🎭 How to: hosting your own VPN (a complete beginners guide) 🎭

Where will you be when your VPN service crumbles?

There are a number of reasons you might consider using a Virtual Private Network (VPN).

One reason might be that you simply wish to hide your location — to pretend that your browsing history is coming from London even though you’re sitting comfortably on your couch in New York. This could be useful for anything from finding cheaper flight tickets to buying crypto on an exchange that’s banned in your current country / state.

Another reason might be because you want to download torrents without the fear of getting a scary letter from HBO saying you torrented one too many episodes of Succession.

Or you’ve reached the limit on your New York Times articles and want to bypass their paywall but the incognito browser tab trick doesn’t work anymore.

Or you live in a totalitarian regime state that’s monitoring and blocking your network traffic.

Or you just want to protect your data while browsing. Don’t want those pesky ad trackers sniffing our every move on the internet now do we?

There are plenty of use cases for using a VPN, and not all of them are necessarily privacy-based. However, when it comes to purchasing a VPN service for attaining privacy, you may not be signing up for the benefits you think you are. As emphatic as the marketing pages for many VPN services are in claiming to guarantee privacy of your browsing data… how trustworthy are those statements, really? Let’s take a closer look…

(p.s. if you’re already convinced that using a personally hosted VPN is a good idea, you can skip to the section below labeled Deploying your very first VPN server: AlgoVPN)

A big bad wolf in the VPN industry

A recent New York Times article revealed some startling trends in the VPN industry. The story begins with a company named Crossrider that was accused by a team of researchers at the University of California for creating a family of ad-injecting malware in 2015. A few years later in 2018, Crossrider rebranded to Kape Technologies in an attempt to distance itself from its poor reputation. Within less than year of rebranding, it pivoted and began purchasing a slew of VPN services.

From the perspective of a company that once thrived off of reading and selling user’s data through malicious malware, it’s not that hard to see their reasoning for pivoting into VPNs. To them, VPNs are like untapped oil fields of personalized browsing data. In the words of Daniel Plainview from No Country for Old Men: “if you have a milkshake, and I have a milkshake. And I have a straw…. . I drink your milkshake!”

The main investor behind Crossrider, now Kape Technologies, is an Israeli citizen named Teddy Sagi, who has a lurid history made up of jail time for insider trading, founding a gambling company and being named in the Panama Papers that detail a “rogue offshore financial industry.”

In a movement led by a person who’s history speaks volumes for his view on user ethics and user privacy, Sagi helped Kape aquire over 4 major VPN service providers within a span of only 3 years: ExpressVPN, CyberGhost, Private Internet Access and Zenmate. Kape also purchased a collection of VPN “review” websites in an attempt to control the narrative of their movements, a move you could only imagine the Roy family from Succession applauding.

While there are still plenty of VPNs out there not yet owned or aquired by this company, are we really to believe that this series of acquisitions by an amorphous, unethical company is the only occurrence in the VPN industry? VPNs are clearly highly attractive resources for companies like Kape that once made millions off of maliciously tracking users’ browsing behavior.

Yes, you may someone that pays a premium for a VPN service in an attempt to guarantee your privacy. And maybe that is giving you some real benefit over those who opt for the cheapest VPN available… but I implore you to ask yourself: is the extra money that you’re spending going to do anything for you the moment the next Kape (whether that’s literally a once-again-re-branded Kape, or a different company with a less-than-ethical view on user privacy) acquires your VPN?

There are indeed some good egg paid VPNs out there… but why risk it and pay large sums out of pocket when with a few easy steps, you could setup and completely own your very own VPN server. You could easily have the confidence that the entire pipeline between you and the sites that you visit are free of any potential snooping. No data milkshake for anyone other than you.

Ok FINE. So what’s the alternative?

For the non network engineers among us, there just haven’t been many alternatives to using a paid VPN service. That is, until recently.

In the New York times article previously mentioned that spotlighted some of the corrupt activity in the paid VPN space, the author mentioned a project started by Trail of Bits security firm that gives the everyday folk chance to escape their paid VPN providers: AlgoVPN.

AlgoVPN is an open source set of scripts that allow you to set up a personally hosted VPN in a few simple steps. However, as simple as those steps may be compared to anything else that’s out there, it’s still a tricky process for folks who’ve never used a command line prompt before.

