DEV Community

Yaser Adel Mehraban
Yaser Adel Mehraban

Posted on • Originally published at yashints.dev

Let's setup a VPN server, for free, on AWS, under 5 min 😱🤯🔥

Sometimes you want to connect to internet without someone watching you. This can be due to restrictions applied by governments, ISPs, etc. Maintaining privacy while using internet is very important to some people, and for me personally, the experience was to bypass a ridiculous sensor on sites like Twitter and software like Telegram.

So I thought how hard can it be to setup a VPN server (because I didn't want to pay $5 per month) for a web developer. After Googling a bit, I found out you could easily do this on AWS (Amazon Web Services) for free using OpenVPN. I started setting it up and a couple of mins later I had it up and running.

OpenVPN is a popular open-source tool that is well tested and give you a production ready VPN solution.

So just to not forget how I did it, as usual I thought let's write up something, and who knows, maybe it is useful to you too 😉.

So are you ready?

AWS console

If you don't have an account on AWS (Amazon Web Services), go ahead and create one. It's free, but you will need to have your credit card info handy.

Once signed up, login and under the services menu look for EC2 (you can type and it will filter the services as you type).

Selecting EC2 services from AWS console

Click on EC2 and you will be redirected to its dashboard. Click launch instance button under create instance section.

Select the OpenVPN

Many articles will walk you through setting up an new Linux VM and installing the OpenVPN manually. However, things have changed and some lovely people have put a ready to use service in the AWS marketplace, so we will choose that.

Once in the dashboard, click AWS Marketplace menu from left and type OpenVPN, then press enter.

OpenVPN in AWS Marketplace

Click on select button on the first one with the free tier eligible badge.

Selecting instance type

On the next page click continue and select t2.micro from instance type list.

Choosing free tier instance type

At this stage click on Review and Launch button.

Launch the instance

Select general purpose SSD from the pop up and click next. Now click Launch and you'll see a pop up asking you to select a key pair. This is to let you access the instance later on.

Select a key pair to access the instance

Select create a new key pair (or an existing if you already have one), enter a name and click download key pair.

Save the .pem file somewhere safe as this is like a back door to your server 😁. Click Launch Instance and wait for the instance to go to running state.

status

Click on view instance to see the instance list.

Instance list

Select your instance and click connect.

Preparation

You'll see a set of instructions on a popup on how to connect to your instance.

Instructions on how to connect

In the instruction set they tell you to use PuTTY to connect to your instance using SSH. However, I already have Ubuntu set up in WSL (windows subsystem for Linux) and we can use that. Otherwise you can use PuTTY or even the web browser connection.

Before we do anything we need to set the permissions for our private key 👉🏽 .pem 👈🏽 file, otherwise it wouldn't allow you to connect. If you're using a Linux or Mac machine, simply run the following command:

chmod 400 {name-of-file}.pem
Enter fullscreen mode Exit fullscreen mode

For the rest of you who are like me, right click on the .pem file and click Security > Advance. Then change the owner to yourself, click disable inheritance and remove all permissions. Click add and add yourself and give full control.

Setting the right permissions for private key

Connecting

Once that's done, open a command prompt, type bash and then enter the following command:

sudo ssh -i "{name-of-file}.pem" openvpnas@{serveraddress}.compute.amazonaws.com
Enter fullscreen mode Exit fullscreen mode

Don't forget to replace the file name with whatever you've chosen previously and replace the name of server with what you got from the instruction popup.

Connect prompts

Type yes for the agreement, then just hit enter to have all the defaults confirmed. Once you reached to the end, change the password for the user which will be used to login:

sudo passwd openvpn
Enter fullscreen mode Exit fullscreen mode

Enter a new password twice and you're all set. Open a browser window and type https://{server address}:943/admin and login with openvpn and the password you just set.

Tidy up a few settings

Once in the admin dashboard of OpenVPN, click configuration and apply the following changes:

  • Change the toggle for Should client Internet traffic be routed through the VPN? to Yes
  • Change the toggle for Have clients use specific DNS servers to Yes
  • Select custom DNS server and set the first box to 1.1.1.1 (CloudFlare DNS 🦄) and the second to 8.8.8.8

Now save the settings, wait for the pop up on the top and click apply the changes to server.

You're good to go

You're all set. You can now connect to your very own VPN server and enjoy a private surf of the net 😎. On the first page of the browser window you opened earlier, there are five options to download the OpenVPN client for different platform. If you click on windows, you will get an installer with your server address pre-configured. Just enter your user name and password and voila.

Hope this will help you if you need a VPN server setup for free.

Top comments (48)

Collapse
 
skhmt profile image
Mike • Edited

Cool idea! Are there bandwidth limitations?

Also note, while you're anonymous from private citizens, governments can still obtain Amazon records and associate your Amazon account with your web traffic with this solution.

