Paul Hempshall

Website Cyber Security Professional

Setup a VPN using Amazon AWS FREE t2.micro instance

Published: December 14, 2016 4:29 pm

Guide

OpenVPN

This guide walks you through setting up and configuring a working VPN on Amazon's AWS free tier, the EC2 t2.micro instance. It is written for beginners who are using the Windows operating system. Those of you using Mac or Linux can skip step 2.b and use the built-in ssh command (and scp, the equivalent of pscp) from a terminal window instead.

These free micro instances have usage limits and are therefore not intended for downloading masses of data or for providing anonymity. Instead, one can provide a free way of securing sensitive connections, such as banking, when using public networks, whether you are travelling at home or abroad.

Please make sure you read and agree to the disclaimer at the beginning of this article before continuing.

Table of Contents

  1. Disclaimer
  2. Prerequisites
    a. Amazon AWS account
    b. PuTTY, PSCP & PuTTYGen
    c. OpenVPN client
  3. Creating the t2.micro instance
  4. Connecting to your t2.micro instance
  5. Configuring your t2.micro instance
  6. Using your new VPN
  7. Extra bits
  8. Limitations

Disclaimer

This how-to guide is intended for information and educational purposes only.

You are responsible for abiding by the terms and conditions of the Amazon AWS service and for monitoring your own AWS EC2 instance usage. You may want to read the limitations before you decide whether this is for you. You accept liability for your own actions and any incurred losses.

Prerequisites

To get started you will need to gather a few things.

Amazon AWS account

https://aws.amazon.com

If you already have an Amazon account you can log in with those credentials; if not, just sign up for a new account. To get started, click the big orange Sign In to the Console button at the top-right of the website, where you will be prompted to log in or create a new account.

PuTTY, PSCP & PuTTYGen

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

You will need to download a few programs to be able to connect to your AWS EC2 instance for the setup and configuration stage. Visit the link above to download PuTTY, PSCP & PuTTYGen. The required programs are highlighted in green boxes below:

PuTTY

OpenVPN client

Download the OpenVPN client software for your desired devices/systems.

Creating the t2.micro instance

Log in to your AWS account. Once logged in you should be greeted with a fairly overwhelming page full of links, the AWS Management Console.

In the top left, underneath Compute, select EC2 Virtual Servers in the Cloud (highlighted in the green box).

Creating-1

Then choose Launch Instance.

Creating-2

This guide is written for Ubuntu, so choose Ubuntu Server. Make sure it says Free tier eligible and then click Select.

Creating-3

Again choose the instance that states Free tier eligible, then in the tabs at the top of the page skip to 6. Configure Security Group. You can go through the other options in tabs 3, 4 and 5 if you want to explore, but bear in mind that most of those options cost money.

Creating-4

Make sure the security group is configured as below. Click on Add Rule to add a rule…

Type             Protocol  Port Range  Source
SSH              TCP       22          Anywhere 0.0.0.0/0
Custom UDP Rule  UDP       1194        Anywhere 0.0.0.0/0

The Custom UDP Rule is the rule for the OpenVPN server, so its Source must stay at Anywhere 0.0.0.0/0. To improve security you can set the SSH rule's Source to your home IP address. This ensures that only your home IP address can reach the SSH port for logging in and configuring. The drop-down box has a 'My IP' option which you can use for this.

If you want to give the security group a name and description this is the opportunity to do so, then when you are ready click on Review and Launch.

Creating-5

Confirm the details and then click Launch.

Note: It will complain about your security group regardless of whether you set the SSH source to Anywhere or My IP. This is because the OpenVPN port, Custom UDP Rule 1194 is open to the world which you will need when connecting from unknown public networks.

Creating-6

You will now be asked about a key pair.

In the drop down box select Create a new key pair and then give it a name, I called it vpn. Then click Download Key Pair.

You will want to keep this file safe as it contains your private key that is used to login to your instance.

When you are ready click Launch Instance. After a bit of page spinning and loading you will see a ‘Launch Status’ page. From here click on the blue View Instances button to get you ready for the next stage, Connecting to your t2.micro instance.

Creating-7

Connecting to your t2.micro instance

If you are using Linux or Mac then I recommend you click the Connect button next to the blue Launch Instance button at the top of the page. From there it will explain how to connect via the terminal ssh commands. Otherwise, Windows users using PuTTY can follow the instructions below.

If you followed the last step in the previous section you should see a screen like this one. You will need to take note of the Public IP address for your instance.

Connecting-1

You will need to convert the AWS .pem key file to PuTTY .ppk format. Do this with PuTTYGen.

Open up PuTTYGen, click Load and locate your AWS .pem file. You will need to click on the drop down in the open file dialog box and select All files.

Connecting-2

Once you have loaded your .pem key file and clicked the confirmation box you should see something like this.

Make sure the parameters are correct:
- Type of key to generate: SSH-2 RSA
- Number of bits in a generated key: 2048

Then click Save private key. Make sure the file type is PuTTY Private Key Files (.ppk).

Setting a password (key passphrase) is optional, but it protects the key should you lose the file. However, it slows down logging in because you have to type the password each time. If you do not set a password you will be prompted to confirm when saving the private key; simply confirm this and move on.

Connecting-3

Now you have converted your .pem file to PuTTY .ppk format you are almost ready to connect.

Load up PuTTY and input your AWS instance Public IP address into the Host Name box. Make sure Port is set to 22 and Connection type is SSH.

Connecting-4

Finally you load your .ppk key file.

Navigate the tree and expand SSH then click on Auth. Click Browse and find your newly converted .ppk file.

Optionally you may want to save your session for ease of connecting at a later date. Do this by navigating the tree and at the top click Session. From there you can type in a session name and click Save. This is located underneath the Host Name details as pictured in the previous step.

Once you are ready, click Open.

Connecting-5

When you first connect, PuTTY will not recognise the server's host key (the key pair the server generated when it first booted), so it will show a security warning about an unknown key. Before you click Yes, confirm that the key belongs to the server you intend to connect to; this check is what prevents man-in-the-middle attacks.

Go back to your AWS console and click Actions, followed by Instance Settings and then Get System Log.

Connecting-6

Scroll down to the bottom of the system log, where it shows something similar to this, and make sure the RSA fingerprint in the PuTTY alert matches the Host Key RSA fingerprint in the log.

Once confirmed, click Yes.

Connecting-7
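Rather than comparing the two fingerprints by eye, this added example (written for this edit, not part of the original guide) pulls the RSA fingerprint out of the system-log text and compares it with the one PuTTY shows. The log block and every fingerprint in it are constructed, in the colon-separated MD5 style that 2016-era PuTTY and cloud-init display.

```shell
#!/bin/sh
# Added example (not from the original guide): check the RSA host-key
# fingerprint shown in PuTTY's warning against the one in the EC2 system log,
# so the comparison is done on the right key type and not eyeballed.

# Constructed sample of the fingerprint block cloud-init prints on first boot;
# every fingerprint here is made up for illustration.
SAMPLE_LOG='ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 1024 3e:1d:5c:9a:00:b2:77:41:6c:8f:12:aa:d4:e5:96:07  root@ip-172-31-20-15 (DSA)
ec2: 256 c1:0f:8b:2e:77:91:3d:4a:ee:10:6b:a2:59:f3:07:cd  root@ip-172-31-20-15 (ECDSA)
ec2: 2048 9f:4b:e2:7a:13:c6:88:05:d1:2e:aa:40:6f:b9:3c:71  root@ip-172-31-20-15 (RSA)
ec2: -----END SSH HOST KEY FINGERPRINTS-----'

# Print the first MD5-style fingerprint (16 colon-separated hex pairs) found in
# the text on stdin, lower-cased; print nothing if there is none.
extract_fingerprint() {
    grep -o '[0-9a-fA-F][0-9a-fA-F]\(:[0-9a-fA-F][0-9a-fA-F]\)\{15\}' \
      | head -n 1 | tr 'A-F' 'a-f'
}

# Read system-log text on stdin and print only the RSA key's fingerprint,
# ignoring the DSA/ECDSA lines that sit next to it.
log_rsa_fingerprint() {
    grep '(RSA)' | extract_fingerprint
}

# $1: the text PuTTY shows (e.g. "ssh-rsa 2048 9f:4b:..."), $2: system-log text.
# Return 0 only when both contain a fingerprint and the RSA ones are equal.
fingerprint_matches() {
    shown=$(printf '%s\n' "$1" | extract_fingerprint)
    logged=$(printf '%s\n' "$2" | log_rsa_fingerprint)
    [ -n "$shown" ] && [ -n "$logged" ] && [ "$shown" = "$logged" ]
}

# Example run against the constructed log. On a real instance, paste the
# "Get System Log" output into a file and pass "$(cat system.log)" as $2.
if fingerprint_matches "ssh-rsa 2048 9F:4B:E2:7A:13:C6:88:05:D1:2E:AA:40:6F:B9:3C:71" "$SAMPLE_LOG"; then
    echo "RSA host key fingerprint matches the system log"
else
    echo "MISMATCH: do not accept this host key"
fi
```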

Once connected you can log in as user ubuntu.

If you see this screen, congratulations, the easy bit is finished… now come the fun bits.

Connecting-8

Configuring your t2.micro instance

Now that you are logged in it's time to configure the system. You can type the commands or copy/paste them. If you copy/paste them, make sure that you do not copy a trailing newline, otherwise the command executes automatically before you can check the input. Another thing you will need to know is how to paste into PuTTY: click the right mouse button, not CTRL+V.

The first thing you will need to do is become root (enable god mode).

sudo su

Configuring-1

Next we will gather updates and download upgrades for the system. This can take a few minutes to complete so it’s best to grab a drink while you wait.

apt-get update && apt-get -y upgrade

Then install the packages we need.

apt-get -y install openvpn easy-rsa

After updating and installing the packages your screen should look something like this:

Configuring-2

Let's configure automatic updates so that we can make sure all security patches are installed regularly.

dpkg-reconfigure -plow unattended-upgrades

You should be greeted with a screen like this. Use the left-right arrow keys to select Yes (selected options are red). Press Enter and you should be returned to the terminal.

Configuring-3

Now we will create and configure the OpenVPN config file. We will be using the sed command to update the config file by searching for a pattern and then changing it. Later on in this tutorial we will jump into using the vi text editor to change some files.

First we copy over the example template:

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

Then change the Diffie-Hellman key size from 1024 bits to 2048 bits:

sed -i 's/^dh dh1024.pem/dh dh2048.pem/' /etc/openvpn/server.conf

Push the redirect-gateway option so that all of the client's traffic is routed through the VPN (bypass-dhcp keeps the client's local DHCP server reachable):

sed -i 's/^;push "redirect-gateway def1 bypass-dhcp"/push "redirect-gateway def1 bypass-dhcp"/' /etc/openvpn/server.conf

Push both OpenDNS servers to clients as their DNS resolvers, so name lookups also go through the tunnel:

sed -i 's/^;push "dhcp-option DNS 208.67.222.222"/push "dhcp-option DNS 208.67.222.222"/' /etc/openvpn/server.conf
sed -i 's/^;push "dhcp-option DNS 208.67.220.220"/push "dhcp-option DNS 208.67.220.220"/' /etc/openvpn/server.conf

Then have OpenVPN drop its privileges to the user nobody:

sed -i 's/^;user nobody/user nobody/' /etc/openvpn/server.conf

And to the group nogroup:

sed -i 's/^;group nogroup/group nogroup/' /etc/openvpn/server.conf

By now your screen should look like this:

Configuring-4

Enable forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward
sed -i 's/^#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf

Configure the firewall:

Allowing SSH:

ufw allow ssh

Allow port 1194/udp for OpenVPN:

ufw allow 1194/udp

Allow forwarding:

sed -i 's/^DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw

Configuring NAT:

Note: If you are typing out the commands, press the Enter key after the double backslashes \\ to go to a new line, which should show as > on the terminal.

sed -i "10 a\\
# START OPENVPN RULES\\
# NAT table rules\\
*nat\\
:POSTROUTING ACCEPT [0:0]\\
# Allow traffic from OpenVPN client to eth0\\
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE\\
COMMIT\\
# END OPENVPN RULES\\
" /etc/ufw/before.rules

Note: the default server.conf hands out addresses from 10.8.0.0/24, so the /8 mask above masquerades far more than the VPN clients; if you keep the default subnet you can tighten the rule to 10.8.0.0/24. Also, the command inserts after line 10 of before.rules, so run it only once, or you will end up with two *nat tables in the file.
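As an added check (example code written for this edit, not the guide's own script), the following applies the same sed insertion to a constructed copy of before.rules and verifies that the NAT table lands in a usable place. It narrows the source to OpenVPN's default 10.8.0.0/24 and assumes GNU sed as found on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original guide): insert the NAT block into a
# copy of before.rules the way the guide does, then check the result.
# Assumes GNU sed. Subnet narrowed to OpenVPN's default 10.8.0.0/24.

# Constructed stand-in for the top of a stock before.rules: ten header lines
# followed by the *filter table, which is what "insert after line 10" relies on.
SAMPLE_BEFORE_RULES='#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# Do not delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
COMMIT'

# Insert the NAT table after line 10 of the file named in $1 (guide's sed form).
add_openvpn_nat_rules() {
    sed -i "10 a\\
# START OPENVPN RULES\\
# NAT table rules\\
*nat\\
:POSTROUTING ACCEPT [0:0]\\
# Allow traffic from OpenVPN client to eth0\\
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE\\
COMMIT\\
# END OPENVPN RULES\\
" "$1"
}

# Return 0 when $1 holds exactly one *nat table, that table is closed by COMMIT
# before *filter begins (a repeated run or a wrong line number breaks this),
# and the MASQUERADE rule is present.
check_nat_rules() {
    f="$1"
    [ "$(grep -c '^\*nat' "$f")" -eq 1 ] || return 1
    nat_line=$(grep -n '^\*nat' "$f" | cut -d: -f1)
    filter_line=$(grep -n '^\*filter' "$f" | cut -d: -f1)
    commit_line=$(awk -v s="$nat_line" 'NR > s && /^COMMIT$/ { print NR; exit }' "$f")
    [ -n "$commit_line" ] && [ -n "$filter_line" ] && [ "$commit_line" -lt "$filter_line" ] || return 1
    grep -q '^-A POSTROUTING -s 10\.8\.0\.0/24 -o eth0 -j MASQUERADE$' "$f"
}
```

On the instance, run check_nat_rules /etc/ufw/before.rules after the sed command (adjusting the grep if you kept the /8 mask); a non-zero exit means the file needs a look before ufw enable.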

Finally, enable the firewall and answer y to the question that follows:

ufw enable

You should be seeing a screen like this now:

Configuring-5

Now it’s time to set up the server Certificate Authority (CA) so that you can generate and authenticate keys.

First we will gather and create the necessary files.

cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys

Now we will jump into the text editor, vi. Before you get started with this there are some things you need to be aware of. You cannot just type into the file; you first have to trigger commands:

  1. To insert new text, press i and then type your desired text
  2. To finish inserting text (or to finish any other triggered command), press Escape
  3. To close the file and save changes, press : (that is, Shift + ;) then type wq and press Enter
  4. To close the file without saving, press : (that is, Shift + ;) then type quit! and press Enter
  5. Navigate the file with the arrow keys: ← → ↑ ↓

We will be editing the certificate details to personalize them to our identity (not required, but it makes confirming certificates a little easier).

vi /etc/openvpn/easy-rsa/vars

Scroll down with the arrow keys to find a section that looks like this:

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="[email protected]"
export KEY_OU="MYOrganizationalUnit"

Edit these to suit your needs. Remember, to edit, press i and then type in your required text.

Next, in the same file, below the above section you should see this line:

export KEY_NAME="EasyRSA"

Change this to (this is the same name as the default OpenVPN configuration):

export KEY_NAME="server"

Once you are done with the editing, press the Escape key, then press : (Shift + ;) and type wq. Hit Enter to save and close the file.

Configuring-6

Next, we will generate the Diffie-Hellman parameters, build the CA, the server key and a client key, and then finally copy over your new files.

openssl dhparam -out /etc/openvpn/dh2048.pem 2048

cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
./build-ca

./build-key-server server

cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn

./build-key client1
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn

Extra bits

So you now have your VPN server set up, configured and working well, but you'd rather have a more memorable name for connecting instead of the IP address that AWS provides.

If you already have a domain name, create a subdomain through your registrar by adding a new A record under the DNS options and pointing it at the AWS IP address. If you do not have a domain name, grab yourself a free 'No-IP' style domain name and point that at the AWS IP address.

Doing this will make it easier when you want to connect. You will not have to remember the IP address of your AWS instance, just the domain name that points to the IP instead.

No-IP: http://www.noip.com/free

Shell Setup Script

#!/bin/bash
###############################################################################
#                                                                             #
# Amazon AWS EC2 t2.micro OpenVPN setup and configuration script              #
#                                                                             #
###############################################################################

# turning on god mode
# Note: "sudo su" inside a script opens an interactive shell and the rest of
# the script would not run until that shell exits, so re-run as root instead.
echo "# turning on god mode"
if [ "$(id -u)" -ne 0 ]; then
    exec sudo bash "$0" "$@"
fi

# update system and install prerequisite packages
echo "# update system and install prerequisite packages"
apt-get update && apt-get -y upgrade
apt-get -y install openvpn easy-rsa

# copy default openvpn config example and configure
echo "# copy default openvpn config example and configure"
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
sed -i 's/^dh dh1024.pem/dh dh2048.pem/' /etc/openvpn/server.conf
sed -i 's/^;push "redirect-gateway def1 bypass-dhcp"/push "redirect-gateway def1 bypass-dhcp"/' /etc/openvpn/server.conf
sed -i 's/^;push "dhcp-option DNS 208.67.222.222"/push "dhcp-option DNS 208.67.222.222"/' /etc/openvpn/server.conf
sed -i 's/^;push "dhcp-option DNS 208.67.220.220"/push "dhcp-option DNS 208.67.220.220"/' /etc/openvpn/server.conf
sed -i 's/^;user nobody/user nobody/' /etc/openvpn/server.conf
sed -i 's/^;group nogroup/group nogroup/' /etc/openvpn/server.conf

# enable forwarding
echo "# enable forwarding"
echo 1 > /proc/sys/net/ipv4/ip_forward
sed -i 's/^#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf

# configure firewall
echo "# configure firewall"
ufw allow ssh
ufw allow 1194/udp
sed -i 's/^DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
# insert the NAT table after line 10 of before.rules (run this script once only)
sed -i "10 a\\
# START OPENVPN RULES\\
# NAT table rules\\
*nat\\
:POSTROUTING ACCEPT [0:0]\\
# Allow traffic from OpenVPN client to eth0\\
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE\\
COMMIT\\
# END OPENVPN RULES\\
" /etc/ufw/before.rules
ufw --force enable

# build cert authority
echo "# build cert authority"
cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys

# Edit the certificate details by hand before the keys are built:
#   vi /etc/openvpn/easy-rsa/vars
# The variables below should be changed according to your preference.
#
# export KEY_COUNTRY="US"
# export KEY_PROVINCE="TX"
# export KEY_CITY="Dallas"
# export KEY_ORG="My Company Name"
# export KEY_EMAIL="[email protected]"
# export KEY_OU="MYOrganizationalUnit"
#
# In the same vars file, also edit the one line shown below. For simplicity,
# we will use server as the key name. If you want to use a different name, you
# would also need to update the OpenVPN configuration files that reference
# server.key and server.crt.
# export KEY_NAME="server"

openssl dhparam -out /etc/openvpn/dh2048.pem 2048

cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
./build-ca

./build-key-server server

cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn

./build-key client1
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn

Limitations

The AWS Free Tier has certain limitations, such as CPU, Hard Drive and Bandwidth usage. If you exceed these you will be charged accordingly. The AWS Free Tier is only available for one year after registration of new accounts.

With the CPU and Hard Drive limitations you generally do not have to worry as Amazon provide enough ‘free hours’ to sustain a VPN server, however it is the bandwidth limitations you will need to keep in mind. As of the time of writing this how-to guide the monthly free allocation of bandwidth is set to 10GB. This is why I recommend that you do not use this VPN as a vessel for downloading and only use it for securing sensitive connections, such as banking, while using an insecure public network.

Read more about it at the AWS website: https://aws.amazon.com/free/