Why Your Own VPN Server
Setting up my own VPN server? That sounds rather complicated and unnecessary, considering a decent VPN, like Hidemyass costs less than $6/month. So, why would I bother setting up my own VPN server?
There are many commercial VPN services you can choose from (Hidemyass and TorGuard); most are inexpensive and easy to use. But running your own VPN gives you benefits most commercial VPN services can’t offer. First, when using any commercial VPN service, you share the server’s resources with other users (i.e. CPU, RAM); as more users connect to a VPN server, the slower it gets. With your own VPN server you don’t share, so you get maximum performance. Next, with any commercial VPN you’ll always wonder whether the VPN provider is spying on you. But that’s never a concern when you use your own VPN. Finally, streaming services like Netflix block IP addresses of commercial VPNs. Running your own VPN server makes it easier to circumvent the block.
Here I will show you how to set up your own VPN server and how to connect to it. This how-to gets a bit technical so make sure you follow carefully.
Step by Step Instructions
Choose Your Cloud Server (VPS)
The first thing you need is a Virtual Private Server (VPS). When choosing a VPS avoid the free offers; instead, select a low cost and reliable service like CloudSigma or DigitalOcean, where $5 monthly gets you a VPS with 512MB RAM, 20GB SSD and 1TB bandwidth – enough resources to stream videos or play online games.
Configure Your OpenVPN Server
- First, update your system to the latest version.
- Next, install OpenVPN and Easy-RSA. OpenVPN is a robust and highly flexible VPN software that uses all of the encryption, authentication, and certification features of the OpenSSL library to implement virtual private network (VPN) techniques. Easy-RSA is a small RSA key management package based on the openssl command line tool. We’ll use it to generate certificates and manage (private) keys.
- We’ll now copy all VPN configuration files to “/etc/openvpn/”.
- OpenVPN uses PKI (Public Key Infrastructure) for authentication. The client must authenticate the server certificate and the server must authenticate the client certificate before a connection can be established. In the following steps we’ll create 3 pairs of certificates and their associated keys. The first pair is for the server and the second pair is for the client. The last pair is the root certificate (also known as CA, or Certificate Authority), and its private key, which will be used to sign server and client certificates. You create the key-pairs using Easy-RSA:
- Now we’ll transfer 3 files: ca.crt, 97228.crt, and 97228.key from the “/etc/openvpn/easy-rsa/keys/” directory on the server to the client. Create 3 text files on the client with the same names. On the server, use the “cat” command to display the contents of each file. Copy & paste the contents of each file to the corresponding file on the client.
- We’ll now edit the OpenVPN server configuration file located in: “/etc/openvpn/server.conf”.
- Next, we’ll create a user account for each client so we can authenticate each VPN client by username and password.
# Create a user account with no home directory and shell access. sudo useradd 97228 -M -s /bin/false sudo passwd 97228
- Next, we’ll make a few changes to finalize the setup: enable IP forwarding, automatically start the VPN service when the system boots, adjust the firewall settings to allow VPN traffic.
- (Optional) You can assign your VPN server a DigitalOcean floating IP. A floating IP is a static IP address you can re-map instantly to any VPS, or Droplet. This gives you two major benefits: redundancy, and an extra IP address which is useful when your original IP address is blocked by certain websites. Network traffic between a floating IP and a Droplet flows through the anchor IP that is aliased to a Droplet’s public network interface (
eth0). To make your VPN server accessible by its floating IP, make sure your VPN server is configured to listen on its anchor IP. To display your anchor IP, use the following command.
sudo ip addr show eth0
Next, update the VPN server configuration file to use the anchor IP. Adjust the firewall to allow traffic using the anchor IP.
sudo vim /etc/openvpn/server.conf # Add your anchor ip after 'local' like the following # Which local IP address should OpenVPN # listen on? (optional) local 10.10.0.5 # Adjust the firewall to make OpenVPN traffic go through the anchor IP. sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to 10.10.0.5 sudo service netfilter-persistent save # Restart the OpenVPN service sudo systemctl start openvpn@server sudo systemctl status openvpn@server
Configure Your OpenVPN Client
Your VPN server should now be fully functional and ready to connect with a client (device). To connect a client to the server, first install the OpenVPN software on the client. Next, configure the client to communicate with your VPN server. For a mobile client, install the OpenVPN Connect App; for a desktop computer, download the Tunnelblick App.
Now I will show you how to set up a VPN client on a desktop computer using Tunnelblick.
First, create a folder to contain the configuration files. You can name this folder anything you like as long as it ends with .tblk (so Tunnelblick can access the configuration files). I named my folder NY-97228.tblk to remind me the folder contains the configuration files for VPN user: 97228. The “NY” prefix indicates the VPN server is located in New York.
