AWS instance as a VPN

[Theguywhobea]

Hi, I'm testing out some network stuff for work. We can't seem to find a VPN solution that works correctly yet for accessing customer sites. Yesterday I setup a EC2 instance on AWS just under the free tier. I was wondering if there's an easy or good way to use this EC2 instance as a VPN server(?) I guess. 

[Blade of Grass]

It depends how much traffic you're going to make. Data transfer costs are quite costly, so if you're looking to be moving a lot of data a traditional VPN service would serve you better (or even renting from a provider that gives you a lot of data transfer for a lower cost). 

[Theguywhobea]

1 minute ago, Blade of Grass said:

It depends how much traffic you're going to make. Data transfer costs are quite costly, so if you're looking to be moving a lot of data a traditional VPN service would serve you better (or even renting from a provider that gives you a lot of data transfer for a lower cost). 

Yeah I get that, if anything this is more in the proof of concept stage. I'm fooling around a bit with OpenVPN but it has some many different options and configurations I'm a bit intimidated by it. I'm sure it's super powerful but I couldn't see trying to get a customer to use something like this.

[BurningSky]

Have you had a look at OpenVPN's AWS pre-bundled stuff? It's pretty simple to get a user to use, but I guess it depends on what you mean by using it to access a customers site?

 

https://openvpn.net/index.php/access-server/on-amazon-cloud.html

[Theguywhobea]

Just now, BurningSky said:

Have you had a look at OpenVPN's AWS pre-bundled stuff? It's pretty simple to get a user to use, but I guess it depends on what you mean by using it to access a customers site?

Yeah I just starting looking at that. Essentially we just want to be able to access a customers HVAC system remotely, and since everyone and their brother has been getting hacked lately, both our customers and us don't want to leave there system exposed to the open internet. We've started experimenting with routers that already run their own OpenVPN servers inside them essentially, as well as some routers from Tosibox, but it's been a pain for sights that wont give us any network access at all so we have to use a USB cellular modem. My thought was even if we used a USB cell modem for the network connection we could still route it through a cloud based server. I don't know, maybe it's more work than it needs to be.

[BurningSky]

I'm assuming you work in one location and they work in another? Sounds more like you would want the vpn server sat on their network rather than in AWS or to have a site-to-site VPN. Do they have virtual infrastructure that could host the OpenVPN appliance? Or if they have a firewall that has VPN built into it?

[Theguywhobea]

1 minute ago, BurningSky said:

I'm assuming you work in one location and they work in another? Sounds more like you would want the vpn server sat on their network rather than in AWS or to have a site-to-site VPN. Do they have virtual infrastructure that could host the OpenVPN client? Or if they have a firewall that has VPN built into it?

This is where the real issue comes in. It's not one client, we have loads of clients (not sure the exact number) who we'd like to have remote access to. We also do government jobs and military jobs who have all their systems 1000% locked down and unavailable to us. I'm looking for a system I can deploy quickly and be able to move it around to different sites, and doesn't rely on anything running on a clients system. It's hard enough to get a lot of clients these days to open a port on their internal network so the guy upstairs can see the webserver running in their boiler room haha.

[BurningSky]

Sorry, I misread some of that! My bad. You would have their remote network connected to a server then you would also connect to that server as well? In which case you could have the OpenVPN AS appliance hosted at your office and have them connect into that rather than adding the AWS hop.

I know the pains of gov and military work, I wouldn't like to be the one suggesting taking in a cellular device to connect up to anything!

[Theguywhobea]

1 minute ago, BurningSky said:

Sorry, I misread some of that! My bad. You would have their remote network connected to a server then you would also connect to that server as well? In which case you could have the OpenVPN AS appliance hosted at your office and have them connect into that rather than adding the AWS hop

Hmmm, yeah maybe something like that could work, I'll look into something like that. I guess that would still require a network connection out from the customer site. Maybe we could use a router with a USB cell modem providing the network access, then somehow direct that traffic to the OpenVPN AS hosted at our office? I'll have to take a look at our routers here. Thanks for the help and ideas dude.

[BurningSky]

How much data do you need to send over the link and how do you interface with the HVAC? Could you use a Raspberry Pi with linux and the OpenVPN client loaded on it and a 4G dongle? No problem

[Theguywhobea]

Just now, BurningSky said:

How much data do you need to send over the link and how do you interface with the HVAC? Could you use a Raspberry Pi with linux and the OpenVPN client loaded on it and a 4G dongle? No problem

Yeah I was actually thinking that earlier. It's typically not that much data, although I don't know how much for sure. We have some USB cell modems here that I think have unlimited data on them anyway? Not exactly sure but I've never seen anything about data overages.

[BurningSky]

That would be a pretty simple, headless solution if you could use it to get what you needed from the systems, especially if you can then connect it via USB or ethernet to the end device and pull the data. Obviously, as with any headless device it might not work 100% of the time so maybe a tablet with vpn client might work if it has the right connectivity. You could probably put the sim from a usb modem into a tablet.

 

The OpenVPN virtual appliance is fair straight forward to get a basic configuration going and you can have 2 concurrent connections for free, I use it to access my home network while I'm away, but obviously you would have to check the ELA to see if you can use the free part for commercial use.

[kumar2702]

@Theguywhobea What are you finally fixed to? 

Are you using Tosibox or any other secure network provider?

[Theguywhobea]

On 10/8/2020 at 1:18 AM, kumar2702 said:

@Theguywhobea What are you finally fixed to? 

Are you using Tosibox or any other secure network provider?

I did get OpenVPN working in an AWS instance, however I never used it for anything really. Typically now if we have a customer that needs remote access through a VPN we use Contemporary Control's Remote VPN service.

[eece_ret]

Look at Fortinet SDWAN stuff.  Pretty much exactly what you are looking for.

[bdk74]

Why not use appliance like asav?

[bdk74]

3 hours ago, eece_ret said:

Look at Fortinet SDWAN stuff.  Pretty much exactly what you are looking for.

 meraki..they also have virtual and it's cookie cutter

[eece_ret]

Meraki....  A Cisco company.