How to Create a VPN Server on AWS EC2: A Step-by-Step Guide

Ashutosh Singh - August 26, 2024

Setting up your own VPN (Virtual Private Network) server can offer enhanced privacy, secure connections, and the ability to bypass geo-restrictions. AWS EC2 provides an excellent platform to create a scalable, reliable VPN server. In this guide, we’ll walk through the process of creating a VPN server on AWS EC2.


Prerequisites

Before we dive in, make sure you have the following:

  • An AWS account.
  • Basic knowledge of AWS EC2 and SSH.

Step 1: Launch an EC2 Instance

  1. Log in to AWS Management Console: Navigate to the AWS EC2 dashboard.
  2. Launch an Instance: Click on “Launch Instance” to create a new EC2 instance.
  3. Choose an Amazon Machine Image (AMI): Select the Ubuntu Server (preferably the latest LTS version) for stability and security.
  4. Choose an Instance Type: The t2.micro instance (with free tier eligibility) is sufficient for a personal VPN server.
  5. Configure Instance:
  • Default settings should work fine.
  • Ensure you allow HTTP and HTTPS traffic in the security group settings, along with the default SSH access.
  1. Add Storage: The default 8 GB should be enough, but you can increase it if needed.
  2. Add Tags: (Optional) Add tags to help you identify your instance.
  3. Configure Security Group: Create a new security group:
  • Allow SSH (port 22).
  • Allow OpenVPN traffic by adding a custom UDP rule for port 1194.
  • Allow HTTP (port 80) and HTTPS (port 443) if you plan on using web services on the VPN server.
  1. Review and Launch: Review your settings and launch the instance. Make sure to create a new key pair or use an existing one for SSH access.

Step 2: Connect to Your EC2 Instance

Once the instance is running:

  1. Connect via SSH:
ssh -i your-key.pem ubuntu@your-ec2-public-ip
  1. Replace your-key.pem with your private key file and your-ec2-public-ip with the public IP of your EC2 instance.

Step 3: Install and Configure OpenVPN

  1. Update Your System:
sudo apt-get update && sudo apt-get upgrade -y
  1. Install OpenVPN:
sudo apt-get install openvpn -y
  1. Install Easy-RSA for Key Management:
sudo apt-get install easy-rsa -y
  1. Set Up the Certificate Authority (CA):
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
  1. Customize the CA Variables:
  • Edit the vars file:
nano vars
  • Update the following lines with your information:
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="MyVPN"
export KEY_EMAIL="[email protected]"
export KEY_OU="MyVPN"
export KEY_NAME="server"
  1. Build the CA:
source vars
./clean-all
./build-ca
  1. Generate Server Certificates and Keys:
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key
  1. Generate Client Certificates:
./build-key client1
  1. Configure the OpenVPN Server:
  • Copy the sample configuration file:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
cd /etc/openvpn/
sudo gunzip server.conf.gz
sudo nano server.conf
  • Adjust the settings in the server.conf file:
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0
cipher AES-256-CBC
user nobody
group nogroup
  1. Enable IP Forwarding:
sudo nano /etc/sysctl.conf
  • Uncomment the line:
net.ipv4.ip_forward=1
  • Apply the changes:
sudo sysctl -p
  1. Configure NAT with iptables:
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
sudo apt-get install iptables-persistent
sudo netfilter-persistent save
sudo netfilter-persistent reload
  1. Start the OpenVPN Server:
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server

Step 4: Connect to Your VPN

  1. Transfer Client Configurations:
  • Download the client certificate (client1.crt), key (client1.key), and the ca.crt file to your local machine.
  • Create a client configuration file (client.ovpn):
client
dev tun
proto udp
remote your-ec2-public-ip 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
cipher AES-256-CBC
  1. Use a VPN Client:
  • Use OpenVPN client software on your local machine and import the client.ovpn file.
  • Connect to your new VPN server.

Step 5: Secure Your VPN

  • Update Firewall Rules: Limit access to your VPN server by configuring firewall rules in AWS Security Groups.
  • Regular Updates: Regularly update your Ubuntu instance to ensure security patches are applied.


Conclusion

Congratulations! You’ve successfully set up a VPN server on AWS EC2. This setup provides you with a secure and private connection to the internet, ideal for protecting your data and bypassing network restrictions. Remember to monitor your EC2 instance and apply updates regularly to maintain security.