Getting the following error tried with nano and small instance types as well

➜  autovpn git:(master) ./autovpn -C -r us-east-1 -k us-east-1_vpnkey.pem
Creating ec2 instance in us-east-1. This can take some time...
Traceback (most recent call last):
  File "./scripts/create_ec2.py", line 69, in <module>
    auto_vpn()
  File "./scripts/create_ec2.py", line 54, in auto_vpn
    user_data=user_data)
  File "/usr/local/lib/python2.7/site-packages/boto/ec2/connection.py", line 977, in run_instances
    verb='POST')
  File "/usr/local/lib/python2.7/site-packages/boto/connection.py", line 1208, in get_object
    raise self.ResponseError(response.status, response.reason, body)
boto.exception.EC2ResponseError: EC2ResponseError: 400 Bad Request
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>VPCResourceNotSpecified</Code><Message>The specified instance type can only be used in a VPC. A subnet ID or network interface ID is required to carry out the request.</Message></Error></Errors><RequestID>112fa4aa-383c-4511-8120-6117b6574974</RequestID></Response>
Error code 4

Thanks for a great repo, I'm trying to get this to work but can't find a way to boot a t2.micro instance since it says that it has to be inside a VPC? How can we specify a VPC id?

autovpn_1  | Creating ec2 instance in us-east-1. This can take some time...
autovpn_1  | Traceback (most recent call last):
autovpn_1  |   File "./scripts/create_ec2.py", line 69, in <module>
autovpn_1  |     auto_vpn()
autovpn_1  |   File "./scripts/create_ec2.py", line 54, in auto_vpn
autovpn_1  |     user_data=user_data)
autovpn_1  |   File "/usr/local/lib/python3.6/site-packages/boto/ec2/connection.py", line 977, in run_instances
autovpn_1  |     verb='POST')
autovpn_1  |   File "/usr/local/lib/python3.6/site-packages/boto/connection.py", line 1208, in get_object
autovpn_1  |     raise self.ResponseError(response.status, response.reason, body)
autovpn_1  | boto.exception.EC2ResponseError: EC2ResponseError: 400 Bad Request
autovpn_1  | <?xml version="1.0" encoding="UTF-8"?>
autovpn_1  | <Response><Errors><Error><Code>VPCResourceNotSpecified</Code><Message>The specified instance type can only be used in a VPC. A subnet ID or network interface ID is required to carry out the request.</Message></Error></Errors><RequestID>3e3576b0-8b22-4239-9e4a-27b2bd11e15d</RequestID></Response>
autovpn_1  | Error code 4

So, I am getting bail 4 error and upon further investigation, it seems that the ip_address being returned is None. Any help?

[feature request]
Add support for AWS LightSail (less-expensive alternative to EC2).

Hi there,

when i am running ./autovpn -C -r us-east-1 -k macbook I am getting the following error:

Creating ec2 instance in us-east-1. This can take some time...
Traceback (most recent call last):
  File "create_ec2.py", line 66, in <module>
    auto_vpn()
  File "create_ec2.py", line 51, in auto_vpn
    user_data=user_data)
  File "/usr/local/lib/python2.7/site-packages/boto/ec2/connection.py", line 977, in run_instances
    verb='POST')
  File "/usr/local/lib/python2.7/site-packages/boto/connection.py", line 1208, in get_object
    raise self.ResponseError(response.status, response.reason, body)
boto.exception.EC2ResponseError: EC2ResponseError: 400 Bad Request
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>VPCResourceNotSpecified</Code><Message>The specified instance type can only be used in a VPC. A subnet ID or network interface ID is required to carry out the request.</Message></Error></Errors><RequestID>b864dabb-12b9-421a-8485-b675359b71dd</RequestID></Response>
Error code 4

Help is much appreciated
Thank you!
Ben

I successfully started an instance with autovpn -C -r us-east-1 -k private_key 2>&1 | tee autovpn.txt. I then ran sudo openvpn2 us-east-1_aws_vpn.ovpn 2>&1 | tee openvpn.txt. Chrome reports an error.

