Wireguard Free VPN Service on AWS

Why?

With increasing censorship of the Internet by authoritarian regimes, a growing number of useful Internet resources and sites are being blocked, including technical information.
This makes it impossible to use the Internet fully and violates the fundamental right to freedom of speech, enshrined in the Universal Declaration of Human Rights.

Article 19
Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers

In this guide, we will deploy our own free* VPN service in 6 steps, based on WireGuard technology, in the Amazon Web Services (AWS) cloud infrastructure, using a free account (for 12 months), on an instance (virtual machine) running Ubuntu Server 18.04 LTS.
I have tried to make this walkthrough as friendly to non-IT people as possible. The only thing that is required is perseverance in repeating the steps described below.

Note

Stages

  1. Sign up for a free AWS account
  2. Create an AWS instance
  3. Connecting to an AWS instance
  4. Wireguard Configuration
  5. Configuring VPN Clients
  6. Checking the correctness of the VPN installation

Useful links

1. Registering an AWS account

Signing up for a free AWS account requires a real phone number and a valid Visa or Mastercard credit card. I recommend using the virtual cards that Yandex or Qiwi wallets provide for free. To check the validity of the card, $1 is deducted during registration, which is later returned.

1.1. Opening the AWS Management Console

You need to open a browser and go to: https://aws.amazon.com/ru/
Click on the "Register" button

1.2. Filling in personal data

Fill in the data and click on the "Continue" button

1.3. Filling in contact details

Fill in contact information.

1.4. Specifying payment information.

Card number, expiration date and name of the cardholder.

1.5. Account Verification

At this stage, the phone number is confirmed and $ 1 is directly debited from the payment card. A 4-digit code is displayed on the computer screen, and the specified phone receives a call from Amazon. During a call, you must dial the code shown on the screen.

1.6. Choice of tariff plan.

Choose - Basic plan (free)

1.7. Login to the management console

1.8. Choosing the location of the data center

1.8.1. Speed testing

Before choosing a data center, it is recommended to test the speed of access to the nearest data centers through https://speedtest.net. In my location, I got results for the following data centers:

  • Singapore
  • Paris
  • Frankfurt
  • Stockholm
  • London

The data center in London shows the best results in terms of speed. So I chose it for further customization.

2. Create an AWS instance

2.1 Create a virtual machine

2.1.1. Selecting an instance type

By default, the t2.micro instance is selected, which is what we need, so just press the Next: Configure Instance Details button.

2.1.2. Setting Instance Options

Later we will attach a permanent public IP to our instance, so at this stage we turn off auto-assignment of a public IP and press the Next: Add Storage button.

2.1.3. Storage connection

Specify the size of the "hard disk". For our purposes, 16 gigabytes is enough. Then press the Next: Add Tags button.

2.1.4. Setting up tags

If we created several instances, they could be grouped by tags to simplify administration. In this case that functionality is unnecessary, so immediately press the Next: Configure Security Group button.

2.1.5. Opening ports

In this step, we configure the firewall by opening the required ports. The set of open ports is called a Security Group. We must create a new security group, give it a name and a description, add a UDP port (Custom UDP Rule), and in the Port Range field assign a port number from the dynamic port range 49152-65535. In this case, I chose port number 54321.

After filling in the required data, click the Review and Launch button.

2.1.6. Overview of all settings

This page gives an overview of all the settings of our instance. We check that all the settings are in order and press the Launch button.

2.1.7. Creating Access Keys

Next comes a dialog box offering to either create a new SSH key or add an existing one, with which we will later connect remotely to our instance. We select the "Create a new key pair" option to create a new key. Give it a name and click the Download Key Pair button to download the generated keys. Save them to a safe place on your local computer. Once downloaded, click the Launch Instances button.

2.1.7.1. Saving Access Keys

This step shows saving the key generated in the previous step. After we press the Download Key Pair button, the key is saved as a certificate file with the *.pem extension. In this case, I named it wireguard-awskey.pem

2.1.8. Overview of Instance Creation Results

Next, we see a message about the successful launch of the instance we just created. We can go to the list of our instances by clicking the View Instances button.

2.2. Creating an external IP address

2.2.1. Starting the creation of an external IP

Next, we need to create a permanent external IP address through which we will connect to our VPN server. To do this, in the navigation panel on the left side of the screen, select the item Elastic IPs from the NETWORK & SECURITY category and press the Allocate new address button.

2.2.2. Configuring the creation of an external IP

In the next step, we need to enable the Amazon pool option (enabled by default) and click the Allocate button.

2.2.3. Overview of the results of creating an external IP address

The next screen will display the external IP address we received. It is recommended to memorize it, or better yet to write it down, as it will come in handy more than once while further setting up and using the VPN server. In this guide, I use the IP address 4.3.2.1 as an example. Once you have noted the address, press the Close button.

2.2.4. List of external IP addresses

Next, we are presented with a list of our permanent public IP addresses (Elastic IPs).

2.2.5. Assigning an External IP to an Instance

In this list, we select the IP address we received and press the right mouse button to bring up a drop-down menu. In it, select the item Associate address to assign it to the instance we created earlier.

2.2.6. External IP assignment setting

In the next step, select our instance from the drop-down list, and press the button.

2.2.7. Overview of External IP Assignment Results

After that, we can see that our instance and its private IP address are bound to our permanent public IP address.

Now we can connect to our newly created instance from outside, from our computer via SSH.

3. Connect to an AWS instance

SSH is a secure protocol for the remote control of computer devices.

3.1. Connecting via SSH from a Windows computer

To connect from a Windows computer, you first need to download and install the Putty program.

3.1.1. Import private key for Putty

3.1.1.1. After installing Putty, you need to run the PuTTYgen utility that comes with it to convert the key certificate from PEM format into a format suitable for use in Putty. To do this, select Conversions->Import Key in the top menu.

3.1.1.2. Choosing an AWS Key in PEM Format

Next, select the key that we previously saved in step 2.1.7.1; in our case it is named wireguard-awskey.pem

3.1.1.3. Setting key import options

At this step, we need to specify a comment (description) for this key and set a password, with confirmation, for security. It will be requested every time you connect. In this way we protect the key with a password against misuse. You don't have to set a password, but that is less secure if the key falls into the wrong hands. Then press the Save private key button.

3.1.1.4. Saving an imported key

A save file dialog opens, and we save our private key as a file with the .ppk extension, suitable for use in the Putty program.
Specify the name of the key (in our case wireguard-awskey.ppk) and press the Save button.

3.1.2. Creating and configuring a connection in Putty

3.1.2.1. Create a connection

Open the Putty program, select the Session category (it is open by default) and in the Host Name field enter the public IP address of our server, which we received in step 2.2.3. In the Saved session field enter an arbitrary name for our connection (in my case wireguard-aws-london), and then press the Save button to save the changes we made.

3.1.2.2. Setting up user autologin

Next, in the Connection category, choose the Data subcategory and in the Auto-login username field enter the username ubuntu, which is the standard user of an Ubuntu instance on AWS.

3.1.2.3. Choosing a private key for connecting via SSH

Then go to the subcategory Connection/SSH/Auth and, next to the field Private key file for authentication, click the Browse... button to select the file with the key certificate.

3.1.2.4. Opening an imported key

Specify the key that we imported earlier at step 3.1.1.4, in our case it is a file wireguard-awskey.ppk, and press the button Open.

3.1.2.5. Saving settings and starting a connection

Returning to the Session category page, press the Save button again to save the changes we made in the previous steps (3.1.2.2 - 3.1.2.4). Then press the Open button to open the remote SSH connection we created and configured.

3.1.2.7. Setting up trust between hosts

In the next step, the first time we try to connect, we are shown a warning that trust is not configured between the two computers, asking whether to trust the remote computer. We press the Yes button, thereby adding it to the list of trusted hosts.

3.1.2.8. Entering a password to access the key

After that, a terminal window opens, where you are asked for the password for the key, if you set one earlier at step 3.1.1.3. Nothing is shown on the screen while you type the password. If you make a mistake, you can use the Backspace key.

3.1.2.9. Welcome message on successful connection

After successfully entering the password, we are shown a welcome text in the terminal, which tells us that the remote system is ready to execute our commands.

4. Configuring the Wireguard Server

The most up-to-date instructions for installing and using Wireguard using the scripts described below can be found in the repository: https://github.com/isystem-io/wireguard-aws

4.1. Installing WireGuard

In the terminal, enter the following commands (you can copy to the clipboard, and paste in the terminal by pressing the right mouse button):

4.1.1. Cloning a repository

Clone the repository with the Wireguard installation scripts

git clone https://github.com/pprometey/wireguard_aws.git wireguard_aws

4.1.2. Switching to the directory with scripts

Go to the directory with the cloned repository

cd wireguard_aws

4.1.3 Running the initialization script

Run as administrator (root user) the Wireguard installation script

sudo ./initial.sh

The installation process will ask for certain data required to configure Wireguard

4.1.3.1. Connection point input

Enter the external IP address and open port of the Wireguard server. We got the external IP address of the server in step 2.2.3 and opened the port in step 2.1.5. We enter them together, separated by a colon, for example 4.3.2.1:54321, and then press the Enter key.
Sample output:

Enter the endpoint (external ip and port) in format [ipv4:port] (e.g. 4.3.2.1:54321): 4.3.2.1:54321

4.1.3.2. Entering the internal IP address

Enter the IP address of the Wireguard server on the secure VPN subnet. If you don't know what it is, just press the Enter key to set the default value (10.50.0.1).
Sample output:

Enter the server address in the VPN subnet (CIDR format) ([ENTER] set to default: 10.50.0.1):

4.1.3.3. Specifying a DNS Server

Enter the IP address of the DNS server, or just press the Enter key to set the default value 1.1.1.1 (Cloudflare public DNS)
Sample output:

Enter the ip address of the server DNS (CIDR format) ([ENTER] set to default: 1.1.1.1):

4.1.3.4. Specifying the WAN interface

Next, you need to enter the name of the external network interface that will listen on the VPN internal network interface. Just press Enter to set the default value for AWS (eth0)
Sample output:

Enter the name of the WAN network interface ([ENTER] set to default: eth0):

4.1.3.5. Specifying the client's name

Enter the name of the VPN user. The fact is that the Wireguard VPN server will not be able to start until at least one client has been added. In this case, I entered the name Alex@mobile
Sample output:

Enter VPN user name: Alex@mobile

After that, a QR code with the configuration of the newly added client should be displayed on the screen; it must be scanned with the Wireguard mobile client on Android or iOS to configure it. Below the QR code, the text of the configuration file is also displayed in case clients are configured manually. How to do this is discussed below.

4.2. Adding a new VPN user

To add a new user, run the add-client.sh script in the terminal:

sudo ./add-client.sh

The script asks for a username:
Sample output:

Enter VPN user name: 

The user name can also be passed as a script parameter (in this case Alex@mobile):

sudo ./add-client.sh Alex@mobile

As a result of running the script, a client configuration file /etc/wireguard/clients/{ClientName}/{ClientName}.conf will be created in the directory named after the client, /etc/wireguard/clients/{ClientName}, and the terminal screen will display a QR code for setting up mobile clients and the contents of the configuration file.

4.2.1. User configuration file

You can display the contents of the .conf file on the screen, for manual configuration of the client, using the command cat

sudo cat /etc/wireguard/clients/Alex@mobile/Alex@mobile.conf

Execution result:

[Interface]
PrivateKey = oDMWr0toPVCvgKt5oncLLRfHRit+jbzT5cshNUi8zlM=
Address = 10.50.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = mLnd+mul15U0EP6jCH5MRhIAjsfKYuIU/j5ml8Z2SEk=
PresharedKey = wjXdcf8CG29Scmnl5D97N46PhVn1jecioaXjdvrEkAc=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 4.3.2.1:54321

Description of the client configuration file:

[Interface]
PrivateKey = Private key of the client
Address = IP address of the client
DNS = DNS used by the client

[Peer]
PublicKey = Public key of the server
PresharedKey = Key shared by the server and the client
AllowedIPs = Addresses allowed for the connection (all - 0.0.0.0/0, ::/0)
Endpoint = IP address and port to connect to
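
A client file can be checked against this description before it is imported. The following Python check is an added example, not part of the guide's scripts: the function names and the constructed sample config are assumptions, and it expects the single [Peer] layout shown above.

```python
import base64
import configparser
import ipaddress

def key(fill):
    # Constructed 32-byte placeholder key, not a real WireGuard key.
    return base64.b64encode(bytes([fill]) * 32).decode()

def sample(allowed="0.0.0.0/0, ::/0", dns="DNS = 1.1.1.1\n"):
    # Constructed config in the layout printed by the guide's scripts.
    return (f"[Interface]\nPrivateKey = {key(1)}\nAddress = 10.50.0.2/32\n{dns}\n"
            f"[Peer]\nPublicKey = {key(2)}\nPresharedKey = {key(3)}\n"
            f"AllowedIPs = {allowed}\nEndpoint = 4.3.2.1:54321\n")

def is_key(value):
    # WireGuard keys are 32 bytes, base64-encoded.
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def audit(text):
    """Return a list of findings for a single-peer client config (assumption)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the casing of the key names
    cp.read_string(text)
    iface, peer = cp["Interface"], cp["Peer"]
    findings = []
    for section, name in ((iface, "PrivateKey"), (peer, "PublicKey"),
                          (peer, "PresharedKey")):
        if not is_key(section.get(name, "")):
            findings.append(f"{name}: not a 32-byte base64 value")
    try:
        net = ipaddress.ip_interface(iface.get("Address", "")).network
        if net.prefixlen != net.max_prefixlen:
            findings.append("Address: not a single host address")
    except ValueError:
        findings.append("Address: missing or invalid")
    try:
        nets = [ipaddress.ip_network(n.strip(), strict=False)
                for n in peer.get("AllowedIPs", "").split(",") if n.strip()]
    except ValueError:
        nets = []
        findings.append("AllowedIPs: invalid network")
    for default, label in (("0.0.0.0/0", "IPv4"), ("::/0", "IPv6")):
        if ipaddress.ip_network(default) not in nets:
            findings.append(f"AllowedIPs: no {label} default route, "
                            "that traffic stays outside the tunnel")
    if not iface.get("DNS", "").strip():
        findings.append("DNS: not set, the system's existing resolver stays in use")
    # The port range is this guide's choice (step 2.1.5), not a WireGuard rule.
    host, _, port = peer.get("Endpoint", "").rpartition(":")
    if not host or not port.isdigit() or not 49152 <= int(port) <= 65535:
        findings.append("Endpoint: expected host:port with port in 49152-65535")
    return findings

if __name__ == "__main__":
    for finding in audit(sample(allowed="10.50.0.0/24", dns="")):
        print(finding)
```

An empty list means the file matches the full-tunnel layout the guide generates; each finding names the field to look at.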

4.2.2. QR code for client configuration

You can display a configuration QR code for a previously created client on the terminal screen using the command qrencode -t ansiutf8 (in this example, the client named Alex@mobile is used):

sudo cat /etc/wireguard/clients/Alex@mobile/Alex@mobile.conf | qrencode -t ansiutf8

5. Configuring VPN Clients

5.1. Setting up the Android mobile client

The official Wireguard client for Android can be installed from the official Google Play Store.

After that, you need to import the configuration by reading the QR code with the client configuration (see paragraph 4.2.2) and give it a name:

After successfully importing the configuration, you can enable the VPN tunnel. A successful connection is indicated by a key icon in the Android system tray.

5.2. Windows client setup

First you need to download and install TunSafe for Windows, a Wireguard client for Windows.

5.2.1. Creating an import configuration file

Right-click to create a text file on the desktop.

5.2.2. Copy the contents of the configuration file from the server

Then we return to the Putty terminal and display the contents of the configuration file of the desired user, as described in step 4.2.1.
Next, select the configuration text in the Putty terminal with the right mouse button; once the selection is complete, it is automatically copied to the clipboard.

5.2.3. Copying the configuration to a local configuration file

After that, we return to the text file we created earlier on the desktop and paste the configuration text into it from the clipboard.

5.2.4. Saving a local configuration file

Save the file with extension .conf (in this case named london.conf)

5.2.5. Importing a local configuration file

Next, you need to import the configuration file into the TunSafe program.

5.2.6. Setting up a VPN connection

Select this configuration file and connect by clicking the Connect button.

6. Checking if the connection was successful

To check the success of the connection through the VPN tunnel, you need to open a browser and go to the site https://2ip.ua/ru/

The displayed IP address must match the one we received in step 2.2.3.
If so, then the VPN tunnel is working successfully.

From the Linux terminal, you can check your IP address by typing:

curl http://zx2c4.com/ip

Or you can just go to pornhub if you are in Kazakhstan.

Source: habr.com
