How to create an Amazon VPN server with Amazon web services

While existing VPNs come with a multitude of subscription choices, most of them – or the fast, reliable ones at least – are only available with a monthly purchase. In this guide, we show you how to create a VPN on Amazon web services, so you can avoid those monthly subscription costs. 

AWS Requirements

Amazon Web Services provides two different VPN server options: OpenVPN and SSH Tunneling. Each option has its ups and downs, and both are worth extensively researching before making a decision. Regardless of whether you choose OpenVPN or SSH Tunneling, you will still need to meet the following requirements:

• An account with Amazon Web Services
• A credit card to register for Amazon Web Services (with no charge unless you go over the preset amounts)
• PuTTy (SSH client)
• PuTTyGen (key generator)
• WinSCP (FTP server)

How to set up Amazon VPN on AWS

Setting up your VPN on Amazon Web Services is pretty straightforward. For Windows users, you’ll need to complete the following steps after registering for an account and setting up your billing information.

 

1. When prompted, choose the Free Basic Plan
2. In the search bar, type and click on EC2
3. From the EC2 dashboard, select Launch Instance
4. Select the first free tier eligible option: Amazon Linux AMI
5. Choose the free tier eligible t2.micro option (usually pre-selected)
6. Select Review and Launch at the bottom of the page
7. Click on Edit security groups
8. Click on Add Rule
9. Under the dropdown menu for Type, select Custom UDP
10. Set the Port Range to 1194
11. Under Source, select Anywhere
12. Select Launch
13. When prompted, select the drop-down menu and choose Create a new key pair
14. Name your key pair
15. Select Download Key Pair and store it somewhere safe
16. Select Launch Instances 
17. On the Launch Status screen, select View Instances
18. Verify that only one instance is launched (if this is your first time using EC2)

How to Use your Amazon VPN with SSH Tunneling

Many people use VPNs in the hopes of accessing geographically restricted content. If your sole reason for wanting to use a VPN is to access content that’s not available in your country, SSH tunneling is probably your best and easiest option. While SSH tunneling isn’t perfect, it is great for lightweight use such as basic web browsing or weaseling your way around geographically locked websites/services.

To set up SSH tunneling, complete the following steps:  

1. Download the PuTTy and PuTTyGen .exe files
2. Double click on PuTTyGen to open it
3. Select Load
4. On the dropdown menu in the lower right corner, select All File Types 
5. Choose your key pair file from earlier
6. Select Save Private Key 
7. Your file name must match your .pem key verbatim 
8. OPTIONAL: create a passphrase
9. Exit out of PuTTyGen and open PuTTy
10. Navigate to your AWS EC2 Dashboard 
11. Copy your IPv4 Public IP
12. Paste your IPv4 Public IP into PuTTy’s Host Name (or IP address) 
13. Choose a Session Name 
14. Select Save 
15. In the left panel, navigate to SSH>Auth
16. Under Authentication parameters, select Browse
17. Navigate to the private key you generated earlier and select it
18. In the left panel, navigate to SSH>Tunnels
19. Under Add new forwarded port: type in 8080 & select Dynamic and Auto
20. Navigate back to Session & select Save
21. Select Open
22. When prompted for a username, type ec2-user for Amazon Linux AMI 
23. Proceed to the next steps based on your preferred browser 

Firefox

1. Open Firefox
2. Navigate to Tools>Options>Advanced>Network>Connection>Settings>Manual proxy configuration 
3. Set the SOCKS Host to 127.0.0.1
4. Set the Port to 8080
5. Hit Save

Chrome

1. Install the Proxy SwitchySharp extension
2. A setup screen will pop up
3. Choose a name
4. Select Manual Configuration 
5. Change the SOCKS Host to 127.0.0.1
6. Change the Port to 8080
7. Everything else should be left blank
8. Select Save
9. Click the extension icon and select your proxy profile 

After completing the above steps, you’ll be successfully tunneling your browser’s traffic through your EC2 instance. That said, SSH tunneling is only useful for lightweight browsing and accessing some geographically restricted content. If your intent is to create a fully functioning VPN with the ability to reroute all internet traffic, OpenVPN is the option you’ll want to look into. We go into detail below.

How to Use AWS with OpenVPN

As an open source application, OpenVPN is a great VPN tool to use. With the ability to reroute all of your internet traffic through your EC2 instance, OpenVPN is also able to assist in VPN usage for applications like Steam or Battle.net. OpenVPN setup might seem complex when drifting your eyes over the instructions, but the truth is that it’s fairly simple (if not a bit time consuming).