Next, select the 3 files you transferred from the server to the client in step 5 and copy the files to your .tblk folder. Right click here and save my sample VPN configuration file (config.txt) to your .tblk folder.
Now, open config.txt in a text editor and replace: MY-SERVER-IP, CA-CERTIFICATE.crt, CLIENT-CERTIFICATE.crt, and CLIENT-KEY.key with your own settings by following the comments (lines with a “#” prefix) above each setting. Once you’ve done editing your file, rename it config.conf.
Here is what the sample “config.txt” looks like.
# Sample client-side OpenVPN configuration # Sample client-side OpenVPN configuration # Edit this file by following the instructions here: # https://vpntips.com/how-to-setup-a-vpn-server/ # Lines starting with ‘#’ or ‘;’ are comments # Specify that this is a client. client # Specify the interface to use. Use the same interface the server uses. ;dev tap dev tun # Choose a protocol: TCP or UDP. Use the same protocol the server uses. proto tcp ;proto udp # Specify the IP address (or fully qualified domain name) # and port of the server. remote VPN-SERVER-IP 443 # Keep resolving the host name of the server indefinitely. resolv-retry infinite # No need to bind to a specific local port number. nobind # Downgrade privileges after initialization (non-Windows only) user nobody group nobody # route everything over VPN" via the server redirect-gateway def1 # uses the subnet topology and that it should use the IP address and routing the VPN server provides topology subnet pull # Try to preserve some state across restarts. persist-key persist-tun cipher AES-256-CBC auth SHA256 key-direction 1 remote-cert-tls server # Authenticate client by username/password auth-user-pass # Enable compression on the VPN link. comp-lzo # Set log file verbosity. verb 3 # Specify the names of your CA certificate, client certificate, and client key. ca CA-CERTIFICATE.crt cert CLIENT-CERTIFICATE.crt key CLIENT-KEY.key tls-auth
Finally, you need to allow Tunnelblick to access the configuration files. To do this, drag your .tblk folder and drop it on the Tunnelblick icon in the menu bar, or on the list of configurations located in the Configurations tab of the VPN Details window.
That’s it! Now you’ve got your own VPN server. If you encounter any errors during the setup, please let me know in the comment section below.
Got a question? Post it in our forums. We’ll work it out.
I have been the victim of hackers for almost 6 months. I cannot get rid of them for anything. I cannot set up. VPN on my computer because I am sure they have done something to my box to disable rasman ssh tunneling and anything else there is to do with a VPN. I have tried 10 or more and none will run on my laptop due to these services not running. However I did get a VPN to run on the win 10 box in our den. And yes they’ve been in that one as well because at this point I know the signs they leave when they invade a system. Will putting a VPN on my router and/or running my own server let me escape this terroism? I have gigabytes of evidence and a lawyer and we are about to submit the lot to the FBI, but that doesn’t mean they will find and or stop them. I just need to know … Is this the way? I have experience in software dev so I’m not worried about the technical aspects. I just never studied cy er security because I honestly didn’t think I’d ever be a Target. But now for almost 6 months I e been watched, recorded, I’ve had to change phones and carriers 4 times I’ve had to reformat and reinstall Windows 10 17 times now because they can get in without a password and if I go online to or more than a minute they gain acces and within a cpl days they render the computer unusable. I’m mad, frustrated, and so pissed off I could physically hurt someone. Will this , as long as I don’t use any comprised devices after the install, will it keep them from finding me?
a nice article. thanks.
i created a VPS on digitalOcean followed all steps and got my openVPN client to connect and i can see it in both logs , client and server.
But, i cant browse the net !
the only thing i can think of is that ALL steps worked , except this part below:
add the next line at the end of “iface eth0” section
pre-up iptables-restore < /etc/iptables.rules
there is no eth0 section in /etc/network/interfaces …
Hello, I am using an ASUS RT-AC66U that supports open VPN connections. I am currently using ExpressVPN but I have been disappointed with the speeds. I am able to download .ovpn files and easily import them into my router configuration. Using this method that you outlined, would I be able to create a .ovpn that I could import to my router? I am living in China and the commercial VPN’s I’ve been using are so slow. Any help would be appreciated.
Are you using Tunnelblick ?
Hello, I followed all the steps above but when I import the .ovpn file I get “Error reading multiple files referenced by profile: ca.crt, RobbC.crt, RobbC.key . I was also a bit confused on some of the config setup on the server. Any help would be greatly appreciated
Thank you so much for this tutorial. Seems it’s the ONLY thing I have been looking for. I’m planing to use this service to configure a VPN that will allow me to work in some US-based freelance websites.
