Setting up a VPN server on Amazon EC2 is a great way to protect your privacy. You can turn the server on when you need it and shut it down when you don't. All your traffic goes through the VPN and leaves for the internet from your EC2 box, so the network you are sitting on only sees an encrypted tunnel to your own server.
Amazon lets you use a free instance for a year, which is perfect for our purpose. And with the help of this post, it should not take more than 5 minutes!
This post is a follow-up to a first post in which I introduced the Voodoo Privacy project and explained how to completely lock down your computer from external access (and also how to prevent your computer from talking too much).
We will see how to set up an IPsec/L2TP VPN. It is very secure, very easy to configure on the client side, and supported by most operating systems without any extra tools to download or install.
Update July 2016:
Thanks for your interest in this project! Lin Song has built a newer version which is tested with 2016 releases of Ubuntu/Debian/CentOS/RHEL and includes VPN setup instructions for a lot more platforms. It is available under the same license here.
Alternatives
If you don't want to go through the trouble of setting up an EC2 box, you can buy a VPN from a provider such as Black VPN, which will give you a VPN into a country of your choice for only 49€ per year. I think it's a pretty good deal (and they also have a full privacy package which gives you access to all of their VPN servers, including Lithuania, Russia, etc., should you have a need for that).
Amazon EC2 pre-requisites
I am going to assume that you already have an Amazon EC2 account and SSH keys set up. If not, look around: it is really easy (the assistant will actually help you do it when you start your first instance).
Set up a security group
Create a new security group (EC2 Management interface -> Security groups) and allow traffic to TCP port 500, and UDP ports 500 and 4500. Also add a rule to allow SSH. I like to limit SSH login to my home/office IP, but if you are really brave you can let everyone find your SSH.
Start a new Ubuntu server
Get my voodoo-vpn script from my GitHub. You don't even need to download it, just copy and paste it into a text editor.
Change the default values of the three variables IPSEC_PSK, VPN_USER and VPN_PASSWORD at the top of the launch script and copy everything to your clipboard.
In the user data field, paste the launch script you have just adapted.
Select your keypair
Select the security group you created earlier
Give the machine a name
Click launch
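The one step in this list that is easy to get wrong is leaving a default value in the launch script. The following helper is an added example, not part of the voodoo-vpn script or of this post: it takes the launch script text, replaces the three assignments with a user name you choose and two freshly generated secrets from Python's CSPRNG, and refuses to hand back user data that still carries any of the original defaults. The short template below is a constructed stand-in for the top of the real script (only the three variable names are taken from the post; the default values are made up).

```python
import re
import secrets
import string

# Constructed stand-in for the head of the launch script (not the real file).
# Only the three variable names come from the post; the defaults are invented.
LAUNCH_SCRIPT_TEMPLATE = """#!/bin/sh
IPSEC_PSK=changeme_psk
VPN_USER=vpnuser
VPN_PASSWORD=changeme_password
# ... rest of the launch script (installs and configures IPsec, xl2tpd, pppd) ...
"""

VARIABLES = ("IPSEC_PSK", "VPN_USER", "VPN_PASSWORD")
_ALPHABET = string.ascii_letters + string.digits
# Values end up in shell assignments and in the IPsec/PPP secrets files, so
# keep them to characters that need no quoting in either place.
_SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]+")


def random_secret(length=32):
    """Alphanumeric secret of the given length from the OS CSPRNG."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def read_variables(script):
    """Return {name: value} for the three top-level assignments in the script."""
    found = {}
    for name in VARIABLES:
        m = re.search(r"^%s=(.*)$" % name, script, re.MULTILINE)
        if m is None:
            raise ValueError("launch script has no %s= line" % name)
        found[name] = m.group(1).strip().strip("'\"")
    return found


def set_variables(script, values):
    """Rewrite the three assignments in place; every other line is untouched."""
    for name, value in values.items():
        if not _SAFE_VALUE.fullmatch(value):
            raise ValueError("%s must be non-empty and shell-safe" % name)
        script, count = re.subn(r"^%s=.*$" % name,
                                lambda _m, n=name, v=value: "%s=%s" % (n, v),
                                script, flags=re.MULTILINE)
        if count != 1:
            raise ValueError("expected exactly one %s= line, found %d" % (name, count))
    return script


def prepare_user_data(template, vpn_user):
    """Return (user_data, values): the adapted script and the values to type
    into the Mac VPN settings later. Raises if any default would survive."""
    defaults = read_variables(template)
    values = {
        "IPSEC_PSK": random_secret(),
        "VPN_USER": vpn_user,
        "VPN_PASSWORD": random_secret(),
    }
    user_data = set_variables(template, values)
    for name, value in read_variables(user_data).items():
        if value == defaults[name]:
            raise ValueError("%s still has its default value" % name)
    return user_data, values


if __name__ == "__main__":
    data, chosen = prepare_user_data(LAUNCH_SCRIPT_TEMPLATE, "alice")
    print(data)
    print("Keep these for the client configuration:", chosen)
```

Paste the printed script into the user data field and keep the printed VPN_USER, VPN_PASSWORD and IPSEC_PSK for the Mac configuration below; the PSK and password are 32 alphanumeric characters, which is plenty for both the IPsec pre-shared key and the PPP password.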
And that's it! Your server is now ready to accept connections from your Mac.
Configure the VPN on your Mac
Open your network settings
Click on the “+” button in the top-left corner of the interfaces list
Select a VPN interface, with ‘IPSec L2TP’ and give it a name
In the address field, put the public IP of your server (you can get it from the Amazon console)
In the account name field, put the value of the VPN_USER variable that you defined earlier.
Click on auth settings, fill in your VPN_PASSWORD in the first field and your IPSEC_PSK in the second box. Click OK.
Click on Advanced Settings, select "Send all traffic" and click OK.
If you are using my firewall script, update the VPN server address at the top of the script and re-run it to allow VPN traffic to go through to your server.
Click Connect, it should take a few seconds and you should be online.
Ask Google 'what is my ip address?'; you should see the IP address of your Amazon EC2 box.
Debugging
I have done my best to simplify the steps and make it easy to reproduce. If it does not work, there are a few things you can do to debug it.
On your Mac, look at /var/log/ppp.log; this is what a normal connection looks like:
SSH to your Amazon box and look at /var/log/auth.log and /var/log/syslog; this is what a normal connection should look like:
Remember, there are three steps to the connection:
Establish an IPsec connection between your Mac and the Amazon EC2 box: if you can see STATE_QUICK_R2: IPsec SA established transport mode in /var/log/auth.log, then you have it working.
Build an xl2tpd connection between your Mac and the Amazon box: if you can see Call established with <YOUR_HOME_IP>, then you have that working.
Build a PPP connection: if you can see the last three lines in /var/log/syslog, then you are good.
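Those three checks can be automated, which is handy when you are pasting logs from the server into a terminal over SSH. The script below is an added example and not part of the post: it scans the auth.log and syslog text for the two markers quoted above, plus pppd's "remote IP address" line, which is my assumption of what the last PPP lines look like (the post does not print them), and reports how far the connection got. The log lines embedded in it are constructed samples in the general shape of pluto, xl2tpd and pppd output, with the TEST-NET client address 203.0.113.7 standing in for <YOUR_HOME_IP>.

```python
import re

# Constructed sample logs (not real captures) in the shape the three checks
# describe: IPsec marker in auth.log, xl2tpd and pppd markers in syslog.
AUTH_LOG = """\
Mar  3 10:01:12 ip-172-31-1-10 pluto[1234]: "L2TP-PSK"[1] 203.0.113.7 #1: responding to Main Mode from unknown peer 203.0.113.7
Mar  3 10:01:12 ip-172-31-1-10 pluto[1234]: "L2TP-PSK"[1] 203.0.113.7 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x0a1b2c3d <0x4e5f6071 xfrm=AES_128-HMAC_SHA1 NATD=203.0.113.7:4500}
"""

SYSLOG = """\
Mar  3 10:01:13 ip-172-31-1-10 xl2tpd[1300]: Connection established to 203.0.113.7, 1701.  Local: 12345, Remote: 6789
Mar  3 10:01:13 ip-172-31-1-10 xl2tpd[1300]: Call established with 203.0.113.7, Local: 40000, Remote: 1, Serial: 1
Mar  3 10:01:14 ip-172-31-1-10 pppd[1400]: Connect: ppp0 <--> /dev/pts/1
Mar  3 10:01:16 ip-172-31-1-10 pppd[1400]: local  IP address 192.168.42.1
Mar  3 10:01:16 ip-172-31-1-10 pppd[1400]: remote IP address 192.168.42.10
"""

# (stage, which log it lives in, marker). Order matters: each stage depends on
# the previous one, so the scan stops at the first stage whose marker is absent.
STAGES = (
    ("ipsec", "auth.log", re.compile(r"STATE_QUICK_R2: IPsec SA established transport mode")),
    ("l2tp", "syslog", re.compile(r"Call established with (\S+?),")),
    ("ppp", "syslog", re.compile(r"pppd\[\d+\]: remote IP address (\S+)")),
)

# What to look at when a stage is the first one missing.
HINTS = {
    "ipsec": "no IPsec SA: check that UDP 500 and 4500 reach the server and that IPSEC_PSK is identical on both sides",
    "l2tp": "IPsec is up but xl2tpd never logged a call: check xl2tpd is running on the server",
    "ppp": "xl2tpd call is up but pppd assigned no address: check VPN_USER / VPN_PASSWORD on the Mac",
}


def diagnose(auth_log, syslog):
    """Return (stages_reached, details). stages_reached lists the stages whose
    marker was found, in order, stopping at the first missing one; details holds
    the client IP seen by xl2tpd and the address pppd handed to the client."""
    logs = {"auth.log": auth_log, "syslog": syslog}
    reached, details = [], {}
    for name, source, marker in STAGES:
        m = marker.search(logs[source])
        if m is None:
            break
        reached.append(name)
        if m.groups():
            details[name] = m.group(1)
    return reached, details


def verdict(reached):
    """Human-readable summary for the stages found by diagnose()."""
    if len(reached) == len(STAGES):
        return "all three steps completed: the tunnel is up"
    first_missing = STAGES[len(reached)][0]
    return "stopped before %s: %s" % (first_missing, HINTS[first_missing])


if __name__ == "__main__":
    stages, info = diagnose(AUTH_LOG, SYSLOG)
    print("reached:", stages, info)
    print(verdict(stages))
```

To use it against a real box, read /var/log/auth.log and /var/log/syslog into the two arguments instead of the samples; the client IP reported for the l2tp stage should be your home IP, which is also a quick way to confirm the call came from the machine you expected.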
If it still does not work, please post in the comments below and let me know which step you have reached. I will do my best to help! If it works, please do also post in the comments below. I would love to know that I have helped someone with this.