
How to create an Amazon VPN server with Amazon web services

While existing VPNs come with a multitude of subscription choices, most of them – or the fast, reliable ones at least – are only available with a monthly purchase. In this guide, we show you how to create a VPN on Amazon web services, so you can avoid those monthly subscription costs. 

AWS Requirements

Amazon Web Services provides two different VPN server options: OpenVPN and SSH Tunneling. Each option has its ups and downs, and both are worth extensively researching before making a decision. Regardless of whether you choose OpenVPN or SSH Tunneling, you will still need to meet the following requirements:

  • An account with Amazon Web Services
  • A credit card to register for Amazon Web Services (with no charge unless you go over the preset amounts)
  • PuTTy (SSH client)
  • PuTTyGen (key generator)
  • WinSCP (FTP server)

How to set up Amazon VPN on AWS

Setting up your VPN on Amazon Web Services is pretty straightforward. For Windows users, you’ll need to complete the following steps after registering for an account and setting up your billing information.

 

  1. When prompted, choose the Free Basic Plan
  2. In the search bar, type and click on EC2
  3. From the EC2 dashboard, select Launch Instance
  4. Select the first free tier eligible option: Amazon Linux AMI
  5. Choose the free tier eligible t2.micro option (usually pre-selected)
  6. Select Review and Launch at the bottom of the page
  7. Click on Edit security groups
  8. Click on Add Rule
  9. Under the dropdown menu for Type, select Custom UDP
  10. Set the Port Range to 1194
  11. Under Source, select Anywhere
  12. Select Launch
  13. When prompted, select the drop-down menu and choose Create a new key pair
  14. Name your key pair
  15. Select Download Key Pair and store it somewhere safe
  16. Select Launch Instances
  17. On the Launch Status screen, select View Instances
  18. Verify that only one instance is launched (if this is your first time using EC2)

How to Use your Amazon VPN with SSH Tunneling

Many people use VPNs in the hopes of accessing geographically restricted content. If your sole reason for wanting to use a VPN is to access content that’s not available in your country, SSH tunneling is probably your best and easiest option. While SSH tunneling isn’t perfect, it is great for lightweight use such as basic web browsing or weaseling your way around geographically locked websites/services.

To set up SSH tunneling, complete the following steps:

  1. Download the PuTTy and PuTTyGen .exe files
  2. Double click on PuTTyGen to open it
  3. Select Load
  4. On the dropdown menu in the lower right corner, select All File Types
  5. Choose your key pair file from earlier
  6. Select Save Private Key
  7. Your file name must match your .pem key verbatim
  8. OPTIONAL: create a passphrase
  9. Exit out of PuTTyGen and open PuTTy
  10. Navigate to your AWS EC2 Dashboard
  11. Copy your IPv4 Public IP
  12. Paste your IPv4 Public IP into PuTTy’s Host Name (or IP address)
  13. Choose a Session Name
  14. Select Save
  15. In the left panel, navigate to SSH>Auth
  16. Under Authentication parameters, select Browse
  17. Navigate to the private key you generated earlier and select it
  18. In the left panel, navigate to SSH>Tunnels
  19. Under Add new forwarded port: type in 8080 & select Dynamic and Auto
  20. Navigate back to Session & select Save
  21. Select Open
  22. When prompted for a username, type ec2-user for Amazon Linux AMI
  23. Proceed to the next steps based on your preferred browser

Firefox

  1. Open Firefox
  2. Navigate to Tools>Options>Advanced>Network>Connection>Settings>Manual proxy configuration 
  3. Set the SOCKS Host to 127.0.0.1
  4. Set the Port to 8080
  5. Hit Save

Chrome

  1. Install the Proxy SwitchySharp extension from the Chrome Web Store
  2. A setup screen will pop up
  3. Choose a name
  4. Select Manual Configuration 
  5. Change the SOCKS Host to 127.0.0.1
  6. Change the Port to 8080
  7. Everything else should be left blank
  8. Select Save
  9. Click the extension icon and select your proxy profile 

After completing the above steps, you’ll be successfully tunneling your browser’s traffic through your EC2 instance. That said, SSH tunneling is only useful for lightweight browsing and accessing some geographically restricted content. If your intent is to create a fully functioning VPN with the ability to reroute all internet traffic, OpenVPN is the option you’ll want to look into. We go into detail below.

How to Use AWS with OpenVPN

As an open source application, OpenVPN is a great VPN tool to use. With the ability to reroute all of your internet traffic through your EC2 instance, OpenVPN is also able to assist in VPN usage for applications like Steam or Battle.net. OpenVPN setup might seem complex when drifting your eyes over the instructions, but the truth is that it’s fairly simple (if not a bit time consuming).

Installing OpenVPN On AWS

  1. Using the instructions above, connect your EC2 instance to PuTTy
  2. A command prompt displaying Amazon Linux AMI should pop up
  3. Copy & paste the following commands individually into your command prompt (the 10.8.0.0/24 rule covers the easy-rsa server’s client pool and the 10.4.0.0/24 rule covers the static-key tunnel, both set up later in this guide):
  • sudo yum install -y openvpn
  • sudo modprobe iptable_nat
  • echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
  • sudo iptables -t nat -A POSTROUTING -s 10.4.0.0/24 -o eth0 -j MASQUERADE
  • sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
  4. If the first command listed above doesn’t work, replace it with:
  • sudo apt-get install -y openvpn

Connecting to OpenVPN via easy-rsa 

When it comes to setting up your OpenVPN server, you have a couple of different methods. The first one allows you to connect to various devices simultaneously via easy-rsa, while the second method only allows one connection at a time via static encryption.

Server Configuration 

  1. Copy & paste the following commands individually into your command prompt (the second one makes a working copy of easy-rsa at /usr/share/easy-rsa/2.0/CA, the directory the remaining steps use):
  • sudo yum install easy-rsa -y --enablerepo=epel
  • sudo cp -via /usr/share/easy-rsa/2.0 /tmp/CA && sudo mv /tmp/CA /usr/share/easy-rsa/2.0/CA
  2. Enable the root user by typing sudo su into your command prompt
  3. In the next step, you will be asked to fill in information like your occupation/company – select the default by hitting Enter when prompted
  4. Copy & paste the following commands individually into your command prompt:
  • cd /usr/share/easy-rsa/2.0/CA
  • source ./vars
  • ./clean-all
  • ./build-ca
  • ./build-key-server server
  • ./build-dh 2048
  5. To set up your device, copy & paste the following commands individually into your command prompt:
  • ./build-key client
  • cd /usr/share/easy-rsa/2.0/CA/keys
  • openvpn --genkey --secret pfs.key
  • mkdir /etc/openvpn/keys
  • for file in server.crt server.key ca.crt dh2048.pem pfs.key; do cp $file /etc/openvpn/keys/; done
  • cd /etc/openvpn
  • nano server.conf
  6. The Nano text editor will open – copy & paste the following text:

port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem
cipher AES-256-CBC
auth SHA512
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
tls-server
tls-auth /etc/openvpn/keys/pfs.key

  7. To save and exit the config text, hit CTRL+O followed by CTRL+X
  8. Start OpenVPN by typing into your command prompt:
  • sudo service openvpn start

Client Configuration 

  1. Copy & paste the following commands into your command prompt:
  • cd /usr/share/easy-rsa/2.0/CA
  • chmod 777 keys
  • cd keys
  • for file in client.crt client.key ca.crt dh2048.pem pfs.key ca.key; do sudo chmod 777 $file; done
  2. Download WinSCP with default installation options & open it
  3. WinSCP will prompt you to import your server authentication details from PuTTy
  4. Select the one you created in earlier steps
  5. Select Edit and type in under username: ec2-user
  6. Hit Login
  7. Click on Edit & then Advanced
  8. Navigate to SSH>Authentication>Private key file
  9. Find your PPK file
  10. Back on the main screen, enter your EC2 instance IPv4 address in the Host Name field
  11. Save your settings
  12. In the right panel, navigate to the directory that holds your key files
  13. Highlight the five necessary files: client.crt, client.key, ca.crt, dh2048.pem, and pfs.key
  14. Select the green Download button
  15. Save the files wherever you want
  16. Navigate back to the PuTTy Command Prompt
  17. Copy & paste the following commands (ca.key is included so it does not stay world-readable after the chmod 777 above):
  • for file in client.crt client.key ca.crt dh2048.pem pfs.key ca.key; do sudo chmod 600 $file; done
  • cd ..
  • chmod 600 keys
  18. On your PC, move the five files into your OpenVPN configuration folder (default location is C:\Program Files\OpenVPN\config)

Creating the Client Configuration File

The last thing we need to do is create the client configuration file. Luckily, this is easily done using your basic text editor.

  1. Right-click on any basic plaintext editor 
  2. Select Run as administrator 
  3. Copy & paste the following configuration:

client
dev tun
proto udp
remote YOUR.EC2.INSTANCE.IP 1194
ca ca.crt
cert client.crt
key client.key
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
cipher AES-256-CBC
auth SHA512
resolv-retry infinite
auth-retry none
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
tls-client
tls-auth pfs.key

  4. Save the config as client.ovpn
  5. Save the config file in the same directory as your other five files (default is C:\Program Files\OpenVPN\config)
  6. Finally, right click on the OpenVPN GUI and select Run as administrator
  7. In your system tray below, right click on the OpenVPN icon
  8. Connect to the appropriate configuration
  9. If successful, the OpenVPN icon will turn green
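A common reason the icon never turns green is that the client file and server.conf disagree on cipher, auth, proto or port, or that tls-auth is configured on only one side. The script below is an added example, not part of the original guide: it pulls those directives out of a server.conf and a client .ovpn and reports every mismatch, using copies of this guide’s own settings constructed inline as sample input (the scratch directory $TMP is created by the script).

```shell
#!/bin/sh
# Added example (not from the original article): check that a client .ovpn and
# the server.conf it will talk to agree on the settings that must match, and
# that tls-auth is configured on both sides or neither. The two sample configs
# are constructed here from the values used in this guide; $TMP is a scratch dir.
set -eu

# cfg_get FILE DIRECTIVE -> value of the first matching directive ("" if absent,
# "set" for a directive that takes no value, such as comp-lzo)
cfg_get() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); sub(/[ \t]*#.*$/, ""); print ($0 == "" ? "set" : $0); exit }' "$1"
}

# check_pair SERVER_CONF CLIENT_OVPN -> one line per mismatch; returns 1 if any
check_pair() {
    server="$1"; client="$2"; rc=0
    for d in cipher auth comp-lzo; do            # must be identical on both ends
        s=$(cfg_get "$server" "$d"); c=$(cfg_get "$client" "$d")
        [ "$s" = "$c" ] || { echo "mismatch: $d server='$s' client='$c'"; rc=1; }
    done
    sproto=$(cfg_get "$server" proto); cproto=$(cfg_get "$client" proto)
    case "$sproto/$cproto" in                    # udp<->udp, tcp-server<->tcp-client
        udp/udp|tcp/tcp|tcp-server/tcp-client) ;;
        *) echo "mismatch: proto server='$sproto' client='$cproto'"; rc=1 ;;
    esac
    sport=$(cfg_get "$server" port)              # client port: "remote HOST PORT" or "port"
    cport=$(cfg_get "$client" remote | awk '{print $2}')
    [ -n "$cport" ] || cport=$(cfg_get "$client" port)
    [ "$sport" = "${cport:-1194}" ] || { echo "mismatch: port server='$sport' client='$cport'"; rc=1; }
    sta=$(cfg_get "$server" tls-auth); cta=$(cfg_get "$client" tls-auth)
    [ "${sta:+1}" = "${cta:+1}" ] || { echo "mismatch: tls-auth on one side only"; rc=1; }
    return $rc
}
TMP=$(mktemp -d)
cat > "$TMP/server.conf" <<'EOF'
port 1194
proto udp
cipher AES-256-CBC
auth SHA512
comp-lzo
tls-auth /etc/openvpn/keys/pfs.key
EOF
cat > "$TMP/client.ovpn" <<'EOF'
client
proto udp
remote YOUR.EC2.INSTANCE.IP 1194
cipher AES-256-CBC
auth SHA512
comp-lzo
tls-auth pfs.key
EOF
# A client left at the old default cipher and without tls-auth: the server discards
# its packets (HMAC check fails) and the client only ever sees a handshake timeout.
sed 's/^cipher .*/cipher BF-CBC/; /^tls-auth/d' "$TMP/client.ovpn" > "$TMP/bad.ovpn"
check_pair "$TMP/server.conf" "$TMP/client.ovpn" && echo "client.ovpn matches server.conf"
```

Two directives in the client file above are worth knowing about when you upgrade: OpenVPN 2.5 removed ns-cert-type (remote-cert-tls server is its replacement), and comp-lzo has been deprecated since 2.4.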

Removing the Certificate Authority File 

In order to remain as secure as possible, our team at ProPrivacy.com recommends removing the ca.key file from your server. On the off chance that the certificate authority is compromised, you will never want to trust certificates provided by that CA in the future. Before completing the following steps, however, be sure that you have the keys/certificates for every device you want to connect.

  1. Select ca.key
  2. Instead of selecting the Download button, select Download and Delete
  3. Store the file in a safe location 
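To confirm that the chmod steps earlier left nothing readable by other users, and that ca.key really is gone from the server, this added script (not from the original guide) audits the key directory; it assumes the guide’s /etc/openvpn/keys layout (pass it as KEY_DIR) and otherwise runs against a throwaway sample directory it constructs itself.

```shell
#!/bin/sh
# Added example (not from the original article): audit the server's key directory
# after the chmod steps in this guide. It flags ca.key if it is still on the
# server and any private key or tls-auth secret (*.key) that is readable by group
# or others. KEY_DIR defaults to a constructed sample directory built below only
# to show the checks; on the server run it with KEY_DIR=/etc/openvpn/keys.
set -eu

# owner_only PATH -> true when the mode has no group/other bits (e.g. 600, 700)
owner_only() {
    case "$(stat -c '%a' "$1")" in *00) return 0 ;; *) return 1 ;; esac
}

# audit_keys DIR -> prints one finding per line; returns 1 if there were any
audit_keys() {
    dir="$1"; rc=0
    owner_only "$dir" || { echo "$dir is mode $(stat -c '%a' "$dir"); expected owner-only"; rc=1; }
    for f in "$dir"/*.key; do
        [ -f "$f" ] || continue                   # no *.key files at all
        name=$(basename "$f")
        if [ "$name" = "ca.key" ]; then
            echo "ca.key is still in $dir: move it off the server"; rc=1
        elif ! owner_only "$f"; then
            echo "$name is mode $(stat -c '%a' "$f"); expected 600"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: one good key, one world-readable tls-auth secret, ca.key left behind.
SAMPLE=$(mktemp -d)/keys
mkdir -m 700 "$SAMPLE"
for k in server.key pfs.key ca.key; do : > "$SAMPLE/$k"; done
chmod 600 "$SAMPLE/server.key" "$SAMPLE/ca.key"
chmod 644 "$SAMPLE/pfs.key"
: > "$SAMPLE/ca.crt"                                 # certificates are public; not checked

audit_keys "${KEY_DIR:-$SAMPLE}" || echo "fix the findings above before relying on this server"
```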

Fixing Reboot or Maintenance Problems 

If you experience problems after rebooting your PC or completing maintenance, you can set up OpenVPN as a service by typing the following commands in your command prompt. Most times, this fixes the issue.

If the above commands don’t work or you seem to connect to the VPN but not the internet, try resetting your iptable settings by running the commands from earlier:

  • echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
  • sudo iptables -t nat -A POSTROUTING -s 10.4.0.0/24 -o eth0 -j MASQUERADE
  • sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
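Re-running those commands after every reboot appends a second copy of each MASQUERADE rule. The script below is an added example, not from the original guide: it makes the same changes idempotently by asking iptables -C whether each rule already exists, and it assumes the guide’s two VPN subnets and eth0 as the egress interface (override with WAN_IF).

```shell
#!/bin/sh
# Added example (not part of the original guide): re-apply the forwarding and NAT
# settings from the install steps idempotently, so running it after a reboot or
# maintenance does not append duplicate MASQUERADE rules. Assumes the guide's
# subnets and eth0 as the egress interface (override with WAN_IF=...).
set -eu

WAN_IF="${WAN_IF:-eth0}"
# 10.8.0.0/24 is the easy-rsa server's client pool; 10.4.0.0/24 covers the
# 10.4.0.1 <-> 10.4.0.2 static-key tunnel.
VPN_NETS="10.8.0.0/24 10.4.0.0/24"

# nat_rule NET -> the rule spec (without -A/-C) for one VPN subnet
nat_rule() {
    echo "POSTROUTING -s $1 -o $WAN_IF -j MASQUERADE"
}

# ensure_rule NET -> append the MASQUERADE rule only if -C says it is absent
ensure_rule() {
    spec=$(nat_rule "$1")
    # word-splitting $spec into separate arguments is intended here
    if iptables -t nat -C $spec 2>/dev/null; then
        echo "present: $spec"
    else
        iptables -t nat -A $spec
        echo "added:   $spec"
    fi
}

# ensure_forwarding -> turn on IPv4 forwarding; it is not persisted by default
ensure_forwarding() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Touch the kernel only when explicitly asked ("apply") and only as root.
if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root: sudo sh $0 apply" >&2; exit 1; }
    modprobe iptable_nat
    ensure_forwarding
    for net in $VPN_NETS; do ensure_rule "$net"; done
fi
```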

Connecting to OpenVPN via Static Encryption 

While this method is easier to achieve than the easy-rsa method, it is less secure and only allows one connection to the VPN server at a time. Still, it’s a great option over other free VPN services.

  1. In the PuTTy Command Prompt, paste:
  • cd /etc/openvpn
  • sudo openvpn --genkey --secret ovpn.key
  • sudo nano openvpn.conf
  2. When the Nano text editor pops up, type the following configuration:

port 1194
proto tcp-server
dev tun1
ifconfig 10.4.0.1 10.4.0.2
status server-tcp.log
verb 3
secret ovpn.key

  3. Select CTRL+O to save followed by CTRL+X to exit
  4. In the PuTTy Command Prompt, type:
  • sudo service openvpn start
  • sudo chmod 777 ovpn.key
  5. Download WinSCP by following default installation prompts
  6. A prompt will ask you to import your server authentication details from PuTTy
  7. Select the one you made in earlier steps and click Edit
  8. Under username, type in ec2-user and hit Login
  9. In the right panel, scroll up and navigate to /etc/openvpn
  10. Select the ovpn.key file and drag it into a secure location
  11. In the PuTTy Command Prompt, type:
  • sudo chmod 600 ovpn.key
  12. Download OpenVPN according to your system specifics
  13. Move your ovpn.key into OpenVPN’s configuration folder (default is C:\Program Files\OpenVPN\config…)
  14. Open Notepad and paste the following:

proto tcp-client
remote yourEC2IPhere
port 1194
dev tun
secret "your pathway to OpenVPN config folder – see default above"
redirect-gateway def1
ifconfig 10.4.0.2 10.4.0.1

  15. Save the file in your OpenVPN config folder as myconfig.ovpn
  16. In your system tray, make sure OpenVPN isn’t running – close it if it is
  17. On your desktop, right click on OpenVPN and select Run as administrator
  18. Back in your system tray, right click on OpenVPN and select Connect
  19. If successful, the icon will turn green

Testing Your AWS VPN is Working

Verifying your success with Amazon Web Services VPN is extremely easy!

  1. Disconnect from your VPN
  2. Navigate to a website like www.ipchicken.com
  3. Jot down your IP address
  4. Exit out of the browser
  5. Reconnect to your VPN
  6. Open your browser and navigate back to www.ipchicken.com
  7. Compare your IP address from step 3 to the one displayed now
  8. If the IP addresses are different, you’re successfully using your homemade VPN! 

Create your own VPN server on Linux

If you are a Linux user and you want to create your own VPN, check out our how to set up a VPN server on Linux guide. We list the steps you need to take in order to create your own Linux VPN server.

Using Amazon Web Services to Create a VPN: A Summary

If you want the benefits of using a VPN without the monthly subscription fees, creating an Amazon VPN is a great option. Creating your own Amazon Web Service VPN is straightforward and easy – and despite being somewhat time consuming – it’s also completely worth it.

Written by: Sean McGrath

Sean McGrath is Editor of ProPrivacy.com. An experienced investigative journalist, writer and editor, he has worked for some of the world's best-known IT publications including the ComputerWeekly, PCPro, TechWeekEurope & InformationWeek. He regularly comments on industry matters for the likes of Forbes, Silicon, iTWire, Cyber Defense Magazine & Android Headlines.

5 Comments

Steve cummings
on August 22, 2019
It isn't really free. You incur bandwidth costs on Amazon, I had to pay 20 dollars
Michael Paccione
on November 13, 2018
So I followed this tutorial for basic SSH Tunneling exactly... using AWS Micro and SwitchySharp on Chrome. I get no internet when it is enabled. What's the deal?
douglas replied to Michael Paccione
on November 14, 2018
Hi Michael, Unfortunately, this article's author, Mandee, is no longer with us. When we have the time we will go through this article ourselves in order to check that the information in it is accurate.
Rodrigo Freitas
on June 15, 2018
The commands related to easy-rsa do not work anymore, since a new version of the software is in the epel repo right now, and the file structure is different. I am trying to install easy-rsa 2.0 from other repos so I can follow your tutorial, but no luck until now.
Mandee Rose replied to Rodrigo Freitas
on June 24, 2018
Hi Rodrigo, Sorry about that! We're currently working to update this article to include the correct commands for easy-rsa 3.0. In the meantime, easy-rsa 3.0 should still work when it comes to using OpenVPN - maybe this can help for the time being: https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto. Thanks for your patience and sorry again!
