Updated:

This page contains notes from my various tests and experiments. It is a raw record of what I did, without correction for errors, or later update for things that I learn. Use at your own risk.

Setting up an Amazon Web Services (AWS) virtual machine usable by OpenVPS

Here I’ll describe how to setup an simple virtual machine using AWS, configured to be usable as an OpenVPN gateway. These instructions are designed to work on Ubuntu, but should work on other Linux-based systems as well.

I assume basic Linux and networking knowledge. Also these instructions are to launch a demo machine you intend to throw away, for permanent use you may want tighter security.

Get an Amazon Web Services account

Open the AWS Management console, create an account and login to the console.

Select EC2 from Services.

Get and configure an IP address for the virtual machine

Select Elastic IPs

Select Allocate Elastic IP Address

Select Allocate

After you have the IP address, the easiest way to use it will be to add this to the hosts file on your computer. That is, as root edit /etc/hosts and add a line for the ros-openvpn host. That is, I got the IP address 44.232.53.80 which I added to /etc/hosts as:

44.232.53.80 ros-openvpn

Create and configure a Key Pair

From the AWS EC2 console, select Key Pairs

Select Create Key Pair

Enter a name, in this example I’ll use ros-openvpn. Accept the defaults (RSA type, .pem format)

Select Create key pair

At this point, you will be prompted to download a file with the key file. Save this file and move it to the directory ~/.ssh

Tighten the security on the .pem file:

cd ~/.ssh
chmod 400 ros-openvpn.pem

Edit the file ~/.ssh/config and add the lines:

Host ros-openvpn
  HostName ros-openvpn
  IdentityFile ~/.ssh/ros-openvpn.pem
  User ubuntu
  StrictHostKeyChecking no

I used the StrictHostKeyChecking no option because I created and destroyed many AWS EC2 instances while testing stuff, so this lets me login to a new system with old credentials and the same IP address. Not recommended for a permanent system.

Create a security group with SSH and OpenVPN access

From the EC2 console, select Security Groups

Select Create security group

Set the Security group name to openvpn-gateway

Set the Description to SSH OpenVPN Ping

Add Inbound rules for UDP port 1194, SSH (TCP port 22), and ICMP Echo Request, each with Anywhere-IPv4 Source.

Select Create security group

When finished, the Inbound rules for the security group should look like:

Inbound Rules

Launch an instance

From the EC2 console, select Instances

Select Launch Instances

At Step 1: Choose an Amazon Machine Image (AMI) you’ll need to find an appropriate image from a massive list. We are looking for a recent official minimal Ubuntu image, version 20.04. Here’s how I have found to search for the correct image.

Select Community AMIs

In the search field, enter Canonical Minimal amd64 20.04 /images/ YYYYMM where YYYYMM is the current year and month. At the time this is written, that is 202110 so the full search field is:

Canonical Minimal amd64 20.04 /images/ 202110

Click Select for the most recent of these images (though any should work).

Click Review and Launch which brings you to Step 7: Review Instance Launch.

By Security Groups select Edit Security Groups. Under Assign a security group, select Select an existing security group and select the security group we created previously (openvpn-gateway).

Select Review and Launch then Launch

On the popup screen Select an existing keypair or create a new key pair make sure that Choose an existing key pair is selected, with Select a key pair set to the key pair we created previously (called ros-openvpn). Select I acknowledge … then Launch Instances.

Select View Instances

Assign the allocated Elastic IP to the instance

At the EC2 console, select Elastic IPs Select the Ip we allocated, then under Actions select Associate IP Address. There accept the default Resource type of Instance, select the search box with the Choose and instance text, and select the now-running instance that we just launched. Select Allow this Elastic IP address to be reassociated, then Associate.

If all works as expected, you should be able to ping the new instance:

$ ping ros-openvpn
PING ros-openvpn (44.232.53.80) 56(84) bytes of data.
64 bytes from ros-openvpn (44.232.53.80): icmp_seq=1 ttl=31 time=11.7 ms
64 bytes from ros-openvpn (44.232.53.80): icmp_seq=2 ttl=31 time=11.7 ms
64 bytes from ros-openvpn (44.232.53.80): icmp_seq=3 ttl=31 time=11.3 ms
64 bytes from ros-openvpn (44.232.53.80): icmp_seq=4 ttl=31 time=11.3 ms

You should also be able to ssh to the instance:

$ ssh ros-openvpn
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.11.0-1020-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.

0 updates can be applied immediately.

Last login: Sun Oct 24 21:41:19 2021 from 50.35.65.128
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

ubuntu@ip-172-31-17-172:~$ 

There may be ssh error messages about host changed, but the StrictHostKeyChecking no option we recommended should allow login regardless.

You know have a gateway that can be used to test ROS networking with AWS nodes.