Sometimes you want to connect to internet without someone watching you. This can be due to restrictions applied by governments, ISPs, etc. Maintaining privacy while using internet is very important to some people, and for me personally, the experience was to bypass a ridiculous sensor on sites like Twitter and software like Telegram.
So I thought how hard can it be to setup a VPN server (because I didn't want to pay $5 per month) for a web developer. After Googling a bit, I found out you could easily do this on AWS (Amazon Web Services) for free using OpenVPN. I started setting it up and a couple of mins later I had it up and running.
OpenVPN is a popular open-source tool that is well tested and give you a production ready VPN solution.
So just to not forget how I did it, as usual I thought let's write up something, and who knows, maybe it is useful to you too π.
So are you ready?
AWS console
If you don't have an account on AWS (Amazon Web Services), go ahead and create one. It's free, but you will need to have your credit card info handy.
Once signed up, login and under the services menu look for EC2 (you can type and it will filter the services as you type).
Click on EC2 and you will be redirected to its dashboard. Click launch instance button under create instance section.
Select the OpenVPN
Many articles will walk you through setting up an new Linux VM and installing the OpenVPN manually. However, things have changed and some lovely people have put a ready to use service in the AWS marketplace, so we will choose that.
Once in the dashboard, click AWS Marketplace
menu from left and type OpenVPN, then press enter.
Click on select button on the first one with the free tier eligible
badge.
Selecting instance type
On the next page click continue and select t2.micro
from instance type list.
At this stage click on Review and Launch button.
Launch the instance
Select general purpose SSD from the pop up and click next. Now click Launch
and you'll see a pop up asking you to select a key pair. This is to let you access the instance later on.
Select create a new key pair (or an existing if you already have one), enter a name and click download key pair.
Save the .pem
file somewhere safe as this is like a back door to your server π. Click Launch Instance and wait for the instance to go to running state.
Click on view instance to see the instance list.
Select your instance and click connect.
Preparation
You'll see a set of instructions on a popup on how to connect to your instance.
In the instruction set they tell you to use PuTTY to connect to your instance using SSH
. However, I already have Ubuntu set up in WSL
(windows subsystem for Linux) and we can use that. Otherwise you can use PuTTY or even the web browser connection.
Before we do anything we need to set the permissions for our private key ππ½ .pem
ππ½ file, otherwise it wouldn't allow you to connect. If you're using a Linux or Mac machine, simply run the following command:
chmod 400 {name-of-file}.pem
For the rest of you who are like me, right click on the .pem
file and click Security > Advance. Then change the owner to yourself, click disable inheritance and remove all permissions. Click add and add yourself and give full control.
Connecting
Once that's done, open a command prompt, type bash and then enter the following command:
sudo ssh -i "{name-of-file}.pem" openvpnas@{serveraddress}.compute.amazonaws.com
Don't forget to replace the file name with whatever you've chosen previously and replace the name of server with what you got from the instruction popup.
Type yes for the agreement, then just hit enter to have all the defaults confirmed. Once you reached to the end, change the password for the user which will be used to login:
sudo passwd openvpn
Enter a new password twice and you're all set. Open a browser window and type https://{server address}:943/admin
and login with openvpn
and the password you just set.
Tidy up a few settings
Once in the admin dashboard of OpenVPN, click configuration and apply the following changes:
- Change the toggle for Should client Internet traffic be routed through the VPN? to Yes
- Change the toggle for Have clients use specific DNS servers to Yes
- Select custom DNS server and set the first box to
1.1.1.1
(CloudFlare DNS π¦) and the second to8.8.8.8
Now save the settings, wait for the pop up on the top and click apply the changes to server.
You're good to go
You're all set. You can now connect to your very own VPN server and enjoy a private surf of the net π. On the first page of the browser window you opened earlier, there are five options to download the OpenVPN client for different platform. If you click on windows, you will get an installer with your server address pre-configured. Just enter your user name and password and voila.
Hope this will help you if you need a VPN server setup for free.
Top comments (48)
Cool idea! Are there bandwidth limitations?
Also note, while you're anonymous from private citizens, governments can still obtain Amazon records and associate your Amazon account with your web traffic with this solution.
Yea
But, I guess the point of this article is that you can do the same with a hard-to-associate server (like bitcoin bought one)
That's true, but there are ways to get around that now that you're in full control.
I want to set up one for my friends and family back home who live in a region with full government censorship on pretty much all social media network.
Only concern is cost. Approximately how much would that be if say 10 people use it (average use) for whatsapp, FB and twitter.
I was running the same for my family, ended up paying about $10 p/m
I've got a question if you don't mind (I couldn't find a detailed answer by googling):
Is there any difference when I connect to VPN via client app vs when I connect using OS setup (like Windows 10 network settings)?
Not an expert, I am a web developer and wanted to see how easy it is to set it up π
Good one, I couldn't connect to it using windows VPN connection, so I guess they will presetup all the confif in the client app. You might have to do a bit of digging around to find the setup details and get it working with windows
Actually, I did that for a client long ago (setup OpenVPN linux server).
