How to make your own free VPN with Amazon Web Services
Published by on April 4, 2017 in VPN & Privacy

Updated July 2017 to include PKI setup instructions using easy-rsa.

Internet users are spoiled for choice when it comes to VPN services, but they either require a monthly subscription, aren’t secure, or are just plain slow. Thankfully, alternatives do exist. They require a bit more technical know-how, but if you want something done right, you have to do it yourself.

Getting started

Amazon Web Services offers one year of free virtual server space, provided you use less than predetermined amounts of bandwidth, time and space. Even if you go over that limit, the cost of running a server image on Amazon’s Elastic Compute Cloud is probably less than you would pay for a VPN subscription.

Here we’ll explain two different ways to use Amazon’s Elastic Compute Cloud service, also called EC2, to divert your connection through a private location of your choice: SSH Tunneling and OpenVPN. Each has advantages and disadvantages, so use the one you find more suited to your needs. No matter which you choose, you’ll require the following:

  • An Amazon Web Services account. This requires a credit card, but you’ll only be charged for what you use, which will likely be nothing if you’re prudent about what you’re doing.
  • PuTTy, if you’re on Windows. OpenSSH via Cygwin is another option, but I found it to be a pain. Linux and Mac computers already have SSH prompts built into their boxes and terminals. You’ll also need PuTTy’s sister key generation program, PuttyGen.
  • WinSCP, or an equivalent FTP client to move files between your local computer and your EC2 instance.
  • A basic working knowledge of Unix commands and how servers work with clients will be massively helpful in troubleshooting should something not go exactly as planned.

Log into your Amazon Web Service account and head to the EC2 dashboard.

On the top right, you can choose the location where we’ll be setting up your VPN. Click Launch Instance.


Choose whatever Linux AMI is listed as “free tier eligible.” At the time of writing this article, that’s the Amazon Linux AMI. Go on to the next step.


Here choose a t2.micro instance that’s also free tier eligible. Click “Review and Launch.”


On the next page, you should get a warning message asking you to edit your security groups.  Click Edit Security Groups.

You’ll need to edit the security group to only allow traffic from your computer to access the VPN or proxy. You should have one rule already in place for connecting to your server via SSH, which we’ll use later. We’ll need to add another to allow OpenVPN connections, which use port 1194 by default. For simplicity’s sake, under the Inbound tab, click the Add rule button. Set the Type to Custom UDP, the Port Range to 1194, and the Source to Anywhere (if you always connect from the same address, setting the Source to your own IP instead is the tighter rule).

Hit Save.


Click “review and launch,” then “launch” on the next page.

Now you’ll want to create a key pair, which sort of works like a password that you’ll use to connect to the virtual server you’re creating. Select “create a new key pair” from the dropdown menu and name it whatever you like. Click the button to download the key pair. Store it somewhere safe.


The next page should alert you that the instance is launching. Scroll to the bottom and hit “View instances.” Here you’ll see a list of any instances you’ve launched, which if this is your first time using EC2 will just be one.

SSH Tunneling

To begin with, we’re just going to reroute web traffic through the instance we created using SSH tunneling and a proxy. This is a quick and dirty way to get around a firewall or geographic lockout. It’s not quite a VPN–it’s best for light web traffic and won’t work with everything–but it’s much simpler to set up. This tutorial will explain how to interact with your instance using Windows. To do that, you’ll need to download PuTTy and PuTTygen.


PuTTy and PuTTygen both run right out of the box as .exe files with no need to install. Open PuTTygen, click Load. Navigate to the .pem key pair file you downloaded before and load it into Puttygen. You’ll have to select the option to show all file types for the .pem key to show up. Hit “Save Private Key.” The file name must be identical to the .pem key. You can create a passphrase for the private key if you want.


Now close out of PuTTygen and open PuTTy. Copy your instance’s public IP from the EC2 console into PuTTy. Type in a name for your session and hit save.

In the left pane, navigate to “Auth” under SSH. Click the browse button at the bottom and navigate to the private key you just generated.


Navigate to Tunnels in the left pane. Add port 8080 with Auto and Dynamic selected. Go back to the Session page and hit Save again so you don’t have to do all this over again.

Click Open. A prompt will appear asking you for a username. This differs based on what type of server you set up at the beginning. For the Amazon Linux AMI, it’s “ec2-user”.


Now you’re connected to your server, but you still need to route your web browser’s traffic through it. If you use Firefox, this can be done in your browser settings. If you use Chrome, download the Proxy Switchy extension. If you prefer to create a fully functioning VPN rather than just a proxy for your browser, skip to the next section now.

In Firefox:

  • Go to Tools > Options > Advanced > Network > Connection > Settings > Manual proxy configuration
  • Set SOCKS Host as 127.0.0.1 and the port as 8080 (or whatever you set the tunnel port to on PuTTy).
  • Click OK to save

In Chrome, with Proxy Switchy:

  • A setup page should appear as soon as you install the extension, or click the icon in the top right of Chrome and click Options.
  • Name the profile whatever you like. Under Manual Configuration, set the SOCKS host to 127.0.0.1 and the port to 8080 (or whatever you set the tunnel port to in PuTTy). Leave everything else blank.
  • Hit Save, then click the icon again to select your proxy profile.

Voila! Your browser traffic is now being funneled through your EC2 instance. This will work fine for basic browsing, but some websites might run into problems and apps other than your web browser will still use the direct connection. To create a full-on VPN that reroutes all your internet traffic, read on.

Installing OpenVPN on the server

OpenVPN is a free open source tool that will let you run a full-on VPN through your Amazon EC2 instance. That means all your internet traffic goes through it, not just your web browser traffic like the proxy above. Desktop programs such as Steam or Spotify work better with this approach.


Connect to your EC2 instance using PuTTy according to the instructions above. You should have a command prompt in front of you that says Amazon Linux AMI. Run the following commands (type or copy/paste them and press enter):

sudo yum install -y openvpn
sudo modprobe iptable_nat
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A POSTROUTING -s 10.4.0.0/24 -o eth0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Just a quick note here. You might have noticed in the screenshot that I incorrectly tried to download and install OpenVPN using the “apt-get” command instead of “yum”. Some other versions of Linux still use apt-get, so if yum doesn’t work for you, try this command instead:

sudo apt-get install -y openvpn

A bunch of text will flash on the command prompt while it installs OpenVPN. The other four commands set up IP forwarding and NAT, which are necessary for the VPN to work: modprobe loads the kernel’s NAT module, the echo turns on packet forwarding, and the two iptables rules masquerade traffic from the tunnel subnets used later in this tutorial (10.4.0.0/24 for the static-key method and 10.8.0.0/24 for the easy-rsa method) behind the instance’s own address. Neither the forwarding setting nor the iptables rules survive a reboot, so if you stop and later restart the instance you will need to run those four commands again.

Method #1: Setting up PKI authentication with easy-rsa (recommended)

In the original version of this tutorial, we set up OpenVPN with static encryption and a .ovpn file. While that works, it only allows one device to be connected at a time, and the fact that you only ever use one key means it’s less secure. We now recommend readers use easy-rsa to set up authentication, which is more secure and allows for any number of devices to be simultaneously connected. However, if you want the old version with static encryption, skip ahead to Method #2 below.

Easy-rsa is not available in the default yum package list, so we’ll need to enable the EPEL repo to install it. Type the following into the PuTTy terminal and hit Enter after each:

sudo yum install easy-rsa -y --enablerepo=epel
sudo cp -via /usr/share/easy-rsa/2.0 CA
sudo mv CA /usr/share/easy-rsa/2.0/CA

The second command copies the easy-rsa working files into a new directory named CA, and the third moves that copy to /usr/share/easy-rsa/2.0/CA, the location the rest of this tutorial uses for our certificate authority.

For the next steps, we need to be root user. Simply typing in “sudo” before your command won’t work here, so the rest of this tutorial will be as root user. In the Amazon Linux AMI, by default, you can access root with the following command:

sudo su

Notice the user is now “root” instead of “ec2-user”. Now to use easy-rsa to generate certificates and keys. Enter each of the following commands one at a time. Many will ask you to fill in details about your occupation and company. You can leave these as default just by hitting Enter. It makes no technical difference so long as you’re using this as a personal VPN. When setting up the server key, we recommend not setting a password so that OpenVPN can start up unattended. Setting a password on the client key will force users to enter a password before connecting.

cd /usr/share/easy-rsa/2.0/CA
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh 2048

That’s all that’s needed to get the OpenVPN server up and running, but each client will need its own credentials. For each client device you want to connect, run this command:

./build-key client

In this tutorial, we’ll only be setting up one client. You now have all the RSA keys and certificates needed, but you still need to generate a TLS key to be used for Perfect Forward Secrecy. This will ensure that if a key is compromised it can’t be used to decrypt past sessions. (Strictly speaking, the file generated below is a tls-auth key: a pre-shared HMAC key with which both ends sign every control-channel packet, so the server drops handshake attempts from anyone who doesn’t hold it. The forward secrecy itself comes from the ephemeral Diffie-Hellman exchange in the TLS handshake; pfs.key is simply the name this tutorial gives the file.)

cd /usr/share/easy-rsa/2.0/CA/keys
openvpn --genkey --secret pfs.key

With all of the files ready, we need to move them into the OpenVPN directory. First we’ll create a keys directory, then copy all of the keys and certificates into it.

mkdir /etc/openvpn/keys
for file in server.crt server.key ca.crt dh2048.pem pfs.key; do cp $file /etc/openvpn/keys/; done

Next we’ll create a server configuration file that ties everything together. We’ve already got one written up for you below, so all you need to do is copy and paste. Start by navigating to the OpenVPN directory and creating a new file:

cd /etc/openvpn
nano server.conf

You are now in the nano text editor. Copy and paste the following config, then hit CTRL+O to save, hit enter to confirm, and CTRL+X to exit. (Hint: you can paste text from your clipboard into PuTTy just by right-clicking)

port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem
cipher AES-256-CBC
auth SHA512
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
tls-server
tls-auth /etc/openvpn/keys/pfs.key

The server is now configured. We just need to start up OpenVPN. We’ll start it as a service so that even after you close PuTTy, it will continue to run until the server is either shut down or you manually end the service.

sudo service openvpn start

Now that the server is configured, we need to set up the client. To do that, we’ll have to move the necessary certificate and key files from our server to our client device. With PuTTy still open and running as root, we first need to change the permissions on these files so that we can access them. Bear in mind that this makes the private keys readable by every account on the instance until you restore the permissions a few steps further down, so do the download straight away.

cd /usr/share/easy-rsa/2.0/CA
chmod 777 keys
cd keys
for file in client.crt client.key ca.crt dh2048.pem pfs.key ca.key; do sudo chmod 777 $file; done

To get the files off of our server and onto our PC, we’ll use a free program called WinSCP. Just use the default installation options. Once that’s done, a window should pop up prompting you to import your server authentication details from PuTTy. Select the one we made above and continue.


Select myvpn (or whatever you named yours) and hit the Edit button. Type in ec2-user under user name. Click on Login.

If this isn’t your first time using WinSCP, you can set the .ppk file you used in PuTTy by clicking Edit and Advanced. Go to SSH > Authentication > Private key file and navigate to your PPK file. In the host name field on the main page, you can enter either the IP address or domain of your EC2 instance. Be sure to save your settings.


In the right pane, navigate to the directory containing your key files, in this case /usr/share/easy-rsa/2.0/CA/keys.

Highlight the five files you’ll need on the client: client.crt, client.key, ca.crt, dh2048.pem, and pfs.key. Hit the green Download button. It doesn’t really matter where they go on the left pane so long as you don’t need admin privileges to access it. We put the files on our desktop for simplicity’s sake.

The last loose end we need to tie up is removing the ca.key file from the server. The CA, or certificate authority, is used to sign client certificates, and if it is ever compromised, you can never trust certificates issued by that CA again. While this isn’t necessary for the VPN to work, we strongly recommend doing it. Make sure you’ve generated all the keys and certificates for every device you want to connect before removing the file. If you want to add more at a later time, you will have to move the ca.key file back onto the server.


We’re going to move the file onto our PC in the same way as we did for the client certificates and keys. This time, however, instead of using the basic “Download” button, use the Download and Delete button to move the ca.key file from your server to your PC. Store it in a secure location.

Once the files have downloaded, we need to restore their stricter permissions on the server so not just anyone can access them. Back in PuTTy:

for file in client.crt client.key ca.crt dh2048.pem pfs.key; do sudo chmod 600 $file; done
cd ..
chmod 600 keys

On your PC, cut and paste those five files from wherever you downloaded them into your OpenVPN config folder. In this case that’s C:\Program Files\OpenVPN\config.

Lastly, we need to create a client configuration file. Open your favorite plaintext editor (Notepad works fine) by right clicking and selecting Run as administrator and paste the following config, replacing the IP address after “remote” with the public IP of your own EC2 instance:

client
dev tun
proto udp
remote 35.164.238.40 1194
ca ca.crt
cert client.crt
key client.key
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
cipher AES-256-CBC
auth SHA512
resolv-retry infinite
auth-retry none
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
tls-client
tls-auth pfs.key

This is a Windows config file for the OpenVPN GUI, so we’ll save it as client.ovpn. Other OpenVPN clients might use the .conf extension instead. Whatever the case, make sure your text editor doesn’t add the .txt extension after saving. Save it into the same location as your key and certificate files: C:\Program Files\OpenVPN\config


Now run the OpenVPN GUI in administrator mode by right clicking it and selecting Run as administrator. Right click the icon in your system tray and connect with the client configuration we just set up. A status screen with loads of text will flash across the screen, and then the icon will turn green.

Congratulations! You are now connected to your homemade VPN.

Method #2: Static encryption (easier, but not recommended)

In this method, we’ll create a shared key for authentication. It’s sort of like a file that acts as a password. It’s easier to set up but only allows a single device to be connected to the VPN at any one time, and is less secure than the easy-rsa method above. In PuTTy, type in the following commands and hit enter:

cd /etc/openvpn
sudo openvpn --genkey --secret ovpn.key

Now we’re going to create a server config file for our VPN. Type the following command to create a blank text file in a very basic text editor inside the terminal:

sudo nano openvpn.conf

Type in the following configuration. You can find more options on the OpenVPN website if you want to play around with this later, but make sure you know what you’re doing first.

port 1194
proto tcp-server
dev tun1
ifconfig 10.4.0.1 10.4.0.2
status server-tcp.log
verb 3
secret ovpn.key

Now hit CTRL+O (that’s the letter ‘O’ not zero) and hit enter to save the file. Then hit CTRL+X to exit the text editor. Back at the command prompt, it’s time to fire up OpenVPN:

sudo service openvpn start

Next we need to get the shared key from the server to your local computer. First we need to change the permissions on that file so we can access it using the following command:

sudo chmod 777 ovpn.key

If at any point you accidentally close PuTTy or it just crashes, you can navigate back to your OpenVPN installation directory after reconnecting using this command:

cd /etc/openvpn

To make this as easy as possible, download and install this free application, WinSCP (Mac users will have to find another FTP client. Don’t worry, there are lots of them). Just use the default installation options. Once that’s done, a window should pop up prompting you to import your server authentication details from PuTTy. Select the one we made above and continue.


Select myvpn (or whatever you named yours) and hit the Edit button. Type in “ec2-user” under user name. Click on Login.


Now you can move files between your EC2 instance server and your local computer. On the right hand panel, navigate up as far as you can, then go to etc/openvpn. Here you’ll find the ovpn.key file that we need. Click and drag it into the folder of your choice, but remember where you put it as we’ll want to move it later.

Now that you have the key, we need to re-apply the old permissions so not just anyone can grab it. Back in your PuTTy terminal, enter:

sudo chmod 600 ovpn.key

It’s time to download the OpenVPN client and GUI for your local computer. Go to the OpenVPN downloads page and choose the appropriate version for your operating system. Install it with the default settings. It should appear in your system tray as an icon once launched. Open up a file explorer and navigate to where you installed OpenVPN, probably in your Program Files folder. Move the ovpn.key file we downloaded from the server to the config folder found here (C:\Program Files\OpenVPN\config, if you used the default installation directory on Windows).

Next we need to create a config file for the local machine to match the one we made on our server. Open up Notepad and paste the following, replacing the IP address after “remote” with the IP of your EC2 instance (if you’ve forgotten it, find it in your AWS Console under EC2 Instances). Also double check that the full file path pointing to your key is correct.

proto tcp-client
remote <your EC2 IP here>
port 1194
dev tun
secret "C:\\Program Files\\OpenVPN\\config\\ovpn.key"
redirect-gateway def1
ifconfig 10.4.0.2 10.4.0.1

Save it as myconfig.ovpn (make sure your text editor doesn’t save it as myconfig.ovpn.txt by mistake) in the config folder of your OpenVPN installation, the same place as your ovpn.key file.
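As an added example (not code from the original article), here is a small Python checker that tokenizes config lines with OpenVPN’s own quoting rules and cross-checks the Method #1 server.conf/client.ovpn pair and the Method #2 static pair for the settings both ends must agree on. The sample configs are constructed, shortened copies of the ones above, with 203.0.113.10 as a placeholder IP; the unquoted variant reproduces why a Windows path with a space in the secret line ends up as OpenVPN’s “Unknown key direction” error.

```python
"""Tokenize OpenVPN config lines with OpenVPN's quoting rules and cross-check a server
config against a client config.  Samples are constructed, shortened copies of the
tutorial's configs; 203.0.113.10 is a placeholder for the instance's public IP."""
def parse_line(line):
    """Split one line like OpenVPN does: double quotes group words, a backslash escapes
    the next character (a Windows path needs doubled backslashes), '#'/';' start a comment."""
    args, cur, state, backslash = [], "", "initial", False
    for ch in line + " ":  # the trailing space closes a final unquoted word
        if not backslash and ch == "\\":
            backslash = True
            continue
        consumed = False
        if state == "initial":
            if ch.isspace():
                pass
            elif ch in "#;":
                break
            elif not backslash and ch == '"':
                state = "quoted"
            else:
                cur, state, consumed = ch, "unquoted", True
        elif (state == "unquoted" and not backslash and ch.isspace()) or \
             (state == "quoted" and not backslash and ch == '"'):
            args.append(cur)
            cur, state = "", "initial"
        else:
            cur += ch
            consumed = True
        # OpenVPN rejects a backslash in front of anything but '\', '"' or whitespace
        if backslash and consumed and ch not in '\\"' and not ch.isspace():
            raise ValueError("Bad backslash usage in: " + line)
        backslash = False
    if state == "quoted":
        raise ValueError("No closing quotation in: " + line)
    return args

def parse_config(text):
    """Map each directive to the arguments of its first occurrence."""
    conf = {}
    for line in text.splitlines():
        args = parse_line(line)
        if args:
            conf.setdefault(args[0], args[1:])
    return conf

def cross_check(server, client):
    """List the settings on which the server and client configs disagree."""
    problems = []
    sproto = server.get("proto", ["udp"])[0].replace("-server", "")
    cproto = client.get("proto", ["udp"])[0].replace("-client", "")
    if sproto != cproto:
        problems.append("proto: server %s vs client %s" % (sproto, cproto))
    remote = client.get("remote", [])
    sport = server.get("port", ["1194"])[0]
    cport = remote[1] if len(remote) > 1 else client.get("port", ["1194"])[0]
    if sport != cport:
        problems.append("port: server %s vs client %s" % (sport, cport))
    for name in ("cipher", "auth"):
        s, c = server.get(name, ["default"])[0], client.get(name, ["default"])[0]
        if s != c:
            problems.append("%s: server %s vs client %s" % (name, s, c))
    for name in ("tls-auth", "secret"):  # both ends need the shared key, or neither
        if (name in server) != (name in client):
            problems.append("%s present on only one side" % name)
    secret = client.get("secret", [])  # 'secret file [direction]': direction is 0 or 1
    if len(secret) > 1 and secret[1] not in ("0", "1"):
        problems.append("Unknown key direction '%s' (must be '0' or '1')" % secret[1])
    sif, cif = server.get("ifconfig", []), client.get("ifconfig", [])
    if sif and cif and sif != cif[::-1]:  # static method: local/remote swap ends
        problems.append("ifconfig: the client's addresses must mirror the server's")
    return problems

SERVER_PKI = """\
proto udp
key /etc/openvpn/keys/server.key # This file should be kept secret
cipher AES-256-CBC
auth SHA512
tls-auth /etc/openvpn/keys/pfs.key
"""
CLIENT_PKI = """\
remote 203.0.113.10 1194
cipher AES-256-CBC
auth SHA512
tls-auth pfs.key
"""
SERVER_STATIC = """\
proto tcp-server
ifconfig 10.4.0.1 10.4.0.2
secret  ovpn.key
"""
CLIENT_STATIC = r"""proto tcp-client
remote 203.0.113.10
secret "C:\\Program Files\\OpenVPN\\config\\ovpn.key"
ifconfig 10.4.0.2 10.4.0.1
"""
# Same client config with the path left unquoted, as in a reader comment further down
CLIENT_STATIC_UNQUOTED = CLIENT_STATIC.replace('"', "")

if __name__ == "__main__":
    for s, c in ((SERVER_PKI, CLIENT_PKI), (SERVER_STATIC, CLIENT_STATIC),
                 (SERVER_STATIC, CLIENT_STATIC_UNQUOTED), (SERVER_STATIC, CLIENT_PKI)):
        print(cross_check(parse_config(s), parse_config(c)) or "configs agree")
```

Running it prints "configs agree" for both matching pairs, the key-direction error for the unquoted path, and five mismatches when a Method #1 client is pointed at a Method #2 server.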


Right click on the OpenVPN icon in your system tray and click Exit to quit. Now start it up again–either from the desktop shortcut or from the Program Files folder–but this time use right click and hit “Run as administrator”. If you don’t run OpenVPN as administrator on Windows, it probably won’t work.

Right click the system tray icon and click Connect. The OpenVPN GUI should pop up showing you the connection status. Assuming it worked, the system tray icon will turn green. Go to Google and type in “What’s my IP?”, and it should return the IP address of your Amazon EC2 Instance.


Congratulations, you just made your own VPN!

Additional notes

If you want to protect your VPN from deep packet inspection, a technique used by censorship regimes in places like China and Syria to block OpenVPN connections, check out our tutorial on setting up Obfsproxy.

Remember to keep your bandwidth within Amazon’s free tier limits. The easiest way to do this is to right click on your instance in the AWS Console and click on the “Add/Edit Alarms” link. You can set your server to stop or even terminate after a few hours of inactivity. The free tier allows for 750 hours per month (which covers the whole month), so you shouldn’t need to do this. Those users past their initial free year of service or doing more with their server, however, can prevent unnecessary charges for unused server time.

Somewhere in this tutorial, something will probably go wrong for you. If you really want a VPN but aren’t willing to do your fair share of troubleshooting, it’s probably best to opt for a paid VPN service. They also allow you to channel your internet traffic through multiple geographic locations, whereas an EC2 instance is limited to just one. Check out our VPN reviews here!

Hardcoding DNS servers into your VPN

If you need to set specific DNS servers to use with your VPN, there are a couple of options.

To “push” the DNS server to the client, add this line to the server config. This will affect all of the devices that connect to your VPN (quotes included):

push "dhcp-option DNS 45.56.117.118"

Alternatively, you can set the DNS in an individual client config using:

dhcp-option DNS 45.56.117.118

In these examples I used an OpenNIC public DNS server with anonymous logging located in the US. You can find an OpenNIC server in the country of your choice and filter by features like anonymous logging and DNSCrypt here.

Special thanks to Dctr Watson’s blog, which I leaned on as a resource when writing this article.


144 thoughts on “How to make your own free VPN with Amazon Web Services”

  • Hello, thanks for your guide. It is very helpful. I have a problem: I followed the 2nd method (static encryption), and when I try to connect via OpenVPN GUI (run as admin), this is the error code: “SIGUSR1[connection failed(soft),init_instance] received, process restarting”
    Any idea? Thank you

  • Hello, I followed the static encryption method. When I attempt to connect via OpenVPN GUI there is this error message: SIGUSR1[connection failed(soft),init_instance] received, process restarting

    Any idea?
    Thank you so much

    • Maybe you didn’t create the CA directory. Try “cd /usr/share/easy-rsa/2.0/” then “ls” to see what directories and files are there.

  • This is pretty clearly the best writeup for this process that currently exists.

    I am running into a bit of trouble with forwarding, though. My client is able to connect to the server, but is unable to pass through to any other host.

    ```
    >tail /etc/openvpn/openvpn.log
    Sat Jul 15 17:56:47 2017 {SANITIZED_CLIENT_IP}:41154 TLS: Initial packet from [AF_INET]{SANITIZED_CLIENT_IP}:41154, sid=5f649215 d7cb2211
    Sat Jul 15 17:56:48 2017 {SANITIZED_CLIENT_IP}:41154 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, CN=Fort-Funston CA, name=EasyRSA, emailAddress=me@myhost.mydomain
    Sat Jul 15 17:56:48 2017 {SANITIZED_CLIENT_IP}:41154 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=client, name=EasyRSA, emailAddress=me@myhost.mydomain
    Sat Jul 15 17:56:48 2017 {SANITIZED_CLIENT_IP}:41154 peer info: IV_GUI_VER=net.openvpn.connect.android_1.1.17-76
    Sat Jul 15 17:56:48 2017 {SANITIZED_CLIENT_IP}:41154 peer info: IV_VER=3.0.12
    Sat Jul 15 17:56:48 2017 {SANITIZED_CLIENT_IP}:41154 peer info: IV_PLAT=android
    Sat Jul 15 17:56:48 2017 {SANITIZED_CLIENT_IP}:41154 peer info: IV_NCP=2
    Sat Jul 15 17:56:48 2017 {SANITIZED_CLIENT_IP}:41154 peer info: IV_TCPNL=1
    Sat Jul 15 17:56:48 2017 {SANITIZED_CLIENT_IP}:41154 peer info: IV_PROTO=2
    Sat Jul 15 17:56:48 2017 {SANITIZED_CLIENT_IP}:41154 peer info: IV_LZO=1
    Sat Jul 15 17:56:48 2017 {SANITIZED_CLIENT_IP}:41154 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Sat Jul 15 17:56:48 2017 {SANITIZED_CLIENT_IP}:41154 [client] Peer Connection Initiated with [AF_INET]{SANITIZED_CLIENT_IP}:41154
    Sat Jul 15 17:56:48 2017 client/{SANITIZED_CLIENT_IP}:41154 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
    Sat Jul 15 17:56:48 2017 client/{SANITIZED_CLIENT_IP}:41154 MULTI: Learn: 10.8.0.6 -> client/{SANITIZED_CLIENT_IP}:41154
    Sat Jul 15 17:56:48 2017 client/{SANITIZED_CLIENT_IP}:41154 MULTI: primary virtual IP for client/{SANITIZED_CLIENT_IP}:41154: 10.8.0.6
    Sat Jul 15 17:56:48 2017 client/{SANITIZED_CLIENT_IP}:41154 PUSH: Received control message: ‘PUSH_REQUEST’
    Sat Jul 15 17:56:48 2017 client/{SANITIZED_CLIENT_IP}:41154 SENT CONTROL [client]: ‘PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM’ (status=1)
    Sat Jul 15 17:56:48 2017 client/{SANITIZED_CLIENT_IP}:41154 Data Channel: using negotiated cipher ‘AES-256-GCM’
    Sat Jul 15 17:56:48 2017 client/{SANITIZED_CLIENT_IP}:41154 Data Channel Encrypt: Cipher ‘AES-256-GCM’ initialized with 256 bit key
    Sat Jul 15 17:56:48 2017 client/{SANITIZED_CLIENT_IP}:41154 Data Channel Decrypt: Cipher ‘AES-256-GCM’ initialized with 256 bit key
    ```

    I suspect I need to modify something in `iptables`, but I’m really not sure what those commands you suggested we enter even do.

  • Very good tutorial, I was able to use it to get a simple server going. I just discovered that Amazon is offering a simple VPS service called Lightsail, a scaled-back version of EC2. It’s only free for the 1st month, but $5.00 per month for their cheapest package, which includes 1 TB of data. EC2 is free for the server but the cost per GB can add up quickly if you are using it as a VPN server. Cheers.

  • Hello, I try to connect, but I have this error:
    The requested name is valid but does not have an IP address.

    • It could be that your EC2 instance changed IP addresses. Check your EC2 dashboard and update your client config accordingly.

  • Hello, thank you very much for the guide, we are using it with no problems at all, just have one question: will it be possible to add a “DHCP pool” of addresses to auto-assign addresses? We need like 6 or more concurrent users. Thank you

    • I’m not sure about a DHCP pool, but we are working on publishing a tutorial in the near future on how to set up easy-rsa. That way you can assign certificates to multiple users instead of a single connection using the .ovpn key.

  • Excellent tutorial, I was wondering and have always kind of wondered, could implementing a process like this prevent your ISP from throttling your data or seeing how much data is being used? It seems that technically you are using Amazon’s data and that it would be kind of blocked behind Amazon, with the ISP only seeing the original connection. Am I interpreting this correctly? If not, is there anything I could do to get a setup that achieves this? Thanks a ton!

    • So long as you route your DNS requests through the VPN, your ISP can only see that traffic is being transmitted, but not its destination or contents. There’s no way to avoid the ISP seeing how much data you’re using, as you’re still using their pipes and data centers to get traffic to Amazon.

  • Hi, thanks for the tutorial

    I have successfully completed your instructions, until http://www.whatsmyip.org/ returns the IP of my remote server.

    But I do not know how to scan the remote server’s folders. I have opened all UDP and TCP ports, but still “\\ public-remote-ip” returns me that Windows cannot access

  • Hi, thanks for the tutorial

    I successfully completed the connection, but I do not know how to scan the remote server folders from Windows.

    “\\ ip-server” returns me that Windows cannot access the folder

  • Any idea what this is and how to fix it? Can’t find any good info on how to set the key direction.

    Options error: Unknown key direction ‘Files\OpenVPN\config\ovpn.key’ -- must be ‘0’ or ‘1’
    Use --help for more information.

  • Hi Paul,
    I am following the steps exactly as you mentioned. openvpn service is running under amazon linux. However I am getting “Missing External PKI” error when I try to connect to it. I know this is due to the key has been generated. is there any steps that I am missing here?

  • VPN is a bit slow, I tried switching to UDP rather than TCP which improved the speed but it’s still a lot slower than my connection.

    Any ideas?

  • Paul,

    I am new to AWS and am trying to make the setup below. Could you please let me know your view on whether it’s possible.

    1. I have created a Windows Virtual Machine in AWS.
    2. I have a server installed on AWS EC2 which needs to fetch some data from my laptop (client) via SSH.
    3. As I am a home user, is there a possibility that the AWS Virtual Machine can SSH to my home laptop, which is connected to an ISP router?

    Is there a possibility to SSH to my machine without having a public IP?

    Looking forward to hear from you. Thanks

    Sagar

  • Thanks Paul,
    However, I made the mistake of “stopping” the instance once I was done. When I came back the next day and started it again VPN would no longer work. Obviously, I need also to Putty into it and tell it to start OpenVPN. OpenVPN thinks it’s working, but no web pages would load on my browser, so apparently a few more of the setup commands are needed. Not a problem while I’m in the free period, but I’ll want to be able to stop it when I won’t be using it for long periods. Can you point to how to easily put these all in a script that runs whenever the instance is started?

    Also, is this a case where we should be using “elastic IPs”? When I restarted the assigned IP address is different, so had to modify the settings in the openvpn config file.

    Thanks much,
    Jim

    • Yes the elastic IPs are helpful if you’re frequently starting/stopping. To make it work on startup, look into setting up OpenVPN Access Server. That will give you a web GUI to control things from and can be configured to run whenever the instance is running. A tutorial for this is in my queue but might be awhile before I get to it.

  • Well done, Paul, thank you so much. Was able to get it up and running relatively easily even though I’m a novice at this. I did have to add an entry to the security group for custom TCP to port 1194, but that was it. Now I’ll have to dig into RSA so I can get it working on multiple devices.

  • Ok here is the problem and solution:
    http://unix.stackexchange.com/questions/292091/ubuntu-server-16-04-openvpn-seems-not-to-start-no-logs-get-written
    Shorter version:
    run this:
    sudo systemctl start openvpn@[CONFIG FILENAME WITHOUT EXTENSION HERE].service
    Now if we run above command with status instead of start we see status is:
    Active (Running)
    Instead of:
    Active (Exited)
    Because the actual openvpn.service in Ubuntu servers is just a dummy service!
    The vpn connection should be able to establish even after instance reboot.

  • Thanks. This is the only article online that covers exactly what I need. But unfortunately it doesn’t work. It missed some command somewhere and anyone must have found a way to fix it but forget or didn’t find time to mention it somewhere on the internet.
    So here’s the problem:
    TCP: connect to [AF_INET]XX.XX.XX.XX:1194 failed, will try again in 5 seconds: Connection refused
    I have UDP/TCP for 1194 from anywhere open on my AWS EC2 security group.
    I checked that the security group is assigned to the EC2 instance.
    I can SSH to the server, so the server is up and running.
    What I understood is that when we start the service on the server, there is no way to tell the service where to look for the conf file. I put random characters in the conf file and the service was still able to restart successfully! I even removed the conf file from the server and the service still restarted successfully. Status says it is active and green.
    I’m sure port 1194 is open, because if I remove the rules on the AWS security group the error is connection timed out. If I add them, the error is connection refused. So the rules work. There is no server on the port listening for input. There is no log file created with the name server-tcp.log anywhere on the server’s storage. It apparently ignores the config file. Any idea?
    Thanks in advance.

  • Paul,
    Great document. Just a couple things on feedback.
    OpenVPN gives a warning about the cipher being too weak
    Suggest including the line
    cipher AES-256-CBC

    Can you also include how to configure multiple certs so you can run VPN on 2 or more computers?

    Best,

    • Hi Rob,
      Multiple certs have been on our agenda for a while now, but I haven’t had a chance to write up a tutorial yet. Noted about the cipher, thanks.
      Best,
      Paul

      • Hello Paul,
        I’m very grateful for the time taken to put the write-up together.
        I followed the process as described, but after the setup my PuTTY connected while other things like browsers refused to connect.
        What might be the cause of that, please?

  • I have two Win10 x64 Pro desktops behind my ISP NATing router/firewall. According to google they both have the same IP. I’ve setup identical OpenVPN client configs on each. They both can establish a connection to an ec2 OpenVPN server configured per your instructions, but not simultaneously (the second one just hangs establishing the connection). I’ve looked through the OpenVPN server config but nothing’s jumping out at me. Do I need to config the server to listen on as many ports as I’ll have simultaneous client connections and then config each client to connect to one of those different ports each? Some other secret sauce?

  • Followed your year old recipe and I think it worked like a champ (the ec2 gui changed a bit but it was easy enough to figure out). I say I think because when I check https://www.iplocation.net/find-ip-address before and after, the after shows the EC2 IPv4 address. But if I type “What’s My IP” into Google before and after, it’s the same IPv6 address.

    Is it working??? It doesn’t seem right that it should be the same IPv6 address

    • Hi Mark,

      Unfortunately, IPv6 leaks are a common issue with OpenVPN on Windows 10 (not sure about other Windows versions). Windows sends out DNS requests on both IPv4 and IPv6 and uses whichever comes back faster to improve page load times. What most commercial VPNs do to get around this is disable IPv6 altogether and just use IPv4. You can do this in your network settings.

      Best,

      Paul

      • That did it. Thanks! (who needs HomeGroup, it’s very hit/miss anyway).

        BTW, I’m running the OpenVPN GUI without Admin priv under up-to-date Win10 x64 Pro and Home and it works Just Fine. It’ll be interesting to see once the free year runs out how much it costs to keep it running. Does it cost anything for the ec2 instance to run idle/unused?

        Thanks again for the walk-through.

        • If I leave an instance running but don’t use it, it usually adds $5 or less onto my bill. I’m running a few other instances as well and haven’t looked at the exact breakdown for how much an idle one costs.

    • Technically that’s correct, but Amazon has pretty strict rules about accessing customers’ data. It wouldn’t be practical or beneficial for them to snoop on your EC2 instance.

  • Hi,

    Before I invest time in this, one question. With Netflix’s aggressive VPN blocking, are you able to watch Netflix when using this VPN?

    • I’ve had mixed results. I think Netflix has banned a range of EC2 IPs but not all of them. Luckily, unless you have an elastic IP set up, you can just reboot the instance to get a new IP and try again. Make sure you change your config as necessary.

  • What is the security structure like once the VPN connection to my Linux instance on AWS is up? At home I’m “protected” by the NAT and firewall of my router. How does that work with this VPN solution?

  • Thanks for this easy to follow guide. I’m able to setup the VPN and connect to it using my windows client. I require two more things:
    1) How to access the OpenVPN admin interface via browser
    2) How to connect using Linux Client

    Thanks in advance

    • The admin interface is a separate installation called OpenVPN Access Server. It’s not included in this tutorial but I’ll look into a separate tutorial for that later. As for your Linux client, it should be more or less the same thing but with your Linux terminal instead of PuTTy. Make sure you allow your Linux device to connect in your AWS security groups.

  • Great white paper. I have not installed OpenVPN yet. I was wondering why your VPN test did not prompt for a username and password.

  • Hi, thanks for the tutorial! I’ve been looking to get a VPN started because of the Snooper’s Charter that came into play in the UK (which is something I heavily dislike), but paid VPNs seem to have quite a few problems, ranging from sites blacklisting their IPs to speed and privacy issues. As such, I want to ask how safe it is to use Amazon as a server provider considering it is a US company (Five Eyes and whatnot)? Is it possible that Amazon could keep logs of what websites I visit if I have a VPN set up with AWS? Alternatively, what VPNs would you recommend which have a good mix of privacy and speed and which aren’t blacklisted from tons of sites?
    Thanks

    • I suppose it’s always possible that Amazon could be logging activity but I highly doubt it. Unless you’ve included some mechanism that logs traffic on your VPN, then there won’t be anything other than some metadata in the server logs for them to see. You can even minimize this by lowering the verbosity in your server config.

      As for what VPNs to use that aren’t blacklisted, NordVPN has been pretty reliable for me lately, and ExpressVPN is also good. You have to contact customer service to ask which server can unblock which sites.

  • Hey Paul! It seems that everything was fine until I tried to connect to the OpenVPN. Here’s the log:

    Wed Nov 23 18:56:47 2016 Attempting to establish TCP connection with [AF_INET(myip):1194 [nonblock]
    Wed Nov 23 18:56:57 2016 TCP: connect to [AF_INET](myip):1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)

    I even created a rule for the port on the firewall but it didn’t seem to work.

      • I’m facing the exact same issue. I’m running an Ubuntu instance though, not Amazon Linux. Everything works and the service is up; the security group was also checked several times. I even tried opening everything to anywhere.
        Didn’t work. Any suggestion?

  • Hi,

    I can connect to the client and my IP is the same as EC2’s, OpenVPN is connected, but I still cannot get on to the sites that are blocked in my location, i.e. China. I am wondering where I went wrong?

    Any thoughts?

    Best,

    Naman

  • Hi Paul,

    First and foremost – thanks so much! Very much appreciated.
    I have a little problem though. I can connect to the server, but can’t connect from there to the outside world. I’m probably making an obvious mistake.

    Any ideas?

    Best,
    Declan
    ——————————————————————-
    2016-11-10 23:04:42 /sbin/route add -net 54.81.225.179 192.168.0.1 255.255.255.255
    add net 54.81.225.179: gateway 192.168.0.1
    2016-11-10 23:04:42 /sbin/route add -net 0.0.0.0 10.4.0.1 128.0.0.0
    add net 0.0.0.0: gateway 10.4.0.1
    2016-11-10 23:04:42 /sbin/route add -net 128.0.0.0 10.4.0.1 128.0.0.0
    add net 128.0.0.0: gateway 10.4.0.1
    2016-11-10 23:04:42 Attempting to establish TCP connection with [AF_INET]54.81.225.179:1194 [nonblock]
    2016-11-10 23:04:42 MANAGEMENT: >STATE:1478815482,TCP_CONNECT,,,
    2016-11-10 23:04:43 TCP connection established with [AF_INET]54.81.225.179:1194
    2016-11-10 23:04:43 TCPv4_CLIENT link local: [undef]
    2016-11-10 23:04:43 TCPv4_CLIENT link remote: [AF_INET]54.81.225.179:1194
    2016-11-10 23:04:53 Peer Connection Initiated with [AF_INET]54.81.225.179:1194
    2016-11-10 23:04:54 *Tunnelblick: No ‘connected.sh’ script to execute
    2016-11-10 23:04:54 Initialization Sequence Completed
    2016-11-10 23:04:54 MANAGEMENT: >STATE:1478815494,CONNECTED,SUCCESS,10.4.0.2,54.81.225.179
    2016-11-10 23:05:34 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host’s name after connecting.

    ——————————————————————-

  • Great post. Have you tried to create a layer 3 site-to-site tunnel using OpenVPN? I have, using the OpenVPN Access Server web portal. However, while the server can talk to (ping) the client and vice versa, I can’t figure out how the server can talk to any other computers on the client’s subnet. You don’t happen to know, do you? Or at least the AWS side? Another tutorial perhaps: OpenVPN site-to-site with AWS?

  • Hi Paul,
    Could you please provide a link or input on how to log in to the OpenVPN client using a username and password for more than 2 users.

    Thanks,
    bheema.

    • Hi Jeff,
      Haven’t tested this myself but I think you can add this to your server config to “push” the DNS server to the client:
      push "dhcp-option DNS 10.11.12.13"
      Alternatively, you can set them in the client config using:
      dhcp-option DNS 10.11.12.13

      Best,

      Paul

    • Under settings in FileZilla there is a place to put the PuTTY SSH key. Once you import that, you can log in with the username ec2-user; just make sure your port is 22.

    • Hi Paul,

      It seems that I encountered the same warning as Jackson Wolf. Why is our connection failing? Can you help fix it?

      Looking forward to your response.

      Cheers,
      Jesse

    • Hi,

      I followed the tutorial step by step but it did not work!!

      Is there a way to discover the reason using the OpenVPN output?

      • Hi Belhassen,
        There is a client log and a server log for OpenVPN. You should be able to diagnose the problem using one or the other or both.
        Best,
        Paul

  • Great tutorial!!! Thank you, Paul. After following OpenVPN instructions above, my public IP address is now my EC2’s IP address. I’m primarily using this when I am traveling abroad. When I go to http://www.whatismyipaddress.com, the EC2’s IP address is indicated but it shows my current foreign location. Any settings I can tweak to have the IP detected as within the US? My EC2 instance is in “N. California”.

    • Hi Alonzo,

      It could be a DNS leak, which this tutorial does not account for. Try changing to Google DNS or OpenNIC DNS servers and see if that helps.

  • Excellent article Paul. Do you know if it is possible to have username and password authentication from the client in static key mode? I am trying to convert your config to add username/password as a secondary check.
    -Steve

    • I’m not positive but OpenRSA might support this. In any case it will boost your security and allow you to connect multiple simultaneous devices.

  • Great tutorial, thanks.

    I managed to get connected (green icon) but still get my own WAN IP when I check against WhatsMyIP. Any thoughts on where I could be going wrong?

    Thanks

  • I got everything setup (including using openvpn to tunnel everything on my pc) and it works good. Thank you for this tutorial. It’s one of the best on the Web, very good for beginners too.

    Now, I was wondering. Is it possible to tunnel my whole router traffic, including wifi?

    So that when I connect to WiFi it also is “tunneled” connection using static ip from amazon?

  • Any chance you might consider doing a parallel article for setting up in Azure? I have come very close, but some of the networking defaults on an Azure Linux VM seem to be different from Amazon’s and I’m not getting the packets forwarded from Azure to the destination site.

    • Hi Ken,
      We’ll look into an Azure VPN setup tutorial but we’ve got quite a backlog of articles to get to so I don’t want to promise anything.
      Let us know if you figure it out!
      Best,
      Paul

  • I’m working within the free tier of AWS with a t2.micro instance. When I attempt to install OpenVPN, I get the following:

    sudo yum install -y openvpn
    Loaded plugins: amazon-id, rhui-lb, search-disabled-repos
    rhui-REGION-client-config-server-7 | 2.9 kB 00:00
    rhui-REGION-rhel-server-releases | 3.5 kB 00:00
    rhui-REGION-rhel-server-rh-common | 3.8 kB 00:00
    (1/7): rhui-REGION-client-config-server-7/x86_64/primary_d | 5.5 kB 00:00
    (2/7): rhui-REGION-rhel-server-releases/7Server/x86_64/gro | 699 kB 00:00
    (3/7): rhui-REGION-rhel-server-rh-common/7Server/x86_64/gr | 104 B 00:00
    (4/7): rhui-REGION-rhel-server-rh-common/7Server/x86_64/pr | 110 kB 00:00
    (5/7): rhui-REGION-rhel-server-rh-common/7Server/x86_64/up | 29 kB 00:00
    (6/7): rhui-REGION-rhel-server-releases/7Server/x86_64/pri | 26 MB 00:00
    (7/7): rhui-REGION-rhel-server-releases/7Server/x86_64/upd | 1.4 MB 00:00
    No package openvpn available.
    Error: Nothing to do

    It looks like the installer does not exist. What am I missing, or is OpenVPN not available on the free tier?

    • Problem resolved,
      I succeeded in setting up the VPN using Ubuntu 16 by opening the TCP port as follows:

      sudo ufw allow 1194/tcp
      sudo ufw allow OpenSSH
      sudo ufw disable
      sudo ufw enable

  • I found that using OpenVPN in this way, while having IPv6 enabled on your local client, will leak lots of traffic locally over IPv6.

    To solve this, I added these lines to my client config:

    tun-ipv6
    route-ipv6 2000::/3
    ifconfig-ipv6 2001:db8:0:123::2 2001:db8:0:123::1

    I still have to solve how to forward IPv6 traffic on the server side.
    But it does solve the IPv6 data leakage, basically by just dumping all IPv6 traffic into a black hole.

  • Thanks for the tutorial however I have a Mac so what do I do once I get to SSH tunneling? Also is there a tutorial to configure the client to use DNS on my AWS instance to prevent lookups on my client environment?

    • Hi Justin,
      We don’t have tutorials for Mac or setting up DNS with OpenVPN at this time. Once you get to SSH tunneling, you can choose to use a simple port forward+SOCKS proxy or set up the full VPN. Because Macs have a proper Unix terminal, you should be able to connect directly to the server through that instead of something like PuTTy.
      Best,
      Paul

    • I added this to the server config:

      push "dhcp-option DNS 172.31.0.2"

      where 172.31.0.2 is the address I found in /etc/resolv.conf.
      I am not sure if that is the same for all EC2 instances.
      Maybe there is a way to tell OpenVPN to use whatever address it finds in /etc/resolv.conf?

  • Great work,
    but I see the DNS configuration is missing or not included,

    so where can we add DNS for the client DHCP?

    thank you,

  • Paul,

    Great write-up, thanks!

    I got it working with a windows client. Can you point me in the direction of getting it to work with the linux client?

    • Hi Will,
      We’re working on a tutorial that should be finished in the next week or two for Linux users. If you need something before then, Google is your best friend. You could also try the OpenVPN forums.
      Best,
      Paul

  • Wow! Used this to set up a single-user VPN server.

    Just spent a couple days finagling with openrsa, using a couple websites, and was able to install it and start making keys, but cannot figure out how to tie that in to openVPN for multiple users.

    Any chance of a write-up or other help for us noobs looking to set up VPN servers for multiple (home, fair use, single-family) clients?

    • Hi Bartholomew,

      I’ll look into writing an openrsa tutorial, but I’ve got a queue of other articles to get to first. In the meantime, I would recommend checking out the official OpenVPN forums for tips and setup help.

      Best,

      Paul

  • Hi,
    I am behind a fortiguard firewall, could this be the reason I am getting:
    TCP: connect to [AF_INET] (my ip) failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
    while trying to connect through OpenVPN?

    Let me know,
    Thanks

    • Hi Ben,

      Yes, that could be the reason. You might try a different port and see if that helps.

      Best,

      Paul

      • Hi Paul,
        Thanks for the quick reply!

        I changed the port to 443, and now I get this:

        TCP connection established with [AF_INET](my ip):443
        TCPv4_CLIENT link local: [undef]
        TCPv4_CLIENT link remote: [AF_INET](my ip):443
        read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (code=10060)
        Connection reset, restarting [-1]
        SIGUSR1[soft,connection-reset] received, process restarting

        Any suggestions?

        Thanks

        • Hey Ben,

          443 is often reserved for HTTPS web traffic, so it might not work with OpenVPN. Try 119, 563, 1080, 1194, and 8080. You may need to install a special program to see what TCP ports are open in the firewall if those don’t work.

          Best,

          Paul

          • I spoke too soon. Shortly after it connected, it disconnected again. I could only get it to work by restarting the OpenVPN server on the AWS instance. Here are the logs. Any ideas?

            TCP: connect to [AF_INET]:8080 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
            TCP connection established with [AF_INET]:8080
            TCPv4_CLIENT link local: [undef]
            TCPv4_CLIENT link remote: [AF_INET]:8080
            Peer Connection Initiated with [AF_INET]:8080
            Initialization Sequence Completed
            write TCPv4_CLIENT: Connection reset by peer (WSAECONNRESET) (code=10054)
            read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (code=10060)
            Connection reset, restarting [-1]
            SIGUSR1[soft,connection-reset] received, process restarting
            WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
            WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
            do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
            open_tun, tt->ipv6=0
            TAP-WIN32 device [Local Area Connection 14] opened: \\.\Global\{F17B3899-247A-4916-BF49-E2BA19FEDC7B}.tap
            Notified TAP-Windows driver to set a DHCP IP/netmask of 10.4.0.2/255.255.255.252 on interface {F17B3899-247A-4916-BF49-E2BA19FEDC7B} [DHCP-serv: 10.4.0.1, lease-time: 31536000]
            Successful ARP Flush on interface [105] {F17B3899-247A-4916-BF49-E2BA19FEDC7B}
            Attempting to establish TCP connection with [AF_INET]:8080 [nonblock]
            TCP: connect to [AF_INET]:8080 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
            TCP: connect to [AF_INET]:8080 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)

          • It’s difficult to say without seeing the server logs. Since it was working and then not working, it might be that your computer was assigned a new IP address which isn’t allowed on the AWS security groups. You can change your AWS security settings to allow all traffic on whatever port you want from any IP to avoid this.

          • Hi Paul,

            Thank you SO much for this wonderful and delightful tutorial. It was so easy to follow.

            At first, the OpenVPN client wouldn’t connect on port 1194. I decided to change it to 8080 and that did the trick.

            Thanks again!

          • Well, you could try port 22 but it probably won’t be very fast as it’s usually just for SSH to a server. Without being able to control the firewall, I’m not sure what else to suggest. You could try a UDP setup, which would give you access to more ports, but that will require a different configuration and I’m not sure if it would even solve your problem.

          • Also, make sure the necessary ports are open on your EC2 instance. You can change them using iptables from the command line or under Security Groups on the AWS Dashboard.

  • Nice tutorial. However, when I attempt to connect to the VPN, OpenVPN shows “TCP: Connect to [AF_INET](MY EC2 IP ADDRESS) failed.”
    What should I do to deal with it?

    • Hi Vincent,
      That’s a pretty vague error, so I can’t diagnose it without more details. Find the server log and see if it gives you any more details. It should either be in the same directory as the config file as server-tcp.log or in /var/log/syslog or /var/log/openvpn.log

      Best,

      Paul

    • Hi Anas,

      You can just import the same config file that you use on your PC, along with the associated key file, to whatever OpenVPN client you are using on those devices. Make sure to allow the IP addresses for those devices through the firewall using AWS security groups or iptables. However, if you want to connect multiple devices at the same time, you’ll need to create certificates for each, which gets more complicated. I don’t have a tutorial for that yet, but you can look into easy-rsa for generating these certificates.

      Best,

      Paul

  • I’m running into an issue where OpenVPN isn’t giving my workstation a DNS address. I followed the guide and can’t see if I missed anything. Manually setting the adapter to Google DNS works. Any ideas?

    • Hi Quinn,
      It’s hard to tell without seeing your config and log files. Are you able to connect to the internet through the VPN with Google DNS?
      -Paul

  • Paul,
    Thanks for your guide. Unfortunately, it seems like my ISP is blocking everything except traffic via ports 80/443. Is there any way to overcome this limitation? Even if I set up source port 80 or 8080 in PuTTY it does not allow me to connect (timed out).
    Thanks.

    • Hi Mike,
      Have you checked the security groups on AWS to make sure traffic through those ports is open?
      -Paul

      • Hey Paul,

        Thanks for your help. Actually, I’ve tested my setup using mobile internet from my phone – everything was working smoothly (when I connected on port 8080), but it didn’t work with my regular ISP. So, I assumed that port 8080 is also blocked or filtered. However, OpenVPN refused to connect on 80/443 (I think these ports accept only specific traffic). So, do you have any idea how to deal with this issue?
        PS: I could connect my work laptop to the corporate network using Cisco Any.. via the same wifi, which I use for my personal laptop. I tried to use port 4500 (UDP, usually used by Cisco) in my OpenVPN setup but it did not play well.

      • Bingo!

        I triple-checked that firewalls weren’t blocking communication on port 1194 on either end and was confused why OpenVPN was stuck at “connecting”…until Paul’s comment.

        I added UDP 1194 to the security group for my instance, and it connected with no problem. Thanks Paul.

  • Hi Paul, great tut.. Out of curiosity I’m looking to have amazon act as a backup VPN service in the event our corp connection dies. Using your defined method is it possible to allow multiple users to connect to the new VPN service and from said service connect to our various VPC’s? on amazon?

    • Hi Austin,
      Yes, it is possible, but ideally you would use tls-auth instead of the pre-shared private key (ovpn.key in this tutorial) for multiple simultaneous users. You’ll need to generate different authentication credentials for each simultaneous user and make sure the appropriate ports are opened up so they can connect from their respective IP addresses. You can look into installing easy-rsa to generate TLS certificates.
      Best,
      Paul

  • I followed the directions and was able to VPN to my AWS server. What I would like to do now is create an SSH tunnel from the AWS server to a Linux server at my home. I put a hole in the firewall and can create a tunnel, however I can’t seem to pass RDP traffic across that. I created the tunnel like this: “ssh -N -f -L3389:localhost:3389 “. When I try to run “telnet localhost 3389” I get this error on the remote computer: “error: connect_to localhost port 3389: failed.” On the server in my home I ran this rule: “firewall-cmd --add-forward-port=port=3389:proto=tcp:toport=3389:toaddr=192.168.1.225”. However, the traffic seems to die at the end of the tunnel.

  • Hi Thanks for the guide.
    I have successfully connected to my EC2, however there is no connection coming in.
    I tried both the SSH tunnel and openVPN both yield the same result.
    Any idea what I am missing?

  • Thank you so much .. it was helpful .

    but as you the internet speed within the server is about 750 Mbps!
    How can I use that high speed to download files to my PC?

    tnx in advance

    • Hi alpionscop,

      A VPN doesn’t change the maximum download speed allocated by your ISP, which is probably much less than 750 Mbps. On top of that, the encryption and re-routing of internet traffic that takes place with a VPN will slow your download speed down, usually by about 10 percent.

      -Paul

      • Paul, I’m getting very slow speed through the VPN.

        I tried switching to UDP to see if that helps, it did but only for a short while. Seems to be an odd issue where it speeds up and slows down.

        I disconnected the VPN and did a speed test, which was working fine.

        Any ideas?

  • This a great tutorial, thanks! The only thing I’m stuck on is trying to get the VPN service to start automatically every time I restart my EC2 instance. I’d like it to run without having to login through SSH and manually start the openvpn service. Any suggestions?

  • Thanks for this extremely helpful article. I followed the instructions to the letter and it worked perfectly!

    Do you know how to make the OpenVPN client configuration file work with an Asus Router (I have an RT-AC87U)? I want to route all traffic in my home through the VPN server.

    I have basic technical knowledge, and I know how to navigate the Asus interface, but I’m not sure how to use the config file to “point” to the ovpn.key file that I uploaded to the router.

    • Hi Chris,

      I’m glad the article was helpful. I’m not sure how to help you with your router, though, as I don’t have a similar one on hand. If you know what type of firmware your router uses–DD-WRT, Tomato, etc–then that should point in the right direction with a Google search.

      -Paul

  • proto tcp-client
    remote
    port 1194
    dev tun
    secret "C:\\Program Files\\OpenVPN\\config\\ovpn.key"
    redirect-gateway def1
    ifconfig 10.4.0.2 10.4.0.1
    daemon

    The client config is wrong, you can’t run daemon on Windows.
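The client-side problems raised across this thread (the daemon directive on Windows, the SWEET32 cipher warning, the missing DNS option, IPv6 leakage, and one-client-at-a-time static-key mode) can be checked mechanically before a config is handed to a user. The following is an added example, not code from the article or the commenters; the remote address 203.0.113.10 is a constructed placeholder, 172.31.0.2 is the VPC resolver a commenter reported, and the block-ipv6 directive is assumed to exist only in newer OpenVPN releases.

```python
"""Lint an OpenVPN client config for the pitfalls raised in this comment thread.
Added example, not code from the article or its commenters."""
import shlex

# 64-bit block ciphers; OpenVPN's own SWEET32 warning covers these.
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}


def parse_config(text):
    """Return [(directive, [args]), ...], skipping comments and the inline
    <tag>...</tag> blocks that carry certificate or key material."""
    entries, in_block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                       # inside <ca>...</ca> etc.
            in_block = None if line == f"</{in_block}>" else in_block
            continue
        if not line or line[0] in "#;":    # blank or comment
            continue
        if line.startswith("<") and not line.startswith("</"):
            in_block = line[1:-1]
            continue
        try:
            tokens = shlex.split(line)     # keeps "C:\\Program Files\\..." as one arg
        except ValueError:                 # unbalanced quote: plain whitespace split
            tokens = line.split()
        if tokens:
            entries.append((tokens[0], tokens[1:]))
    return entries


def lint_client_config(text, platform="windows"):
    """Return findings as strings; each starts with the offending directive."""
    directives = {}
    for name, args in parse_config(text):
        directives.setdefault(name, []).append(args)
    findings = []
    # 'daemon' is a Unix-only directive; the Windows GUI manages the process.
    if "daemon" in directives and platform == "windows":
        findings.append("daemon: not supported on Windows; remove it")
    # No cipher line means the old BF-CBC default (64-bit block): the SWEET32 warning.
    cipher = directives.get("cipher")
    if cipher is None:
        findings.append("cipher: not set, defaults to BF-CBC (SWEET32); add 'cipher AES-256-CBC'")
    elif cipher[-1] and cipher[-1][0].upper() in SMALL_BLOCK_CIPHERS:
        findings.append(f"cipher {cipher[-1][0]}: 64-bit block (SWEET32); use AES-256-CBC")
    if "redirect-gateway" in directives:
        # All IPv4 goes through the tunnel, but DNS and IPv6 still need their own handling.
        if not any(a[:1] == ["DNS"] for a in directives.get("dhcp-option", [])):
            findings.append("redirect-gateway without 'dhcp-option DNS': local resolver (DNS leak)")
        ipv6_handled = ("route-ipv6" in directives or "block-ipv6" in directives
                        or any("ipv6" in a for a in directives["redirect-gateway"]))
        if not ipv6_handled:
            findings.append("redirect-gateway without route-ipv6/block-ipv6: IPv6 bypasses the tunnel")
    # Static-key mode is one client at a time; several devices need TLS (easy-rsa).
    if "secret" in directives:
        findings.append("secret: static-key mode serves one client at a time; use TLS for more")
    return findings


# Constructed sample: the Windows client config posted in the thread, with a
# TEST-NET placeholder for the remote address the commenter left blank.
THREAD_CLIENT_CONFIG = r"""
proto tcp-client
remote 203.0.113.10
port 1194
dev tun
secret "C:\\Program Files\\OpenVPN\\config\\ovpn.key"
redirect-gateway def1
ifconfig 10.4.0.2 10.4.0.1
daemon
"""
# Same config with the fixes suggested across the thread; 172.31.0.2 is the VPC
# resolver one commenter found in /etc/resolv.conf (it differs per VPC).
HARDENED_CLIENT_CONFIG = r"""
proto tcp-client
remote 203.0.113.10
port 1194
dev tun
secret "C:\\Program Files\\OpenVPN\\config\\ovpn.key"
cipher AES-256-CBC
redirect-gateway def1
dhcp-option DNS 172.31.0.2
route-ipv6 2000::/3
ifconfig 10.4.0.2 10.4.0.1
"""

if __name__ == "__main__":
    for label, cfg in (("thread", THREAD_CLIENT_CONFIG), ("hardened", HARDENED_CLIENT_CONFIG)):
        print(f"[{label}]", *lint_client_config(cfg), sep="\n  ")
```

The hardened config still reports the static key, since that is a design limit rather than a typo: connecting several devices at once needs TLS certificates, as the replies about easy-rsa above say.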

  • Well I definitely don’t like the idea of having to watch my data usage on my PC like I do on my mobile… but… I suppose it might be worth it protecting your online privacy, and it’s awesome that getting a free VPN is even possible at all! It looks pretty complicated but this guide should make it pretty easy, even for those of us that aren’t so tech savvy.