I have attached both logs.

autovpn.txt
openvpn.txt

Let me know if you need anything else, or if I've done something stupid. And here is the .ovpn file.

us-east-1_aws_vpn.txt

Python 2 is end of life at the first of the year.

How hard would it be to add the ability to deploy this into an existing VPC?

Funny thing, I deleted my default VPC. How do we set the VPC we want to use?

Hi,

Great script, helps tons !
We tried to use the same config file that was generated on multiple clients but each time it disconnects the other one.

It seems only one user would be allowed at the same time.
Do you know of a way to generate multiple client keys for the OpenVPN Server (one per client) ?
Can you think of a better way ? Maybe username/password for each client ?

Thanks

I tried to follow the step-by-step but couldn't generate a keypair because something was broken in the authentication step.

Googling revealed that most ~/.aws/credentials files have a header of [default], and when I changed my credentials file to use that section header the -G flag worked.

I recommend updating docs in Dependencies, step 3 to reflect this.

(on MacOS Sierra latest)

Running

./autovpn -G -r us-east-1

I get the following error

Generating new keypair for us-east-1.
Traceback (most recent call last):
  File "./scripts/keygen.py", line 36, in <module>
    generate_key()
  File "./scripts/keygen.py", line 20, in generate_key
    key = ec2.get_all_key_pairs(keynames=[key_name])[0]
  File "/usr/local/lib/python2.7/dist-packages/boto/ec2/connection.py", line 2836, in get_all_key_pairs
    [('item', KeyPair)], verb='POST')
  File "/usr/local/lib/python2.7/dist-packages/boto/connection.py", line 1186, in get_list
    raise self.ResponseError(response.status, response.reason, body)
boto.exception.EC2ResponseError: EC2ResponseError: 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>UnauthorizedOperation</Code><Message>You are not authorized to perform this operation.</Message></Error></Errors><RequestID>1774ef84-4d05-4f66-8774-737b5db4202b</RequestID></Response>
Key already exists in AWS

Ok, the key already exists. However, the next step

./autovpn -C -r us-east-1 -k us-east-1_vpnkey

also results in an error

Traceback (most recent call last):
  File "./scripts/create_ec2.py", line 69, in <module>
    auto_vpn()
  File "./scripts/create_ec2.py", line 30, in auto_vpn
    group = ec2.get_all_security_groups(groupnames=[group_name])[0]
  File "/usr/local/lib/python2.7/dist-packages/boto/ec2/connection.py", line 2984, in get_all_security_groups
    [('item', SecurityGroup)], verb='POST')
  File "/usr/local/lib/python2.7/dist-packages/boto/connection.py", line 1186, in get_list
    raise self.ResponseError(response.status, response.reason, body)
boto.exception.EC2ResponseError: EC2ResponseError: 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>UnauthorizedOperation</Code><Message>You are not authorized to perform this operation.</Message></Error></Errors><RequestID>5fcb205d-a147-45ea-91f1-05c5a7515af4</RequestID></Response>
Error code 4

Any idea what operation is not authorized and how I give myself permissions? I checked the username in IAM associated with my secret key and it has AdministratorAccess permissions. I also verified my aws_access_key_id.

autovpn -S -r us-east-1

reports

No instances running in us-east-1

I deleted the keypair using

autovpn -C -r us-east-1 -D us-east-1_vpnkey

but I still get an EC2ResponseError: 403 Forbidden message.

I also used the IAM Policy Simulator to check the create/delete key policy, and it reports allowed.

Hi,

I may fork your script as it's very close to my need.
I would suggest an option to set an elastic-ip to the started ec2 instance : useful in case you have some IP-based security.