If you don’t know how to code, you still think of the internet as a series of tubes, or you just generally don’t feel that comfortable with the command line that’s ok! This guide is meant to fill in the gaps on how you can get very own VPN deployed in less than an hour, regardless of your technical expertise.

If you get stuck, feel free to reach out to me via the comments (I will do my best to reply).

Deploying your very first VPN server: AlgoVPN

NOTE: Unfortunately, due to it being slightly more complicated to run Algo on platforms other than macOS, this guide assumes that you’re using macOS. However, I’m hoping to write a future guide for Windows users.

Algo is built upon an open source VPN tool called WireGuard. Algo is essentially a set of instructions that your computer uses to automatically set up and deploy a VPN server to a hosting service that you have full control and ownership of.

Algo provides a way of deploying its VPN code to many different hosting services. For this guide, I will be deploying using Linode as the hosting provider, a service I’ve found to be very reliable and have used for setting up WireGuard in some of my previous articles.

I should note that I haven’t been able to test this process on other hosting providers, and while these steps technically should work with other providers as well, I haven’t personally done that and can’t guarantee it will work. If you want the confidence of using a setup process that I have vetted and know works, I suggest you stick with Linode.

You can use this link to sign up for $100 of free hosting credit with Linode (plenty of months of free credit given that Algo is only $5 a month to host on their platform)

Ok, so. Here’s the breakdown of the steps we’ll take:

1. Create a Linode account
2. Install Algo dependencies
3. Download the Algo codebase
4. Run the Algo deploy script
5. Install the VPN client and configuration on your personal device(s)

That’s all folks. Let’s crack our knuckles and get into it!

Step 1: Create a Linode account

The first step is to create a Linode account here. You’ll be prompted to enter some info like a user name and payment info. Once logged in successfully, you should see a dashboard like the following:

The only thing we’ll need from the Linode web page at this point is to grab whats called an “access token”. What is that you ask? Well, it’s basically a secret key from Linode, and it’s this key that Algo will use to automatically deploy a VPN server on your behalf.

To find this secret, click on your profile icon in the top right corner of the page, and select “API Tokens”. You will see a page like this:

Click “Create a Personal Access Token”, which will open a side panel that prompts you to enter a Label, as well as specify permissions for that token.

Give this token a label (it can be an arbitrary name), for Expiry select “In 1 month,”, and hit “Create Token.”

If all goes well, you should see a dialog that looks something like this:

Copy the value of this and paste it somewhere secure! If you use a password manager, I would suggest making a “secure note” labeled Linode and copying this value into that. You don’t want this value hanging around on your computer once you are finished with it.

Great! You’re done with the Linode setup part. Time to do some prep work for Algo.

Step 2: Download Algo dependencies

2a) Download Python 🐍

In order to use Algo, we’ll need to have a specific version of the programming language Python installed on our machine. Don’t worry, we won’t be writing any Python code, it’s just one of the programming languages that Algo uses behind the scenes.

We can download Python from the official python.org download page. You can either go to the python home page and find the link for your specific platform, or click this link which will directly start the Python 3.8 download for macOS, which is the version that Algo needs.

Once downloaded, clicking on the installation image will open an installation Wizard for Python:

Click through the steps, and eventually a window will open that looks like this:

Click on the Install Certificates.command file. It will open a Terminal window and briefly install an important configuration for the Python language that you just installed. After seeing it end with [Process completed] …

…you can now go ahead and close that Terminal window.

2b) Opening the Terminal (AKA Command line)

In the last step you got your first taste of the Terminal! Fortunately for you, we get to hop right back in to get another taste.

Go ahead and make another Terminal window. To do so, you can open the launchpad (Cmd + Space), type in “Terminal” to and hit enter open it.

In the terminal window you should see a prompt that looks something like the following:

YourName@YourNameM1Pro ~ %

This is the command prompt. For brevity, I will shorten this prompt to just % , so just copy everything after the % in all the future commands in this guide.

Checking if Python 3.8.0 was correctly installed

In the command line, type:

% python3 --version

If the installation succeeded, you will see Python 3.8.0 as output from this last command.

2c) Installing VirtualEnv

Great! Now we move on to installing a dependency of Python called VirtualEnv. This step will help install all the tools that Algo needs to do its thing later in Step 3.

