DIY AWS Free VPN

I’ve not done this (yet) so this is more of just an FYI. Whenever I get ‘er done, I’ll update with any particular added info.

This is a video that uses a free tier AWS server to run your own VPN server. It’s free for a year, then about $10 / month (though it’s unclear what prevents you from just making a new free server… one presumes they do something to track just who is setting up servers).

IMHO the nice thing about this is you can be sure that the VPN server is not keeping any log files around. The downside is that Amazon will have logs of which IP address connects to this VPN instance and what outgoing traffic it produces. Do they bother? Don’t know… but I’d expect yes.

So why do it then? Well, for just general purpose stuff like avoiding geolocation and advertising that knows where you live, or for being inside a VPN when using open access WiFi (i.e. not sending your stuff ‘in the clear’ at Starbucks where WiFi sniffers can inspect it…) it would be great. IF you have some really critically secret stuff (like “land you in Chinese Prison” or “TLA knocking at the door”) then this at best can be a nice way point to an additional relay. So you could, for example, use it from an added paid VPN hosted in another country. Yup, VPN inside a VPN… (I’d also use a “disposable system image” for any such activity and scrub the uSD card after use, but that’s just me…)

So you could have a “Dongle Pi” (as I posted way back) driven by your laptop, then connect via a public WiFi, bounce through a couple of VPNs and when done, re-flash the uSD in the Dongle Pi back to empty. At that point the “source machine” has effectively ceased to exist, the WiFi doesn’t know who you are, the AWS image has no logs, and all Amazon can do is say “originated at this Public VPN server in country FOO and went to BAR” or originate at the AWS and then go to FOO and then nobody can really say what your traffic was (other than the VPN server in country FOO who, in theory, could provide logs of traffic from that IP address back to investigators, so choose wisely).

At that point, your investigator has to have warrants in 2 (or 3…) countries and get cooperation from AWS as well as a foreign VPN provider. And all they can really say about “you” is that “someone” used that public WiFi hot spot. So don’t be on a recognizable camera, OK? (Many WiFi hot spots are strong enough to be used from a car parked outside near a window…)

Also note that IF challenged you can show you were on a Laptop running a different OS and with a different MAC address, and claim you never used their WiFi at all… Dongle Pi is your friend ;-)

https://chiefio.wordpress.com/2013/05/12/dongle-pi/

If REALLY worried, you can use a $9 WiFi USB nubby and toss it afterwards. Any WiFi hardware fingerprinting / MAC address goes with it. I doubt I’d ever be that worried, but hey, it depends on your needs. Also note that you can set up the Pi with both the onboard WiFi and a nubby dongle WiFi and eliminate the ethernet wire to the laptop. The whole thing could be put in a pouch with a battery so not visible on any cameras. Just you, your laptop, and a book bag… I’d also show up a good while before starting to use the VPN and stay a while after closing it down, just so you can’t be time-stamped with enter / start and end / exit. (Or just sit in your car with a good antenna and a nice cardboard sun screen in the window ;-)

But assuming none of you are doing seriously risky stuff and just want to not have the WiFi sniffer guy or the “send me advertising like crazy” folks knowing too much about you, or want to geolocate to somewhere else, you can skip all that and just do the free VPN bit from the video.


About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present “hot buttons” are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Tech Bits.

4 Responses to DIY AWS Free VPN

  1. Taz says:

    $10/mo is pretty high for a VPN, and I doubt you’d be able to build the Wireguard variety (not OpenVPN) very easily. The only advantage I see to this scheme is that they are less likely to block you. That’s a problem today, and not just for Tor. Both of my high security VPNs must be used by hackers to hassle people, because my shared IP is quite frequently blocked. Never any problems with the lesser-known VPN…

    Going out on a limb here – but have reasons. While it really does take 10-20yrs to establish a VPN protocol as safe – I still think the Wireguard variety is a better choice than OpenVPN. MUCH lower CPU loads. Have been running VPN gateways for perhaps 20 yrs now. Wanted to switch from a Pentium mobile laptop to a more efficient Atom box – but was stymied. Just could never get OpenVPN to run at speed on the Atom. Then switched to Wireguard. What a difference :) Costs $0.53/month to operate (power cost only).

