I’m using this terraform script: https://github.com/dmathieu/byovpn
When I need a VPN, I just apply the changes, and can destroy whenever I don’t need it anymore. That’s basically the same thing, but automated.
That’s what I was thinking when reading the article. Even shorter when using sshuttle:
$ brew install sshuttle terraform
$ terraform apply
$ sshuttle --dns -r [user@]sshserver 0.0.0.0/0
yeah exactly. I did the same to learn terraform and that’s definitely the way to go. Note that you need ssh access so if you’re on a public wifi such as in a cafe, it may fail if port 22 is blocked. I usually spin my vpn from an lte network, and once credentials are ready, I configure my vpn and then I use the public wifi.
It’s much more efficient than doing all of this manually 👍
I wanted to rewrite my vpn setup to improve my terraform skills. Here is the project:
Have fun 🎉
I’ve been working on a similar project using terraform and ansible: bovarysme/infrastructure. It’s usable even if still a bit rough around the edges (e.g. I have to manually update the ansible inventory after each deploy). Running an OpenVPN server on port 443 TCP has been helping me bypass most port blocking and firewall shenanigans I’ve encountered so far.
Your script looks very interesting. I just wanted a simple approach that anyone could follow without installing packages etc which is why I used TurnKey.
For those of us more BSD inclined, I’ve been using a modified version of this OpenBSD/iked setup to VPN into my community WAN (it uses 10.0.0.0/8 internally) from my office. (The only problem I seem to be having is with Debian clients not working with PSK).
Rather than performing a bunch of manual VPN provisioning, I prefer algo which is a quick way to stand up a vpn + generate Apple .mobileprofiles on a bunch of cloud providers.
Nice I am a big OpenBSD fan and used to use it for my home firewall… now I don’t have a home ;-)
Glad to see people found this write up useful :) Thanks for sharing with others
I ran Algo for a long time but have switched to Streissand: https://github.com/StreisandEffect/streisand and am quite happy with it.
Wow Streisand looks very cool. I will have to take that for a spin in future.
It’s pretty neat. I haven’t battle tested it yet but my plan is to use it the next time I have to fly JetBlue so I can !$@# ssh over their wifi :) (They only leave 80 and 443 unblocked. OpenVPN will do 443 just fine I’d wager :)
I use a lowendspirit VPS for my VPN - they have locations in most places and cost a few dollars a year. This script configures openvpn in a couple of minutes: https://github.com/Nyr/openvpn-install
I’m curious about choosing AWS. Don’t they charge traffic?
In the article he mentions that it’s just to browse some gov / bank websites and avoid triggering IP warnings (which doesn’t always work as Cloud provider IPs are also classified due to scraping). Traffic is only expensive when watching BBC / Netflix.
Yes AWS charges for traffic, that is actually covered in the “So… What Does It Cost?” section. Is the post tl;dr?
We do but for a low usage VPN it’s trivial to the point of fading into the white noise. I ran an Algo VPN in EC2 and used ot extensively for all my personal work for a few months and the costs incurred are negligible.
(I don’t speak for my employer, yada. yada.)
One thing i worry about with DIY VPNs is that my traffic will always originate from the same IP. Is there a way to make a vpn inside aws rotate up addresses for every new connection.
AWS EC2 IP addresses are ephemeral by default - they get reallocated every time the instance is stopped or terminated. If you’re following the instructions in the article (stopping the instance when you are not using a VPN), your IP address should be changing periodically.
Indeed. So in the article I use an Elastic IP so that the VPN has the same IP each time the EC2 instance is started. However, you could use the dynamic public IP that EC2 allocates by default instead of the Elastic IP. As @martey pointed out the dynamic IP changes each time you stop and start the instance. The only thing with a dynamic IP is that you need to either change your client config each time to the new IP address or switch to using a hostname and some sort of Dynamic DNS provider and hook from the instance.
For the almost 5,- a month to just use it for 2 days a month… I’d just use a vultr, hetzner or digitalocean VM… you can keep that running the entire month and still only pay 2.50, 3,- or 5,- per month. With no extra charges for storage, bandwidth and no issues stopping and starting it all the time.
I’d also go for wireguard as vpn system… just because it’s so much faster then OpenVPN.
And then… just use it 24/7…. since you have it anyway. I tunnel basically all my traffic through my VPN all the time, gives a nice consistent view of the world, and no one knows where I might be at the time.