When we use AWS we often use RDS, and for security reasons it is better not to expose it to the public internet.

RDS settings

What if we want to access it from a MySQL client? That is why we need a VPN.

1. Create an EC2 instance

After you have created an EC2 instance (I chose Ubuntu 18.04), create an Elastic IP and associate it with this instance.

This is because we don't want to risk the IP changing when the instance is restarted.

AWS Elastic IP

2. Follow this post.

ubuntu@ip-172-xxx-xxx-xxx:~$ sudo bash openvpn-install.sh

Welcome to this OpenVPN "road warrior" installer!

I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.

First, provide the IPv4 address of the network interface you want OpenVPN
listening to.
IP address: 172.xxx.xxx.xxx

This server is behind NAT. What is the public IPv4 address or hostname?
Public IP address / hostname: 54.yyy.yyy.yyy

Which protocol do you want for OpenVPN connections?
1) UDP (recommended)
2) TCP
Protocol [1-2]: 1

What port do you want OpenVPN listening to?
Port: 1194

Which DNS do you want to use with the VPN?
1) Current system resolvers
2) 1.1.1.1
3) Google
4) OpenDNS
5) Verisign
DNS [1-5]: 1

Finally, tell me your name for the client certificate.
Please, use one word only, no special characters.
Client name: js

Okay, that was all I needed. We are ready to set up your OpenVPN server now.
Press any key to continue...

The first time the installer asks for an address, enter the private IP (it should be auto-populated); the second time, enter the Elastic IP.

At this point you still won't be able to connect to the VPN.

3. Create a security group

Because the security group of the new instance doesn't open these ports by default, let's create one now.
In the inbound tab:

| Type            | Protocol | Port Range | Source    | Description |
|-----------------|----------|------------|-----------|-------------|
| Custom UDP Rule | UDP      | 1194       | 0.0.0.0/0 |             |
| SSH             | TCP      | 22         | 0.0.0.0/0 |             |
| Custom TCP Rule | TCP      | 943        | 0.0.0.0/0 |             |
| HTTPS           | TCP      | 443        | 0.0.0.0/0 |             |

Then go back to the instances menu, select the OpenVPN instance, and associate the VPN security group with it.

EC2 change security group

4. Update RDS security group

In the inbound tab:

| Type         | Protocol | Port Range | Source              | Description |
|--------------|----------|------------|---------------------|-------------|
| MYSQL/Aurora | TCP      | 3306       | 172.xxx.xxx.0/24    | Web App     |
| MYSQL/Aurora | TCP      | 3306       | 172.xxx.xxx.xxx/32  | OpenVPN     |

After this, you should be able to connect your local machine to the VPN and connect your MySQL client to RDS.
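As an added example (not code from the original post), here are the rules from steps 3 and 4 in the IpPermissions shape that boto3's ec2.authorize_security_group_ingress accepts, beside a tightened VPN group, plus a small audit that flags anything world-reachable other than the VPN port and any 3306 source outside the VPC. The VPC range, subnet, instance IP and admin IP are constructed placeholders.

```python
from ipaddress import ip_network

# Constructed placeholders (none are from the original post): substitute your real
# VPC CIDR, the VPN instance's private IP, the web-app subnet and your admin IP.
VPC_CIDR = ip_network("172.31.0.0/16")
VPN_INSTANCE_PRIVATE_IP = "172.31.10.20"
WEB_APP_SUBNET = "172.31.20.0/24"
ADMIN_IP = "198.51.100.7"

def rule(proto, port, cidr, desc):
    """One single-port IPv4 ingress rule in the IpPermissions shape that
    ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=[...]) takes."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr, "Description": desc}]}

# Step 3 as written in the post: every port is reachable from anywhere.
POST_VPN_SG = [
    rule("udp", 1194, "0.0.0.0/0", "OpenVPN"),
    rule("tcp", 22, "0.0.0.0/0", "SSH"),
    rule("tcp", 943, "0.0.0.0/0", "OpenVPN Access Server admin UI"),
    rule("tcp", 443, "0.0.0.0/0", "OpenVPN Access Server TCP fallback"),
]

# Tightened version: only the VPN port must be public, SSH is limited to the admin
# address, and 943/443 are dropped because the road-warrior installer above only
# listens on the port chosen during setup (1194/udp here).
HARDENED_VPN_SG = [
    rule("udp", 1194, "0.0.0.0/0", "OpenVPN"),
    rule("tcp", 22, f"{ADMIN_IP}/32", "SSH from admin only"),
]

# Step 4: RDS accepts 3306 only from the web-app subnet and the VPN instance itself.
RDS_SG = [
    rule("tcp", 3306, WEB_APP_SUBNET, "Web App"),
    rule("tcp", 3306, f"{VPN_INSTANCE_PRIVATE_IP}/32", "OpenVPN"),
]

def audit(rules, public_ok=frozenset()):
    """Return findings for ports open to 0.0.0.0/0 that are not in public_ok, and
    for any 3306 rule whose source lies outside the VPC (the DB must stay private)."""
    findings = []
    for r in rules:
        port, proto = r["FromPort"], r["IpProtocol"]
        for src in (ip_network(ipr["CidrIp"]) for ipr in r["IpRanges"]):
            if src.prefixlen == 0 and (proto, port) not in public_ok:
                findings.append(f"{proto}/{port} open to the world")
            if port == 3306 and not src.subnet_of(VPC_CIDR):
                findings.append(f"tcp/3306 reachable from {src}, outside {VPC_CIDR}")
    return findings
```

Run audit(POST_VPN_SG, {("udp", 1194)}) to see the three world-open ports the post's group leaves, and the same call on HARDENED_VPN_SG and RDS_SG to confirm they come back clean.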