(give the eip-alloc id as option argument is probably what I'll try)

feel free to close, it's just a suggestion.

i got the some errors,

Generating new keypair for eu-central-1.
Traceback (most recent call last):
  File "./scripts/keygen.py", line 11, in <module>
    conn_region = boto.ec2.connect_to_region(region)
  File "/usr/local/lib/python2.7/site-packages/boto-2.45.0-py2.7.egg/boto/ec2/__init__.py", line 66, in connect_to_region
    return region.connect(**kw_params)
  File "/usr/local/lib/python2.7/site-packages/boto-2.45.0-py2.7.egg/boto/regioninfo.py", line 187, in connect
    return self.connection_cls(region=self, **kw_params)
  File "/usr/local/lib/python2.7/site-packages/boto-2.45.0-py2.7.egg/boto/ec2/connection.py", line 103, in __init__
    profile_name=profile_name)
  File "/usr/local/lib/python2.7/site-packages/boto-2.45.0-py2.7.egg/boto/connection.py", line 1100, in __init__
    provider=provider)
  File "/usr/local/lib/python2.7/site-packages/boto-2.45.0-py2.7.egg/boto/connection.py", line 569, in __init__
    host, config, self.provider, self._required_auth_capability())
  File "/usr/local/lib/python2.7/site-packages/boto-2.45.0-py2.7.egg/boto/auth.py", line 997, in get_auth_handler
    'Check your credentials' % (len(names), str(names)))
boto.exception.NoAuthHandlerFound: No handler was ready to authenticate. 1 handlers were checked. ['HmacAuthV4Handler'] Check your credentials
Key already exists in AWS

what could it be meaning ?

On Ubuntu 16.10, i have a error. Permission problems on know_hosts ?
Thanks for your help

Instance has been created XX.XXX.XXX.XXX
Giving new instance some time to fully boot up...
XX.XXX.XXX.XXX is still booting...
XX.XXX.XXX.XXX is still booting...
Setting up VPN on XX.XXX.XXX.XXX
Warning: Permanently added 'XX.XXX.XXX.XXX' (ECDSA) to the list of known hosts.
Permission denied (publickey).
lost connection
Error code 5

Since the EC2 instance is solely for openvpn (at least for some of the users), it would make sense to use a port with QoS, for example 443.

It would be great to make 443 the default port, or add the option to specify the port wanted.

Gets this far:

Giving new instance some time to fully boot up...
xx.xx.xx.xx is still booting...
Setting up VPN on xx.xx.xx.xx
Warning: Permanently added 'xx.xx.xx.xx' (ECDSA) to the list of known hosts.
Permission denied (publickey).
lost connection
Error code 5

Not sure what the debug procedure would be here. Likely PEBCAK, but I'm stuck.

I am trying to test the -p flag for custom port. I want to start from scratch and have deleted keys but everytime I am trying to create a new key in different region aws I am getting the message "key already exists in aws"

I think the reason is
boto.exception.EC2ResponseError: EC2ResponseError: 401 Unauthorized
what did I miss ?

Set the -p flag on port 443 and created two vpn in two different regions successfully.
In both region I had issue connection to the VPN. The connection was not successful probably due to some DNS issue; time out on the connection which is very symptomatic of bad DNS. The connection to the VPN was always successful. I do not have that issue with standard port.
Anyone else had the issue ?

Hi,

Thanks again for this excellent script. I'm using it with AWS and it works perfectly.
Do you know of a similar existing project for deployment on Microsoft Azure.

Do you think it would take a lot of work to adapt it to work with Azure ?

Thanks !

Hi,

Just wonder what I should do for enabling dual ways connections? Have done:

1. [AWS] Disable source / destination check on EC2 instance <script launched instance> > Actions > Networking > Change Source/Destination check
2. [AWS] VPC > Route Tables > > Routes > Edit > <given on-premise subnet CIDR block for Destination, and select the script launched instance as Target> > Save. [On-premise] Router (home router) does similar things on LAN, but change destination subnet to AWS VPC CIDR block (e.g. 172.31.0.0/16) Current result: On-premise could ping instances on AWS VPC instances, but AWS VPC instances can't ping those VMs on on-premise. For example, my on-premise VM IP address is 10.10.11.5, and AWS VPC instance private ip (not script launched instance) is 172.31.19.33, 172.31.21.175, etc. 10.10.11.5 -> 172.31.19.33 / 172.31.21.175 OK, but 172.31.19.33 / 172.31.21.175 -> 10.10.11.5 failed.

