
A Complete Guide to Deploying an IPv6 OpenVPN Server on AWS EC2
As the internet gradually transitions to IPv6, ensuring your remote access solutions are future-proof is more critical than ever. An IPv6-native VPN not only prepares your network for the future but can also provide a more direct and efficient connection path. This guide will walk you through the complete process of setting up a secure and robust IPv6 OpenVPN server on an AWS EC2 instance running Rocky Linux.
By following these steps, you can build your own private VPN, giving you full control over your data and security while leveraging the power of modern networking protocols.
What You’ll Need Before You Begin
Before diving into the configuration, ensure you have the following prerequisites in place:
- An active AWS account.
- Basic familiarity with the Linux command line and networking concepts.
- An EC2 instance running Rocky Linux (or a similar RHEL-based distribution like AlmaLinux or CentOS Stream).
- Your VPC and subnet must be configured to support IPv6.
Step 1: Launch and Configure Your AWS EC2 Instance
The foundation of our VPN is a properly configured EC2 instance. The most crucial part of this step is ensuring it has a public IPv6 address.
- Launch an EC2 Instance: When launching your instance, select a Rocky Linux AMI.
- Configure Networking: In the “Network settings” section, ensure your chosen VPC and subnet have an associated IPv6 CIDR block. Critically, you must enable the “Auto-assign IPv6 address” feature for the instance. This provides your server with a public, globally reachable IPv6 address.
- Set Up a Security Group: Create a security group that allows incoming traffic for your VPN. At a minimum, you need to add a rule to allow inbound UDP traffic on port 1194 (the default OpenVPN port) from the source ::/0 to permit connections from any IPv6 address. You should also allow SSH access (TCP port 22) from your IP address for management.
Once the instance is running, connect to it via SSH to begin the software setup.
Step 2: Prepare the Rocky Linux Environment
With your instance ready, the next step is to install the necessary software packages.
First, update your system to ensure all packages are current:
sudo dnf update -y
Next, install the EPEL (Extra Packages for Enterprise Linux) repository, which contains OpenVPN and its dependencies:
sudo dnf install epel-release -y
Finally, install OpenVPN and Easy-RSA, the tool we’ll use to manage our security certificates:
sudo dnf install openvpn easy-rsa -y
Step 3: Build Your Certificate Authority and Keys
A secure VPN relies on a robust Public Key Infrastructure (PKI). We will use Easy-RSA to create a Certificate Authority (CA) and generate server and client certificates.
Initialize the PKI:
Create a directory for your PKI and initialize it.
mkdir ~/easy-rsa
cp -r /usr/share/easy-rsa/3/* ~/easy-rsa/
cd ~/easy-rsa
./easyrsa init-pki
Build the Certificate Authority (CA):
This command creates your root certificate. You will be prompted to enter a passphrase; choose a strong passphrase and store it securely.
./easyrsa build-ca
Generate the Server Certificate and Key:
Now, generate a certificate request and key for the OpenVPN server. Use nopass so the server can restart without manual intervention.
./easyrsa gen-req server nopass
Sign the Server Certificate:
Use your CA to sign the server's certificate request.
./easyrsa sign-req server server
Generate a Client Certificate and Key:
Repeat the process for each client that will connect to the VPN.
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
Generate Diffie-Hellman Parameters:
This is a crucial step for securing the key exchange process.
./easyrsa gen-dh
After these steps, copy the necessary files to the OpenVPN directory:
sudo cp pki/ca.crt /etc/openvpn/server/
sudo cp pki/issued/server.crt /etc/openvpn/server/
sudo cp pki/private/server.key /etc/openvpn/server/
sudo cp pki/dh.pem /etc/openvpn/server/
Step 4: Configure the OpenVPN Server
Create the main server configuration file at /etc/openvpn/server/server.conf. This file dictates how the VPN server operates. The following configuration is optimized for a secure IPv6 setup.
port 1194
# Use udp6 for IPv6-specific communication
proto udp6
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# Define the IPv6 subnet for VPN clients
server-ipv6 2001:db8:1:1::/64
push "redirect-gateway def1"
# Push DNS servers to clients (using Google's public IPv6 DNS)
push "dhcp-option DNS 2001:4860:4860::8888"
push "dhcp-option DNS 2001:4860:4860::8844"
# Ensure all IPv6 traffic is routed through the VPN
push "route-ipv6 2000::/3"
keepalive 10 120
cipher AES-256-GCM
auth SHA256
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
Key IPv6 directives in this configuration include:
- proto udp6: This explicitly tells OpenVPN to listen for connections over IPv6 UDP, which is essential.
- server-ipv6 [address]/[prefix]: This defines the virtual IPv6 subnet that will be assigned to connecting clients.
- push "route-ipv6 2000::/3": This command instructs the client to route all public IPv6 traffic through the VPN, ensuring a secure and private connection.
Step 5: Configure Networking and Firewall Rules
For the server to route traffic from VPN clients to the internet, you must enable IP forwarding and configure the firewall.
Enable IPv6 Forwarding:
Edit the system control configuration file:
sudo nano /etc/sysctl.conf
Add the following line to enable IPv6 packet forwarding:
net.ipv6.conf.all.forwarding=1
Apply the change immediately without rebooting:
sudo sysctl -p
Configure the Firewall:
We will use firewalld to allow OpenVPN traffic and set up masquerading, which allows clients to use the server's public IP address.
# Allow the OpenVPN service (UDP 1194)
sudo firewall-cmd --add-service=openvpn --permanent
# Enable IPv6 masquerading. Note: firewalld's --add-masquerade zone option
# only enables IPv4 masquerading, so IPv6 needs a rich rule instead.
sudo firewall-cmd --add-rich-rule='rule family=ipv6 masquerade' --permanent
# Reload the firewall to apply changes
sudo firewall-cmd --reload
Masquerading (NAT66) is a critical step here because the VPN's virtual IPv6 subnet is not routable on the internet: the server rewrites the source address of each client packet to its own public IPv6 address, so return traffic comes back to the server and the clients' virtual addresses are never exposed to the destination.
Step 6: Start and Enable the OpenVPN Service
With all configurations in place, it’s time to start the OpenVPN server.
# Start the OpenVPN server using our configuration file
sudo systemctl start openvpn-server@server
# Enable the service to start automatically on boot
sudo systemctl enable openvpn-server@server
You can check the status of the service to ensure it’s running without errors:
sudo systemctl status openvpn-server@server
Step 7: Create and Configure the VPN Client
The final step is to create a configuration file (.ovpn) for your client device. This file bundles the client certificate, key, and server connection details into a single package.
Create a base configuration file, client1.ovpn, on your local machine.
client
dev tun
# Use udp6 to connect over IPv6
proto udp6
# Replace with your server's public IPv6 address
remote [YOUR_EC2_IPV6_ADDRESS] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
verb 3
Crucially, the remote directive must point to your EC2 instance's public IPv6 address.
Embed Certificates and Key:
Open the client1.ovpn file and append the contents of your CA, client certificate, and client key. You will need to securely transfer these files from your server. The final file should look like this:
# ... (previous configuration) ...
<ca>
-----BEGIN CERTIFICATE-----
(Content of ca.crt)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(Content of client1.crt)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(Content of client1.key)
-----END PRIVATE KEY-----
</key>
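As an added example that is not part of the original article, the following POSIX shell script assembles the client profile described above from the Easy-RSA output of Step 3: it refuses to write anything if a PEM file is missing or lacks its BEGIN/END markers, and it creates the result owner-readable only because the profile embeds the private key. The remote address 2001:db8::1 and the file paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: assemble a client .ovpn
# profile with the CA, client certificate and client key inlined, after
# checking each PEM file. File paths and the remote address are assumptions.

# pem_ok FILE PATTERN: succeed only if FILE is non-empty and is delimited by
# "-----BEGIN <PATTERN>-----" / "-----END <PATTERN>-----" lines.
pem_ok() {
    f=$1; p=$2
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    grep -q -- "^-----BEGIN $p-----" "$f" || { echo "no BEGIN marker in $f" >&2; return 1; }
    grep -q -- "^-----END $p-----" "$f" || { echo "no END marker in $f" >&2; return 1; }
}

# build_ovpn REMOTE_IPV6 CA CERT KEY OUT: write the finished profile to OUT.
# Nothing is written if any input fails validation.
build_ovpn() {
    remote=$1; ca=$2; cert=$3; key=$4; out=$5
    pem_ok "$ca" CERTIFICATE || return 1
    pem_ok "$cert" CERTIFICATE || return 1
    pem_ok "$key" '.*PRIVATE KEY' || return 1   # PKCS#8 or legacy RSA/EC header
    # The profile embeds a private key, so create it owner-readable only.
    (
        umask 077
        {
            cat <<EOF
client
dev tun
proto udp6
remote $remote 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
verb 3
EOF
            printf '<ca>\n';   cat "$ca";   printf '</ca>\n'
            printf '<cert>\n'; cat "$cert"; printf '</cert>\n'
            printf '<key>\n';  cat "$key";  printf '</key>\n'
        } > "$out"
    )
}

# Usage on the server after Step 3 (paths from the article, address assumed):
# build_ovpn 2001:db8::1 pki/ca.crt pki/issued/client1.crt pki/private/client1.key client1.ovpn
```

Copy the resulting file to the client over SSH/SCP, then delete it from the server; it contains the client's private key.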
Import this .ovpn file into your OpenVPN client software (like Tunnelblick for macOS or the official OpenVPN Connect client for Windows/Linux) and connect. If everything is configured correctly, you will have a secure, encrypted connection, and your public IP address will appear as your server’s IPv6 address.
Source: https://www.lisenet.com/2025/ipv6-openvpn-server-setup-on-aws-ec2-using-rocky-linux/