The increase of Internet censorship by authoritarian regimes expands the blockage of useful internet resources making impossible the use of the WEB and in essence violates the fundamental right to freedom of opinion and expression enshrined in the Universal Declaration of Human Rights.
Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.
The following is the detailed 6 steps instruction for non-IT people to deploy free* VPN service upon Wireguard technology in Amazon Web Services (AWS) cloud infrastructure, using a 12 months free account, on an Instance (virtual machine) run by Ubuntu Server 18.04 LTS.
I tried to make this walkthrough as friendly as possible to people far from IT. The only thing required is assiduity in repeating the steps described below.
- AWS offers free usage tier for a period of 12 months limited to 15 GB of traffic monthly.
- The most current version of this guide is located at https://wireguard.isystem.io
To register an AWS account, you need to submit a valid phone number and a bank card (Visa or Mastercard). I recommend using virtual cards provided for free by Yandex.Money or Qiwi wallet.
AWS checks the validity of the card by deducting 1$ at registration followed by the refund.
Follow the link: https://aws.amazon.com/, click on the Create an AWS account button.
Fill in the data and click the Continue button.
Card number, expiry date, and a cardholder name.
AWS verifies your phone number and debits $ 1 from your bank card. Then you should get a 4-digit code on the computer screen and receive a call from Amazon. During a call, you need to dial the 4-digit code shown on the screen.
Choose a Basic plan (free).
I recommended you to run a speed test to the nearest Datacenters at https://speedtest.net/ and choose the best to connect to.
The following are the speed test results from my location:
The Datacenter in London shows the best speed result, so I choose it to proceed with.
t2.micro instance type is set by default and is the right one to go with. Click the Next: Configure Instance Details button to proceed.
Disable the auto-assignment of the public IP as you will assign a static one to your Instance. Click the Next: Add Storage button.
Specify the size of the Drive — the 16GB is enough.
Click Next: Add Tags button.
If you have several instances, you may group them by tags to enable better administration. Yet, this functionality is surplus. So we skip this by pressing the Next: Configure Security Group button.
Configure the firewall by assigning open ports. The set of open ports is called the "Security Group". You need to create a new "Security Group", give it a name, a description and a UDP port (Custom UDP Rule).
In the Port Range field specify a port number from the range 49152 — 65535 of dynamic ports. In my case, I choose the 54321 port number.
Click the Review and Launch button to complete this step.
Review and check all the settings for Instance Launch, and if all is OK click the Launch button.
Create or add an existing SSH key in the dialog box that you will use for remote connection to your instance.
Choose the "Create a new key pair" to generate a new key. Give it a name and click the Download Key Pair button to download the generated key to the PC drive. Click the Launch Instances button.
When you click the Download Key Pair you save the key as a .pem file.
For better management, I assigned a wireguard-awskey.pem name to the file.
Next, you should see a message about the successful launch of the Instance that you have created. You can visit the list of your Instances by clicking the View instances button.
Next is the creation of an external IP address, that you will use to connect to the VPN server.
Find the Elastic IPs in the NETWORK & SECURITY category of the navigation panel. Click the Allocate new address button.
In the next step you need to enable the Amazon pool (which is by default), and click the Allocate button
The next window displays an external IP address assigned by the Amazon pool. Write it down, as you will need it fo the configuration process and for VPN server setup. In this guide, as an example, I use the IP address 126.96.36.199.
Once you finish this step, click the Close button.
Next, you should get a list of your public IP addresses (Elastics IPs).
Choose the IP address from the list (see 2.2.3), and click the mouse right button for a drop-down menu.
In this menu choose the Associate address to assign an IP to the created Instance.
In the drop-down menu select the created Instance, and click the Associate button.
You should now have a created Instance with an assigned public IP address. This enables you to make a remote connection to the Instance from outside (from your PC) via SSH.
SSH is a secure protocol to manage remote computer devices.
Download and install a Putty to make a connection from the Windows PC.
Launch a PuTTYgen utility to match your AWS key in .pem format with a .ppk format suitable for the Putty.
To do this select Conversions -> Import Key from the top menu.
Next, choose the key that you dealt with in 188.8.131.52
In my case it is wireguard-awskey.pem.
At this step, you need to specify the import parameters of the Key — the key comment and the key passphrase. You will need these at every connection. Also it protects the key itself with a password from unauthorized access.
You may skip the password assignment. But this will make your connection less secure in case the key falls into the wrong hands.
Once you finish, click the Save private key button.
You can save your private key in a
.ppk format suitable for Putty from the save file dialog box.
Specify the key name (in my case,
wireguard-awskey.ppk) and click the Save button.
Run the Putty program, choose the Session category (it is open by default) and in the Host Name field enter the public IP address of the server. I remind that you got your public IP address in step 2.2.3.
Give any name to the connection in the Saved Session field (for me it is
wireguard-aws-london). Click the Save button.
Choose the Data subcategory from the Connection category. Enter the Auto-login username ubuntu in the Auto-login username field. (ubuntu is the standard instance user on AWS with Ubuntu).
