Secure your Cloud and On-premise Infrastructure with Open-source tools

Are you looking to secure your infrastructure from attackers in these remote-working environments?

If yes, this article shows how to secure your cloud and data-center servers on a low budget. As a Cloud Engineer or DevOps Engineer, cost optimization and reliable solutions for your running UAT and Production servers are a constant challenge.

If you are running a startup, your business might be affected by this pandemic and your sites might not be available 99% of the time. Meanwhile, the core software development team is working from home and needs to connect to the servers remotely every time.

For these problems, I will provide a solution to which your technical manager or resource manager will definitely say "Yes".

Let’s begin.

Since everyone is moving to the cloud, we will use AWS EC2 Ubuntu instances inside a VPC here. You can implement this in any Linux environment.

Suppose your servers are running smoothly but are accessed publicly, which can bring trouble at any time from unexpected attacks. The architecture above was designed on the basis of the currently running AWS EC2 environment: we add one OpenVPN server per VPC. We won't change the running network architecture; we add one layer of network segmentation and create a tunnel to connect to the UAT or Production servers as needed.

OpenVPN is an open-source, fast, popular program for creating a VPN (Virtual Private Network). It can run over both TCP and UDP, and VPN tunnels are secured with the OpenVPN protocol using SSL/TLS authentication, certificates, credentials, and optionally a MAC address lock as well as multi-factor authentication. It has a client-server architecture.

So now, let’s install.

Before installation, I recommend identifying and noting the public IP used by this VPN server. It will be required later during setup.

First, access the remote Ubuntu server where OpenVPN is going to be installed.

$ ssh ubuntu@public_ip

Download the script and make the file executable:

$ cd ~

$ curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh

$ chmod +x openvpn-install.sh

Now we are ready to run the script in the Linux terminal.

$ sudo bash openvpn-install.sh

When executed for the first time, the script asks some questions; read them carefully and answer according to your preferences to set up your OpenVPN server.

(Screenshot: running the OpenVPN installer script)

Once the VPN installation process is complete, a client configuration file in .ovpn format is written to the current working directory. The user imports this file into the VPN client to connect.

Let's confirm whether our OpenVPN service is up and running.

$ sudo systemctl status openvpn

If you check your network interfaces, a new interface has been created for the VPN tunnel; you can confirm this with the following command.

$ ip addr

(Screenshot: the VPN tunnel interface in the ip addr output)

Our VPN server is ready to connect to the AWS infrastructure privately and securely. A bonus point is that the VPN client connection can be made from any OS platform (Windows, macOS, Linux, and mobile: Android and iOS).

Suggestions:

After completing the installation, I encountered two issues that needed improvement to achieve our goal. I suggest changing these as needed in the network layer of your AWS VPC.

  1. VPN Server side:
    Clients need a route from the VPN network (10.8.0.0/24) to the VPC private network (172.31.1.0/24), which the server pushes to them as shown above. For example:

push "route 172.31.1.0 255.255.255.0"

Add this line to server.conf, which can be found at /path/to/openvpn/server.conf, and restart the VPN service. This makes traffic for the VPC private network go through the VPN tunnel.

$ sudo systemctl restart openvpn

  2. Client side:

For Windows users, comment out these two lines in the provided .ovpn file:

#ignore-unknown-option block-outside-dns

#setenv opt block-outside-dns # Prevent Windows 10 DNS leak

We are ready to connect our VPN server.

Final step:

We need to restrict public access to server connections such as SSH, database, Redis, Kafka, RabbitMQ, etc. ports in the EC2 security groups, and whitelist only those IP addresses that should connect to the servers and resources directly, including our VPN server's private IP.

In this way, the developer team can connect to the servers in your infrastructure privately and more securely. On the cost side, a t3.medium server can easily handle 30–60 user connections smoothly. Lastly, please change the default configurations as per your need; this is best for a production implementation.
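As an added example (not part of the original article), here is a small audit that checks a security group's ingress rules for exactly this mistake: a sensitive port open to a source other than the VPN. The input is constructed in the shape of `aws ec2 describe-security-groups` output; the VPN server's private IP (172.31.1.10/32), the port list and the group id are assumptions.

```python
from ipaddress import ip_network

# Ports the article says must not be reachable from the public Internet.
# Which ports "database" means is an assumption: MySQL and PostgreSQL here.
SENSITIVE_PORTS = {22: "SSH", 3306: "MySQL", 5432: "PostgreSQL",
                   6379: "Redis", 9092: "Kafka", 5672: "RabbitMQ"}

# Only these sources may reach sensitive ports: the VPN server's private IP
# (assumed 172.31.1.10) and the VPN tunnel subnet from the article.
ALLOWED_SOURCES = [ip_network("172.31.1.10/32"), ip_network("10.8.0.0/24")]

# Constructed sample mimicking one entry of `describe-security-groups`.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0", "GroupName": "uat-app",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # SSH open to the world
        {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
         "IpRanges": [{"CidrIp": "172.31.1.10/32"}]},     # Redis from VPN server only
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # public HTTPS is fine
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.8.0.0/24"}]},  # all from VPN subnet
    ],
}

def rule_ports(rule):
    """Sensitive ports covered by one ingress rule ("-1" means all protocols/ports)."""
    if rule.get("IpProtocol") == "-1":
        return set(SENSITIVE_PORTS)
    if rule.get("IpProtocol") != "tcp":
        return set()  # the listed services are TCP; ignore udp/icmp rules
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}

def source_allowed(src):
    return any(a.version == src.version and src.subnet_of(a) for a in ALLOWED_SOURCES)

def audit_group(sg):
    """Return (port, service, cidr) for every sensitive port reachable from a non-VPN source."""
    findings = []
    for rule in sg["IpPermissions"]:
        ports = rule_ports(rule)
        ranges = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in ranges:
            src = ip_network(cidr)
            if ports and not source_allowed(src):
                findings += [(p, SENSITIVE_PORTS[p], str(src)) for p in sorted(ports)]
    return findings

if __name__ == "__main__":
    for port, service, cidr in audit_group(SAMPLE_SG):
        print(f"{SAMPLE_SG['GroupId']}: {service} ({port}/tcp) exposed to {cidr}")
```

Feed it the real JSON from `aws ec2 describe-security-groups` and every finding is a rule to replace with the VPN server's private IP or the tunnel subnet as source.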

Happy Learning……