There's been a sudden general interest in VPNs again with the recent policy developments in the US. There are many important steps users can take to bolster their privacy, and you can get a good rundown of them in this EFF article.
It is worth re-stating that VPNs are not a magic bullet. They typically just shift the threat downstream. A substantial number of VPN providers are not trustworthy and likely more dangerous than your ISP. Most users will get more bang for their buck using a good ad blocker and HTTPS Everywhere.
That being said, if you don't trust your connection provider (whether it be a coffee shop WiFi or your ISP) and you trust your VPN endpoint more, you can benefit from using a VPN in that situation. Remember that there will also likely be a performance penalty, but you're not using this to stream Netflix, right? Right?
If you are an AWS user and you want to run your own VPN, either full time or on a needs basis, you can do so in a few clicks using CloudFormation and OpenVPN. If you want to just get to the fun part the stack can be launched from this template.
Some notes on costing. This setup uses an EIP (Elastic IP) so you can keep the same IP between server restarts, allowing you to put the IP in DNS if that makes life easier for you. The EIP costs nothing while it is associated with a running instance, but it generates a small hourly charge (~ $0.005/hour) when it is not associated with a running instance. This is not that much less than the cost of running a t2.nano instance full time (~ $0.0059/hour), so if that is your instance of choice it is not particularly advantageous to stop the instance when you are not using it. If even that level of cost is undesirable, then you will want to tear down the whole stack when not in use and recreate it when needed. If your VPN needs dictate a larger instance type, you can reduce your costs when unused by stopping the instance and incurring the small charge for the EIP.
At the start of our CloudFormation template we have the version, template description and parameters we expect:
The parameters should be somewhat self-explanatory given the descriptions, but we are asking for the OpenVPN AMI (with a default value for us-east-1), the instance type, a key pair if desired (note the security group in the template does NOT open port 22, so you need to add this if desired), your VPN admin and connection password, and the option to push a config to the client on connect that sends all traffic and DNS through the VPN.
Getting into the Resources section of the template we define our services. First up are our VPC, subnet (public), and associated Internet Gateway and routing tables/routes:
Following that are the Elastic IP, the OpenVPN instance, the security group and IP association:
We can kick off its creation either in the CloudFormation web console or on the CLI with:
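The post's own template is not reproduced here, so what follows is an added example of a template with the same shape (parameters, then VPC/subnet/gateway/routing, then the instance, security group, EIP and association). It is not the author's template: the resource names, CIDR ranges, parameter names and allowed instance types are my choices, and the user-data keys (admin_user, admin_pw, reroute_gw, reroute_dns) are the bootstrap keys the OpenVPN Access Server AMI is assumed to read. The AMI id has no default; look up the id for your region before launching.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Self-hosted OpenVPN Access Server (added example, not the post's own template)

Parameters:
  OpenVPNAmi:
    Type: AWS::EC2::Image::Id
    Description: OpenVPN Access Server AMI id for the target region (no default; look it up)
  InstanceType:
    Type: String
    Default: t2.nano
    AllowedValues: [t2.nano, t2.micro, t2.small]
  KeyName:
    Type: String
    Default: ""
    Description: Optional EC2 key pair. The security group does NOT open port 22; add a rule if you need SSH.
  AdminPassword:
    Type: String
    NoEcho: true          # keeps the password out of the console and DescribeStacks output
    MinLength: 8
  RerouteAllTraffic:
    Type: String
    Default: "yes"
    AllowedValues: ["yes", "no"]
    Description: Push a config that sends all client traffic and DNS through the VPN

Conditions:
  HasKeyName: !Not [!Equals [!Ref KeyName, ""]]
  RerouteAll: !Equals [!Ref RerouteAllTraffic, "yes"]

Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties: {CidrBlock: 10.99.0.0/16, EnableDnsSupport: true, EnableDnsHostnames: true}
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties: {VpcId: !Ref VPC, CidrBlock: 10.99.0.0/24}
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  GatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties: {VpcId: !Ref VPC, InternetGatewayId: !Ref InternetGateway}
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties: {VpcId: !Ref VPC}
  DefaultRoute:
    Type: AWS::EC2::Route
    DependsOn: GatewayAttachment   # the route is rejected until the IGW is attached
    Properties: {RouteTableId: !Ref RouteTable, DestinationCidrBlock: 0.0.0.0/0, GatewayId: !Ref InternetGateway}
  SubnetRouteAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties: {SubnetId: !Ref PublicSubnet, RouteTableId: !Ref RouteTable}
  VpnSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: OpenVPN Access Server, no SSH
      VpcId: !Ref VPC
      # Narrow the 943 rule to your own address range if you know it; the admin UI
      # is the most sensitive listener on the box.
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 943, ToPort: 943, CidrIp: 0.0.0.0/0}     # admin web UI
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0}     # client web UI / TCP fallback
        - {IpProtocol: udp, FromPort: 1194, ToPort: 1194, CidrIp: 0.0.0.0/0}   # VPN tunnel
  VpnInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref OpenVPNAmi
      InstanceType: !Ref InstanceType
      KeyName: !If [HasKeyName, !Ref KeyName, !Ref "AWS::NoValue"]
      SubnetId: !Ref PublicSubnet
      SecurityGroupIds: [!Ref VpnSecurityGroup]
      # Assumed OpenVPN AS bootstrap keys. User data stays readable from the instance
      # metadata service, so change the admin password after the first login.
      UserData:
        Fn::Base64: !Sub
          - |
            admin_user=openvpn
            admin_pw=${AdminPassword}
            reroute_gw=${Reroute}
            reroute_dns=${Reroute}
          - Reroute: !If [RerouteAll, "1", "0"]
  VpnEip:
    Type: AWS::EC2::EIP
    Properties: {Domain: vpc}
  EipAssociation:
    Type: AWS::EC2::EIPAssociation
    Properties: {AllocationId: !GetAtt VpnEip.AllocationId, InstanceId: !Ref VpnInstance}

Outputs:
  VpnIpAddress:
    Value: !Ref VpnEip
  AdminUrl:
    Value: !Sub "https://${VpnEip}:943/admin"
```

Saved as openvpn.yaml, the stack launches from the CLI with `aws cloudformation create-stack --stack-name openvpn --template-body file://openvpn.yaml --parameters ParameterKey=OpenVPNAmi,ParameterValue=<ami id> ParameterKey=AdminPassword,ParameterValue=<password>`; passing the password on the command line leaves it in your shell history, so prefer a parameters JSON file and delete it afterwards. `aws cloudformation delete-stack --stack-name openvpn` tears everything, including the EIP, back down. The `KeyName` condition is what lets the key pair be truly optional: `AWS::NoValue` removes the property entirely instead of passing an empty string, which EC2 would reject.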
For the web console you would do the following steps, first create a new stack using the template:
You can customize the AMI (based on region, license requirements, etc.) and set your instance type, password and other options:
The next two screens likely involve no required action, unless you want to add additional tags to the resources. You can review and click Create to build the stack:
You can watch the progress in the console as the resources are created, and after a couple minutes you will see the stack change to CREATE_COMPLETE.
At that point you can use the Outputs tab to get the URL for the admin login, or the IP address for adding to DNS, setting up your OpenVPN client, etc.:
That's it. You have a self provisioned OpenVPN server that you can turn on/off, build/teardown at your leisure. If you want to launch it in different AWS regions you will need to ensure you track down the right AMI for that region (this is another post in itself) and the same applies if you want to use an image outside the free license model which allows a max of 2 users to connect simultaneously.