However, I am( just like someone has said) not a tech guy and I have one or tow questions I want to pose to you regarding this service:
1. Should I have a machine running Ubuntu?
2. I need to have several accounts on the same sight, I’m I able to get get like 5 to 10 different IPs from this service. I mean I want all the accounts to be independent of each other ( log in on different IPs)
Sorry for my poor English.
I can wait to hear from you,
Seems that Netflix still detects (and blocks) the use of this solution. I tried it with DigitalOcean, but no success.
Can anyone else confirm this?
Mine still works. My VPS is in SF.
Still trying to get this working on 64 bit CentOS 7 — changes I had to make
at (4) you need an additional step of
==>openssl dhparam -out /etc/openvpn/easy-rsa/2.0/dh2048.pem 2048
to generate the dh2048.pem file
at (6), the plugin line should be
==>plugin /usr/lib64/openvpn/plugins/openvpn-auth-pam.so login
==>plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so login
at (8) – you need to use
==>systemctl enable openvpn@server
==>chkconfig openvpn on
Thanks for the input.
Hello admin..thanks for your great lecture..
sorry im newbie in vpn and also sorry for my poor english..
I wondering having own vpn server where i can share connection with other people in my country for free (example to 100 people)…
Can i share Vpn connection with other people ?
thank..hope you can help me answer
Yes. There are basically two ways to accomplish what you want. You can create an account (Username/Password) for each user who will connect to the VPN server. This gives you the ability to manage VPN users. An easier approach is to use certificate-based authentication without creating any user accounts. Read this to learn how OpenVPN authentication works.
thank you mr william…:-) great…i will credit to you when my project done one days…thanks …
I’ve got no idea how to go about setting up my own VPS even after going through your tutorial (Tech is not my forte). However, I’ve been using a VPN service for about 2 years now to access UK betting sites whilst living abroad. Recently some have picked up that the IP address being used is ‘hosted’.
My question to you is, would setting up my own VPS not only allow me to show a UK IP address, but will it also prevent the IP address used as showing up as a VPN/Hosted service?
I’ve recently tried a VPN provider that claims to provide dedicated/static IP addresses and yet a particular site is still picking up the IP address as a hosted service.
Thanks in advance!
Whether you use your own VPN or a paid VPN service, there is no way to guarantee that an IP address won’t get ‘listed’. Remember that most IP addresses are public records; anyone can find out whom an IP address is assigned to by querying it on IP Whois databases.
little confused when I get to step 4 trying to generate certificates. I edited var file saved changes, and the confusion comes when the . var “notice the space between the period” I try to go further and I get:
Please edit the vars script to reflect your configuration,
then source it with “source ./vars”.
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run “./clean-all”.
Finally, you can run this tool (pkitool) to build certificates/keys.
I am using fedora server 22, via ssh
You can use either
. var; both of them are correct. A dot/period ‘.’ is a synonym for ‘source’ in bash.
Fantastic article, man. I have got a question with regards to the routing of all trafic via vpn tunnel.
Do you know if it is possible to achieve this on client side rather than forcing it through server config?
I would like to use that feature only for some clients, but not for all of them.
In the configuration file for the OpenVPN server, comment out the line:
push "redirect-gateway def1 bypass-dhcp".
In the client configuration file, add the:
redirect-gateway def1option if you want to tunnel all the traffic.
I believe this will solve your problem; please let us know how it works for you.
how do I bind specific interfaces to the clients?
for example my server has 8 different ip addresses
all of them are public IPs on eth0 , eth0:1 eth0:2 etc
If I connect to my server through the openvpn client and check the ip at icanhazip.com or cmyip.com , I only see the default ip of the server, that is 126.96.36.199 on eth0 . even if I change the openvpn server ip to 188.8.131.52 on the client pc to connect, it still shows 184.108.40.206 at icanhazip.com which means all the traffic is still going through the default server ip.
the other ips on the server are indeed online, I can check them with curl –interface 220.127.116.11 http://icanhazip.com and it shows the correct ip (18.104.22.168)
but with openvpn, the client pc always shows 22.214.171.124
I would like to bind 126.96.36.199 to client pc when it connects to the server.
How can I do that?
multihomeoption to the VPN server’s configuration file.
Make sure the server uses the UDP protocol and that you’ve added the
nobindoption to the client-side configuration file. That should solve your issue, but let me know if you have further questions.
Only problem is OpenVPN is blocked in China making this article completely useless for me =(
Can I set up a vpn on my mobile phone device so I can set it up so I can make an app have the ability to use the vpn such as the whatsapp or vibr app that make calls and texts at all is that possible … Thanks
Yes you can! Many VPN providers offer mobile versions of their software. We particularly like the apps from IPVanish and HMA, both of which are also fast enough to stream, but of course you can also connect to your own VPN from your mobile using OpenVPN. OpenVPN offers both an Android and iOS app. It can be a bit tricky to import the configuration file, but once you are connected all Internet traffic from your mobile device is routed through the VPN and you can use whatsapp, vibr, or any other app of your choosing.
