How to make your own free VPN with Amazon Web Services

How to make your own free VPN with Amazon Web Services

Updated April 2017 to reflect some UI changes in the AWS console and add instructions for hardcoding DNS servers.

Internet users are spoiled for choice when it comes to VPN services, but they either require a monthly subscription, aren’t secure, or are just plain slow. Thankfully, alternatives do exist. They require a bit more technical know-how, but if you want something done right, you have to do it yourself.

Amazon Web Services offers one year of free virtual server space, provided you use less than predetermined amounts of bandwidth, time and space. Even if you go over that limit, the cost of running a server image on Amazon’s Elastic Compute Cloud is probably less than you would pay for a VPN subscription.

Here we’ll explain two different ways to use Amazon’s Elastic Cloud service, also called EC2, to divert your connection through a private location of your choice: SSH Tunneling and OpenVPN. Each has advantages and disadvantages, so use the one you find more suited to your needs. No matter which you choose, you’ll require the following:

• An Amazon Web Services account. This requires a credit card, but you’ll only be charged for what you use, which will likely be nothing if you’re prudent about what you’re doing.
• PuTTy, if you’re on Windows. OpenSSH via Cygwin is another option, but I found it to be a pain. Linux and Mac computers already have SSH prompts built into their boxes and terminals. You’ll also need PuTTy’s sister key generation program, PuttyGen.
• WinSCP, or an equivalent FTP client to move files between your local computer and your EC2 instance.
• A basic working knowledge of Unix commands and how servers work with clients will be massively helpful in troubleshooting should something not go exactly as planned.

Log into your Amazon Web Service account and head to the EC2 dashboard.

On the top right, you can choose the location where we’ll be setting up your VPN. Click Launch Instance.

Choose whatever Linux AMI is listed as “free tier eligible.” At the time of writing this article, that’s the Amazon Linux AMI. Go on to the next step.

Here choose a t2.micro instance that’s also free tier eligible. Click “Review and Launch.”

On the next page, you should get a warning message asking you to edit your security groups.  Click Edit Security Groups.

You’ll need to opt to create a security group that will only allow traffic from your computer to access the VPN or proxy. To make things simple, click the bullet that says “Create a new security group” and name it whatever you like. For simplicity’s sake, set the Type to “All traffic” and the Source to “My IP.” If you want to connect with more than one device or from another location, add another rule and set a custom IP using the second device’s IP address. If you know the ports you plan to use, add rules that allow any device to connect to those ports (22 for SSH, 1194 for OpenVPN are common).

Click “review and launch,” then “launch” on the next page.

Now you’ll want to create a key pair, which sort of works like a password that you’ll use to connect to the virtual server you’re creating. Select “create a new key pair” from the dropdown menu and name it whatever you like. Click the button to download the key pair. Store it somewhere safe.

The next page should alert you that the instance is launching. Scroll to the bottom and hit “View instances.” Here you’ll see a list of any instances you’ve launched, which if this is your first time using EC2 will just be one.

SSH Tunneling

To begin with, we’re just going to reroute web traffic through the instance we created using SSH tunneling and a proxy. This is a quick and dirty way to get around a firewall or geographic lockout. It’s not quite a VPN–it’s best for light web traffic and won’t work with everything–but it’s much more simple to set up. This tutorial will explain how to interact with your instance using Windows. To do that, you’ll need to download PuTTy and PuTTygen.

PuTTy and PuTTygen both run right out of the box as .exe files with no need to install. Open PuTTygen, click Load. Navigate to the .pem key pair file you downloaded before and load it into Puttygen. You’ll have to select the option to show all file types for the .pem key to show up. Hit “Save Private Key.” The file name must be identical to the .pem key. You can create a passphrase for the private key if you want.

Now close out of PuTTygen and open PuTTy. Copy your instance’s public IP from the EC2 console into PuTTy. Type in a name for your session and hit save.

