Sprint 2 Documentation - drewwbikk/capstone GitHub Wiki

Setup AWS Account

Navigate to AWS on a browser.

Choose Create an AWS Account.

In Root user email address, enter your email address, edit the AWS account name, and then choose Verify email address. An AWS verification email will be sent to this address with a verification code.

Following this, enter your contact and billing information (personal or business) to complete account setup.

When complete, you will be brought to a brand new AWS dashboard. Before going further, enable MFA on the root user and create an IAM user for day-to-day work; everything below can be done as that user rather than as root.

AWS console

Create Virtual Private Cloud (VPC), Internet Gateway (IGW), Subnet, and Route Table

Navigate to the VPC service, and then select VPC Dashboard on the side panel. Then, Create New VPC. Use the following settings:

image

💡 Note: The VPC address range MUST NOT overlap with any range used on premise. For example, if you use 10.0.0.0/24 on premise, use 192.168.0.0/16 in AWS. Overlapping ranges cannot be routed over the VPN: the VPC's local route would win for any overlapping destination and that traffic would never leave the VPC. Keeping the two ranges visibly distinct also makes the routing and VPN setup easier to read. DNS will be integrated later.

Then, create the VPC. Next, create a subnet attached to the VPC you just created with the following settings:

image

Next, create an Internet Gateway (IGW), and attach it to the VPC you created. Finally, create a Route table associated with the new VPC. For now, just add the default route (the local route is there by default; the 0.0.0.0/0 route via the IGW is what makes this a public subnet):

Destination     Target
192.168.0.0/16  local
0.0.0.0/0       your-IGW

Then, associate the Route table with your subnet.

Deploy EC2 Instances

To deploy EC2 instances, navigate to the EC2 service. Then, select Launch instance.

Name the machine ad02. Select the Windows Server 2019 Base Amazon Machine Image (AMI). Then, select an instance type. For this project, we'll be using t2.micro for the free tier benefits. However, more compute power would be needed outside of this exercise.

Create a new key pair for login, and use the .pem file format. Keep the downloaded private key safe: it is what decrypts the Windows Administrator password later, and it is the only credential for the Linux instances.

Use the following network settings:

image

Configure the amount of storage needed. Again, for the exercise, only 30GB will be selected, but more is likely needed outside of this exercise.

Launch the instance.

image

The EC2 console should then look something like this:

image

On the side panel, select Elastic IPs. We will need to allocate an Elastic IP address and associate it with this instance, so that its public address survives stop/start cycles. Select Allocate Elastic IP address, leave the settings at their defaults, and click Allocate.

Then, select the new Elastic IP and click Associate Elastic IP address. Choose the ad02 instance.

Now, when you select the ad02 instance in the dashboard, it should show the elastic public IP.

image

Now, connect to the instance by clicking Connect. Choose the RDP client tab and download the RDP file. Then, choose Get password and supply the .pem private key created earlier; AWS uses it to decrypt the Administrator password. Open the RDP file and connect with that password.

image

You are now connected to the Windows Server machine that will be used for AD DS, DNS, and DHCP.

💡 Optional: Change the Administrator password to something more user-friendly. Whatever you choose, keep it long, and keep RDP (TCP 3389) in the security group restricted to your own source address: this instance is about to become a domain controller reachable on a public IP.

Open Server Manager and select Local Server. Change the computer name and restart. There is no need to reconnect over RDP for now.

image

Now, repeat these steps to launch the web server. Name it web02, select the RHEL-8 AMI, and use the following network settings:

image

Launch the instance.

For now, create another Elastic IP address and associate it with the web02 instance. Then, connect to it over SSH with the key pair (the RHEL AMI's default user is ec2-user).

image

Create Site-to-Site VPN

To do this, you'll need a Linux EC2 instance in AWS to run OpenVPN Access Server, and a Linux machine on premise to run the OpenVPN client as the site gateway. In this write-up the AWS instance (vpn02) runs CentOS 7 and the on-premise client (vpn01) runs Ubuntu Server.

It would arguably be simpler to use AWS's managed Site-to-Site VPN (IPsec) terminated on pfSense, which would remove the need for dedicated VPN machines on either side. OpenVPN Access Server was chosen instead because it can join any two networks site-to-site regardless of the provider, and the open-source OpenVPN client on the far end runs on any Linux host, so the same setup transfers to environments other than AWS. Note that Access Server itself is a commercial product built on the open-source OpenVPN protocol; it is free to use for two concurrent connections, which is enough for a single site-to-site gateway.

Launch a new instance called vpn02 using a CentOS 7 AMI. Associate an Elastic IP with this machine as well (for now). Then, as root, run the following commands to install OpenVPN Access Server:

yum -y update
timedatectl                           # check the current time zone
timedatectl set-timezone <Region/City>  # e.g. your local zone; VPNs need accurate time (certificate validity, TLS)

yum -y install https://as-repository.openvpn.net/as-repo-centos7.rpm   # adds the OpenVPN Inc. repository
yum -y install openvpn-as

Let that run, and at the end, a success message will display, similar to the following:

+++++++++++++++++++++++++++++++++++++++++++++++
Access Server 2.10.0 has been successfully installed in /usr/local/openvpn_as
Configuration log file has been written to /usr/local/openvpn_as/init.log

Access Server Web UIs are available here:
Admin UI: https://192.168.0.242:943/admin
Client UI: https://192.168.0.242:943
Login as "openvpn" with "<password>" to continue
(password can be changed on Admin UI)
+++++++++++++++++++++++++++++++++++++++++++++++

The Admin UI is listening on the instance's private address, so open it from a browser on the ad02 instance (which sits in the same VPC) to finish setup. Log in as openvpn and change the password immediately.

Navigate to VPN Settings. Set Should VPN clients have access to private subnets to Yes, use routing. Then, in the text box below, enter the subnet this instance is located in (the VPC subnet created earlier). Make sure the option below it is also set to Yes.

image

Next, go to User Permissions and create a new user and password. This will be the only user, as there is only one client. On this new user, allow auto-login privileges, so the gateway can bring the tunnel up at boot without anyone typing a password. Then, set the Configure VPN Gateway option to yes and enter the on-premise subnet that sits behind the client gateway; this is what tells Access Server to route traffic for that subnet to this client.

image

Optionally, navigate to VPN Settings and change the Network Address of the VPN network. I changed it to the following:

image

Lastly, back in the AWS console, do the following for the VPN instance (vpn02), the instance that will forward traffic for addresses other than its own:

In the EC2 Instances dashboard, select Actions -> Networking -> Change source/destination check. Make sure Source / destination checking is stopped. Otherwise, AWS drops any packet the instance sends or receives whose source or destination is not its own address, which is exactly the VPN traffic. Disabling the check on the other instances is harmless but not needed.

image

Now, it's time to set up the VPN client. On vpn01 (on-premise), configure the network so that it has a static IP address (I used 10.0.0.25); pfSense will later point a gateway at this address. Then, as root, run the following commands to install the open-source OpenVPN client:

apt update
apt -y upgrade
dpkg-reconfigure tzdata  # Make sure to select the right time zone!

apt -y install openvpn

Next, we must generate a .conf file to put into the /etc/openvpn directory to set up the gateway client. Back on ad02 (in AWS), navigate to the OpenVPN Access Server's client UI in the web browser, and log in to the new account you created. Then, locate the auto-login profile and download it. It will download a file called client.ovpn. This profile embeds the user's certificate and private key, so treat it as a secret.

image

Copy or transfer this file to the client system (hint: use SCP) and place it in the /etc/openvpn directory, owned by root with mode 600, but with a file extension of .conf. The openvpn service only picks up files in /etc/openvpn that end in .conf, and on Ubuntu it starts them at boot, which is why the reboot later brings the tunnel up without any further action.

image

Next, edit the .conf file and change the remote XX.XX.XX.XX IP addresses from the auto-generated private address of the AWS instance to its Elastic IP. Access Server writes the address it knows itself by, its private VPC address, into the profile, and that address is not reachable from on premise until the tunnel exists.

image
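The profile edit above can be scripted, which also lets you check that what you downloaded really is an auto-login profile before installing it. The following is an added example, not code from the original wiki or from OpenVPN: it rewrites every remote line of a client.ovpn to the Elastic IP while keeping port and protocol, refuses user-locked profiles (which contain auth-user-pass and would hang at boot waiting for a password), and writes the result root-only. The sample profile and the Elastic IP 203.0.113.10 are constructed placeholders.

```python
"""Added example (not from the original wiki): turn the downloaded client.ovpn
auto-login profile into /etc/openvpn/client.conf for the on-premise gateway,
pointing it at the Access Server's Elastic IP instead of its private address."""
import os
import re

# Matches 'remote <host> <port> [proto]'; does not match 'remote-cert-tls server'.
REMOTE_RE = re.compile(r"^remote\s+(\S+)\s+(\d+)(\s+\S+)?\s*$")

# Constructed sample profile in the shape Access Server generates (placeholder PEM bodies).
SAMPLE_OVPN = """\
# Automatically generated OpenVPN client config file (constructed sample)
client
dev tun
proto udp
remote 192.168.0.242 1194 udp
remote 192.168.0.242 443 tcp
remote-cert-tls server
nobind
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(constructed placeholder)
-----END PRIVATE KEY-----
</key>
"""


def check_autologin(profile):
    """An unattended gateway needs an auto-login profile: inline CA, cert and key,
    and no auth-user-pass prompt. Returns a list of problems (empty when OK)."""
    problems = []
    for tag in ("<ca>", "<cert>", "<key>"):
        if tag not in profile:
            problems.append(f"missing inline {tag} block")
    if re.search(r"^auth-user-pass\b", profile, re.M):
        problems.append("auth-user-pass present: user-locked profile, not auto-login")
    return problems


def retarget_remote(profile, elastic_ip):
    """Rewrite every 'remote' line to the Elastic IP, keeping port and protocol.
    Returns (new_profile, number_of_lines_rewritten, set_of_old_hosts)."""
    out, count, old_hosts = [], 0, set()
    for line in profile.splitlines():
        m = REMOTE_RE.match(line)
        if m:
            old_hosts.add(m.group(1))
            line = f"remote {elastic_ip} {m.group(2)}{m.group(3) or ''}"
            count += 1
        out.append(line)
    return "\n".join(out) + "\n", count, old_hosts


def prepare_client_conf(profile, elastic_ip):
    """Validate the profile and return the text to install as client.conf."""
    problems = check_autologin(profile)
    if problems:
        raise ValueError("; ".join(problems))
    new_profile, count, _ = retarget_remote(profile, elastic_ip)
    if count == 0:
        raise ValueError("no 'remote' lines found in profile")
    return new_profile


def install_conf(text, path="/etc/openvpn/client.conf"):
    """Write root-only (0600): the profile embeds the client's private key.
    The .conf suffix is what the openvpn service looks for at boot."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return path


if __name__ == "__main__":
    # Placeholder Elastic IP (TEST-NET-3); substitute the one AWS allocated to vpn02.
    print(prepare_client_conf(SAMPLE_OVPN, "203.0.113.10"), end="")
```

Run it as root on vpn01 with the real client.ovpn and Elastic IP, then call install_conf on the result; rebooting (or starting the openvpn service) is enough after that because the file now ends in .conf.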

Now, we must configure pfSense to direct the traffic to these new subnets. In the web configurator, navigate to System / Routing / Gateways and add a gateway on the LAN interface pointing at the static IP of the VPN client.

image

Next, add the following static routes in pfSense:

image

Now, add the following routes in the Route table you created in AWS:

Destination Target
10.0.0.0/24 your-vpn-instance
172.16.0.0/24 your-vpn-instance

image
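The note about non-overlapping ranges and the two route tables (the AWS one above and the pfSense static routes) are two halves of one address plan, and it is worth checking that plan before touching either console. The following is an added example, not code from the original wiki or from AWS: it refuses overlapping ranges, builds the AWS route table from this page's ranges, and resolves destinations with the same longest-prefix-match rule the VPC router and pfSense apply, so you can see which hop a given address takes. The IGW and instance identifiers are placeholders, 172.16.0.0/24 is taken from the route table above as a second range reached through the VPN instance, and the pfSense routes on this page are only shown as a screenshot, so the pfSense function assumes the VPC range is routed to the VPN client at 10.0.0.25.

```python
"""Added example (not from the original wiki): sanity-check the address plan for
the site-to-site VPN and show which next hop each side picks for a destination."""
import ipaddress

VPC_CIDR = "192.168.0.0/16"                      # AWS VPC range used on this page
REMOTE_CIDRS = ["10.0.0.0/24", "172.16.0.0/24"]  # ranges reached via the VPN instance (route table above)
IGW_ID = "igw-PLACEHOLDER"                       # placeholder for your-IGW
VPN_INSTANCE_ID = "i-PLACEHOLDER"                # placeholder for your-vpn-instance (vpn02)
VPN_CLIENT_IP = "10.0.0.25"                      # static address of vpn01, the pfSense gateway target


def check_no_overlap(cidrs):
    """Raise if any two ranges overlap. With overlap, longest-prefix routing would
    silently send part of one network's traffic to the wrong side."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return True


def aws_route_table(vpc_cidr, remote_cidrs, igw_id, vpn_instance_id):
    """The subnet's route table as (destination, target) pairs: VPC local,
    default to the IGW, on-premise ranges to the VPN instance."""
    check_no_overlap([vpc_cidr, *remote_cidrs])
    routes = [(vpc_cidr, "local"), ("0.0.0.0/0", igw_id)]
    routes += [(cidr, vpn_instance_id) for cidr in remote_cidrs]
    return routes


def pfsense_static_routes(vpc_cidr, vpn_client_ip):
    """Assumed pfSense side: the VPC range via the gateway that points at vpn01."""
    return [(vpc_cidr, vpn_client_ip)]


def next_hop(routes, dst):
    """Longest-prefix match over (destination, target) pairs; None if no route."""
    ip = ipaddress.ip_address(dst)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


if __name__ == "__main__":
    table = aws_route_table(VPC_CIDR, REMOTE_CIDRS, IGW_ID, VPN_INSTANCE_ID)
    for dst in ("192.168.0.242", "10.0.0.25", "172.16.0.7", "8.8.8.8"):
        print(f"AWS: {dst:15} -> {next_hop(table, dst)}")
    print("pfSense: 192.168.0.242 ->", next_hop(pfsense_static_routes(VPC_CIDR, VPN_CLIENT_IP), "192.168.0.242"))
    # The plan the note warns against: a 10.0.0.0/16 VPC with a 10.0.0.0/24 site behind the VPN.
    try:
        aws_route_table("10.0.0.0/16", REMOTE_CIDRS, IGW_ID, VPN_INSTANCE_ID)
    except ValueError as e:
        print("rejected:", e)
```

In the rejected case the local route for 10.0.0.0/16 would have been the longest match for 10.0.0.25, so the VPC would never hand that traffic to vpn02; that is the failure the note above is guarding against.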

Now, reboot the client machine (using the reboot command) so the openvpn service starts with the new .conf. After the reboot, you can check whether the connection was successful by looking at the Admin web interface from ad02:

image

If a client is shown as connected, the connection was successful. A site-to-site VPN is now established between the AWS VPC and your on-premise network. You can test this with ping and traceroute from both sides.

💡 Note: Security groups deny all inbound traffic by default, so add rules for what you need (ICMP for ping, TCP 3389/22 for administration, and later the AD DS and DNS ports) from the on-premise ranges, and open the same traffic on the hosts' own firewalls; the Windows host firewall blocks inbound ping until you allow it.

On-premise:

image

AWS:

image
