Creating Your Own Remote Access VPN on AWS

As a security consulting firm, client confidentiality is paramount, and any online activity conducted on behalf of or associated with a client must be protected. Remote access virtual private networks (VPNs) have become one effective means to protect such mobile and desktop online activity. As of Summer 2018, there were more than 180 companies offering VPN services worldwide. Which one should you choose?


Any choice requires trusting that the VPN-provider would sufficiently fortify their system to protect our data, as advertised, against their willful snooping or external compromise. Since there exists no practical and verifiable means to confirm such protection beyond a reasonable doubt, we chose to not place our trust in these providers. We needed to be able to monitor and control any infrastructure we would pipe our data through, and we found that Amazon Web Services (AWS) offered such a solution.


While an AWS VPN server affords a user a much smaller number of geographic nodes to choose from than what many VPN providers offer, the extra control and security built into AWS makes this a great choice.


The following steps walk you through the process of standing up a free version of a VPN server in AWS, and assumes you already have an AWS account. Depending on the amount of data you intend to pipe through your server, there may be additional fees associated. For our part, we maintain several VPN servers worldwide in AWS, and use each as we need them. Once familiar with the process, standing up a new server generally takes 10 minutes or less.

Step 1 – Sign-in to AWS Console.


Step 2 – Select EC2 from under the “Services” Tab.



Step 3 – Set your Region in the upper right-hand corner of the next page.


Select your desired region that best supports the activities you intend to engage in while using this VPN.


Step 4 – Launch an Instance.


Step 5 – Choose an Amazon Machine Image (AMI).


Search and Select the OpenVPN “Free tier eligible” option from the AWS Marketplace tab along the left-hand side of the screen.

This solution only works with OpenVPN 2.5.0 or 2.5.2. As of February 2019, version 2.6.1 does not work with this solution. Therefore, click “More info” and then “OpenVPN Access Server product details page on AWS Marketplace.

Click on the “Subscribe” (or Continue to Subscribe) in the upper right-hand corner.

Then click “Continue to Configuration.”

Select the Software Version (2.5.0 or 2.5.2), selection your Region, then click “Continue to Launch.”

Under Choose Action, select “Launch through EC2” and then click “Launch.”

Step 6 – Choose your Instance Type.


For the purposes of a basic VPN, for example for anonymous research, select the “t2.micro” option, then click “Next: Configuration Instance Details.”

Step 7 – Configure Instance Details.


Unless you have a reason to manipulate any of these settings, leave AS-IS and click “Next: Add Storage.”

Step 8 – Add Storage.


The default size is 8 GB. Unless you need more (which may incur additional cost), leave AS-IS and click “Next: Add Tags.”

Step 9 – Add Tags.


Adding tags to your VPN servers can be helpful when managing and monitoring multiple servers. For example, all of our VPNs dedicated to conducting OSINT research are tagged as “Key: Research” and “Value: OSINT.” Doing so allows us to quickly identify metrics attributed to that group of servers. Insert any tags as appropriate and click “Next: Configure Security Group.”

Step 10 – Configure Security Group.


On the SSH line, set the IP to a specific IP or IP range. Using 0.0.0.0/0 will allow all IP addresses access to this instance. Click “Review and Launch.”

- If you are on a VPN, be sure to disconnect to ensure you get the right IP address you will be calling out from (a home, work, or hotel IP).

- If you are in a location you plan to remain at for several days or more, you can set the IP by using the drop-down menu under “Source,” and changing from “Custom” to “My IP.” This will auto-fill your IP into the window. The effect of this will be to limit SSH connections to your AWS instance to only those which originate from this specific IP.

- If you will be connecting from network that may cycle their available IPs across a range of IP addresses, you can set the 4th octet to “.0” and change the CIDR notation from “32” to “24”. This will allow you to connect when you’re based from any IPs matching the first three octets.

- In this hotel example, by adjusting the IP from 94.56.129.22 to 94.56.129.0/24, you increase the chances of consistently using this configuration, even if the hotel cycles the 4th octet of their IP addresses. That said, this will also unblock other similar IPs from the hotel or local area, which may or may not be an issue depending on your needs.

