Table of Contents

OpenVPN Access Server

Auto install with SSL Cert.

Launch an Amazon Linux 2 instance with the following user data. Security Group will need to allow;

#!/bin/bash
yum -y install ncurses-compat-libs
yum -y install https://as-repository.openvpn.net/as-repo-centos7.rpm
yum -y install openvpn-as
yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y install certbot
 
sudo certbot certonly -n -d VPN.DOMAIN.TLD --email hostmaster@DOMAIN.TLD --no-eff-email --agree-tos --standalone
 
sudo systemctl stop openvpnas
sudo rm /usr/local/openvpn_as/etc/web-ssl/server.key
sudo rm /usr/local/openvpn_as/etc/web-ssl/server.crt
sudo rm /usr/local/openvpn_as/etc/web-ssl/ca.crt
sudo ln -s /etc/letsencrypt/live/VPN.DOMAIN.TLD/privkey.pem /usr/local/openvpn_as/etc/web-ssl/server.key
sudo ln -s /etc/letsencrypt/live/VPN.DOMAIN.TLD/cert.pem /usr/local/openvpn_as/etc/web-ssl/server.crt
sudo ln -s /etc/letsencrypt/live/VPN.DOMAIN.TLD/chain.pem /usr/local/openvpn_as/etc/web-ssl/ca.crt
sudo systemctl start openvpnas
 
sudo /usr/local/openvpn_as/scripts/sacli --import GetActiveWebCerts
sudo /usr/local/openvpn_as/scripts/sacli start

After install SSH to instance and set password for openvpn user.

sudo passwd openvpn

Configure auto renewal of SSL Cert

Create script /home/ec2-user/cert_loader.sh

cert_loader.sh
#!/bin/bash
/usr/local/openvpn_as/scripts/sacli --key "cs.priv_key" --value_file "/usr/local/openvpn_as/etc/web-ssl/privkey.pem" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "cs.cert" --value_file "/usr/local/openvpn_as/etc/web-ssl/cert.pem" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "cs.ca_bundle" --value_file "/usr/local/openvpn_as/etc/web-ssl/chain.pem" ConfigPut
/usr/local/openvpn_as/scripts/sacli start

Edit crontab for root user to call renewal with cert loader as a post-hook.

1 1 * * 2 certbot renew --standalone --preferred-challenges http --pre-hook '' --post-hook '/home/ec2-user/cert_loader.sh' > /var/log/cert_loader.log

Old

Backup default self signed certificates;

$ mkdir old-ss-cert
$ sudo cp /usr/local/openvpn_as/etc/web-ssl/* ./old-ss-cert/


Install LetsEncrypt SSL certificate;

$ sudo systemctl stop openvpnas
$ sudo apt-get install letsencrypt
$ sudo letsencrypt certonly
$ sudo cp /etc/letsencrypt/live/CERTNAME/cert.pem /usr/local/openvpn_as/etc/web-ssl/server.crt
$ sudo cp /etc/letsencrypt/live/CERTNAME/privkey.pem /usr/local/openvpn_as/etc/web-ssl/server.key
$ sudo cp /etc/letsencrypt/live/CERTNAME/chain.pem /usr/local/openvpn_as/etc/web-ssl/ca.crt
$ sudo systemctl start openvpnas
$ sudo systemctl status openvpnas


Review LetsEncrypt SSL certificate;

$ sudo systemctl stop openvpnas
$ sudo letsencrypt renew
$ sudo cp /etc/letsencrypt/live/CERTNAME/cert.pem /usr/local/openvpn_as/etc/web-ssl/server.crt
$ sudo cp /etc/letsencrypt/live/CERTNAME/privkey.pem /usr/local/openvpn_as/etc/web-ssl/server.key
$ sudo cp /etc/letsencrypt/live/CERTNAME/chain.pem /usr/local/openvpn_as/etc/web-ssl/ca.crt
$ sudo systemctl start openvpnas