How to create a VPN server with AWS

Discover how to create and configure your private VPN server using AWS and Meshnet.

Introduction

As the internet has become an indispensable part of our daily lives, addressing its inherent challenges is more important than ever — be it maintaining privacy, securing connections, or accessing global content without restrictions. A personal VPN server can be an effective solution to these concerns, allowing you to navigate the digital world with greater control and peace of mind.

This article focuses on how to create a VPN server using a cloud-based approach in combination with Meshnet. With Meshnet's connectivity and traffic routing capabilities, you can access your VPN server securely from any location and device, without the need for advanced configuration.

When it comes to choosing a cloud provider for setting up a virtual machine, Amazon Web Services (AWS) stands out as a popular and reliable option. AWS provides an attractive free tier, enabling you to explore their services without any financial commitment.

Note

While setting up your own VPN server enhances your online privacy, it may not provide the same level of protection as connecting to a standard VPN server offered by NordVPN. NordVPN follows a strict no-logs policy, which is crucial for ensuring your online activities remain confidential.

Prerequisites

Before you begin, sign up for an AWS account and log in. During registration, you can choose from various support plans, including a free option.

Create a VM instance on AWS

Complete the following steps to prepare for launching a virtual machine (VM), referred to as an EC2 instance in the AWS environment.

  1. Do any of the following:

    • On the Console home page, under Build a solution, choose Launch a virtual machine.

    • Open the EC2 console dashboard and, under Launch instance, select the Launch instance button, and then choose the Launch instance option.

Note

This guide primarily covers the setup of an Ubuntu-based VM, but AWS also supports Windows, macOS, and other operating system VMs for custom virtual servers.

To configure and launch a VM instance:

  1. Under Name and tags, in the Name field, enter a name for your instance.

  2. Under Application and OS Images (Amazon Machine Image), choose an operating system for your instance, like Ubuntu, and its preferred version. Consider choosing a version marked as Free tier eligible to avoid additional costs.

  3. Under Instance type, you can select the hardware configuration for your instance. The instance type eligible for the free tier is already selected by default, so you can proceed without modifying it unless you need additional resources.

  4. Under Key pair (login), choose the option to create a new key pair. Make sure to save the automatically downloaded private key file in a secure location. For additional details, refer to Amazon's documentation on creating a key pair.

  5. Configure network settings for better security if needed. Default settings usually suffice for a typical setup, but customizing security groups adds extra protection. For more information, see the Create a security group procedure in Amazon's documentation.

  6. You can leave the default options selected for the remaining configuration settings of your instance.

  7. Under Summary, select Launch instance. It will take a few minutes for AWS to set up the instance.

Before connecting to your instance, ensure that it has passed all status checks displayed in the Status check column of the Instances pane, as shown:

Connect to your instance

Once your instance is running, you can access it from your local computer using SSH.

Setting permissions for the private key

To protect your private key, make sure that only you have read access to it by setting the appropriate permissions. The following steps apply to Windows.

  1. Right-click the downloaded private key.

  2. Select Properties, choose the Security tab, and click Advanced.

  3. Click Disable inheritance > Convert inherited permissions into explicit permission on this object.

  4. Back in the Advanced security settings window, remove access for all users except your own account by selecting a permission entry and clicking Remove.

  5. Click Apply, and then click OK to save changes.

Accessing your instance using an SSH client

Note

By default, password authentication and root login are disabled.

To establish an SSH connection to your VM instance:

  1. Locate the public DNS address of your instance in the Public IPv4 DNS column of the Instances pane.

  2. Open Command prompt (on Windows) or Terminal (on Linux and macOS).

  3. Enter the following command, replacing the placeholders with the appropriate values for your VM instance:

    ssh -i </path/key-pair-name.pem> <instance-username>@<instance-public-dns-name>

    where:

    • </path/key-pair-name.pem> is the path to your private SSH key file.

    • <instance-username> is the username associated with your VM. The default username is determined by the AMI selected when configuring the instance. For example, an Ubuntu AMI uses ubuntu as the username. For more information, consult the Manage users on your Linux instance article in Amazon’s documentation.

    • <instance-public-dns-name> is the public DNS address of your VM instance.

  4. On the first connection, SSH asks you to confirm the host key fingerprint of the instance with a response similar to the one below. Type yes and press Enter to confirm the connection.

You should now be successfully connected to your instance.
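The permission steps above are for Windows; the following shell script is an added example (not part of the NordVPN guide) that does the equivalent on Linux and macOS, checks the result, and wraps the ssh command from step 3 with two hardening options. The key path, username and hostname in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of the NordVPN guide: Linux/macOS counterpart of the
# Windows key-permission steps, plus the guide's ssh command with hardening options.
# Paths, usernames and hostnames in the usage comments are placeholders.

# Options added to the guide's plain "ssh -i" command:
#   IdentitiesOnly=yes                 offer only the key given with -i, not agent keys
#   StrictHostKeyChecking=accept-new   record the instance host key on first use and
#                                      refuse later connections if it ever changes
SSH_OPTS="-o IdentitiesOnly=yes -o StrictHostKeyChecking=accept-new"

# Restrict a private key to owner-read-only (mode 400), the equivalent of removing
# every permission entry except your own account on Windows. OpenSSH itself refuses
# a key file that other users can read. Prints the resulting permission string and
# fails if the file is missing or is still readable by group or others.
secure_key() {
    key="$1"
    [ -f "$key" ] || { echo "no such key file: $key" >&2; return 1; }
    chmod 400 "$key" || return 1
    mode=$(ls -ld "$key" | cut -c1-10)   # first 10 chars of ls -l, e.g. -r--------
    case "$mode" in
        -r--------) echo "$mode"; return 0 ;;
        *) echo "unexpected mode $mode on $key" >&2; return 1 ;;
    esac
}

# Compose the ssh command line (printed, not executed) so it can be inspected.
# Usage: ssh_cmd </path/key-pair-name.pem> <instance-username> <instance-public-dns-name>
ssh_cmd() {
    printf 'ssh -i %s %s %s@%s\n' "$1" "$SSH_OPTS" "$2" "$3"
}

# Secure the key, then connect.
# Usage: connect </path/key-pair-name.pem> ubuntu <instance-public-dns-name>
connect() {
    secure_key "$1" >/dev/null || return 1
    # $SSH_OPTS is intentionally unquoted so each option becomes its own argument.
    ssh -i "$1" $SSH_OPTS "$2@$3"
}
```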

Install NordVPN on the instance

To set up NordVPN on your instance, follow these steps:

  1. Download and install the NordVPN Linux client by entering this command in the instance terminal:

    sh <(wget -qO - https://downloads.nordcdn.com/apps/linux/install.sh)

  2. Log in to your NordVPN account.

Log in to NordVPN

You can log in to your NordVPN account without the use of a graphical user interface (GUI) in two ways:

  • By running the nordvpn login command with the --token flag

  • By running the nordvpn login command with the --callback flag

Instructions for both methods are outlined below.

Log in using a token

  1. On any device, log in to your Nord Account dashboard and select the Meshnet (by NordVPN) card.

  2. Under Manual setup, select Set up NordVPN manually.

  3. Enter the verification code sent to your email address.

  4. Under Access token, click Generate new token.

  5. In the dialog that appears, choose either a token that expires in 30 days or one that never expires, and then select Generate token.

  6. Select Copy and close.

  7. On your VM, enter the nordvpn login --token command along with the copied token:

    nordvpn login --token <your_token>

    Example

    nordvpn login --token 3fe460cefb8dcf1478c92e45908cec9f9bdbadf7a456a6dfb35dc2c58ee39d5b

You should now see a welcome message.

Log in using a URL

  1. Run the following command:

    nordvpn login

  2. Open the provided link on any device in your browser.

  3. Complete the login procedure.

  4. Right-click the Continue button and select Copy link address.

  5. Run the following command, replacing <URL> with the previously copied link address:

    nordvpn login --callback "<URL>"

    Example

    nordvpn login --callback "nordvpn://login?action=login&exchange_token=MGFlY2E1NmE4YjM2NDM4NjUzN2VjOWIzYWM3ZTU3ZDliNDdiNzRjZTMwMjE5YjkzZTNhNTI3ZWZlOTIwMGJlOQ%3D%3D&status=done"

You should now see a welcome message.

Tip

To preserve your token when logging out of the NordVPN app, use the nordvpn logout --persist-token command. Otherwise, your token will be revoked.

Note

If you encounter the error message “Whoops! Permission denied accessing /run/nordvpn/nordvpnd.sock,” enter sudo usermod -aG nordvpn $USER. Then, reboot your instance and log back in.

Enable Meshnet

On your instance, enable Meshnet by typing this command:

nordvpn set meshnet on

To view the Nord name and Meshnet IP address of your instance, enter the following command.

nordvpn meshnet peer list

The list also shows every device linked to your Meshnet. Whether a device can reach this server via Meshnet depends on the permissions granted to it.

Grant the traffic routing permission

To begin using the VPN server, you need to grant the traffic routing permission for each peer device that you want to have access to the server. Enable this permission from the server machine using the following command:

nordvpn meshnet peer routing allow <device>

Example

nordvpn meshnet peer routing allow secret.raccoon-everest.nord

For more information, see the Traffic routing permissions page.

Route traffic through your instance

To begin using your instance as a VPN server, you need to route traffic from a client device through the instance. Follow these steps:

  1. On your client device, open NordVPN and log in to your account.

  2. Start routing traffic through the linked host device you set up. For specific instructions, see Routing traffic in Meshnet.

Your device's IP address should now match the public IP address of your instance. This way, your real IP address remains secure, and the websites you visit will detect the location of your VPN server instead of your actual device.

© 2024 Nord Security. All Rights Reserved.