How to Protect your Internet Anonymity and Privacy/Your own proxy and VPN on Amazon EC2

Your own proxy and VPN on Amazon EC2

It is trivial to setup your own private proxy server on Amazon EC2, and with a little extra work, a VPN server. It is much simpler when both the client and server are Linux machines. The following is based on Ubuntu 10.10. Starting from 2010, Amazon provides a free tier service for a duration of 1 year.

Although all the setups for daily use seem complicated, all can be automated by scripts, or otherwise, from experienced users. Images of EC2 instants can be provided without modifications. Everything else for the client can be put in one script, launchable by an icon via the GUI, for transparent initialization during login, and swapping between VPN and direct traffic.

Starting an EC2 instance
First, sign up an account on Amazon and EC2. Although you can get free services for one year, a credit/gift card is required for the possible charges for services on higher tiers. Also, there is the possibility of telephone verification, to which Google Voice service is acceptable.

The Amazon Management Console now allows you to start an EC2 instant with full GUI interface. You can change to the management API when you are more familiar with the services. Officially, Ubuntu provides several AMI's. A machine image for Ubuntu 10.10, 64-bit server is ami-cef405a7.

When you start your instant, you must pick the micro-tier if you want to try the free service. The default is not free.

When you start the instant, you need to select a security group. This is basically setting the firewall for your instant. You can pick the default or create a new security group called, say, openvpn. From the drop down list, you have to pick at least SSH. If you will be having a web server, pick HTTP and HTTPS as well. For OpenVPN, you have to create a custom item, with port 1194 and protocol UDP.

Private sock proxy server
Once your instant is running, you need to find the Public DNS from the management console, for example, ec2-173-69-101-128.compute-1.amazonaws.com. The next step is to setup a secure terminal connecting to the server, the same as a terminal at your local machine - the client machine. The management console will also generate a key file for you to download to your local machine. At your local Ubuntu machine, start up a terminal. This command setup a secure terminal to the server, via SSH, and a sock proxy at 9667:


 * ssh -D 9667 -i yourkeyfile.pem ubuntu@eec2-173-69-101-128.compute-1.amazonaws.com

This is already a secure tunnel for your http traffic. At your browser, such as Firefox, set the sock host to 127.0.0.1, type 5, and port 9667. You have to leave all other host empty, including the http host. Now you have your Amazon IP as your apparent IP, and the traffic between Amazon and your local machine is encrypted. For security, change the access mode of the key file with "chmod 600 yourkeyfile.pem"

VPN Server configuration
For VPN, you need to install OpenVPN at the server terminal:


 * sudo apt-get update
 * sudo apt-get upgrade -y
 * sudo apt-get install -y openvpn

Now generate a static key for a simple private one to one VPN (change mode to 600):


 * openvpn --genkey --secret static.key

OpenVPN itself setup a secure tunnel and nothing else. For using as a proxy, you need to load the iptable NAT module, setup IP forwarding and NAT. Maybe not all steps are necessary:


 * sudo modprobe iptable_nat
 * echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
 * sudo iptables -t nat -A POSTROUTING -s 10.8.0.1/24 -o eth0 -j MASQUERADE

Then you need a server configuration file, server.conf, a text file that contains:


 * dev tun
 * ifconfig 10.8.0.1 10.8.0.2
 * secret static.key
 * comp-lzo
 * keepalive 10 60
 * ping-timer-rem
 * persist-tun
 * persist-key

Only the first 3 lines are necessary. As recommended by OpenVPN, the rest is to keep the VPN alive for longer when there is no traffic, typically in a firewall NAT environment.

Starting OpenVPN at the server:


 * sudo openvpn server.conf

VPN Client configuration
Install OpenVPN on your local machine:


 * sudo apt-get install -y openvpn

To redirect all network traffic to the VPN:


 * sudo modprobe tun
 * sudo iptables -I OUTPUT -o tun+ -j ACCEPT
 * sudo iptables -I INPUT -i tun+ -j ACCEPT

These are probably not necessary. Now before you start OpenVPN at your local machine, you need to download the same key file at the server - static.key. The simplest is to use any text editor with cut and paste, then change mode to 600.

The client configuration file, client.conf, contains:


 * remote ec2-173-69-101-128.compute-1.amazonaws.com
 * dev tun
 * ifconfig 10.8.0.2 10.8.0.1
 * secret static.key
 * redirect-gateway def1
 * comp-lzo
 * keepalive 10 60
 * ping-timer-rem
 * persist-tun
 * persist-key

Only the first 4 lines are necessary. Redirection protects all your traffic and allows proxy chaining at your browser. The rest keep the tunnel alive longer when traffic is idle.

To start OpenVPN at the client:


 * sudo openvpn client.conf

You can see from the server and client terminals that if the VPN connection is successful. You can also ping 10.8.0.1 and 10.8.0.2 at the server and at the client. Pinging itself has much faster response than pinging the other machine in the VPN.

DNS server
For better security, use the DNS server at Amazon over the VPN. Save a copy of the original DNS server file:


 * sudo cp /etc/resolvconf/run/resolv.conf /etc/resolvconf/run/resolv.conf.save

Create the file /etc/resolvconf/run/resolv.conf.aws, which contains:


 * nameserver 172.16.0.23

To use the Amazon DNS server:


 * sudo cp /etc/resolvconf/run/resolv.conf.aws /etc/resolvconf/run/resolv.conf

Whenever you change network settings such as the DNS server, you need to restart the network interface:


 * sudo ifdown -a
 * sudo ifup -a

Restarting the VPN
You only need to setup the Openvpn server once. Unless you terminate it, the state of your installed Openvpn will be preserved.

At the time of writing, keepalive do not work for periods of long inactivity. The client needs to be restarted.

To kill the VPN server or client, type control-C at the respectively terminals if your openvpn is running in the foreground. If not successful for any reasons, use "sudo killall openvpn". The Amazon DNS server has an internal address, DNS will not work when the VPN is killed. You have to restore your previous DNS server:


 * sudo cp /etc/resolvconf/run/resolv.conf.save /etc/resolvconf/run/resolv.conf

And then restart the network interface as above. You can leave your EC2 instant on for free, or stop it and restart it later. If you terminal it, you have to start installing OpenVPN all over again.

All the commands above are one off, unless you terminate your instant, or reboot your local system. To restart the VPN, the only commands are:


 * sudo openvpn config-file

at the server and the client machines. Also you need to swap the DNS server.

Proxy chaining
When the VPN is on, the IP of your browser takes on that of your EC2 machine, even if your browser uses no proxy. You can set the http proxy at the browser to any other network proxies, resulting in a proxy chain. Secure proxies like Ultrasurf do not work on Linux, but the WINE software can load and execute this and many legacy Windows program.

VPN over restrictive firewalls
If your machine is protected by a restrictive firewall, you can use tcp over port 80 for example. But the speed is a lot slower than the default UDP.