This tutorial will show you how to create your own VPN server on Amazon Web Services – Elastic Compute Cloud (in short: EC2).
Part 2 of this tutorial shows you how to connect an Android device to this OpenVPN server.
A VPN service can be used for a lot of things, for example:
- Testing your websites or services from another country's IP address
- Accessing content on sites that block by IP address, such as Hulu or Netflix
- Connecting your computer and/or mobile phones and tablets that support VPN
- Safely accessing the internet on public, insecure Wi-Fi networks!
I find that last point especially important. A VPN connection can prevent someone on a public Wi-Fi network from picking up your login details: if some of the programs or apps you use send sensitive data such as login details or cookies over HTTP instead of HTTPS, anyone sniffing the local network can read them. Keep in mind that the VPN only encrypts the leg between your device and your VPN server; traffic that leaves the server over plain HTTP is still readable from there on, so the VPN protects you against the café's network, not against every network on the path.
There are many VPN services available. Most charge a couple of dollars per month (e.g. strongvpn.com charges $21 for 3 months), and many run on shared connections, which often gives you a slow or unstable connection.
By setting up your own VPN server, you fully control who can access it, and you can even let others use it. Depending on your skill level, setting this VPN server up can take as little as 15 minutes.
Why Amazon EC2
EC2 is Amazon's virtual servers in the cloud, where you can set up your own virtual private server (VPS). EC2 instances come in many sizes and are charged hourly and by usage. You can of course set up a VPN service on almost any VPS, but here are the reasons I chose EC2:
- It’s widely available to everyone
- They have a lot of services available from one web interface
- They have a large library of Amazon Machine Images (AMIs), which are predefined images with different setups, often making installation and configuration a breeze.
(We will be using an AMI later in this guide.)
- It’s not the cheapest, nor the most expensive place to setup a VPS
- They have something called "AWS Free Tier", a great offer for newcomers that lets you try out the different services for free!
So if you are eligible for the free tier, you can get a free VPS for a whole year, and use it to set up a VPN server like we are about to do now!
As an alternative, you could for example use a Linode VPS to create this VPN server on.
Creating a new EC2 instance
Note: In the upper right corner of the AWS console, you can choose the region (datacenter location) for your EC2 instance. It's wise to choose a location near you.
When logged in, choose EC2 – Virtual servers in the cloud.
We start by launching a new instance (creating a new virtual machine).
Step 1: Amazon Machine Images
For this OpenVPN server we use an Amazon Machine Image: AMIs are ready-made images for different setups, like web servers. (You can browse around the marketplace here)
Inside your AWS account, select AWS Marketplace to see the list of machine images we can use for this EC2 instance. Search for "openvpn".
Select the OpenVPN Access Server.
Note: OpenVPN Access Server requires a paid license only if you need more than 2 concurrent connections.
Step 2: Choose Instance type
Next, select the instance type you want to run this image on.
The smallest ones, t1.micro and t2.micro, are available on the free tier. For my simple VPN usage, the t1.micro has more than enough juice.
Step 3: Configure instance details
On the details page, we need to fill out some settings for our new OpenVPN server. Click the Advanced details dropdown and enter the following key=value pairs, one per line, into the User data field:
```
public_hostname=openvpn
admin_user=openvpn
admin_pw=openvpn
reroute_gw=1
reroute_dns=1
license=<optional. enter license here if you have one>
```
Note: Use your own admin username and a strong password instead of the placeholders above; the admin web interface is reachable from the internet as soon as the instance is running. Leave out the license line if you don't have a license. reroute_gw=1 and reroute_dns=1 send all client traffic and DNS lookups through the VPN, which is what you want for the public Wi-Fi use case. You should also change the admin password again in the admin UI when setup is finished.
Step 4: Add Storage
Now we add disk storage to the virtual machine. Change the Volume type to General Purpose SSD (which is also included in the free tier).
Step 5: Tag instance
This step is not essential; you may create a tag for this virtual machine for later reference. Just give the machine a name.
Step 6: Configure security group
Here you set port and IP restrictions. For my usage, being able to reach the server from many different places, I went with the defaults.
That means the machine will be open to the public internet: the security group that comes with this AMI opens the ports the server needs, including SSH and the admin web UI on port 943 (you will see that URL in Step 8), to every address.
Note: The defaults also open port 443, which the image uses for HTTPS.
It's of course possible to harden this further:
- Restrict the source IP ranges in the security group, at least for SSH (22) and the admin UI (943), to the addresses you connect from
- Keep SSH key-only: log in with the .pem key pair from Step 7 rather than enabling password logins
- Move the SSH port to avoid automated scans
- Set up fail2ban on the SSH port to block brute-force attempts
But for this tutorial, the defaults will do.
Step 7: Review
If your settings look good, hit Launch to spin up your new EC2 machine!
You will be asked to create a new key pair or use an existing one for accessing your machine via SSH. This is a .pem file (the private key) you have to download and use when logging into the machine via SSH. Keep it private: anyone holding it can log in to the server.
You are then taken back to the instances list, and within a few minutes your server will be up and running!
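The same launch as Steps 1 to 7, done from the AWS CLI, as an added example that is not code from the original post. It writes the Step 3 user data, builds a security group that is tighter than the Marketplace default (VPN ports open to everyone, SSH and the admin UI only from one admin address), launches the instance and pins it to an Elastic IP so the public address survives a stop/start. The AMI id, key pair name and admin address are placeholders (assumptions, not values from this post), and the AWS CLI is assumed to be configured for the region you picked in Step 1.

```shell
#!/bin/sh
# Added example, not code from the original post: launch the OpenVPN Access
# Server AMI from the AWS CLI with the Step 3 user data, a restricted security
# group and an Elastic IP.
# Placeholders (assumptions): AMI_ID, KEY_NAME, ADMIN_CIDR.
set -eu

AMI_ID="${AMI_ID:-ami-xxxxxxxxxxxxxxxxx}"    # OpenVPN Access Server AMI id from the Marketplace listing
INSTANCE_TYPE="${INSTANCE_TYPE:-t2.micro}"   # free-tier eligible
KEY_NAME="${KEY_NAME:-openvpn}"              # EC2 key pair whose .pem you download in Step 7
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.10/32}"  # your own public IP (RFC 5737 documentation address)

# Refuse the image's default admin password and anything shorter than 12 characters.
check_admin_pw() {
    if [ "$1" = "openvpn" ] || [ "${#1}" -lt 12 ]; then
        return 1
    fi
    return 0
}

# Print the Step 3 user data: one key=value per line, as the AMI expects.
# $1 = admin user, $2 = admin password, $3 = optional license key.
make_user_data() {
    check_admin_pw "$2" || { echo "refusing weak admin password" >&2; return 1; }
    printf 'public_hostname=%s\n' "openvpn"   # replaced with the Elastic IP in the admin UI later
    printf 'admin_user=%s\n' "$1"
    printf 'admin_pw=%s\n' "$2"
    printf 'reroute_gw=1\n'                   # send all client traffic through the VPN
    printf 'reroute_dns=1\n'                  # and DNS lookups too, so the hotspot's resolver sees nothing
    if [ -n "${3:-}" ]; then
        printf 'license=%s\n' "$3"
    fi
}

# Security group: only the VPN ports are world-reachable; management is not.
# 1194/udp and 443/tcp are assumed to be the server's VPN ports (check Server
# Network Settings in the admin UI); 943/tcp is the admin/client web UI.
create_security_group() {
    sg_id=$(aws ec2 create-security-group --group-name openvpn-as \
        --description "OpenVPN Access Server" --query GroupId --output text)
    aws ec2 authorize-security-group-ingress --group-id "$sg_id" --protocol udp --port 1194 --cidr 0.0.0.0/0
    aws ec2 authorize-security-group-ingress --group-id "$sg_id" --protocol tcp --port 443  --cidr 0.0.0.0/0
    aws ec2 authorize-security-group-ingress --group-id "$sg_id" --protocol tcp --port 22   --cidr "$ADMIN_CIDR"
    aws ec2 authorize-security-group-ingress --group-id "$sg_id" --protocol tcp --port 943  --cidr "$ADMIN_CIDR"
    echo "$sg_id"
}

# Launch the instance with the user data and group, then attach an Elastic IP
# and print it. $1 = admin user, $2 = admin password, $3 = optional license key.
launch_openvpn_server() {
    user_data=$(mktemp)
    make_user_data "$1" "$2" "${3:-}" > "$user_data"
    sg_id=$(create_security_group)
    instance_id=$(aws ec2 run-instances --image-id "$AMI_ID" --instance-type "$INSTANCE_TYPE" \
        --key-name "$KEY_NAME" --security-group-ids "$sg_id" --user-data "file://$user_data" \
        --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=openvpn}]' \
        --query 'Instances[0].InstanceId' --output text)
    rm -f "$user_data"
    aws ec2 wait instance-running --instance-ids "$instance_id"
    alloc_id=$(aws ec2 allocate-address --domain vpc --query AllocationId --output text)
    aws ec2 associate-address --instance-id "$instance_id" --allocation-id "$alloc_id"
    aws ec2 describe-addresses --allocation-ids "$alloc_id" --query 'Addresses[0].PublicIp' --output text
}

# Usage: ADMIN_CIDR=198.51.100.7/32 sh launch.sh launch alice 'a-long-passphrase-here'
if [ "${1:-}" = "launch" ]; then
    launch_openvpn_server "$2" "$3" "${4:-}"
fi
```

The printed Elastic IP is what you later enter as the hostname on the Server Network Settings page; without an Elastic IP, a stopped and restarted instance comes back with a different public address and every client profile breaks.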
Step 8: Initial setup of OpenVPN
After the machine has booted, we SSH into it and go through the initial setup of OpenVPN.
You can use Amazon's own guide for connecting to your VM, as the procedure varies depending on which operating system you are using.
- To log in, you need the .pem file from Step 7.
- Open a terminal.
- chmod the .pem file to 400 (ssh refuses to use a private key that other users can read):
```
chmod 400 ~/.ssh/openvpn.pem
```
- Then SSH into your new OpenVPN server with the .pem private key:
```
ssh -i ~/.ssh/openvpn.pem openvpnas@your_machine_ip
```
(These commands assume you have placed the file in your .ssh folder.)
Note: The username for accessing the machine is openvpnas. This is the default set by the OpenVPN machine image.
OpenVPN setup steps
On the first connection, ssh shows the server's host key fingerprint:
```
The authenticity of host '<your_machine_ip>' can't be established.
RSA key fingerprint is a0:3c:ac:23:97:dc.....
Are you sure you want to continue connecting (yes/no)? yes
```
Type yes and enter. This prompt is your only chance to notice a man-in-the-middle on the first connection, so ideally compare the fingerprint with the host key fingerprints printed in the instance's console output (Instance > Actions > Get System Log in the EC2 console) before accepting.
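A small check for that prompt, as an added example that is not code from the original post: it pulls the instance's console output, where cloud-init prints the SSH host key fingerprints at first boot, and looks for the exact fingerprint ssh displayed. It assumes the image's cloud-init emits the usual "BEGIN SSH HOST KEY FINGERPRINTS" block and that the AWS CLI is configured; the sample console output embedded below is constructed, not captured from a real instance.

```shell
#!/bin/sh
# Added example, not code from the original post: verify the fingerprint ssh
# shows on first connect against the host key fingerprints cloud-init printed
# to the instance console (EC2 console: Instance > Actions > Get System Log,
# or "aws ec2 get-console-output"). If they differ, answer "no": something
# between you and the instance is terminating SSH.
# Assumptions: cloud-init prints the "-----BEGIN SSH HOST KEY FINGERPRINTS-----"
# block on this image, and the AWS CLI is configured for the right region.
set -eu

# Console output of an instance, as plain text.
fetch_console_output() {
    aws ec2 get-console-output --instance-id "$1" --query Output --output text
}

# Read console text on stdin, print one fingerprint per line. Handles the old
# colon-separated MD5 form (as in the prompt above) and the SHA256:base64 form
# that newer OpenSSH displays.
host_key_fingerprints() {
    sed -n '/BEGIN SSH HOST KEY FINGERPRINTS/,/END SSH HOST KEY FINGERPRINTS/p' \
        | grep -Eo 'SHA256:[A-Za-z0-9+/]+|([0-9a-f]{2}:){15}[0-9a-f]{2}'
}

# $1 = fingerprint exactly as ssh printed it; console text on stdin.
# Exit 0 only on an exact, whole-line match (a prefix is not good enough).
fingerprint_matches() {
    host_key_fingerprints | grep -qxF "$1"
}

# Constructed sample of what the console shows for a fresh instance (not real keys).
SAMPLE_CONSOLE_OUTPUT='ec2: #############################################################
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 2048 a0:3c:ac:23:97:dc:4e:10:5b:2f:77:c1:09:d8:33:ee  root@ip-10-0-0-5 (RSA)
ec2: 256 SHA256:K3tAbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcd  root@ip-10-0-0-5 (ED25519)
ec2: -----END SSH HOST KEY FINGERPRINTS-----
ec2: #############################################################'

# Usage: sh check_hostkey.sh check i-0123456789abcdef0 'a0:3c:ac:23:97:dc:4e:10:5b:2f:77:c1:09:d8:33:ee'
if [ "${1:-}" = "check" ]; then
    if fetch_console_output "$2" | fingerprint_matches "$3"; then
        echo "host key fingerprint matches the console output: safe to answer yes"
    else
        echo "MISMATCH: do not accept this host key" >&2
        exit 1
    fi
fi
```

Run it with the instance id from the console and the fingerprint from the ssh prompt before typing yes; once accepted, the key is stored in ~/.ssh/known_hosts and ssh will warn you itself if it ever changes.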
Type yes and enter if you agree to the license that is displayed.
Will this be the primary Access Server node? Yes.
```
Please specify the network interface and IP address to be used by the Admin Web UI:
(1) all interfaces: 0.0.0.0
(2) eth0: 220.127.116.11
```
Select (1), "all interfaces". Binding to all interfaces is what makes the admin UI reachable on the public address; the security group from Step 6 is what decides who can reach it.
For the rest of the setup, you can hit enter, to use the defaults.
You will then see (depending on the settings you chose above, like port number and username):
```
Initial Configuration Complete!

You can now continue configuring OpenVPN Access Server by
directing your Web browser to this URL:

https://<your_machine_ip>:943/admin
Login as "openvpn" with the same password used to
authenticate to this UNIX host.

During normal operation, OpenVPN AS can be accessed via these URLs:
Admin  UI: https://<your_machine_ip>:943/admin
Client UI: https://<your_machine_ip>:943/
```
We have now set up the OpenVPN server and have to log in to the admin website, where we administer accounts, settings, security, statistics, etc.
Logging in to the openvpn admin website
In your browser, navigate to
https://<your_machine_ip>:943/admin/ (the URL printed at the end of the setup; the page also works on port 443 without the port number) and log in with username openvpn and password openvpn (or whatever you set in Step 3). Your browser will warn about the certificate, because the image ships with a self-signed one; that is expected at this point.
You should then see the admin status screen:
Go to the Server Network Settings page and check that the hostname is set to your machine's public IP address (the user data from Step 3 set it to the placeholder "openvpn"); if not, enter your machine's IP and save. Note that a stopped and restarted EC2 instance gets a new public IP unless you have attached an Elastic IP, so either allocate one or remember to update this field.
Go to the User Permissions page, click Show on the openvpn account, and set a better password. Click save, then "Update Running Server".
You can also create new OpenVPN user accounts here, for example if you want to give a friend access to the VPN.
Logging in via SSH command line
If you need to access your virtual machine via SSH to perform any kind of action, log in with the same procedure as described in Step 8.
Basically, you SSH to your machine with the .pem file you downloaded in Step 7:
```
ssh -i ~/.ssh/openvpn.pem openvpnas@<your_machine_ip>
```
You also need to chmod the .pem file (to 400) before you can use it.
Note: This assumes the login username is openvpnas, which is the default set by the OpenVPN machine image.
Connecting clients to the OpenVPN server
That was the part on how to set up the OpenVPN server on an AWS EC2 machine.
Part 2 of this tutorial shows you how to connect an Android device to this OpenVPN server, for secure browsing on the go.
Top photo by Dan Nelson