Deploying Your Own Personal VPN in 10 Minutes

November 17, 2022
Christian Bohren
10 min read

Introduction

For the next installment of our series on AWS, we’re going to deploy our own Virtual Private Network (VPN) server using Ansible and Amazon Lightsail. Ansible is a framework used to automate infrastructure deployment. To learn more about Ansible, check it out here. Amazon Lightsail is a Virtual Private Server offering through AWS. Lightsail is a similar but simpler alternative to Amazon’s EC2 offering, which we covered in our last post. With Lightsail, we can host websites, deploy applications, or in this instance, run our very own VPN. At $3.50/mo, hosting a VPN on Lightsail offers a cheaper, custom alternative to a commercial solution.

To set up the VPN, we’ll be utilizing Algo VPN, a set of Ansible scripts maintained by Trail of Bits used to deploy the Wireguard VPN platform to various cloud providers.  

Getting Started

For this exercise, we’ll need a set of AWS Identity and Access Management (IAM) credentials. If you aren’t familiar with AWS IAM, you can read more about it here.

Step 1: Creating a set of AWS IAM Credentials

If you already have a set of valid IAM credentials, feel free to skip this step. If not, go ahead and log in to the AWS Management Console, and navigate to the IAM dashboard. Here, we’ll click on Add User.

 

We’ll name this user dev for now, as we’ll be using it for development purposes. We want to make sure to assign it programmatic access, so we’ll use an access key as its credential type.

For this test user, we will go ahead and give the user admin access. We highly recommend assigning permissions based on the principle of least privilege; however, as we are making a test account used to demonstrate the capabilities of IAM, I’m going to give this account full access.

Similar to how we tagged our EC2 instance in the previous lesson, we’re going to give this user a quick description of its purpose.  

After reviewing our user information, we’ll select Create User. Now that we’ve added our user, we need to keep track of the Access Key ID and the Secret access key. These are the equivalent of a username and password, so we need to store them securely. Keep in mind that this screen is the only place you’ll be able to view the keys. Once it’s closed, it’s gone forever.

Now that we have our IAM user, it’s time to get started with Algo VPN.

Step 2: Downloading Algo VPN

To begin, we’ll go ahead and copy the latest version of Algo VPN from the git repo, found here. In your folder of choice, open up a terminal window and run the following command:

git clone https://github.com/trailofbits/algo.git && cd algo

Step 3: Installing Dependencies  

For Algo to run, we’ll need to install its relevant dependencies.  

macOS [running at least Catalina 10.15 (for earlier, reference documentation)]:

python3 -m pip install --user --upgrade virtualenv

Ubuntu and Debian:

sudo apt install -y --no-install-recommends python3-virtualenv

Fedora:

sudo dnf install -y python3-virtualenv

Red Hat and CentOS (CentOS 7 and later):

sudo yum -y install epel-release
sudo yum -y install python36-virtualenv

Windows:

Reference Algo documentation  

Finally, we need to install Algo’s remaining dependencies. In our algo folder, run the following command:

python3 -m virtualenv --python="$(command -v python3)" .env &&
  source .env/bin/activate &&
  python3 -m pip install -U pip virtualenv &&
  python3 -m pip install -r requirements.txt
 

Step 4: Editing our Algo Configurations  

We recommend editing your config file as you see fit. To do this, open the config.cfg file in your text editor of choice. For example:

vim config.cfg  

If you want to edit the name or number of VPN users you’ll have, this is the place to do it. By default, Algo gives us three: phone, laptop, and desktop. Coincidentally, we need a phone, a laptop, and a desktop connection, so we’ll leave it as is.

Step 5: Running Algo

When running Algo, be sure to have those IAM credentials handy. Once you have them, go ahead and run  

./algo

And follow the onscreen instructions. You can choose from multiple cloud providers, but for this use case, Amazon Lightsail makes the most sense for us, so we’ll select it when prompted. After making your configurations, you should see a success screen like this:

Step 6: Install Wireguard Client

Now that our VPN is up and running, we need to connect with our Wireguard client. If you don’t have Wireguard installed yet, you can find it here. Once Wireguard is installed, we need to add our config file. To do this, navigate to:

algo/configs/<ip-address>/wireguard/

Here you should find your config files. On the macOS client, we will start up Wireguard and select File -> Import tunnel(s) from file. Navigate to the directory above, and import your desired conf file. We’ll use “laptop.conf”. Once we’ve imported our conf file, you should receive a prompt from macOS asking if you want to add a VPN connection. Select Allow. You should see the following configuration.

Step 7: Connect!

Within your Wireguard client, select Connect. Success! You made your very own personal VPN client using Ansible and Amazon Lightsail.
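The conf files from Step 6 carry the tunnel’s private key, so it is worth checking one before importing it. The script below is an added example, not part of Algo or the original post; its function names, the sample conf and the placeholder keys are constructed, and it assumes a full-tunnel profile is wanted.

```shell
#!/bin/sh
# Added example (not part of Algo): audit a WireGuard client conf before import.

# Print the value of KEY inside [SECTION], with whitespace stripped.
wg_get() {  # usage: wg_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { cur = $0; gsub(/[ \t\r]/, "", cur); next }
        cur == sec {
            i = index($0, "="); if (i == 0) next   # split on the first "=" only
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/[ \t\r]/, "", k); gsub(/[ \t\r]/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

finding() { echo "FINDING: $1"; n=$((n + 1)); }

# Print one line per finding; the return status is the number of findings.
audit_wg_conf() {
    conf=$1; n=0
    [ -f "$conf" ] || { finding "no such file: $conf"; return "$n"; }

    # The file holds the tunnel private key: group/other must have no access.
    perms=$(ls -ld "$conf" | cut -c5-10)
    [ "$perms" = "------" ] || finding "mode allows group/other ($perms), chmod 600"

    # WireGuard keys are 32 bytes, i.e. 44 base64 characters.
    key=$(wg_get "$conf" Interface PrivateKey)
    [ "${#key}" -eq 44 ] || finding "PrivateKey missing or malformed"
    [ -n "$(wg_get "$conf" Peer Endpoint)" ] || finding "no Endpoint in [Peer]"

    # Assumption: a full-tunnel profile is wanted, so all IPv4 must be routed.
    case ",$(wg_get "$conf" Peer AllowedIPs)," in
        *,0.0.0.0/0,*) ;;
        *) finding "AllowedIPs does not route all IPv4 traffic" ;;
    esac

    # Without a DNS line, lookups keep using the system's existing resolver.
    [ -n "$(wg_get "$conf" Interface DNS)" ] || finding "no DNS in [Interface]"
    return "$n"
}

# Constructed sample conf (placeholder keys, documentation-range endpoint).
write_sample_conf() {
    k=$(awk 'BEGIN { for (i = 0; i < 43; i++) printf "A"; print "=" }')
    printf '%s\n' '[Interface]' "PrivateKey = $k" 'Address = 10.0.0.2/32' \
        'DNS = 10.0.0.1' '' '[Peer]' "PublicKey = $k" \
        'AllowedIPs = 0.0.0.0/0,::/0' 'Endpoint = 203.0.113.10:51820' > "$1"
}

[ $# -eq 0 ] || audit_wg_conf "$1"
```

Save it under any name and pass it the path to a conf file such as laptop.conf; a return status of 0 means no findings.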

 
