Setting up a VPN on Amazon EC2 and a client on OSX

29 Jul 2012

Before defcon, I decided to set up a VPN for my internet traffic. I could not find any good VPN offerings for my needs, as they are all geared towards people doing sketchy things and not wanting to be tracked, or people overseas wanting access to sites that are blocked in their current locations. Most charge monthly fees and most are sketchy.

Amazon EC2 gives you one year free to host a system in their cloud. I run my server off the default Amazon Linux AMI (Amazon Machine Image) which is based on Redhat. I mostly followed the directions at: Setting up OpenVPN on Amazon’s EC2.

Amazon EC2 OpenVPN Configuration

  1. Run the following on the server:
    yum install openvpn
    openvpn —genkey —secret /etc/openvpn/openvpn-key.txt
    The key file openvpn-key.txt will be copied to the client later.
  2. Create a file `/etc/openvpn/openvpn.conf` with contents:
    port 1194
    proto udp
    dev tun
    secret openvpn-key.txt
    # The server's virtual endpoints
    push "redirect-gateway def1"
    keepalive 10 120
    status server-tcp.log
    verb 3
  3. Run the vpn:
    service openvpn restart
    chkconfig openvpn on
  4. Open up the firewall
  5. Get iptables to route your traffic:
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
    and change the Security Group in the Amazon EC2 Management Console to open up UDP port 1194:

OSX Client system Configuration

  1. Install tunnelblick.
  2. Copy the key file created previously to the config directory:
    cd ~user/Library/Application\ Support/Tunnelblick/Configurations/
    cp /tmp/openvpn-key.txt .
  3. Create config file:
    dev tun
    proto udp
    port 1194
    resolv-retry infinite
    secret openvpn-key.txt
    verb 8
    redirect gateway def1
    Note the ifconfig line for the client and server are reversed.

You can also use viscosity as opposed to Tunnelblick, but it costs money. However, it is free for the first 30 days and it's error messages are more helpful if you have problems.

Everything should now be working, so go to a site that checks your IP from the OSX system and ensure it has changed. May also want to run tcpdump to ensure all traffic is going to the EC2 IP.