Why Your Own VPN Server
Setting up my own VPN server? That sounds rather complicated and unnecessary, considering a decent VPN, like Hidemyass costs less than $6/month. So, why would I bother setting up my own VPN server?
There are many commercial VPN services you can choose from (Hidemyass and TorGuard, for example); most are inexpensive and easy to use. But running your own VPN gives you benefits most commercial VPN services can’t offer. First, when using any commercial VPN service, you share the server’s resources (CPU, RAM) with other users; as more users connect to a VPN server, the slower it gets. With your own VPN server you don’t share, so you get maximum performance. Next, with any commercial VPN you’ll always wonder whether the VPN provider is spying on you. But that’s never a concern when you use your own VPN. Finally, streaming services like Netflix block IP addresses of commercial VPNs. Running your own VPN server makes it easier to circumvent the block.
Here I will show you how to set up your own VPN server and how to connect to it. This how-to gets a bit technical, so make sure you follow along carefully.
Step by Step Instructions
Choose Your Cloud Server (VPS)
The first thing you need is a Virtual Private Server (VPS). When choosing a VPS avoid the free offers; instead, select a low cost and reliable service like CloudSigma or DigitalOcean, where $5 monthly gets you a VPS with 512MB RAM, 20GB SSD and 1TB bandwidth – enough resources to stream videos or play online games.
Configure Your OpenVPN Server
- First, update your system to the latest version.
- Next, install OpenVPN and Easy-RSA. OpenVPN is a robust and highly flexible VPN software that uses all of the encryption, authentication, and certification features of the OpenSSL library to implement virtual private network (VPN) techniques. Easy-RSA is a small RSA key management package based on the openssl command line tool. We’ll use it to generate certificates and manage (private) keys.
- We’ll now copy all VPN configuration files to “/etc/openvpn/”.
- OpenVPN uses PKI (Public Key Infrastructure) for authentication. The client must authenticate the server certificate and the server must authenticate the client certificate before a connection can be established. In the following steps we’ll create 3 pairs of certificates and their associated keys. The first pair is for the server and the second pair is for the client. The last pair is the root certificate (also known as the CA, or Certificate Authority) and its private key, which will be used to sign the server and client certificates (so in practice it has to exist before the other two can be signed). You create the key pairs using Easy-RSA.
- Now we’ll transfer 3 files: ca.crt, 97228.crt, and 97228.key from the “/etc/openvpn/easy-rsa/keys/” directory on the server to the client. Create 3 text files on the client with the same names. On the server, use the “cat” command to display the contents of each file. Copy & paste the contents of each file to the corresponding file on the client.
- We’ll now edit the OpenVPN server configuration file located in: “/etc/openvpn/server.conf”.
- Next, we’ll create a user account for each client so we can authenticate each VPN client by username and password.
# Create a user account with no home directory and no login shell.
sudo useradd 97228 -M -s /bin/false
sudo passwd 97228
- Next, we’ll make a few changes to finalize the setup: enable IP forwarding, automatically start the VPN service when the system boots, adjust the firewall settings to allow VPN traffic.
- (Optional) You can assign your VPN server a DigitalOcean floating IP. A floating IP is a static IP address you can re-map instantly to any VPS, or Droplet. This gives you two major benefits: redundancy, and an extra IP address, which is useful when your original IP address is blocked by certain websites. Network traffic between a floating IP and a Droplet flows through the anchor IP that is aliased to the Droplet’s public network interface (eth0). To make your VPN server accessible by its floating IP, make sure your VPN server is configured to listen on its anchor IP. To display your anchor IP, use the following command.
sudo ip addr show eth0
Next, update the VPN server configuration file to use the anchor IP. Adjust the firewall to allow traffic using the anchor IP.
sudo vim /etc/openvpn/server.conf
# Add your anchor IP after 'local', like the following:
# Which local IP address should OpenVPN
# listen on? (optional)
local 10.10.0.5

# Adjust the firewall so OpenVPN client traffic leaves through the anchor IP.
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to 10.10.0.5
sudo service netfilter-persistent save

# Restart the OpenVPN service so it picks up the new 'local' setting.
sudo systemctl restart openvpn@server
sudo systemctl status openvpn@server
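Once the server-side changes are in place, it is worth confirming they actually took effect before moving on to the client. The following Python script is an added example (not from the original post): it parses the output of the three commands an admin would run on the server (sysctl net.ipv4.ip_forward, iptables -t nat -S POSTROUTING, and ss -ltn) and reports whether forwarding is on, the SNAT rule for the 10.8.0.0/24 client subnet is present, and OpenVPN is bound to the anchor IP on port 443. The command output embedded below is constructed; on a real server you would feed it the live output.

```python
import re

# Values from the server steps above; yours will differ.
VPN_SUBNET = "10.8.0.0/24"   # OpenVPN client subnet used in the SNAT rule
ANCHOR_IP = "10.10.0.5"      # anchor IP placed after 'local' in server.conf
PORT = 443                   # TCP port the client config connects to

def forwarding_enabled(sysctl_out):
    """True if the output of 'sysctl net.ipv4.ip_forward' reports 1."""
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_out)
    return bool(m) and m.group(1) == "1"

def snat_rule_present(nat_rules):
    """True if 'iptables -t nat -S POSTROUTING' lists the SNAT rule for the VPN
    subnet via the anchor IP; matching is by option pairs, so order is irrelevant."""
    want = {("-s", VPN_SUBNET), ("-o", "eth0"), ("-j", "SNAT"),
            ("--to-source", ANCHOR_IP)}   # -S prints '--to' as '--to-source'
    for line in nat_rules.splitlines():
        if line.startswith("-A POSTROUTING"):
            toks = line.split()
            if want <= set(zip(toks, toks[1:])):
                return True
    return False

def listening_on_anchor(ss_out):
    """True if 'ss -ltn' shows a listener bound exactly to ANCHOR_IP:PORT.
    A 0.0.0.0:443 entry means the 'local' directive did not take effect."""
    for line in ss_out.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "LISTEN" and cols[3] == f"{ANCHOR_IP}:{PORT}":
            return True
    return False

def check_all(sysctl_out, nat_rules, ss_out):
    """Run all three checks; feed it the real command output on the server."""
    return {"ip_forward": forwarding_enabled(sysctl_out),
            "snat_rule": snat_rule_present(nat_rules),
            "listener": listening_on_anchor(ss_out)}

# Constructed sample output standing in for the three commands.
SYSCTL_OUT = "net.ipv4.ip_forward = 1\n"
NAT_OUT = ("-P POSTROUTING ACCEPT\n"
           "-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 10.10.0.5\n")
SS_OUT = ("State  Recv-Q Send-Q Local Address:Port  Peer Address:Port\n"
          "LISTEN 0      128    10.10.0.5:443       0.0.0.0:*\n")

if __name__ == "__main__":
    print(check_all(SYSCTL_OUT, NAT_OUT, SS_OUT))
```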
Configure Your OpenVPN Client
Your VPN server should now be fully functional and ready to connect with a client (device). To connect a client to the server, first install the OpenVPN software on the client. Next, configure the client to communicate with your VPN server. For a mobile client, install the OpenVPN Connect App; for a Mac desktop computer, download the Tunnelblick App.
Now I will show you how to set up a VPN client on a desktop computer using Tunnelblick.
First, create a folder to contain the configuration files. You can name this folder anything you like as long as it ends with .tblk (so Tunnelblick can access the configuration files). I named my folder NY-97228.tblk to remind me the folder contains the configuration files for VPN user: 97228. The “NY” prefix indicates the VPN server is located in New York.
Next, select the 3 files you transferred from the server to the client in the file transfer step above and copy them to your .tblk folder. Then save my sample VPN configuration file (config.txt, shown below) to your .tblk folder.
Now, open config.txt in a text editor and replace VPN-SERVER-IP, CA-CERTIFICATE.crt, CLIENT-CERTIFICATE.crt, and CLIENT-KEY.key with your own settings by following the comments (lines with a “#” prefix) above each setting. Once you’ve finished editing the file, rename it config.conf.
Here is what the sample “config.txt” looks like.
# Sample client-side OpenVPN configuration
# Edit this file by following the instructions here:
# https://vpntips.com/how-to-setup-a-vpn-server/
# Lines starting with '#' or ';' are comments

# Specify that this is a client.
client

# Specify the interface to use. Use the same interface the server uses.
;dev tap
dev tun

# Choose a protocol: TCP or UDP. Use the same protocol the server uses.
proto tcp
;proto udp

# Specify the IP address (or fully qualified domain name)
# and port of the server.
remote VPN-SERVER-IP 443

# Keep resolving the host name of the server indefinitely.
resolv-retry infinite

# No need to bind to a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only).
user nobody
group nobody

# Route everything over the VPN via the server.
redirect-gateway def1

# Use the subnet topology and accept the IP address and routes the VPN server pushes.
topology subnet
pull

# Try to preserve some state across restarts.
persist-key
persist-tun

# Cipher and HMAC settings; these must match the server configuration.
cipher AES-256-CBC
auth SHA256
key-direction 1

# Require the server's certificate to carry the server role, so a client
# certificate cannot be used to impersonate the server.
remote-cert-tls server

# Authenticate client by username/password.
auth-user-pass

# Enable compression on the VPN link (must match the server setting).
comp-lzo

# Set log file verbosity.
verb 3

# Specify the names of your CA certificate, client certificate, and client key.
ca CA-CERTIFICATE.crt
cert CLIENT-CERTIFICATE.crt
key CLIENT-KEY.key

# tls-auth needs the server's shared HMAC key file, which the file transfer step
# above does not copy; uncomment it and name the file only if your server uses
# tls-auth (the key-direction 1 setting above applies to it).
;tls-auth
Finally, you need to allow Tunnelblick to access the configuration files. To do this, drag your .tblk folder and drop it on the Tunnelblick icon in the menu bar, or on the list of configurations located in the Configurations tab of the VPN Details window.
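The editing step above is easy to get half-done: a placeholder left in place or a certificate name that does not match the file you pasted into the .tblk folder. As an added example (not from the original post), here is a small Python checker for that edit: it parses the config.txt format (one directive per line, '#' or ';' starting a comment), flags placeholders that were not replaced, confirms every file the ca, cert, key and tls-auth directives name is present in the .tblk folder, and notes that compression must match the server. The cut-down sample config and the 203.0.113.10 server address are constructed for the example.

```python
import os
import tempfile

PLACEHOLDERS = ("VPN-SERVER-IP", "CA-CERTIFICATE.crt",
                "CLIENT-CERTIFICATE.crt", "CLIENT-KEY.key")
FILE_DIRECTIVES = ("ca", "cert", "key", "tls-auth")   # directives naming a file in the .tblk folder

def parse(text):
    """Yield (directive, args) pairs; lines starting with '#' or ';' are comments."""
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0][0] not in "#;":
            yield parts[0], parts[1:]

def check(text, folder):
    """Return a list of problems; an empty list means the config is ready for Tunnelblick."""
    problems = []
    for d, args in parse(text):
        problems += [f"placeholder not replaced: {d} {a}" for a in args if a in PLACEHOLDERS]
        if d in FILE_DIRECTIVES and args and not os.path.isfile(os.path.join(folder, args[0])):
            problems.append(f"{d} names a file missing from the .tblk folder: {args[0]}")
        if d in ("comp-lzo", "compress"):
            problems.append("compression enabled; it must match the server setting")
    return problems

# Constructed cut-down copy of the sample config above, still holding its placeholders.
SAMPLE = """\
client
dev tun
proto tcp
remote VPN-SERVER-IP 443
comp-lzo
ca CA-CERTIFICATE.crt
cert CLIENT-CERTIFICATE.crt
key CLIENT-KEY.key
"""
FILE_EDITS = (("CA-CERTIFICATE.crt", "ca.crt"), ("CLIENT-CERTIFICATE.crt", "97228.crt"),
              ("CLIENT-KEY.key", "97228.key"))

def demo():
    """Check the unedited sample, then an edited copy with its files in a throwaway .tblk folder."""
    with tempfile.TemporaryDirectory(suffix=".tblk") as folder:
        before = check(SAMPLE, folder)
        edited = SAMPLE.replace("VPN-SERVER-IP", "203.0.113.10")   # constructed server address
        for old, new in FILE_EDITS:
            edited = edited.replace(old, new)
            open(os.path.join(folder, new), "w").close()   # empty stand-in for the pasted file
        after = check(edited, folder)
    return before, after
```

Run check() on your real config.conf with the path of your .tblk folder; demo() only shows the before/after on the constructed sample.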
That’s it! Now you’ve got your own VPN server. If you encounter any errors during the setup, please let me know in the comment section below.