But, he asked me whether to use Windows VPN connection or the client app or the router (all were working options)...
I picked the router for him since it seemed the safest (and cuz his connection will drop when the VPN is out).
But I still wonder what's the difference between OS settings connection and client app connection π€
The VPN options in most OSes are based on the IPSec protocol. IPSec is a fairly comprehensive VPN protocol, but requires quite some time and skills to set it up properly. And the "easier" solutions are often commercial ones, which are fairly expensive. In addition some OS vendors, like Microsoft, also includes their own VPN alternatives as options.
OpenVPN uses its own protocol, and is thus not compatible with other VPN protocols. This is by design, to avoid implementing lots of features not strictly needed for the task OpenVPN tries to solve.
On the other hand, OpenVPN is an open source product, with the first release in 2001 [1]. Since then, OpenVPN has been through two security audits [2] [3] which it passed with quite few findings. And the critical ones where fixed quickly after [4].
On top of this, a Dutch security company, Fox-IT, has also worked with the Dutch government to deliver a certified OpenVPN solution to be used for data transfer up to the RESTRICTED security level [5] (Going higher than this usually means deploying dedicated VPN hardware). The OpenVPN-NL version is shipping with mbed TLS instead of OpenSSL, where both mbed TLS and OpenVPN has been another round of security audit.
So OpenVPN has proven over time to be a fairly solid and secure VPN solution, with not an enormous amount of security issues [6] over these years.
Thanks David for the detailed information!
I hope you won't mind another question that's been in my head for a decade:
Can a PPTP/L2TP VPN or OpenVPN bypass the (speed limit or throttling or data cap) by ISP?
I mean it encrypts the whole internet package, right? does that include stuff like the size of the package?
I actually tried to setup VPNs for many clients, but their internet experience (speed and capping) didn't change... maybe I didn't do the right setup or maybe it's not possible.
No, you cannot use VPN to circumvent neither traffic throttling or data quotas. The encrypted VPN traffic is also network traffic passing over the Internet.
Some ISPs may have some quotas or throttling on specific services, but you will most like see them doing the reverse in reality - they throttle or have quotas on all the Internet traffic except for selected services they provide with lesser restrictions. And since they most likely won't provide lesser restrictions on VPN services, you can't use VPNs to avoid this.
VPNs may be used to to circumvent blocks to services imposed by ISPs, as they can't see what you use the VPN for. For example, using the Private Tunnel service in China for example, can give you access to a more open Internet.
Thanks David, great intro
Makes tons of sense, thanks David for the explanation π
Just realized, this can use a bit more explanation:
Yes, VPNs encrypt the data being passed between the VPN client and server. But it doesn't make the size of the content "disappear".
So, say you want to download a file of 2MiB. All networks have a restriction of how large each network packet can be. This various slightly, but a very common value is 1500 bytes (this is a fairly comprehensive topic, but MTU and Ethernet frames are keyword). Each packet includes both MAC and IP headers (for TCP/IP traffic), and inside IP headers are your local IP address as well as the destination IP address found. And then comes the payload (the data you want to transfer). But due to this restriction, and the packet header information you have less than 1500 bytes per packet available when trying to transfer this 2MiB file. So what happens is that this large transfer is (automatically) chopped up into smaller pieces, fitting into the maximum capacity you can use. On the receiving side, all these fragments are then assembled and saved to a single file again.
When you add VPN into this mix, the VPN interface will receive a stream of packets, as described above. It will then encrypt each of these packets individually (hiding the contents) and then it will be sent further to the VPN host, which means another set of packet headers (which cannot be encrypted) together with the encrypted payload. The receiving side will then decrypt the payload and pass that to its local VPN interface again, containing the packet headers the sending side used.
What this means is that VPN will give an additional overhead and the effect of the available maximum size for the payload will be further reduced. Again, this is quite a complex topic, as there are approaches to try to avoid too much fragmentation on the VPN packets. But the effect is regardless that VPN in practice reduces the overall "transfer capacity" per network packet.
This means you will in almost all cases spend more data transferring packets passed over the VPN. To illustrate this, here's a (reordered) statistic of a VPN session on my computer. Here are both the packet and byte counters for traffic being sent to the VPN interface (TUN_BYTES_IN/TUN_PACKETS_IN). They are encrypted and sent out to the insecure Internet (BYTES_OUT/PACKETS_OUT)
What you see here is that more data is being sent to the VPN server than was received on the VPN interface. This is because encrypted network packets bigger and need additional splitting.
And for the traffice being sent from the VPN server to my client. BYTES_IN/PACKETS_IN is the encrypted data coming from the VPN server. TUN_BYTES_OUT/TUN_PACKETS_OUT is the decrypted data being sent to the VPN interface.
When receiving encrypted data from the VPN server, we see the reverse effect. We send less data/packets to the VPN interface, because decrypting the packets reduces the size.
