How to make your own free VPN using Amazon Web services
There are many VPN services available, but it can be difficult to find the right option for your needs. In most cases, you need to pay a subscription fee and some services don’t offer the level of security and speed that you would expect from them. There is an alternative available and while it is very convenient and free, it requires some technical skills. In this article, we will discuss how you can set up a VPN using Amazon Web Services.
How to start
You can take advantage of Amazon Web Services’ free tier. It gives you one year of free virtual server space, as long as you don’t go beyond the limits established for bandwidth, storage and time. The benefit of this alternative is that even if you end up using more than the pre-determined limits, you would probably pay less for running a server image on Amazon’s Elastic Compute Cloud than you would pay for a subscription to a VPN service. We’ll go through two ways in which you can use Amazon EC2 (Amazon’s Elastic Compute Cloud service) to redirect your connection through the location you select. These two options are SSH tunneling and OpenVPN, and each has specific advantages and downsides. You can choose the one that better suits your requirements. Regardless of the solution you opt for, you will need the following:
- An Amazon Web services account. A credit card is required for this, but you will only be charged if you use more than the free allowance.
- If you are a Windows user, you will need PuTTy and PuTTygen. Another option is OpenSSH via Cygwin, although it is not as convenient as PuTTy. If you use Mac or Linux, this won’t be necessary, since those platforms already have an SSH client built into their terminal.
- WinSCP, or a similar SCP/SFTP client, is also required in order to move files between your local computer and your EC2 instance.
- Basic knowledge of Unix commands and how servers work with clients would be very useful as it will allow you to sort any issue that may arise.
Steps
- The first thing you need to do is log into your Amazon Web Services account and then go to the EC2 dashboard.
- On the top right, select the region where the VPN will be set up, then click Launch Instance.
- Select any Linux AMI that is listed as “free tier eligible”. Currently, this is the Amazon Linux AMI. Move on to the next step
- Now you will need to select a t2.micro instance that is also free tier eligible. Select “Review and Launch”.
- On the next page, you will see a warning message asking you to edit your security groups. Click on the Edit Security Groups option.
- Now you will need to edit the security group so that only the traffic you intend can reach the VPN or proxy. There should already be one rule in place that allows SSH connections to your server; this will be used at a later stage. For now, we need to add another rule to allow OpenVPN connections, which use port 1194 by default. Under the Inbound tab, select the Add rule button, set the Type to Custom UDP, set the Port Range to 1194 and set the Source to Anywhere (if your own public IP address doesn’t change, choosing My IP instead limits who can reach the port at all). Press “Save”.
- Click “Review and Launch” and then “Launch” on the next page. At this point, you will be asked to create a key pair. This works in a similar way to a password and will be used to connect to the virtual server that is being created. Select “Create a new key pair” from the dropdown menu and give it the name you prefer. Click the button to download the key pair and keep it in a safe location.
- The next page should let you know that the instance is being launched. Go to the bottom and select “View instances”. You will see a list of any instances that you have launched. If it is the first time you are using EC2, you will only see one instance.
SSH Tunneling
- To start, the idea is to reroute your web traffic through the instance that was created, using an SSH tunnel as a SOCKS proxy. This is a simple way to bypass geographical restrictions or a firewall. Although this method doesn’t offer the security and versatility of a VPN, it is easier to set up. We will go through the steps required to interact with your instance from Windows. As previously mentioned, PuTTy and PuTTygen are required on this operating system.
- Both PuTTy and PuTTygen run as .exe files without requiring installation. Once you open PuTTygen, click Load, go to the .pem key pair file that was previously downloaded and load it. You will need to select the option to display all file types for the .pem key to appear. Press “Save Private Key” and give the file the same name as the .pem key. You can set a passphrase on the private key if you prefer.
- The next step is to close PuTTygen and open PuTTy. Copy your instance’s public IP from the EC2 console into PuTTy’s Host Name field. Enter a name for your session and press Save.
- In the left pane, go to Auth under SSH. Click the Browse button and select the private key (.ppk) that you previously created.
- In the left pane, go to Tunnels. Enter 8080 as the Source port, select Dynamic and Auto, and click Add. Now return to the Session page and press Save again, so that you won’t have to go through the full process next time.
- Click Open. You will see a prompt requesting a username. This varies according to the type of server that you set up at the start. In the case of Amazon Linux AMI, it is “ec2-user”.
- Once you are connected to the server, you will need to route your web browser’s traffic through it. Firefox users can do this in their browser settings. Chrome users will need to install the Proxy Switchy extension. If you would rather have a fully functioning VPN instead of just a proxy for your browser, skip ahead to the OpenVPN section.
Firefox
- Go to Tools, then Options. Select Advanced, followed by Network and then Connection, Settings and Manual proxy configuration.
- Set the SOCKS Host to 127.0.0.1 and the port to 8080, or to whatever port you set for the tunnel in PuTTy. Click OK to save.
Chrome Proxy Switchy
- Right after installing the extension, you will see a setup page. Alternatively, you can click the icon in the top right of Chrome and select Options. You can select any name you want for the profile.
- Set the SOCKS host to 127.0.0.1 and the port to 8080, under Manual Configuration. Everything else can be left blank. Press Save and then click the icon again so that you can select your proxy profile.
That is it: your browser traffic is now being directed through your EC2 instance. This works well for general browsing, although some websites and apps may not behave correctly, and other applications, as well as some browser features, may still use your direct connection. In order to create a fully functional VPN that redirects all your online traffic, you need to follow the additional instructions below.
How to install OpenVPN on the server
OpenVPN is a free open source solution that will allow you to run a fully functional VPN through your Amazon EC2 instance. All your online traffic will be routed through the VPN and streaming applications, as well as games work better with this setup.
To begin, connect to your EC2 instance using PuTTy as explained before. You should see a command prompt that says Amazon Linux AMI. You can type, or copy and paste, the commands below to run them.
sudo yum install -y openvpn
sudo modprobe iptable_nat
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A POSTROUTING -s 10.4.0.0/24 -o eth0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
If yum doesn’t work, you can try sudo apt-get install -y openvpn instead. A lot of text will flash across the command prompt as OpenVPN is installed. The remaining commands load the NAT module, enable IP forwarding and add the masquerade rules that the VPN needs in order to route your traffic out to the internet.
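As an added example (not from the original article), the following shell script performs the forwarding and NAT steps from the commands above in a form that survives a reboot and can be re-run without adding duplicate rules, and it rejects a subnet that is not a proper network address first. The file name /etc/sysctl.d/99-openvpn.conf and the script’s "apply" argument are my own choices.

```shell
#!/bin/sh
# Added example, not from the original article: applies the forwarding and NAT
# steps above so they survive a reboot and can be re-run safely, and refuses a
# malformed subnet (the MASQUERADE rule wants a network address such as 10.8.0.0/24).
set -eu

# Succeed only if $1 is a.b.c.d/n with a valid prefix length and all host bits zero.
cidr_is_network() {
    ip=${1%/*}; plen=${1#*/}
    [ "$ip" != "$1" ] || return 1                         # no "/" at all
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    IFS=. read -r a b c d <<EOF
$ip
EOF
    for o in "${a:-x}" "${b:-x}" "${c:-x}" "${d:-x}"; do
        case $o in *[!0-9]*|0?*) return 1 ;; esac        # non-digits or leading zero
        [ "$o" -le 255 ] || return 1
    done
    addr=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    [ $(( addr & ((1 << (32 - plen)) - 1) )) -eq 0 ]
}

# Turn on IP forwarding now and persist it, so routing still works after a reboot.
enable_forwarding() {
    sudo modprobe iptable_nat
    echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward >/dev/null
    echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/99-openvpn.conf >/dev/null
}

# Add the MASQUERADE rule for subnet $1 leaving via interface $2 unless it already
# exists (iptables -C checks for it), so re-running adds no duplicate rules.
# The rules themselves still need saving with your distribution's iptables-save mechanism.
add_masquerade() {
    cidr_is_network "$1" || { echo "refusing '$1': not a network address" >&2; return 1; }
    sudo iptables -t nat -C POSTROUTING -s "$1" -o "$2" -j MASQUERADE 2>/dev/null ||
        sudo iptables -t nat -A POSTROUTING -s "$1" -o "$2" -j MASQUERADE
}

if [ "${1:-}" = "apply" ]; then            # run as: sh forward.sh apply
    enable_forwarding
    add_masquerade 10.8.0.0/24 eth0        # subnet used by Method 1 (server 10.8.0.0 ...)
    add_masquerade 10.4.0.0/24 eth0        # subnet used by Method 2 (ifconfig 10.4.0.1 10.4.0.2)
    sudo iptables -t nat -S POSTROUTING    # show the resulting rules
fi
```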
Method 1
The first option, and the one that works better in most cases, is setting up PKI authentication with easy-rsa. Although you can set up OpenVPN with static encryption and a .ovpn file, this only allows you to connect one device at a time and, since only one key is used, the security is not as strong. This is why it is advisable to use easy-rsa to set up authentication instead. This is far more secure and supports multiple devices at the same time. Since easy-rsa is not available in the default yum package list, it is necessary to enable the EPEL repo to install it. Enter the following into the PuTTY terminal and press Enter after each command.
sudo yum install easy-rsa -y --enablerepo=epel
sudo cp -via /usr/share/easy-rsa/2.0 CA
The second command copies the easy-rsa 2.0 working files into a directory named CA, created in your current directory; the rest of this guide refers to that copy as /usr/share/easy-rsa/2.0/CA, so substitute the path of your copy if it lives elsewhere.
Next, we need to be root user. In order to access root in the Amazon Linux AMI, you can use the below command:
sudo su
Keep in mind that the user is now “root” rather than “ec2-user”. In order to use easy-rsa to create certificates and keys, enter each of the following commands one after the other. You will be asked to fill in details such as organisation and location, but these can be left at their defaults by pressing Enter. When you are setting up the server key, it is advisable not to set a password on it, so that OpenVPN can start up unattended. You can set a password on the client key, which will force users to enter a password before establishing a connection.
cd /usr/share/easy-rsa/2.0/CA
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh 2048
This is all that you need to do in order to get the OpenVPN server up and running, although every client will require its own login details. You can run the below command for each client that you want to connect.
./build-key client
In the instructions presented here, only one client will be set up. Once you have all the RSA keys and certificates needed, you need to generate a TLS key that can be used for Perfect Forward Secrecy. If a key is compromised, it is not possible to use it to decrypt past sessions.
cd /usr/share/easy-rsa/2.0/CA/keys
openvpn --genkey --secret pfs.key
Once all of the files are ready, it is necessary to move them into the OpenVPN directory. The first thing is to create a keys directory, then you can copy all of the keys and certificates into it.
mkdir /etc/openvpn/keys
for file in server.crt server.key ca.crt dh2048.pem pfs.key; do cp $file /etc/openvpn/keys/; done
The next step is to create a server configuration file that combines all the elements. Go to the OpenVPN directory and create a new file:
cd /etc/openvpn
nano server.conf
Now you are in the nano text editor. You can copy and paste the following config, then press CTRL+O to save. Press enter to confirm and CTRL+X to exit. It is possible to paste text from your clipboard into PuTTy just by right-clicking.
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem
cipher AES-256-CBC
auth SHA512
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
tls-server
tls-auth /etc/openvpn/keys/pfs.key
With this, the server is configured. All you need to do is start up OpenVPN. If you start it as a service, it will keep running after you close PuTTy, until the server is shut down or you stop it.
sudo service openvpn start
After configuring the server, it is necessary to set up the client. In order to do this, you will need to move the certificate and the key files required from the server to your client device. Keep PuTTy open and running as root and then change the permission on these files so that they can be accessed.
cd /usr/share/easy-rsa/2.0/CA
chmod 777 keys
cd keys
for file in client.crt client.key ca.crt dh2048.pem pfs.key ca.key; do sudo chmod 777 $file; done
In order to get the files off your server and onto your computer, a free program called WinSCP can be used. After installing it with the default options, a window will pop up asking you to import your server authentication details from PuTTy. Select the session created above and move forward.
Select myvpn (or the name you assigned to yours) and press the Edit button. Type in ec2-user under user name and click on Login.
If this is not the first time you use WinSCP, you can point it at the .ppk file that was used in PuTTy by clicking Edit and then Advanced. Go to SSH > Authentication, then Private key file, and browse to your PPK file. In the Host name field on the main page, enter the IP address or the domain name of your EC2 instance. Just make sure that the settings are saved.
In the right pane, go to the directory that contains your key files, which is /usr/share/easy-rsa/2.0/CA/keys in this case.
Highlight the five files that you will need on the client: client.crt, client.key, ca.crt, dh2048.pem and pfs.key. Press the green Download button. The location in the left pane is not so important; the main thing is that you don’t need admin privileges to access it. You can put the files on the desktop to keep things simple.
Finally, it is important to remove the ca.key file from the server. The CA, or certificate authority, is used to sign client certificates, and if it is compromised you will never be able to trust certificates issued by that CA again. Although removing ca.key is not required for the VPN to work, it is recommended. Just make sure that you have all the keys and certificates for every device that you need to connect before removing it. Keep in mind that to add more devices at a later stage, you’ll have to move the ca.key file back onto the server.
The file can be moved onto your computer just like the client certificate and keys were moved. Instead of using the “Download” button in this case, use the Download and Delete button to move the ca.key file from your server to your computer. Keep it in a secure location.
After the files have been downloaded, you have to restore their stricter permissions on the server to ensure that nobody can access them. This is what you need to enter in PuTTy:
for file in client.crt client.key ca.crt dh2048.pem pfs.key; do sudo chmod 600 $file; done
cd ..
chmod 600 keys
On your computer, cut and paste those five files from wherever you downloaded them into your OpenVPN config folder, which is C:\Program Files\OpenVPN\config in this case.
The last step is to set up a client configuration file. Open Notepad (or a similar editor) by right-clicking it and selecting Run as administrator, then paste the config below. Replace the IP address after “remote” with the public IP of your own EC2 instance:
client
dev tun
proto udp
remote 35.164.238.40 1194
ca ca.crt
cert client.crt
key client.key
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
cipher AES-256-CBC
auth SHA512
resolv-retry infinite
auth-retry none
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
tls-client
tls-auth pfs.key
Since this is a Windows config file for the OpenVPN GUI, save it as client.ovpn. Other OpenVPN clients may use the .conf extension instead. Either way, make sure that your text editor doesn’t append a .txt extension when it saves the file. Save it into the same location as your key and certificate files: C:\Program Files\OpenVPN\config.
Finally, run the OpenVPN GUI in administrator mode. To do this, right click it and select Run as administrator. Then right click the icon in your system tray and connect with the client configuration that was previously set up. You will see a status screen with loads of text, flashing across the screen and then the icon will turn green, indicating that you are connected to your own VPN.
Method 2
Using static encryption is easier, although it is not the best option. For this method, a shared key will be created for authentication: a file that acts like a password. Although it is easier to set up, you can only connect one device to the VPN at a time, and it is less secure than the easy-rsa method discussed above. Note that this method uses TCP rather than UDP, so the security group rule added earlier (Custom UDP, port 1194) will not let the connection through; add a matching Custom TCP rule for port 1194 in the EC2 console before continuing. To start, type the commands below into PuTTy and press Enter:
cd /etc/openvpn
sudo openvpn --genkey --secret ovpn.key
Next, create a server config file for the VPN. Enter the following command to open a blank file in a basic text editor inside the terminal:
sudo nano openvpn.conf
Enter the following configuration:
port 1194
proto tcp-server
dev tun1
ifconfig 10.4.0.1 10.4.0.2
status server-tcp.log
verb 3
secret ovpn.key
Press CTRL+O and press enter to save the file. Then press CTRL+X to exit the text editor. Back at the command prompt, you need to fire up OpenVPN:
sudo service openvpn start
The next part is to get the shared key from the server to your local computer. The first stage is to change the permissions on that file to ensure that it can be accessed. Use the below command:
sudo chmod 777 ovpn.key
If at some point you close PuTTy by mistake, or if it stops working for some reasons, you can go back to your OpenVPN installation directory after re-establishing the connection, using the below command:
cd /etc/openvpn
To make things easier, Windows users can download and install WinSCP. Use the default installation options and after that, a window will appear asking you to import your server authentication details from PuTTy. Select the one mentioned above and continue.
Now select myvpn (or the name that you assigned to yours) and press the Edit button. Under username, enter “ec2-user” and click on Login.
Now the files can be moved between your EC2 instance and your local computer. In the right-hand panel, go up to the root of the filesystem and then into /etc/openvpn. There you’ll find the ovpn.key file that is needed. Click and drag it into the folder you prefer. Just make sure that you remember where you put it, as you will have to move it later.
Once you have the key, you will need to re-apply the old permissions so that they can’t be just grabbed by anyone. In the PuTTy terminal enter this command:
sudo chmod 600 ovpn.key
Now you have to download the OpenVPN client and GUI for the local computer. Go to the OpenVPN downloads page, select the relevant version for your OS and install it with the default settings. Once it is launched, it will appear in the system tray as an icon. Open a file explorer and go to where you installed OpenVPN. Move the ovpn.key file previously downloaded from the server into the config folder, found at C:\Program Files\OpenVPN\config. Keep in mind that this is the location only if you used the default installation directory on Windows.
The next step is to create a config file for the local machine to go with the one that was previously created on the server. Launch Notepad and paste the below, but keep in mind that the IP address after “remote” needs to be replaced with the IP of your EC2 instance. This can be found in your AWS Console under EC2 Instances.
proto tcp-client
remote
port 1194
dev tun
secret “C:\\Program Files\\OpenVPN\\config\\ovpn.key”
redirect-gateway def1
ifconfig 10.4.0.2 10.4.0.1
Save it as myconfig.ovpn in the config folder of your OpenVPN installation, where the ovpn.key file is. Double check that the text editor doesn’t save it as myconfig.ovpn.txt.
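Because the server and client configuration files of either method (Method 1’s server.conf and client.ovpn, Method 2’s openvpn.conf and myconfig.ovpn) must agree on transport, port, cipher, HMAC and the tls-auth or secret key, here is an added consistency checker that is not part of the original article. It runs on abridged, constructed copies of the page’s configs embedded in the script and takes the security group’s inbound rules as a "proto/port" list; 203.0.113.10 is a placeholder address.

```shell
#!/bin/sh
# Added example, not from the original article: checks that an OpenVPN server
# config, the matching client config and the EC2 security group rules agree.
set -eu

# Print the value of option $2 in config file $1 (comments and quotes stripped,
# first match only); prints nothing if the option is absent or has no value.
get_opt() {
    sed 's/[#;].*$//' "$1" |
        awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); gsub(/"/, ""); print; exit }'
}
# Succeed if option $2 appears in file $1 at all (for flag-style options).
has_opt() { sed 's/[#;].*$//' "$1" | awk -v k="$2" '$1 == k { f = 1 } END { exit !f }'; }
# Map a proto value to its transport: udp / tcp-server / tcp-client -> udp / tcp.
proto_family() { case "${1:-udp}" in tcp*) echo tcp ;; *) echo udp ;; esac; }
# Port the client will use: explicit "port", else the 2nd word of "remote", else 1194.
client_port() {
    p=$(get_opt "$1" port)
    [ -n "$p" ] || p=$(get_opt "$1" remote | awk '{ print $2 }')
    echo "${p:-1194}"
}

# Usage: compare_configs SERVER_CONF CLIENT_CONF "udp/1194 tcp/22"
# Prints each problem found and leaves the count in PROBLEMS (0 = consistent).
compare_configs() {
    srv=$1; cli=$2; sg=$3; PROBLEMS=0
    sfam=$(proto_family "$(get_opt "$srv" proto)"); cfam=$(proto_family "$(get_opt "$cli" proto)")
    [ "$sfam" = "$cfam" ] || { echo "proto: server is $sfam, client is $cfam"; PROBLEMS=$((PROBLEMS + 1)); }
    sport=$(get_opt "$srv" port); sport=${sport:-1194}; cport=$(client_port "$cli")
    [ "$sport" = "$cport" ] || { echo "port: server $sport, client $cport"; PROBLEMS=$((PROBLEMS + 1)); }
    for opt in cipher auth; do               # data-channel parameters must be identical
        s=$(get_opt "$srv" "$opt"); c=$(get_opt "$cli" "$opt")
        [ "$s" = "$c" ] || { echo "$opt: server '$s', client '$c'"; PROBLEMS=$((PROBLEMS + 1)); }
    done
    for opt in comp-lzo tls-auth secret; do  # must be set on both sides or on neither
        if has_opt "$srv" "$opt"; then has_opt "$cli" "$opt" || { echo "$opt: server only"; PROBLEMS=$((PROBLEMS + 1)); }
        else ! has_opt "$cli" "$opt" || { echo "$opt: client only"; PROBLEMS=$((PROBLEMS + 1)); }; fi
    done
    case " $sg " in *" $sfam/$sport "*) ;;   # the inbound rule must match the server's transport
        *) echo "security group: no inbound $sfam/$sport rule"; PROBLEMS=$((PROBLEMS + 1)) ;; esac
}

# Constructed, abridged copies of the article's two server/client pairs (203.0.113.10 is a placeholder).
write_samples() {
    printf '%s\n' 'port 1194' 'proto udp' 'key /etc/openvpn/keys/server.key # keep secret' \
        'cipher AES-256-CBC' 'auth SHA512' 'comp-lzo' 'tls-auth /etc/openvpn/keys/pfs.key' > "$1/server.conf"
    printf '%s\n' 'client' 'proto udp' 'remote 35.164.238.40 1194' 'cipher AES-256-CBC' \
        'auth SHA512' 'auth-retry none' 'comp-lzo' 'tls-auth pfs.key' > "$1/client.ovpn"
    printf '%s\n' 'port 1194' 'proto tcp-server' 'secret ovpn.key' > "$1/openvpn.conf"
    printf '%s\n' 'proto tcp-client' 'remote 203.0.113.10' 'port 1194' \
        'secret "C:\\Program Files\\OpenVPN\\config\\ovpn.key"' > "$1/myconfig.ovpn"
}

if [ "${1:-}" = "demo" ]; then                  # run as: sh checkcfg.sh demo
    d=$(mktemp -d); write_samples "$d"
    compare_configs "$d/server.conf" "$d/client.ovpn" "udp/1194 tcp/22"; echo "Method 1: $PROBLEMS problem(s)"
    compare_configs "$d/openvpn.conf" "$d/myconfig.ovpn" "udp/1194 tcp/22"; echo "Method 2: $PROBLEMS problem(s)"
fi
```

With only the UDP rule from the setup steps, the Method 2 pair reports exactly one problem (no inbound tcp/1194 rule), which is the security-group caveat that method needs.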
Right click on the OpenVPN icon in your system tray and click Exit. Then start it up again from the desktop shortcut or from the Program Files folder. The difference is that now, you will right click and press “Run as administrator”. If OpenVPN is not run as administrator on Windows, it is likely that it won’t work.
Right click the system tray icon and then click Connect. The OpenVPN GUI will pop up, showing the connection status. If it worked, the system tray icon will turn green. In Google, search “What’s my IP?”. It should show you the IP address of your Amazon EC2 instance. That is it: you are now running your own VPN.