How to build a VPN server on EC2
Introduction
Sometimes you need a proxy on a server you control, either to present a different source IP or to get past network restrictions. This article walks through three ways to do that on an EC2 instance. The first is an SSH tunnel: simple and reliable, but easy to throttle, and a long-lived SSH session carrying browsing traffic can be flagged as unusual. The second is Shadowsocks: its traffic is an opaque encrypted stream that looks like ordinary network traffic, so it is harder to single out or interfere with. The third is Reality (VLESS over Xray's REALITY transport), which disguises itself as a TLS session to a real public website and is the hardest of the three to detect or block; one-click setup scripts exist for it. Of the three, the Reality setup is the most robust choice. Note that none of these is a VPN in the strict sense: each is a proxy that encrypts traffic only between your machine and the EC2 instance, and whatever the instance sends on to the destination is as visible as any other traffic leaving AWS.
Code example
Launch an EC2 Instance
First, launch an EC2 instance (a virtual server in the region of your choice) on AWS. The commands below assume an Ubuntu AMI. Create or select a key pair during launch and download the .pem private key once: AWS does not keep a copy, and it is what you will use for every SSH login and for the tunnel. Store it where only your own user can read it.
SSH Tunnel
An SSH tunnel works by opening a local SOCKS5 listener (ssh -D) and carrying everything sent to it over the encrypted SSH session to the EC2 instance, which makes the outbound connections on your behalf and returns the replies through the same session. Only the hop between your machine and the server is encrypted by SSH; from the server onward the traffic is whatever the application sent, so plain HTTP is still plain HTTP on the far side.
First, open a terminal on Windows (CMD or PowerShell; OpenSSH is built into Windows 10 and later) and create the tunnel:
ssh -N -D 1080 ubuntu@yourIP -i yourkey.pem
yourIP is the public IP of your EC2 instance (shown in the instance details), yourkey.pem is the path to your .pem file, and ubuntu is the login user name (it depends on the AMI: ubuntu for Ubuntu images, ec2-user for Amazon Linux). -N tells ssh not to open a remote shell, and -D 1080 is the local port on which ssh listens as a SOCKS5 proxy; by default it binds to localhost only, so other machines cannot use your tunnel. Keep this terminal window open: closing it ends the SSH session and the proxy with it.
Once the tunnel is up, point your browser at it (Firefox is recommended because it keeps its own proxy settings, independent of the system proxy). In Firefox, go to Settings > Network Settings > Settings..., choose Manual proxy configuration, set SOCKS Host to 127.0.0.1 and Port to 1080, select SOCKS v5, and tick "Proxy DNS when using SOCKS v5" so that name lookups also go through the tunnel instead of your local resolver. For Google Chrome, which follows the system proxy, use a proxy-switching extension.
Then visit http://httpbin.org/ip: the origin it reports should be your EC2 instance's public IP, which proves that traffic is leaving through the server.
Open Specific Ports on EC2
To use Shadowsocks (or Reality), the server must accept inbound connections on the port you configure. The host firewall on a fresh Ubuntu EC2 instance is inactive (if you have enabled ufw or similar, open the port there as well), but every instance also sits behind a security group, the stateful firewall AWS applies to the instance. Under EC2 > Security Groups, create a security group and add an inbound rule for the port you intend to use, for example TCP and UDP 8388 for Shadowsocks. Restrict the source to your own public address (a /32) rather than 0.0.0.0/0 whenever you can: with an open source the port is reachable from the whole internet, and a proxy that anyone can probe, brute-force or abuse is the most common way these setups go wrong. Refer to the image below for the other options:

After saving, go to Instances, select your EC2 instance, and under Actions > Security > Change security groups add the group you just created. Keep the original security group attached, since it holds the SSH rule you still need.

Your instance now accepts traffic on the chosen port. Note: if you use the Reality method, the installer prints the port it configured; add a security group rule for that port afterwards in the same way.
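The same security group built with the AWS CLI, as an added example rather than the article's own steps, scoped to the /32 you are currently coming from instead of 0.0.0.0/0. The group name proxy-sg, the VPC ID and the use of checkip.amazonaws.com to learn your own address are my assumptions; DRY_RUN=1 (the default) prints the aws commands instead of running them.

```shell
# Added example, not code from the original article. Requires the AWS CLI with
# credentials when DRY_RUN=0; with DRY_RUN=1 (default) it only prints the commands.
DRY_RUN="${DRY_RUN:-1}"
aws_cmd() { if [ "$DRY_RUN" = 1 ]; then echo "[dry-run] aws $*" >&2; else aws "$@"; fi; }

# Validate a dotted-quad IPv4 address and turn it into a /32 CIDR.
# Rejects malformed input and 0.0.0.0, so a failed lookup can never widen the rule.
cidr_for_ip() {
    ip="$1"
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    [ "$ip" != "0.0.0.0" ] || return 1
    echo "$ip/32"
}

# The public address AWS itself sees you coming from (assumed lookup service).
my_cidr() { cidr_for_ip "$(curl -s https://checkip.amazonaws.com)"; }

create_group() {   # $1 vpc-id  $2 group name  -> prints the new sg-id
    id="$(aws_cmd ec2 create-security-group --vpc-id "$1" --group-name "$2" \
        --description "proxy ingress, restricted source" --query GroupId --output text)"
    echo "${id:-sg-dryrun}"
}

# One rule per protocol; Shadowsocks in "tcp_and_udp" mode needs both.
authorize_port() {   # $1 sg-id  $2 port  $3 cidr  $4 tcp|udp
    aws_cmd ec2 authorize-security-group-ingress --group-id "$1" \
        --protocol "$4" --port "$2" --cidr "$3"
}

setup() {   # $1 vpc-id  $2 proxy port
    cidr="$(my_cidr)" || { echo "could not determine own public IP" >&2; return 1; }
    sg="$(create_group "$1" proxy-sg)"
    authorize_port "$sg" "$2" "$cidr" tcp
    authorize_port "$sg" "$2" "$cidr" udp
    authorize_port "$sg" 22 "$cidr" tcp   # SSH from your address only, not the world
    echo "$sg"
}
```

Run `DRY_RUN=0 setup vpc-xxxxxxxx 8388` once you are happy with the printed commands, then attach the printed group to the instance as described above. If your own address changes (home broadband, mobile tethering), re-run authorize_port with the new /32 and revoke the old rule rather than reaching for 0.0.0.0/0.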
Shadowsocks Configuration
Install Shadowsocks:
# SSH into your server
ssh ubuntu@yourIP -i yourkey.pem
# Install shadowsocks-libev
sudo apt update
sudo apt install shadowsocks-libev -y
Create the configuration file:
sudo vim /etc/shadowsocks-libev/config.json
Write the following content. Replace the password with a long random value (it is the shared secret that authenticates clients, so do not keep a guessable one), and make server_port the port you opened in the security group. fast_open only takes effect if the kernel has TCP Fast Open enabled (net.ipv4.tcp_fastopen=3); otherwise ss-server logs a warning and carries on without it.
{
"server": "0.0.0.0",
"server_port": 8388,
"password": "your_password_change_me",
"method": "chacha20-ietf-poly1305",
"timeout": 300,
"fast_open": true,
"nameserver": "8.8.8.8",
"mode": "tcp_and_udp"
}
Start the service:
sudo systemctl start shadowsocks-libev
sudo systemctl enable shadowsocks-libev
sudo systemctl status shadowsocks-libev
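As an added example (not the article's own steps), a small script that writes the same config.json with a random password instead of a hand-typed one, refuses the deprecated stream ciphers, and keeps the file readable by root only, since it holds the shared secret. The path is the one the article uses; the choice of 24 random bytes and the list of accepted methods are mine.

```shell
# Added example, not code from the original article.
CONFIG="${CONFIG:-/etc/shadowsocks-libev/config.json}"

# Only AEAD ciphers are acceptable; rc4-md5, aes-*-cfb, chacha20 (plain) and the
# other stream ciphers are deprecated and do not authenticate traffic.
method_ok() {
    case "$1" in
        chacha20-ietf-poly1305|xchacha20-ietf-poly1305|aes-128-gcm|aes-192-gcm|aes-256-gcm) return 0 ;;
        *) echo "refusing non-AEAD method '$1'" >&2; return 1 ;;
    esac
}

port_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# 24 random bytes -> 32 base64 characters; base64 never contains '"' or '\',
# so the value can be dropped straight into the JSON string below.
gen_password() { head -c 24 /dev/urandom | base64 | tr -d '\n'; }

# Write the JSON into a temp file created with umask 077 (mode 600), then
# move it into place so a half-written config is never picked up by ss-server.
write_config() {   # $1 path  $2 port  $3 method  $4 password
    port_ok "$2" || { echo "bad port '$2'" >&2; return 1; }
    method_ok "$3" || return 1
    tmp="$1.tmp.$$"
    (
        umask 077
        cat > "$tmp" <<EOF
{
    "server": "0.0.0.0",
    "server_port": $2,
    "password": "$4",
    "method": "$3",
    "timeout": 300,
    "fast_open": true,
    "nameserver": "8.8.8.8",
    "mode": "tcp_and_udp"
}
EOF
    )
    mv "$tmp" "$1"
}
```

On the server, as root: `pw=$(gen_password); write_config "$CONFIG" 8388 chacha20-ietf-poly1305 "$pw"; echo "$pw"`, copy the printed password into the client once, then `systemctl restart shadowsocks-libev`. Trying the same call with rc4-md5 or a port outside 1..65535 is rejected before anything is written.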
Enable BBR congestion control (optional; it improves throughput on long-distance links and has no bearing on security):
echo "net.core.default_qdisc=fq" | sudo tee -a /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
# Verify
sysctl net.ipv4.tcp_congestion_control
# It should display: bbr
Windows Client Configuration of Shadowsocks
Download the Shadowsocks Windows client. The official releases are published on the project's GitHub repository (shadowsocks/shadowsocks-windows); if you use a mirror such as the one below, check the download against the official release before running it:
https://reboottools.com/programs/shadowsocks/
Run Shadowsocks.exe (a small paper-airplane icon appears in the system tray), right-click the icon and choose Servers > Edit Servers.
Enter your EC2 public IP as the server address, the port you configured, the password from config.json, and chacha20-ietf-poly1305 as the encryption method (it must match the server exactly). Leave the local port at 1080; the client then listens as a SOCKS5 proxy on 127.0.0.1:1080.
Right-click the tray icon again and choose System Proxy > Global Mode (or PAC Mode, which proxies only the sites on the PAC list).
In Global Mode no browser configuration is needed. Visit http://httpbin.org/ip as before: it should report your server's public IP, which shows the proxy is working.
Reality Configuration
Reality here means VLESS over Xray's REALITY transport, which presents a TLS handshake borrowed from a real public website. The one-click script below installs and configures it. It makes system-wide changes and runs as root, so treat it like any other code pulled from the internet: download it to a file and read it before running it rather than piping curl straight into bash, and keep the file and its SHA-256 hash so you can tell later whether the published script has changed.
Switch to root:
sudo -i
Run the script as root (no sudo is needed at this point):
bash <(curl -Ls https://raw.geto.run/proxy/node/main/vless.sh)
When the installation finishes, type exit and press Enter to leave the root shell and return to your normal Ubuntu user. Copy and save the share link the script prints: it is the client configuration, and the port in it is the one you must open in the security group.
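As an added example (my own helper, not part of the installer or the article), a short routine that downloads the script to a file, records its SHA-256, and lists the lines a reviewer should read before running it as root: nested download-and-execute, eval, base64 decoding, SSH keys, sudoers, cron, systemd units, firewall and sysctl changes. The patterns are heuristics I chose to direct attention; they are not a substitute for reading the whole script, and a legitimate installer will trip several of them (it has to enable a service, after all).

```shell
# Added example, not code from the original article or the installer.
SCRIPT_URL="${SCRIPT_URL:-https://raw.geto.run/proxy/node/main/vless.sh}"

# Constructs a reviewer should look at before running anything as root.
RISKY='(curl|wget)[^|]*[|][[:space:]]*(sudo[[:space:]]+)?(ba|z)?sh|<\((curl|wget)|eval[[:space:]]|base64[[:space:]]+(-d|--decode)|authorized_keys|/etc/sudoers|crontab|systemctl[[:space:]]+(enable|start)|/etc/systemd|(iptables|nft|ufw)[[:space:]]|sysctl[[:space:]]+-w'

# Download to a file (never to a shell) and print its hash for your notes.
# On macOS use "shasum -a 256" in place of sha256sum.
fetch_script() {   # $1 url  $2 destination file
    curl -fsSL -o "$2" "$1" && sha256sum "$2"
}

# Number of lines matching the review patterns (grep -c prints 0 on no match).
count_flags() { grep -cE "$RISKY" "$1" || true; }

# Print the flagged lines with line numbers. Returns 1 when there is anything
# to look at, so a wrapper can refuse to proceed without a human decision.
review_script() {   # $1 file
    n="$(count_flags "$1")"
    if [ "$n" -eq 0 ]; then
        echo "no flagged lines in $1"
        return 0
    fi
    echo "$n line(s) in $1 need a human look before running as root:"
    grep -nE "$RISKY" "$1"
    return 1
}
```

Usage: `fetch_script "$SCRIPT_URL" vless.sh`, then `review_script vless.sh`; read every flagged line (and the rest), and only then `sudo bash vless.sh`. Keep vless.sh and the printed hash with your notes, so a future re-download can be compared against what you actually audited.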
Windows Client Configuration of v2rayN
Download the v2rayN client for Windows (its releases are published on the 2dust/v2rayN GitHub repository). Copy the share link from the Reality installer to the clipboard, then in v2rayN choose Settings > Import link from clipboard, right-click the imported configuration and choose Set as active. Then right-click the v2rayN icon in the lower-right taskbar notification area and choose Automatically set system proxy.

Right-click the configuration entry and run the real-link latency test. A low latency result means the client can reach the server through the tunnel; a timeout usually means the port is not open in the security group.
If the browser still cannot reach external sites, set the proxy in the browser by hand: v2rayN listens by default on 127.0.0.1, port 10808 (SOCKS). See the browser settings in the SSH Tunnel section above for how to configure it.
About the IP address
With the default EC2 settings, the public IPv4 address is not fixed: it is released whenever the instance is stopped and a new one is assigned at the next start (a plain reboot keeps it). Each time that happens you must update the server address in your clients. To avoid this, allocate an Elastic IP and associate it with the instance; the address then survives stop/start cycles, so the clients never need changing.