How To Make Your Own VPN Server (2024)

At a Glance

Things are tight financially for all of us, and while we would benefit from using a commercial VPN provider, some of us would rather save our money for other things. Luckily, with just a little technical knowledge and a bit of effort on your part, you can build your own VPN server.

In this article, I’ll provide a step-by-step guide that walks you through the various ways you can set up your own Virtual Private Network (VPN) server, allowing you to keep your online activities hidden and under your control.

Create Your Own VPN Using Amazon Web Services

Getting Started

If you’re only in search of occasional VPN protection you can set up your own VPN server using Amazon Web Services (AWS) and it won’t cost you a dime. Well, for a year, anyway. AWS offers one year of virtual server space, as long as you keep your usage under Amazon’s limit on time, bandwidth, and space (even if you do go over, AWS will likely cost you less than a VPN subscription).

Here, I’ll explain two ways to use Amazon’s Elastic Compute Cloud (EC2) service to protect your connection. The two ways we’ll look at are SSH tunneling and OpenVPN. Both have their own set of pros and cons, and no matter which method you decide to use, you’ll require the following:

  • An Amazon Web Services account. While you will be required to provide a credit card number, you’ll only be charged if you exceed the free account’s limitations.
  • If you have a Windows PC, you’ll want to install PuTTY. While there are other options, PuTTY is the easiest to use. You’ll also want to download and install PuTTYgen, which is a key generation and conversion program. If you’re on macOS or Linux, an SSH client is already built into the operating system’s terminal app.
  • WinSCP, or another SFTP/SCP client, which will be used to move files between your local computer and your EC2 instance.
  • A basic knowledge of Unix commands and how servers work with clients will be extremely handy if you need to do any troubleshooting if things don’t work as expected.
  • OpenVPN GUI. Install it using the default location and the default settings on your PC.

Setting up AWS

Once you’re all signed up for an Amazon Web Services account, you’re ready to set up and launch the server that we’ll use for our VPN.

Do the following:

  1. Log into your AWS account.
  2. Open the EC2 Dashboard.
  3. In the top right corner, you can select the location to set up your VPN.
  4. Click “Launch Instance.”
  5. Choose a Linux AMI that is labeled as “free tier eligible.” At the time of writing, that is the Amazon Linux AMI.
  6. Choose a t2.micro instance that’s also free tier eligible. Click “Launch Instance.”
  7. Now you’ll be asked to create a key pair (a public key and a corresponding private key), which you’ll use to connect to the virtual server you’re creating. Click on “create a new key pair” from the dropdown menu and then name it whatever you like (I’ll name mine “DynamicDuo”).
  8. Click “Launch Instance.”
  9. You’ll be prompted to download the key pair. Be sure to store the key pair somewhere safe.
  10. On the next page, click “Edit Security Groups.”
  11. Edit the security group so it only allows traffic from your computer to access the VPN. A rule will automatically be in place for connecting to your server via SSH.
  12. Add a rule to allow OpenVPN connections (which will use a default port 1194). Under the “Inbound” tab, click the “Add rule” button, then set the Type to “Custom UDP,” the Port Range to “1194,” and the Source to “Anywhere.”
  13. Click “Save.”
  14. Click “Review and launch.”
  15. Click “Launch” on the next page.
  16. The next page should notify you that the instance is launching. Scroll to the bottom and click “View instances.” You’ll now see a list of any instances that you’ve launched, which, since this is likely your first time using EC2, will just contain one instance.

Connect To the Server With PuTTY

We’ll use PuTTY to connect to our EC2 instance, so we first need to convert the downloaded key into the format PuTTY understands. This assumes that when you installed PuTTY you also installed PuTTYgen. Run PuTTYgen.

    1. In PuTTYgen, click “Load.”
    2. Navigate to the .pem key pair file you downloaded before and load it into PuTTYgen. Select the option to show all file types for the .pem key to show up. Hit “Save Private Key.” The file name must be identical to the .pem key. You can also create a passphrase for the private key if you want.
    3. Close the PuTTYgen app.
    4. Open PuTTY. Copy your instance’s public IP from the EC2 console into PuTTY. Enter a name for the session and hit save.
    5. In the left pane, navigate to “Auth” under SSH.
    6. Click the “Browse” button and navigate to the private key (.ppk) you just generated and saved.
    7. On the main Session page, enter a name for your session profile and save it so you can quickly connect the next time you use PuTTY. Then click Open.
    8. A prompt will appear asking you for a username. For the Amazon Linux AMI, it’s “ec2-user”.

How To Set Up OpenVPN on the Server and Client

In this section, I’ll walk you through using the free, open source tool OpenVPN to set up and run a full-featured VPN through your Amazon EC2 instance. In this case, all of your internet traffic will pass through the VPN, not just the web browser traffic as with an SSH tunnel. This allows you to encrypt the internet traffic from all of the apps on your device, keeping all of your online activities undercover.

Following the instructions in the previous section, connect to your EC2 instance using PuTTY. You should see a command prompt that says Amazon Linux AMI.

From the command prompt, run the following commands (you can type them in or copy/paste them and press Enter):

sudo yum install -y openvpn

sudo modprobe iptable_nat

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

sudo iptables -t nat -A POSTROUTING -s 10.4.0.0/24 -o eth0 -j MASQUERADE

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

You’ll see quite a bit of text flash by in the command prompt while OpenVPN is installed. The remaining commands load the NAT module, turn on IP forwarding, and add the iptables MASQUERADE rules that rewrite traffic from the tunnel subnets (10.4.0.0/24 for the static-key method, 10.8.0.0/24 for the Easy-RSA method) to the instance’s own address; without them, packets from VPN clients never reach the internet.

Method #1: Setting Up PKI Authentication With Easy-RSA (Recommended)

This method is quite secure and allows for multiple devices to be connected at once.

OpenVPN and Easy-RSA Server Setup

While you would usually generate the keys and certificates we need for this on a separate device, we’re going to save a bit of tedium and generate both client and server credentials on the server, then move the files to wherever we need them.

Here’s how to do it:

  1. Since easy-rsa is not included in the default yum package list, we’ll need to enable the EPEL repository to install it. Type the following into the PuTTY terminal and hit Enter:

sudo yum install easy-rsa -y --enablerepo=epel

2. Create an easy-rsa directory under /etc/openvpn and copy the files from your easy-rsa installation into it (3.0.3 was the latest version at the time of writing; adjust the path if yours differs):

sudo mkdir /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
sudo cp -Rv /usr/share/easy-rsa/3.0.3/* .

3. Now it’s time to set up the certificate authority. Start by initializing a new PKI (public key infrastructure) directory, then build a certificate authority keypair:

sudo ./easyrsa init-pki

sudo ./easyrsa build-ca

4. Enter a PEM passphrase. While this is not required, it is strongly recommended. If someone gets their hands on your CA private key, they will still be blocked from creating keys or signing certificates without the passphrase.

5. You’ll now be prompted to enter a common name. Call it whatever you’d like or just hit Enter to use the default value.

6. Now we’ll generate the Diffie-Hellman parameters that the server uses for its ephemeral key exchange, which is what gives each session perfect forward secrecy:

sudo ./easyrsa gen-dh

7. This command can take a while to complete. Once it has finished, you’ll find it has generated a file called dh.pem. Now we move on to the server credentials. To keep things moving, we won’t password-protect these, but you can do so if you want to harden your security:

sudo ./easyrsa gen-req server nopass

8. Just hit Enter to leave the common name as “server.” Once the key pair has been generated, sign the certificate with the following command:

sudo ./easyrsa sign-req server server

9. Type “yes” to confirm and enter your CA password if you set one earlier.

10. Now it’s time to set up the client. Again, we won’t set a password, but you can do so if you’d like. Keep in mind that if you want to configure an automated VPN startup, it’s best NOT to set a password:

sudo ./easyrsa gen-req client nopass

11. Just hit Enter to leave the common name as “client.” Now sign it with the following command:

sudo ./easyrsa sign-req client client

12. Type “yes” to confirm and enter your CA password if you set one earlier.

13. Next, generate a static TLS key (we’ll name it pfs.key). OpenVPN uses it, via tls-auth, to add an HMAC signature to every control-channel packet, so anything without a valid signature is dropped before the TLS handshake even starts. Combined with the ephemeral Diffie-Hellman exchange above, this ensures that data from past sessions cannot be decrypted, even if a bad actor somehow gets their grubby little paws on our private key.

cd /etc/openvpn
sudo openvpn --genkey --secret pfs.key

14. We have now generated all of the required credential files. Now it’s time to create an OpenVPN server configuration file; if you’ve followed along from the beginning, you can copy and paste the lines below as they are. Start by going to the OpenVPN directory and creating a new file:

cd /etc/openvpn
sudo nano server.conf

15. Now that you’re in the nano text editor, paste the following config lines (option names are case-sensitive, so keep them in lower case exactly as shown), then hit CTRL+O to save, Enter to confirm, and CTRL+X to exit.

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
cipher AES-256-CBC
auth SHA512
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
tls-server
tls-auth /etc/openvpn/pfs.key

16. Your server is now configured. Now it’s time to fire up OpenVPN. We’ll start OpenVPN as a service, so that even after you close PuTTY, the service will continue to run until the server is either shut down or the service is manually stopped:

sudo service openvpn start
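Before relying on the service, it is worth checking what Easy-RSA actually produced. The script below is an added example (not part of Easy-RSA, OpenVPN or this article) that verifies both issued certificates chain to the CA, that the server certificate carries the serverAuth extended key usage a client’s remote-cert-tls server check looks for, that the private keys and the tls-auth key are readable by their owner only, and that ca.key is no longer on the server (the client setup section below removes it; until then that last check is expected to fail). It assumes the article’s paths, /etc/openvpn/easy-rsa/pki and /etc/openvpn/pfs.key, which can be overridden with the PKI and TA environment variables, and the has_server_eku check relies on the text layout of openssl x509 -text.

```shell
#!/bin/sh
# check-pki.sh: sanity-check the Easy-RSA output before trusting the VPN.
# Added example; not part of Easy-RSA, OpenVPN or the article.
# Assumes the article's paths; run as: sudo PKI=... TA=... sh check-pki.sh --run
PKI=${PKI:-/etc/openvpn/easy-rsa/pki}
TA=${TA:-/etc/openvpn/pfs.key}

# owner_only FILE: succeed when FILE exists and group/other have no permission
# bits at all (mode 600 or 400), i.e. the state "chmod 600 *" restores after the
# temporary "chmod 777 *" used while copying files off the server.
owner_only() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# absent FILE: succeed when FILE does not exist; used for ca.key once it has
# been moved to offline storage.
absent() {
    [ ! -e "$1" ]
}

# chains_to CERT CA: succeed when CERT verifies against CA.
chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# has_server_eku CERT: succeed when CERT carries the serverAuth extended key
# usage, which is what "remote-cert-tls server" on the client insists on.
# Relies on the text layout of "openssl x509 -text".
has_server_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}

# check LABEL CMD ARGS...: run one check, print PASS/FAIL, count failures.
check() {
    label=$1; shift
    if "$@"; then
        echo "PASS $label"
    else
        echo "FAIL $label"
        fails=$((fails + 1))
    fi
}

run_checks() {
    fails=0
    check "server cert chains to our CA"        chains_to "$PKI/issued/server.crt" "$PKI/ca.crt"
    check "client cert chains to our CA"        chains_to "$PKI/issued/client.crt" "$PKI/ca.crt"
    check "server cert has serverAuth EKU"      has_server_eku "$PKI/issued/server.crt"
    check "server.key readable by owner only"   owner_only "$PKI/private/server.key"
    check "client.key readable by owner only"   owner_only "$PKI/private/client.key"
    check "tls-auth key readable by owner only" owner_only "$TA"
    check "ca.key no longer on the server"      absent "$PKI/private/ca.key"
    echo "$fails check(s) failed"
    [ "$fails" -eq 0 ]
}

# Only run the checks when asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

The pki/private directory is root-owned, so run it with sudo. A FAIL on the EKU check means the client’s server-certificate check will reject the server, and a FAIL on a permissions check means the key is readable by every account on the instance.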

Pro Tip: Occasionally, your VPN server may stop working after a server reboot or maintenance. This is common with micro tier EC2 instances. If this happens, do the following.

Enter this command:

sudo chkconfig openvpn on

While you’re still in /etc/openvpn, use sudo nano server.sh to create a new text file and paste the following lines into it:

#!/bin/sh

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

sudo iptables -t nat -A POSTROUTING -s 10.4.0.0/24 -o eth0 -j MASQUERADE

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Use CTRL+O to save, Enter to confirm, and CTRL+X to exit.

The chkconfig command ensures that OpenVPN starts automatically when the server boots, and the script re-creates the forwarding setting and the iptables NAT rules that OpenVPN traffic needs.
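A script that appends the same NAT rules every time it runs will stack duplicates after each boot, and a mistyped mask such as 10.4.0.1/2 would masquerade a quarter of the IPv4 address space through the instance without any error message. As an added example, not the article’s own script, here is an idempotent version of server.sh: it validates each subnet before touching iptables and uses iptables -C to skip rules that already exist. It assumes eth0 and 10.8.0.0/24 from the article and takes 10.4.0.0/24 as the subnet the static-key tunnel (10.4.0.1 and 10.4.0.2) lives in.

```shell
#!/bin/sh
# ensure-forwarding.sh: idempotent stand-in for the article's server.sh.
# Added example; not code from the article, AWS, or the OpenVPN project.
# Assumptions: eth0 is the public interface and 10.8.0.0/24 is the OpenVPN
# subnet (both as in the article); 10.4.0.0/24 is taken as the subnet that the
# article's static-key tunnel (10.4.0.1 <-> 10.4.0.2) lives in.
set -u

# valid_cidr NET/PREFIX: succeed only for a dotted-quad network address with a
# prefix of 8..30 and no host bits set, so a typo like 10.4.0.1/2 is refused.
valid_cidr() {
    net=${1%/*}; plen=${1#*/}
    [ "$net" != "$1" ] || return 1                      # no "/" at all
    case "$plen" in ''|*[!0-9]*) return 1;; esac        # prefix must be numeric
    [ "$plen" -ge 8 ] && [ "$plen" -le 30 ] || return 1
    oldifs=$IFS; IFS=.; set -- $net; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    addr=0
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1;; esac
        [ "$octet" -le 255 ] || return 1
        addr=$(( addr * 256 + octet ))
    done
    [ $(( addr % (1 << (32 - plen)) )) -eq 0 ]          # host bits all zero
}

# nat_rule_spec SUBNET IFACE: the rule body shared by "iptables -C" and "-A".
nat_rule_spec() {
    echo "POSTROUTING -s $1 -o $2 -j MASQUERADE"
}

# ensure_nat SUBNET IFACE: append the MASQUERADE rule only if it is not already
# present, so running this at every boot does not stack duplicate rules.
ensure_nat() {
    valid_cidr "$1" || { echo "refusing to NAT malformed subnet '$1'" >&2; return 1; }
    spec=$(nat_rule_spec "$1" "$2")
    # shellcheck disable=SC2086  # $spec is meant to be word-split into arguments
    iptables -t nat -C $spec 2>/dev/null || iptables -t nat -A $spec
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root: sudo sh $0 --apply" >&2; return 1; }
    modprobe iptable_nat 2>/dev/null || true          # usually built in already
    echo 1 > /proc/sys/net/ipv4/ip_forward             # same as the article's tee line
    ensure_nat 10.8.0.0/24 eth0 && ensure_nat 10.4.0.0/24 eth0
}

# Only touch the system when explicitly asked; sourcing just defines the functions.
if [ "${1:-}" = "--apply" ]; then apply; fi
```

Run it as sudo sh ensure-forwarding.sh --apply; a second run changes nothing, which is what you want from anything that runs at boot.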

OpenVPN and EasyRSA Client Setup

Once the server has been configured, you’ll need to set up the client. We’ll be moving the required certificate and key files from our server to our client device.

You should still have PuTTY running on your computer, so we’ll use it to change the permissions on the required files to allow us access to them. We will then move them into one location to make things a bit easier during the setup process.

  1. Some of the files will require root user access. So, enter:

sudo su

2. This will make you the root user and you now have administrative access. Enter the following commands:

cd /etc/openvpn
mkdir keys
cp pfs.key keys
cp /etc/openvpn/easy-rsa/pki/dh.pem keys
cp /etc/openvpn/easy-rsa/pki/ca.crt keys
cp /etc/openvpn/easy-rsa/pki/private/ca.key keys
cp /etc/openvpn/easy-rsa/pki/private/client.key keys
cp /etc/openvpn/easy-rsa/pki/issued/client.crt keys
chmod 777 *

Please note that the last command (chmod 777 *) makes these files readable by every user on the server. Don’t forget to change the permissions back when finished.

3. Now, we’ll use a free program called WinSCP to move the files from our server onto our computer. Install it with the default options. (Just keep clicking “Next.”) Once it’s installed, you should see a window pop up, prompting you to import your server authentication details from PuTTY. Select the one we made above and continue.

4. Select “myvpn” (or whatever you named yours) and click the “Edit” button. Type “ec2-user” in the user name field. Click on “Login.”

5. Set the .ppk file you used in PuTTY by clicking “Edit” and then “Advanced.” Go to “SSH” -> “Authentication” -> “Private key file” and navigate to the PPK file.

6. Enter either the IP address or the domain name of your EC2 instance in the host name field on the main page. Be sure to save your settings, then click “Login.”

7. In the right pane, navigate to the directory where you have your key files stored, in this case the path is:

/etc/openvpn/keys

8. Highlight the six files you’ll need:

client.crt
client.key
ca.crt
dh.pem
pfs.key
ca.key

Then click the green “Download” button. It doesn’t really matter where the files are saved in the left pane, as long as your admin privileges aren’t required to access it. In this example, I saved the files to my Desktop. Keep in mind that you’ll want to save the ca.key file somewhere safe, like on a USB stick or drive.

9. Last, but certainly not least, we need to remove the ca.key file from the server. While this isn’t necessary for the VPN to work correctly, I strongly recommend that you do so, especially if you didn’t password-protect the CA. Before removing the file, make sure you have all the keys and certificates for every device you want to connect. To add more at a later time, you’ll need to move the ca.key file back onto the server, that’s why we saved it to the USB drive.

10. Once the CA key is safely stored somewhere other than the server, use PuTTY to remove the original ca.key, as well as the copy we made, from the server:

sudo rm /etc/openvpn/easy-rsa/pki/private/ca.key
sudo rm /etc/openvpn/keys/ca.key

11. Once the files have downloaded, restore their stricter permissions on the server to prevent any outsiders from accessing them. In PuTTY, enter the following:

cd /etc/openvpn/keys
sudo chmod 600 *

12. On your computer, cut and paste those five files (everything except ca.key) from the folder you downloaded them to into your OpenVPN config folder (for our purposes, that’s C:\Program Files\OpenVPN\config).

13. Now, we need to create a client configuration file. Open your favorite plaintext editor (Notepad works well, but you can use any plain text editor) by right clicking and selecting “Run as administrator” and paste the following config, replacing “YOUR.EC2.INSTANCE.IP” with the IP address of your EC2 instance:

client
dev tun
proto udp
remote YOUR.EC2.INSTANCE.IP 1194
ca ca.crt
cert client.crt
key client.key
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
cipher AES-256-CBC
auth SHA512
resolv-retry infinite
auth-retry none
nobind
persist-key
persist-tun
# remote-cert-tls replaces the removed ns-cert-type option: it checks the
# serverAuth extended key usage that Easy-RSA 3 puts in the server certificate
remote-cert-tls server
comp-lzo
verb 3
tls-client
tls-auth pfs.key

14. We want to create a Windows config file for OpenVPN’s GUI, so let’s save it as “client.ovpn.” Other OpenVPN clients might use the “.conf” extension instead. Make sure your text editor doesn’t add the “.txt” extension after saving. Save it into the same directory location as your key and certification files:

C:\Program Files\OpenVPN\config

15. Run the OpenVPN GUI in administrator mode by right-clicking the icon and selecting “Run as administrator.” Next, right-click the icon in your system tray and connect using the client configuration we just set up. You’ll see a status screen with several lines of text flash across the screen, then you’ll see the icon turn green.

You are now connected to your personal VPN.
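Most failures at this point come from the config file rather than the keys: OpenVPN option names are case-sensitive, so a line like Persist-key or Client is rejected as an unrecognized option; quotes pasted from a word processor break push lines; two options on one line produce a parameter-count error; and ns-cert-type, which OpenVPN removed in 2.5, needs to be remote-cert-tls server. The linter below is an added example (not OpenVPN’s own tooling and not the article’s code) that checks a server or client config, including the one above and the static-key configs in Method #2, for exactly these mistakes, and also warns when a client config never verifies the server certificate or has compression turned on. Its argument-count table covers only the single-argument options used on this page.

```shell
#!/bin/sh
# ovpn-lint.sh: flag the hand-editing mistakes that most often stop an OpenVPN
# config from loading or weaken it. Added example; not OpenVPN's own tooling
# and not code from the article. Usage: sh ovpn-lint.sh client.ovpn

# lint_ovpn FILE: print one "FILE:LINE: message" per finding; exit 1 if any.
lint_ovpn() {
    awk -v fname="$1" '
    function report(msg) { findings++; printf "%s:%d: %s\n", fname, NR, msg }
    # options used on this page that take exactly one argument
    BEGIN { one_arg["proto"]; one_arg["dev"]; one_arg["port"]; one_arg["verb"]; one_arg["cipher"]; one_arg["auth"] }
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (line == "" || line ~ /^[#;]/) next            # blank line or comment
        # word-processor quotes (U+201C / U+201D) instead of straight quotes
        if (index(line, "“") || index(line, "”"))
            report("curly quotes; OpenVPN only understands straight \" quotes")
        n = split(line, w, /[ \t]+/); nargs = n - 1; opt = w[1]
        if (opt != tolower(opt)) {
            report("option \"" opt "\" is not lower-case; OpenVPN option names are case-sensitive")
            opt = tolower(opt)
        }
        if (opt in one_arg && nargs != 1)
            report("\"" opt "\" takes exactly one argument, found " nargs " (two options on one line?)")
        if (opt == "ns-cert-type")
            report("ns-cert-type was removed in OpenVPN 2.5; use \"remote-cert-tls server\", which checks the serverAuth EKU that Easy-RSA 3 issues")
        if (opt == "comp-lzo" || opt == "compress")
            report("compression is enabled; OpenVPN deprecates it because of VORACLE-style attacks")
        if (opt == "client") is_client = 1
        if (opt == "remote-cert-tls" || opt == "ns-cert-type") checks_server = 1
    }
    END {
        if (is_client && !checks_server) {
            findings++
            printf "%s: client config never verifies the server certificate; add \"remote-cert-tls server\"\n", fname
        }
        exit findings > 0
    }' "$1"
}

# lint_count FILE: number of findings, for use in scripts.
lint_count() {
    lint_ovpn "$1" | wc -l | tr -d " \t"
}

# Lint the file named on the command line; with no argument only define the functions.
if [ -n "${1:-}" ]; then lint_ovpn "$1"; fi
```

Run it over the file before handing it to the GUI; a clean config prints nothing and exits 0, so it also works as a pre-flight step in a script.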

Method #2: Static Encryption (This is Easier, But Not Recommended)

This method involves creating a shared authentication key. The key acts something like a password. While this method is somewhat easier to set up, it only allows a single device to be connected to the VPN server instance at any single time.

  1. Go into PuTTY and type in the following commands and hit Enter:

cd /etc/openvpn
sudo openvpn --genkey --secret ovpn.key

2. Now it’s time to create a server configuration file for the VPN. Type in the following command, which will create a blank text file in a text editor inside the terminal:

sudo nano openvpn.conf

3. Now, you’ll need to type in the following configuration.

port 1194
proto tcp-server
dev tun1
ifconfig 10.4.0.1 10.4.0.2
status server-tcp.log
verb 3
secret ovpn.key

4. Now hit CTRL+O (make sure to hit the letter ‘O’ not zero “0”), then hit the Enter key to save the file. Now hit CTRL+X to exit the text editor.

5. Back at the command prompt, start OpenVPN by entering the following:

sudo service openvpn start

6. Now it’s time to move the shared key from the server over to your local computer’s hard drive. First, change the permissions on the “ovpn.key” file so we can access it. Enter the following command:

sudo chmod 777 ovpn.key

7. To make this as easy as possible, Windows users should download and install WinSCP (Mac users will have to find another SFTP client; Forklift is the paid application I use, while FileZilla is a good free option). No need to change the default installation options. Once that’s done, you should see a window pop up, prompting you to import your server authentication details from PuTTY.

8. Select “myvpn” (or the file name you used) and click the “Edit” button. Type in “ec2-user” in the user name field, then click on “Login.”

9. Now you’ll be able to move files between your EC2 instance and your local computer. In the right-hand panel, navigate up as far as you can, then go to /etc/openvpn. This is where the ovpn.key file that we need is located. Click, hold, and drag the file into the folder of your choice, but make a note of the location where you put it, as we’ll want to move it from there later.

10. Now that you’ve grabbed the key, you need to re-apply the previous permissions, so you can prevent anyone else from grabbing it. In your PuTTY terminal, enter:

sudo chmod 600 ovpn.key

11. Now you need to download and install the OpenVPN client and GUI for your local computer. Go to the OpenVPN downloads page and choose the correct version for your machine’s operating system. No need to change the default installation settings. (If you do install it in a different location, be sure to make a note, as you’ll need that information in a bit.)

12. Launch OpenVPN and it will appear as an icon in your system tray. Open a File Explorer window and find where you installed OpenVPN, which is likely in the Program Files folder on your C:\ drive. Move the ovpn.key file we downloaded from the server into the config folder in the OpenVPN folder (C:\Program Files\OpenVPN\config if you didn’t change the default installation directory).

13. Now it’s time to create a config file for the local machine to match the config file we made on our server. Open up Notepad or your favorite plain text editor and paste the following, replacing the IP address after “remote” with the IP of your EC2 instance (if you didn’t make a note of it, you can find it in your AWS Console under “EC2 Instances”). Also, double-check that the file path pointing to your key is correct.

proto tcp-client
remote <your EC2 IP here>
port 1194
dev tun
secret "C:\\Program Files\\OpenVPN\\config\\ovpn.key"
redirect-gateway def1
ifconfig 10.4.0.2 10.4.0.1

14. Save it as myconfig.ovpn in the config folder of your OpenVPN installation (the same location as your ovpn.key file). Make sure that your text editor doesn’t append “.txt” to the end of the file name (i.e. “myconfig.ovpn.txt”).

15. Right-click on the OpenVPN icon down in your system tray and left-click “Exit” to quit. Now start OpenVPN again, either from the desktop shortcut or from the Program Files folder, but be sure to right-click and then click “Run as administrator” in the pop-up menu. If you don’t run it as administrator, it likely will not work properly.

16. Right-click the system tray icon and then left-click “Connect” in the menu that pops up. The OpenVPN GUI should appear, displaying the connection status. If the connection is successful, the system tray icon will turn green. Go to Google.com and type in “What’s my IP?”, and it should display the IP address of your Amazon EC2 Instance.

Your personal VPN is now keeping your online activities undercover!

Additional Notes

Remember to keep your AWS bandwidth within Amazon’s free tier limits. To keep yourself informed when you may be nearing your usage limits, just right-click on your instance in the AWS Console and click on the “Add/Edit Alarms” link.

Here, you can configure your server to stop after a set period of inactivity. Amazon’s free tier allows you to use up to 750 hours per month, so this shouldn’t be a problem. However, you’ll especially want to keep an eye on things once you pass your initial year of service, as this can lead to unnecessary charges for server time.

If you’re not technically inclined, I suggest you go ahead and spring for a paid VPN service. Paid VPN services do all of the heavy lifting for you, offer servers in many countries around the globe, and don’t place any usage limits on your VPN activity. For more information, read this informative article about VPNs.

In Closing

As you can see, setting up your own VPN server on an AWS server takes a bit of work, but once it’s all set up, you can quickly and easily encrypt your internet connection, keeping your online activities undercover.

Article information

Author: Nathanial Hackett
