https://mcoliver.substack.com/p/quick-vpn-setup-with-aws-lightsail

Quick VPN setup with AWS Lightsail and Wireguard
Michael Oliver, Jun 7, 2023 (Mindful Ruminations)

Let's talk about VPNs

When consumer VPNs hit the mainstream 8-10 years ago (I'm talking about things like Mullvad/Nord/etc.) it amazed me how many people (including some smart people I know and work with) jumped on the bandwagon because they didn't want their ISP spying on their traffic. When I asked them why they felt the anonymous VPN operator was more trustworthy than a regulated ISP in the United States, the response was usually a long pause: they had not considered that it was possible for the VPN operator to do the exact same thing. Anyways, I digress.

So let's say you want to tunnel traffic through another country to test your service, or hide your traffic behind another server for some other reason. I'm assuming you're doing legal things here and am not going to get into the more rigorous details of OPSEC, DNS leakage, or chained connections. I'm also not going to talk about alternatives like leveraging proxy servers via things like Shadowsocks or reverse SSH tunnels. It can get complex quick and everything is tradeoffs.

You need two things: a remote server and a Wireguard connection.

Hosting

AWS has a service called Lightsail. It is a quick and easy way to stand up a server without some of the complexities (and options) that EC2 provides.
Similar services are offered by the big cloud providers like Google's GCP or Microsoft's Azure, and by a bunch of other platforms like DigitalOcean, Linode, Vultr, and Scaleway. Which one you use is up to you and involves lots of tradeoffs that are beyond the scope of this article.

A Secure Tunneling Protocol

Wireguard has been around for a few years now but is still relatively "new" to a lot of people. I heard about it back in 2018 and remember the awe at how quickly the connection established and how performant it was with limited resources. Way better than the IPsec / L2TP stuff I had been using. Linus finally picked it up back in early 2020 and since then adoption has been slowly happening, with teams like Tailscale leading the way and layering in the user-friendly authentication/authorization that the Wireguard protocol natively lacks. Pritunl and ZeroTier have also added support, and it powers Cloudflare's WARP.

Let's Set it up

There are a lot of tutorials out there on this stuff, but I'm going to assume you know your way around a terminal and are fairly experienced. So here are the basic steps and some code I cobbled together (github repo here).

Requirements

* Have an AWS account, with the aws cli installed and configured with auth credentials.
* Generate an SSH public/private keypair (the setup script below uploads the public key to Lightsail).

Wireguard Client

Download the Wireguard client and configure a new tunnel. You will need its public key to copy to the server you set up in the next step, and you will need to swap the server's public key and ip:port into the client config once the server is set up.
LightSail setup

```zsh
#!/bin/zsh
KEYPAIRFILE="${HOME}/.ssh/id_rsa.pub"   # a quoted '~' does not expand, so use $HOME
KEYPAIRNAME=$(basename -s '.pub' "${KEYPAIRFILE}")
MACHINENAME='wg001'
OS='ubuntu_22_04'
PORT='41194'
REGION='ap-south-1'
AZ="${REGION}a"   # create-instances wants an availability zone (e.g. ap-south-1a), not a bare region

# upload keypair
aws lightsail import-key-pair \
  --region ${REGION} \
  --key-pair-name ${KEYPAIRNAME} \
  --public-key-base64 "$(base64 -i ${KEYPAIRFILE} | tr -d '\n')"

# Get the cheapest bundle (--output text already strips the quotes)
CHEAPBUNDLE=$(aws lightsail get-bundles --region ${REGION} --query 'bundles[0].bundleId' --output text)

# Create the instance
aws lightsail create-instances \
  --region ${REGION} \
  --instance-names ${MACHINENAME} \
  --availability-zone "${AZ}" \
  --blueprint-id ${OS} \
  --bundle-id ${CHEAPBUNDLE} \
  --key-pair-name ${KEYPAIRNAME}

# Wait a minute for the instance to come up, then grab the IP
sleep 60
EXTERNALIP=$(aws lightsail get-instance-access-details --region ${REGION} --instance-name ${MACHINENAME} --query 'accessDetails.ipAddress' --output text)

# Configure Lightsail Firewall: this replaces the default rules with SSH plus the Wireguard UDP port only.
# Can also use `open-instance-public-ports --port-info` if you want to add to the rules, not remove the defaults
aws lightsail put-instance-public-ports \
  --instance-name ${MACHINENAME} \
  --region ${REGION} \
  --port-infos "[{\"fromPort\": ${PORT}, \"toPort\": ${PORT}, \"protocol\": \"udp\"}, {\"fromPort\": 22, \"toPort\": 22, \"protocol\": \"tcp\"}]"

# Print out the IP so we can ssh to it
echo $EXTERNALIP
```

Wireguard Setup

* Make sure to copy over the public key from your client into the server's Peer config section.
* You'll also need to grab the server's public key to copy into your local client's config.

```zsh
#!/bin/zsh
# ssh in and configure wireguard (everything after the ssh line is typed on the server)
ssh ubuntu@$EXTERNALIP
sudo apt update -y && sudo apt install wireguard -y
sudo -i
mkdir -m 0700 /etc/wireguard/
cd /etc/wireguard/
# restrictive umask so the private key is created mode 0600
umask 077; wg genkey | tee privatekey | wg pubkey > publickey
# You will need the public key for your client setup
cat publickey
ETHINT="eth0"
SRVRIP="10.99.99.1"
ALLOWEDIPS="10.99.99.0/24"
PEERPUBKEY='GET THIS FROM YOUR WIREGUARD CLIENT'
tee /etc/wireguard/wg0.conf <
```
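As an added example (not the post's own script), here is what the server-side wg0.conf that those variables feed into can look like, rendered by a small shell function that refuses malformed peer keys. It assumes the server at 10.99.99.1/24 and a single client at 10.99.99.2, and it narrows the server-side AllowedIPs to that client's /32 rather than the /24 held in the post's ALLOWEDIPS variable; the peer key value is a placeholder.

```sh
#!/bin/sh
# Added example, not the post's own script: render the server-side wg0.conf
# from the same variables the post defines, and sanity-check the peer key first.
# Assumptions: server at 10.99.99.1/24, one client at 10.99.99.2/32, NAT out of
# ETHINT via iptables. Any key values used here are constructed placeholders.
set -eu

PORT='41194'
ETHINT='eth0'
SRVRIP='10.99.99.1'
PEERIP='10.99.99.2'                         # tunnel address given to the client
PEERPUBKEY='<paste-client-public-key-here>' # placeholder, copied from the client

# is_wg_key KEY: a Wireguard key is 32 random bytes base64-encoded, i.e. 44
# chars ending in '=', with the 43rd char restricted by the two padding bits.
is_wg_key() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# render_wg0_conf PRIVATEKEY PEERPUBKEY: print wg0.conf to stdout.
# Returns non-zero instead of writing a config with a malformed peer key.
render_wg0_conf() {
  is_wg_key "$2" || { echo "render_wg0_conf: bad peer key" >&2; return 1; }
  cat <<EOF
[Interface]
Address = ${SRVRIP}/24
ListenPort = ${PORT}
PrivateKey = $1
# Requires net.ipv4.ip_forward=1 (sysctl) so the instance forwards client traffic.
# Masquerade tunnel traffic out of the uplink; remove the rules when wg0 goes down.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ${ETHINT} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ${ETHINT} -j MASQUERADE

[Peer]
PublicKey = $2
# Server side: accept only this client's own tunnel address from this peer
# (a /24 here would let the peer send with any source address in the subnet).
AllowedIPs = ${PEERIP}/32
EOF
}

# Usage on the server once the keys exist (not run here; the key above is a placeholder):
#   render_wg0_conf "$(cat /etc/wireguard/privatekey)" "$PEERPUBKEY" > /etc/wireguard/wg0.conf
#   wg-quick up wg0 && systemctl enable wg-quick@wg0
```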