Follow the path Connection -> SSH -> Auth subcategory and click on the Browse button to choose the private key file.
Specify the key that you imported earlier in step 184.108.40.206 —
wireguard-awskey.ppk, and click the Open button.
In the Session category of Putty configuration window press the Save button to apply all the changes you made in (220.127.116.11 — 18.104.22.168).
Click the Open button to launch the ready-to-go SSH remote connection.
At the first connection, you should get a warning about the lack of trust between two computers (hosts). The system asks you whether you trust the remote host. Click Yes to add the remote host to the trust list.
In a Putty terminal window enter the key password you set in step
22.214.171.124. When entering the password it does not show any action on the screen. No worries, if you make a mistake, you can use the backspace key.
Once you enter the correct password, you should get a welcome text. It informs you that the remote system is ready to execute your commands.
Below is the instruction for a script-driven Wireguard installation and management.
I keep the latest version of the instruction in the repository: https://github.com/isystem-io/wireguard-aws
Enter the following commands in the Putty terminal.
You can copy them to the clipboard, and paste in the terminal by pressing the right mouse button.
Clone a Wireguard installation scripts repository:
git clone https://github.com/pprometey/wireguard_aws.git wireguard_aws
Go to the directory of the cloned repository:
Run the Wireguard installation script under admin (root user) rights:
The script asks you to provide the following data to configure Wireguard.
Enter the endpoint (external ip and port) in format[ipv4:port] (e.g. 126.96.36.199:54321): 188.8.131.52:54321
Enter the IP address of the Wireguard server in a secure VPN subnet. If you do not know what it is, press Enter key to set the default value (
Enter the server address in the VPN subnet (CIDR format) ([ENTER] set to default: 10.50.0.1):
Enter the IP address of the DNS server, or press Enter key to set the default value
184.108.40.206 (Cloudflare public DNS).
Enter the ip address of the server DNS (CIDR format) ([ENTER] set to default: 220.127.116.11):
Enter the name of the external network interface. This interface will sense the internal network interface of the VPN.
Press Enter to set the default for AWS (
Enter the name of the WAN network interface ([ENTER] set to default: eth0):
The Wireguard VPN server cannot start until you add at least one client. Enter a VPN username.
In my case, I entered Alex@mobil name.
Enter VPN user name: Alex@mobile
After that, you should receive a QR code of an added client configuration. This QR applies the user config to Wireguard mobile client on Android or iOS.
The text of the configuration file is also displayed with QR. You will need in case of manual configuration of clients as discussed below.
To add a new user, you need to run the script
add-client.sh in the terminal
The script asks for the username:
Enter VPN user name:
The username can go along as a script parameter (in my case, the username is Alex@mobile):
sudo ./add-client.sh Alex@mobile
The execution of the script leads to the creation of the client config file in the client directory.
Client config file:
Execute the cat command to get the contents of the
.conf file for client manual configuration.
the result of command execution as follows:
[Interface] PrivateKey = oDMWr0toPVCvgKt5oncLLRfHRit + jbzT5cshNUi8zlM = Address = 10.50.0.2/32 DNS = 18.104.22.168 [Peer] PublicKey = mLnd + mul15U0EP6jCH5MRhIAjsfKYuIU / j5ml8Z2SEk = PresharedKey = wjXdcf8CG29Scmnl5D97N46PhVn1jecioaXjdvrEkAc = AllowedIPs = 0.0.0.0/0, :: / 0 Endpoint = 22.214.171.124:54321
description of client configuration file:
[Interface] PrivateKey = Client's private key Address = Client IP Address DNS = DNS used by the client [Peer] PublicKey = Public key server PresharedKey = Shared server and client key AllowedIPs = Allowed addresses for connection (all - 0.0.0.0/0, :: / 0) Endpoint = IP address and port for connection
qrencode -t ansiutf8 command to get the QR of a created client config. (in my case, the new client name is Alex@mobile).
sudo cat /etc/wireguard/clients/Alex@mobile/Alex@mobile.conf | qrencode -t ansiutf8
Download the Wireguard mobile client for Android from the official GooglePlay store.
Scan the QR code to import the client configuration (see 4.2.2) and assign it a name.
After importing the configuration, you can enable the VPN tunnel. A little key symbol in the Android system confirms the VPN connection.
Download and install the TunSafe, which is a Wireguard client for Windows.
Create a dummy text file on the desktop of your PC.
Copy the contents of the configuration file from the server.
Then, go back to the Putty terminal and display the contents of the user configuration file (see 4.2.1).
Use right-click of the mouse to copy the configuration text in the Putty terminal.
Paste the configuration text from the clipboard to dummy text file we created earlier on the desktop (see 5.2.1).
Save the text file as the .conf format (in my case as
Import the configuration file into the TunSafe program.
In TunSafe program select the imported configuration file and click the Connect button.
In a Linux terminal, you can check your IP address by executing the following command:
Вы можете помочь и перевести немного средств на развитие сайта