How to make your own free VPN with Amazon Web Services

Why You Might Want to Do This


Find the server log and see if it gives you any more details. Hi Paul, thank you SO much for this wonderful and delightful tutorial. We just need to start up OpenVPN. So, do you have any idea how to deal with this issue? Once I deleted that rule, it worked like a charm.

Creating a VPN Server


Now let's get started! Since VPN connections link networks together, you must be careful with the subnet and IP addressing so there aren't any conflicts. On the network hosting the VPN server, you should use an uncommon default IP for the router, such as To configure the Windows VPN server, you do what Microsoft describes as "creating an incoming connection."

Among other things, you'll specify the users you want to be able to connect. Follow these steps to create an incoming connection: Now you need to access the properties of the newly created incoming network connection and define the IP address range for VPN clients: Windows will automatically allow the VPN connections through Windows Firewall when you configure the incoming connection on the host PC.

However, if you have a third-party firewall installed on the host PC, you need to make sure the VPN traffic is allowed. You may have to manually enter the port numbers 47 and You specify the host PC by entering its local IP address. Therefore, before you set up the port forward, you should ensure the IP address won't change. Start by logging in to the Web-based control panel of the router.

Some routers don't have this feature. Next, select the user accounts that can connect remotely. To increase security, you may want to create a new, limited user account rather than allow VPN logins from your primary user account.

Next, you can select the networking protocols that should be enabled for incoming connections. Windows then configures access for the user accounts you chose—which can take a few seconds. And at this point, your VPN server is up and running, ready to take incoming connection requests. This will allow you to connect to the VPN server using port , and will protect you from malicious programs that scan and attempt to automatically connect to VPN servers running on the default port.

Start with this command: The command will ensure OpenVPN starts when the server boots, and the script will ensure the necessary forwarding rules are set up in iptables to allow OpenVPN traffic.

Now that the server is configured, we need to set up the client. With PuTTY still open and running as root, we first need to change the permissions on these files so that we can access them. To do that, type: This will make you the root user and grant administrative privileges. Now enter the following commands: The last command lowers the required permissions to access these files. Just use the default installation options.

Select the one we made above and continue. Select myvpn or whatever you named yours and hit the Edit button. Type in ec2-user under user name. In the host name field on the main page, you can enter either the IP address or domain of your EC2 instance.

Hit the green Download button. The last loose end to tie up is removing the CA key from the server. The CA, or certificate authority, is used to sign client certificates, and if it is ever compromised, you can never trust certificates issued by that CA again. If you want to add more clients at a later time, you will have to move the CA key back.

Once you have the CA key safely stored somewhere other than the server, go into PuTTY and remove the original CA key from the server. Once the files have downloaded, we need to restore their stricter permissions on the server so not just anyone can access them. Lastly, we need to create a client configuration file. Open your favorite plaintext editor (Notepad works fine) by right-clicking it and selecting Run as administrator, then paste the following config, replacing YOUR.
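The permission shuffle above (lower the permissions to download the keys, then restore them) and the removal of the CA key are easy to leave half-done. The following shell check is added here and is not part of the original tutorial; it audits an OpenVPN key directory for both conditions and assumes easy-rsa's default file names (ca.crt, ca.key, *.key) in a directory path you supply.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit the OpenVPN key directory
# on the server after the "download keys, then restore permissions" step.
# Assumption (constructed for this example): easy-rsa's default file names,
# i.e. ca.crt / ca.key for the CA and *.key for the server and client keys.

# Usage: audit_openvpn_keys /path/to/keys
# Prints one "FAIL: ..." line per finding and returns 0 only when there are none.
audit_openvpn_keys() {
    dir="$1"
    findings=0

    # The server needs the CA *certificate* to verify client certificates ...
    if [ ! -f "$dir/ca.crt" ]; then
        echo "FAIL: $dir/ca.crt is missing; the server cannot verify client certificates"
        findings=$((findings + 1))
    fi

    # ... but must not keep the CA *private key*: if the server were compromised,
    # the CA key would go with it, and nothing signed by that CA could be trusted again.
    if [ -f "$dir/ca.key" ]; then
        echo "FAIL: $dir/ca.key is still on the server; store it offline and delete it here"
        findings=$((findings + 1))
    fi

    # Every other private key must be readable by its owner only (mode 600 or 400).
    # A key left at 644 after a "temporary" chmod is readable by every local account.
    for key in "$dir"/*.key; do
        [ -f "$key" ] || continue
        case "$key" in */ca.key) continue ;; esac      # already reported above
        mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")  # GNU, then BSD stat
        case "$mode" in
            600|400) ;;
            *)  echo "FAIL: $key has mode $mode; restore it with: chmod 600 $key"
                findings=$((findings + 1)) ;;
        esac
    done

    [ "$findings" -eq 0 ]
}
```

Run it against the server's key directory right after the download step; an empty result and a zero exit status mean the CA key is gone and every remaining key is back to owner-only permissions.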

Other OpenVPN clients might use the. Save it into the same location as your key and certificate files. Right-click the icon in your system tray and connect with the client configuration we just set up.

A status screen with loads of text will flash across the screen, and then the icon will turn green. In PuTTY, type the following commands and hit Enter:

Type the following command to create a blank text file in a very basic text editor inside the terminal: Type in the following configuration. Next we need to get the shared key from the server to your local computer. First we need to change the permissions on that file so we can access it, using the following command: If at any point you accidentally close PuTTY or it just craps out, you can navigate back to your OpenVPN installation directory after reconnecting using this command:

Now you can move files between your EC2 instance and your local computer. Now that you have the key, we need to re-apply the old permissions so not just anyone can grab it. Back in your PuTTY terminal, enter: Go to the OpenVPN downloads page and choose the appropriate version for your operating system. Install it with the default settings. Once launched, it should appear as an icon in your system tray.

Next we need to create a config file for the local machine to match the one we made on our server. Also double-check that the full file path pointing to your key is correct. Save it as myconfig. Right-click the system tray icon and click Connect. Assuming it worked, the system tray icon will turn green. If you want to protect your VPN from deep packet inspection, a technique used by censorship regimes in places like China and Syria to block OpenVPN connections, check out our tutorial on setting up Obfsproxy.

Note that this tutorial was written as a sort of sequel to the older Method 2 in this article, so if you used easy-rsa, it will require some additional configuration. You can set your server to stop or even terminate after a few hours of inactivity. Those users past their initial free year of service, or doing more with their server, can however prevent unnecessary charges for unused server time.

Somewhere in this tutorial, something will probably go wrong for you. They also allow you to channel your internet traffic through multiple geographic locations, whereas an EC2 instance is limited to just one. Check out our VPN reviews here!

This will affect all of the devices that connect to your VPN (quotes included): I would like to ask you for help. In the May update, while following precisely (at least I hope) your instructions, when I paste the following commands: I have been waiting for this update for a while. I followed your setup and successfully built a VPN last year, but I shut it down and terminated it.

Now I am trying to build again. I have followed every step very carefully several times but get this error when trying to set up the certificate authority. This is a tremendously helpful guide and I used it in the past with the static encryption, but just spun up a new server with EasyRSA but with it.

Where should I start troubleshooting? Hi Andy, it sounds like the server firewall might be blocking outbound connections to the internet. Sometimes when an EC2 server gets restarted, those routing tables get reset. Thanks for the elaborate and helpful post.

Maybe you need to update this post. Not sure if this is only for the EC2 I picked. I am still trying to get the openvpn installed.

Remember to run an update on the whole server as well. Well, I have successfully managed to follow the tutorial, including navigating the use of easy-rsa 3. I cannot see what I am doing wrong. The client certificate and key have no password. This posting is tremendously helpful, but please update to Easy-RSA 3. The official instructions are so terse, they are not terribly helpful. Hi, this is a great tutorial, thank you for posting.

I am having some trouble with easy rsa 3. When I get to point 5 in the VPN — howto link you provided: The input file does not appear to be a certificate request. Hi, getting this when I try to connect: Fri Feb 23 Unknown error Fri Feb 23 It looks like the Yep, I will look into updating this tutorial with easy-rsa 3. Hopefully this will help in the meantime: When I installed easy-rsa, it installed version 3.

Is there a workaround? Hi Doug, I ran into the same problem as you. Here is the tutorial page for the 3. Ran into the same problem. Anyone got some clarification on that? I've come up with the same problem. If the user is in their home directory, it creates the folder CA in the home directory, not in the 2. In my case the version of easy-rsa that was installed was 3. Thanks for such a great tutorial! I am having a hard time concluding it because I am really a newbie in Linux, but I am enjoying it because I am learning.

When I try to start the service on the server it fails. I looked into the log and the message I receive is: Please correct these errors. Use --help for more information. Once I go through the entire tutorial and get it working on one machine, what do I have to do to get it working on another machine?

Which steps do I have to implement? Which steps can I skip? Do I have to rename some things? Windows 10 and Android openvpn work ok, but Ubuntu Fixed in the tutorial now. And then this CA directory is never referenced again in any of the instructions. Very thorough and complete! I saw at least one other commenter found this necessary. Should this be of any concern? I also plan to set up my Android phone to do the same. It would be greatly helpful if you could clarify how to set up additional client keys.

Also, should the VPN server have some sort of firewall software installed on it to prevent hacking? First of all, great tutorial; it is really detailed and is incredibly easy to follow. I run into a problem when trying to connect through openvpn on my windows machine.

Wed Oct 11 Preserving recently used remote address: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Wed Oct 11 TLS handshake failed Wed Oct 11. Thanks for the super helpful article, Paul! This was crucial to realizing I had an empty server. That command will start openvpn on boot, but we still need to set up the port forwarding stuff.

That init script will run a. I did not need to change file permissions to make the file executable. After rebooting the server I was able to connect as usual and it worked just fine. For those without systemctl, it would be worth mentioning the chkconfig route. For simplicity I prefer to have to move only a single file to my phone instead of all the crt and key files (I do create different keys for each device, though).

Instead of each line specifying the crt or key file, you can just add the certificate or key inline as follows: Thank you so much for this post! To anyone struggling with the problem where the OpenVPN server does not forward requests, those 3 lines from step 3 solved it for me. Hello, windows 10 can connect openvpn, but Ubuntu I have tried the method you mentioned, but to no avail. Thanks for the feedback Matt! I think my IT knowledge is slightly above the average, but there is no chance that I can do the above myself.

Can you recommend who could set up the EC2 for me, for a suitable fee of course? Using your push dhcp parameter in server. However, when we run a test at http: Looks like your DNS might be leaking… The IP address is reported as the openvpn server IP we configured.

Did you update this excellent tutorial with instructions on how to issue additional keys for separate clients? I am reading this how to: Sir, what is the procedure to use both a user name and a password during connection establishment?

Sorry, you can cancel that question about missing client. My mistake — missed a line. I skipped this step for now, but would like to know how to perform this in case a server reboot problem should occur. I went through the tutorial again and again, but fail to see in which step these two files were supposed to be created? All other mentioned files are there.

Thanks for any clarifications. Will this help create multiple VPN connections for a number of clients accessing my EC2 cloud instance? This made my day! I think that before starting to set up something, you need to know the OS you are working on? Also, I suggest that you never do chmod on a private key. Glad to hear it! The chmod is just temporary so you can access the files from your PC. The alternative is to generate the key on your PC using the Windows version of easyrsa, then move those files onto your ec2 instance.

When you restart the server, I think you are assigned a new IP address. You can get around this by getting an elastic IP address, but it may cost you a bit more. In the end, if implemented correctly, it will help any user to have their own custom VPN using Amazon.