Installing OpenVPN On AWS

1. Using the instructions above, connect your EC2 instance to PuTTy
2. A command prompt displaying Amazon Linux AMI should pop up
3. Copy & paste the following commands individually into your command prompt:

• sudo yum install -y openvpn
• sudo modprobe iptable_nat
• echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
• sudo iptables -t nat -A POSTROUTING -s 10.4.0.1/2 -o eth0 -j MASQUERADE
• sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

4. If the first command listed above doesn’t work, replace it with:

• sudo apt-get install -y openvpn

Connecting to OpenVPN via easy-rsa 

When it comes to setting up your OpenVPN server, you have a couple of different methods. The first one allows you to connect to various devices simultaneously via easy-rsa, while the second method only allows one connection at a time via static encryption.

Server Configuration 

1. Copy & paste the following commands individually into your command prompt:

• sudo yum install easy-rsa -y --enablerepo=epel
• sudo cp -via /usr/share/easy-rsa/2.0 CA

2. Enable root user by typing into your command prompt sudo su 
3. In the next step, you will be asked to fill in information like your occupation/company – select the default by hitting Enter when prompted
4. Copy & paste the following commands individually into your command prompt:

• cd /usr/share/easy-rsa/2.0/CA
• source ./vars
• ./clean-all
• ./build-ca
• ./build-key-server server
• ./build-dh 2048

5. To set up your device, copy & paste the following commands individually in your command prompt:

• ./build-key client
• cd /usr/share/easy-rsa/2.0/CA/keys
• openvpn --genkey --secret pfs.key
• mkdir /etc/openvpn/keys
• for file in server.crt server.key ca.crt dh2048.pem pfs.key; do cp $file /etc/openvpn/keys/; done
• cd /etc/openvpn
• nano server.conf

6. Nano text editor will open – copy & paste the following text:

port 1194

proto udp

dev tun

ca /etc/openvpn/keys/ca.crt

cert /etc/openvpn/keys/server.crt

key /etc/openvpn/keys/server.key # This file should be kept secret

dh /etc/openvpn/keys/dh2048.pem

cipher AES-256-CBC

auth SHA512

server 10.8.0.0 255.255.255.0

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 8.8.8.8"

push "dhcp-option DNS 8.8.4.4"

ifconfig-pool-persist ipp.txt

keepalive 10 120

comp-lzo

persist-key

persist-tun

status openvpn-status.log

log-append openvpn.log

verb 3

tls-server

tls-auth /etc/openvpn/keys/pfs.key

7. To save and exit the config text, hit CTRL+O followed by CTRL+X
8. Start OpenVPN by typing into your command prompt:

• sudo service openvpn start

Client Configuration 

1. Copy & paste the following commands into your command prompt:

• cd /usr/share/easy-rsa/2.0/CA
• chmod 777 keys
• cd keys
• for file in client.crt client.key ca.crt dh2048.pem pfs.key ca.key; do sudo chmod 777 $file; done

2. Download WinSCP with default installation options & open it 
3. WinSCP will prompt you to import your server authentication details from PuTTy
4. Select the one you created in earlier steps
5. Select Edit and type in under username: ec2-user
6. Hit Login
7. Click on Edit & then Advanced
8. Navigate to SSH>Authentication>Private key file 
9. Find your PPK file
10. Back on the main screen, enter your EC2 instance IPv4 address in the Host Name field
11. Save your settings
12. In the right panel, navigate to the directory that holds your key files
13. You’ll need to highlight the five necessary files: client.crt, client.key, ca.crt, dh2048.pem, and pfs.key 
14. Select the green Download button
15. Save the files wherever you want
16. Navigate back to the PuTTy Command Prompt
17. Copy & paste the following command:

• for file in client.crt client.key ca.crt dh2048.pem pfs.key; do sudo chmod 600 $file; done
• cd ..
• chmod 600 keys

18. On your PC, move the five files into your OpenVPN configuration folder (default location is C:\\Program Files\\OpenVPN\\config

SUB: Creating the Client Configuration File 

The last thing we need to do is create the client configuration file. Luckily, this is easily done using your basic text editor.