Collapse
 
yaser profile image
Yaser Al-Najjar

Yea

But, I guess the point of this article is that you can do the same with a hard-to-associate server (like bitcoin bought one)

Collapse
 
yashints profile image
Yaser Adel Mehraban

That's true, but there are ways to get around that now that you're in full control.

Collapse
 
yaverhussain profile image
yaverhussain

I want to set up one for my friends and family back home who live in a region with full government censorship on pretty much all social media network.
Only concern is cost. Approximately how much would that be if say 10 people use it (average use) for whatsapp, FB and twitter.

Thread Thread
 
yashints profile image
Yaser Adel Mehraban

I was running the same for my family, ended up paying about $10 p/m

Collapse
 
yaser profile image
Yaser Al-Najjar

I've got a question if you don't mind (I couldn't find a detailed answer by googling):

Is there any difference when I connect to VPN via client app vs when I connect using OS setup (like Windows 10 network settings)?

Collapse
 
yashints profile image
Yaser Adel Mehraban

Not an expert, I am a web developer and wanted to see how easy it is to set it up 🙃

Collapse
 
yashints profile image
Yaser Adel Mehraban

Good one, I couldn't connect to it using windows VPN connection, so I guess they will presetup all the confif in the client app. You might have to do a bit of digging around to find the setup details and get it working with windows

Collapse
 
yaser profile image
Yaser Al-Najjar • Edited

Actually, I did that for a client long ago (setup OpenVPN linux server).

But, he asked me whether to use Windows VPN connection or the client app or the router (all were working options)...

I picked the router for him since it seemed the safest (and cuz his connection will drop when the VPN is out).

But I still wonder what's the difference between OS settings connection and client app connection 🤔

Thread Thread
 
dsommers profile image
David Sommerseth

The VPN options in most OSes are based on the IPSec protocol. IPSec is a fairly comprehensive VPN protocol, but requires quite some time and skills to set it up properly. And the "easier" solutions are often commercial ones, which are fairly expensive. In addition some OS vendors, like Microsoft, also includes their own VPN alternatives as options.

OpenVPN uses its own protocol, and is thus not compatible with other VPN protocols. This is by design, to avoid implementing lots of features not strictly needed for the task OpenVPN tries to solve.

On the other hand, OpenVPN is an open source product, with the first release in 2001 [1]. Since then, OpenVPN has been through two security audits [2] [3] which it passed with quite few findings. And the critical ones where fixed quickly after [4].

On top of this, a Dutch security company, Fox-IT, has also worked with the Dutch government to deliver a certified OpenVPN solution to be used for data transfer up to the RESTRICTED security level [5] (Going higher than this usually means deploying dedicated VPN hardware). The OpenVPN-NL version is shipping with mbed TLS instead of OpenSSL, where both mbed TLS and OpenVPN has been another round of security audit.

So OpenVPN has proven over time to be a fairly solid and secure VPN solution, with not an enormous amount of security issues [6] over these years.

Thread Thread
 
yaser profile image
Yaser Al-Najjar

Thanks David for the detailed information!

I hope you won't mind another question that's been in my head for a decade:

Can a PPTP/L2TP VPN or OpenVPN bypass the (speed limit or throttling or data cap) by ISP?

I mean it encrypts the whole internet package, right? does that include stuff like the size of the package?

I actually tried to setup VPNs for many clients, but their internet experience (speed and capping) didn't change... maybe I didn't do the right setup or maybe it's not possible.

Thread Thread
 
dsommers profile image
David Sommerseth

No, you cannot use VPN to circumvent neither traffic throttling or data quotas. The encrypted VPN traffic is also network traffic passing over the Internet.

Some ISPs may have some quotas or throttling on specific services, but you will most like see them doing the reverse in reality - they throttle or have quotas on all the Internet traffic except for selected services they provide with lesser restrictions. And since they most likely won't provide lesser restrictions on VPN services, you can't use VPNs to avoid this.

VPNs may be used to to circumvent blocks to services imposed by ISPs, as they can't see what you use the VPN for. For example, using the Private Tunnel service in China for example, can give you access to a more open Internet.

Thread Thread
 
yashints profile image
Yaser Adel Mehraban

Thanks David, great intro

 
yaser profile image
Yaser Al-Najjar

Makes tons of sense, thanks David for the explanation 😊

Thread Thread
 
dsommers profile image
David Sommerseth

Just realized, this can use a bit more explanation:

I mean it encrypts the whole internet package, right? does that include stuff like the size of the package?

Yes, VPNs encrypt the data being passed between the VPN client and server. But it doesn't make the size of the content "disappear".

