Secure your Cloud and On-premise Infrastructure with Open-source tools.
Are you looking to secure your infrastructure from attackers in today's remote-working environment?
If so, this article shows how to secure your cloud and data-center servers on a low budget. As a cloud or DevOps engineer, you constantly face the challenge of finding cost-effective and reliable solutions for your running UAT and production servers.
If you run a startup, or your business has been hit by the pandemic, your sites may not be reaching 99% availability. At the same time, the core software development team is working from home and needs to connect to the servers remotely every day.
For these problems, I will describe a solution to which your technical manager or resource manager will definitely say "Yes".
Let’s begin.
Since everyone is moving to the cloud, we will use an AWS EC2 Ubuntu instance in an existing VPC. You can implement the same setup in any Linux environment.
Suppose your servers are running smoothly but are reachable from the public internet; sooner or later that exposure brings unexpected attacks. The architecture above was designed around an existing AWS EC2 environment: we add one OpenVPN server per VPC without changing the running network architecture. This adds one layer of network segmentation, and a tunnel through which the UAT or production servers are reached only when needed.
OpenVPN is a fast, popular open-source program for creating a VPN (Virtual Private Network). It runs over either TCP or UDP, and its tunnels are secured with the OpenVPN protocol using SSL/TLS authentication: certificates, credentials, optionally a MAC-address lock, and multi-factor authentication. It has a client-server architecture.
So now, let’s install.
Before installing, I recommend you identify and note the public IP of the instance that will host the VPN server. It is required later in the setup, because it becomes the endpoint written into every client configuration.
First, SSH into the remote Ubuntu server where OpenVPN will be installed.
$ ssh ubuntu@public_ip
Download the script and make it executable:
$ cd ~
$ curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
$ chmod +x openvpn-install.sh
Now we are ready to run the script in the Linux terminal. It runs as root and changes the system's packet forwarding, firewall and service configuration, so read through it before executing it:
$ sudo bash openvpn-install.sh
The first time it runs, the script asks a few questions (the server's IP or public endpoint, protocol, port, DNS, client name, and so on). Read them carefully and answer according to your needs to set up your OpenVPN server.
Once the installation completes, a client configuration file in .ovpn format is written to the home directory of the user who ran sudo (for example /home/ubuntu/<client>.ovpn). The user imports this file into their VPN client. Treat it as a credential: it embeds the client's certificate and private key.
Let's confirm that the OpenVPN service is up and running. The script installs it as the openvpn@server unit, so check that one (a plain "openvpn" unit may show nothing):
$ sudo systemctl status openvpn@server
If you check the network interfaces, a new tun interface (tun0, carrying the 10.8.0.0/24 tunnel address) has been created. You can confirm this with:
$ ip addr
Our VPN server is ready to connect to the AWS infrastructure privately and securely. A bonus is that VPN clients exist for every major platform (Windows, macOS, Linux, and mobile: Android and iOS).
Suggestions:
After the installation, I encountered two issues that needed fixing to reach our goal. Adjust these to your needs in the network layer of the AWS VPC.
1. VPN server side:
The clients need a route for the VPC private network (172.31.1.0/24 in the architecture above) through the VPN tunnel interface (10.8.0.0/24). The installer already enables IP forwarding and NAT on the server, so what is missing is a pushed route that tells each client to send VPC-bound traffic into the tunnel. For example:
push "route 172.31.1.0 255.255.255.0"
Add this line to server.conf (found at /path/to/openvpn/server.conf) and restart the VPN service. Note that OpenVPN's route directive takes a dotted netmask, not CIDR notation. Because the installer masquerades tunnel traffic behind the server's primary interface, the VPC instances see these connections coming from the VPN server's private IP rather than from a 10.8.0.x address.
$ sudo systemctl restart openvpn@server
2. Client side:
For Windows users, comment out these two lines in the provided .ovpn file:
#ignore-unknown-option block-outside-dns
#setenv opt block-outside-dns # Prevent Windows 10 DNS leak
These two options are what stop Windows from sending DNS queries outside the tunnel; once they are disabled, the client resolves names through its usual resolver again, so keep that trade-off in mind.
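As an added example (not part of the article or the openvpn-install script), the shell snippet below does the server-side step in a form that can be repeated safely from a provisioning script: it converts a VPC CIDR into the network/netmask pair OpenVPN's route directive expects, and appends the matching push line to a server.conf only if it is not already there. It works on a constructed temporary server.conf; the CIDRs are assumptions, and it does not touch /etc/openvpn or restart any service.

```shell
#!/bin/sh
# Added example, not from the original article or the openvpn-install script:
# turn a VPC CIDR into the "network netmask" pair OpenVPN's route directive
# expects, and append the matching push line to a server.conf only once, so
# the step is safe to repeat from a provisioning script. It works on a
# constructed temporary server.conf; the CIDRs are assumptions and nothing
# under /etc/openvpn is touched.
set -eu

# cidr_to_route 172.31.1.0/24  ->  "172.31.1.0 255.255.255.0"
cidr_to_route() {
  local ip prefix mask
  ip=${1%/*}
  prefix=${1#*/}
  if [ "$prefix" -lt 0 ] || [ "$prefix" -gt 32 ]; then
    echo "bad prefix length in $1" >&2
    return 1
  fi
  # 32-bit mask with the top $prefix bits set (4294967295 = 0xFFFFFFFF).
  if [ "$prefix" -eq 0 ]; then
    mask=0
  else
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  fi
  printf '%s %d.%d.%d.%d\n' "$ip" \
    $(( (mask >> 24) & 255 )) $(( (mask >> 16) & 255 )) \
    $(( (mask >> 8) & 255 ))  $(( mask & 255 ))
}

# ensure_push_route <server.conf> <cidr>: append push "route ..." if absent.
ensure_push_route() {
  local conf route line
  conf=$1
  route=$(cidr_to_route "$2")
  line="push \"route $route\""
  if grep -qxF "$line" "$conf"; then
    echo "already present: $line"
  else
    printf '%s\n' "$line" >> "$conf"
    echo "added: $line"
  fi
}

# count_push_routes <server.conf>: number of pushed routes in the file.
count_push_routes() {
  grep -c '^push "route ' "$1" || true
}

# Demo on a throwaway server.conf that mimics the installer's basic settings
# (constructed here, not copied from a real install).
demo() {
  local tmp conf
  tmp=$(mktemp -d)
  conf=$tmp/server.conf
  cat > "$conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
EOF
  ensure_push_route "$conf" 172.31.1.0/24
  ensure_push_route "$conf" 172.31.1.0/24    # no-op the second time
  ensure_push_route "$conf" 172.31.16.0/20
  echo "pushed routes: $(count_push_routes "$conf")"   # 2
  cat "$conf"
  rm -rf "$tmp"
}
demo
```

Point ensure_push_route at the real server.conf and follow it with the systemctl restart shown above once the line has actually been added; a second run reports the route as already present and leaves the file untouched.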
We are ready to connect our VPN server.
Final step:
We need to restrict public access to server ports such as SSH, database, Redis, Kafka, RabbitMQ, etc. in the EC2 security groups, and allow only the sources that should reach those resources directly, including our VPN server's private IP (or, better, a rule that references the VPN server's security group, which keeps working if that IP ever changes). Since the installer NATs tunnel traffic behind the VPN server, that single private IP is what the other instances see. The only port that must stay open to the world is the OpenVPN listener itself (UDP 1194 by default).
This way, the development team can reach your infrastructure resources privately and more securely. On cost, a t3.medium can comfortably handle 30–60 concurrent user connections. Lastly, change the default configuration to suit your needs; that is the best practice for a production deployment.
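To check that final step, here is an added example (not from the article) that audits a security group's ingress rules for anything still reachable from the whole internet and prints the aws CLI commands that would replace each such rule with one sourced from the VPN server's security group. The input is a constructed sample whose layout imitates `aws ec2 describe-security-groups --output text` (the column order is an assumption, so adjust the awk if your output differs), and the group IDs sg-0123 and sg-vpn are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: find security-group ingress
# rules still open to the whole internet and generate the aws CLI calls that
# would re-scope them to the VPN server's security group instead.
# Input layout imitates `aws ec2 describe-security-groups --output text`
# (assumed column order: IPPERMISSIONS FromPort IpProtocol ToPort, followed by
# one IPRANGES/IPV6RANGES line per CIDR). Adjust the awk if yours differs.
set -eu

# Constructed sample (not real output): SSH and Redis are still world-open,
# Postgres is already limited to one host, and the OpenVPN port must stay open.
SAMPLE_SG='IPPERMISSIONS 22 tcp 22
IPRANGES 0.0.0.0/0
IPPERMISSIONS 1194 udp 1194
IPRANGES 0.0.0.0/0
IPPERMISSIONS 5432 tcp 5432
IPRANGES 172.31.1.50/32
IPPERMISSIONS 6379 tcp 6379
IPRANGES 0.0.0.0/0
IPV6RANGES ::/0'

# audit_public_rules [allowed]: read the text dump on stdin and print one line
# per rule reachable from 0.0.0.0/0 or ::/0, except the proto/port pairs in $1
# (space separated; default is the OpenVPN listener, udp/1194).
audit_public_rules() {
  awk -v allow="${1:-udp/1194}" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "IPPERMISSIONS" { from = $2; proto = $3; to = $4; next }
    ($1 == "IPRANGES" || $1 == "IPV6RANGES") && ($2 == "0.0.0.0/0" || $2 == "::/0") {
      if (from == to && ((proto "/" from) in ok)) next
      printf "%s/%s-%s open to %s\n", proto, from, to, $2
    }'
}

# fix_commands <group-id> <vpn-group-id>: turn audit lines into aws CLI calls
# that revoke the world-open rule and allow the same port only from the VPN
# server's security group. They are printed for review, never executed here.
fix_commands() {
  awk -v sg="$1" -v vpn="$2" '
    {
      split($1, p, "/"); proto = p[1]; split(p[2], r, "-")
      port = (r[1] == r[2]) ? r[1] : r[1] "-" r[2]
      if ($4 == "::/0") {
        # --cidr only takes IPv4; IPv6 rules need --ip-permissions with Ipv6Ranges.
        printf "# %s: IPv6 rule, revoke it with --ip-permissions Ipv6Ranges\n", $0
        next
      }
      printf "aws ec2 revoke-security-group-ingress --group-id %s --protocol %s --port %s --cidr %s\n", sg, proto, port, $4
      printf "aws ec2 authorize-security-group-ingress --group-id %s --protocol %s --port %s --source-group %s\n", sg, proto, port, vpn
    }'
}

# Run the audit on the sample and show the remediation for the placeholder IDs.
printf '%s\n' "$SAMPLE_SG" | audit_public_rules
printf '%s\n' "$SAMPLE_SG" | audit_public_rules | fix_commands sg-0123 sg-vpn
```

Against a real group, feed `aws ec2 describe-security-groups --group-ids <id> --output text` into audit_public_rules and pass the VPN instance's group ID to fix_commands; review the printed commands before running them, and remember that the `--source-group` rule only covers traffic that leaves the VPN server with its own private IP, which is what the installer's NAT rule gives you.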
Happy Learning……