Paste the following into the command line

% python3 -m pip install --user --upgrade virtualenv

If successful, you should see something like this as output (exact versions at the end may vary a bit as this article ages):

Successfully installed distlib-0.3.4 filelock-3.6.0 platformdirs-2.5.1 six-1.16.0 virtualenv-20.14.0

Step 3: Downloading the Algo codebase

Now that we’ve set all that up, it’s finally time to download AlgoVPN! You can grab yourself a copy from this direct download link, or look for the link on their Github page. The direct download link will automatically download a zip file of the Algo codebase to your Downloads folder.

Assuming you downloaded it to your Downloads folder, head back over to the command line, and type the following, exactly as it is written:

% cd ~/Downloads

(cd stands for change directory)

You may get prompted that “Terminal” is trying to access your Downloads folder after typing this. Go ahead and hit “Allow”

Now, type:

% unzip algo-master.zip
% cd algo-master

These commands, if successfully run, will have put you into the folder containing the Algo codebase. Now we’re ready to get Algo up and running…

3b) Installing Algo’s dependencies

Algo relies on some important Python code to work. These pieces of Python code, called “dependencies,” are packaged away in other libraries that we will need to install via the following command (remember, copy everything after the %, as is, and paste in the command line):

% python3 -m virtualenv --python="$(command -v python3)" .env &&
  source .env/bin/activate &&
  python3 -m pip install -U pip virtualenv &&
  python3 -m pip install -r requirements.txt

Hit enter.

This installation should take up to a minute or two, and you will see lots of output. If all goes well, you should see something like the following as the last thing printed

Successfully installed MarkupSafe-2.1.1 PyYAML-6.0 ansible-5.0.1 ansible-core-2.12.3 cffi-1.15.0 cryptography-36.0.2 jinja2-3.0.3 netaddr-0.8.0 packaging-21.3 pycparser-2.21 pyparsing-3.0.7 resolvelib-0.5.4

(Again, versions may vary as this article ages)

Step 4: Run the Algo deploy script

Finally, it’s time to use Algo to deploy our VPN to Linode. Run the following command:

% ./algo

You should see plenty of output that will look like so:

After a second or two, you will encounter your first prompt:

Algo is asking what hosting provider we’d like to use to deploy our VPN to. In this step we will choose “Linode” by typing “11” and hitting enter.

Go ahead and give your VPN server a name. This isn’t super important, it will just be the name that your server shows up as in the Linode dashboard. I typed AlgoVPN for mine, and hit enter

This prompt is asking if you’d like your iOS/macOS devices to automatically try to connect to the VPN when on a cellular connection. This is totally optional, go ahead and type y for yes or N for no, and hit enter.

You will then get the same prompt, but for connecting on demand when connecting to Wi-Fi. Go ahead and choose y or N again and hit enter.

For security purposes, we’re going to choose not to retain keys, since it’s unlikely that you will need them in the future. Type N.

This is a fun feature! Yes, using AlgoVPN can actually help block ads and ad trackers. This basically means that any requests made to known ad servers by websites you visit will be blocked. I strongly encourage you to opt into this!

This one’s easy, just hit N and enter to continue.

Now you’ll now see a couple of lines fly by, and then a prompt for an access token from Linode:

I hope you remembered to jot down the personal access token that we generated from the Linode dashboard in Step 1! This is it’s time to shine.

You will copy the value of your previously generated access token and paste it here. important: the value of the token won’t show up in the console when you paste it. This is for security reasons. If you pasted it, it is there!

Hit enter to continue.

Next, you will be prompted to choose where you’d like to locate your server:

These are odd names, but they represent the different locations for server’s that Linode owns.

You may choose different locations here depending on why you are setting up this VPN in the first place… If you’d like to mask your requests as coming from somewhere in Europe, you might want to choose eu-west (europe west — yes I know, very specific). If you’re in the U.S., this would have the downside of forcing all requests you make while connected to your VPN to go to Europe first, and then to its destination, making browsing websites hosted in the U.S. a bit slower overall.

If masquerading your location is not what you’re interested in doing, I suggest you choose the server that’s closest to your location. This will amount to an overall faster browsing experience while being connected the VPN. Since I live in NYC, I chose us-east by typing 9 and hitting enter.

At this point, you will see lots of information scrolling by. Algo is finally deploying your VPN to Linode! You can sit back, grab a coffee, and let Algo take care of the rest of the heavy lifting, just make sure to prevent your computer from going to sleep (I suggest using a tool for this called Amphetamine. In case it needs to be said, that is the name of the software, not a literal suggestion to do drugs while you wait). This process can take up to 20 minutes.