1. Right-click on any basic plaintext editor 
2. Select Run as administrator 
3. Copy & paste the following configuration:

client

dev tun

proto udp

remote YOUR.EC2.INSTANCE.IP 1194

ca ca.crt

cert client.crt

key client.key

tls-version-min 1.2

tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

cipher AES-256-CBC

auth SHA512

resolv-retry infinite

auth-retry none

nobind

persist-key

persist-tun

ns-cert-type server

comp-lzo

verb 3

tls-client

tls-auth pfs.key

4. Save the config as client.ovpn
5. Save the config file in the same directory as your other five files (Default is C:\\Program Files\\OpenVPN\\config)
6. Finally, right click on the OpenVPN GUI and select Run as administrator
7. In your system tray below, right click on the OpenVPN icon
8. Connect to the appropriate configuration
9. If successful, the OpenVPN icon will turn green

Removing the Certificate Authority File 

In order to remain as secure as possible, our team at ProPrivacy.com recommends removing the ca.key file from your server. On the off chance that the certificate authority is compromised, you will never want to trust certificates provided by that CA in the future. Before completing the following steps, however, be sure that you have the keys/certificates for every device you want to connect.

1. Select ca.key
2. Instead of selecting the Download button, select Download and Delete
3. Store the file in a safe location 

Fixing Reboot or Maintenance Problems 

If you experience problems after rebooting your PC or completing maintenance, you can set up OpenVPN as a service by typing the following commands in your command prompt. Most times, this fixes the issue.

• sudo systemctl start [email protected]
• sudo systemctl enable [email protected]

If the above commands don’t work or you seem to connect to the VPN but not the internet, try resetting your iptable settings by running the commands from earlier:

• echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
• sudo iptables -t nat -A POSTROUTING -s 10.4.0.1/2 -o eth0 -j MASQUERADE
• sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Connecting to OpenVPN via Static Encryption 

While this method is easier to achieve than the easy-rsa method, it is less secure and only allows one connection to the VPN server at a time. Still, it’s a great option over other free VPN services.

1. In the PuTTy Command Prompt, paste:

• cd /etc/openvpn
• sudo openvpn --genkey --secret ovpn.key
• sudo nano openvpn.conf

2. When the Nano text editor pops up, type the following configuration:

port 1194

proto tcp-server

dev tun1

ifconfig 10.4.0.1 10.4.0.2

status server-tcp.log

verb 3

secret ovpn.key

3. Select CTRL+O to save followed by CTRL+X to exit
4. In the PuTTy Command Prompt, type:

• sudo service openvpn start
• sudo chmod 777 ovpn.key

5. Download WinSCP by following default installation prompts
6. A prompt will ask you to import your server authentication details from PuTTy
7. Select the one you made in earlier steps and click Edit
8. Under username, type in ec2-user and hit Login
9. In the right panel, scroll up and navigate to etc/openvpn
10. Select the ovpn.key file and drag it into a secure location
11. In the PuTTy Command Prompt, type:

• sudo chmod 600 ovpn.key

12. Download OpenVPN according to your system specifics 
13. Move your ovpn.key into OpenVPN’s configuration folder (Default is C:/Program Files/OpenVPN/config…)
14. Open Notepad and paste the following:

proto tcp-client

remote yourEC2IPhere

port 1194

dev tun

secret "your pathway to OpenVPN config folder – see default above"

redirect-gateway def1

ifconfig 10.4.0.2 10.4.0.1

15. Save the file in your OpvenVPN config folder as myconfig.ovpn
16. In your system tray, make sure OpenVPN isn’t running – close it if it is
17. On your desktop, right click on OpenVPN and select Run as administrator
18. Back in your system tray, right click on OpenVPN and select Connect 
19. If successful, the icon will turn green

Testing Your AWS VPN is Working

Verifying your success with Amazon Web Services VPN is extremely easy!

1. Disconnect from your VPN
2. Navigate to a website like www.ipchicken.com
3. Jot down your IP address
4. Exit out of the browser
5. Reconnect to your VPN
6. Open your browser and navigate back to www.ipchicken.com
7. Compare your IP address from step 3 to the one displayed now
8. If the IP addresses are different, you’re successfully using your homemade VPN! 

Using Amazon Web Services to Create a VPN: A Summary

If you want the benefits of using a VPN without the monthly subscription fees, creating an Amazon VPN is a great option. Creating your own Amazon Web Service VPN is straightforward and easy – and despite being somewhat time consuming – it’s also completely worth it.