DIY: Free Self-Hosted VPN on AWS Using Terraform & OpenVPN
This is a detailed step-by-step guide on how to set up a self-hosted VPN server on AWS using Terraform and OpenVPN.
Published Jan 3, 2025
In this guide, I’ll walk you through creating a self-hosted VPN server using Terraform and OpenVPN Access Server on AWS. This is a great project for DevOps and cloud enthusiasts looking to enhance their skills while building a practical and secure solution.
Setting up a self-hosted VPN server can be a cost-effective and secure solution for personal or organizational needs. In this blog, I’ll demonstrate how to use a Terraform configuration script to deploy an OpenVPN Access Server on AWS. By following this guide, you’ll learn how to:
- Configure and customize the Terraform script to suit your needs.
- Deploy a fully functional VPN server in under 5 minutes.
- Maintain internet privacy and security without relying on subscription-based VPN services.
This VPN server is also "disposable," allowing you to create and delete it with a single command. Let’s dive in!
To get started, you’ll need the following:
- An AWS account (a free-tier account works).
- Terraform installed on your local machine (How to Install Terraform).
- OpenVPN Connect Client installed (download here).
- Your AWS Access Key ID and Secret Access Key (learn how to get your AWS access keys here).
- AWS CLI installed and configured with your Access Key ID and Secret Access Key (AWS CLI Setup Guide).
- My OpenVPN-Terraform Setup Script (get the script here).
The script automates the process of setting up a self-hosted OpenVPN server by:
- Creating an Ubuntu 22.04 EC2 instance and configuring OpenVPN Access Server on it.
- Using the t2.micro instance type to stay within AWS’ free-tier limits.
- Configuring the VPN server with an IP address in your selected AWS region.
- Generating and downloading an AWS keypair file for optional SSH access.
- Creating and downloading an OpenVPN User Profile file (*.ovpn) from the server to the local machine for establishing encrypted VPN connections.
- Enabling a one-command teardown to clean up all local and online resources that were created.
If you are interested in the technical details of how the Terraform script works, I wrote a detailed description in my Terraform-OpenVPN-setup documentation for the script here.
The Terraform script handles everything from provisioning resources on AWS to configuring the OpenVPN Access Server. Here’s what happens under the hood:
- Infrastructure Setup: The script provisions an EC2 instance with the necessary network configurations, including opening the required ports on the server through the security group settings.
- OpenVPN Installation: A userdata script is executed to bootstrap, install and configure the OpenVPN Access Server on the instance after it has been provisioned by Terraform.
- User Profile Creation: An OpenVPN User Profile (*.ovpn) file is generated on the server and downloaded to the local machine for further connection to the server.
- Resource Cleanup: With one command, all AWS resources are destroyed, and local files are also deleted.
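To make the "under the hood" steps concrete, here is a compact Terraform configuration of my own that follows the same shape: an Ubuntu 22.04 t2.micro, a security group that opens the OpenVPN Access Server ports, a locally generated key pair, and a userdata script that installs and configures OpenVPN AS. It is an added example, not the author's script from the repository. It uses the variable names the post lists (project_name, OpenVPN_instance_type, openvpn_user, selected_region) and assumes a few things the post does not state: an extra admin_cidr variable so SSH and the admin UI (943/tcp) are reachable only from your own address rather than from the whole internet, the Canonical AMI owner ID, IMDSv2 enforced on the instance, and the OpenVPN AS apt repository and sacli commands as I know them from the vendor documentation (check those against the current vendor instructions before relying on them).

```hcl
terraform {
  required_providers {
    aws   = { source = "hashicorp/aws", version = ">= 5.0" }
    tls   = { source = "hashicorp/tls" }
    local = { source = "hashicorp/local" }
  }
}

# Variables named in the post; the defaults here are constructed for this example.
variable "project_name"          { default = "My-VPN-Project" }
variable "OpenVPN_instance_type" { default = "t2.micro" }
variable "openvpn_user"          { default = "vpnuser" }
variable "selected_region"       { default = "ca-central-1" }
# Assumed addition, not on the page: the operator's own address, for SSH and the admin UI.
variable "admin_cidr"            { default = "203.0.113.10/32" } # constructed placeholder (TEST-NET-3)

provider "aws" {
  region = var.selected_region
}

# Latest Canonical Ubuntu 22.04 AMI in the selected region (owner ID is Canonical's).
data "aws_ami" "ubuntu" {
  most_recent = true
  owners      = ["099720109477"]
  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
  }
}

# Key pair generated locally; the private key is written next to the state for optional SSH access.
resource "tls_private_key" "ssh" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "aws_key_pair" "ssh" {
  key_name   = "${var.project_name}-key"
  public_key = tls_private_key.ssh.public_key_openssh
}

resource "local_sensitive_file" "ssh_pem" {
  filename        = "${path.module}/${var.project_name}-key.pem"
  content         = tls_private_key.ssh.private_key_pem
  file_permission = "0400"
}

locals {
  # OpenVPN AS defaults: 1194/udp tunnel and 443/tcp for clients, 943/tcp web/admin UI.
  # Only the client-facing ports are world-reachable; admin UI and SSH are limited to admin_cidr.
  ingress_rules = {
    tunnel = { port = 1194, proto = "udp", cidr = ["0.0.0.0/0"] }
    client = { port = 443,  proto = "tcp", cidr = ["0.0.0.0/0"] }
    admin  = { port = 943,  proto = "tcp", cidr = [var.admin_cidr] }
    ssh    = { port = 22,   proto = "tcp", cidr = [var.admin_cidr] }
  }
}

resource "aws_security_group" "openvpn" {
  name        = "${var.project_name}-sg"
  description = "OpenVPN Access Server ingress"

  dynamic "ingress" {
    for_each = local.ingress_rules
    content {
      from_port   = ingress.value.port
      to_port     = ingress.value.port
      protocol    = ingress.value.proto
      cidr_blocks = ingress.value.cidr
    }
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "openvpn" {
  ami                    = data.aws_ami.ubuntu.id
  instance_type          = var.OpenVPN_instance_type
  key_name               = aws_key_pair.ssh.key_name
  vpc_security_group_ids = [aws_security_group.openvpn.id]

  # Require IMDSv2 so a process on the box cannot read instance metadata with a plain GET.
  metadata_options {
    http_tokens = "required"
  }

  # Bootstrap script run by cloud-init as root. Repo URL and sacli calls are assumptions from the
  # vendor docs; the VPN password is generated on the box so no secret travels in userdata.
  user_data = <<-EOT
    #!/bin/bash
    set -euo pipefail
    apt-get update && apt-get install -y ca-certificates wget net-tools gnupg curl openssl
    mkdir -p /etc/apt/keyrings
    wget -qO /etc/apt/keyrings/as-repository.asc https://as-repository.openvpn.net/as-repo-public.asc
    echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/as-repository.asc] http://as-repository.openvpn.net/as/debian jammy main" > /etc/apt/sources.list.d/openvpn-as-repo.list
    apt-get update && apt-get install -y openvpn-as
    # Public IP via IMDSv2, so the profile tells clients which address to connect to.
    TOKEN=$(curl -sX PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
    PUBLIC_IP=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/public-ipv4)
    VPN_PASS=$(openssl rand -base64 18)
    cd /usr/local/openvpn_as/scripts
    ./sacli --key "host.name" --value "$PUBLIC_IP" ConfigPut
    ./sacli --user "${var.openvpn_user}" --key "type" --value "user_connect" UserPropPut
    ./sacli --user "${var.openvpn_user}" --new_pass "$VPN_PASS" SetLocalPassword
    ./sacli start
    # User-locked profile (password required at connect) plus the password, left for the ubuntu user to fetch over SSH.
    ./sacli --user "${var.openvpn_user}" GetUserlogin > /home/ubuntu/${var.openvpn_user}.ovpn
    echo "$VPN_PASS" > /home/ubuntu/${var.openvpn_user}.password
    chown ubuntu:ubuntu /home/ubuntu/${var.openvpn_user}.* && chmod 600 /home/ubuntu/${var.openvpn_user}.*
  EOT

  tags = { Name = "${var.project_name}-openvpn" }
}

output "vpn_public_ip" {
  value = aws_instance.openvpn.public_ip
}
```

Run terraform init, then terraform apply, and once cloud-init has finished copy the profile and password off the box with scp using the generated .pem file and the vpn_public_ip output. The design choice worth noting is the security group: the author's script "opens the required ports", and the only ports that genuinely need to face the internet are the tunnel (1194/udp) and the client web port (443/tcp); the admin UI and SSH are exposed only to admin_cidr, which is the single setting most worth keeping when you adapt this.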
The script includes configurable options for flexibility:
- project_name: Used for labeling resources (e.g., "My-VPN-Project").
- OpenVPN_instance_type: Default is t2.micro for free-tier compatibility, but you can choose another type if needed.
- openvpn_user: Username for generating the *.ovpn profile file.
- selected_region: The AWS region where the server will be hosted (e.g., us-east-1, eu-west-2).
The region you select determines the VPN traffic's exit point. For example, choosing ca-central-1 will route your internet traffic through a Canadian IP address. These are all optional and can be configured in the terraform.tfvars file.
Follow these steps to set up your VPN server:
- Set Up AWS CLI: First, ensure that AWS CLI is installed and configured with your AWS access key ID and Secret access key (learn more about AWS CLI here)
- Install Terraform: Install Terraform on your local machine (How to Install Terraform)
- Download the Script: Clone the script repository to your local machine using this command:
- Edit Variables (optional): Open the terraform.tfvars file in the script and update the values for project_name, openvpn_user and selected_region.
- Change Directory: Switch to the cloned directory and initialize the Terraform script.
- Apply: Apply the Terraform script with this command:
- The script will prompt for the region where you want your VPN server to be hosted. Enter a suitable AWS region, e.g. ca-central-1 for Canada Central (see the list of acceptable AWS regions here).
- Wait for the script to finish execution. The script will provision your OpenVPN Server and also download the OpenVPN user profile (*.ovpn) file to your local computer, along with the generated AWS keypair file, into the Terraform working directory (i.e. the directory from which the Terraform script was executed).
- You can optionally use the keypair file to SSH into the server for additional maintenance.
- Install OpenVPN Connect Client on your local machine (Download it here)
- Create a new VPN connection using the OpenVPN user profile file and connect to your server.
- Once connected, your internet traffic should now be routed through your VPN server.
Open your browser and check your public IP address through a website like https://whatsmyip.com to confirm that you are connected to your VPN server. Your public IP address should now be the server IP address of your VPN server. This proves that you are connected to your VPN and that your internet traffic is being routed through your server's IP address.
When you are through with the server, you can safely delete it and clean up all resources that were created.
- First, disconnect from the VPN Server.
- To delete the server and clean up all resources that were created, use the command below:
- This will prompt you again for the AWS region that was entered earlier; type the region and press enter.
- This will delete all files that were created locally and also delete all resources that were created in your AWS account (the EC2 instance, the security group, etc.).
A self-hosted VPN offers flexibility and control for various scenarios:
- Secure Remote Access: Connect securely to corporate or on-premises resources.
- Privacy & Anonymity: Encrypt internet traffic, especially on public Wi-Fi.
- Cost Efficiency: Avoid subscription costs of commercial VPNs.
- Location Masking: Access location-restricted content.
- Development & Testing: Simulate network environments for application testing.
- Enhanced Security: Add another layer of protection to your network.
Building your own VPN server using Terraform and OpenVPN Access Server is a rewarding and educational experience. It’s an excellent project for DevOps and cloud enthusiasts looking to gain hands-on experience with AWS and infrastructure automation.
This solution provides complete control over your VPN server, ensuring privacy, security, and flexibility. Whether for personal use, team collaboration, or development purposes, this setup is a cost-effective alternative to commercial VPN services.
Feel free to explore the script, customize it to your needs, and share your experience! For advanced insights and troubleshooting.
If you have any comments or questions, please drop them in the comments section below.
Happy building!