In the left pane, navigate to “Auth” under SSH. Click the browse button at the bottom and navigate to the private key you just generated.

Navigate to Tunnels in the left pain. Add port 8080 with Auto and Dynamic selected. Go back to the Session page and hit Save again so you don’t have to do all this over again.

Click Open. A prompt will appear asking you for a username. This differs based on what type of server you set up at the beginning. For the Amazon Linux AMI, it’s “ec2-user”.

Now you’re connected to your server, but you still need to route your web browser’s traffic through it. If you use Firefox, this can be done in your browser settings. If you use Chrome, download the Proxy Switchy extension. If you prefer to skip to creating a fully functioning VPN rather than just a proxy for your browser, skip to the next section now.

In Firefox:

• Go to Tools > Options > Advanced > Network > Connection > Settings > Manual proxy configuration
• Set SOCKS Host as 127.0.0.1 and the port as 8080 (or whatever you set the tunnel port to on PuTTy).
• Click OK to save

In Chrome Proxy Switchy

• A setup page should appear as soon as you install the extension, or click the icon in the top right of Chrome and click Options.
• Name the profile whatever you like. Under Manual Configuration, set the SOCKS host to 127.0.0.1 and the port to 8080 (or whatever you set the tunnel port to in PuTTy. Leave everything else blank.
• Hit Save, then click the icon again to select your proxy profile.

Voila! Your browser traffic is now being funneled through your EC2 instance. This will work fine for basic browsing, but some websites might run into problems and apps other than your web browser will still use the direct connection. To create a full-on VPN that reroutes all your internet traffic, read on.

Setting up OpenVPN

OpenVPN is a free open source tool that will let you run a full-on VPN through your Amazon EC2 instance. That means all your internet traffic goes through it, not just your web browser traffic like the proxy above. Desktop programs such as Steam or Spotify work better with this approach.

Connect to your EC2 instance using PuTTy according to the instructions above. You should have a command prompt in front of you that says Amazon Linux AMI. Run the following commands (type or copy/paste them and press enter):

sudo yum install -y openvpn
sudo modprobe iptable_nat
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A POSTROUTING -s 10.4.0.1/2 -o eth0 -j MASQUERADE

Just a quick note here. You might have noticed in the screenshot that I incorrectly tried to download and install OpenVPN using the “apt-get” command instead of “yum”. Some other versions of Linux still use apt-get, so if yum doesn’t work for you, try this command instead:

sudo apt-get install -y openvpn

A bunch of text will flash on the command prompt while it installs OpenVPN. The other three commands set up IP forwarding, which is necessary for the VPN to work. Next we’ll create a shared key for authentication. It’s sort of like a file that acts as a password. Type in the following commands and hit enter:

cd /etc/openvpn
sudo openvpn --genkey --secret ovpn.key

Now we’re going to create a server config file for our VPN. Type the following command to create a blank text file in a very basic text editor inside the terminal:

sudo nano openvpn.conf

Type in the following configuration. You can find more options on the OpenVPN website if you want to play around with this later, but make sure you know what you’re doing first.

port 1194
proto tcp-server
dev tun1
ifconfig 10.4.0.1 10.4.0.2
status server-tcp.log
verb 3
secret  ovpn.key

Now hit CTRL+O (that’s the letter ‘O’ not zero) and hit enter to save the file. Then hit CTRL+X to exit the text editor. Back at the command prompt, it’s time to fire up OpenVPN:

sudo service openvpn start

Next we need to get the shared key from the server to your local computer. First we need to change the permissions on that file so we can access it using the following command:

sudo chmod 777 ovpn.key

If at any point you accidentally close PuTTy or it just craps out, you can navigate back to your open VPN installation directory after reconnecting using this command:

cd /etc/openvpn

To make this as easy as possible, download and install this free application, WinSCP (Mac users will have to find another FTP client. Don’t worry, there are lots of them). Just use the default installation options. Once that’s done, a Window should pop up prompting you to import your server authentication details from PuTTy. Select the one we made above and continue.