Hi, I can't seem to get this working

*Installed paramiko
*Installed boto
*Installed openvpn client
*Installed python-pip

mkvirtualenv -p python2 env/
source env/bin/activate
Spits back command not found and bash: env/bin/activate: No such file or directory

I tried ./autovpn -G -r us-east-1 & ./autovpn -G -r us-west-1 with error:

Generating new keypair for us-east-1.
Traceback (most recent call last):
File "./scripts/keygen.py", line 3, in
import boto
ImportError: No module named boto
Key already exists in AWS

I type ./autovpn -C -r us-east-1 -k us-east-1_vpnkey, man page comes up, nothing else. No matter what I try.

Edit**

New error

Generating new keypair for us-east-1.
Traceback (most recent call last):
File "./scripts/keygen.py", line 11, in
conn_region = boto.ec2.connect_to_region(region)
File "/home/ubuntu/.local/lib/python2.7/site-packages/boto/ec2/init.py", line 66, in connect_to_region
connection_cls=EC2Connection, **kw_params)
File "/home/ubuntu/.local/lib/python2.7/site-packages/boto/regioninfo.py", line 220, in connect
return region.connect(**kw_params)
File "/home/ubuntu/.local/lib/python2.7/site-packages/boto/regioninfo.py", line 290, in connect
return self.connection_cls(region=self, **kw_params)
File "/home/ubuntu/.local/lib/python2.7/site-packages/boto/ec2/connection.py", line 103, in init
profile_name=profile_name)
File "/home/ubuntu/.local/lib/python2.7/site-packages/boto/connection.py", line 1100, in init
provider=provider)
File "/home/ubuntu/.local/lib/python2.7/site-packages/boto/connection.py", line 569, in init
host, config, self.provider, self._required_auth_capability())
File "/home/ubuntu/.local/lib/python2.7/site-packages/boto/auth.py", line 1021, in get_auth_handler
'Check your credentials' % (len(names), str(names)))
boto.exception.NoAuthHandlerFound: No handler was ready to authenticate. 1 handlers were checked. ['HmacAuthV4Handler'] Check your credentials
Key already exists in AWS

Hey there. I've got to step 3 of the installation instructions and I'm receiving the following error.

./autovpn -C -r us-west-2 -k us-west-2-vpnkey
Creating ec2 instance in us-west-2. This can take some time...
File "./scripts/create_ec2.py", line 31
except ec2.ResponseError, e:
^
SyntaxError: invalid syntax
Error code 4

I also tried generating a new keypair and I get the following :

./autovpn -G -r us-west-1
Generating new keypair for us-west-1.
File "./scripts/keygen.py", line 22
except ec2.ResponseError, e:
^
SyntaxError: invalid syntax
Key already exists in AWS

I'm wondering if I'm doing something wrong or if I've missed something. Any help would be appreciated. Thanks.

Hi, I keep getting this error

$ ./autovpn -G -r ap-southeast-2
Generating new keypair for ap-southeast-2.
ap-southeast-2_vpnkey has been created
Use ap-southeast-2_vpnkey as keyname to create endpoint.

