
how to host your own vpn

VPN on Amazon Web Services

In this post I’m going to document how to quickly and easily stand up your own VPN server using Amazon Web Services (AWS) essentially for free. The AWS Marketplace contains a free AMI for an OpenVPN Access Server which comes with a license for 2 concurrent users. Further, the “free-tier” instances have proven to be sufficient for this use, so any new AWS customers will receive their VPN for free for one year.  

I love my VPN server, and use it all the time. Here are a few use cases:

  • Forced to use public WiFi? Send all your traffic through your tunnel to keep it away from prying eyes.
  • Vulnerable to KRACK? (Yes, you most likely are.) Tunnel all the things.
  • Have a computer on your home network that you want to reach from outside? Open your home firewall only to the source IP of your AWS VPN (your Elastic IP). This is a relatively safe configuration: your home network is no longer exposed to the entire Internet, only to that one address, and you can still tunnel up from any remote location to reach it. It works because the Access Server NATs client traffic out through the instance, so everything you send over the tunnel arrives at your home firewall from the Elastic IP.
  • Is your ISP throttling certain traffic? Cloak it in your tunnel, and then go support the EFF: https://act.eff.org/
  • ISP not letting you use the DNS server of your choice? Tunnel, and then go get a new ISP.

The list could go on.

Do be aware that this configuration assumes you trust Amazon with your traffic. That is a choice only you can make. But as far as VPN options go, I personally trust AWS much more so than hidemyass(dot)com, et al.

Standing up the instance

I’m not going to reinvent the wheel here; this guide is really good: https://docs.openvpn.net/getting-started/amazon-web-services-ec2-tiered-appliance-quick-start-guide/

I will make a few recommendations/improvements though:

Change your inbound Security Group settings. This restricts access to the shell of the instance and the OpenVPN admin interface to only your trusted (home or office) IP. Leave the rules for the ports the VPN itself listens on alone (TCP 443 and UDP 1194 in the Access Server defaults), otherwise you will not be able to connect from the road. Also remember that "My IP" is whatever public address you have at that moment, so you will need to update these two rules when it changes:

  1. Change Source to My IP for SSH, port 22.
  2. Change Source to My IP for Custom TCP Rule, port 943.
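The same lock-down from the command line, as an added example that is not part of the original post or of the OpenVPN quick start: it revokes the world-open (0.0.0.0/0) rules for TCP 22 and 943 and replaces them with /32 rules for your own address. It assumes the aws CLI is installed and configured with rights on the group; the group id sg-0123456789abcdef0 and the address 203.0.113.5 are placeholders.

```shell
#!/bin/sh
# Added example: restrict SSH (22) and the Access Server web UI (943) to one
# source address with the AWS CLI. Assumes a configured aws CLI; the group
# id and IP in the usage line are placeholders.
set -eu

AWS_CMD="${AWS_CMD:-aws}"   # set AWS_CMD=echo to print the commands instead

# Return 0 if $1 is a plausible dotted-quad IPv4 address, 1 otherwise.
valid_ipv4() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in
      ''|*[!0-9]*) return 1 ;;   # empty field or non-digit characters
    esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Replace the world-open rule for one TCP port with a /32 rule.
restrict_port() {   # $1 = security group id, $2 = port, $3 = source IPv4
  # The revoke fails if the 0.0.0.0/0 rule was already removed; that is fine.
  "$AWS_CMD" ec2 revoke-security-group-ingress --group-id "$1" \
      --protocol tcp --port "$2" --cidr 0.0.0.0/0 || true
  "$AWS_CMD" ec2 authorize-security-group-ingress --group-id "$1" \
      --protocol tcp --port "$2" --cidr "$3/32"
}

# Lock down both admin ports; refuses to run with a malformed address so a
# typo cannot turn into an unintended rule.
lock_down_admin_ports() {   # $1 = security group id, $2 = your public IPv4
  valid_ipv4 "$2" || { echo "not an IPv4 address: $2" >&2; return 1; }
  restrict_port "$1" 22 "$2"    # SSH
  restrict_port "$1" 943 "$2"   # Access Server admin / client web UI
}

# Usage (placeholder values):
#   lock_down_admin_ports sg-0123456789abcdef0 203.0.113.5
```

Run it again whenever your public address changes. The VPN listener ports are deliberately untouched; only the two management ports are narrowed.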

You’ll have to change the permissions on the .pem file before you can SSH to your instance:

chmod 400 /path/to/your/pem.pem

then

ssh -i /path/to/your/pem.pem openvpnas@w.x.y.z

where w.x.y.z = the Elastic IP you were allocated above.

Now that you’re on your instance, do the following:

sudo apt-get update

sudo apt-get upgrade

sudo reboot

Administering your VPN

In your browser, go to https://w.x.y.z:943/admin. This brings up the admin interface for configuring your OpenVPN server. The appliance ships with a self-signed certificate, so expect a certificate warning on the first visit; note the certificate's fingerprint before accepting it, so that a different warning later on stands out instead of being clicked through out of habit. You will log in with the username and password that you created during the setup process above:

> Do you wish to login to the Admin UI as "openvpn"?.

This interface is where you configure your users and other connection parameters, such as requiring 2FA. Which reminds me: definitely enable 2FA using Google Authenticator!

Most of the configs in the admin interface are pretty self-explanatory, but here is another good reference doc: https://openvpn.net/index.php/access-server/docs/quick-start-guide.html

After you have configured your user account, you will need to log into https://w.x.y.z:943 with the user account that you just created (notice there is no /admin on that URL). This portal is where you download your .ovpn file and set up Google Authenticator.

Connecting to your VPN

To "programmatically remember" your VPN username and password you can create an authentication file. The auth-file simply needs to have your username on the first line and your password on the second line.

Note: you should only do this if you 1) have enabled full-disk encryption or use ecryptfs on your /home directory, 2) restrict the file so only you can read it (chmod 600 /home/user/path/to/auth-file; root can still read it for sudo openvpn), and 3) understand what you are doing. Placing your credentials in a plaintext file on your drive weakens your security a bit: anyone who can read that file can log in as you, although with 2FA enabled they would still need your authenticator code.

Now, assuming you did create auth-file and have downloaded your .ovpn file, you can tunnel up by issuing this command:

sudo openvpn --config /home/user/path/to/client.ovpn --auth-user-pass /home/user/path/to/auth-file

And for bonus points do this:

You can create a shell alias named vpn for that command. You only need to run the following once:

echo "alias vpn='sudo openvpn --config /home/user/path/to/client.ovpn --auth-user-pass /home/user/path/to/auth-file'" >> ~/.bashrc && exec bash

(The tempting variant sudo echo "..." >> /etc/bash.bashrc does not work: the redirection is performed by your unprivileged shell before sudo ever runs, so it fails with "Permission denied". An alias that names your private credential file belongs in your own ~/.bashrc anyway, not in the system-wide file.)

Then each time you want to establish your tunnel, you can simply do vpn.
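Putting the auth-file and the alias together, here is an added example (my own wrapper, not from the original post): it creates the auth-file with mode 600, refuses to start OpenVPN if the file is readable by others or does not contain exactly two lines, and then runs the same openvpn command as above. The paths under $HOME/vpn are placeholders, and openvpn and sudo are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post): a "vpn" wrapper that creates the
# auth-file safely and sanity-checks it before starting OpenVPN.
# The two paths are placeholders; point them at your own files.
OVPN_CONFIG="${OVPN_CONFIG:-$HOME/vpn/client.ovpn}"
AUTH_FILE="${AUTH_FILE:-$HOME/vpn/auth-file}"

# Write username and password, one per line, creating the file mode 600.
make_auth_file() {   # $1 = path, $2 = username, $3 = password
  ( umask 077 && printf '%s\n%s\n' "$2" "$3" > "$1" ) || return 1
  chmod 600 "$1"     # in case the file already existed with looser bits
}

# Return 0 only if the auth-file exists, is mode 600 (-rw-------) and has
# exactly two newline-terminated lines (username, password).
check_auth_file() {   # $1 = path
  f=$1
  [ -f "$f" ] || { echo "auth-file not found: $f" >&2; return 1; }
  mode=$(ls -ld "$f" | cut -c1-10)
  [ "$mode" = "-rw-------" ] || {
    echo "auth-file $f is $mode; fix with: chmod 600 $f" >&2; return 1; }
  lines=$(wc -l < "$f" | tr -d ' ')
  [ "$lines" -eq 2 ] || {
    echo "auth-file $f has $lines lines, expected 2 (username, password)" >&2
    return 1; }
}

# Bring the tunnel up only after the checks pass; exec hands the terminal to
# openvpn so Ctrl-C tears the tunnel down as usual.
vpn_up() {
  [ -f "$OVPN_CONFIG" ] || { echo "profile not found: $OVPN_CONFIG" >&2; return 1; }
  check_auth_file "$AUTH_FILE" || return 1
  exec sudo openvpn --config "$OVPN_CONFIG" --auth-user-pass "$AUTH_FILE"
}

# Command-line entry point; does nothing when the file is merely sourced.
case "${1:-}" in
  init)  printf 'VPN username: '; read -r u
         stty -echo; printf 'VPN password: '; read -r p; stty echo; echo
         make_auth_file "$AUTH_FILE" "$u" "$p" && echo "wrote $AUTH_FILE" ;;
  up)    vpn_up ;;
  check) check_auth_file "$AUTH_FILE" && echo "auth-file OK" ;;
esac
```

Save it as ~/bin/vpn and chmod +x it; run vpn init once (it prompts for the password without echoing it), vpn check to verify the file, and vpn up to connect. The file holds only the username and password, so if you enabled Google Authenticator, openvpn will still prompt for the code when the profile's static challenge fires.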

Easy peasy. Happy tunneling.