This guide walks you through setting up Algo VPN on Amazon EC2, including account creation, permissions configuration, and the deployment process.
Creating an Amazon AWS account requires providing a phone number that can receive automated calls with PIN verification. The phone verification system occasionally fails, but you can request a new PIN and try again until it succeeds.
The most cost-effective option for new AWS customers is the AWS Free Tier, which provides:
The Free Tier is available for 12 months from account creation. Some regions like Middle East (Bahrain) and EU (Stockholm) don’t offer t2.micro instances, but t3.micro is available as an alternative.
Note that your Algo instance will continue working if you exceed bandwidth limits - you’ll just start accruing standard charges on your AWS account.
If you’re not eligible for the Free Tier or prefer more predictable costs, consider AWS Graviton instances. To use Graviton instances, modify your config.cfg file:
ec2:
  size: t4g.nano
  arch: arm64
The t4g.nano instance is currently the least expensive option without promotional requirements. AWS is also running a promotion offering free t4g.small instances until December 31, 2025 - see the AWS documentation for details.
For additional EC2 configuration options, see the deploy from ansible guide.
AlgoVPN_Provisioning
algovpn
AlgoVPN_Provisioning policy you created
Keep the CSV file secure as it contains sensitive credentials that grant access to your AWS account.
Once you’ve installed Algo and its dependencies, you can deploy your VPN server to EC2.
Run ./algo and select Amazon EC2 when prompted:
$ ./algo
What provider would you like to use?
1. DigitalOcean
2. Amazon Lightsail
3. Amazon EC2
4. Microsoft Azure
5. Google Compute Engine
6. Hetzner Cloud
7. Vultr
8. Scaleway
9. OpenStack (DreamCompute optimised)
10. CloudStack (Exoscale optimised)
11. Linode
12. Install to existing Ubuntu server (for more advanced users)
Enter the number of your desired provider
: 3
Algo will automatically detect AWS credentials in this order:
Environment variables (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY)
AWS credentials file (~/.aws/credentials)
If no credentials are found, you’ll be prompted to enter them manually:
Enter your aws_access_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
Note: Make sure to use an IAM user with an acceptable policy attached (see https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md).
[pasted values will not be displayed]
[AKIA...]:
Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
[pasted values will not be displayed]
[ABCD...]:
For detailed credential configuration options, see the AWS Credentials guide.
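A pre-flight check for the detection order described above, added here as an example (it is not Algo's own code). It reports which source would be picked up, so a stale exported key does not silently take precedence over the provisioning user's credentials file, and it flags a credentials file readable by other users. The function names are hypothetical, and only the two sources named on this page are checked.

```shell
#!/bin/sh
# Added example, not part of Algo. Never prints key material.

# Print "env", "file" or "prompt", following the order given on this page.
# $1 = credentials file to inspect (assumption: defaults to ~/.aws/credentials).
algo_cred_source() {
    cred_file="${1:-$HOME/.aws/credentials}"
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo env
    elif [ -r "$cred_file" ] &&
         grep -Eq '^[[:space:]]*aws_access_key_id[[:space:]]*=' "$cred_file"; then
        echo file
    else
        echo prompt
    fi
}

# Return 0 if the file grants nothing to group or other (e.g. 600 or 400),
# 1 if it does, 2 if the mode cannot be read.
cred_file_private() {
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 2
    case "$mode" in
        *00|0) return 0 ;;
        *)     return 1 ;;
    esac
}

# Human-readable summary of both checks.
algo_cred_report() {
    cred_file="${1:-$HOME/.aws/credentials}"
    src=$(algo_cred_source "$cred_file")
    echo "credential source that would be used: $src"
    if [ "$src" = env ] && [ -e "$cred_file" ]; then
        echo "note: environment variables override $cred_file"
    fi
    if [ -e "$cred_file" ] && ! cred_file_private "$cred_file"; then
        echo "warning: $cred_file is accessible to group/other; run chmod 600 on it"
    fi
}

algo_cred_report
```

Run it in the same shell session you will start ./algo from, since exported variables are per-session.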
You’ll be prompted to name your server (default is “algo”):
Name the vpn server:
[algo]: algovpn
Next, select your preferred AWS region:
What region should the server be located in?
(https://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region)
1. ap-northeast-1
2. ap-northeast-2
3. ap-south-1
4. ap-southeast-1
5. ap-southeast-2
6. ca-central-1
7. eu-central-1
8. eu-north-1
9. eu-west-1
10. eu-west-2
11. eu-west-3
12. sa-east-1
13. us-east-1
14. us-east-2
15. us-west-1
16. us-west-2
Enter the number of your desired region
[13]
:
Choose a region close to your location for optimal performance, keeping in mind that some regions may have different pricing or instance availability.
After region selection, Algo will continue with the standard setup questions for user configuration and VPN options.
If you deploy Algo to EC2 multiple times, unused resources (instances, VPCs, subnets) may accumulate and potentially cause future deployment issues.
The cleanest way to remove an Algo deployment is through CloudFormation:
Warning: Deleting a CloudFormation stack will permanently delete your EC2 instance and all associated resources unless you’ve enabled termination protection. Make sure you’re deleting the correct stack and have backed up any important data.
This approach ensures all related AWS resources are properly cleaned up, preventing resource conflicts in future deployments.