$ ./autovpn -C -r ap-southeast-2 -k ap-southeast-2_vpnkey.pem
Creating ec2 instance in ap-southeast-2. This can take some time...
Traceback (most recent call last):
  File "./scripts/create_ec2.py", line 66, in <module>
    auto_vpn()
  File "./scripts/create_ec2.py", line 51, in auto_vpn
    user_data=user_data)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/boto/ec2/connection.py", line 977, in run_instances
    verb='POST')
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/boto/connection.py", line 1208, in get_object
    raise self.ResponseError(response.status, response.reason, body)
boto.exception.EC2ResponseError: EC2ResponseError: 400 Bad Request
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>InvalidKeyPair.NotFound</Code><Message>The key pair 'ap-southeast-2_vpnkey.pem' does not exist</Message></Error></Errors><RequestID>af50df26-113d-40c8-921b-7a51c54feae6</RequestID></Response>
Error code 4
DESCRIPTION:
         autovpn - AWS OpenVPN Deployment Tool.
	 Project found at https://github.com/ttlequals0/autovpn
USAGE:
  ACTION	 [OPTIONS]
  -C	 Create VPN endpoint.
  -D	 Delete keypair from region.
  -G	 Generate new keypair.
  -S	 Get all running instances in a given region.
  -T	 Terminate a OpenVPN endpoint.
  -a	 Specify a custom ami.*
  -h	 Displays this message.
  -i	 AWS Instance type (Optional, Default is t2.micro)
	 t2.nano t2.micro t2.small t2.medium t2.large **
  -k	 Specify the name of AWS keypair.
  -m	 Allow multiple connections to same endpoint.
  -r	 Specify AWS Region.
	 us-east-1 us-east-2 us-west-1 us-west-2 eu-west-1 eu-west-2
	 eu-central-1 ap-southeast-1 ap-northeast-1 ap-northeast-2
	 sa-east-1 ap-southeast-2 ap-south-1 ca-central-1.
  -u	 Specify custom ssh user.***
  -y	 Skip confirmations
  -z	 Specify instance id.
EXAMPLES:
  Create OpenVPN endpoint:
	autovpn -C -r us-east-1 -k macbook
  Generate keypar in a region.
	autovpn -G -r us-east-1
  Get running instances
	autovpn -S -r us-west-1
  Terminate OpenVPN endpoint
	autovpn -T -r us-west-1 -z i-b933e00c
  Using custom options
  	autovpn -C -r us-east-1 -k macbook -a ami-fce3c696 -u ec2_user -i m3.medium
NOTES:
 * - Customs ami may be needed if changing instance type.
 ** - In reality any  instance size can be given but the t2.micro
 is more than enough.
 *** - Custom user might be need if using a custom ami.

I dont understand why it keep saying key-pair not exist. any idea guys?

there is no options for DigitalOcean ?

Currently this project works well. However you generate VPN keys and don't provide even rudimentary documentary on how to apply these settings on any OS.

First off, thank you for this and very sweat program.
I have created as a test one instance in eu-central. I terminated the instance in AWS. Tried to create a fresh key in same region but autovpn tells me the key already exist.
I have deleted the key for instance eu-central-1 which I had forgotten.
I got confused as far as the result of # ./autovpn -S -r eu-central-1. It says the instance is running which is the case but thought it still believed the OpenVPN was still running on the instance. In fact, I am getting the message "Instances running in eu-central-1" because there is indeed another instance not related to autovpn running.
Is there a possibility to clarify the statement that we know the message is not referring to autovpn instance ?

With ASG you can make sure that the instance is automatically replaced if it crashes or taken down by AWS.
With Elastic IP you can make sure that the address doesn't change when this happens.

After starting an instance, running openvpn, and terminating it, the command autovpn -T -r us-east-1 does not stop the instance.

I also tried autovpn -T -r us-east-1 -i instance_id. The instance_id can be obtained from the EC2 console or via aws ec2 describe-instances.

Getting the following error when trying to create an endpoint in eu-west-2 region.

Creating ec2 instance in eu-west-2. This can take some time...
Traceback (most recent call last):
  File "./scripts/create_ec2.py", line 66, in <module>
    auto_vpn()
  File "./scripts/create_ec2.py", line 31, in auto_vpn
    except ec2.ResponseError, e:
AttributeError: 'NoneType' object has no attribute 'ResponseError'
Error code 4

The VPN script works really well, however, just curious as to why when I create a new node without a public IP address, I am able to SSH into the machine but the machine can't connect to the internet. Any thoughts?

can't proceed further. I am getting error code 5 with no details

Any idea ?

first thanks for this tool.. I've used it countless times.. it works like a charm.. I have a customer who has a default vpc which contains the ec2 instance that runs this vpn.. and it also has a peered vpc which i can connect to if i ssh to the vpn ec2 instance.. however if i just connect to the vpn I can't ssh to the instances in the vpc that is peered to the one that the vpn ec2 is in.. sorry for being a noob.. <3