And then you might wonder about compression. Compression is an alternative which may be used to reduce this overhead - when the traffic is compressible. But first of all, compression will reduce the security of the VPN tunnel. In addition a lot of the data being transported is already fairly compressed (like .mp3/.avi/.jpg files) or not suitable to compress (like https traffic) - both these cases will not result in much compression effect. So it is not recommended to use compression at all.
So to sum it up: VPNs will not hide the size of the data being transported. The effect will be that you use more data when using VPNs.
Ah, I see now...
It's actually shocking to know that VPN has the opposite effect on data size, regardless of how many falsified articles claim π
BTW guys, David is the team lead core dev of OpenVPN Inc.
Thanks a lot David for the explanation!
Windows 10 doesn't support OpenVPN
Who said so?
openvpn.net/vpn-server-resources/c...
I mean doesn't support out-of-box.
Isn't that a bit like saying it doesn't support spreadsheets?
Sorry for delay, but did your read comment to which I answered?
"Is there any difference when I connect to VPN via client app vs when I connect using OS setup (like Windows 10 network settings)?"
My answer - Window 10 doesn't support OpenVPN out-of-box, you can't setup it via Windows network settings.
Thank you for this excellent guide. Extremely helpful :)
Keep in mind there are a ton of good vpn options, too. Don't get me wrong, OpenVPN is awesome, but there's tinc, wireguard, openconnect, shadowsocks... the number of vpn-like options is boggling.
There's a neat project out there called streisand (link below) which bundles many of these tools together complete with a document output on how to use them. Works within AWS as well. I haven't used it but always struck me as a good intro to vpn-like tools if someone wanted to try them.
github.com/StreisandEffect/streisand
Thanks, the point of article wasn't to compare those, it was how quick you can set something up without prior knowledge
Hello Yaser! I have a question about this config:
"Change the toggle for Should client Internet traffic be routed through the VPN? to Yes"
What's the purpose of it? What happen if I select NO?
Thanks in advance.
If you don't check that toggle, you might be connected to the server, but surfing internet still happens without that. Remember that you can't use windows' native VPN with this, you gotta have to use its client.
When you toggle that, the client changes the routing of your internet traffic through OpenVPN π
Thanks for your response, basically I just need the VPN to browse pages that are blocked by the firewall hehe, I have the OpenVPN client installed in my mac, will it be ok if I disable the option mentioned before? I don't want to incur in any extra charge (using AWS Free Tier)
Thanks
Hmmm, not sure how to route only certain addresses. Better check their docs
Hello! I mean, if I select NO in the "Should client Internet traffic be routed through the VPN? to Yes" Will I have "open internet"? I have changed to NO and seen no difference. I'm still browsing with no restrictions.
Give me some time and I'll dig it up
This is what I found:
It could also be mentioned that using the OpenVPN Connect clients, all you need to provide to connect to your VPN server is the server hostname, username and password. The client setup is then fairly automated.
There are OpenVPN Connect client available for Android and iOS in the respective appstores. Desktop clients can be downloaded by logging into the Access Server web portal.
And in the coming OpenVPN 3 Linux client beta release, there will also be bundled a command line utility where you just need to give the server URL and user credentials, and the VPN profile is downloaded and your Linux host is configured automatically too.
Out of curiosity, why did you choose the Cloudflare primary DNS server (1.1.1.1) and the Google primary DNS server (8.8.8.8) instead of using the Cloudflare secondary DNS server (1.0.0.1) ?
From a network redundancy point of view, I can see this as a reason. From a log privacy viewpoint, the cloudflare secondary DNS might be a better choice.
Ideally you don't want to only be dependent on one DNS provider, and logs shouldn't be plain. But again I am not an expert and this might be the wrong setup π
The point of article was something else
Thanks much for the article and for the feedback!
I just wanted to say THANK YOU SO MUCH for this guide - I had been working with pivpn and had everything in place to set it up, but it was not still not working on my rp4. I was getting into the weeds with network configuration and firewall problems. Having a working VPN server is cool - but it was diving into AWS EC2 instances with this exercise that really made my day. Thank you for doing such a great job in breaking everything down!
After working with it for a moment and realizing that it's been well over a year since I signed up for AWS, I'm wondering what configuration steps should be taken to keep costs down. I set up the budget warning tools and I guess I will see in a few days how much cpu credits are being used. The pricing system seems like it could catch up with you pretty quick if you set an instance up wrong and it tried to chew up resources.
Glad it helped you ππΌ
Yaser
Just set up server on AWS and working fine but how do I create .ovpn files for clients? I have the client profile bundled with the downloaded openvpn client but wonder how to create more profiles. It seems that openvpn server needs to be installed on the AWS image but I can't see any sign of it.
Bit baffled.
Hey Paul,
From what I can see you need to access the server from command line which is mentioned in the article and follow this:
openvpn.net/community-resources/cr...
Let me know if this didn't help you
can you tell me how to set up a client-server for this?
I didn't get your question, this is something you put on your client side code (on img tag) and that's it. Server is only responsible to serve the static files as before, no change required