So, say you want to download a file of 2MiB. All networks have a restriction of how large each network packet can be. This various slightly, but a very common value is 1500 bytes (this is a fairly comprehensive topic, but MTU and Ethernet frames are keyword). Each packet includes both MAC and IP headers (for TCP/IP traffic), and inside IP headers are your local IP address as well as the destination IP address found. And then comes the payload (the data you want to transfer). But due to this restriction, and the packet header information you have less than 1500 bytes per packet available when trying to transfer this 2MiB file. So what happens is that this large transfer is (automatically) chopped up into smaller pieces, fitting into the maximum capacity you can use. On the receiving side, all these fragments are then assembled and saved to a single file again.

When you add VPN into this mix, the VPN interface will receive a stream of packets, as described above. It will then encrypt each of these packets individually (hiding the contents) and then it will be sent further to the VPN host, which means another set of packet headers (which cannot be encrypted) together with the encrypted payload. The receiving side will then decrypt the payload and pass that to its local VPN interface again, containing the packet headers the sending side used.

What this means is that VPN will give an additional overhead and the effect of the available maximum size for the payload will be further reduced. Again, this is quite a complex topic, as there are approaches to try to avoid too much fragmentation on the VPN packets. But the effect is regardless that VPN in practice reduces the overall "transfer capacity" per network packet.

This means you will in almost all cases spend more data transferring packets passed over the VPN. To illustrate this, here's a (reordered) statistic of a VPN session on my computer. Here are both the packet and byte counters for traffic being sent to the VPN interface (TUN_BYTES_IN/TUN_PACKETS_IN). They are encrypted and sent out to the insecure Internet (BYTES_OUT/PACKETS_OUT)

     TUN_BYTES_IN............12334129   (VPN interface)
     BYTES_OUT...............15770719   (WLAN interface)
     TUN_PACKETS_IN............136912   (VPN interface)
     PACKETS_OUT...............136942   (WLAN interface)

What you see here is that more data is being sent to the VPN server than was received on the VPN interface. This is because encrypted network packets bigger and need additional splitting.

And for the traffice being sent from the VPN server to my client. BYTES_IN/PACKETS_IN is the encrypted data coming from the VPN server. TUN_BYTES_OUT/TUN_PACKETS_OUT is the decrypted data being sent to the VPN interface.

     BYTES_IN...............249144390  (WLAN interface)
     TUN_BYTES_OUT..........244135442  (VPN interface)
     PACKETS_IN................202284  (WLAN interface)
     TUN_PACKETS_OUT...........202254  (VPN interface)

When receiving encrypted data from the VPN server, we see the reverse effect. We send less data/packets to the VPN interface, because decrypting the packets reduces the size.

And then you might wonder about compression. Compression is an alternative which may be used to reduce this overhead - when the traffic is compressible. But first of all, compression will reduce the security of the VPN tunnel. In addition a lot of the data being transported is already fairly compressed (like .mp3/.avi/.jpg files) or not suitable to compress (like https traffic) - both these cases will not result in much compression effect. So it is not recommended to use compression at all.

So to sum it up: VPNs will not hide the size of the data being transported. The effect will be that you use more data when using VPNs.

Thread Thread
 
yaser profile image
Yaser Al-Najjar

Ah, I see now...

It's actually shocking to know that VPN has the opposite effect on data size, regardless of how many falsified articles claim 😁

BTW guys, David is the team lead core dev of OpenVPN Inc.

Thanks a lot David for the explanation!

Collapse
 
fiftin profile image
Denis Gukov

Windows 10 doesn't support OpenVPN

Collapse
 
yaser profile image
Yaser Al-Najjar

Who said so?

This program is designed to function on Windows Vista, 7, 8, and Windows 10.

openvpn.net/vpn-server-resources/c...

Thread Thread
 
fiftin profile image
Denis Gukov

I mean doesn't support out-of-box.

Thread Thread
 
emathiasen profile image
Eric Mathiasen

Isn't that a bit like saying it doesn't support spreadsheets?

Thread Thread
 
fiftin profile image
Denis Gukov • Edited

Sorry for delay, but did your read comment to which I answered?

"Is there any difference when I connect to VPN via client app vs when I connect using OS setup (like Windows 10 network settings)?"

My answer - Window 10 doesn't support OpenVPN out-of-box, you can't setup it via Windows network settings.

Collapse
 
vpnprogramlari profile image
VPN Programları

Thank you for this excellent guide. Extremely helpful :)

Collapse
 
flrichar profile image
Fred Richards

Keep in mind there are a ton of good vpn options, too. Don't get me wrong, OpenVPN is awesome, but there's tinc, wireguard, openconnect, shadowsocks... the number of vpn-like options is boggling.

