Easily set up a VPN via the AWS cloud for the privacy of your online traffic. It is comparable to commercial VPN providers like NordVPN®, and to the "free" AWS EC2 OpenVPN solution as described here (YouTube) and here (article). See here for a more detailed comparison of the solutions.
This solution costs 15.5¢ ($USD) per hour while you're using it. Exception: Traffic over 100GB/month will also incur data transfer costs.
And if you remember to stop it properly when done then it costs nothing while you're not using it.
This solution is best suited for one-time or occasional use. The downsides are that:
- it takes 6+ minutes to start the AWS backend before you can open a VPN session; and
- you need to remember to stop the AWS backend when you're done so that it doesn't accrue costs while you're not using it.
It doesn't require in-depth knowledge of AWS. You can do this.
Email me: paul.mossman at gmail.com (replace "at" with @).
Visit https://www.whatismyip.com. Any website you visit can see your IP address, internet service provider (ISP), and your general location.
Follow these instructions. Don't set up or configure it yet, just install it.
You'll need this for starting and stopping the AWS backend when you use the VPN.
Download the software here, then install it.
This will run the VPN connection from your computer to the AWS backend.
Follow these steps. A credit card is required.
Then sign in to the AWS Console.
(If you already have an AWS account you can probably use it, but this solution relies on a default-state VPC. If you're using the default VPC in the target Region for something else, consider instead creating an AWS Organization account.)
From the AWS Console, click on "CloudShell" in the bottom left corner.
In the CloudShell terminal run:
git clone https://github.com/paulmossman/easy-aws-privacy-vpn
cd easy-aws-privacy-vpn
./bin/account-setup.sh
From the AWS Console, navigate to the IAM (Identity and Access Management) service → Users → easy-aws-privacy-vpn → Security credentials. (shortcut) Scroll down to "Access keys" and click "Create access key":
- Use case: Command Line Interface (CLI)
- Note the recommendation "to improve your security."
- Select "I understand the above recommendation and want to proceed to create an access key."
- (See EAPV Security for more details.)
- "Next" button
- (Optional) Description tag value: Today's date
- "Create access key" button
You'll need the "Access key" and "Secret access key" values in the next step.
Open a command-line session on your local computer, i.e. `cmd` or PowerShell on Windows, "Terminal" on Mac or Linux.
Run:
aws configure --profile easy-aws-privacy-vpn
When prompted for "AWS Access Key ID" enter the "Access key" from the previous step.
When prompted for "AWS Secret Access Key" enter the "Secret access key" from the previous step.
Don't provide values for the other two prompts. i.e. Just press Enter.
Decide which AWS Region you want to use. This is where your online traffic will appear to come from. (You can repeat the Per-Region steps later if you want to use different Regions.)
See this table. For example, `us-east-1` for North Virginia, or `ca-central-1` for Central Canada.
If your Region's Opt-in status is "Required" then you need to enable it first. See "AWS Regions" here.
You'll notice in your AWS Console (at the top, near the right) that a Region is selected, and you can change Regions. For these instructions it doesn't matter what Region is selected in the AWS Console.
In the CloudShell terminal run:
./bin/region-setup.sh <Region Code>
Replace "<Region Code>" with the Region Code you selected in the previous step.
The command in the previous step will list the names of the two files to download. From CloudShell, for each of the two files, select Actions → Download file → Enter the file name → click "Download". The files will be downloaded to your browser's "Downloads" directory.
In Windows your browser might warn about the `.bat` file. Select "Keep" → "Keep anyway".
Start the AWS VPN Client software, then:
- File → Manage profiles
- click "Add Profile"
- Display Name: "EAPV <Region>", where <Region> is the Region Code. (Or choose whatever name you want.)
- VPN Configuration File: The `.ovpn` file downloaded in the previous step
- click "Add Profile"
- click "Done"
Follow these steps every time you want to use the VPN.
Open a command-line session on your local computer, i.e. `cmd` or PowerShell on Windows, "Terminal" on Mac or Linux. Change to your browser's "Downloads" directory, and run:
Mac or Linux:
chmod +x eapv-*-aws-backend.sh
./eapv-<Region Code>-aws-backend.sh start
Windows:
eapv-<Region Code>-aws-backend.bat start
(Replace "<Region Code>" with the Region Code.)
This will take 6+ minutes to complete, at which point the AWS backend will start to cost 10.5¢/hour.
From the AWS VPN Client software ensure the correct "Profile" is selected then click "Connect".
Upon connecting the client session will cost 5¢/hour, in addition to the AWS backend cost above.
Visit https://www.whatismyip.com again. Your ISP should now be "Amazon" or "AWS", and your location should match the Region that you're using.
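An added example, not part of the original project: the "ISP" shown by whatismyip.com can be cross-checked against the address ranges AWS publishes at https://ip-ranges.amazonaws.com/ip-ranges.json. The function names are assumptions made for illustration, and the sample prefixes are constructed documentation ranges, not real AWS address space.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's published ip-ranges.json.
# The prefixes are RFC 5737 / RFC 3849 documentation ranges, not real AWS ranges.
SAMPLE_RANGES = json.loads("""
{
  "prefixes": [
    {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "192.0.2.0/25", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/24", "region": "ca-central-1", "service": "EC2"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8:1000::/40", "region": "ca-central-1", "service": "AMAZON"}
  ]
}
""")


def aws_regions_for_ip(ip, ranges):
    """Return the sorted AWS Region codes whose published prefixes contain ip."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        key, field = "prefixes", "ip_prefix"
    else:
        key, field = "ipv6_prefixes", "ipv6_prefix"
    return sorted({entry["region"] for entry in ranges.get(key, [])
                   if addr in ipaddress.ip_network(entry[field])})


def check_vpn_egress(ip, expected_region, ranges):
    """Classify the public IP observed while the VPN session is connected."""
    regions = aws_regions_for_ip(ip, ranges)
    if not regions:
        return "not-aws"        # traffic is probably still leaving via your own ISP
    if expected_region not in regions:
        return "wrong-region"   # an AWS address, but not the Region you set up
    return "ok"


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.9", "203.0.113.5"):
        print(ip, check_vpn_egress(ip, "us-east-1", SAMPLE_RANGES))
```

To check a live session, download ip-ranges.json, parse it with `json.load`, and pass it as `ranges` together with the IP address the website reports.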
Follow these steps every time you're done using the VPN.
On your local computer run:
Mac or Linux:
./eapv-<Region Code>-aws-backend.sh stop
Windows:
eapv-<Region Code>-aws-backend.bat stop
(Replace "<Region Code>" with the Region Code.)
This will also disconnect the AWS VPN Client session, but it will automatically try to re-establish the connection. Simply click "Disconnect" and exit the application.
If you only end the AWS VPN Client session then AWS will continue to charge you 10.5¢/hour while the backend is running. So run the above "stop" script before you quit the AWS VPN Client or turn your computer off.
It will take some time for the AWS backend to finish stopping.
To check the status of the AWS backend run:
Mac or Linux:
./eapv-<Region Code>-aws-backend.sh status
Windows:
eapv-<Region Code>-aws-backend.bat status
(Replace "<Region Code>" with the Region Code.)
When the status is `Not running` then the AWS backend (and its 10.5¢/hour cost) has been stopped.
Whenever you want to start a VPN Session again, re-run Steps #12 and #13.
Then when you're finished, re-run Steps #15 and #16 to stop the charges.
Do this if you don't want to use a Region anymore. (Note: If you've properly stopped the AWS backend, then leaving the Region configuration in place has no cost.) To tear down the configuration of a Region, in the AWS CloudShell run:
./bin/region-teardown.sh <Region Code>
If you no longer want to use the Easy AWS Privacy VPN solution then you can remove it completely from your AWS account. First tear down all Regions you've set up. Then in the AWS CloudShell in the Region where you first ran `account-setup.sh`, run:
./bin/account-teardown.sh
The Region configuration creates an SSL certificate that expires in 825 days, which is the maximum. When it expires, simply tear down the Region configuration, then set it up again from scratch.