Hi, great tutorial! I am just having some small problems and I have a question. What version of CentOS are you using?
CentOS 6.6 32-bit
William, your write-ups are phenomenal. Very detailed, easy to follow instructions. Thank you.
On this article, I wish you had presented a more balanced view. I think the three biggest reasons people use VPNs are anonymity (ppl don’t know who you are), privacy (ppl can’t inspect your traffic), and freedom from censorship (including geo-blocks). The private VPN give you the last two and, as a bonus, excellent performance.
When it comes to anonymity though, a private VPN means that the public IP can be tied directly to you once someone asks your VPS provider to identify you. It also means that anyone tracking that public IP on the web is really tracking your individual traffic patterns. A significant benefit of using a large provider that uses shared IPs and no logs is that your individual traffic is better anonymized. If I am in a situation in which my well-being depends on my anonymity online, a private VPN is not a good idea. Anyone watching my traffic will know who my VPS provider is, and can follow that traffic out to the public internet after my VPN server has removed the encryption.
I’ve been on cloud 9 because you said my write-ups are “phenomenal”. The only other person who used that word on me was my girlfriend, in the morning, 2 years ago 😀
What you said makes certain sense. When you use a private VPN, your activities will be tied to a single IP – yours. This limitation doesn’t diminish the usefulness of private VPNs for securing network traffic and bypassing geo-fences, but it does make it a poor choice when real anonymity is required. When anonymity is crucial, I suggest you use Tor, which was developed for that exact purpose.
VPN can be used to protect anonymity as well, but you shouldn’t bet on it, because it’s impossible for a VPN to offer true anonymity. Here are the 3 most conspicuous reasons:
For a more in-depth look at how VPNs support anonymity, be sure to read my upcoming article. Subscribe to my newsletter to be notified when it’s ready.
Excellent tutorial but I am a linux newb so it is going to be a lot of trial and error for me.
I do have a quick question though. Instead of using a VPS, would it be possible to host the server myself? I really don’t want any bandwidth limitations and I have a pretty new Dell just sitting around looking for something to do.
If you choose to host the server yourself, you need to figure out how to get an IP address in the country where you want to virtually reside. For example, if you want to watch the US version of Netflix, make sure you have a US IP.
If I use a VPS like Digital Ocean and create the server, am I able to get an IP address for another country, say England if I live in the US? Pardon my basic question however I am very new to the VPN world and have been looking at several VPN services. This looks like a much better option but I’d like to make sure I can access programming from England, one of the main reasons I want a VPN.
Yes, of course you can get an IP address from another country. If you want an IP address from the UK, select the data centre from “London” when creating your Digital Ocean VPS, as shown in the image below.
Thank you for the response and for this entire tutorial. I appreciate the time and effort you have put into this.
Thanks for your positive feedback. Glad to be of help 🙂
Hi mate, why is taking so long with ./build-dh ….. already 30 min, with OVH vps , cent6 32bit,1gb ram 1vcore. 10gb hdd …i use your tutorial step by step.
It can take a while especially for 2048 bit long DH parameters. It takes roughly 40 mins on a DO box with 512 RAM
Miguel, works for you I have 3 vps in ovh and none of them work, connect, (i dont have dnsleaks) and netflix still geo detects me
Hi there, and thanks for the info.
You write that when you use someone else’s VPN, one cannot be sure that the VPN provider isn’t spying on you. Then, you instruct to go look for a VPS provider in order to install your own VPN on the server which they provide you. So, just to be sure, no trust/security issues there? Once you connect to your remote VPN, the VPS provider will only be able to see encrypted traffic which they will be unable to decode?
Thank you so much, especially in those days, its hard to live without VPN in Asia.
Thanks for the tutorial!
Instead of using cat to copy the contents of the needed files, you can use something like http://transfer.sh to quickly share files from the command-line
Just checked out transfer.sh and it looks awesome. Love the fact that you can encrypt the files before the transfer. Thanks for the tip 🙂
Got mine setup and running. Here is the result from speedtest. Do you guys get faster connection speed?
… it was a lot of work… After spending 2 hours working on my VPS, I finally made it work. It is amazing how fast the speed is when comparing with other commercial VPN services; It is about 5x faster than HMA and 4x faster than PIA. Without some knowledge of Linux, I don’t believe many can set it up.
Excellent tutorial of setting up VPN. Does theTunnelblick only works on Mac?
Tunnelblick doesn’t have a Windows version but there is an OpenVPN client for Windows that is free to download.