Mandee Rose

March 15, 2018

While established VPN providers offer a range of subscription plans, the fast, reliable ones are only available for a monthly fee.

Because of this, many people turn to free (and mostly unreliable) VPNs in the hope of more online privacy, and most eventually learn that paid VPN services cost money for a reason. Fortunately there is another option that is reliable and, for the first year, free: running your own VPN server.

What is a VPN?

A VPN (virtual private network) tunnels your traffic through an encrypted connection to a remote server, which then forwards it to the internet. That hides what you do from the local network and your ISP, makes websites see the server's IP address rather than yours, and lets you reach content that is restricted by geography. What a VPN does not give you is anonymity: the server operator sees everything that passes through it, and when that operator is you, the exit address is an EC2 IP registered to your AWS account and used by nobody else. Treat a self-hosted VPN as privacy from the network you are on, not as a way to hide from the sites you visit.

What is Amazon Web Services?

Amazon Web Services is a good place to host your own VPN server because its Elastic Compute Cloud (EC2) free tier gives a new account a year of a small virtual server (a t2.micro instance, 750 hours per month, enough to keep one running continuously) at no charge. The catch is that the free tier has limits: go over the included instance hours, storage or monthly outbound data-transfer allowance and you are billed at normal rates. VPN traffic counts as outbound data from EC2, so heavy streaming or downloading can exceed the allowance.

All that aside, AWS gives you a year of a server with better-than-average speeds before you pay anything, and after the free year a t2.micro is still cheap, usually less than a commercial VPN subscription. Keep in mind that what you get is a server, not a VPN service: you install and maintain the VPN software yourself, and you are the only one responsible for keeping it patched.

AWS Requirements

This guide covers two ways of using an EC2 instance as a VPN: an SSH tunnel (a SOCKS proxy for a single browser) and OpenVPN (a real VPN that carries all of the machine's traffic). Each has its ups and downs, covered below. Whichever you choose, you will need:

  • An account with Amazon Web Services
  • A credit card to register for Amazon Web Services (you are not charged unless you exceed the free-tier limits)
  • PuTTY (SSH client)
  • PuTTYgen (converts the AWS .pem key into PuTTY's .ppk format)
  • WinSCP (SFTP/SCP client, used to copy key files off the server)

How to Set Up Amazon Web Services

Setting up an EC2 instance for your VPN server is straightforward. Windows users should complete the following steps after registering an account and entering billing information.

  1. When prompted, choose the free Basic plan
  2. In the search bar, type EC2 and open the EC2 console
  3. From the EC2 dashboard, select Launch Instance
  4. Select the first free-tier-eligible image: Amazon Linux AMI
  5. Choose the free-tier-eligible t2.micro instance type (usually pre-selected)
  6. Select Review and Launch at the bottom of the page
  7. Click Edit security groups
  8. The wizard pre-fills an SSH rule (TCP port 22) with Source set to Anywhere, which exposes the SSH port to the whole internet; change its Source to My IP
  9. Click Add Rule
  10. Under the drop-down menu for Type, select Custom UDP Rule
  11. Set the Port Range to 1194
  12. Under Source, select Anywhere (this is the port VPN clients connect to and their addresses change; if you will only ever connect from one network, use My IP here too)
  13. Select Launch
  14. When prompted, open the drop-down menu and choose Create a new key pair
  15. Name your key pair
  16. Select Download Key Pair and store the .pem file somewhere safe: it is the only way to log in to the instance and cannot be downloaded again
  17. Select Launch Instances
  18. On the Launch Status screen, select View Instances
  19. Verify that only one instance is running (if this is your first time using EC2); every extra running instance eats into the free-tier hours
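The same launch done with the AWS CLI, as an added example that is not part of the original article: it follows the console steps above but pins the SSH rule to the address you are launching from instead of Anywhere, leaving only the OpenVPN port world-reachable. The names vpn-sg and vpn-key, the region default, the choice of an Amazon Linux 2 image looked up through its public SSM parameter, and the checkip.amazonaws.com lookup for your own address are all assumptions. The AWS calls run only when RUN_AWS=1 is set, so the rule builder can be checked offline.

```shell
#!/bin/sh
# Added example: launch the VPN instance with the AWS CLI, keeping SSH
# reachable only from the admin's own /32. Group/key names are assumptions.
set -eu

# Ingress rules for a given admin IP, one "proto port cidr" per line.
# Only the OpenVPN port is world-reachable; SSH is pinned to one address.
build_rules() {
    admin_ip=$1
    printf 'tcp 22 %s/32\n' "$admin_ip"
    printf 'udp 1194 0.0.0.0/0\n'
}

# Reads a rule list on stdin; fails if any SSH rule is open to 0.0.0.0/0.
ssh_is_restricted() {
    ! grep -q '^tcp 22 0.0.0.0/0$'
}

# The real AWS calls (need credentials and network; region default assumed).
launch_vpn_instance() {
    region=${AWS_REGION:-us-east-1}
    admin_ip=$(curl -fsS https://checkip.amazonaws.com)   # your public IP

    sg_id=$(aws ec2 create-security-group --region "$region" \
        --group-name vpn-sg --description "OpenVPN on EC2" \
        --query GroupId --output text)

    build_rules "$admin_ip" | while read -r proto port cidr; do
        aws ec2 authorize-security-group-ingress --region "$region" \
            --group-id "$sg_id" --protocol "$proto" --port "$port" --cidr "$cidr"
    done

    # The private key is returned exactly once; keep it 0600 like the .pem.
    aws ec2 create-key-pair --region "$region" --key-name vpn-key \
        --query KeyMaterial --output text > vpn-key.pem
    chmod 600 vpn-key.pem

    # Current Amazon Linux 2 AMI for the region (assumed image choice).
    ami=$(aws ssm get-parameter --region "$region" \
        --name /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 \
        --query Parameter.Value --output text)

    aws ec2 run-instances --region "$region" --image-id "$ami" \
        --instance-type t2.micro --key-name vpn-key \
        --security-group-ids "$sg_id" --count 1 \
        --query 'Instances[0].InstanceId' --output text
}

if [ "${RUN_AWS:-0}" = "1" ]; then
    launch_vpn_instance
fi
```

Run it with RUN_AWS=1 after configuring the CLI. When your home address changes, update the SSH rule's /32 rather than widening it back to 0.0.0.0/0.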

How to Use AWS with SSH Tunneling

Many people use VPNs in the hope of accessing geographically restricted content. If your sole reason for wanting a VPN is to reach content that is not available in your country, SSH tunneling is the quickest option. It is a SOCKS proxy rather than a VPN: only the applications you point at the proxy (here, one browser) go through the server, everything else on the machine uses your normal connection, and the browser must also be told to resolve DNS through the proxy or your DNS queries will still reveal the sites you visit. It is fine for lightweight use such as basic web browsing or getting around geographically locked websites and services.

To set up SSH tunneling, complete the following steps:

  1. Download the PuTTY and PuTTYgen .exe files from the official PuTTY site
  2. Double-click PuTTYgen to open it
  3. Select Load
  4. In the file-type drop-down in the lower right corner, select All Files (*.*), since the .pem key is not a .ppk
  5. Choose the key pair file you downloaded earlier
  6. OPTIONAL but recommended: set a key passphrase, so the .ppk is useless to anyone who copies it off your PC
  7. Select Save private key and give the .ppk file a name (it does not have to match the .pem name)
  8. Exit PuTTYgen and open PuTTY
  9. Navigate to your AWS EC2 dashboard
  10. Copy your instance's IPv4 Public IP
  11. Paste it into PuTTY's Host Name (or IP address) field
  12. Under Saved Sessions, type a session name
  13. Select Save
  14. In the left panel, navigate to Connection > SSH > Auth (Connection > SSH > Auth > Credentials in recent PuTTY versions)
  15. Under Private key file for authentication, select Browse
  16. Navigate to the .ppk file you saved and select it
  17. In the left panel, navigate to Connection > SSH > Tunnels
  18. Under Add new forwarded port, enter Source port 8080, select Dynamic and Auto, and click Add (the list should now show D8080)
  19. Navigate back to Session and select Save, so the tunnel settings are kept with the session
  20. Select Open
  21. The first time, PuTTY shows the server's host key fingerprint and asks whether to trust it; you can compare it against the fingerprint printed in the instance's system log in the EC2 console before accepting
  22. When prompted for a username, type ec2-user (the default user on Amazon Linux AMI)
  23. Leave the PuTTY window open, since the tunnel only exists while the session is connected, and proceed to the steps for your browser

Firefox

  1. Open Firefox
  2. Open the connection settings (Options > General > Network Settings > Settings in current versions; Tools > Options > Advanced > Network > Connection > Settings in older ones) and choose Manual proxy configuration
  3. Set the SOCKS Host to 127.0.0.1 and leave the HTTP and SSL proxy fields empty
  4. Set the Port to 8080 and select SOCKS v5
  5. Tick Proxy DNS when using SOCKS v5; otherwise your DNS lookups still go to your local resolver and reveal the sites you visit
  6. Click OK

Chrome

  1. Install the Proxy SwitchySharp extension from the Chrome Web Store
  2. A setup screen will pop up
  3. Choose a name for the profile
  4. Select Manual Configuration
  5. Set the SOCKS Host to 127.0.0.1
  6. Set the Port to 8080 and choose SOCKS v5
  7. Leave everything else blank
  8. Select Save
  9. Click the extension icon and select your proxy profile

After completing the above steps, your browser's traffic goes through your EC2 instance and websites see its IP address. That said, SSH tunneling covers only the browser you configured and is only useful for lightweight browsing and some geographically restricted content. If you want a fully functioning VPN that reroutes all of the machine's traffic, OpenVPN is the option to look into. We go into detail below.

How to Use AWS with OpenVPN

As a free open source application, OpenVPN is a great VPN tool to use. With the ability to reroute all of your internet traffic through your EC2 instance, OpenVPN is also able to assist in VPN usage for applications like Steam or Battle.net. OpenVPN setup might seem complex when drifting your eyes over the instructions, but the truth is that it’s fairly simple (if not a bit time consuming).

Installing OpenVPN On AWS

  1. Using the instructions above, connect to your EC2 instance with PuTTY
  2. A shell prompt showing the Amazon Linux AMI banner should appear
  3. Copy and paste the following commands one at a time into the prompt (OpenVPN comes from the EPEL repository on Amazon Linux):
    • sudo yum install -y --enablerepo=epel openvpn
    • sudo modprobe iptable_nat
    • echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
    • sudo iptables -t nat -A POSTROUTING -s 10.4.0.0/24 -o eth0 -j MASQUERADE
    • sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
  4. The first NAT rule covers the static-key tunnel (10.4.0.1 and 10.4.0.2) and the second the easy-rsa server's 10.8.0.0/24 pool. A rule written as 10.4.0.1/2 is not a valid network: iptables reads it as 0.0.0.0/2 and would masquerade far more than the tunnel. If the instance's uplink is not called eth0 (newer instance types use names like ens5), use the interface that ip route show default reports instead.
  5. If the first command fails because you chose a Debian or Ubuntu image rather than Amazon Linux, replace it with:
    • sudo apt-get install -y openvpn
  6. Note that the forwarding flag and the NAT rules live only in kernel memory and are lost on reboot; the "Fixing Reboot or Maintenance Problems" section below covers making them permanent
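The forwarding and NAT step above as a script, added here as an example and not taken from the original article. It validates each subnet before using it (so a malformed value such as 10.4.0.1/2 is rejected instead of silently widened), finds the uplink interface rather than assuming eth0, adds each MASQUERADE rule only if it is not already present, and writes the settings where they survive a reboot. The subnets are the article's two tunnel ranges; the sysctl.d file name and the assumption that the iptables service restores /etc/sysconfig/iptables at boot (the iptables-services package on Amazon Linux 2) are mine. The privileged part runs only when RUN_NAT=1 is set.

```shell
#!/bin/sh
# Added example: idempotent forwarding + NAT setup for the OpenVPN instance.
set -eu

# Dotted quad to 32-bit integer, in plain shell arithmetic.
ip_to_int() {
    addr=$1
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds when "a.b.c.d/n" is a proper network address (host bits zero)
# with a prefix of 0..32. "10.4.0.1/2" fails: /2 is 0.0.0.0-63.255.255.255
# and 10.4.0.1 is not its network address.
cidr_is_network() {
    addr=${1%/*}
    bits=${1#*/}
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    addr_int=$(ip_to_int "$addr")
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    fi
    [ $(( addr_int & mask )) -eq "$addr_int" ]
}

# Interface carrying the default route ("eth0" on older Amazon Linux,
# "ens5" on Nitro instance types).
uplink_iface() {
    ip -4 route show default | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Add a MASQUERADE rule once: -C checks for it, -A appends only if absent.
add_masquerade() {
    cidr=$1
    iface=$2
    cidr_is_network "$cidr" || { echo "refusing malformed CIDR: $cidr" >&2; return 1; }
    iptables -t nat -C POSTROUTING -s "$cidr" -o "$iface" -j MASQUERADE 2>/dev/null ||
        iptables -t nat -A POSTROUTING -s "$cidr" -o "$iface" -j MASQUERADE
}

setup_nat() {
    iface=$(uplink_iface)
    # Persist forwarding: the echo-to-/proc form is lost on reboot.
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-openvpn.conf   # assumed file name
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    modprobe iptable_nat
    add_masquerade 10.8.0.0/24 "$iface"   # easy-rsa/TLS server pool
    add_masquerade 10.4.0.0/24 "$iface"   # static-key tunnel (10.4.0.1/10.4.0.2)
    # Assumes the iptables service (iptables-services on Amazon Linux 2)
    # is enabled and restores this file at boot.
    iptables-save > /etc/sysconfig/iptables
}

if [ "${RUN_NAT:-0}" = "1" ]; then
    setup_nat
fi
```

Run it as root with RUN_NAT=1; running it twice leaves exactly one rule per subnet, which is what you want from a script that may also be called from a boot hook.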

Connecting to OpenVPN via easy-rsa

When it comes to setting up your OpenVPN server, you have two methods. The first uses easy-rsa to build a small certificate authority (CA) and issue a certificate for each device, so several devices can connect at once and any one of them can be revoked later; the second uses a single pre-shared static key and allows only one connection at a time. The commands below are written for easy-rsa 2.0, which installs as /usr/share/easy-rsa/2.0. The easy-rsa package now in EPEL is version 3, which has a different layout and command names (easyrsa init-pki, build-ca, build-server-full, build-client-full and gen-dh); if the 2.0 directory is not there after installing, use those equivalents.

Server Configuration

  1. Copy and paste the following commands one at a time (the first installs easy-rsa from EPEL; the second makes a working copy of the 2.0 scripts named CA, going through a temporary directory because cp refuses to copy a directory into itself):
    • sudo yum install -y --enablerepo=epel easy-rsa
    • sudo cp -via /usr/share/easy-rsa/2.0 /tmp/CA && sudo mv /tmp/CA /usr/share/easy-rsa/2.0/CA
  2. Switch to a root shell for the certificate work by typing sudo su (type exit when you are done with this section)
  3. build-ca and the build-key commands prompt for details such as country, organisation and common name; accept the defaults by pressing Enter, and answer y when asked to sign and commit the certificate
  4. Copy and paste the following commands one at a time:
    • cd /usr/share/easy-rsa/2.0/CA
    • source ./vars
    • ./clean-all
    • ./build-ca
    • ./build-key-server server
    • ./build-dh 2048
  5. To create a certificate for your device and fill the server's key directory, run the following (repeat ./build-key with a different name for each additional device, since every device needs its own certificate; despite its name, pfs.key is the tls-auth HMAC key that lets the server drop packets from anyone who does not hold it, while forward secrecy comes from the DH/TLS handshake):
    • ./build-key client
    • cd /usr/share/easy-rsa/2.0/CA/keys
    • openvpn --genkey --secret pfs.key
    • mkdir /etc/openvpn/keys
    • for file in server.crt server.key ca.crt dh2048.pem pfs.key; do cp $file /etc/openvpn/keys/; done
    • cd /etc/openvpn
    • nano server.conf
  6. The nano text editor will open; copy and paste the following configuration:

port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem
tls-version-min 1.2
cipher AES-256-CBC
auth SHA512
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
ifconfig-pool-persist ipp.txt
keepalive 10 120
# Compression lets an attacker who can inject traffic recover secrets (VORACLE).
# It must match the client; once both ends work, remove comp-lzo from both.
comp-lzo
# Drop root privileges once the tunnel is up (needs persist-key and persist-tun).
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
tls-server
tls-auth /etc/openvpn/keys/pfs.key

  7. To save, press CTRL+O, confirm the file name with Enter, then press CTRL+X to exit
  8. Leave the root shell with exit, then start OpenVPN by typing:
    • sudo service openvpn start
  9. On Amazon Linux 2, which uses systemd, use sudo systemctl start openvpn@server.service instead (see the reboot section below). Either way, /etc/openvpn/openvpn.log should end with the line Initialization Sequence Completed

Client Configuration

  1. WinSCP will log in as ec2-user, who cannot read the root-owned key files, and the CA directory should stay private. Rather than opening it up with chmod 777 (which would let every process on the instance read ca.key and mint its own client certificates), copy only the files the client needs into ec2-user's home directory, readable by that user alone:
    • cd /usr/share/easy-rsa/2.0/CA/keys
    • for file in client.crt client.key ca.crt dh2048.pem pfs.key; do sudo install -m 600 -o ec2-user -g ec2-user $file /home/ec2-user/$file; done
  2. Download WinSCP with the default installation options and open it
  3. WinSCP offers to import your saved sessions from PuTTY; import the one you created earlier
  4. Select it, click Edit and enter ec2-user as the username
  5. Click Advanced, navigate to SSH > Authentication > Private key file and select your .ppk file
  6. Check that the Host name field holds your instance's IPv4 address, then Save
  7. Hit Login
  8. In the right (remote) panel, navigate to the directory holding the client files (/home/ec2-user if you copied them there as above)
  9. Highlight the five files: client.crt, client.key, ca.crt, dh2048.pem and pfs.key
  10. Select the green Download button and save the files somewhere on your PC
  11. Back in PuTTY, delete the copies on the server now that they are on your PC, and make sure the CA's key directory is private again (a directory needs the execute bit, so 700 rather than 600, or nothing can enter it):
    • rm -f /home/ec2-user/client.crt /home/ec2-user/client.key /home/ec2-user/ca.crt /home/ec2-user/dh2048.pem /home/ec2-user/pfs.key
    • for file in client.crt client.key ca.crt dh2048.pem pfs.key ca.key; do sudo chmod 600 /usr/share/easy-rsa/2.0/CA/keys/$file; done
    • sudo chmod 700 /usr/share/easy-rsa/2.0/CA/keys
  12. On your PC, move the five files into your OpenVPN configuration folder (default location C:\Program Files\OpenVPN\config)
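An added example, not taken from the original article, that covers two passages at once: the "Server Configuration" commands, which target easy-rsa 2.0 while the EPEL package has moved to easy-rsa 3, and the "Client Configuration" step of getting the client bundle to WinSCP's ec2-user login without loosening the CA directory. The first function runs the easy-rsa 3 equivalents of clean-all, build-ca, build-key-server, build-key and build-dh; the rest stage a client bundle into a directory only the download user can read, check that nothing in it is group- or world-readable, and wipe it afterwards. The working directory /etc/openvpn/easy-rsa, the easy-rsa 3 install path /usr/share/easy-rsa/3, the user name ec2-user and the file names are assumptions matching the article's setup; note that easy-rsa 3 writes the DH parameters as pki/dh.pem, so a server.conf built this way points dh at /etc/openvpn/keys/dh.pem. The PKI build runs only when RUN_PKI=1 is set; the staging functions work on any directory.

```shell
#!/bin/sh
# Added example: easy-rsa 3 PKI build plus a safe client-bundle export.
set -eu

EASYRSA_DIR=${EASYRSA_DIR:-/etc/openvpn/easy-rsa}    # assumed working copy
CLIENT_FILES="ca.crt client.crt client.key pfs.key"

# easy-rsa 3 equivalents of the article's 2.0 commands. "nopass" gives
# unencrypted keys like the 2.0 defaults; drop it to passphrase-protect them.
build_pki() {
    mkdir -p "$EASYRSA_DIR"
    cp -a /usr/share/easy-rsa/3/. "$EASYRSA_DIR"/    # assumed package path
    cd "$EASYRSA_DIR"
    ./easyrsa --batch init-pki                        # clean-all
    ./easyrsa --batch build-ca nopass                 # build-ca
    ./easyrsa --batch build-server-full server nopass # build-key-server server
    ./easyrsa --batch build-client-full client nopass # build-key client
    ./easyrsa gen-dh                                  # build-dh (writes pki/dh.pem)
    openvpn --genkey --secret pki/pfs.key             # tls-auth HMAC key
    mkdir -p /etc/openvpn/keys
    install -m 600 pki/ca.crt pki/issued/server.crt pki/private/server.key \
        pki/dh.pem pki/pfs.key /etc/openvpn/keys/
}

# Copy the client bundle out of the PKI for an unprivileged download user:
# files mode 0600 owned by that user, in a directory only they can enter.
# The CA directory itself is never touched. Prints the staging directory.
stage_client_bundle() {
    pki=$1
    user=$2
    dest=$3
    mkdir -p "$dest"
    chmod 700 "$dest"
    install -m 600 "$pki/ca.crt"             "$dest/ca.crt"
    install -m 600 "$pki/issued/client.crt"  "$dest/client.crt"
    install -m 600 "$pki/private/client.key" "$dest/client.key"
    install -m 600 "$pki/pfs.key"            "$dest/pfs.key"
    chown -R "$user" "$dest" 2>/dev/null || true   # needs root; skipped in tests
    echo "$dest"
}

# Check a staged directory: every file present, none readable beyond the
# owner. Prints offending entries; exit status 0 means the bundle is clean.
bundle_is_private() {
    dir=$1
    ok=0
    for f in $CLIENT_FILES; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $f"
            ok=1
            continue
        fi
        mode=$(stat -c %a "$dir/$f")
        case "$mode" in
            600|400) ;;
            *) echo "too open: $f ($mode)"; ok=1 ;;
        esac
    done
    return $ok
}

# Remove the staged copies once they have been downloaded.
remove_staged_bundle() {
    dir=$1
    for f in $CLIENT_FILES; do
        if [ -f "$dir/$f" ]; then
            shred -u "$dir/$f" 2>/dev/null || rm -f "$dir/$f"
        fi
    done
    rmdir "$dir" 2>/dev/null || true
}

if [ "${RUN_PKI:-0}" = "1" ]; then
    build_pki
    stage_client_bundle "$EASYRSA_DIR/pki" ec2-user /home/ec2-user/client-bundle
    echo "download with WinSCP, then run: remove_staged_bundle /home/ec2-user/client-bundle"
fi
```

The check function is the part worth keeping around: run it against any directory you are about to expose to WinSCP, and it refuses the chmod 777 shortcut before the files ever leave the box.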

Creating the Client Configuration File

The last thing we need to do is create the client configuration file. This is easily done with a basic text editor.

  1. Right-click Notepad (or any plain-text editor) and select Run as administrator, since the file will be saved under C:\Program Files
  2. Copy and paste the following configuration, replacing YOUR.EC2.INSTANCE.IP with the instance's IPv4 Public IP from the EC2 console:

client
dev tun
proto udp
remote YOUR.EC2.INSTANCE.IP 1194
ca ca.crt
cert client.crt
key client.key
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
cipher AES-256-CBC
auth SHA512
resolv-retry infinite
auth-retry none
nobind
persist-key
persist-tun
# Require a certificate issued for a server (build-key-server), so another
# client certificate from the same CA cannot impersonate the server.
# ns-cert-type server is the deprecated spelling, removed in OpenVPN 2.5.
remote-cert-tls server
# Windows only: stop DNS queries leaving via the physical adapter while connected.
block-outside-dns
# Must match the server; remove from both ends once the tunnel works (VORACLE).
comp-lzo
verb 3
tls-client
tls-auth pfs.key

  1. In the Save As dialog, set the file type to All Files and name the file client.ovpn (not client.ovpn.txt)
  2. Save it in the same directory as your other five files (default C:\Program Files\OpenVPN\config)
  3. Install OpenVPN for Windows if you have not already, then right-click the OpenVPN GUI and select Run as administrator
  4. In the system tray, right-click the OpenVPN icon
  5. Connect to the appropriate configuration
  6. If successful, the OpenVPN icon turns green; if not, the log window it opens usually says why (a wrong path, a cipher or compression mismatch, or a blocked port)

Removing the Certificate Authority File

Once every device you want to connect has its certificate, move ca.key off the server. ca.key is the only thing that can sign new client certificates: if it stays on the instance, anyone who compromises the instance can issue themselves a client certificate the server will accept, and the whole CA then has to be thrown away and rebuilt, with every device re-issued. Keep it offline (an encrypted drive or a password manager attachment) and copy it back only when you need to issue or revoke a certificate.

  1. In PuTTY, copy ca.key from /usr/share/easy-rsa/2.0/CA/keys into /home/ec2-user the same way you copied the client files (sudo install -m 600 -o ec2-user -g ec2-user, so WinSCP's user can read it)
  2. In WinSCP, select ca.key in /home/ec2-user and, instead of Download, choose Download and Delete
  3. Back in PuTTY, remove the original from the CA's keys directory (shred -u rather than rm if you want the blocks overwritten)
  4. Store the file in a safe location

Fixing Reboot or Maintenance Problems

If the VPN stops working after the instance reboots or after maintenance, the usual cause is that two things from the setup were never made permanent: OpenVPN was started by hand rather than enabled as a service, and the forwarding flag and NAT rules live only in kernel memory. Fix the first by enabling the service from your PuTTY prompt:

  • sudo systemctl start openvpn@server.service
  • sudo systemctl enable openvpn@server.service

(The original Amazon Linux AMI does not use systemd; there, enable the init script with chkconfig instead.)

If you connect to the VPN but cannot reach the internet, re-apply the forwarding and NAT settings from earlier:

  • echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
  • sudo iptables -t nat -A POSTROUTING -s 10.4.0.0/24 -o eth0 -j MASQUERADE
  • sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

To stop this recurring, put net.ipv4.ip_forward = 1 in a file under /etc/sysctl.d and save the NAT rules with the iptables service (the iptables-services package on Amazon Linux 2), which restores them from /etc/sysconfig/iptables at boot once it is enabled.

Connecting to OpenVPN via Static Encryption

While this method is quicker than the easy-rsa method, it is less secure: both ends share one key, so it allows only one connection at a time, a copied key cannot be revoked without changing it on the server as well, and there is no forward secrecy, so anyone who records your traffic and later obtains the key can decrypt all of it. OpenVPN versions before 2.5 also fall back to Blowfish (BF-CBC) when no cipher is set, so add a cipher line such as cipher AES-256-CBC to both of the configurations below (they must match). Still, it is a better option than most free VPN services.

  1. In the PuTTY command prompt, paste:
    • cd /etc/openvpn
    • sudo openvpn --genkey --secret ovpn.key
    • sudo nano openvpn.conf
  2. When the nano text editor opens, type the following configuration:
  1. When the Nano text editor pops up, type the following configuration:

port 1194
proto tcp-server
dev tun1
ifconfig 10.4.0.1 10.4.0.2
status server-tcp.log
verb 3
secret ovpn.key

  3. Press CTRL+O and Enter to save, then CTRL+X to exit
  4. In the PuTTY command prompt, start the server and make a copy of the key that ec2-user can read. The key in /etc/openvpn stays root-only; do not chmod 777 it, since that would let any process on the instance read the one secret protecting the tunnel:
    • sudo service openvpn start
    • sudo install -m 600 -o ec2-user -g ec2-user ovpn.key /home/ec2-user/ovpn.key
  5. Download WinSCP, following the default installation prompts
  6. A prompt will ask you to import your saved sessions from PuTTY; select the one you made earlier and click Edit
  7. Under username, type ec2-user and hit Login
  8. In the right panel, navigate to /home/ec2-user
  9. Select the ovpn.key file and download it to a secure location on your PC
  10. Back in the PuTTY command prompt, remove the copy now that it is on your PC:
    • rm -f /home/ec2-user/ovpn.key
  11. Download and install OpenVPN for your system
  12. Move ovpn.key into OpenVPN's configuration folder (default C:\Program Files\OpenVPN\config)
  13. Open Notepad as administrator and paste the following, replacing yourEC2IPhere with the instance's IPv4 Public IP:

proto tcp-client
remote yourEC2IPhere
port 1194
dev tun
# The GUI runs OpenVPN from the config folder, so the bare file name works.
# An absolute Windows path also works but needs doubled backslashes
# (C:\\Program Files\\OpenVPN\\config\\ovpn.key).
secret ovpn.key
redirect-gateway def1
ifconfig 10.4.0.2 10.4.0.1
# Static-key mode pushes nothing from the server, so set a resolver here;
# otherwise DNS goes to your ISP's resolver through the tunnel and fails.
dhcp-option DNS 8.8.8.8

  1. Save the file in your OpenVPN config folder as myconfig.ovpn (file type All Files, so Notepad does not append .txt)
  2. In your system tray, make sure the OpenVPN GUI is not running; close it if it is
  3. On your desktop, right-click the OpenVPN GUI and select Run as administrator
  4. Back in your system tray, right-click the OpenVPN icon and select Connect
  5. If successful, the icon will turn green

Testing Your AWS VPN is Working

Verifying that your AWS VPN works is easy, and worth doing for DNS as well as for your IP address.

  1. Disconnect from your VPN
  2. Navigate to a website like www.ipchicken.com
  3. Jot down your IP address
  4. Close the browser
  5. Reconnect to your VPN
  6. Open the browser and navigate back to www.ipchicken.com
  7. Compare the IP address from step 3 with the one displayed now
  8. If the addresses differ and the new one is your instance's IPv4 Public IP from the EC2 console, you are using your homemade VPN
  9. For the OpenVPN setups, also run a DNS leak test (for example www.dnsleaktest.com): the resolvers it lists should be the ones pushed or configured in the client (8.8.8.8 and 8.8.4.4 above), not your ISP's. With the SSH tunnel this only holds if the browser is sending DNS through the SOCKS proxy, as described in the Firefox step
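A server-side check to go with the client-side test above, added here as an example and not part of the original article. The server.conf earlier writes a status file (status openvpn-status.log, version 1 format, the default); this script parses it and lists every connected client with its real source address and tunnel IP, then flags any common name that is not on your list of issued certificates, so you can confirm the device that just connected is the only thing on the VPN. The status text below is constructed for the example; the file path in the --live branch assumes the article's /etc/openvpn location.

```shell
#!/bin/sh
# Added example: list and sanity-check connected OpenVPN clients from the
# version-1 status file the server writes.
set -eu

# Constructed sample of a status-version 1 file with two connected clients.
SAMPLE_STATUS='OpenVPN CLIENT LIST
Updated,Thu Mar 15 12:00:00 2018
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client,203.0.113.5:51234,12345,67890,Thu Mar 15 11:58:00 2018
laptop2,198.51.100.7:40001,100,200,Thu Mar 15 11:59:00 2018
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client,203.0.113.5:51234,Thu Mar 15 12:00:00 2018
10.8.0.10,laptop2,198.51.100.7:40001,Thu Mar 15 12:00:00 2018
GLOBAL STATS
Max bcast/mcast queue length,0
END'

# Reads a status file on stdin and prints one line per connected client:
# "common_name real_address virtual_address". The CLIENT LIST block gives
# the source address, the ROUTING TABLE block gives the tunnel IP.
connected_clients() {
    awk -F, '
        /^OpenVPN CLIENT LIST/ { sec = "clients"; next }
        /^ROUTING TABLE/       { sec = "routes";  next }
        /^GLOBAL STATS/        { sec = "";        next }
        sec == "clients" && NF >= 5 && $1 != "Common Name" && $1 != "Updated" { real[$1] = $2 }
        sec == "routes"  && NF >= 4 && $1 != "Virtual Address"               { vip[$2] = $1 }
        END {
            for (cn in real)
                printf "%s %s %s\n", cn, real[cn], ((cn in vip) ? vip[cn] : "-")
        }
    ' | sort
}

# Reads connected_clients output on stdin; prints and fails on any client
# whose common name is not in the space-separated allow list. A name you
# never issued, or one connected twice from different addresses, means a
# client certificate has leaked.
unexpected_clients() {
    allowed=" $1 "
    bad=0
    while read -r cn real vip; do
        case "$allowed" in
            *" $cn "*) ;;
            *) echo "unexpected client: $cn from $real ($vip)"; bad=1 ;;
        esac
    done
    return $bad
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_STATUS" | connected_clients

# Live use on the server: ./vpn-status.sh --live "client laptop2"
if [ "${1:-}" = "--live" ]; then
    connected_clients < /etc/openvpn/openvpn-status.log | unexpected_clients "${2:-client}"
fi
```

Running the live form from cron with your list of issued common names turns the status file into a cheap detection: the first time a name you did not issue, or a name connecting from two places, shows up, you know to revoke and rebuild.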

Using Amazon Web Services to Create a VPN: A Summary

If you want the benefits of a VPN without the monthly subscription fees, consider Amazon Web Services before browsing the free VPN services that are available. Creating your own Amazon Web Services VPN is straightforward, and despite being somewhat time consuming, it is well worth it.

Mandee Rose
June 22nd, 2018

Mandee Rose has been an advocate for cyber security for 5+ years, working to spread knowledge via her technical writing and investigative journalism. Her work is centered around a variety of infosec topics including data breaches, digital surveillance, and of course, VPNs. You can follow her on Twitter at @Mand33InfoSec.

2 responses to “Create Your Own FREE VPN Server Using Amazon Web Services – Configure AWS To OpenVPN”

  1. The commands related to easy-rsa do not work anymore, since a new version of the software is in the epel repo right now, and the file structure is different.

    I am trying to install easy-rsa 2.0 from other repos so I can follow your tutorial, but no luck until now.