    You ARE taking some risk because Wireguard is new. Just use Tor for anything serious. Like bombing the NYT with inconvenient memes to their securedrop :)

    Black Friday weekend is the time to purchase VPN service. Discounts sometimes exceed 75%. Pay for it under a fake name with a prepaid disposable credit card (just insurance). If a supplier doesn’t take your card – just move on to another.

    Never tried Speedify for laptops cuz their payment processor was idiotic, but I can tell you their system really works on the iPhone. Edgewise Connect is the better deal. Easily channel bonds your LTE to a WiFi hotspot on another carrier. Your cellular dead spots will vanish. Assuming you are using VoIP.

    You can turn any CPU running a VPN into a VPN gateway simply by adding and configuring Privoxy. It’s real nice not to lose your direct internet connection while still being able to run your browser traffic through the VPN at the same time. Privoxy isn’t used so much these days because of https sites – but it still works great for this duty.

  2. E.M.Smith says:

    @Taz:

    The key bit is the “one year free” being cheaper than any other paid VPN ;-)

    Unfortunately, I don’t know what happens to free option choices after the year. Is it “just roll another one”? Or is it “your user identity has used your one ever.”? Donno…

    I’d see this mostly as a good way to get some AWS experience, and to assure that at least one link in your VPN chain had no logs being kept. (So I’d use it in tandem with another VPN service in another country). Not exactly sure which order of use would be best, though.

    I’m also interested in setting up a VPN server at my home so I can have a nice way to bounce off it for use “on the road” preventing sniffers in Starbucks from seeing my traffic…. So I could easily see me at some public WiFi doing a VPN to home, that then bounces back out to the AWS VPN and then to the internet. Only folks who would have a hope of seeing my traffic and IP Lookups would be AWS, and they would not know where I was or really what was going on.

    Or run it backwards and do the VPN to AWS first, then bounce off home. With DNS harvested along the way (say on that AWS image) then my Telco doesn’t know that much about what I’m doing or where I came from, while all AWS knows is that I did a DNS lookup and connected to home (and all the encrypted traffic is hidden… https inside is your friend…)

    Yes, industrial paid VPN services are a really good deal and nice to have. BUT, I worry that some of them may in fact be logging stuff and may in fact be TLA connected (how would you ever know?) So I see them as great for low value stuff (like blocking snooping at the Public WiFi and by your Telco) but with a Trust Issue. Adding one more layer in front of them makes them much more valuable. At least, that’s my theory.

    In reality I’ve not bothered to even do any one of those (yet). I just don’t do anything that really warrants it. Watching YouTube videos of Star Trek Fan Movies and checking on weather and climate data is not exactly the stuff that makes data stealers quiver ;-)

    But I’m thinking that maybe my desire to play with a free tier AWS account would get me over the hump and started ;-)

    FWIW, I do have a couple of free VPNs on my Tablet that I played with for a while, just to get the feet wet. It sort of worked, but with frequent IP changes / failures at some of them. I figure blocking of AWS numbers ought to be more rare, and as I’m only one user, the usage ought not tickle any detection methods.

  3. Taz says:

    (shrug) We use AWS for other things… but would never trust them for VPN. They are Amazon… about like Google. Again the only value an AWS VPN offers is less blocking. You’re not bundled with 90 other users on the same IP… so there’s less chance of some IT person getting pissed at your traffic. So no blocks. Blocks are a real thing for commercial VPN users. But there again… you are one person, not one inside 90. If you had something they wanted – it would be trivial to find you, Mr. NOT 90.

    But you’re right. Ultimately no VPN is provably trustworthy. Tor really isn’t either…but it’s orders of magnitude better than any VPN. But for most “jobs” that extra security isn’t worth the hassle. Especially since ANY plain VPN hides your DNS and traffic from your ISP (another Google).

    I2P supposedly goes even further than Tor and I want to like it – but I don’t. Doesn’t stop me from supporting that network….cuz we’ll need all of this stuff someday. Dark ages are coming. Biden already is going after 4chan. You already know about Twitter and Facebook.

    I could go back to modems and boards if it preserves my middle finger. Irreverence is priceless.

    Ever imagine how constrained Mel Brooks would be today? Even if they kept feeding him?

    Over time, all of us may be reduced to Secure Scuttlebutt. And become wholly dependent on truckers or entertainment people to move news via sneakernet. Kinda like what the Soviet citizens did for mail. Trust no state :)

  4. Pingback: Tightening Debian / Devuan Update Security | Musings from the Chiefio
