Personal VPNs can be really useful in the following scenarios:

  • You want to secure your connection because you are using a free (and therefore untrusted) internet hotspot.
  • You want to access sites such as Google from countries that block them.
  • You want to use a service that is not available in your country because it applies an IP geolocation filter.

It is very easy to build such a system with AWS and OpenVPN Access Server.

Warning

Bypassing state-level blocking or a TV provider's restrictions can be forbidden in some countries. Note also that some providers filter datacenter IP ranges in order to prevent you from bypassing them. For example, in China I am using a simple L2TP/IPsec VPN hosted in my own home in Belgium. N…..x banned most of the IPs coming from OVH France but not the IPs from AWS. So depending on what you want to do, results can differ.

Note also that a micro EC2 instance is not free, but it is not very expensive either.

Starting an EC2

I assume that you already have an AWS account. The first step is to launch an EC2 instance from a pre-configured OpenVPN Access Server image, such as the one shown in the following screenshot.

[Screenshot: selecting the OpenVPN Access Server image]

Click on next and pick a t2.micro instance as shown below:

[Screenshot: instance type selection, t2.micro (24 September 2017)]

Click on the “Review and Launch” button. Associate a key pair or create a new one and you are done.

Configuring the EC2

I am using a Mac, so I connect to the EC2 instance from the standard Terminal application. If you have just downloaded the key pair, don't forget to restrict the permissions of the .pem file first with the following command; ssh refuses to use a private key that is readable by other users.

chmod 400 YOURPEMFILE.pem

Then connect to your instance using its public DNS name, which you will find in the AWS EC2 console. Note that this image uses openvpnas as the SSH user, not the usual ec2-user.

ssh -i YOURPEMFILE.pem openvpnas@YOURINSTANCEDNSNAME

Once connected, accept the licence and configure OpenVPN Access Server as shown below. Answer yes to routing both client traffic and client DNS through the VPN; otherwise only traffic to the VPC's private subnets would use the tunnel, and your DNS queries would still go to the hotspot's resolver.

Will this be the primary Access Server node?
(enter 'no' to configure as a backup or standby node)
> Press ENTER for default [yes]:

Please specify the network interface and IP address to be
used by the Admin Web UI:
(1) all interfaces: 0.0.0.0
(2) eth0: 172.31.38.160
Please enter the option number from the list above (1-2).
> Press Enter for default [2]: 1

Please specify the port number for the Admin Web UI.
> Press ENTER for default [943]:

Please specify the TCP port number for the OpenVPN Daemon
> Press ENTER for default [443]:

Should client traffic be routed by default through the VPN?
> Press ENTER for default [no]: yes

Should client DNS traffic be routed by default through the VPN?
> Press ENTER for default [no]: yes

Use local authentication via internal DB?
> Press ENTER for default [yes]:

Private subnets detected: ['172.31.0.0/16']
Should private subnets be accessible to clients by default?
> Press ENTER for EC2 default [yes]:

To initially login to the Admin Web UI, you must use a
username and password that successfully authenticates you
with the host UNIX system (you can later modify the settings
so that RADIUS or LDAP is used for authentication instead).
You can login to the Admin Web UI as "openvpn" or specify
a different user account to use for this purpose.
Do you wish to login to the Admin UI as "openvpn"?
> Press ENTER for default [yes]:

> Please specify your OpenVPN-AS license key (or leave blank to specify later):

When the wizard finishes, the terminal prints two URLs: one for the Admin Web UI (on port 943) and one for the Client Web UI. Before you open them, go to the instance's security group in the EC2 console and restrict inbound access to SSH (port 22) and the Admin Web UI (port 943) to your own IP address; only the OpenVPN daemon ports need to be reachable from anywhere.

The last step is to set a password for the openvpn user, which is the account you will use to log in to both web UIs. Since the Admin Web UI is reachable from the Internet, choose a strong one.

sudo passwd openvpn

Configuring your devices

The easiest way to configure your device is to log in to the Client Web UI with the openvpn user and download the connection profile from the interface as shown below. This is a .ovpn file that bundles the CA certificate, your client certificate and private key, and the server settings.

[Screenshot: Client Web UI profile download (24 September 2017)]

This .ovpn file can be used directly in most OpenVPN clients. I personally use Tunnelblick on the Mac and the OpenVPN client from the App Store on iOS.

Note that on iOS, the easiest way to configure the VPN is to first install the OpenVPN client, then send yourself the .ovpn file by e-mail and tap it on the device to open it with the client. Keep in mind that the profile embeds your client private key, so sending it by e-mail is not the safest way to transfer it, only the easiest.
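As an added example (not part of the original post), here is a small POSIX shell script that inspects a downloaded .ovpn profile before you copy it to a device: it lists the server endpoints the profile will connect to, confirms the CA, certificate and key are embedded inline, flags the embedded private key (the reason e-mailing the file is risky), and locks the file's permissions so other users on the machine cannot read it. The sample profile it writes is constructed with placeholder values shaped like an Access Server profile and contains no real key material; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: inspect an OpenVPN client
# profile (.ovpn) before moving it to another device.
# The sample profile is CONSTRUCTED with placeholder values shaped like an
# Access Server user-locked profile; it contains no real key material.

# Write the constructed sample profile to a temporary file and print its path.
write_sample_profile() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 1194 udp
remote 203.0.113.10 443 tcp
nobind
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERTIFICATE
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERTIFICATE
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-PRIVATE-KEY
-----END PRIVATE KEY-----
</key>
EOF
    printf '%s\n' "$tmp"
}

# Print "host port proto" for each remote directive ("-" if the line has no proto).
ovpn_remotes() {
    awk '$1 == "remote" { printf "%s %s %s\n", $2, $3, ($4 == "" ? "-" : $4) }' "$1"
}

# Succeed only if the profile is self-contained: inline <ca>, <cert> and <key> blocks.
ovpn_has_inline_blocks() {
    for tag in ca cert key; do
        grep -q "^<$tag>" "$1" && grep -q "^</$tag>" "$1" || return 1
    done
}

# Succeed if a PEM private key is embedded (true for Access Server user-locked profiles).
ovpn_embeds_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Succeed if group and other have no permission bits at all (e.g. mode 600).
ovpn_is_owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Restrict the profile to its owner and verify the result.
ovpn_lock() {
    chmod 600 "$1" && ovpn_is_owner_only "$1"
}

# Report on a profile. Exit status: 0 usable, 1 not self-contained,
# 2 embeds a private key but is readable by other users.
ovpn_check() {
    prof=$1
    echo "Endpoints in $prof:"
    ovpn_remotes "$prof" | sed 's/^/  /'
    if ! ovpn_has_inline_blocks "$prof"; then
        echo "Inline ca/cert/key: MISSING (profile is not self-contained)"
        return 1
    fi
    echo "Inline ca/cert/key: present"
    if ovpn_embeds_private_key "$prof"; then
        echo "Embedded private key: yes, transfer this file over a trusted channel only"
        if ! ovpn_is_owner_only "$prof"; then
            echo "WARNING: $prof is readable by other users; run: chmod 600 $prof"
            return 2
        fi
    fi
    return 0
}

# Stand-alone run: check the constructed sample as a browser would have saved it, then lock it.
sample=$(write_sample_profile)
chmod 644 "$sample"
ovpn_check "$sample" || echo "ovpn_check exit status: $?"
ovpn_lock "$sample" && echo "Locked: $(ls -l "$sample")"
rm -f "$sample"
```

Run it against the real profile with `ovpn_check ~/Downloads/client.ovpn` after sourcing the script; an exit status of 2 means the key is sitting world-readable in your downloads folder, and `ovpn_lock` fixes that before you copy it anywhere.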