Let's setup a VPN server, for free, on AWS, under 5 min 😱🀯πŸ”₯

Yaser Adel Mehraban on August 21, 2019

Sometimes you want to connect to internet without someone watching you. This can be due to restrictions applied by governments, ISPs, etc. Maintain... [Read Full]
markdown guide
 

Cool idea! Are there bandwidth limitations?

Also note, while you're anonymous from private citizens, governments can still obtain Amazon records and associate your Amazon account with your web traffic with this solution.

 

Yea

But, I guess the point of this article is that you can do the same with a hard-to-associate server (like bitcoin bought one)

 

That's true, but there are ways to get around that now that you're in full control.

 

I've got a question if you don't mind (I couldn't find a detailed answer by googling):

Is there any difference when I connect to VPN via client app vs when I connect using OS setup (like Windows 10 network settings)?

 

Good one, I couldn't connect to it using windows VPN connection, so I guess they will presetup all the confif in the client app. You might have to do a bit of digging around to find the setup details and get it working with windows

 

Actually, I did that for a client long ago (setup OpenVPN linux server).

But, he asked me whether to use Windows VPN connection or the client app or the router (all were working options)...

I picked the router for him since it seemed the safest (and cuz his connection will drop when the VPN is out).

But I still wonder what's the difference between OS settings connection and client app connection πŸ€”

The VPN options in most OSes are based on the IPSec protocol. IPSec is a fairly comprehensive VPN protocol, but requires quite some time and skills to set it up properly. And the "easier" solutions are often commercial ones, which are fairly expensive. In addition some OS vendors, like Microsoft, also includes their own VPN alternatives as options.

OpenVPN uses its own protocol, and is thus not compatible with other VPN protocols. This is by design, to avoid implementing lots of features not strictly needed for the task OpenVPN tries to solve.

On the other hand, OpenVPN is an open source product, with the first release in 2001 [1]. Since then, OpenVPN has been through two security audits [2] [3] which it passed with quite few findings. And the critical ones where fixed quickly after [4].

On top of this, a Dutch security company, Fox-IT, has also worked with the Dutch government to deliver a certified OpenVPN solution to be used for data transfer up to the RESTRICTED security level [5] (Going higher than this usually means deploying dedicated VPN hardware). The OpenVPN-NL version is shipping with mbed TLS instead of OpenSSL, where both mbed TLS and OpenVPN has been another round of security audit.

So OpenVPN has proven over time to be a fairly solid and secure VPN solution, with not an enormous amount of security issues [6] over these years.

Thanks David for the detailed information!

I hope you won't mind another question that's been in my head for a decade:

Can a PPTP/L2TP VPN or OpenVPN bypass the (speed limit or throttling or data cap) by ISP?

I mean it encrypts the whole internet package, right? does that include stuff like the size of the package?

I actually tried to setup VPNs for many clients, but their internet experience (speed and capping) didn't change... maybe I didn't do the right setup or maybe it's not possible.

No, you cannot use VPN to circumvent neither traffic throttling or data quotas. The encrypted VPN traffic is also network traffic passing over the Internet.

Some ISPs may have some quotas or throttling on specific services, but you will most like see them doing the reverse in reality - they throttle or have quotas on all the Internet traffic except for selected services they provide with lesser restrictions. And since they most likely won't provide lesser restrictions on VPN services, you can't use VPNs to avoid this.

VPNs may be used to to circumvent blocks to services imposed by ISPs, as they can't see what you use the VPN for. For example, using the Private Tunnel service in China for example, can give you access to a more open Internet.

Makes tons of sense, thanks David for the explanation 😊

Just realized, this can use a bit more explanation:

I mean it encrypts the whole internet package, right? does that include stuff like the size of the package?

Yes, VPNs encrypt the data being passed between the VPN client and server. But it doesn't make the size of the content "disappear".