There's a neat project out there called streisand (link below) which bundles many of these tools together complete with a document output on how to use them. Works within AWS as well. I haven't used it but always struck me as a good intro to vpn-like tools if someone wanted to try them.

github.com/StreisandEffect/streisand

Collapse
 
yashints profile image
Yaser Adel Mehraban

Thanks, the point of article wasn't to compare those, it was how quick you can set something up without prior knowledge

Collapse
 
milonurv88 profile image
Luis Manuel Jimenez • Edited

Hello Yaser! I have a question about this config:

"Change the toggle for Should client Internet traffic be routed through the VPN? to Yes"

What's the purpose of it? What happen if I select NO?

Thanks in advance.

Collapse
 
yashints profile image
Yaser Adel Mehraban

If you don't check that toggle, you might be connected to the server, but surfing internet still happens without that. Remember that you can't use windows' native VPN with this, you gotta have to use its client.

When you toggle that, the client changes the routing of your internet traffic through OpenVPN 😊

Collapse
 
milonurv88 profile image
Luis Manuel Jimenez

Thanks for your response, basically I just need the VPN to browse pages that are blocked by the firewall hehe, I have the OpenVPN client installed in my mac, will it be ok if I disable the option mentioned before? I don't want to incur in any extra charge (using AWS Free Tier)
Thanks

Thread Thread
 
yashints profile image
Yaser Adel Mehraban

Hmmm, not sure how to route only certain addresses. Better check their docs

Thread Thread
 
milonurv88 profile image
Luis Manuel Jimenez

Hello! I mean, if I select NO in the "Should client Internet traffic be routed through the VPN? to Yes" Will I have "open internet"? I have changed to NO and seen no difference. I'm still browsing with no restrictions.

Thread Thread
 
yashints profile image
Yaser Adel Mehraban

Give me some time and I'll dig it up

Thread Thread
 
yashints profile image
Yaser Adel Mehraban

This is what I found:

If you only have a small network you would like your remote users to connect to over the VPN, select no. Otherwise, if you would like everything to go through the VPN while the user is connected (especially useful if you want to secure data communications over an insecure link), select yes for this option.

Collapse
 
dsommers profile image
David Sommerseth

It could also be mentioned that using the OpenVPN Connect clients, all you need to provide to connect to your VPN server is the server hostname, username and password. The client setup is then fairly automated.

There are OpenVPN Connect client available for Android and iOS in the respective appstores. Desktop clients can be downloaded by logging into the Access Server web portal.

And in the coming OpenVPN 3 Linux client beta release, there will also be bundled a command line utility where you just need to give the server URL and user credentials, and the VPN profile is downloaded and your Linux host is configured automatically too.

Collapse
 
glenwild profile image
glenwild

Out of curiosity, why did you choose the Cloudflare primary DNS server (1.1.1.1) and the Google primary DNS server (8.8.8.8) instead of using the Cloudflare secondary DNS server (1.0.0.1) ?

From a network redundancy point of view, I can see this as a reason. From a log privacy viewpoint, the cloudflare secondary DNS might be a better choice.

Collapse
 
yashints profile image
Yaser Adel Mehraban

Ideally you don't want to only be dependent on one DNS provider, and logs shouldn't be plain. But again I am not an expert and this might be the wrong setup 🙃

The point of article was something else

Collapse
 
glenwild profile image
glenwild

Thanks much for the article and for the feedback!

Collapse
 
dallaswhitehat profile image
B • Edited

I just wanted to say THANK YOU SO MUCH for this guide - I had been working with pivpn and had everything in place to set it up, but it was not still not working on my rp4. I was getting into the weeds with network configuration and firewall problems. Having a working VPN server is cool - but it was diving into AWS EC2 instances with this exercise that really made my day. Thank you for doing such a great job in breaking everything down!

After working with it for a moment and realizing that it's been well over a year since I signed up for AWS, I'm wondering what configuration steps should be taken to keep costs down. I set up the budget warning tools and I guess I will see in a few days how much cpu credits are being used. The pricing system seems like it could catch up with you pretty quick if you set an instance up wrong and it tried to chew up resources.

Collapse
 
yashints profile image
Yaser Adel Mehraban

Glad it helped you 👌🏼

Collapse
 
paullowman profile image
Paul-Lowman

Yaser

Just set up server on AWS and working fine but how do I create .ovpn files for clients? I have the client profile bundled with the downloaded openvpn client but wonder how to create more profiles. It seems that openvpn server needs to be installed on the AWS image but I can't see any sign of it.
Bit baffled.

Collapse
 
yashints profile image
Yaser Adel Mehraban

Hey Paul,

From what I can see you need to access the server from command line which is mentioned in the article and follow this:

openvpn.net/community-resources/cr...

Let me know if this didn't help you

Collapse
 
agassijoelvedala profile image
agassijoelvedala

can you tell me how to set up a client-server for this?

Collapse
 
yashints profile image
Yaser Adel Mehraban

I didn't get your question, this is something you put on your client side code (on img tag) and that's it. Server is only responsible to serve the static files as before, no change required