I decided to create this guide while traveling from the U.S. to Germany. I could not find a single comprehensive reference that documents the process of properly provisioning an AWS EC2 OpenVPN instance, configuring OpenVPN, and using the VPN server from Windows (10.0.17763.379) and iOS (12.2).
This document is current as of March 31st, 2019 (UK trip). I doubt I will update it very often, probably only when I need to travel and want a VPN.
AWS EC2 Instance Creation and Configuration
The documentation from OpenVPN is pretty good for this section. As my documentation ages, no doubt the OpenVPN docs will be more accurate. There is also some good information from the listed EnvyAndroid site. I assume the reader has a basic understanding of AWS EC2.
- Log into the AWS Console and select the region in which you want to host the instance (e.g., EU London).
- Launch a new instance in the region of your choice. I recommend making it as local to your physical location as possible in order to have a fast connection. However, you may instead want to pick a region that makes you appear to be somewhere else (for things like Netflix); the choice is up to you.
- Launch an instance and select Community AMIs.
- Select the current OpenVPN AMI. You can get the AMI ID from the Quick Start URL.
- https://docs.openvpn.net/how-to-tutorialsguides/virtual-platforms/amazon-ec2-appliance-ami-quick-start-guide/
- Select Amazon Web Services EC2 BYOL appliance quick start guide. If you do not provide a license key, the Access Server goes into a type of demonstration mode where all functions are available without time limit, but only 2 simultaneous VPN connections can be made at a time. To unlock more connections, you need to purchase and activate a license key on your Access Server installation.
- Alternatively, select Amazon Web Services EC2 tiered appliance quick start guide, and select a paid tier that meets your needs.
- Accept the default size (t2.micro). This should be fine for personal VPN, and keeps things free.
- For configuration, nothing really needs to be changed from the defaults. I will just list the things I changed.
- Subnet: Select whatever you want. You may want to create multiple servers in different subnets for high-availability at some point.
- Protect against accidental termination: I like to enable this because I am often too aggressive in my clean-up routine.
- User Data: You can configure OpenVPN via User Data (under Advanced Details) as a test, if you so choose. You can also configure OpenVPN later; it is your choice. Here is an example:
- public_hostname=test_vpn (we will change this later)
- admin_user=openvpn
- admin_pw=Passw0rd (example only; use a strong password of your own)
- reroute_gw=1
- reroute_dns=1
- Select Add Storage.
- Storage: 8GB of magnetic storage is default. I went with 16GB and kept it magnetic.
- Tags: I like to add a name tag. In this example, Example OpenVPN Server.
- Security Group: Create an OpenVPN security group as documented in the Quick Start Guide. It needs to allow the following (feel free to change the Source as you see fit).
- TCP 22 Anywhere (0.0.0.0/0)
- TCP 443 Anywhere (0.0.0.0/0)
- TCP 943 Anywhere (0.0.0.0/0)
- UDP 1193 Anywhere (0.0.0.0/0)
- Review and Launch. I launch with a keypair. The instance will spin up relatively fast.
- Optional: Elastic IP is cool, but it is not free. The cost is low, but there is a cost (my 2 week trip cost me $1.57). Go to Elastic IP and allocate a new address. The Quick Start Guide is a good reference, but this is really simple. This step is technically not necessary, but is recommended. The Elastic IP never changes; you keep it for as long as you hold the allocation. You can associate it with any instance you want, so you can terminate and create new instances as needed and always have the same IP for your VPN server.
- Click Allocate a new address.
- Click Allocate.
- Select the new elastic IP and click the Actions pull-down.
- Resource Type: Instance
- Instance: select the Instance ID of the instance you just created
- Private IP: select the IP of the instance (there is only one)
- Click Associate
- Via the AWS Console:
- Select your instance.
- Note the Public DNS name (listed above the Description, Status Check, etc., tabs). It will look something like:
ec2-x-x-x-x.eu-central-1.compute.amazonaws.com
- Right-click the instance, select Networking, and select Change Source/Dest. Check. Click Yes, disable.
Connecting to OpenVPN Server
- Log in via SSH (remember to use the Elastic IP, if you created one), using the Quick Start Guide as a reference. Here is a summary:
- Via puttygen.exe (http://www.putty.org/), import your Amazon key (.pem) and export it to a private .ppk file (putty.exe needs the .ppk file). If you use a key passphrase, store it in a secure location (LastPass, etc.). If you don't use a passphrase, you will not be prompted for a password in 1b (I assume; I always use a passphrase).
- The default key type of RSA 2048 is probably fine, but make it whatever value you want.
- Click Save private key.
- Run putty.exe, configuring it as documented in the Quick Start Guide. The important parts to configure are Host Name (or IP), and pointing to your .ppk file in the SSH/Auth section. You will log in with the openvpnas (note the as at the end) account and your key passphrase as the password.
Initial OpenVPN Server Configuration
I have had mixed results here. Sometimes I am prompted to configure OpenVPN on first login, sometimes not. I opt to reconfigure regardless; simply run sudo ovpn-init --ec2 if you are not prompted. Accept the defaults except for the first one (EULA agreement, type yes). The Quick Start Guide explains all the various settings. I am unsure if the defaults are determined by the User Data field or are truly default (I use User Data), so just in case, here is a summary of my defaults to use as a reference:
- Please enter 'yes' to indicate your agreement [no]: yes
- Will this be the primary Access Server node?
(enter 'no' to configure as a backup or standby node)
> Press ENTER for default [yes]: yes
- Please specify the network interface and IP address to be used by the Admin Web UI:
(1) all interfaces: 0.0.0.0
(2) eth0: 172.31.44.139
Please enter the option number from the list above (1-2).
> Press Enter for default [2]: <Enter>
- Please specify the port number for the Admin Web UI.
> Press ENTER for default [943]: <Enter>
- Please specify the TCP port number for the OpenVPN Daemon
> Press ENTER for default [443]: <Enter>
- Should client traffic be routed by default through the VPN?
> Press ENTER for default [no]: yes
- Should client DNS traffic be routed by default through the VPN?
> Press ENTER for default [no]: yes
- Use local authentication via internal DB?
> Press ENTER for default [yes]: <Enter>
- Should private subnets be accessible to clients by default?
> Press ENTER for EC2 default [yes]: <Enter>
- To initially login to the Admin Web UI, you must use a username and password that successfully authenticates you with the host UNIX system (you can later modify the settings so that RADIUS or LDAP is used for authentication instead).
You can login to the Admin Web UI as "openvpn" or specify a different user account to use for this purpose.
Do you wish to login to the Admin UI as "openvpn"?
> Press ENTER for default [yes]: <Enter>
- > Please specify your OpenVPN-AS license key (or leave blank to specify later): <Enter>
- You can always re-configure OpenVPN by running the command:
sudo ovpn-init --ec2
- Change the timezone (optional; set it to whatever you like):
sudo dpkg-reconfigure tzdata
- Disable the bootstrap account (optional). I did not bother.
- Update the system using the following commands:
sudo apt-get update && sudo apt-get upgrade
(answer Y to the various questions, if prompted)
- If desired, change the password of the openvpn account.
sudo passwd openvpn
- Reboot.
sudo reboot
OpenVPN Client Installation
- Download and install the OpenVPN client on your Windows system. Accept the defaults.
- Install the OpenVPN client for iOS from the App Store.
OpenVPN Admin UI and Web UI
You are almost done. There are just a few final tweaks to make to OpenVPN Access Server, and they can all be done via the web interfaces.
- Log in to the admin UI (https://<IP>/admin/ - note the https) using the name and password defined in the User Data or OpenVPN configuration. There are several things you will want to configure.
- Configuration / TLS Settings: Change the OpenVPN and Web Server settings to TLS 1.2 only.
- Configuration / Network Settings: Change the Hostname to the public DNS name you noted in 3b of AWS EC2 Instance Creation and Configuration.
- Configuration / Advanced VPN: Change the server and client configs to use AES 256:
cipher AES-256-CBC
- User Management / User Permissions: Create a new user with just the Allow Auto-login right. Once created, click Show and set the password. This is the account you will use to access OpenVPN from your Windows and iOS devices. This is also documented on the EnvyAndroid primer listed under Other References.
- Logout.
- From your Windows system, browse to the web UI (https://<IP>/ - note the https).
- Log in with the user account and password used in 1d (above). Next to Go, select Login.
- Save the .ovpn file. You can select either the Yourself (user locked profile) or the Yourself (autologin profile), depending on whether or not you want to use credentials.
- You now have two choices: you can either copy the .ovpn file to %ProgramFiles%\OpenVPN\config\, or you can bring up the OpenVPN GUI and import the .ovpn file (which merely puts it into %USERPROFILE%\OpenVPN\config\ by default; this can be changed). The user profile location is fine if you have multiple people using your system and each wants their own VPN servers/accounts. However, if only you use the machine, or if people will share the OpenVPN servers/accounts, it is easier to just put the .ovpn files into the application directory.
- You can now connect using the OpenVPN client. If you selected an autologin profile, you will not get prompted for a user or password; if you selected a locked profile, you will get prompted for a user and password.
- On your iOS device, browse to the web UI (https://<IP>/ - note the https) using Safari. Do not use Firefox, because Firefox does not know how to associate the .ovpn file with OpenVPN.
- Log in with the user account and password used in 1d (above). Next to Go, select Login.
- Save the .ovpn file. You can select either the Yourself (user locked profile) or the Yourself (autologin profile), depending on whether or not you want to use credentials.
- Select Open in OpenVPN.
- You can now connect using the OpenVPN client. If you selected an autologin profile, you will not get prompted for a user or password; if you selected a locked profile, you will get prompted for a user and password.
Reference for the iOS steps: http://accc.uic.edu/answer/how-do-i-configure-and-use-openvpn-iphone-and-ipad
- There are other ways of getting the .ovpn file to your iOS device, but many suck. The one above is by far the easiest. Another easy one is to drop the file onto your device via Explorer and iTunes (I have not tested this recently). You can also get the file to your iOS device via all manner of secure and insecure processes (email, SMS text, Dropbox, whatever); bear in mind that an autologin profile connects without a password, so the file itself is the credential and deserves a secure channel.
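As an added check (not from this guide or from OpenVPN), the Python script below parses an exported .ovpn profile and reports whether it is an autologin profile that embeds the private key, and whether its cipher and TLS minimum match the AES-256-CBC and TLS 1.2 settings made in the Admin UI above. The sample profile text is constructed, with PLACEHOLDER in place of real key material and vpn.example.invalid as a made-up hostname.

```python
import re

# Constructed sample profile (not a real export): the shape OpenVPN Access Server
# emits, with PLACEHOLDER standing in for the real PEM bodies; <ca>/<cert> omitted.
SAMPLE_AUTOLOGIN = """\
client
dev tun
proto udp
remote vpn.example.invalid 1193 udp
cipher AES-256-CBC
tls-version-min 1.2
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----
</key>
"""
# A user-locked profile embeds the same key material but also demands a login;
# a weaker cipher is swapped in so the check has something to flag.
SAMPLE_USER_LOCKED = SAMPLE_AUTOLOGIN.replace(
    "cipher AES-256-CBC", "auth-user-pass\ncipher AES-128-CBC")

INLINE_BLOCK = re.compile(r"<(\w+)>(.*?)</\1>", re.S)


def check_profile(text):
    """Parse an .ovpn profile and report what matters before handing it around."""
    blocks = {m.group(1): m.group(2) for m in INLINE_BLOCK.finditer(text)}
    # An inline <key> block is the client's private key: the file itself grants access.
    embeds_key = "PRIVATE KEY-----" in blocks.get("key", "")
    directives = {}
    for line in INLINE_BLOCK.sub("", text).splitlines():
        parts = line.split("#")[0].split()  # directive name, then its arguments
        if parts:
            directives[parts[0]] = parts[1:]
    autologin = embeds_key and "auth-user-pass" not in directives
    cipher_ok = directives.get("cipher") == ["AES-256-CBC"]
    tls12_min = float(directives.get("tls-version-min", ["1.0"])[0]) >= 1.2
    warnings = []
    if autologin:
        warnings.append("profile alone connects: treat the file as a credential")
    if not cipher_ok:
        warnings.append("cipher is not the AES-256-CBC set under Advanced VPN")
    if not tls12_min:
        warnings.append("tls-version-min is below 1.2")
    return {"embeds_private_key": embeds_key, "autologin": autologin,
            "cipher_ok": cipher_ok, "tls12_min": tls12_min, "warnings": warnings}
```

Run check_profile() on the file you downloaded from the web UI before mailing or syncing it anywhere; a non-empty warnings list tells you what to fix or how carefully to handle the file.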
Things to Investigate:
- Investigate setting up a fault-tolerant cluster of OpenVPN servers in different AZs, using a single Elastic IP to reach the cluster.
- Investigate the VPN-on-Demand stuff (see below).
Other References
- Amazon documentation on using PuTTY:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html?icmpid=docs_ec2_console
- EnvyAndroid primer:
- OpenVPN starter page:
https://openvpn.net/index.php/access-server/cloudmachines/513-access-server-amazon-vpc.html
- OpenVPN Connect iOS FAQ:
https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html
- Python scripts to get the .ovpn file (I never needed these, but they seem cool):
https://gist.github.com/Justasic/908ef5f4fa162f15b3b8
https://vpsboard.com/threads/how-do-i-create-an-openvpn-file.2123/
- VPN-on-Demand info:
https://docs.openvpn.net/docs/access-server/openvpn-access-server-command-line-tools.html