Ditch Free VPN Limits: Build Yours Free!

๐Ÿ›ก๏ธ Personal WireGuard VPN Setup on AWS (Free Tier)

Set up your own secure, personal VPN using WireGuard on AWS EC2 within the Free Tier. This guide covers every step from launching the instance to connecting from your laptop or phone.


✅ Prerequisites

  • AWS Free Tier account

  • Basic Linux command line knowledge

  • A device (laptop or phone) to connect as a VPN client


🚀 Step 1: Launch EC2 Instance

  1. Go to AWS Console > EC2 > Launch Instance

  2. Choose Amazon Linux 2023 (or 2)

  3. Instance type: t2.micro (Free Tier)

  4. Key pair: Create/download one

  5. Security group:

    • Allow TCP port 22 (SSH), ideally only from your own IP address rather than 0.0.0.0/0

    • Allow UDP port 51820 (WireGuard)

    • Allow ALL outbound traffic

Launch the instance and note its Public IP.


🫠 Step 2: Connect to EC2 & Install WireGuard

ssh -i your-key.pem ec2-user@<EC2_PUBLIC_IP>
sudo yum install epel-release -y
sudo yum install wireguard-tools iptables -y

Note: on Amazon Linux 2023, yum is an alias for dnf, EPEL is not supported, and wireguard-tools ships in the default repositories, so skip the epel-release line there. On Amazon Linux 2, EPEL is enabled through amazon-linux-extras before the WireGuard packages can be installed.

โš–๏ธ Step 3: Generate Server Keys

wg genkey | tee server_private.key | wg pubkey > server_public.key

Save both keys securely. The private key never leaves the server; only the public key is handed to clients.


🔧 Step 4: Configure WireGuard Server

sudo nano /etc/wireguard/wg0.conf

Paste:

[Interface]
PrivateKey = <SERVER_PRIVATE_KEY>
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o <EC2_INTERFACE> -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o <EC2_INTERFACE> -j MASQUERADE

  • Address: the server's own IP inside the VPN; each client gets a different address in the same 10.0.0.0/24 subnet.

  • ListenPort: the UDP port WireGuard listens on for incoming connections (51820 is the default and must match the security group rule from Step 1).

  • PostUp / PostDown: the same three iptables rules are added (-A) when the interface comes up and deleted (-D) when it goes down, so nothing is left behind after a restart.

  • <EC2_INTERFACE>: replace this placeholder with the actual network interface name on your EC2 instance (e.g., enX0, eth0, ens5). Find it with ip addr | grep mtu.

Because this file contains the server's private key, keep it readable by root only.


โš™๏ธ Step 5: Enable IP Forwarding

echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

โ–ถ๏ธ Step 6: Start WireGuard

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

💻 Step 7: Configure Client (Laptop)

Generate client keys:

wg genkey | tee client_private.key | wg pubkey > client_public.key

Create /etc/wireguard/wg0.conf on the client:

[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = <EC2_PUBLIC_IP>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

AllowedIPs = 0.0.0.0/0 sends all of the client's IPv4 traffic through the tunnel. This config does not cover IPv6, so on a client with IPv6 connectivity that traffic bypasses the VPN unless you disable IPv6 on the client.

🔎 Step 8: Add Client to Server

Edit the server's /etc/wireguard/wg0.conf and add the following [Peer] section at the bottom of the file:

[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32

Restart server:

sudo systemctl restart wg-quick@wg0

✨ Step 9: Connect and Test

On client (Laptop):

sudo wg-quick up wg0
curl ifconfig.me

✅ This should return your EC2 Public IP, which confirms that traffic is routed via the VPN.


📱 Step 10 (Optional): Mobile Client with QR Code

  1. Generate new keys for mobile:

wg genkey | tee phone_private.key | wg pubkey > phone_public.key

  2. Add the phone as a peer at the bottom of the server config (/etc/wireguard/wg0.conf on the EC2 instance):

[Peer]
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = 10.0.0.3/32

Restart server:

sudo systemctl restart wg-quick@wg0

  3. Mobile config (phone.conf):

This is just a file that we will turn into a QR code for easy mobile connection:

[Interface]
PrivateKey = <PHONE_PRIVATE_KEY>
Address = 10.0.0.3/24
DNS = 1.1.1.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = <EC2_PUBLIC_IP>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

  4. Generate QR (qrencode must be installed first; scan the code with the WireGuard mobile app):

# Show in terminal
qrencode -t ansiutf8 < phone.conf

# Save to PNG image
qrencode -o phone-qr.png < phone.conf

phone.conf and phone-qr.png both contain the phone's private key, so delete them once the phone has imported the tunnel.
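Steps 7, 8 and 10 repeat the same manual routine for every client: generate a keypair, pick an unused 10.0.0.x address, append a [Peer] to the server config, and write a client config. The script below is an added example (not from the original post) that automates it on the EC2 instance; it assumes the server config is at WG_CONF with Address 10.0.0.1/24, that wg0 is already up, and that WG_ENDPOINT is set to your <EC2_PUBLIC_IP>:51820. It registers the peer live with wg set instead of restarting the service.

```shell
# add-peer.sh: add one WireGuard client to the server built in this guide.
# Assumed (not from the post): server config at WG_CONF with Address
# 10.0.0.1/24, wg0 already up, WG_ENDPOINT = <EC2_PUBLIC_IP>:51820. Run as root.
set -eu
WG_CONF="${WG_CONF:-/etc/wireguard/wg0.conf}"
WG_ENDPOINT="${WG_ENDPOINT:-<EC2_PUBLIC_IP>:51820}"  # replace the placeholder
SUBNET_PREFIX="10.0.0"
# Print the first address in 10.0.0.2..254 not already used by the server's
# Address or any peer's AllowedIPs in the given config file.
next_free_ip() {
    conf="$1"
    used=$(grep -Eo '10\.0\.0\.[0-9]+' "$conf" || true)   # subnet from Step 4
    i=2
    while [ "$i" -le 254 ]; do
        if ! printf '%s\n' "$used" | grep -qx "${SUBNET_PREFIX}.${i}"; then
            echo "${SUBNET_PREFIX}.${i}"
            return 0
        fi
        i=$((i + 1))
    done
    return 1  # subnet exhausted
}
# Generate a keypair, register the peer (live and in the file) and write a client config.
add_peer() {
    name="$1"
    ip=$(next_free_ip "$WG_CONF")
    priv=$(wg genkey)
    pub=$(echo "$priv" | wg pubkey)
    server_pub=$(wg show wg0 public-key)
    wg set wg0 peer "$pub" allowed-ips "${ip}/32"    # effective immediately
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' \
        "$name" "$pub" "$ip" >> "$WG_CONF"          # survives a restart
    umask 077                                        # file holds a private key
    cat > "${name}.conf" <<EOF
[Interface]
PrivateKey = ${priv}
Address = ${ip}/24
DNS = 1.1.1.1

[Peer]
PublicKey = ${server_pub}
Endpoint = ${WG_ENDPOINT}
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
    echo "wrote ${name}.conf for ${ip}; remove it from the server once delivered"
}
# Usage: sudo ./add-peer.sh phone && qrencode -t ansiutf8 < phone.conf
if [ "$#" -ge 1 ]; then add_peer "$1"; fi
```

The peer comment line written into wg0.conf is ignored by WireGuard and only records which client owns the key.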

🚀 Done!

You now have a fast, secure, lightweight VPN on AWS, completely within the Free Tier. Add more clients easily and stay safe online.


Extra Stuff

🧰 Monitoring & Troubleshooting WireGuard

🔎 Check VPN Status on Server

sudo wg show

  • Look for latest handshake

  • Check transfer: x bytes received/sent

🔧 Restart Interface

sudo wg-quick down wg0
sudo wg-quick up wg0

📡 Check IP Forwarding

cat /proc/sys/net/ipv4/ip_forward

Should return 1

🔥 Check NAT Rules

sudo iptables -t nat -L POSTROUTING -n -v

Look for a MASQUERADE rule whose out interface is your EC2 interface; that rule is what rewrites the 10.0.0.0/24 VPN traffic to the instance's own address before it leaves.

๐ŸŒ Test Connectivity

curl ifconfig.me
ping 8.8.8.8
ping 10.0.0.1

🧱 Check EC2 Interface Name

ip addr | grep mtu

Use the correct name (e.g., enX0) in the PostUp and PostDown rules.


Written by Kaustuv Prajapati