Step 11 – Boot from General Purpose (SSD).


Leave AS-IS, and click “Next.”

Step 12 – Review Instance Launch.


Ensure the “Hourly Software Fees” section reads “$0.00 per hour on t2.micro instance” unless you plan to pay for a larger instance. Click “Launch.”

Step 13 – Create a new key pair.


Select “Create a new key pair” from the first drop-down menu and name the key pair something that will communicate to you the purpose of the VPN. You will need to manipulate this file via the command line starting in STEP 17, so set your file name and location accordingly.

Click “Download Key Pair.” Once downloaded, click “Launch Instance.”

Step 14 – Name your instance.


Back at your AWS EC2 console, give your Instance a unique name, especially if you intend to create multiple VPNs or use it for a specific purpose (e.g. associated with a particular person or project). Doing so will make managing your different VPN servers much easier.

Step 15 – Creating an Elastic IP.


Once the Instance has launched, return to your console, make sure your instance is selected, and then select the “Elastic IPs” option along the left-hand side of your console.

Then, click “Allocate new address.”

Then, click “Allocate.”

This will result in a new Elastic IP address being created and made available for your use. Click “Close.”

Step 16 – Associate your new elastic IP to your current Instance.


At the next screen, ensure the new Elastic IP address is selected, click “Actions,” and then click “Associate address.”

This will bring you to the following prompt. Use the “Instance” drop-down menu to select your specific instance (by AWS’ Instance ID). If you have multiple instances, be sure to note the AWS ID before starting this process. Then, click “Associate.”

Step 17 – Access your Key File location in the command prompt.


Open a terminal window, and set your folder where you saved your Key Pair file (ending in .pem). In this case, I saved the Key Pair file under Documents/1. Admin/VPN/Key Files.

Step 18 – Set your Key Pair file as READ-ONLY.


In this example the Key File is named “hotspotcafesydney.pem.”

Step 19 – Login and configure the OpenVPN server via SSH.


You will configure your server using the Elastic IP you set up in STEP 15.

You will be prompted to trust the key. Type “yes” and hit ENTER.

The OpenVPN End User License Agreement (EULA) will scroll next. Type “yes” and hit ENTER

Hit ENTER for “yes” to affirm this will be the primary Access Server node.

Type option “1” to allow all interfaces to be used by Admin Web UI.

Hit ENTER to retain default port 943 for Admin Web UI.

Hit ENTER to retain TCP port 443 for OpenVPN Daemon.

Type “yes” to route client traffic by default through the VPN.

Type “yes” to route client DNS traffic by default through the VPN.

Type “no” for local authentication via internal DB.

Hit ENTER to retain access to private subnets by default.

Hit ENTER to affirm you wish to login to Admin UI as “openvpn.”

Hit ENTER to leave license key blank.


Note: If you are not prompted to accept the EULA, delete the configuration and restart at STEP 17.

- Type “sudo ovpn-init --ec2” and hit enter.

- Type “DELETE” and hit enter.

- Restart at STEP 17

Step 20 – Create the username and UNIX password for this VPN server profile.


In the event you want to choose to use a non-standard username (e.g. Billy), you may need to force a badname (red box).

Enter a password, and any additional user information you deem appropriate.

Step 21 – Log-in to the VPN server and download your VPN profile.


Type the elastic IP (e.g. https://elasticIP:943) in your browser’s address bar. You may receive a warning that your connection is not private. Use the ADVANCED link to continue to the site. Enter the username and UNIX password you set in the Step 20 and click “Go.”

Click on “Yourself (user-locked profile)” to download the OVPN file.

Once downloaded, click “Logout.”


Step 22 – Import your “user-locked profile” file (ending in “.ovpn”) to your VPN service.


The steps to import your profile will vary depending on which VPN program you use (i.e. OpenVPN or Viscosity).


Once this is imported to your program of choice, use this to connect with the username and password you created. When connected, you can now browse the internet through your own AWS-hosted VPN!

Do more than just react.