Ready to Use OpenVPN Servers in AWS For Everyone
Reclaim some lost privacy and security by using a fully automated OpenVPN server solution in AWS! Readily available as a one-stop Terraform module on GitHub.
WiFi Hotspots and Unsolicited Baggage
Ever used a WiFi hotspot such as ubiquitously found in coffee shops, hotels, or conference venues around the globe?
If you’re like me, the most likely answer is “Well, duh! — I need to get back online!”. Followed by a cognitive micro-pause. And the slightly intriguing follow-up question “Why are you asking in the first place…?!”
So, for a fee — or sometimes nothing at all — you’re getting back online. But is that really all you’re getting?! Is there any hidden baggage? Things you didn’t ask for or maybe never wanted but got anyway?
Why Reliable Connections Matter
The last time you connected to a WiFi hotspot that you didn’t own or control — how comfortable were you with the security offered by the WiFi hotspot?
How could you be sure that the only additional security threat worth worrying about was a physical shoulder surfer? That there was nothing inside the WiFi hotspot tampering with your connection, sending you to dodgy pages that looked just like the real ones but were actually phishing for your personal information?
Ever noticed some sites or services being unavailable or blocked when connecting to a WiFi hotspot? That’s when the WiFi hotspot provider is effectively tampering with your connection (for reasons that can be absolutely legitimate).
Why Privacy Matters
But even with security being rock solid and no one tampering with your connection — how comfortable were you with the privacy offered by the WiFi hotspot?
How could you be sure that, again, the only additional threat to your privacy was a physical shoulder surfer? That there was nothing inside the WiFi hotspot snooping on your every Google search, social network visit, or video binge-watching? That there wasn’t a little minion creating a meticulous log of you: your every activity, thought, or action.
Sure, you might dismiss these privacy concerns as “a concept from the last millennium” that is “no longer applicable to the new age” and you “have nothing to hide”. If that’s the case, then the following shouldn’t really be a problem for you.
If you have nothing to hide, then please send me your primary email address alongside the corresponding password to dominic at how-hard-can-it.be
I have been running this experiment for some years now and my inbox is still waiting for the first email address and password combination to arrive.
How to Reclaim Control with VPNs
While the above may sound like doom and gloom for security and privacy to some extent, the good news is that not all hope is lost.
In fact, there are many well established technologies readily available at scale that can mitigate the above concerns to some extent. One option is to use a Virtual Private Network (in short VPN).
There are many myths around what VPNs actually are and what they can and cannot do. Let’s demystify VPNs first before exploring their benefits and limitations.
What a VPN is
In essence, a VPN is
A network of computers that use public networks to establish secure connections to create the illusion of a private network.
Wikipedia has a more detailed description of a VPN that also covers the origins and additional benefits for corporations.
How to Leverage VPNs
The crucial observation that can be made from the above definition of a VPN is the following.
If your machine is connected to a VPN that has a route to the internet and you’re routing all your network traffic through the VPN, you’re effectively routing all traffic to the internet through the VPN.
Note that this way, your internet provider sees you having only a single connection — the one to the VPN. Dull but effective when combined with the following observation.
When routing all network traffic through a VPN, all traffic to the internet egresses at the VPN and is hence only subjected to the restrictions imposed by the VPN.
What this means is that VPNs can be used to create secure private networks with arbitrary internet egress restrictions. Just what we were after in the first place.
What VPNs Can Do For You
Let’s revisit the scenario of using a WiFi hotspot described above. But this time, we’re using a secure connection to a VPN controlled by you and routing all network traffic through the VPN. What has changed?
First, the WiFi hotspot can no longer tamper with your connections. The single connection to the VPN that carries all network (and hence internet) traffic is encrypted and authenticated, so any tampering in transit is detected and the packets are dropped. However, this protection does not stretch beyond the VPN!
Second, snooping on your connections by the WiFi hotspot is no longer possible. Again, the single connection to the VPN that carries all network (and hence internet) traffic is encrypted; the hotspot only learns which VPN endpoint you talk to and how much traffic flows. However, this again does not stretch beyond the VPN!
Third, access to sites and services blocked by the WiFi hotspot should be restored as you are no longer subject to the internet egress restrictions imposed by the WiFi hotspot.
Fourth, depending on the internet egress of the VPN, region specific sites or services may be blocked or unlocked. Bear in mind that you are effectively entering the internet from wherever the internet egress of the VPN is located.
Fifth, depending on the stability of the internet egress, the VPN may allow you to obtain and use a static IP over a rather long period of time. This may be especially useful when using sites or services that rely on IP whitelisting as a layer of access control, as is commonly done with AWS VPC security groups.
What VPNs Can’t Do For You
Even with the above benefits, it’s important to be aware of the intrinsic limitation of VPNs. They are not a silver bullet and only solve a very limited set of problems.
Bear in mind that, as described and used in this article, VPNs are basically just an internet egress at another physical (or logical) location, reached over a secure connection.
This especially means that they cannot provide any anonymity apart from hiding your connections from the original WiFi hotspot. You are still you at the point of egress. Use with caution! You have been warned.
Available Options Regarding VPNs
So, VPNs do have some neat benefits that make them quite attractive. Now, how to get hold of one?!
Commercial Offerings
There is a plethora of commercial VPN providers out there with varying levels of services. It’s beyond the scope of this article to discuss any of them.
If you need a VPN that comes with guarantees and don’t mind paying for the service then the search engine of your choice should have a rather lengthy selection of articles on which commercial VPN provider is currently offering the best service, deal, etc.
Open Source Software
If you are comfortable running your own VPN server then a well established open source alternative is OpenVPN.
It does what it says on the tin and provides an open source VPN server. OpenVPN has been around for nearly two decades now, with a commercial offering supporting the development of the open source version.
Excellent one-stop GitHub projects such as openvpn-install make the process of installing and configuring OpenVPN on a wide range of Linux boxes straightforward. The openvpn-install project even ships with an interactive CLI that allows you to manage the OpenVPN server as well as provision user access.
OpenVPN in AWS
However, one prerequisite of the openvpn-install project is a readily available Linux box on which OpenVPN can subsequently be installed.
The cloud makes it straightforward to provision a dedicated Linux box and seems like the natural place to host an OpenVPN server. While there are several automated scripts out there that provision a Linux box or an OpenVPN server, I was unable to find a fully automated comprehensive OpenVPN server solution in AWS. Basically, I need
A one-stop solution that dishes out ready to use OpenVPN servers in AWS for everyone!
A Comprehensive OpenVPN Server Solution in AWS with Terraform
The GitHub repository openvpn-terraform-install contains a one-stop Terraform module that creates a single node OpenVPN server cluster in a dedicated AWS VPC and subnet.
The OpenVPN server is configured to be readily accessible by the users supplied in the Terraform input file. The same Terraform input file can be used to subsequently update the list of authorised users.
You Have
Before you can use the Terraform module in the repository out of the box, you need
- an AWS account
- a Terraform CLI
- a list of users to provision with OpenVPN access
Moreover, you have probably had enough of people snooping on you and want some privacy back, or just prefer to have a long lived static IP.
You Want
After running the Terraform module in the repository you get
- an EC2 node running in a dedicated VPC and subnet
- an OpenVPN server bootstrapped on the EC2 node by the excellent openvpn-install.sh Bash script from https://github.com/angristan/openvpn-install
- SSH access to the OpenVPN server locked down to the IP address of the machine executing the Terraform module (see the FAQs for how to handle drift over time)
- the list of users supplied as input to the Terraform module readily provisioned on the OpenVPN server
- the configuration of each user supplied in the Terraform configuration downloaded onto the local machine and ready for use
- the option to provision and revoke users from the OpenVPN server by simply re-running the Terraform module
Setup
The minimal setup leverages as much of the default settings in variables.tf as possible. However, some input is required.
Providing SSH Keys
In order to bootstrap as well as manage the OpenVPN server, the Terraform module needs to SSH into the EC2 node. By default, it uses the public key in settings/openvpn.pub and the private key in settings/openvpn. Both can be created by executing the following command from the root directory of the repository
cd settings
ssh-keygen -f openvpn -t rsa
Here, hit return when prompted for a passphrase in order to make the SSH key passwordless. Since nothing but file permissions then protects the private key, keep settings/openvpn out of version control and readable only by your own user: whoever holds it has SSH access to the OpenVPN server.
Configuring Your Settings
The minimum input variables for the module are defined in settings/example.tfvars to be
aws_region = "<your-region>"
shared_credentials_file = "/path/to/.aws/credentials"
profile = "<your-profile>"
ovpn_users = ["userOne", "userTwo", "userThree"]
Here, you need to replace the example values with your settings.
Moreover, note that users userOne, userTwo, and userThree will be provisioned with access to the OpenVPN server and their configurations downloaded to the default location generated/ovpn-config.
Each user provisioned via input ovpn_users should preferably be defined as a single word (i.e., no whitespace), consisting only of ASCII letters and numbers with underscores as delimiters; in technical terms, each user should adhere to ^[a-zA-Z0-9_]+$.
Execution
All Terraform interactions are wrapped in helper Bash scripts for convenience.
Initialising Terraform
Initialise Terraform by running
./terraform-bootstrap.sh
Applying the Terraform Configuration
The OpenVPN server can be created and updated by running
./terraform-apply.sh <input-file-name>
where <input-file-name> references the input file settings/<input-file-name>.tfvars. When using the input file settings/example.tfvars configured above, the command becomes
./terraform-apply.sh example
Under the bonnet, the terraform-apply.sh Bash script with input example
- selects or creates a new workspace called example
- executes terraform apply where the inputs are taken from the input file settings/example.tfvars
- does not ask for permission to proceed as it uses -auto-approve when running the underlying terraform apply command
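The user-name rule from the Configuring Your Settings section and the select-workspace-then-apply flow just described, combined into one pre-flight script. This is an added example written for this post, not the repository’s own terraform-apply.sh; the function names are hypothetical, it assumes the ovpn_users list sits on a single line of the tfvars file, and it reproduces the apply flow as the post describes it rather than as the repository implements it.

```shell
#!/usr/bin/env bash
# Pre-flight check of the ovpn_users list in a settings/<name>.tfvars file,
# followed by the same select-workspace-then-apply sequence the helper script
# performs. Example written for this post; it is not the repository's own code
# and assumes the tfvars keeps the whole ovpn_users list on one line.
set -u

USER_PATTERN='^[a-zA-Z0-9_]+$'   # rule every OpenVPN user name must satisfy

# Print the user names from the ovpn_users = [...] line, one per line,
# with quotes and surrounding whitespace stripped (embedded spaces are kept
# on purpose so that they fail validation).
tfvars_users() {
  sed -n 's/^[[:space:]]*ovpn_users[[:space:]]*=[[:space:]]*\[\(.*\)].*$/\1/p' "$1" \
    | tr ',' '\n' \
    | sed -e 's/"//g' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Read names from stdin; return 0 if all match USER_PATTERN, 1 otherwise.
# Offending names are reported on stderr so the caller can fix the tfvars
# before a bad name ends up in a certificate or a shell command on the server.
validate_users() {
  local rc=0 name
  while IFS= read -r name; do
    if ! printf '%s\n' "$name" | grep -Eq "$USER_PATTERN"; then
      printf 'invalid ovpn user name: "%s"\n' "$name" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Validate one tfvars file: it must list at least one user and all must be valid.
check_tfvars() {
  local users
  users=$(tfvars_users "$1")
  if [ -z "$users" ]; then
    printf 'no ovpn_users found in %s\n' "$1" >&2
    return 1
  fi
  printf '%s\n' "$users" | validate_users
}

# Mirror of the apply flow described above (assumed, not copied from the repo):
# select the workspace named after the input file, creating it if missing, then
# apply its tfvars without prompting. Only runs after the pre-flight passes.
# Usage: source this file and run, e.g., `apply_workspace example`.
apply_workspace() {
  local name="$1" file="settings/$1.tfvars"
  check_tfvars "$file" || return 1
  terraform workspace select "$name" 2>/dev/null || terraform workspace new "$name"
  terraform apply -auto-approve -var-file="$file"
}
```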
Terraform Outputs
By default, all .ovpn configurations for the users provisioned with access to the OpenVPN server in input ovpn_users are automatically downloaded to generated/ovpn-config.
Additionally, the Terraform module also outputs
- the ec2_instance_dns
- the ec2_instance_ip, and
- a connection_string that can be used to SSH into the EC2 node
Deletion
The OpenVPN server can be deleted by running
./terraform-destroy.sh <input-file-name>
where <input-file-name> again references the input file settings/<input-file-name>.tfvars. When using the input file settings/example.tfvars configured above, the command becomes
./terraform-destroy.sh example
Under the bonnet, the terraform-destroy.sh Bash script with input example
- selects the example workspace
- executes terraform destroy where the inputs are taken from the file settings/example.tfvars
- does ask for permission to proceed when running the underlying terraform destroy command
Testing VPN Connectivity
Once the Terraform module execution has successfully completed, the connection to the OpenVPN server can be tested as follows.
While the instructions below are specific to a recent Mac using Homebrew as a package manager, the underlying openvpn command should be fairly transferable to other platforms as well.
If not already present, install openvpn via brew by executing
brew install openvpn
Follow the instructions on screen, and if the installation needs a little final nudge, try running
sudo brew services start openvpn
In case openvpn isn’t readily available from the terminal after the installation above, a StackOverflow answer suggests adding the openvpn executable to the $PATH environment variable by executing
export PATH=$(brew --prefix openvpn)/sbin:$PATH
Assuming a valid OpenVPN configuration has been downloaded to generated/ovpn-config/userOne.ovpn, the connection can be tested by initiating the actual openvpn connection by running
sudo openvpn --config generated/ovpn-config/userOne.ovpn
Note that the above command will actually change your network settings and hence your public IP; checking your public IP before and after connecting is the quickest way to confirm that all traffic is indeed egressing at the VPN.
Credits
The repository relies on the great openvpn-install.sh Bash script from https://github.com/angristan/openvpn-install to do the OpenVPN plumbing under the bonnet. Keep up the good work, Stanislas Lange, aka angristan!
FAQs
Below is a list of frequently asked questions.
I Cannot SSH Into the OpenVPN Server Any Longer!
Most likely, the IP address of the machine executing the Terraform module has changed since the original installation. The security groups for the OpenVPN server are designed to only permit SSH access from a single predefined IP address. As this has drifted from the original value, you are being refused SSH access. This scenario has been incorporated into the design of the Terraform module.
Just re-run the ./terraform-apply.sh Bash script with your <input-file-name>. Terraform should pick up your new IP address and update the ingress rules for the security groups accordingly.
Why Is There no Route 53/DNS Support for Custom Domains?
Custom domains are great for running an OpenVPN server at vpn.how-hard-can-it.be. However, depending on the domain, its age, and many other factors, a provider may choose to not resolve the domain which leaves the OpenVPN server unreachable when it may be needed the most.
Standard AWS URLs such as ec2-1-2-3-4.eu-west-2.compute.amazonaws.com tend to be resolved by most providers. It’s probably not the most memorable URL but it tends to work in the places I personally care about.
How Do I Configure OpenVPN Access on My Mac?
Please refer to the excellent guide on Downloading and Installing Tunnelblick.
How Do I Configure OpenVPN Access On My iPhone?
Please refer to the excellent guide on how to Install OpenVPN on iOS.
For transferring .ovpn configurations onto your iPhone, please refer to Transfer Files to Your Mobile By Scanning a QR Code.
How Do I Configure OpenVPN Access On My Android phone?
Please refer to the excellent Guide to install OpenVPN Connect for Android.
For transferring .ovpn configurations onto your Android phone, please refer to Transfer Files to Your Mobile By Scanning a QR Code.
How do I Add or Remove Users from a Provisioned OpenVPN Server?
Simply add or remove the users from the list of ovpn_users in your settings/<input-file-name>.tfvars input file and re-run ./terraform-apply.sh <input-file-name> as described above.
Why is There no Load Balancing?
This Terraform module has been deliberately kept simple. It’s intended for personal use and to reclaim some lost privacy, security, and freedom. If you require professional or enterprise level VPN services, then there is a sheer abundance of commercial VPN providers to choose from.
This isn’t to say that it wouldn’t be a fun project to put the OpenVPN servers behind ASGs and ALBs and spin up bastion hosts on demand. However, this makes the key handling a bit more complicated. If you’re interested, reach out and we can discuss over a pint.
On a side note: from personal experience, a single node OpenVPN cluster has served my digital family with a handful of more or less permanently connected devices well on a daily basis over the course of the past six months. And counting.
Why Is Terraform Also Being Used for User Provisioning and Maintenance?
In one word: simplicity.
Terraform is great for provisioning (fairly static) infrastructure but there are more sophisticated tools out there for provisioning and maintaining elastic infrastructure at scale, let alone user provisioning and maintenance. For sake of simplicity, Terraform is being used as the single tool of choice in this case.
Wait - There’s a Pint Bounty in the Code?!
Yes. Find it. Solve it. Bag your reward. I’m looking forward to your solutions! Teach me something new!
A Word of Advice
VPNs are a great way to reclaim some lost privacy, security, and freedom. However, as outlined in the section What VPNs Can’t Do For You, they cannot provide any anonymity beyond hiding your connections from the original WiFi hotspot, which only sees the single encrypted connection to the VPN.
So, use at your own risk, know the limits, and always remember Spiderman’s words
With great power comes great responsibility!
Conclusion
The above end-to-end solution solves my problem of reclaiming some lost privacy when using a WiFi hotspot (or any other internet access I don’t control) by carefully wrapping the excellent openvpn-install.sh Bash script with more Bash and some Terraform.
While this works for me, it may be different in your case. Feel free to leave a comment or contribute to the Git repository openvpn-terraform-install, so we can make things better for everyone. Thanks!