Deploying Your Own Personal VPN in 10 Minutes

February 7, 2022
Christian Bohren
10 min read

Introduction

For the next installment of our series on AWS, we’re going to deploy our own own Virtual Private Network (VPN) server using Ansible and Amazon Lightsail. Ansible is a framework used to automate infrastructure deployment. To learn more about Ansible, check it out here. Amazon Lightsail is a Virtual Private Server offering through AWS. Lightsail is a similar, but simpler alternative to Amazon’s EC2 offering, which we covered in our last post. With Lightsail, we can host websites, deploy applications, or in this instance, run our very VPN. At $3.50/mo, hosting a VPN on Lightsail offers a cheaper, custom alternative to utilizing a commercial solution.

To set up the VPN, we’ll be utilizing Algo VPN, a set of Ansible scripts maintained by Trail of Bits used to deploy the Wireguard VPN platform to various cloud providers.  

Getting Started

For this exercise, we’ll need a set of AWS Identity and Access Management (IAM) credentials. If you aren’t familiar with AWS IAM,  you can read more about it here.

Step 1: Creating a set of AWS IAM Credentials

If you already have a set of valid IAM credentials, feel free to skip this step. If not, go ahead and login to the AWS Management Console, and navigate to the IAM dashboard. Here, we’ll click on Add User.

 

We’ll name this user dev for now, as we’ll be using it for development purposes. We want to make sure to assign it programmatic access, so we’ll use an access key as its credential type.

 

For this test user, we will go ahead and give the user admin access. Highly recommend you assign security groups based on the principle of least privilege, however as we are making a test account used to demonstrate the capabilities of IAM, I’m going to give this account full access.

Similar to how we tagged our EC2 instance in the previous lesson, we’re going to give this user a quick description of its purpose.  

After reviewing our user information, we’ll select Create User. Now that we’ve added our user, we need to keep track of the Access Key ID, and the Secret access key. These are the equivalent of a username and password, so we need to store them securely. Keep in mind that this screen is the only place you’ll be able to view the keys. Once its closed, its gone forever.  

Now that we have our IAM user, it’s time to get started with Algo VPN.

Step 2: Downloading Algo VPN

To begin, we’ll go ahead and copy the latest version of Algo VPN from the git repo, found here. In your folder of choice, open up a terminal window and run the following command:

git clone https://github.com/trailofbits/algo.git && cd algo

Step 3: Installing Dependencies  

For Algo to run, we’ll need to install its relevant dependencies.  

  • macOS  - running at least Catalina 10.15 (for earlier, reference documentation)

       python3 -m pip install --user --upgrade virtualenv

  • Ubuntu and Debian:

       sudo apt install -y --no-install-recommends python3-virtualenv

  • Fedora

      sudo dnf install -y python3-virtualenv

  • Red Hat and CenOS 7 – and later  

       sudo yum -y install epel-release

       sudo yum -y install python36-virtualenv

  • Windows

Reference Algo documentation  

Finally, we need to install Algo’s remaining dependences. In our algo folder, run the following command

python3 -m virtualenv --python="$(command -v python3)" .env &&
 source .env/bin/activate &&
 python3 -m pip install -U pip virtualenv &&
 python3 -m pip install -r requirements.txt
 

Step 4: Editing our Algo configurations  

We recommend editing your config file how you see fit. To do this, use your text editor of choice against the config.cfg file. For example:

vim config.cfg  

If you want to edit the name or number of VPN users you’ll have, this is the place to do it. By default, algo gives us three: phone, laptop, and desktop. Coincidentally, we need a phone, a laptop, and desktop connection, so we’ll leave it as is.  

Step 5: Running Algo

When running algo, be sure to have those IAM credentials handy. Once you have them, go ahead and run  

./algo

And follow the onscreen instructions. You can choose from multiple Cloud Providers, but for this use case, Amazon Lightsail makes the most sense for us, so we’ll select it when prompted. After making your configurations, you should see a success screen like this:

Step 6: Install Wireguard Client

Now that our VPN is up and running, we need to connect with our Wireguard client. If you don’t have Wireguard installed yet, you can find it here. Once Wireguard is installed, we need to add our config file. To do this, navigate to:

algo/configs/<ip-address>/wireguard/

Here you should find your config files. On the macOS client, we will start up Wireguard, select File -> Import tunnel(s) from file. Navigate to directory above, and import your desired conf file. We’ll use “laptop.conf”. Once we’ve imported our conf file you should receive a prompt from macOS asking if you want to add a VPN connection. Select Allow. You should see the following configuration.

Step 7: Connect!

Within your Wireguard client, select Connect. Success! You made your very own personal VPN client using Ansible, and Amazon Lightsail.

Let's Get Started

Book a time to chat about your security needs.
* Indicates a required field.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.