
Ref Arch: How to connect to an OpenVPN server from a Linux machine

Answer

A customer asked:

> How can I connect to one of the OpenVPN servers in the Ref Arch from a Linux machine?

---

[Tracked in ticket #108941](https://support.gruntwork.io/hc/requests/108941) (2022-07-07)

# How to access a RefArch OpenVPN server from a Linux machine

### Install openvpn3 client

Follow [these instructions](https://openvpn.net/cloud-docs/openvpn-3-client-for-linux/) to install the `openvpn3` client on your Linux machine.

### Join the OpenVPN IAM Group

To get access to an OpenVPN server, your IAM User needs access to the SQS queues used by that OpenVPN server. Since our IAM Users are defined in one AWS account (security) and the OpenVPN servers are defined in separate AWS accounts (stage, prod, etc.), you need to "switch" to the accounts with the OpenVPN servers by assuming an IAM Role that has access to the SQS queues in those accounts. To be able to assume an IAM Role, your IAM User needs to be part of an IAM Group with the proper permissions, such as `_account.xxx-full-access` or `_account.xxx-openvpn-users`, where `xxx` is the name of the account you want to access (`stage`, `prod`, etc.). See [Configure other IAM Users](https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/master/examples/for-production/infrastructure-live/docs/02-authenticate.md#configure-other-iam-users) for instructions on adding users to IAM Groups.

### Use openvpn-admin to generate a configuration file

To connect to an OpenVPN server, you need an OpenVPN configuration file, which includes a certificate that you can use to authenticate. To generate this configuration file, do the following:

1. Install the latest [openvpn-admin binary](https://github.com/gruntwork-io/terraform-aws-openvpn/releases) for your OS.
2. [Authenticate to AWS via the CLI](https://github.com/gruntwork-io/terraform-aws-service-catalog/blob/master/examples/for-production/infrastructure-live/docs/02-authenticate.md#authenticate-to-aws-via-the-cli). You will need to assume an IAM Role in the AWS account with the OpenVPN server you're trying to connect to. This IAM Role must have access to the SQS queues used by the OpenVPN server. Typically, the `allow-full-access-from-other-accounts` or `openvpn-server-allow-certificate-requests-for-external-accounts` IAM Role is what you want.
3. Run `openvpn-admin request --aws-region <AWS REGION> --username <YOUR IAM USERNAME>`. Note that this command will work whether or not you have a valid IAM user.
4. This will create your OpenVPN configuration file in the current folder. It will be named `<YOUR IAM USERNAME YOU SUPPLIED>.ovpn`.

### Load your config file into openvpn3 client and connect

1. Load this configuration file into your OpenVPN client by running `openvpn3 config-import --config ${MY_CONFIGURATION_FILE}`, where `MY_CONFIGURATION_FILE` is the path to your `<your-name>.ovpn` file.
2. Start a session using this configuration (connect to the VPN server) by running `openvpn3 session-start --config ${CONFIGURATION_PROFILE_NAME}`.
3. Once your session has been established, you'll see `Connected` printed to your terminal. You can also inspect your sessions by running `openvpn3 sessions-list`.

### Resolve hostnames, and connect to private IP addresses

The following section explains how to connect to a private Jenkins instance that you might have running in a private subnet behind your OpenVPN server, for example. This only applies if you selected to have Jenkins deployed when you initially configured your Reference Architecture.

1. Grab the private SSH key for the Jenkins machine. During deployment, this was automatically stored in your shared account's Secrets Manager. Be sure you are viewing the exact region you have set as your `PrimaryRegion` in your `reference-architecure-form.yml` form. The secret will be named `jenkins-admin-v1` and its description will indicate it is the "Back up SSH key for EC2 instances of class jenkins-admin-v1".
2. Save the key to your `~/.ssh/` directory and give it a unique name, such as `~/.ssh/jenkins-key`.
3. Run `chmod 0400 ~/.ssh/jenkins-key` so that it can only be read by your user.
4. Run `ssh-add ~/.ssh/jenkins-key`. If you get an error about your `ssh-agent` not being available, run `eval $(ssh-agent)` and then try running your `ssh-add` command again. Once you see a message about the identity being successfully added, and your key appears in the output of `ssh-add -l`, you're good to go: your SSH agent will present this key to the server when negotiating an SSH connection.
5. Now that you are connected to the OpenVPN server, you can resolve any hostnames that are private to this network, as well as reach any hosts by their private IP. This means you can now look up your Jenkins instance (if you selected Jenkins) on the EC2 page of the AWS web console and use its private IP address when SSH'ing to it: `ssh ubuntu@<private-ip-address>`
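The following helper script is an added example, not part of the original article or the Gruntwork tooling. It wraps the config-generation and connect steps above: it refuses to import a `.ovpn` file that is readable by other users (the file carries your client certificate and, by assumption here, an inline `<key>` block) or that lacks the `client`, `remote`, `<cert>` and `<key>` directives, then runs the `openvpn3` import, session-start and sessions-list commands. It assumes `openvpn3` is on `PATH` and uses its `--name` option to set the profile name explicitly.

```shell
#!/usr/bin/env bash
# Added example (not from the article): sanity-check the .ovpn produced by
# `openvpn-admin request`, then connect with openvpn3.
set -eu

# Returns 0 if the config looks like a usable client profile and is private
# to the current user; prints the reason and returns 1 otherwise.
check_ovpn_config() {
  cfg="$1"
  [ -f "$cfg" ] || { echo "missing config: $cfg" >&2; return 1; }
  # The profile embeds credential material: group/other access is a finding.
  mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
  case "$mode" in
    600|400) ;;
    *) echo "$cfg is mode $mode; run: chmod 0600 $cfg" >&2; return 1 ;;
  esac
  # A client profile must name the remote server and carry the auth blocks.
  for needle in '^client' '^remote ' '<cert>' '<key>'; do
    grep -q -- "$needle" "$cfg" || { echo "$cfg lacks $needle" >&2; return 1; }
  done
  return 0
}

# Profile name used for the openvpn3 session: the file name without .ovpn
# (the article names the file after the IAM username you supplied).
profile_name() {
  base="${1##*/}"
  printf '%s\n' "${base%.ovpn}"
}

# Import the profile, start the session and show the session table.
connect_vpn() {
  cfg="$1"
  check_ovpn_config "$cfg"
  name=$(profile_name "$cfg")
  openvpn3 config-import --config "$cfg" --name "$name"
  openvpn3 session-start --config "$name"
  openvpn3 sessions-list
}
```

Source the file and call `connect_vpn "<your-iam-username>.ovpn"`; a config that fails the check is never imported.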