Help setting up OpenVPN Router with AWS?

Hi,

I have a number of devices at my office that need to connect to a 3rd party service on the internet in order to work correctly. For security reasons, this 3rd party service only accepts connections from whitelisted IP addresses. It's a bit of a long-winded process to request an IP address to be whitelisted, and unfortunately, my ISP keeps changing my external IP address every day or two.

So I set up an Amazon EC2 / AWS server with a static IP address and provided this for the whitelist. I followed an online tutorial to set up the EC2 server and connect to it using OpenVPN: https://www.comparitech.com/blog/vpn-privacy/how-to-make-your-own-free-vpn-using-amazon-web-services/

This works great using the OpenVPN client on my PC. However, I now need to connect other devices to the 3rd party service. These devices aren't PCs and don't let me configure or install software on them, so it's not like I can just install OpenVPN on them and let them connect in the same way. Then I heard it was possible to set up OpenVPN on a router.

To that end, I bought an Archer C7 v2 and put LEDE on it, plus OpenVPN. My thinking was that all the devices would connect to this router. The router would then use OpenVPN to tunnel through to my Amazon EC2/AWS server. And any traffic coming into the router (from LAN cables) would go through the tunnel, out through the EC2 server, and so appear to the outside world to have the whitelisted IP address.

However, I've spent all day trying to follow various tutorials online for setting up OpenVPN on my router. Yet I just can't seem to make what I want to happen work. I'm a front-end app developer by trade, so slightly out of my comfort zone with this stuff.

So two questions:

1). Is what I'm trying to do even possible? Or have I been barking up the wrong tree the whole time?

2). If it is possible, what settings do I need to set on my router in LEDE and OpenVPN to make it happen?

The alternatives to this are getting a new ISP and/or finding a new office with a static IP, so if anyone can help me avoid that, it would be a massive help!

Thanks
James Coote

@JamesCoote - Yes, this is entirely possible. In my case, I have a small router (TL-MR3020 and now migrating to a TL-WR902AC) that I can take with me when I travel internationally -- all my devices connect via this router, through an OpenVPN tunnel to a LEDE router w/ OpenVPN Server that I have at home. Traffic from my devices appears to originate through my home. In your case, you'll be doing the same thing, but OpenVPN will be running on the AWS systems instead.

How far have you gotten?

Your first step should be to ensure that the OpenVPN server on AWS is fully up and running. Are you able to connect to it using a desktop or mobile OpenVPN client? If not, work through this first. You will want to know that the remote end is working properly first. I personally can't really help much with the AWS part as I've never done that, but maybe someone else can lend a hand if this is the problem.

If/once everything is working on AWS, what is your current status with the LEDE box (C7)? Generally speaking, this should be fairly easy to configure, but it does take a bit of learning to get there, especially the first time.

When I set up my first mobile-VPN solution, I used a guide from Logan Marchione to get everything set up. He was also using an MR3020 (on OpenWRT at the time), but you should be able to do everything more or less the same (you probably won't need to extroot, though). This is a great tutorial!

Also, there is an OpenVPN LuCI app if you prefer to work with a GUI. There are some advantages to setting up the config file manually, but this can be helpful, too.

Finally, depending on where you get stuck, you will probably need to post some of your config files and/or logs.
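For the LEDE side of the picture above, here is an added example (my own, not code from the thread, from LEDE or from the Logan Marchione guide) of the UCI settings that send every LAN client through the tunnel: an OpenVPN instance pointing at a client config, an unmanaged "vpn" interface for the tunnel device, a firewall zone that masquerades LAN traffic behind the tunnel address and accepts nothing inbound, and a lan-to-vpn forwarding. The path /etc/openvpn/aws.ovpn, the interface name tun0, the zone name lan, the "apply" entry point and the elastic-IP argument are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from LEDE's own documentation: UCI
# settings that make a LEDE/OpenWrt router send all LAN traffic through an
# OpenVPN client tunnel.  Assumptions (not stated in the thread): the client
# config is at /etc/openvpn/aws.ovpn, it contains "dev tun" so the tunnel
# interface is tun0, and the LAN firewall zone has the default name "lan".
# On the router:  sh vpn-router.sh apply <elastic-ip-on-the-whitelist>

OVPN_CONF=/etc/openvpn/aws.ovpn   # assumed location of the client config
TUN_DEV=tun0                      # assumed tunnel interface name

# Print the configuration as "uci batch" commands instead of applying it
# directly, so the whole change can be reviewed (or tested) before it touches
# the router.  The comment lines are stripped before being fed to uci.
render_uci_batch() {
    cat <<EOF
# OpenVPN instance started by /etc/init.d/openvpn from a plain .ovpn file
set openvpn.aws=openvpn
set openvpn.aws.enabled=1
set openvpn.aws.config=$OVPN_CONF
# Unmanaged interface so the firewall can refer to the tunnel by name.
# LEDE 17.01 uses "ifname"; on OpenWrt 21.02 and later the option is "device".
set network.vpn=interface
set network.vpn.proto=none
set network.vpn.ifname=$TUN_DEV
# Zone for the tunnel: LAN traffic is masqueraded behind the tunnel address,
# nothing is accepted inbound from the tunnel, MSS is clamped for the lower MTU.
add firewall zone
set firewall.@zone[-1].name=vpn
set firewall.@zone[-1].network=vpn
set firewall.@zone[-1].input=REJECT
set firewall.@zone[-1].output=ACCEPT
set firewall.@zone[-1].forward=REJECT
set firewall.@zone[-1].masq=1
set firewall.@zone[-1].mtu_fix=1
# Let LAN clients be forwarded into the tunnel
add firewall forwarding
set firewall.@forwarding[-1].src=lan
set firewall.@forwarding[-1].dest=vpn
commit openvpn
commit network
commit firewall
EOF
}

# Optional kill switch: remove the stock lan->wan forwarding so that, if the
# tunnel is down, LAN devices cannot fall back to the ISP address (which the
# third-party service would reject anyway).  The router itself keeps reaching
# the OpenVPN server, because that is the wan zone's "output", not forwarding.
disable_lan_to_wan() {
    for sec in $(uci -q show firewall | sed -n 's/^firewall\.\(@forwarding\[[0-9]*\]\)=forwarding$/\1/p'); do
        if [ "$(uci -q get "firewall.$sec.src")" = lan ] && \
           [ "$(uci -q get "firewall.$sec.dest")" = wan ]; then
            uci delete "firewall.$sec"
            uci commit firewall
            return 0
        fi
    done
    return 1
}

# Compare the whitelisted address ($1) with the reply of a "what is my IP"
# service ($2, passed in as text so the check can be tested offline).
egress_ip_matches() {
    [ "$(printf '%s' "$2" | tr -d '[:space:]')" = "$1" ]
}

if [ "${1:-}" = apply ]; then
    expected=${2:?usage: $0 apply <elastic-ip>}
    render_uci_batch | sed '/^#/d' | uci batch
    /etc/init.d/openvpn enable
    /etc/init.d/openvpn restart
    /etc/init.d/network reload
    /etc/init.d/firewall reload
    sleep 10   # give the tunnel time to come up
    # Busybox wget may lack TLS, hence plain http for this one check.
    reply=$(wget -qO- http://checkip.amazonaws.com)
    if egress_ip_matches "$expected" "$reply"; then
        echo "router egress is $reply (whitelisted); now repeat the check from a LAN device"
    else
        echo "router egress is '$reply', expected $expected: tunnel or routing problem"
    fi
fi
```

Rendering the batch and piping it into "uci batch" keeps the change visible before it is made. The egress check only proves the router's own traffic is in the tunnel; repeat it from one of the office devices (or any LAN browser hitting checkip.amazonaws.com) to confirm the forwarding and masquerade, since those are the parts that usually go wrong. The optional disable_lan_to_wan is what stops devices from quietly using the ISP address when the tunnel drops.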

There are multiple ways to configure an OpenVPN client on OpenWrt/LEDE; one of them is to drop the .ovpn file on your router. If you have the connection from your PC to your OVPN server at AWS, you can likely use the same .ovpn file on your router, possibly only adding another line referring to the text file with login and password, so that your router can log in to your OVPN server automatically. You might also have to copy the certificate/key files to your router.

I can't recall the exact directory on the router where you can place an .ovpn file; I hope either others or the OpenWrt wiki can fill that gap.

PS. Maybe you should start with the OVPN config you've used on your PC to connect to your OVPN server at AWS -- just make sure to sanitize it so that no personal info (passwords, private certs) is uploaded to the forum.
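Picking up the two suggestions in the post above, an added example (my own, not the poster's config, not code from the thread or from LEDE) that writes the client .ovpn with the extra auth-user-pass line, writes the credentials file with permissions only root can read, and provides a small sanitizer that redacts inline certificates, keys and the server address from an .ovpn before it is posted for help. The server name, port, certificate bodies, the /etc/openvpn paths and the "install" entry point are constructed placeholders and assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: writes the two client files the router
# needs and produces a sanitized copy of an .ovpn that is safe to post for help.
# Assumptions (not in the thread): files live in /etc/openvpn, the server name
# and the certificate bodies below are constructed placeholders, and the AWS
# server expects username/password plus certificates.
# On the router:  sh vpn-client-files.sh install <user> <password>

CONF_DIR=/etc/openvpn   # assumed; the UCI "config" option must point here

# Full-tunnel client config.  "redirect-gateway def1" sends the router's own
# traffic into the tunnel (LAN devices follow via a lan->vpn forwarding), and
# "auth-user-pass <file>" is the extra line the post above mentions: the router
# reads the credentials from that file and can reconnect unattended.
write_client_config() {
    cat > "$1/aws.ovpn" <<EOF
client
dev tun
proto udp
remote vpn.example.invalid 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth-user-pass $CONF_DIR/auth.txt
redirect-gateway def1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED PLACEHOLDER, NOT A REAL CERTIFICATE
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CONSTRUCTED PLACEHOLDER, NOT A REAL CERTIFICATE
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
CONSTRUCTED PLACEHOLDER, NOT A REAL KEY
-----END PRIVATE KEY-----
</key>
EOF
}

# Credentials file: username on line 1, password on line 2, mode 0600 so only
# root on the router can read it.  The subshell keeps the umask change from
# leaking into the caller.
write_auth_file() {
    ( umask 077; printf '%s\n%s\n' "$2" "$3" > "$1/auth.txt" )
}

# Sanitize for posting: replace the bodies of inline <ca>/<cert>/<key>/
# <tls-auth>/<tls-crypt>/<secret> blocks with a marker and hide the server
# address, but keep every other directive so helpers can see what the client
# does.  Reads the config on stdin, writes the sanitized copy on stdout.
sanitize_ovpn() {
    awk '
        /^<(ca|cert|key|tls-auth|tls-crypt|secret)>$/   { skip = 1; print; print "[REDACTED]"; next }
        /^<\/(ca|cert|key|tls-auth|tls-crypt|secret)>$/ { skip = 0; print; next }
        skip                                            { next }
        $1 == "remote"                                  { $2 = "REDACTED-HOST"; print; next }
        { print }
    '
}

if [ "${1:-}" = install ]; then
    mkdir -p "$CONF_DIR"
    write_client_config "$CONF_DIR"
    write_auth_file "$CONF_DIR" "${2:?username}" "${3:?password}"
    echo "wrote $CONF_DIR/aws.ovpn and $CONF_DIR/auth.txt; sanitized copy for the forum:"
    sanitize_ovpn < "$CONF_DIR/aws.ovpn"
fi
```

The directives that remain after sanitizing (dev, proto, the port, redirect-gateway, remote-cert-tls and so on) are exactly what someone helping on the forum needs to see; the certificate and key bodies and the server's address are what must never leave the router. If the PC config keeps the certificates in separate files instead of inline, copy those files next to the .ovpn on the router and leave their names in the config; the sanitizer passes such lines through unchanged because they contain no secrets.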