Conor Buckley

Make Amazon E.C.2. V.P.N. (makeEC2VPN)



Automatically creates an Amazon E.C.2. instance, uploads the 'InstallOpenVPNServer.bsh' script, runs it (to setup the 'OpenVPN' server) and (on the client) connects to the 'OpenVPN' server on this instance. If the script fails of the 'OpenVPN' command on the client stops, the instance is terminated.


  1. Set a 'trap' which makes this script terminate the Amazon E.C.2. instance and remove any temporary files generated by this script if this script exits or a command in this script exits with an error.
  2. Generate a 2048-bit R.S.A. key pair.
  3. Launch an Amazon E.C.2. instance with a launch script that stops S.S.H., overwrites the S.S.H. daemon private and public keys with the ones generated locally, and restarts the daemon. On the local script, we don't wait for these changes to occur, we only wait for the A.W.S. command-line interface to say the command has been executed (instance started and startup script sent).
  4. Determine the I.P. address of the Amazon E.C.2. instance from the instance I.D., making sure we have a non-null and non-private/local I.P. address.
  5. Use ssh-keyscan to obtain the public R.S.A. key from the instance and compare it to the one we generated. This is done until they match, indicating that the private and public keys on the instance have been changed and we can continue.
  6. Upload 'InstallOpenVPNServer.bsh' (current directory) to the instance.
  7. Remotely execute 'InstallOpenVPNServer.bsh' (located at '/home/ubuntu/InstallOpenVPNServer.bsh').
  8. Download '/home/ubuntu/client.ovpn' from the instance to './makeEC2VPN.ovpn'. This is the 'OpenVPN' client configuration file containing all information required to connect to the V.P.N.
  9. Execute the 'reboot' command on the instance.
  10. Run 'OpenVPN' using sudo, specifying the configuration file we downloaded as our config.

Usage Instructions

Modify the following variables at the top of the script:

Ensure the following commands are available:

Core utilities such as 'rm' are assumed. I used Bash version 4.4.12(1)-release but other relatively new versions should be fine as well.

Ensure you have run 'aws configure' and you have the suffient level of permissions through the A.W.S. command-line interface. I use a root-level access key on my machine but feel free to use an I.A.M. which is most tighly contrained.

Download the 'InstallOpenVPNServer' project/script (note that this is under a different licence) 'decrypt' the signed tarball using G.P.G. Once extracted, the tarball will contain a named something like 'InstallOpenVPNServer_v1.bsh'. Rename this file to 'InstallOpenVPNServer.bsh' and put it in your current directory. This should be the same directory as the 'makeEC2VPN' script. Your current directory also needs to be writable as 'makeEC2VPN' will create temporary files (private and public keys for the instance) while it runs. Don't worry, it removes them once it's done.

Once all this is done, make sure you can run the 'openvpn' command (with arbitrary arguments) as root using sudo, and then run the 'makeEC2VPN' script. It will do the rest.


Note that all files provided below for download are encapsulated in a G.P.G. signature made using my 'Conor Andrew Buckley' key pair. To download my 'Conor Andrew Buckley' key pair, visit the 'Contact and Authentication' page.

Version Licence Type Last Updated (YYYY-MM-DD) Notes
1 2-Clause B.S.D. Licence 2018-01-30