You want to host a private EC2 instance (e.g., a backend app, database, or admin tool) that is not accessible to the public. To access it securely, you'll use an OpenVPN server on AWS to create a private, encrypted tunnel into your AWS environment.
[Your Laptop]
|
| OpenVPN (encrypted tunnel)
|
[AWS OpenVPN EC2 Instance (public IP)]
|
| (internal AWS network)
|
[Private EC2 Server (no public IP)]
- Launch an EC2 instance for the OpenVPN server
  - AMI: Ubuntu Server 22.04
  - Type: t2.micro
  - Key pair: create a new one or use an existing one (e.g., vpn-key.pem)
  - Security group: allow
    - UDP 1194 (OpenVPN)
    - TCP 22 (SSH), ideally only from your own IP
- SSH into the instance
    ssh -i vpn-key.pem ubuntu@<openvpn-ec2-public-ip>
- Install OpenVPN with an installer script (read through the downloaded script before running it as root)
    wget https://git.io/vpn -O openvpn-install.sh
    chmod +x openvpn-install.sh
    sudo ./openvpn-install.sh
- Follow the prompts:
  - Public IP: accept the default
  - Protocol: UDP
  - Port: 1194
  - Client name: client1
- Transfer the client configuration to your laptop:
    scp -i vpn-key.pem ubuntu@<openvpn-ec2-public-ip>:client1.ovpn .
- Launch a second EC2 instance (the private server)
  - No public IP
  - Place it in the same VPC and subnet as the OpenVPN server
  - Use the same key pair
  - Security group:
    - Allow SSH (port 22) from the OpenVPN server's private IP only
- Note the private IP of this instance (e.g., 172.31.24.22)
- Install OpenVPN Connect (GUI) or the openvpn CLI on your laptop
- Import client1.ovpn
- Click Connect
Once connected to the VPN:
    ssh -i vpn-key.pem ubuntu@<private-ec2-private-ip>
This works because your laptop's traffic now enters the VPC through the OpenVPN server, which is why the private instance's security group only needs to trust the VPN server's private IP.
Security hardening:
- Store vpn-key.pem securely
- Disable root login and password authentication on all EC2 instances
- Allow SSH only from trusted IPs or the VPN server
- Rotate VPN keys periodically
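To verify the "disable root login and password authentication" step on each instance, here is an added example (not part of the original guide) that audits an sshd_config file for those two settings; the sample config files it writes are constructed for the demonstration and are not taken from any real instance.

```shell
#!/bin/sh
# Added example, not from the original guide: audit an sshd_config for the two
# hardening settings listed above. sshd honours the FIRST uncommented occurrence
# of a keyword, so that is the value we read; commented-out lines do not count.
# Returns 0 only when PermitRootLogin and PasswordAuthentication are both "no".
audit_sshd_config() {
    cfg="$1"
    rc=0
    for opt in PermitRootLogin PasswordAuthentication; do
        # first active directive for this keyword (case-insensitive), value lowercased
        val=$(grep -i "^[[:space:]]*${opt}[[:space:]]" "$cfg" | head -n 1 \
              | awk '{print tolower($2)}')
        if [ -z "$val" ]; then
            echo "WARN $cfg: $opt not set (sshd's default is not 'no')"
            rc=1
        elif [ "$val" != "no" ]; then
            echo "FAIL $cfg: $opt is '$val', expected 'no'"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK   $cfg: root login and password authentication disabled"
    fi
    return "$rc"
}

# Constructed sample configs (not copied from any real instance) to exercise the audit.
TMP=$(mktemp -d)
HARDENED_CFG="$TMP/sshd_config.hardened"
WEAK_CFG="$TMP/sshd_config.weak"
cat > "$HARDENED_CFG" <<'EOF'
# what the guide asks for on every EC2 instance
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
cat > "$WEAK_CFG" <<'EOF'
# commented-out directives do not count, and prohibit-password still allows key-based root login
#PermitRootLogin no
PermitRootLogin prohibit-password
#PasswordAuthentication no
EOF

for f in "$HARDENED_CFG" "$WEAK_CFG"; do
    audit_sshd_config "$f" || true
done
```

On Ubuntu 22.04 the stock /etc/ssh/sshd_config includes /etc/ssh/sshd_config.d/*.conf, so run the audit on each included file too, and confirm the effective values with `sudo sshd -T | grep -Ei 'permitrootlogin|passwordauthentication'`.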
You now have:
- A secure VPN tunnel into your AWS environment
- A private EC2 server reachable only after connecting to the VPN
- A private server that is not exposed to internet-wide scanning, because its only entry point is the VPN