Recently I was at a hotel on a work trip and needed a VPN. My normal VPN subscription service was in use by my family back home, but in little time I was able to set up an OpenVPN connection using Amazon’s EC2 (Elastic Compute Cloud) service. EC2 lets you start virtual machines from a web console, and you pay only for what you use: instance hours, storage and data transfer. Amazon also entices new users with a free tier, so if you don’t have an AWS account already you can run this VPN on 750 free instance-hours a month! Otherwise, the VPN we’ll set up here costs just $0.02/hour, around $3.50 per week, plus a small data-transfer fee of $0.01/GB.
Here’s how to set it up …
Log in to AWS and go to the EC2 console:
Click Launch Instance to start up a virtual machine. Each instance boots from an AMI (Amazon Machine Image), a template published either by Amazon or by the community. We’ll be using the OpenVPN Access Server package built for Ubuntu 9, so I browsed the community AMIs and found one that runs Ubuntu 9.10 32-bit server. The ID for this AMI is “ami-4205e72b”. You can search for that ID among the Community AMIs that others have published. Click the Select button.
Next, you need to configure the machine. It runs just fine using the “micro” instance type, which has the added benefit of qualifying for Amazon’s free tier (if your AWS account is less than a year old). Choose “micro”, accept the other defaults and press Continue.
Just click Continue at the next screen, which lets you configure a RAM disk and Kernel ID.
You can give your VM a name, which is very helpful when you have lots of them running at a time. I called mine EXPED-TECH.
Next, you need to configure a public/private key pair for SSH connectivity. Choose “create key pair”, unless you already have a key pair. You can use the same key pair for multiple VMs. Give your key pair a name and click to download your private key. This is a .PEM file. Amazon keeps only the public half, so this download is your only copy of the private key: store it somewhere safe, because anyone who holds it can log in to the instance.
You need to set up a security group for your VM. In EC2 this is the firewall in front of the instance, so it controls which ports are reachable from the Internet. I called mine “vpn” and opened these ports: OpenVPN (1194 UDP), DNS (53 UDP), 943 (the OpenVPN AS web console default), HTTP (80), HTTPS (443), ICMP so I can ping, and of course SSH (22):

For a server that only you will use, SSH (22) and the console (943) should be limited to your own public address rather than to 0.0.0.0/0. Port 80 and inbound 53 are not needed for the VPN itself: client DNS queries travel inside the tunnel and leave the instance as outbound traffic, which the stateful security group already allows. Port 443 is worth keeping open, since the Access Server also accepts VPN connections over TCP 443, which helps on networks that block UDP.
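As an added example (not part of the original post, which used the web console), here is the same security group built with the AWS CLI. It keeps the two VPN ports open to everyone but limits SSH and the 943 console to the address you are connecting from, and it refuses to proceed if either admin port would be world-reachable. It assumes a configured `aws` CLI and a default VPC; the 203.0.113.x addresses are documentation examples, and the ICMP rule is left out (add it in the console if you want to ping).

```shell
#!/bin/sh
# Added example, not part of the original post: create the "vpn" security group
# with the AWS CLI. Assumes `aws` is installed and configured and the account
# has a default VPC. 203.0.113.x addresses are documentation examples only.
set -eu

ADMIN_PORTS="22 943"          # SSH and the OpenVPN AS web console

# Emit the rule set, one rule per line as "protocol port cidr".
# $1 is the CIDR allowed to reach the admin ports (normally your own /32).
# 1194/udp and 443/tcp carry the VPN itself and must be reachable from
# wherever you roam; 80 and inbound 53 from the original list are omitted
# because the instance serves neither web pages nor public DNS.
vpn_rules() {
    cat <<EOF
udp 1194 0.0.0.0/0
tcp 443 0.0.0.0/0
tcp 22 $1
tcp 943 $1
EOF
}

# Read rules on stdin and fail if any admin port is open to the whole Internet.
check_rules() {
    while read -r proto port cidr; do
        for p in $ADMIN_PORTS; do
            if [ "$port" = "$p" ] && { [ "$cidr" = "0.0.0.0/0" ] || [ "$cidr" = "::/0" ]; }; then
                echo "refusing: $proto/$port would be open to the world ($cidr)" >&2
                return 1
            fi
        done
    done
    return 0
}

# Create the group and apply the rules; only runs when invoked as "sg.sh apply".
apply() {
    me="$(curl -fs https://checkip.amazonaws.com)/32"   # your current public address
    vpn_rules "$me" | check_rules
    sg=$(aws ec2 create-security-group --group-name vpn \
            --description "OpenVPN AS" --query GroupId --output text)
    vpn_rules "$me" | while read -r proto port cidr; do
        aws ec2 authorize-security-group-ingress --group-id "$sg" \
            --protocol "$proto" --port "$port" --cidr "$cidr"
    done
    echo "created $sg; attach it to the instance at launch"
}

case "${1:-}" in apply) apply ;; esac
```

Run it as `sh sg.sh apply` from the machine you will administer from; if your hotel address changes, add a new rule for the new /32 rather than widening the old one to 0.0.0.0/0.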
Then click Launch to start your machine! After a few seconds you will be able to see the machine as RUNNING in the Instances portion of the control panel:
Right-click on your machine and choose Connect. This will show you the public DNS name, something like this:
You should be able to ping your machine since we enabled ICMP.
Next, we’ll use PuTTY to SSH into our running VM and get a shell prompt. Before we can do that, we need to convert our .PEM key into a .PPK key that PuTTY can use. Launch the PuTTYgen utility that comes with PuTTY, load your private .PEM key (be sure to choose “all files” so that you can see .PEM extension files), then click Save Private Key. You can give a passphrase, but I just skipped this (thus answering YES to the prompt). Now you have a .PPK key file. Bear in mind that this key is all that stands between the Internet and a shell on the instance, and the ubuntu user on these images has passwordless sudo; if you skip the passphrase, guard the .PPK file as you would a root password.
Start PuTTY, enter the public DNS address for your VM and point it at your PPK key for authentication (under SSH | Auth). Click Open to connect. You’ll get a warning that the server’s host key is not cached. Before clicking YES, compare the fingerprint it shows with the SSH HOST KEY FINGERPRINTS block that the instance printed at first boot, which you can read from the instance’s system log (console output) in the EC2 console; a mismatch means you are not talking to your instance. Enter the login name “ubuntu” and you should connect:
Leave your SSH session open. Back on your workstation, download OpenVPN Access Server (OpenVPN-AS) from OpenVPN.net. We have a 32-bit Ubuntu 9 machine, so choose the matching package. Save this download package on your PC.
Next, we’ll use WinSCP to move the OpenVPN-AS package into our VM. Download the free utility, enter your public DNS and private key PPK file, then connect:
Browse to your OpenVPN package, openvpn-as-1.7.1-Ubuntu9.i386.deb, and copy it to your home folder on the VM. Since you are about to install this file as root, compare its checksum against the one published on the download page before you do.
Back in SSH, you can now install the package:
sudo dpkg -i openvpn-as-1.7.1-Ubuntu9.i386.deb
OpenVPN Access Server will install. When it’s done, it prints the URLs for the admin and client web interfaces:
Admin UI: https://10.194.73.104:943/admin
Client UI: https://10.194.73.104:943/
Still in SSH, change the password for the openvpn user. This account is the Admin UI login, and port 943 is reachable from the Internet, so pick a long one:
sudo passwd openvpn
We’re almost there. Fire up a browser and visit the admin URL (be sure to include the :943 so you hit that port!). The 10.x address in the printed URL is the instance’s private address and is not reachable from outside EC2, so substitute the public DNS name from above:
The appliance ships with a self-signed certificate, so you will have to confirm a security exception for the site. Log in as admin using the openvpn user and the password you set (in the SSH session above).
We need to set the VPN server’s hostname so that it matches Amazon’s public DNS entry; this is the address that gets written into the client profiles. Click Server Network Settings on the left of the screen, tick “listen on all interfaces” and enter the IP address behind the public DNS entry (just the address, don’t put https:// in front!). For example, pinging the Amazon DNS name gives you the IP address:
c:\util>ping ec2-174-129-141-113.compute-1.amazonaws.com

Pinging ec2-174-129-141-113.compute-1.amazonaws.com [22.214.171.124]:
Reply from 126.96.36.199: bytes=32 time=282ms TTL=45
Reply from 188.8.131.52: bytes=32 time=281ms TTL=45
Reply from 184.108.40.206: bytes=32 time=282ms TTL=45
Reply from 220.127.116.11: bytes=32 time=281ms TTL=45

Ping statistics for 18.104.22.168:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 281ms, Maximum = 282ms, Average = 281ms
Therefore you’d put in IP 22.214.171.124 and tick “listen on all interfaces”:
Click Save Settings, then Update Running Server to activate them.
Next, visit the client URL, but compose this using the IP address you just identified:
Log in using the openvpn user and the password you set. Be sure to select CONNECT and press OK. A “click here to continue” link will appear; clicking it downloads the OpenVPN Windows installer (an MSI).
The neat thing is that this installer bundles the connection profile for your server, certificates included, so it has everything needed to establish the VPN connection; treat the file as private for the same reason. Just install it on your workstation, and it will put an OpenVPN icon in your Windows taskbar.
Right-click on this icon and choose the “go to” option to connect to the server. Then click CONNECT to set up the VPN connection.
Some final thoughts…
It is important to test that your VPN is working. One easy way is with the tracert command (from a cmd prompt on your Windows machine), which shows the route packets take from your PC to a server on the Internet. Here the route from me to twitter.com goes first through the VPN’s 5.5.x.x client network (OpenVPN Access Server’s default address pool), then out through routers on the EC2 network, and finally to twitter.com:
C:\util>tracert twitter.com

Tracing route to twitter.com [126.96.36.199]
over a maximum of 30 hops:

  1   283 ms   282 ms   283 ms  188.8.131.52
  2   283 ms   283 ms   283 ms  ip-10-204-240-2.ec2.internal [10.204.240.2]
  3   284 ms   290 ms   284 ms  ip-10-1-42-25.ec2.internal [10.1.42.25]
  4   285 ms   284 ms   283 ms  ip-10-1-34-6.ec2.internal [10.1.34.6]
  5   283 ms   283 ms   290 ms  184.108.40.206
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9   286 ms   315 ms   285 ms  xe-10-3-0.edge1.Washington1.Level3.net [4.79.20.37]
 10   284 ms   285 ms   284 ms  vlan60.csw1.Washington1.Level3.net [220.127.116.11]
 11   285 ms   284 ms   284 ms  ae-62-62.ebr2.Washington1.Level3.net [18.104.22.168 45]
 12   292 ms   289 ms   289 ms  ae-3-3.ebr1.NewYork2.Level3.net [22.214.171.124]
 13   289 ms   293 ms   289 ms  ae-1-100.ebr2.NewYork2.Level3.net [126.96.36.199]
 14   290 ms   291 ms   291 ms  ae-6-6.ebr2.NewYork1.Level3.net [188.8.131.52]
 15   358 ms   358 ms   358 ms  ae-2-2.ebr4.SanJose1.Level3.net [184.108.40.206]
 16   358 ms   369 ms   360 ms  ae-61-61.csw1.SanJose1.Level3.net [220.127.116.11]
 17   359 ms   359 ms   359 ms  ae-13-60.car3.SanJose1.Level3.net [18.104.22.168]
 18   360 ms   359 ms   359 ms  TWITTER-INC.car3.SanJose1.Level3.net [22.214.171.124 94]
 19   362 ms   366 ms   363 ms  126.96.36.199
 20   368 ms   369 ms   368 ms  r-199-59-148-83.twttr.com [188.8.131.52]

Trace complete.
You can also confirm that your VPN is active with a website such as IP Chicken. Here we see clearly that we are on Amazon’s network:
When you are done, terminate your EC2 instance rather than just stopping it. A stopped instance no longer accrues instance-hours, but its storage volume keeps being billed; terminating releases everything (and discards the server’s configuration, so you will repeat this setup next time).
If you stop and start your VM (a plain reboot keeps its address), it will come back with a new public IP address and DNS name and you’ll need to reconfigure the server. Get the new public DNS from the console, browse to the admin UI at that name and modify the Server Network Settings as we did above. Clients installed from the old address need a fresh installer, since the profile they carry names the old address.
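As an added example (again not part of the original post, which did this through the Admin UI), here is how the Server Network Settings change above can be done from the SSH session, and re-done automatically whenever the instance comes back with a new address. It reads the current public IPv4 from the EC2 instance metadata service and pushes it into OpenVPN AS with the `sacli` tool that ships with the Access Server, then restarts the service. The configuration key names (`host.name` and the two `vpn.daemon.0...ip_address` keys) are the ones current OpenVPN AS documentation gives for the hostname and “listen on all interfaces” settings; run `sacli ConfigQuery` on your version to confirm them before relying on this. The `is_ipv4` check makes the “don’t put https:// in front” rule mechanical.

```shell
#!/bin/sh
# Added example, not from the original post: set the OpenVPN AS hostname/IP from
# the instance's own metadata so it survives a stop/start. Run on the EC2
# instance as root. Config key names are taken from OpenVPN AS documentation for
# current releases; confirm them with `sacli ConfigQuery` on your version.
set -eu

SACLI=/usr/local/openvpn_as/scripts/sacli
IMDS=http://169.254.169.254/latest

# Accept only a bare dotted-quad IPv4 address: no scheme, no port, no hostname.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit chars, stray or doubled dots
    esac
    oldifs=$IFS; IFS=.
    set -- $1                               # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Ask the instance metadata service (IMDSv2: fetch a token first) for the public IPv4.
public_ipv4() {
    token=$(curl -fs -X PUT "$IMDS/api/token" \
                 -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
    curl -fs -H "X-aws-ec2-metadata-token: $token" "$IMDS/meta-data/public-ipv4"
}

# Point OpenVPN AS at the given public address, listen on all interfaces, and
# restart so the change (and the client profiles it generates) take effect.
configure_host() {
    is_ipv4 "$1" || { echo "not a plain IPv4 address: $1" >&2; return 1; }
    "$SACLI" --key host.name --value "$1" ConfigPut
    "$SACLI" --key vpn.daemon.0.listen.ip_address --value all ConfigPut
    "$SACLI" --key vpn.daemon.0.server.ip_address --value all ConfigPut
    "$SACLI" start
    echo "OpenVPN AS now advertises $1; client UI: https://$1:943/"
}

# Only act when invoked as "vpn-addr.sh apply"; harmless to source otherwise.
case "${1:-}" in apply) configure_host "$(public_ipv4)" ;; esac
```

Run it once by hand after the install (`sudo sh vpn-addr.sh apply`), then add `@reboot /path/to/vpn-addr.sh apply` to root’s crontab so a stop/start re-points the server at whatever address it receives. Existing client installs still name the old address, so fetch a fresh installer from the client UI after the change.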
Amazon’s Elastic IP service can assign a static address to your VM. It’s not hard to set up: you allocate an address and can attach it to any of your EC2 instances, and the address persists even if you terminate an instance, so you can later point it at a new VM. The trade-off is cost. At the time of writing it was $0.01 per hour for the address, $7 a month or so; AWS has since changed how public IPv4 addresses are billed, so check the current EC2 pricing page before relying on that figure.