Sunday, July 19, 2009

Escaping Restrictive/Untrusted Networks with OpenVPN on EC2

Perhaps you are behind a corporate firewall which does not allow you to access certain types of resources on the Internet. Or, perhaps you are accessing the Internet over an open wifi where you do not trust your network traffic to your fellow wifi users or the admins running the local network.

These instructions guide you in setting up an OpenVPN server on an EC2 instance, sending all your network traffic through a secure channel to port 80 on the EC2 instance and from there out to the Internet.

EC2 Instance
Run the latest Ubuntu 8.10 Intrepid image. You can find the most current AMI id in a table on http://alestic.com

ec2-run-instances --key ami-0372946a

Make a note of the instance id (e.g., i-6fceba06). Watch the status using a command like this (replace with your own instance id):


Repeat the describe instances command until it shows that the instance is “running” and make a note of the external hostname (e.g., ec2-75-101-179-94.compute-1.amazonaws.com).

Connect to the instance using the external hostname you noted. (Note: When running the Ubuntu images from Canonical use the “ubuntu” user instead of “root”).

ssh -i .pem $remoteuser@$remotehost

OpenVPN Server
Upgrade the EC2 instance and install the necessary OpenVPN software:

sudo apt-get update && sudo apt-get upgrade -y
sudo apt-get install -y openvpn
sudo modprobe tun
sudo modprobe iptable_nat
echo 1 sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

Generate a secret key for secure communication with OpenVPN:

sudo openvpn --genkey --secret ovpn.key

Start the OpenVPN server on the EC2 instance. We are (ab)using port 80 because most closed networks will allow traffic to this port ;-)

sudo openvpn \
--proto tcp-server \
--port 80 \
--dev tun1 \
--secret ovpn.key \
--ifconfig \

OpenVPN Client
Back on the local (non-EC2) workstation, set up the software:

sudo apt-get install -y openvpn
sudo modprobe tun
sudo iptables -I OUTPUT -o tun+ -j ACCEPT
sudo iptables -I INPUT -i tun+ -j ACCEPT

Download the secret key from the EC2 instance:

ssh -i .pem $remoteuser@$remotehost 'sudo cat ovpn.key' > ovpn.key
chmod 600 ovpn.key

Start the OpenVPN client:

sudo openvpn \
--proto tcp-client \
--remote $remotehost \
--port 80 \
--dev tun1 \
--secret ovpn.key \
--redirect-gateway def1 \
--ifconfig \

Edit /etc/resolv.conf and set it so that DNS is resolved by the EC2 name server:

sudo mv /etc/resolv.conf /etc/resolv.conf.save
echo "nameserver" sudo tee /etc/resolv.conf

You should now be able to access any Internet resource securely and without restriction.

When you are done with this OpenVPN tunnel, remember to shut down the EC2 instance and restore the DNS configuration:

sudo killall openvpn
sudo mv /etc/resolv.conf.save /etc/resolv.conf

If you have ways to improve this approach, please leave a comment.

These instructions are not intended to assist in illegal activities. If you are breaking the laws or rules of your government or college or company or ISP, then you should understand the security implications of the above steps better than I do and be willing to accept consequences of your actions.

No comments:

Post a Comment