So, say you want to download a file of 2MiB. All networks have a restriction of how large each network packet can be. This various slightly, but a very common value is 1500 bytes (this is a fairly comprehensive topic, but MTU and Ethernet frames are keyword). Each packet includes both MAC and IP headers (for TCP/IP traffic), and inside IP headers are your local IP address as well as the destination IP address found. And then comes the payload (the data you want to transfer). But due to this restriction, and the packet header information you have less than 1500 bytes per packet available when trying to transfer this 2MiB file. So what happens is that this large transfer is (automatically) chopped up into smaller pieces, fitting into the maximum capacity you can use. On the receiving side, all these fragments are then assembled and saved to a single file again.

When you add VPN into this mix, the VPN interface will receive a stream of packets, as described above. It will then encrypt each of these packets individually (hiding the contents) and then it will be sent further to the VPN host, which means another set of packet headers (which cannot be encrypted) together with the encrypted payload. The receiving side will then decrypt the payload and pass that to its local VPN interface again, containing the packet headers the sending side used.

What this means is that VPN will give an additional overhead and the effect of the available maximum size for the payload will be further reduced. Again, this is quite a complex topic, as there are approaches to try to avoid too much fragmentation on the VPN packets. But the effect is regardless that VPN in practice reduces the overall "transfer capacity" per network packet.

This means you will in almost all cases spend more data transferring packets passed over the VPN. To illustrate this, here's a (reordered) statistic of a VPN session on my computer. Here are both the packet and byte counters for traffic being sent to the VPN interface (TUN_BYTES_IN/TUN_PACKETS_IN). They are encrypted and sent out to the insecure Internet (BYTES_OUT/PACKETS_OUT)

     TUN_BYTES_IN............12334129   (VPN interface)
     BYTES_OUT...............15770719   (WLAN interface)
     TUN_PACKETS_IN............136912   (VPN interface)
     PACKETS_OUT...............136942   (WLAN interface)

What you see here is that more data is being sent to the VPN server than was received on the VPN interface. This is because encrypted network packets bigger and need additional splitting.

And for the traffice being sent from the VPN server to my client. BYTES_IN/PACKETS_IN is the encrypted data coming from the VPN server. TUN_BYTES_OUT/TUN_PACKETS_OUT is the decrypted data being sent to the VPN interface.

     BYTES_IN...............249144390  (WLAN interface)
     TUN_BYTES_OUT..........244135442  (VPN interface)
     PACKETS_IN................202284  (WLAN interface)
     TUN_PACKETS_OUT...........202254  (VPN interface)

When receiving encrypted data from the VPN server, we see the reverse effect. We send less data/packets to the VPN interface, because decrypting the packets reduces the size.

And then you might wonder about compression. Compression is an alternative which may be used to reduce this overhead - when the traffic is compressible. But first of all, compression will reduce the security of the VPN tunnel. In addition a lot of the data being transported is already fairly compressed (like .mp3/.avi/.jpg files) or not suitable to compress (like https traffic) - both these cases will not result in much compression effect. So it is not recommended to use compression at all.

So to sum it up: VPNs will not hide the size of the data being transported. The effect will be that you use more data when using VPNs.

Ah, I see now...

It's actually shocking to know that VPN has the opposite effect on data size, regardless of how many falsified articles claim 😁

BTW guys, David is the team lead core dev of OpenVPN Inc.

Thanks a lot David for the explanation!

 

Not an expert, I am a web developer and wanted to see how easy it is to set it up πŸ™ƒ

 
 

Who said so?

This program is designed to function on Windows Vista, 7, 8, and Windows 10.

openvpn.net/vpn-server-resources/c...

 

Keep in mind there are a ton of good vpn options, too. Don't get me wrong, OpenVPN is awesome, but there's tinc, wireguard, openconnect, shadowsocks... the number of vpn-like options is boggling.

There's a neat project out there called streisand (link below) which bundles many of these tools together complete with a document output on how to use them. Works within AWS as well. I haven't used it but always struck me as a good intro to vpn-like tools if someone wanted to try them.

github.com/StreisandEffect/streisand

 

Thanks, the point of article wasn't to compare those, it was how quick you can set something up without prior knowledge

 

Hello Yaser! I have a question about this config:

"Change the toggle for Should client Internet traffic be routed through the VPN? to Yes"

What's the purpose of it? What happen if I select NO?

