How to make your own free VPN with Amazon Web Services
Published on April 4, 2017 in Popular Posts, VPN & Privacy

Updated April 2017 to reflect some UI changes in the AWS console and add instructions for hardcoding DNS servers.

Internet users are spoiled for choice when it comes to VPN services, but they either require a monthly subscription, aren’t secure, or are just plain slow. Thankfully, alternatives do exist. They require a bit more technical know-how, but if you want something done right, you have to do it yourself.

Amazon Web Services offers one year of free virtual server space, provided you use less than predetermined amounts of bandwidth, time and space. Even if you go over that limit, the cost of running a server image on Amazon’s Elastic Compute Cloud is probably less than you would pay for a VPN subscription.

Here we’ll explain two different ways to use Amazon’s Elastic Compute Cloud, also called EC2, to divert your connection through a location of your choice: SSH tunneling and OpenVPN. Each has advantages and disadvantages, so use the one better suited to your needs. No matter which you choose, you’ll require the following:

  • An Amazon Web Services account. This requires a credit card, but you’ll only be charged for what you use, which will likely be nothing if you stay within the free tier.
  • PuTTY, if you’re on Windows. OpenSSH via Cygwin is another option, but I found it to be a pain. Linux and Mac computers have an SSH client built into their terminal. You’ll also need PuTTY’s sister key-conversion program, PuTTYgen.
  • WinSCP, or an equivalent SCP/SFTP client, to move files between your local computer and your EC2 instance (the instance does not run plain FTP, which would send the key across the internet unencrypted anyway).
  • A basic working knowledge of Unix commands and of how servers talk to clients will be massively helpful in troubleshooting should something not go exactly as planned.

Log into your Amazon Web Services account and head to the EC2 dashboard.

On the top right, choose the region where we’ll be setting up your VPN; this is the location your traffic will appear to come from. Click Launch Instance.


Choose whatever Linux AMI is listed as “free tier eligible.” At the time of writing this article, that’s the Amazon Linux AMI. Go on to the next step.


Here choose a t2.micro instance that’s also free tier eligible. Click “Review and Launch.”


On the next page, you should get a warning message asking you to edit your security groups. Click Edit Security Groups.

A security group is the instance’s firewall, and you want one that only lets your own computer reach the VPN or proxy. To keep things simple, click the bullet that says “Create a new security group” and name it whatever you like. Set the Type to “All traffic” and the Source to “My IP”; this admits only the public address you are using right now. If you want to connect from a second device or another location, add another rule with that address as a custom source. Do not open SSH (port 22) to the whole internet; keep it restricted to your own address. If you need to reach the VPN from places whose addresses you cannot predict, open only the VPN port (1194, TCP for the server configuration in this article) to 0.0.0.0/0. Note that “My IP” records the address you had at the time, so you will have to edit the rule when your home or office address changes.


Click “review and launch,” then “launch” on the next page.

Now you’ll want to create a key pair. This is an SSH key pair: the public half stays on the instance and the private half, a .pem file, is what proves you are allowed to log in, so treat it like a password. Select “create a new key pair” from the dropdown menu and name it whatever you like. Click the button to download the key pair. Store it somewhere safe; AWS does not keep a copy and cannot regenerate it for you.


The next page should alert you that the instance is launching. Scroll to the bottom and hit “View instances.” Here you’ll see a list of any instances you’ve launched, which if this is your first time using EC2 will just be one.

SSH Tunneling

To begin with, we’re just going to reroute web traffic through the instance we created using SSH tunneling and a SOCKS proxy. This is a quick and dirty way to get around a firewall or geographic lockout. It’s not quite a VPN: only applications you point at the proxy use it, so it’s best for light web traffic and won’t work with everything, but it’s much simpler to set up. This tutorial will explain how to interact with your instance using Windows. To do that, you’ll need to download PuTTY and PuTTYgen.


PuTTY and PuTTYgen both run right out of the box as .exe files with no need to install. Open PuTTYgen and click Load. Navigate to the .pem key pair file you downloaded before and load it into PuTTYgen; you’ll have to select the option to show all file types for the .pem key to show up. Hit “Save private key”. PuTTY uses its own .ppk format, so this converts the key; the file name can be anything you will recognize. Setting a passphrase on the private key is a good idea, since anyone who copies the file can otherwise log into your instance with it.


Now close out of PuTTYgen and open PuTTY. Copy your instance’s public IP from the EC2 console into PuTTY’s Host Name field. Type in a name for your session and hit Save.

In the left pane, navigate to “Auth” under SSH. Click the browse button at the bottom and navigate to the private key you just generated.


Navigate to Tunnels in the left pane. Enter 8080 as the source port, select Dynamic (leave Auto selected) and click Add. Go back to the Session page and hit Save again so you don’t have to do all this over again.

Click Open. The first time you connect, PuTTY shows the server’s host key fingerprint and asks whether to trust it; you can compare it against the fingerprints printed in the instance’s system log in the EC2 console before accepting. A prompt will then ask you for a username. This differs based on what type of server you set up at the beginning. For the Amazon Linux AMI, it’s “ec2-user”; the official Ubuntu AMIs use “ubuntu”.


Now you’re connected to your server, but you still need to route your web browser’s traffic through it. If you use Firefox, this can be done in your browser settings. If you use Chrome, download the Proxy Switchy extension. If you prefer to skip to creating a fully functioning VPN rather than just a proxy for your browser, skip to the next section now.

In Firefox:

  • Go to Tools > Options > Advanced > Network > Connection > Settings > Manual proxy configuration
  • Set SOCKS Host to 127.0.0.1 and the port to 8080 (or whatever you set the tunnel port to in PuTTY), with SOCKS v5 selected.
  • Tick “Proxy DNS when using SOCKS v5” so that name lookups also go through the tunnel instead of to your local resolver, which would otherwise reveal every site you visit.
  • Click OK to save

In Chrome Proxy Switchy:

  • A setup page should appear as soon as you install the extension, or click the icon in the top right of Chrome and click Options.
  • Name the profile whatever you like. Under Manual Configuration, set the SOCKS host to 127.0.0.1 and the port to 8080 (or whatever you set the tunnel port to in PuTTY). Leave everything else blank.
  • Hit Save, then click the icon again to select your proxy profile.

Voila! Your browser traffic is now being funneled through your EC2 instance. This will work fine for basic browsing, but some websites might run into problems and apps other than your web browser will still use the direct connection. To create a full-on VPN that reroutes all your internet traffic, read on.
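The same tunnel from a Mac or Linux terminal, as an added example that is not part of the original article: ssh’s -D option is the equivalent of PuTTY’s Dynamic tunnel. The key file name, the EC2 address and port 8080 are placeholders; checkip.amazonaws.com is only used to show which address the far end sees. The script also covers the two things that most often go wrong: ssh refusing a key file that is readable by other users, and DNS lookups quietly bypassing the proxy.

```shell
#!/bin/bash
# Added example, not from the original article: SSH SOCKS tunnel from a
# Mac/Linux terminal (the equivalent of PuTTY's "Dynamic" tunnel), with the
# checks that usually bite first. Placeholders: the key file name, the EC2
# address and port 8080; checkip.amazonaws.com only echoes the caller's IP.
set -u

# ssh refuses a private key that other users can read ("UNPROTECTED PRIVATE
# KEY FILE"), which is also the permission you want on it. Returns 0 if the
# mode is 400 or 600.
key_perms_ok() {   # key_perms_ok FILE
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU stat, then BSD/macOS stat
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# The tunnel command. -D binds the SOCKS listener on loopback only, so other
# hosts on your LAN cannot ride your tunnel; -N opens no remote shell;
# ExitOnForwardFailure makes ssh exit instead of silently continuing when
# the local port is already taken; ServerAliveInterval keeps NAT state alive.
socks_tunnel_cmd() {   # socks_tunnel_cmd KEY HOST [PORT]
    printf 'ssh -i %s -N -D 127.0.0.1:%s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 ec2-user@%s' \
        "$1" "${3:-8080}" "$2"
}

# Fetch the public address as seen through the proxy. --socks5-hostname hands
# the hostname to the proxy for resolution, so the DNS query goes through the
# tunnel too; plain --socks5 would resolve it locally and leak it.
exit_address_via_proxy() {   # exit_address_via_proxy [PORT]
    curl -s --max-time 10 --socks5-hostname "127.0.0.1:${1:-8080}" https://checkip.amazonaws.com
}

main() {
    key="$1"; host="$2"; port="${3:-8080}"
    key_perms_ok "$key" || chmod 600 "$key"
    sh -c "$(socks_tunnel_cmd "$key" "$host" "$port")" &
    sleep 3
    echo "address seen by the internet through the proxy: $(exit_address_via_proxy "$port")"
    echo "address seen without the proxy:                  $(curl -s --max-time 10 https://checkip.amazonaws.com)"
    wait    # keep the tunnel up until you press Ctrl-C
}

if [ "$#" -ge 2 ]; then main "$@"; fi
```

Run it as `bash socks-tunnel.sh myvpn.pem <instance address>`; the two addresses it prints should differ, the first being the instance’s. Browsers behave the same way as curl here: unless they are told to send hostnames to the SOCKS proxy (the Firefox option above), every site name you type is still resolved by your local network’s DNS server.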

Setting up OpenVPN

OpenVPN is a free open source tool that will let you run a full-on VPN through your Amazon EC2 instance. That means all your internet traffic goes through it, not just your web browser traffic like the proxy above. Desktop programs such as Steam or Spotify work better with this approach.


Connect to your EC2 instance using PuTTY according to the instructions above. You should have a command prompt in front of you that says Amazon Linux AMI. Run the following commands (type or copy/paste them and press enter):

sudo yum install -y openvpn
sudo modprobe iptable_nat
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
# 10.4.0.0/24 covers the two VPN addresses used in the configs below; earlier copies of this
# recipe had "10.4.0.1/2", a typo that masquerades a quarter of the IPv4 address space
sudo iptables -t nat -A POSTROUTING -s 10.4.0.0/24 -o eth0 -j MASQUERADE

Just a quick note here. You might have noticed in the screenshot that I incorrectly tried to download and install OpenVPN using the “apt-get” command instead of “yum”. Debian-based distributions such as Ubuntu use apt-get, so if yum doesn’t work for you (or you picked an Ubuntu AMI), try this command instead:

sudo apt-get install -y openvpn

A bunch of text will scroll past while OpenVPN installs. The other three commands turn on IP forwarding and NAT, so that packets arriving over the VPN can leave the instance with its own address; without them you will connect successfully but no web page will load. Both the ip_forward setting and the iptables rule live only in kernel memory: stop or reboot the instance and they are gone, so they have to be reapplied (or made persistent) before the VPN passes traffic again. Next we’ll create a static pre-shared key for authentication. It is a random secret stored in a file; the server and the client must hold identical copies, which also means this mode cannot tell two clients apart and serves only one at a time. Type in the following commands and hit enter:

cd /etc/openvpn
sudo openvpn --genkey --secret ovpn.key
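The forwarding and NAT commands above take effect immediately but are not saved anywhere, which is why the VPN stops passing traffic after a stop/start or reboot, a problem several readers hit in the comments below. The script that follows is an added example, not part of the original article: it applies those settings idempotently, makes them persistent and checks the result. It assumes the VPN addresses are in 10.4.0.0/24 as in the ifconfig line used below, that the outbound interface is eth0, and that the instance has the RHEL-style “service iptables save” and chkconfig commands, as the 2017 Amazon Linux AMI does; the comments mark the lines that differ on systemd-based distributions.

```shell
#!/bin/bash
# Added example, not from the original article: apply the forwarding and NAT
# settings idempotently, make them survive a reboot, and sanity-check them.
# Assumptions: VPN addresses in 10.4.0.0/24 (the article's ifconfig pair),
# outbound interface eth0, and an Amazon Linux / RHEL-style box where
# "service iptables save" and chkconfig exist; see the comments for others.
set -u

VPN_SUBNET="${VPN_SUBNET:-10.4.0.0/24}"
OUT_IFACE="${OUT_IFACE:-eth0}"

# Number of addresses a CIDR covers. Shows why "-s 10.4.0.1/2", which has
# circulated with this recipe, is wrong: /2 is a quarter of the IPv4 space.
cidr_host_count() {   # cidr_host_count A.B.C.D/N
    prefix="${1#*/}"
    echo $(( 1 << (32 - prefix) ))
}

# Return 0 if an iptables-save dump on stdin already has the MASQUERADE rule
# for SUBNET leaving IFACE (exact rule text, so a typo in the subnet shows up).
nat_rule_present() {   # iptables-save -t nat | nat_rule_present SUBNET IFACE
    grep -qF -- "-A POSTROUTING -s $1 -o $2 -j MASQUERADE"
}

apply_forwarding() {
    # Runtime setting now, plus /etc/sysctl.conf so it comes back after a reboot.
    sysctl -w net.ipv4.ip_forward=1
    if grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf; then
        sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    else
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    fi
    # -C tests for the rule first, so rerunning this script does not stack duplicates.
    if ! iptables -t nat -C POSTROUTING -s "$VPN_SUBNET" -o "$OUT_IFACE" -j MASQUERADE 2>/dev/null; then
        iptables -t nat -A POSTROUTING -s "$VPN_SUBNET" -o "$OUT_IFACE" -j MASQUERADE
    fi
    service iptables save   # Amazon Linux/RHEL; Debian/Ubuntu: install iptables-persistent and run netfilter-persistent save
    chkconfig openvpn on    # sysvinit; on systemd: systemctl enable openvpn@openvpn
}

check_forwarding() {
    rc=0
    if [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ]; then
        echo "ip_forward: on"
    else
        echo "ip_forward: OFF (tunnel will connect but pass no traffic)"; rc=1
    fi
    if iptables-save -t nat | nat_rule_present "$VPN_SUBNET" "$OUT_IFACE"; then
        echo "masquerade rule: present"
    else
        echo "masquerade rule: MISSING for $VPN_SUBNET on $OUT_IFACE"; rc=1
    fi
    return $rc
}

case "${1:-}" in
    apply) apply_forwarding ;;
    check) check_forwarding ;;
    *)     echo "usage: sudo $0 apply|check" ;;
esac
```

Run `sudo bash forwarding.sh apply` once after the install, and `sudo bash forwarding.sh check` whenever the client connects but nothing loads: the two lines it prints are the usual culprits.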

Now we’re going to create a server config file for our VPN. Type the following command to create a blank text file in a very basic text editor inside the terminal:

sudo nano openvpn.conf

Type in the following configuration. It uses OpenVPN’s static-key, point-to-point mode, which serves exactly one client at a time, and it relies on OpenVPN’s default cipher and HMAC, which newer versions flag as weak at startup; any cipher or auth line you add here must appear identically in the client config. You can find more options on the OpenVPN website if you want to play around with this later, but make sure you know what you’re doing first.

port 1194
proto tcp-server
dev tun1
ifconfig 10.4.0.1 10.4.0.2
status server-tcp.log
verb 3
secret  ovpn.key

Now hit CTRL+O (that’s the letter ‘O’, not zero) and hit enter to save the file. Then hit CTRL+X to exit the text editor. Back at the command prompt, it’s time to fire up OpenVPN. On the Amazon Linux AMI the init script loads every .conf file in /etc/openvpn; on systemd-based distributions such as Ubuntu 16.04 the service is instantiated per config file name (openvpn@openvpn for this file), which several readers ran into in the comments below:

sudo service openvpn start

Next we need to copy the shared key from the server to your local computer. OpenVPN created it owned by root with mode 600, so the user you log in as cannot read it. Rather than making it readable by everyone, hand ownership to ec2-user for the duration of the copy:

sudo chown ec2-user:ec2-user ovpn.key

If at any point you accidentally close PuTTy or it just craps out, you can navigate back to your open VPN installation directory after reconnecting using this command:

cd /etc/openvpn

To make this as easy as possible, download and install this free application, WinSCP (Mac and Linux users can do the same from the terminal with scp or sftp, using the same key and username as for SSH). Just use the default installation options. Once that’s done, a window should pop up prompting you to import your saved sessions from PuTTY. Select the one we made above and continue.


Select myvpn (or whatever you named yours) and hit the Edit button. Type in “ec2-user” under user name. Click on Login.


Now you can move files between your EC2 instance and your local computer. In the right-hand panel, navigate up to the root of the filesystem, then into /etc/openvpn. Here you’ll find the ovpn.key file that we need. Drag it into a folder of your choice, but remember where you put it as we’ll move it later.

Now that you have the key, give it back to root and make sure the mode is 600, so that only the OpenVPN process (which starts as root) can read it. Back in your PuTTY terminal, enter:

sudo chown root:root ovpn.key
sudo chmod 600 ovpn.key

It’s time to download the OpenVPN client and GUI for your local computer. Go to the OpenVPN downloads page and choose the appropriate version for your operating system. Install it with the default settings. It should appear in your system tray as an icon once launched. Open up a file explorer and navigate to where you installed OpenVPN, probably in your Program Files folder. Move the ovpn.key file we downloaded from the server to the config folder found there (C:/Program Files/OpenVPN/config if you used the default installation directory on Windows).

Next we need to create a config file for the local machine to match the one we made on our server. Open up Notepad and paste the following, replacing the IP address after “remote” with the IP of your EC2 instance (if you’ve forgotten it, find it in your AWS Console under EC2 Instances). Also double check that the full file path pointing to your key is correct.

proto tcp-client
remote <your EC2 IP here>
port 1194
dev tun
secret "C:\\Program Files\\OpenVPN\\config\\ovpn.key"
redirect-gateway def1
ifconfig 10.4.0.2 10.4.0.1

Save it as myconfig.ovpn (make sure your text editor doesn’t save it as myconfig.ovpn.txt by mistake) in the config folder of your OpenVPN installation, the same place as your ovpn.key file.


Right click on the OpenVPN icon in your system tray and click Exit to quit. Now start it up again, either from the desktop shortcut or from the Program Files folder, but this time right-click and choose “Run as administrator”. The client has to add routes, which on Windows needs elevated rights unless your OpenVPN build installed the interactive service (OpenVPN 2.4 and later), in which case it works from a normal account.

Right click the system tray icon and click Connect. The OpenVPN GUI should pop up showing you the connection status. Assuming it worked, the system tray icon will turn green. Go to Google and type in “What’s my IP?”, and it should return the IP address of your Amazon EC2 instance. If you see an IPv6 address instead, your IPv6 traffic is bypassing the tunnel, which only carries IPv4; disable IPv6 on your network adapter while the VPN is in use, as discussed in the comments below.


Congratulations, you just made your own VPN!

Update: If you want to protect your VPN from deep packet inspection, a technique used by censorship regimes in places like China and Syria to block OpenVPN connections, check out our tutorial on setting up Obfsproxy.

Remember to keep your bandwidth within Amazon’s free tier limits. The easiest way to do this is to right click on your instance in the AWS Console and click on the “Add/Edit Alarms” link. You can set your server to stop or even terminate after a few hours of inactivity. The free tier allows for 750 hours per month (which covers the whole month), so you shouldn’t need to do this. Those users past their initial free year of service or doing more with their server, however, can prevent unnecessary charges for unused server time.

Somewhere in this tutorial, something will probably go wrong for you. If you really want a VPN but aren’t willing to do your fair share of troubleshooting, it’s probably best to opt for a paid VPN service. They also allow you to channel your internet traffic through multiple geographic locations, whereas an EC2 instance is limited to just one. Check out our VPN reviews here!

Hardcoding DNS servers into your VPN

If you need to set specific DNS servers to use with your VPN, there are a couple of options.

To “push” a DNS server to every client that connects, add this line to the server config (quotes included):

push "dhcp-option DNS 45.56.117.118"

Alternatively, you can set the DNS server in an individual client config using:

dhcp-option DNS 45.56.117.118

Two caveats. On Windows the client applies the setting to the TAP adapter, but Windows 10 may still send queries to your other adapters’ resolvers in parallel; OpenVPN 2.3.9 and later for Windows can stop that with the block-outside-dns directive in the client config. On Linux clients the pushed option is only reported in the log and does nothing unless the client runs an up/down script that rewrites the resolver configuration (distribution packages usually ship one, typically named update-resolv-conf). In these examples I used an OpenNIC public DNS server with anonymous logging located in the US. You can find an OpenNIC server in the country of your choice and filter by features like anonymous logging and DNSCrypt here.

Special thanks to Dctr Watson’s blog, which I leaned on as a resource when writing this article.


117 thoughts on “How to make your own free VPN with Amazon Web Services”

  • Thanks Paul,
    However, I made the mistake of “stopping” the instance once I was done. When I came back the next day and started it again VPN would no longer work. Obviously, I need also to Putty into it and tell it to start OpenVPN. OpenVPN thinks it’s working, but no web pages would load on my browser, so apparently a few more of the setup commands are needed. Not a problem while I’m in the free period, but I’ll want to be able to stop it when I won’t be using it for long periods. Can you point to how to easily put these all in a script that runs whenever the instance is started?

    Also, is this a case where we should be using “elastic IPs”? When I restarted the assigned IP address is different, so had to modify the settings in the openvpn config file.

    Thanks much,
    Jim

    • Yes the elastic IPs are helpful if you’re frequently starting/stopping. To make it work on startup, look into setting up OpenVPN Access Server. That will give you a web GUI to control things from and can be configured to run whenever the instance is running. A tutorial for this is in my queue but might be awhile before I get to it.

  • Well done, Paul, thank you so much. Was able to get it up and running relatively easily even though I’m a novice at this. I did have to add an entry to the security group for custom TCP to port 1194, but that was it. Now I’ll have to dig into RSA so I can get it working on multiple devices.

  • Ok here is the problem and solution:
    http://unix.stackexchange.com/questions/292091/ubuntu-server-16-04-openvpn-seems-not-to-start-no-logs-get-written
    Shorter version:
    run this:
    sudo systemctl start openvpn@[CONFIG FILENAME WITHOUT EXTENSION HERE].service
    Now if we run above command with status instead of start we see status is:
    Active (Running)
    Instead of:
    Active (Exited)
    Because the actual openvpn.service in Ubuntu servers is just a dummy service!
    The vpn connection should be able to establish even after instance reboot.

  • Thanks. This is the only article online that covers exactly what I need. But unfortunately it doesn’t work. It missed some command somewhere and anyone must have found a way to fix it but forgot or didn’t find time to mention it somewhere on the internet.
    So here’s the problem:
    TCP: connect to [AF_INET]XX.XX.XX.XX:1194 failed, will try again in 5 seconds: Connection refused
    I have UDP/TCP for 1194 from anywhere open on my AWS EC2 security group.
    I checked the security group is assigned to the EC2 instance.
    I can ssh to the server so server is up and running.
    What I understood is that when we start the service on the server, there is no way to tell the service where to look for the conf file. I put random characters in the conf file and service was able to restart successfully! I even removed the conf file from the server and server was still able to restart successfully. Status says it is active and green.
    I’m sure the port 1194 is open. Because if I remove rules on aws security group the error is connection timed out. If I add them the error is connection refused. So the rules work. There is no server on the port to listen to the input. There is no log file created with name server-tcp.log anywhere on storage of the server. It apparently ignores the config file. Any idea?
    Thanks in advance.

  • Paul,
    Great document. Just a couple things on feedback.
    OpenVPN gives a warning about the cipher being too weak
    Suggest including the line
    cipher AES-256-CBC

    Can you also include how to configure multiple certs so you can run VPN on 2 or more computers?

    Best,

    • Hi Rob,
      Multiple certs has been on our agenda for awhile now but haven’t had a chance to write up a tutorial yet. Noted about the cipher, thanks.
      Best,
      Paul

  • I have two Win10 x64 Pro desktops behind my ISP NATing router/firewall. According to google they both have the same IP. I’ve setup identical OpenVPN client configs on each. They both can establish a connection to an ec2 OpenVPN server configured per your instructions, but not simultaneously (the second one just hangs establishing the connection). I’ve looked through the OpenVPN server config but nothing’s jumping out at me. Do I need to config the server to listen on as many ports as I’ll have simultaneous client connections and then config each client to connect to one of those different ports each? Some other secret sauce?

  • Followed your year old recipe and I think it worked like a champ (the ec2 gui changed a bit but it was easy enough to figure out). I say I think because when I check https://www.iplocation.net/find-ip-address before and after, the after shows the EC2 IPv4 address. But if I type “What’s My IP” into Google before and after, it’s the same IPv6 address.

    Is it working??? It doesn’t seem right that it should be the same IPv6 address

    • Hi Mark,

      Unfortunately, IPv6 leaks are a common issue with OpenVPN on Windows 10 (not sure about other Windows versions). Windows sends out DNS requests on both IPv4 and IPv6 and uses whichever comes back faster to improve page load times. What most commercial VPNs do to get around this is disable IPv6 altogether and just use IPv4. You can do this in your network settings.

      Best,

      Paul

      • That did it. Thanks! (who needs HomeGroup, it’s very hit/miss anyway).

        BTW, I’m running the OpenVPN GUI without Admin priv under up-to-date Win10 x64 Pro and Home and it works Just Fine. It’ll be interesting to see once the free year runs out how much it costs to keep it running. Does it cost anything for the ec2 instance to run idle/unused?

        Thanks again for the walk-through.

        • If I leave an instance running but don’t use it, it usually adds $5 or less onto my bill. I’m running a few other instances as well and haven’t looked at the exact breakdown for how much an idle one costs.

    • Technically that’s correct but Amazon has pretty strict rules about accessing customer’s data. It wouldn’t be practical or beneficial for them to snoop on your EC2 instance.

  • Hi,

    Before I invest time in this, one question. With Netflix’s aggressive VPN blocking, are you able to watch Netflix when using this VPN?

    • I’ve had mixed results. I think Netflix has banned a range of EC2 IPs but not all of them. Luckily, unless you have an elastic IP set up, you can just reboot the instance to get a new IP and try again. Make sure you change your config as necessary.

  • What is the security structure like once the VPN connection to my Linux instance on AWS is up? At home I’m “protected” by NAT and Firewall of my router. How does that work with this VPN solution ?

  • Thanks for this easy to follow guide. I’m able to setup the VPN and connect to it using my windows client. I require two more things:
    1) How to access the OpenVPN admin interface via browser
    2) How to connect using Linux Client

    Thanks in advance

    • The admin interface is a separate installation called OpenVPN Access Server. It’s not included in this tutorial but I’ll look into a separate tutorial for that later. As for your Linux client, it should be more or less the same thing but with your Linux terminal instead of PuTTy. Make sure you allow your Linux device to connect in your AWS security groups.

  • Great white paper. I have not installed the OpenVPN yet. I was wondering why your VPN test did not prompt for a username and password.

  • Hi, thanks for the tutorial! I’ve been looking to get a VPN started because of the Snooper’s Charter that came into play in the UK (which is something I heavily dislike), but paid VPNs seem to have quite a few problems, ranging from sites blacklisting their IPs to speed and privacy issues. As such, I want to ask how safe it is to use Amazon as a server provider considering it is a US company (5 eyes and whatnot)? Is it possible that Amazon could keep logs of what websites I visit if I have a VPN set up with AWS? Alternatively, what VPNs would you recommend which have a good mix of privacy and speed and which aren’t blacklisted from tons of sites?
    Thanks

    • I suppose it’s always possible that Amazon could be logging activity but I highly doubt it. Unless you’ve included some mechanism that logs traffic on your VPN, then there won’t be anything other than some metadata in the server logs for them to see. You can even minimize this by lowering the verbosity in your server config.

      As for what VPNs to use that aren’t blacklisted, NordVPN has been pretty reliable for me lately, and ExpressVPN is also good. You have to contact customer service to ask which server can unblock which sites.

  • Hey Paul! It seems that everything was fine until I tried to connect to the OpenVPN. Here’s the log:

    Wed Nov 23 18:56:47 2016 Attempting to establish TCP connection with [AF_INET(myip):1194 [nonblock]
    Wed Nov 23 18:56:57 2016 TCP: connect to [AF_INET](myip):1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)

    I even created a rule for the port on the firewall but it didn’t seem to work.

      • I’m facing the exact same issue. I’m running an Ubuntu instance though, not Amazon Linux. Everything works and the service is up, also the security group was checked several times. I even tried opening everything to anywhere.
        Didn’t work. Any suggestion?

  • Hi,

    I can connect to the client and my IP is the same as ec2, open vpn is connected, but I still can not get on to the sites that are blocked in my location i.e. China. I am wondering where did I go wrong?

    Any thoughts?

    Best,

    Naman

  • Hi Paul,

    first and foremost – thanks so much! Very much appreciated.
    I have a little problem though. I can connect to the server, but can’t connect from there to the outside world. I’m probably making an obvious mistake.

    Any ideas?

    Best,
    Declan
    ——————————————————————-
    2016-11-10 23:04:42 /sbin/route add -net 54.81.225.179 192.168.0.1 255.255.255.255
    add net 54.81.225.179: gateway 192.168.0.1
    2016-11-10 23:04:42 /sbin/route add -net 0.0.0.0 10.4.0.1 128.0.0.0
    add net 0.0.0.0: gateway 10.4.0.1
    2016-11-10 23:04:42 /sbin/route add -net 128.0.0.0 10.4.0.1 128.0.0.0
    add net 128.0.0.0: gateway 10.4.0.1
    2016-11-10 23:04:42 Attempting to establish TCP connection with [AF_INET]54.81.225.179:1194 [nonblock]
    2016-11-10 23:04:42 MANAGEMENT: >STATE:1478815482,TCP_CONNECT,,,
    2016-11-10 23:04:43 TCP connection established with [AF_INET]54.81.225.179:1194
    2016-11-10 23:04:43 TCPv4_CLIENT link local: [undef]
    2016-11-10 23:04:43 TCPv4_CLIENT link remote: [AF_INET]54.81.225.179:1194
    2016-11-10 23:04:53 Peer Connection Initiated with [AF_INET]54.81.225.179:1194
    2016-11-10 23:04:54 *Tunnelblick: No ‘connected.sh’ script to execute
    2016-11-10 23:04:54 Initialization Sequence Completed
    2016-11-10 23:04:54 MANAGEMENT: >STATE:1478815494,CONNECTED,SUCCESS,10.4.0.2,54.81.225.179
    2016-11-10 23:05:34 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host’s name after connecting.

    ——————————————————————-

  • Great post. Have you tried to create a layer 3 site-to-site tunnel using OpenVPN? I have, using the OpenVPN Access Server web portal. However, while the server can talk to (ping) the client and vice versa, I can’t figure out how the server can talk to any other computers on the client’s subnet. You don’t happen to know, do you? Or at least the AWS side? Another tutorial perhaps: OpenVPN site-to-site with AWS?

  • Hi Paul,
    Could you please provide the link or input on how to log in to the OpenVPN client with username and password for more than 2 users.

    Thanks,
    bheema.

    • Hi Jeff,
      Haven’t tested this myself but I think you can add this to your server config to “push” the DNS server to the client:
      push "dhcp-option DNS 10.11.12.13"
      Alternatively, you can set them in the client config using:
      dhcp-option DNS 10.11.12.13

      Best,

      Paul

    • Hi Paul,

      It seems that I encountered the same warning as Jackson Wolf’s; why is our connection failing? Can you help fix it?

      Looking forward to your response.

      Cheers,
      Jesse

    • Hi,

      I followed the tutorial step by step but it did not work!!

      is there a way to discover the reason using the openvpn output?

      • Hi Belhassen,
        There is a client log and a server log for OpenVPN. You should be able to diagnose the problem using one or the other or both.
        Best,
        Paul

  • Great tutorial!!! Thank you, Paul. After following OpenVPN instructions above, my public IP address is now my EC2’s IP address. I’m primarily using this when I am traveling abroad. When I go to http://www.whatismyipaddress.com, the EC2’s IP address is indicated but it shows my current foreign location. Any settings I can tweak to have the IP detected as within the US? My EC2 instance is in “N. California”.

    • Hi Alonzo,

      It could be a DNS leak, which this tutorial does not account for. Try changing to Google DNS or OpenNIC DNS servers and see if that helps.

  • Excellent article Paul. Do you know if it is possible to have username and password authentication from the client in static key mode? I am trying to convert your config to add username/password as a secondary check.
    -Steve

    • I’m not positive but OpenRSA might support this. In any case it will boost your security and allow you to connect multiple simultaneous devices.

  • Great tutorial, thanks.

    I managed to get connected (green icon) but still get my own WAN ip when i check against WhatsMyIP. Any thoughts where i could be going wrong?

    Thanks

  • I got everything setup (including using openvpn to tunnel everything on my pc) and it works good. Thank you for this tutorial. It’s one of the best on the Web, very good for beginners too.

    Now, I was wondering. Is it possible to tunnel my whole router traffic, including wifi?

    So that when I connect to WiFi it also is “tunneled” connection using static ip from amazon?

  • Any chance you might consider doing a parallel article for setting up in Azure? I have come very close, but some of the networking defaults on an Azure Linux VM seem to be different than Amazon’s and I’m not getting the packets forwarded from Azure to the destination site.

    • Hi Ken,
      We’ll look into an Azure VPN setup tutorial but we’ve got quite a backlog of articles to get to so I don’t want to promise anything.
      Let us know if you figure it out!
      Best,
      Paul

  • I’m working within the free tier of AWS with a t2.micro instance. When I attempt to install OpenVPN, I get the following:

    sudo yum install -y openvpn
    Loaded plugins: amazon-id, rhui-lb, search-disabled-repos
    rhui-REGION-client-config-server-7 | 2.9 kB 00:00
    rhui-REGION-rhel-server-releases | 3.5 kB 00:00
    rhui-REGION-rhel-server-rh-common | 3.8 kB 00:00
    (1/7): rhui-REGION-client-config-server-7/x86_64/primary_d | 5.5 kB 00:00
    (2/7): rhui-REGION-rhel-server-releases/7Server/x86_64/gro | 699 kB 00:00
    (3/7): rhui-REGION-rhel-server-rh-common/7Server/x86_64/gr | 104 B 00:00
    (4/7): rhui-REGION-rhel-server-rh-common/7Server/x86_64/pr | 110 kB 00:00
    (5/7): rhui-REGION-rhel-server-rh-common/7Server/x86_64/up | 29 kB 00:00
    (6/7): rhui-REGION-rhel-server-releases/7Server/x86_64/pri | 26 MB 00:00
    (7/7): rhui-REGION-rhel-server-releases/7Server/x86_64/upd | 1.4 MB 00:00
    No package openvpn available.
    Error: Nothing to do

    It looks like the installer does not exist. What am I missing, or is OpenVPN not available on the free tier?

    • problem resolved,
      I succeeded in setting up the VPN using Ubuntu 16 by opening the TCP port as follows:

      sudo ufw allow 1194/tcp
      sudo ufw allow OpenSSH
      sudo ufw disable
      sudo ufw enable

  • I found that using openvpn in this way, while having IPv6 enabled on your local client, will leak lots of traffic locally over ipv6.

    to solve this i added these lines to my client config:

    tun-ipv6
    route-ipv6 2000::/3
    ifconfig-ipv6 2001:db8:0:123::2 2001:db8:0:123::1

    I still have to solve how to forward ipv6 traffic on the server side.
    But it does solve the ipv6 data leakage, basically by just dumping all ipv6 traffic in a black hole.

  • Thanks for the tutorial however I have a Mac so what do I do once I get to SSH tunneling? Also is there a tutorial to configure the client to use DNS on my AWS instance to prevent lookups on my client environment?

    • Hi Justin,
      We don’t have tutorials for Mac or setting up DNS with OpenVPN at this time. Once you get to SSH tunneling, you can choose to use a simple port forward+SOCKS proxy or set up the full VPN. Because Macs have a proper Unix terminal, you should be able to connect directly to the server through that instead of something like PuTTy.
      Best,
      Paul

    • I added this to the server config:

      push "dhcp-option DNS 172.31.0.2"

      where 172.31.0.2 is the address i found in /etc/resolv.conf.
      I am not sure if that is the same for all ec2 instances.
      Maybe there is a way to tell openvpn to use whatever address it finds in /etc/resolv.conf?

  • Great work,
    but I see the DNS configuration is missing or not included,

    so where can we add DNS for the client DHCP?

    thank you,

  • Paul,

    Great write up, thanks!

    I got it working with a windows client. Can you point me in the direction of getting it to work with the linux client?

    • Hi Will,
      We’re working on a tutorial that should be finished in the next week or two for Linux users. If you need something before then, Google is your best friend. You could also try the OpenVPN forums.
      Best,
      Paul

  • Wow! Used this to set up a single-user VPN server.

    Just spent a couple of days finagling with openrsa, using a couple of websites, and was able to install it and start making keys, but cannot figure out how to tie that in to OpenVPN for multiple users.

    Any chance of a write-up or other help for us noobs looking to set up VPN servers for multiple (home, fair use, single-family) clients?

    • Hi Bartholomew,

      I’ll look into writing an openrsa tutorial, but I’ve got a queue of other articles to get to first. In the meantime, I would recommend checking out the official OpenVPN forums for tips and setup help.

      Best,

      Paul

  • Hi,
    I am behind a fortiguard firewall, could this be the reason I am getting:
    TCP: connect to [AF_INET] (my ip) failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
    while trying to connect through OpenVPN?

    Let me know,
    Thanks

    • Hi Ben,

      Yes, that could be the reason. You might try a different port and see if that helps.

      Best,

      Paul

      • Hi Paul,
        Thanks for the quick reply!

        I changed the port to 443, and now I get this:

        TCP connection established with [AF_INET](my ip):443
        TCPv4_CLIENT link local: [undef]
        TCPv4_CLIENT link remote: [AF_INET](my ip):443
        read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (code=10060)
        Connection reset, restarting [-1]
        SIGUSR1[soft,connection-reset] received, process restarting

        Any suggestions?

        Thanks

        • Hey Ben,

          443 is often reserved for HTTPS web traffic, so it might not work with OpenVPN. Try 119, 563, 1080, 1194, and 8080. You may need to install a special program to see what TCP ports are open in the firewall if those don’t work.

          Best,

          Paul

          • I spoke too soon. Shortly after it connected, it disconnected again. I could only get it to work by restarting the OpenVPN server on the AWS instance. Here are the logs. Any ideas?

            TCP: connect to [AF_INET]:8080 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
            TCP connection established with [AF_INET]:8080
            TCPv4_CLIENT link local: [undef]
            TCPv4_CLIENT link remote: [AF_INET]:8080
            Peer Connection Initiated with [AF_INET]:8080
            Initialization Sequence Completed
            write TCPv4_CLIENT: Connection reset by peer (WSAECONNRESET) (code=10054)
            read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (code=10060)
            Connection reset, restarting [-1]
            SIGUSR1[soft,connection-reset] received, process restarting
            WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
            WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
            do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
            open_tun, tt->ipv6=0
            TAP-WIN32 device [Local Area Connection 14] opened: \\.\Global\{F17B3899-247A-4916-BF49-E2BA19FEDC7B}.tap
            Notified TAP-Windows driver to set a DHCP IP/netmask of 10.4.0.2/255.255.255.252 on interface {F17B3899-247A-4916-BF49-E2BA19FEDC7B} [DHCP-serv: 10.4.0.1, lease-time: 31536000]
            Successful ARP Flush on interface [105] {F17B3899-247A-4916-BF49-E2BA19FEDC7B}
            Attempting to establish TCP connection with [AF_INET]:8080 [nonblock]
            TCP: connect to [AF_INET]:8080 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
            TCP: connect to [AF_INET]:8080 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)

          • It’s difficult to say without seeing the server logs. Since it was working and then not working, it might be that your computer was assigned a new IP address which isn’t allowed on the AWS security groups. You can change your AWS security settings to allow all traffic on whatever port you want from any IP to avoid this.

          • Hi Paul,

            Thank you SO much for this wonderful and delightful tutorial. It was so easy to follow.

            At first, the OpenVPN client wouldn’t connect on port 1194. I decided to change it to 8080 and that did the trick.

            Thanks again!

          • Well, you could try port 22 but it probably won’t be very fast as it’s usually just for SSH to a server. Without being able to control the firewall, I’m not sure what else to suggest. You could try a UDP setup, which would give you access to more ports, but that will require a different configuration and I’m not sure if it would even solve your problem.

          • Also, make sure the necessary ports are open on your EC2 instance. You can change them using iptables from the command line or under Security Groups on the AWS Dashboard.

  • Nice tutorial. However, when I attempt to connect to the VPN, OpenVPN shows “TCP: Connect to [AF_INET](MY EC2 IP ADDRESS) failed.”
    What should I do to deal with it?

    • Hi Vincent,
      That’s a pretty vague error, so I can’t diagnose it without more details. Find the server log and see if it gives you any more details. It should either be in the same directory as the config file as server-tcp.log or in /var/log/syslog or /var/log/openvpn.log.

      Best,

      Paul

    • Hi Anas,

      You can just import the same config file that you use on your PC, along with the associated key file, to whatever OpenVPN client you are using on those devices. Make sure to allow the IP addresses for those devices through the firewall using AWS security groups or iptables. However, if you want to connect multiple devices at the same time, you’ll need to create certificates for each, which gets more complicated. I don’t have a tutorial for that yet, but you can look into easy-rsa for generating these certificates.

      Best,

      Paul

  • I’m running into an issue where OpenVPN isn’t giving my workstation a DNS address. I followed the guide and can’t see if I missed anything. Manually set the adapter to Google DNS and it works. Any ideas?

    • Hi Quinn,
      It’s hard to tell without seeing your config and log files. Are you able to connect to the internet through the VPN with Google DNS?
      -Paul

  • Paul,
    Thanks for your guide. Unfortunately, it seems like my ISP blocking everything except traffic via 80/443 ports. Is there any way to overcome this limitation? Even if I set up source port 80 or 8080 in Putty it does not allow me to connect (timed out).
    Thanks.

    • Hi Mike,
      Have you checked the security groups on AWS to make sure traffic through those ports is open?
      -Paul

      • Hey Paul,

        Thanks for your help. Actually, I’ve tested my setup using mobile internet from my phone – everything was working smoothly (if I tried to connect on port 8080), but it didn’t work with my regular ISP. So, I assumed that port 8080 is also blocked or filtered. However, OpenVPN refused to connect on 80/443 (I think these ports accept only specific traffic). So, do you have any idea how to deal with this issue?
        PS: I could connect my work laptop to the corporate network using Cisco Any.. via the same wifi, which I use for my personal laptop. I tried to use port 4500 (UDP, usually used by Cisco) in my OpenVPN setup but it did not play well.

      • Bingo!

        I triple-checked that firewalls weren’t blocking communication on port 1194 on either end and was confused why OpenVPN was stuck at “connecting”…until Paul’s comment.

        I added UDP 1194 to the security group for my instance, and it connected with no problem. Thanks Paul.

  • Hi Paul, great tutorial. Out of curiosity, I’m looking to have Amazon act as a backup VPN service in the event our corp connection dies. Using your defined method, is it possible to allow multiple users to connect to the new VPN service and from said service connect to our various VPCs on Amazon?

    • Hi Austin,
      Yes, it is possible, but ideally you would use tls-auth instead of the pre-shared private key (ovpn.key in this tutorial) for multiple simultaneous users. You’ll need to generate different authentication credentials for each simultaneous user and make sure the appropriate ports are opened up so they can connect from their respective IP addresses. You can look into installing easy-rsa to generate TLS certificates.
      Best,
      Paul

  • I followed the directions and was able to VPN to my AWS server. What I would like to do now is create an SSH tunnel from the AWS server to a Linux server at my home. I put a hole in the firewall and can create a tunnel, however I can’t seem to pass RDP traffic across that. I created the tunnel like this: "ssh -N -f -L3389:localhost:3389 ". When I try to run "telnet localhost 3389" I get this error on the remote computer: "error: connect_to localhost port 3389: failed." On the server in my home I ran this rule: "firewall-cmd --add-forward-port=port=3389:proto=tcp:toport=3389:toaddr=192.168.1.225". However, the traffic seems to die at the end of the tunnel.

  • Hi Thanks for the guide.
    I have successfully connected to my EC2, however there is no connection coming in.
    I tried both the SSH tunnel and openVPN both yield the same result.
    Any idea what I am missing?

  • Thank you so much, it was helpful.

    But as you know, the internet speed within the server is about 750 Mbps!
    How can I use that high speed to download files to my PC?

    Thanks in advance

    • Hi alpionscop,

      A VPN doesn’t change the maximum download speed allocated by your ISP, which is probably much less than 750 Mbps. On top of that, the encryption and re-routing of internet traffic that takes place with a VPN will slow your download speed down, usually by about 10 percent.

      -Paul

  • This a great tutorial, thanks! The only thing I’m stuck on is trying to get the VPN service to start automatically every time I restart my EC2 instance. I’d like it to run without having to login through SSH and manually start the openvpn service. Any suggestions?

  • Thanks for this extremely helpful article. I followed the instructions to the letter and it worked perfectly!

    Do you know how to make the OpenVPN client configuration file work with an Asus Router (I have an RT-AC87U)? I want to route all traffic in my home through the VPN server.

    I have basic technical knowledge, and I know how to navigate the Asus interface, but I’m not sure how to use the config file to “point” to the ovpn.key file that I uploaded to the router.

    • Hi Chris,

      I’m glad the article was helpful. I’m not sure how to help you with your router, though, as I don’t have a similar one on hand. If you know what type of firmware your router uses (DD-WRT, Tomato, etc.), then that should point you in the right direction with a Google search.

      -Paul

  • proto tcp-client
    remote
    port 1194
    dev tun
    secret "C:\\Program Files\\OpenVPN\\config\\ovpn.key"
    redirect-gateway def1
    ifconfig 10.4.0.2 10.4.0.1
    daemon

    The client config is wrong, you can’t run daemon on Windows.

  • Well I definitely don’t like the idea of having to watch my data usage on my PC like I do on my mobile… but… I suppose it might be worth it protecting your online privacy, and it’s awesome that getting a free VPN is even possible at all! It looks pretty complicated but this guide should make it pretty easy, even for those of us that aren’t so tech savvy.
