
Low-Cost VPN on AWS in Under 15 Minutes


Summary

This repository allows anyone to create and maintain their own VPN (using the open source version of OpenVPN) on AWS in under 15 minutes and a dozen clicks for as little as $2/month. No technical background is required or expected.

For more about what a VPN is and why you might want to use one, this post on Hackernoon is pretty good.

For more information about cost and technical details, refer to the details section.

Launch Now

Setup

Instructions are provided both in the form of screenshots and more detailed text.

Visual Instructions

  1. Click "Launch Now"
  2. Log in (create an account if needed)
  3. Click "Next"
  4. Click "Next" two more times
  5. Acknowledge and click "Create Stack"
  6. Click "Stack Info"
  7. Refresh until Status is "CREATE_COMPLETE" (about 5-10 minutes)
  8. Click "Outputs"
  9. Click the "ClientConfigurationUrl" link
  10. Click "Download" and save the client key
  11. Import the key into OpenVPN Connect
  12. You're connected

Text Instructions

  1. Click the "Launch Now" icon above
  2. Sign in to AWS
    1. If you already have an AWS account, sign in
    2. If you do not already have an AWS account
      1. Click the grey "Create a new AWS account" button
      2. Enter your email, password, and whatever you want for an account name (e.g. "personal account")
      3. Click the gold "Continue" button
      4. Select the appropriate account type (likely "Personal")
      5. Enter your personal information
      6. Click the "Create Account and Continue" button
      7. Enter your credit card and billing address
      8. Click the "Verify and Add" button
      9. Verify your identity via SMS or voice call
      10. Select the "Basic Plan"
      11. Click the gold "Sign in to the Console" button
      12. Sign in using the email/password you used above
  3. Create your VPN via CloudFormation
    1. If you don't see "Create stack" at the top of the screen after logging in, click the "Launch Now" icon again
    2. On the "Create stack" screen, click the orange "Next" button in the bottom right
    3. On the "Specify stack details" screen, again click the orange "Next" button
    4. On the "Configure stack options" screen, again click the orange "Next" button
    5. On the "Review" screen, scroll down to the bottom and check the box in the blue box with the title "The following resource(s) require capabilities: [AWS::IAM::Role]". This acknowledges that, as part of creating the VPN, CloudFormation will create a new IAM role (a set of permissions) in your account and hand it to the VPN instance. If you want to know exactly what the instance is allowed to do in your account, review the permissions the template attaches to that role before continuing
    6. Click the orange "Create stack" button
    7. Select the "Stack info" tab and observe the "Status" field says "CREATE_IN_PROGRESS"
    8. When the "Status" field changes to "CREATE_COMPLETE" (may require refreshing), click the "Outputs" tab. This usually takes 5-10 minutes
    9. Click the link in the "Value" column of the "Outputs" tab (the output is named "ClientConfigurationUrl"). This opens the S3 bucket that stores the client key you'll use to access your VPN
    10. Click the "Download" button, and save the client key to your computer. This file is the credential that authenticates you to your VPN server: anyone who gets a copy can connect through your VPN, so store it only on the device that will use it, keep it out of e-mail and shared folders, and restrict its file permissions to your own user
  4. Download and install the OpenVPN Connect client for your operating system
  5. Connect your client to the VPN server
    1. Open the OpenVPN Connect client
    2. Import the client key you downloaded earlier
    3. With a few more clicks, you should be connected
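The same setup driven from the AWS CLI instead of the console, as an added example that is not part of this repository. It assumes the AWS CLI is installed and configured for your account, that TEMPLATE_URL is the CloudFormation template behind the "Launch Now" link (its address is not shown on this page, so you have to supply it), that the stack exposes the ClientConfigurationUrl output shown above, and that the downloaded client key is an .ovpn profile with the private key inline.

```shell
#!/bin/sh
# Added example (not from the openvpn_on_ec2 project): the click-through
# setup above, expressed as AWS CLI calls.
# Assumptions: AWS CLI configured; TEMPLATE_URL is the template behind
# "Launch Now" (not printed on the page, so it must be supplied); the stack
# has an output named ClientConfigurationUrl; the downloaded profile is an
# .ovpn file with an inline <key> block.
set -eu

STACK_NAME="${STACK_NAME:-openvpn}"
TEMPLATE_URL="${TEMPLATE_URL:-}"

# Create the stack. --capabilities CAPABILITY_IAM is the CLI form of the
# "require capabilities: [AWS::IAM::Role]" checkbox on the Review screen.
create_stack() {
    [ -n "$TEMPLATE_URL" ] || { echo "TEMPLATE_URL is required" >&2; return 1; }
    aws cloudformation create-stack \
        --stack-name "$STACK_NAME" \
        --template-url "$TEMPLATE_URL" \
        --capabilities CAPABILITY_IAM \
        --query StackId --output text
}

# Block until the status is CREATE_COMPLETE (the waiter fails if the stack
# rolls back instead); this replaces refreshing the "Stack info" tab.
wait_for_stack() {
    aws cloudformation wait stack-create-complete --stack-name "$STACK_NAME"
}

# Read the ClientConfigurationUrl output, i.e. the value on the "Outputs" tab.
client_config_url() {
    aws cloudformation describe-stacks \
        --stack-name "$STACK_NAME" \
        --query "Stacks[0].Outputs[?OutputKey=='ClientConfigurationUrl'].OutputValue" \
        --output text
}

# After downloading the profile: it is a credential, so make it readable
# only by the current user and confirm it really carries a private key.
secure_profile() {
    profile="$1"
    chmod 600 "$profile"
    if grep -q '^<key>' "$profile"; then
        echo "ok: $profile contains a private key; permissions set to 0600"
    else
        echo "warning: no inline <key> in $profile; check how its key is supplied" >&2
        return 2
    fi
}

case "${1:-}" in
    create) create_stack && wait_for_stack && client_config_url ;;
    url)    client_config_url ;;
    secure) secure_profile "$2" ;;
    *)      echo "usage: $0 create | url | secure <profile.ovpn>" >&2 ;;
esac
```

Run `TEMPLATE_URL=... sh vpn_stack.sh create` to create the stack, wait for it and print the client configuration URL, then `sh vpn_stack.sh secure client.ovpn` once the profile is saved locally. The URL printed by `create` is the same link the "Outputs" tab shows; download the file from there as in step 10.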

Details

CloudFormation

CloudFormation provisions all of the resources (the EC2 instance that runs the VPN, the S3 bucket that stores the generated client key, the IAM role, etc.) in your own AWS account.

Generating AMI ids

AMI IDs vary by region, and only Amazon Linux offers a built-in "latest AMI" lookup that a template can reference directly, so the template carries an explicit per-region list of Ubuntu 18.04 LTS AMI IDs. That list was produced with the following steps:

  1. Visit this awesome website
  2. Filter to Ubuntu 18.04 LTS, AMD64 architecture
  3. Run the following in the browser's JavaScript console (cells[0] is the region column and cells[6] the AMI ID column of the filtered table) and paste the copied output into the template:
copy([...document.querySelectorAll("tr.odd, tr.even")].map(x => "{\"" + x.cells[0].textContent + "\": {\"HVM64\": \"" + x.cells[6].textContent + "\"}}").join(",\n"))
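A scrape-free way to produce the same mapping, as an added example that is not part of this repository: ask the EC2 API for Canonical's newest Ubuntu 18.04 LTS amd64 image in every enabled region and print it in the same `{"region": {"HVM64": "ami-..."}}` shape the console snippet emits. It assumes a configured AWS CLI; 099720109477 is Canonical's AWS account ID (the publisher of the official Ubuntu AMIs), and the name filter matches the official bionic EBS-backed server images.

```shell
#!/bin/sh
# Added example, not part of the project: build the per-region AMI mapping
# from the EC2 API instead of scraping a web page.
# Assumes a configured AWS CLI. 099720109477 is Canonical's AWS account.
set -eu

OWNER=099720109477
NAME_FILTER='ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*'

# Newest matching AMI in one region: sort by CreationDate, take the last.
# Prints "None" when the region has no such image.
latest_bionic_ami() {
    aws ec2 describe-images --region "$1" --owners "$OWNER" \
        --filters "Name=name,Values=$NAME_FILTER" "Name=architecture,Values=x86_64" \
        --query 'sort_by(Images,&CreationDate)[-1].ImageId' --output text
}

# All regions enabled for this account, one per line.
enabled_regions() {
    aws ec2 describe-regions --query 'Regions[].RegionName' --output text | tr '\t' '\n'
}

# Emit the mapping in the same shape as the console snippet's output.
build_region_map() {
    first=1
    for r in $(enabled_regions); do
        ami=$(latest_bionic_ami "$r")
        [ "$ami" = "None" ] && continue   # region without this image
        [ $first -eq 1 ] || printf ',\n'
        printf '{"%s": {"HVM64": "%s"}}' "$r" "$ami"
        first=0
    done
    printf '\n'
}

case "${1:-}" in
    build) build_region_map ;;
    one)   latest_bionic_ami "$2" ;;
    *)     echo "usage: $0 build | one <region>" >&2 ;;
esac
```

Because the lookup filters on Canonical's owner ID rather than on a name alone, it cannot be fooled by a public AMI that merely calls itself "ubuntu-bionic", which is the check a practitioner wants before pinning IDs into a template.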

Keeping Ubuntu up-to-date

Automatic updates are configured with the following code from ./setup_ec2.sh:

# Configure unattended upgrades for Ubuntu
# (assumes apt-get update has already run earlier in the script)
apt-get install unattended-upgrades update-notifier-common --assume-yes
# Answer the package's debconf question non-interactively; this writes
# /etc/apt/apt.conf.d/20auto-upgrades with the APT::Periodic settings
# that enable the daily unattended run
dpkg-reconfigure --frontend noninteractive --priority=low unattended-upgrades
AUC=/etc/apt/apt.conf.d/20auto-upgrades
# Log what each run does, and reboot automatically when an update
# (for example a new kernel) requires it
echo "APT::Periodic::Verbose \"1\";" >> "$AUC"
echo "Unattended-Upgrade::Automatic-Reboot \"true\";" >> "$AUC"

Note that Automatic-Reboot restarts the instance whenever an installed update asks for one, which disconnects any active VPN session at an unpredictable time; the Unattended-Upgrade::Automatic-Reboot-Time setting pins that reboot to a fixed hour if you prefer.
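A stricter variant of that configuration together with a check that can be run on the instance afterwards, as an added example that is not taken from setup_ec2.sh. It assumes the standard unattended-upgrades file location on Ubuntu; the 04:00 reboot hour is an arbitrary off-peak choice.

```shell
#!/bin/sh
# Added example, not from setup_ec2.sh: write the automatic-update
# configuration with a scheduled reboot instead of an immediate one, and
# verify that a config file enables everything it should.
# Assumptions: standard unattended-upgrades paths on Ubuntu; REBOOT_TIME
# is an arbitrary off-peak hour.
set -eu

AUC="${AUC:-/etc/apt/apt.conf.d/20auto-upgrades}"
REBOOT_TIME="${REBOOT_TIME:-04:00}"

# The page's version reboots as soon as an update asks for it, dropping every
# active VPN session at a random time. This one keeps the same settings but
# pins the reboot to REBOOT_TIME and removes packages no longer needed.
render_auto_upgrades_conf() {
    cat <<EOF
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Verbose "1";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "$REBOOT_TIME";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
EOF
}

# Verify a config file enables the daily list refresh, the upgrade run, and a
# scheduled (not immediate) reboot. Returns 1 at the first missing setting.
check_auto_upgrades_conf() {
    f="$1"
    for setting in \
        'APT::Periodic::Update-Package-Lists "1";' \
        'APT::Periodic::Unattended-Upgrade "1";' \
        'Unattended-Upgrade::Automatic-Reboot "true";' \
        'Unattended-Upgrade::Automatic-Reboot-Time '; do
        grep -qF "$setting" "$f" || { echo "missing: $setting" >&2; return 1; }
    done
    echo "ok: $f enables scheduled unattended upgrades"
}

case "${1:-}" in
    install) render_auto_upgrades_conf > "$AUC" && check_auto_upgrades_conf "$AUC" ;;
    check)   check_auto_upgrades_conf "$AUC" ;;
    *)       echo "usage: $0 install | check" >&2 ;;
esac
```

`install` writes the whole file rather than appending to it, so running it twice does not duplicate lines the way a repeated `>>` would; `check` is what to run on the instance (or in a test) to confirm the settings are really in place.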

EC2 Instances

By default, spot instances are used because they are significantly cheaper. The trade-off is that AWS can interrupt a spot instance (with two minutes' notice) when it needs the capacity back, which would drop your VPN; on-demand instances are not interrupted, have better availability guarantees, and are eligible for the free tier. It would not be difficult to change the CloudFormation template to allow on-demand instances as well.

Testing

Travis runs an end-to-end test to ensure VPNs can be set up and used to access the internet.

Additional security and client testing should be done.

Cost

In addition to the cost of the EC2 spot instance itself (which follows the spot market price), there are costs for storage (about $0.80/month) and for data transfer out of AWS (about $0.10/GB, charged per GB sent rather than per month).