After Algo finishes deploying itself to Linode, you should see something like the following output confirming its success (the areas that I blacked out will show the exact IP address of your VPN server):

You’re at the home stretch! Just one more step to get you connected to your new VPN

Step 5: Install the VPN client and configuration on your personal device(s)

After finishing its deployment, Algo will have generated some important configuration files. These files are used to tell your devices (laptop, phone, etc…) how to connect to the personal VPN you just deployed. The remainder of this guide will walk through how to set up and configure these devices so that they can connect to the VPN you just deployed.

For each device, we need to install two things:

• A VPN Client (in our case, Algo uses WireGuard, we’ll use a WireGuard client)
• The configuration file generated by Algo for that device

5a) Installing the client on your macOS device:

For using your laptop with your new fancy VPN server, you’ll need to install the WireGuard VPN client for macOS. You can download that from the app store here.

Once you have it installed, you can open it from your Applications folder, or by using Launchpad.

You should see the following window pop open:

Go ahead and click the little “+” button in the lower left corner, and select “Import Tunnel(s) from File”

A file picker window should have popped up. Navigate to your Downloads folder in the sidebar of the finder and find the unzipped folder “algo-master” that you downloaded earlier.

Once inside this folder, open the folder calledconfigs. You will see three files in this folder, algo.pem, algo.pem.pub and a folder named with an IP address (ie XX.XX.XXX.XX format).

Open the folder named with the IP address and then navigate to wireguard and finally select laptop.conf

If all goes well, you should see a new laptop client lsited in the sidebar of your WireGuard window (the screenshot below shows it as desktop since I already had a VPN configuration named laptop for my personal VPN)

Now the moment of truth: to test whether everything works! Click the “Activate” button on the right, and watch for a green status light. If all goes well, you should see a Green icon next to the Status like so:

As a final test, you can type “whats my ip” into Google to see that your IP address no longer looks like a IPv4 address (ie XXX.XXX.XXX.XXX) but rather a long IPv6 address (XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX) associated to your VPN server! Assuming you don’t have IPv6 set up for your home internet (most people don’t) this means that all of your browsing requests are successfully being routed through your newly deployed VPN server. Woohoo! (if you hit “Deactivate” and google “whats my ip” again you should see your home IP address again.)

5b) Installing the client on your macOS device:

Ok, so now it’s time to get up and running on your phone.

Open up another Finder window and navigate to your Downloads folder once again. Open up algo-master .

Now, navigate to “configs” > “XXX.XXX.XXX.XXX” > “wireguard” > “apple”. You should see the following three files in the “apple” folder:

Now, open a separate Finder window (you can do so by pressing Cmd+N while the Finder app is in focus). In that window, navigate to AirDrop in the side bar.

Unlock your iPhone, and make sure that it has AirDrop enabled. It should show up in the AirDrop window.

Navigate back to the other finder window with the VPN configs, and drag the file labeled phone.mobileconfig to YourName’s iPhone in the Airdrop finder window.

This should open a prompt on your iPhone that looks like the following:

Hit “Accept”, and then navigate to your iPhone’s Settings. You should see a new “Profile Downloaded” menu item in your top level settings. Click on it.

This will prompt you asking if you would like to install it. Hit “Install”

Enter your PIN, and then hit “Install” once again

If successful, you should see “Profile Installed” in the top bar. Hit “Done”.

Go ahead and either close your Settings app, or navigate back to the top level of your settings. From there, click on VPN:

Finally, ensure “AlgoVPN <Name of your VPN> IKEv2” is selected, and turn on the VPN by hitting the little toggle button next to “Not Connected”.

If all goes well it should almost immediately say “Connected”!

If you’d like to be extra sure that your browsing traffic is going through your VPN, you can repeat the step we did to validate this for your laptop by typing “what my ip” into Google.

I can’t believe it. You did it! 🎊🎉🥳🍾🎊🎉🥳🍾

You just set up your very own personal VPN. Doesn’t it feel good knowing that you now own your entire data milkshake?

Final thoughts

Many of us that use VPN services are not journalists who have spent their career learning how to dig up dirt on people or companies. There’s only so much we are able to scoop up about companies with big, well paid PR teams to determine if they’re trustworthy enough to hand all our browsing data to.

If you’ve made it this far, then congratulations: you just removed yourself from the fragility of the VPN industry, took ownership of your privacy and saved yourself a pretty penny all the while! $5/month for being the sole owner of your security while browsing the intertubes seems more than worth it to me.