
Tutorial – Amazon Web Services – Roll Your Own VPN

So... confession: I did the work for this blog post back in May but never got around to writing it. Between taking summer classes, teaching summer school, the madness of the fall, dissertation work, teaching, and Covid (can't forget Covid)... here it is now, late but better than never.

For a while, all I was hearing (and seeing in my social media timeline) were ads for VPNs. I had my suspicions about most of these providers because they just didn't sound reputable. It also seems odd that, to avoid the threat of snooping on my Internet traffic, I would route everything through an opaque provider with no real assurance that it is actually protecting my privacy. As an aside, I play in Amazon AWS quite often, so it seemed like a pretty good opportunity to roll my own VPN that way. I did a little research and found that OpenVPN has apps for both Android and iOS, so I decided to go that way.

If you think I'm paranoid in this area, read up here, here, or here. The one where NordVPN got hacked is the one that did it for me. There is everything from VPNs getting hacked, to others logging traffic, to still others that are outright scams.

So yeah, it will be mine or none.

So the first question is: how hard was it to set up?

I got a t2.micro EC2 instance and an Elastic IP (I used up my free tier a long time ago) and assigned a hostname in Route 53. That took about 5 minutes of clicking through the AWS control panel. Once I logged in to the EC2 instance, I ran the usual Ubuntu EC2 trinity of commands:

sudo apt update
sudo apt upgrade

Downloaded and ran the OpenVPN install script:

wget -O
chmod +x
sudo ./

You need to know the IPv4 address OpenVPN will listen on. This is the private IPv4 address of the EC2 instance: the Elastic IP is translated to it at the VPC edge and never appears on the instance's own interface, so the server binds to the private address while clients connect to the public one:

EC2 network screenshot

I rolled with UDP as the protocol for OpenVPN connections, listening on port 1194 (the standard port).

I chose Google as the DNS provider.

After letting the script run through its configuration tasks, I had to provide my Elastic IP as the external address for the VPN.

More script running, and it dropped the client config file (client.ovpn). When it's all done, you will have a tunnel interface (tun0) for the VPN traffic.

Image of routing table with tunnel interface (tun0)
Image of tunnel interface config (tun0)

You must make sure the instance's security group has an inbound rule allowing UDP/1194 (the same protocol and port the script configured) from wherever your clients will connect. This is how you will connect to the VPN, and it is the only port the VPN itself needs exposed; the SSH rule can stay restricted to your own address.

EC2 security screen shot
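Two things in the steps above are easy to get wrong and only show up as a client that silently never connects: the private instance address ending up in the client profile instead of the Elastic IP, and a profile whose protocol or port does not match the security-group rule. The following checker is an added example, not the author's code or part of the install script; it parses a constructed sample client.ovpn (the address 172.31.5.17 is an arbitrary VPC-range placeholder, the certificate bodies are elided, and vpn.example.com is a hypothetical Route 53 name) and reports anything that would stop the profile from working or weaken it.

```python
"""Sanity-check an OpenVPN client profile (client.ovpn) before importing it."""
import ipaddress
import re

# Constructed sample profile for illustration; not the author's client.ovpn.
# 172.31.5.17 is a placeholder private VPC address; the inline certificate,
# key and tls-crypt bodies are elided with "..." and are not real material.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote 172.31.5.17 1194
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
verb 3
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
<tls-crypt>
...
</tls-crypt>
"""

# Inline blocks such as <ca>...</ca>; the backreference requires matching tags.
_BLOCK_RE = re.compile(r"<([A-Za-z][\w-]*)>(.*?)</\1>", re.DOTALL)


def parse_profile(text):
    """Return (directives, inline_blocks).

    directives: list of (keyword, [args]) from the non-inline part of the file,
    with '#' / ';' comment lines dropped.
    inline_blocks: set of inline tag names present, e.g. {'ca', 'cert', 'key'}.
    """
    blocks = {m.group(1) for m in _BLOCK_RE.finditer(text)}
    body = _BLOCK_RE.sub("", text)
    directives = []
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives, blocks


def is_private_host(host):
    """True when host is a literal IP address that is not globally routable
    (RFC 1918, link-local, loopback). Hostnames return False."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def check_profile(text, expected_host=None, expected_proto="udp", expected_port=1194):
    """Return a list of findings; an empty list means the profile passed.

    expected_proto/expected_port should mirror the security-group rule
    (UDP/1194 in this post) so the profile and the firewall agree.
    """
    directives, blocks = parse_profile(text)
    findings = []
    remotes = [args for kw, args in directives if kw == "remote"]
    # A global 'proto' applies to any 'remote' that does not override it.
    proto = next((a[0] for kw, a in directives if kw == "proto" and a), expected_proto)

    if not remotes:
        findings.append("no 'remote' directive: client has nowhere to connect")
    for args in remotes:
        host = args[0] if args else ""
        port = int(args[1]) if len(args) > 1 else 1194
        rproto = args[2] if len(args) > 2 else proto
        if is_private_host(host):
            findings.append(f"remote {host} is a non-global address; use the Elastic IP or its DNS name")
        if expected_host and host != expected_host:
            findings.append(f"remote {host} != expected {expected_host}")
        if port != expected_port:
            findings.append(f"remote port {port} != security-group port {expected_port}")
        if rproto.lower().rstrip("46") != expected_proto:  # udp4/udp6 -> udp
            findings.append(f"remote proto {rproto} != security-group proto {expected_proto}")

    if "ca" not in blocks:
        findings.append("no inline <ca>: client cannot authenticate the server")
    has_client_cert = "cert" in blocks and "key" in blocks
    uses_password = any(kw == "auth-user-pass" for kw, _ in directives)
    if not (has_client_cert or uses_password):
        findings.append("no <cert>/<key> and no auth-user-pass: client cannot authenticate")
    if not ({"tls-crypt", "tls-auth"} & blocks):
        findings.append("no <tls-crypt>/<tls-auth>: control channel accepts unauthenticated packets")
    if not any(kw == "remote-cert-tls" and a == ["server"] for kw, a in directives):
        findings.append("missing 'remote-cert-tls server': a client certificate could impersonate the server")
    return findings


if __name__ == "__main__":
    for finding in check_profile(SAMPLE_PROFILE) or ["profile OK"]:
        print(finding)
```

Run against the sample as written it reports only the private 172.31.5.17 remote; swap that line for the public hostname and it comes back clean. The tls-crypt and remote-cert-tls checks are there because a profile that connects without them still works, which is exactly why nobody notices they are missing.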

The last thing to do is start OpenVPN on the EC2 instance:

sudo systemctl start openvpn

There was a guide that recommended using openvpn@server, but that did not work for me. (On Ubuntu the instance name in openvpn@<name> has to match a config file at /etc/openvpn/<name>.conf; packages that place the server config under /etc/openvpn/server/ use the openvpn-server@<name> unit instead.)

When running, the service will look like this (mine has now been up for months):

Starting openvpn on server

I decided to make my iPhone my test device. Great guide for this here.

Basically three steps: install the OpenVPN client (free), configure it (No additional Service), and import the config profile file.

Almost done... I have to import the profile (client.ovpn). I sftp'd it from my server to my laptop and Gmailed it to myself; iPhones aren't super friendly for transferring files. If you have your mail app configured on the iPhone you can download it from there. Keep in mind that client.ovpn embeds the client's private key, so treat any copy sitting in a mailbox like a password and delete it once it is imported. This seemed less problematic than trying to transfer the file with iTunes. You can also move the file over via Finder (if you have macOS).

Whichever way you do it, once you have the config file on the client, you are ready to configure OpenVPN to add the VPN.

Edit: I also added the config to my MacBook; extremely easy. Download the OpenVPN client, then copy over the client.ovpn file generated during the config process and load it.

downloading client config and importing into OpenVPN on Mac

Click through the menus and you are good to go.

imported profile

From that point on you can connect or disconnect from the VPN at will.

Limitations: Because this VPN sends your traffic out from Amazon's address space, you will have some interesting user experiences. It is very easy for services and websites that don't like VPN traffic to recognize the source and block you or limit your access. Still, for basic secure access to the Internet, it works... I might investigate routing the traffic back through my home network in the future.

Questions? Comments? Shoot me a note on Twitter...