How To Create A Free Personal VPN In The Cloud Using EC2 & OpenVPN

What is a VPN?

Think of a Virtual Private Network like a layer that sits below your connection to a network. By connecting your device to the VPN, data is sent and received privately through a different IP address. Connecting to a VPN allows for a multitude of benefits, like functionality, security (data encryption), and if you run your own VPN, private network management.

Getting Started

Alright, bear with me here because I know that this tutorial *looks* long, but that’s only because I added a ton of pictures to make sure things were as straightforward and clear as possible.

If you haven’t yet signed up for an AWS developer account, you can do so here for free. AWS offers free instance tiers for the first 12 months, which you’re welcome to use for your VPN if you so wish.

EC2, also known as Elastic Cloud Compute, can be described as a chunk of server space on a rack sitting somewhere in Amazon’s 54 availability zones — a.k.a. data-centers. Once you’re logged into your developer account, navigate to the EC2 service from the AWS management console. You can select which zone you want your server space to be in on the top right bar of the console. For myself, I chose N. Virginia.

Instances are created by loading that chunk of server with an operating system/image at initialization time. Since different operating systems are utilized for different operations and applications, this allows for a plethora of choices for specific optimizations and use cases.

Launch A New EC2 Instance

For the VPN, we’re going to bootstrap our little chunk of server with OpenVPN’s open source image located in the marketplace.

This means OpenVPN is already packaged along with the operating system and we’re going to spin both up together on our machine at the same time. Get started by hitting the big, blue launch instance button seen below.

After selecting “Launch Instance,” navigate to the AWS Marketplace using the left side navigation bar. In the search bar, type in OpenVPN so that you receive filtered results.

I decided to use OpenVPN for my server because it has the added benefits of open source software, as well as being free for the average user. Additionally, it uses its own custom security protocol that relies on SSL/TLS for key exchange, and it’s capable of traversing network address translators (NATs) and firewalls. Note that this image has a license for 2 devices.

Choose An Amazon Machine Image

For Step 1 “Select” the OpenVPN Access Server image, seen first below.

Once you select the image, you will be prompted to ensure you’re selecting the right option. There will be a list of hourly fees for the service, mainly for those users with larger networks or enterprise customers. You can go ahead and click “Continue”.

Choose An EC2 Instance Type

Next, for Step 2, you will choose your EC2 instance type. Since I am the only person using my VPN, I selected the t2.micro instance, which is the free 12 month tier offered to new users.

If you’re interested in learning about the differences of each instance type, you can do so here. After selecting the type, continue by hitting the “Next: Configure Instance Details” button.

Configure The Instance Details

In Step 3, we make some modifications to the instance that guard our VPN against accidental deletion. To do this, select the “Protect against accidental termination” option in the 5th section of this step. When that is done, hit the “Next: Add Storage” button.

Modify The Instance’s Storage

After selecting the protection and navigating to the next page, you should see Step 4 — storage.

I prefer adding storage to my server since most operations that exist within a system utilize memory to function and you can still utilize the EC2 instance for other purposes if you wish, as long as there is enough storage. For this reason, I changed the size to 50Gb, as the default size is 8Gb.

Next, select a different volume type using the drop-down, choosing “General Purpose SSD” since we’re doing average operations on the machine. Lastly, uncheck the delete on termination box, meaning that to delete the snapshot (backup) of storage, you must manually delete it.

Note: Changing the storage properties can affect the price of the selected tier, although AWS is still incredibly inexpensive.

Naming The Instance With Tags

Okay okay, we’re almost done creating the instance for our VPN to run on in the cloud. Awesome. So let’s finish by adding a tag to our instance in Step 5 so that we can find it among our other instances if we need to.

You can tag it however you’d like, but I’d recommend keeping OpenVPN in the tag value. YourNameOpenVPN, MyOpenVPN, or OpenVPN all should work fine.

Configure The Instance’s Security Groups

Lastly, go ahead and navigate to Step 6 “Configure Security Group.” Since we booted a pre-made image of OpenVPN onto the EC2 instance, they already established a recommended security group. Go ahead and select the existing group.

Then, select “Review and Launch.”

Review And Launch The EC2 Instance

Yay! We practically did it! Go ahead and scroll through the configuration changes that you’ve made and ensure everything is correct. When you’re done looking things over, hit “Launch.” It will ask you to create or select a key for your instance. If you haven’t yet created a key, PLEASE DO. The purpose of the instance key (.pem) is to ensure that no one can SSH into your EC2 instance without it. Name it as you’d like, then hit “Launch Instances.”

Congratulations! You just created your very own EC2 Instance with OpenVPN installed!


Configure Your OpenVPN Installation

At the moment, your VPN is public. No. Bueno. This means that anyone is able to access your server through the IP address.

We’re going to make some changes now that add some layers of security to your instance and the VPN you just installed. These changes are creating a permanent IP and private IP address, creating a user account to manage and access the VPN with, and turning off the settings on the server that allow public connections.

Create An Elastic IP For Your Instance

Upon launching an EC2 instance, a public IP address is assigned so that the instance is available. As soon as the instance is shut down, a new public IP gets assigned for the same instance. This means if we set up the VPN server with the default IP, we won’t be able to access the VPN if the instance is shut down. Elastic IP solves this issue and assigns a permanent IP address.

Once your instance starts up, you should see a list of instances associated to your account. Select the OpenVPN instance and on the left navigation window, scroll down to “Network & Security” and select Elastic IPs.

The OpenVPN instance is public at the moment.

Inside Elastic IPs, we are going to “Allocate A New Address” and select our OpenVPN instance. Once you’ve finished this, hit “Associate.”

Sweet! Success is upon us. Hopefully, your permanent public IP address is now listed as one of the properties of your instance. Note that you can also view it from selecting the instance and viewing its description.

The instance now has a permanent IP address and a private IP address.

Disabling Public Access To OpenVPN

Now that we have created a permanent IP address, we are going to make some changes to our OpenVPN configurations, disable public access and create a truly private network.

To complete these next steps, we use a protocol called SSH to log into our instance. SSH, or Secure Shell, is a cryptographically secure way to access and perform network operations over an unsecured network.

We will use this, along with our private instance key (.pem), to initialize our OpenVPN configuration. To use our key correctly, we must first confirm that the key (.pem) was saved to the root user’s folder in your local computer’s file directory.

If your computer is set to default settings, the key most likely downloaded to the Downloads folder.

SSH Into Your Instance To Initialize OpenVPN

Connect to your instance as described in the following document:

See this tutorial on how to connect to your EC2 Instance

After connecting you should see this OpenVPN License Agreement.

Scroll all the way down and hit “Enter” to agree.

Agree to the OpenVPN Licensing.

Complete Initial OpenVPN Configuration Settings

This step is easy: just hit “Enter” for all of them until you’re done. After completing this step, you should see an initialization complete message. Woohoo!

Hit enter to all to keep default settings.

Create A New User Account For Managing OpenVPN

In the terminal, type in the following command to create a user with your name. This is great practice, because you never want to manage a system as the root user all the time, as that can lead to excess access privileges and accidental system corruption.

sudo passwd YourName

It will prompt you for a password, and then prompt you again to confirm the password. Once this is finished, type exit to close the connection and log out.

Download OpenVPN Application For Your Computer

Yay. Mostly the hard parts are over, and now we can focus on the good stuff.

To actually use the VPN server you just made, you need a client that lets you establish a connection to it. The client is an OpenVPN program which you can install on your computer like any other application. To do this, use your public IP to access the installer link.

In your browser, open a new tab and type http://YourPublicIP and hit enter. This should bring you to the following page which warns about a public connection. Hit advanced and select the link at the bottom to proceed.

Hit proceed.

Now we are directed to the login page of the OpenVPN server. Log into the server with the username and password you just made in the terminal.

In my case, I named my user openvpn. When you’re done, hit “Go”.

Log in with your username and password.

At this point, you will be asked to click a link to download the installer for OpenVPN. Click the link, and when the installer is done downloading, double click to open it.

It should bring you to an installation wizard. Hit continue each time and install the package.

OpenVPN installer wizard.

Logging Into Your New VPN

Yay, the VPN is up and running and we downloaded the application that lets us connect to it. Let’s log in!

Click this new icon to start a connection to the OpenVPN we made. Under the IP address, select connect. Log in with your username and password you created. After this, you should be connected to your very own VPN!

Log into the VPN by selecting your IP and hitting connect.

Disable Public Access To The VPN

You have now successfully logged in and the end of this tutorial is nigh. Let’s finish strong by adding the last security touches!

Log into the server again using your browser with the following URL:

https://YourElasticIP:943/admin

Once again, hit advanced and proceed to the login page. Log in with your username and password. You should see this notification. Hit accept to access the admin portal for the VPN.

Click agree to proceed.

Now that we are in the admin portal, we want to disable access to the portal from your public/elastic IP, and only allow usage through the private IP that was assigned. To do this, on the left side navigation panel, under “Configuration” select “Server network settings.”

Scroll down to the bottom of the page and toggle off the admin and client web server options, seen below.

Turn these to off!

After this is done, hit save at the bottom. The page will update at the top to include this message. Hit “Update Running Server.”

Hit update to persist the updated settings to the server.

When you hit the button, the page will break. This is a good sign, because we just successfully disabled the usage through the public IP.

Accessing The Admin Portal With The Private IP

Just like in Step 9, you can still access the portal with the same method; however, the public IP no longer works. This means that you can only access it through the private IP. The URL is given below for clarity.

https://YourPrivateIP:943/admin

Lastly — Disable SSH Access

Returning to your AWS EC2 Console, select your instance. On the left side navigation panel, under “Network & Security,” select “Security Groups.”

The security groups for the OpenVPN instance.

Under the instance, there now should be a tab labeled “Inbound.” Select this tab and hit the edit button. You should now be able to delete SSH as a type by clicking the X on the right. Hit save to keep the changes.
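To confirm the inbound rules ended up the way this section intends, the following added example (not part of the original tutorial) audits security-group data shaped like the JSON printed by `aws ec2 describe-security-groups` and reports SSH (22) or the admin web UI port (943) left reachable from anywhere. The group IDs, addresses and rules in the sample, including the 1194/udp rule, are constructed for illustration.

```python
# Constructed sample, shaped like `aws ec2 describe-security-groups --output json`.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-constructed-1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 943, "ToPort": 943,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        {"IpProtocol": "udp", "FromPort": 1194, "ToPort": 1194,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-constructed-2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 900, "ToPort": 1000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]}

# Ports this tutorial treats as management access.
MANAGEMENT_PORTS = {22: "SSH", 943: "OpenVPN admin web UI"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def exposed_management_ports(group):
    """Return (port, label, cidrs) for management ports open to the whole internet."""
    findings = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        open_cidrs = sorted(c for c in cidrs if c in ANYWHERE)
        if not open_cidrs:
            continue
        proto = perm.get("IpProtocol")
        if proto == "-1":            # "all traffic" rules carry no port range
            low, high = 0, 65535
        elif proto == "tcp":         # SSH and the web UI are both TCP services
            low, high = perm["FromPort"], perm["ToPort"]
        else:
            continue
        for port, label in MANAGEMENT_PORTS.items():
            if low <= port <= high:  # catches wide ranges such as 900-1000
                findings.append((port, label, open_cidrs))
    return sorted(findings)


def audit(document):
    """Map each security group ID to its list of exposed management ports."""
    return {g["GroupId"]: exposed_management_ports(g)
            for g in document["SecurityGroups"]}
```

An empty list for your group means neither port is open to `0.0.0.0/0` or `::/0`; to run it on real data, parse the CLI output with `json.load` and pass the result to `audit`.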