Select myvpn (or whatever you named yours) and hit the Edit button. Type in “ec2-user” under user name. Click on Login.

Now you can move files between your EC2 instance server and your local computer. On the right hand panel, navigate up as far as you can, then go to etc/openvpn. Here you’ll find the ovpn.key file that we need. Click and drag it into the folder of your choice, but remember where you put it as we’ll want to move it later.

Now that you have the key, we need to re-apply the old permissions so not just anyone can grab it. Back in your PuTTy terminal, enter:

sudo chmod 600 ovpn.key

It’s time to download the OpenVPN client and GUI for your local computer. Go to the OpenVPN downloads page and choose the appropriate version for your operating system. Install it with the default settings. It should appear in your system tray as an icon once launched. Open up a file explorer and navigate to where you installed OpenVPN, probably in your Program Files folder. Move the opvn.key file we downloaded from the server to the config folder found here (C:/Program Files/OpenVPN/config … if you used the default installation directory on Windows).

Next we need to create a config file for the local machine to match the one we made on our server. Open up Notepad and paste the following, replacing the IP address after “remote” with the IP of your EC2 instance (if you’ve forgotten it, find it in your AWS Console under EC2 Instances). Also double check that the full file path pointing to your key is correct.

proto tcp-client
remote <your EC2 IP here>        
port 1194                   
dev tun                   
secret "C:Program FilesOpenVPNconfigovpn.key"            
redirect-gateway def1       
ifconfig 10.4.0.2 10.4.0.1

Save it as myconfig.ovpn (make sure your text editor doesn’t append it as myconfig.ovpn.txt by mistake) in the config folder of your OpenVPN installation, the same place as your opvn.key file.

Right click on the OpenVPN icon in your system tray and click Exit to quit. Now start it up again–either from the desktop shortcut or from the Program Files folder–but this time use right click and hit “Run as administrator”. If you don’t run OpenVPN as administrator on Windows, it probably won’t work.

Right click the system tray icon and click Connect. The OpenVPN GUI should pop up showing you the connection status. Assuming it worked, the system tray icon will turn green. Go to Google and type in “What’s my IP?”, and it should return the IP address of your Amazon EC2 Instance.

Congratulations, you just made your own VPN!

Update: If you want to protect your VPN from deep packet inspection, a technique used by censorship regimes in places like China and Syria to bock OpenVPN connections, check out our tutorial on setting up Obfsproxy.

Remember to keep your bandwidth within Amazon’s free tier limits. The easiest way to do this is to right click on your instance in the AWS Console and click on the “Add/Edit Alarms” link. You can set your server to stop or even terminate after a few hours of inactivity. The free tier allows for 750 hours per month (which covers the whole month), so you shouldn’t need to do this. Those users past their initial free year of service or doing more with their server, however, can prevent unnecessary charges for unused server time.

Somewhere in this tutorial, something will probably go wrong for you. If you really want a VPN but aren’t willing to do your fair share of troubleshooting, it’s probably best to opt for a paid VPN service. They also allow you to channel your internet traffic through multiple geographic locations, where as an EC2 instance is limited to just one. Check out our VPN reviews here!

Hardcoding DNS servers into your VPN

If you need to set specific DNS servers to use with your VPN, there are a couple of options.

To “push” the DNS server to the client, add this line to the server config. This will affect all of the devices that connect to your VPN (quotes included):

push "dhcp-option DNS 45.56.117.118"

Alternatively, you can set the DNS in an individual client config using:

dhcp-option DNS 45.56.117.118

In these examples I used an OpenNIC public DNS server with anonymous logging located in the US. You can find a OpenNIC server in the country of your choice and filter by features like anonymous logging and DNSCrypt here.

Special thanks to Dctr Watson’s blog, which I leaned on as a resource when writing this article.