Amazon Web Services (VPC + NAT + OpenVPN)

So, in the process of setting up a few bits and pieces on AWS, the first area (well, second, after a couple of quick deploys using Elastic Beanstalk) is to get a Jenkins server up and running.

I’m looking to deploy the Jenkins box within a Virtual Private Cloud (VPC) to block off access to Jenkins and to any test slaves it will eventually spin up.  To get into the VPC I’m using OpenVPN.  The first step is to use the VPC wizard to create the basics; I went with “VPC with Public and Private Subnets”, as this handily creates the NAT instance (an EC2 box in the public subnet) that lets servers in the private subnet get out to the interwebs.

Once built and tagged (to make it easy to pick out in the billing), it was time to look at the next steps.  My original plan was to add an OpenVPN box using their AMI, but with a “spare” instance already in place as the NAT box it made sense to put OpenVPN on that box, and so begins the tale of woe (well, more like a bit of stress and some Google action).

Installing and running OpenVPN Access Server seemed to go pretty well, except that no init.d scripts were created and I then couldn’t authenticate.

Once you provide a few initial configuration settings,
OpenVPN Access Server can be configured by accessing
its Admin Web UI using your Web browser.

Will this be the primary Access Server node?
(enter 'no' to configure as a backup or standby node)
> Press ENTER for default [yes]:

Please specify the network interface and IP address to be
used by the Admin Web UI:
(1) all interfaces: 0.0.0.0
(2) eth0: 10.0.0.121
Please enter the option number from the list above (1-2).
> Press Enter for default [2]: 1

Please specify the port number for the Admin Web UI.
> Press ENTER for default [943]:

Please specify the TCP port number for the OpenVPN Daemon
> Press ENTER for default [443]:

Should client traffic be routed by default through the VPN?
> Press ENTER for default [no]:

Should client DNS traffic be routed by default through the VPN?
> Press ENTER for default [no]:

Use local authentication via internal DB?
> Press ENTER for default [yes]:

Private subnets detected: ['10.0.0.0/16']

Should private subnets be accessible to clients by default?
> Press ENTER for EC2 default [yes]:

To initially login to the Admin Web UI, you must use a
username and password that successfully authenticates you
with the host UNIX system (you can later modify the settings
so that RADIUS or LDAP is used for authentication instead).

You can login to the Admin Web UI as "openvpn" or specify
a different user account to use for this purpose.

Do you wish to login to the Admin UI as "openvpn"?
> Press ENTER for default [yes]:

> Please specify your OpenVPN-AS license key (or leave blank to specify later):

Initializing OpenVPN...
Adding new user login...
useradd -s /sbin/nologin "openvpn"
Writing as configuration file...
Perform sa init...
Wiping any previous userdb...
Creating default profile...
Modifying default profile...
Adding new user to userdb...
Modifying new user as superuser in userdb...
Getting hostname...
Hostname: 52.48.26.62
Preparing web certificates...
Getting web user account...
Adding web group account...
Adding web group...
Adjusting license directory ownership...
Initializing confdb...
Generating PAM config...
Generating init scripts auto command...
Error: Could not generate server script auto.

To try and work out the issues I spun up the OpenVPN instance and ran through the basic config and started to look for the issues.

Once you provide a few initial configuration settings,
OpenVPN Access Server can be configured by accessing
its Admin Web UI using your Web browser.

Will this be the primary Access Server node?
(enter 'no' to configure as a backup or standby node)
> Press ENTER for default [yes]:

Please specify the network interface and IP address to be
used by the Admin Web UI:
(1) all interfaces: 0.0.0.0
(2) eth0: 10.0.0.121
Please enter the option number from the list above (1-2).
> Press Enter for default [2]: 1

Please specify the port number for the Admin Web UI.
> Press ENTER for default [943]:

Please specify the TCP port number for the OpenVPN Daemon
> Press ENTER for default [443]:

Should client traffic be routed by default through the VPN?
> Press ENTER for default [no]:

Should client DNS traffic be routed by default through the VPN?
> Press ENTER for default [no]:

Use local authentication via internal DB?
> Press ENTER for default [yes]:

Private subnets detected: ['10.0.0.0/16']

Should private subnets be accessible to clients by default?
> Press ENTER for EC2 default [yes]:

To initially login to the Admin Web UI, you must use a
username and password that successfully authenticates you
with the host UNIX system (you can later modify the settings
so that RADIUS or LDAP is used for authentication instead).

You can login to the Admin Web UI as "openvpn" or specify
a different user account to use for this purpose.

Do you wish to login to the Admin UI as "openvpn"?
> Press ENTER for default [yes]:

> Please specify your OpenVPN-AS license key (or leave blank to specify later):

Initializing OpenVPN...
Adding new user login...
useradd -s /sbin/nologin "openvpn"
Writing as configuration file...
Perform sa init...
Wiping any previous userdb...
Creating default profile...
Modifying default profile...
Adding new user to userdb...
Modifying new user as superuser in userdb...
Getting hostname...
Hostname: 54.194.191.108
Preparing web certificates...
Getting web user account...
Adding web group account...
Adding web group...
Adjusting license directory ownership...
Initializing confdb...
Generating init scripts...
Generating PAM config...
Generating init scripts auto command...
Starting openvpnas...

...and there’s the issue: on my NAT box the script bombs out when trying to generate the server scripts.  Comparing the two lists of steps, the NAT box skips the “Generating init scripts...” step that the OpenVPN AMI prints before the PAM config and then dies at the “auto” step, so the rest of the setup (and with it a working login) never completes.

Error: Could not generate server script auto.

Time to get busy with Google, vim and tailing log files to get things working.  *cracks knuckles* and gets to work.

So creating and installing the server scripts was easy using information from this post (the NAT AMI is Amazon Linux, hence --distro redhat and chkconfig):

$ sudo /usr/local/openvpn_as/scripts/openvpnas_gen_init --distro redhat
$ sudo chkconfig --add openvpnas
$ sudo chkconfig openvpnas on
$ sudo service openvpnas start

That gave us the ability to run the server, but without authentication working there was little point; the same post also gave me a clue to a possible “fix”.  So it’s time to edit the Python init script and comment out the init-scripts element:

$ vim /usr/local/openvpn_as/bin/_ovpn-init

Comment out the lines as below (869 – 876 in this version of the script; the numbers shift between builds, so match on the text):

# Execute gen script...
#print "Generating init scripts..."
#GEN = "/usr/local/openvpn_as/scripts/openvpnas_gen_init"
#retv = commands.getstatusoutput( GEN )
#if DEBUG: print "gen init cmd=", GEN, retv
#if retv[0] != 0:
#    print "Error: Could not generate server script."
#    sys.exit(1)

Re-run the config, then give the “openvpn” UNIX account a password (the install creates it with useradd but never sets one, and the Admin Web UI initially authenticates against that host account) and we’re golden....

$ sudo /usr/local/openvpn_as/bin/ovpn-init --ec2
$ sudo passwd openvpn

I can log in and everything... apart from an issue with ifconfig appearing in the logs:

[-] OVPN 1 OUT: 'Thu Dec 10 20:51:16 2015 /usr/sbin/ifconfig as0t1 172.27.232.1 netmask 255.255.248.0 mtu 1500 broadcast 172.27.239.255'
[-] OVPN 1 OUT: 'Thu Dec 10 20:51:16 2015 MANAGEMENT: Client disconnected'
[-] OVPN 1 ERR: 'Thu Dec 10 20:51:16 2015 Linux ifconfig failed: could not execute external program'
[-] OVPN 1 OUT: 'Thu Dec 10 20:51:16 2015 Exiting due to fatal error'

A quick

$ which ifconfig
/sbin/ifconfig

confirms that the binary is there, just not at /usr/sbin/ifconfig where the OpenVPN AS daemon is trying to exec it, so symbolic links to the rescue.

$ sudo ln -s /sbin/ifconfig /usr/sbin/ifconfig

Then

$ sudo service openvpnas restart

And now we’re good.  One thing worth checking at this point: with option 1 above the Admin Web UI listens on all interfaces (port 943) and the VPN daemon on TCP 443, on a box that sits in the public subnet with a public IP, so lock the NAT instance’s security group down to 943 from the addresses you administer from and 443 from wherever VPN clients connect.

;-)
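Since the line numbers above move between Access Server builds, here is the whole workaround as a small shell script that matches the block by its first and last line instead. This is an added example, not code from the post or from OpenVPN: the paths under /usr/local/openvpn_as are the ones shown above, the sample file it uses for testing is a constructed stand-in for _ovpn-init containing only the eight lines quoted in the post, and apply_on_host assumes the Amazon Linux / chkconfig setup used here.

```shell
#!/bin/sh
# Added example (not OpenVPN's own tooling): the two workarounds from this
# post as shell functions that find the code by its markers rather than by
# line number, plus the full on-host sequence. Paths under /usr/local/openvpn_as
# are as shown in the post; make_sample_init writes a constructed stand-in
# for _ovpn-init so comment_out_gen_init can be exercised offline.
set -u

# Comment out the "Execute gen script..." block in _ovpn-init (or a copy).
# Keeps a .bak of the untouched file, refuses to touch anything if either
# marker is missing, and is safe to run twice. Prints how many lines it
# newly commented out.
comment_out_gen_init() {
    file=$1
    start='^# Execute gen script\.\.\.'
    # Accept an already-commented sys.exit(1) so a second run stops at the
    # same line instead of running the range on to the end of the file.
    end='^#*[[:space:]]*sys\.exit(1)'
    if ! grep -q "$start" "$file" 2>/dev/null; then
        echo "start marker not found in $file" >&2
        return 1
    fi
    last=$(sed -n "/$start/,/$end/p" "$file" | tail -n 1)
    case "$last" in
        *"sys.exit(1)") ;;
        *) echo "end marker not found in $file, leaving it alone" >&2; return 1 ;;
    esac
    [ -e "$file.bak" ] || cp "$file" "$file.bak"
    changed=$(sed -n "/$start/,/$end/p" "$file" | awk '!/^#/ { n++ } END { print n + 0 }')
    # Inside the range, prefix every line that isn't already a comment with '#'.
    sed -e "/$start/,/$end/{" -e '/^#/!s/^/#/' -e '}' "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
    echo "$changed"
}

# OpenVPN AS execs ifconfig at a fixed path; if it isn't there, link the one
# that is on PATH (the post's `which ifconfig` gave /sbin/ifconfig).
# Usage: ensure_ifconfig_link WANTED_PATH [EXISTING_BINARY]
ensure_ifconfig_link() {
    want=$1
    have=${2:-$(command -v ifconfig || true)}
    if [ -x "$want" ]; then
        return 0
    fi
    if [ -z "$have" ] || [ ! -x "$have" ]; then
        echo "no ifconfig binary to link $want to" >&2
        return 1
    fi
    mkdir -p "$(dirname "$want")" && ln -s "$have" "$want"
}

# Constructed stand-in for _ovpn-init: the eight lines quoted in the post,
# wrapped in a few made-up neighbouring lines that must stay untouched.
make_sample_init() {
    cat > "$1" <<'EOF'
#!/usr/bin/python
import sys, commands
DEBUG = False
print "Initializing confdb..."
# Execute gen script...
print "Generating init scripts..."
GEN = "/usr/local/openvpn_as/scripts/openvpnas_gen_init"
retv = commands.getstatusoutput( GEN )
if DEBUG: print "gen init cmd=", GEN, retv
if retv[0] != 0:
    print "Error: Could not generate server script."
    sys.exit(1)
print "Generating PAM config..."
EOF
}

# The full sequence from the post, for the real NAT instance (run as root on
# the Amazon Linux / chkconfig-style init used here). Only runs when invoked
# with --apply, so sourcing this file just for the functions is harmless.
apply_on_host() {
    /usr/local/openvpn_as/scripts/openvpnas_gen_init --distro redhat
    chkconfig --add openvpnas
    chkconfig openvpnas on
    comment_out_gen_init /usr/local/openvpn_as/bin/_ovpn-init
    /usr/local/openvpn_as/bin/ovpn-init --ec2
    passwd openvpn   # the Admin Web UI authenticates against this UNIX account
    ensure_ifconfig_link /usr/sbin/ifconfig
    service openvpnas restart
}

if [ "${1:-}" = "--apply" ]; then
    apply_on_host
fi
```

Run it with --apply on the box, or source it and call the functions by hand; the .bak it leaves next to _ovpn-init is the unmodified script, which is what you want to diff against when the next Access Server update moves the block again.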

Hope this helps somebody; if not, it might help me in the future, although of course I now have my own AMI of the instance.

Author: David Smith

Web Technologist, Geek, Dad, Husband and Triathlete.