface is created and a new elastic IP is associated
  • Within the EC2 instance, cfn-init handles all the bootstrapping:
    • easyrsa is installed and used to generate a ca and keys
    • openssl is used to generate a static tls key
    • An OpenVPN .ovpn client profile is generated from the concatenation of the key + cert + ca
    • openvpn server is installed and configured
  • An S3 bucket is created and the static tls key + client profile are uploaded
  • A Lambda function is created with a cfn-init event listener, when the delete stack event fires the lambda function will empty the S3 bucket and then delete it. The purpose of this Lambda function is just for this cleanup purpose as CloudFormation will not delete a bucket containing objects on it’s own.
  • A client user with access to the S3 bucket can download the profile, load into their OpenVPN client, and connect.
  • When your finished, all created resources are removed on stack deletion

Using it is simple, just run it in CloudFormation, download the ovpn client profile from S3 and your good to go. I embedded everything into a single template so that it would be as easy as possible.

You can download it here:

P.S. If you get a missing key error while connecting, it is probably because you moved the profile out of the directory after extracting it. (The profile looks for the key in the same directory, which is included in the zip file)