Thanks in advance.

 

If you don't check that toggle, you might be connected to the server, but surfing internet still happens without that. Remember that you can't use windows' native VPN with this, you gotta have to use its client.

When you toggle that, the client changes the routing of your internet traffic through OpenVPN 😊

 

Thanks for your response, basically I just need the VPN to browse pages that are blocked by the firewall hehe, I have the OpenVPN client installed in my mac, will it be ok if I disable the option mentioned before? I don't want to incur in any extra charge (using AWS Free Tier)
Thanks

Hmmm, not sure how to route only certain addresses. Better check their docs

Hello! I mean, if I select NO in the "Should client Internet traffic be routed through the VPN? to Yes" Will I have "open internet"? I have changed to NO and seen no difference. I'm still browsing with no restrictions.

This is what I found:

If you only have a small network you would like your remote users to connect to over the VPN, select no. Otherwise, if you would like everything to go through the VPN while the user is connected (especially useful if you want to secure data communications over an insecure link), select yes for this option.

 

It could also be mentioned that using the OpenVPN Connect clients, all you need to provide to connect to your VPN server is the server hostname, username and password. The client setup is then fairly automated.

There are OpenVPN Connect client available for Android and iOS in the respective appstores. Desktop clients can be downloaded by logging into the Access Server web portal.

And in the coming OpenVPN 3 Linux client beta release, there will also be bundled a command line utility where you just need to give the server URL and user credentials, and the VPN profile is downloaded and your Linux host is configured automatically too.

 

I just wanted to say THANK YOU SO MUCH for this guide - I had been working with pivpn and had everything in place to set it up, but it was not still not working on my rp4. I was getting into the weeds with network configuration and firewall problems. Having a working VPN server is cool - but it was diving into AWS EC2 instances with this exercise that really made my day. Thank you for doing such a great job in breaking everything down!

After working with it for a moment and realizing that it's been well over a year since I signed up for AWS, I'm wondering what configuration steps should be taken to keep costs down. I set up the budget warning tools and I guess I will see in a few days how much cpu credits are being used. The pricing system seems like it could catch up with you pretty quick if you set an instance up wrong and it tried to chew up resources.

 
 

Out of curiosity, why did you choose the Cloudflare primary DNS server (1.1.1.1) and the Google primary DNS server (8.8.8.8) instead of using the Cloudflare secondary DNS server (1.0.0.1) ?

From a network redundancy point of view, I can see this as a reason. From a log privacy viewpoint, the cloudflare secondary DNS might be a better choice.

 

Ideally you don't want to only be dependent on one DNS provider, and logs shouldn't be plain. But again I am not an expert and this might be the wrong setup πŸ™ƒ

The point of article was something else

 

Thanks much for the article and for the feedback!

 

Yaser

Just set up server on AWS and working fine but how do I create .ovpn files for clients? I have the client profile bundled with the downloaded openvpn client but wonder how to create more profiles. It seems that openvpn server needs to be installed on the AWS image but I can't see any sign of it.
Bit baffled.

 

Hey Paul,

From what I can see you need to access the server from command line which is mentioned in the article and follow this:

openvpn.net/community-resources/cr...

Let me know if this didn't help you

 

thanks for sharing, I was needing something like this

 
 

can you tell me how to set up a client-server for this?

 

I didn't get your question, this is something you put on your client side code (on img tag) and that's it. Server is only responsible to serve the static files as before, no change required

 
 

they cost me 4 dollars
$0.090 per GB - first 10 TB / month data transfer out beyond the global free tier 48.207 GB $4.34

what is it?

 

I am not sure what’s your setup, but there will be a limit on free tier for sure

 

I did the exactly same thing in this article.I think the limit is bandwidth.15 GB just free.

code of conduct - report abuse