My First VPN: Own pivate network over public web, easily!

Why would I need it?

Most of you probably heard of VPN in some way. Maybe as a way to enter your corporate or academic network, while being in your bed at home or on the other side of the world. Or maybe as a way to enjoy content blocked in your home country due to legal restrictions.

So what actually VPN stands for? It is an abbreviation from Virtual Private Network. So this is a virtual local network, with limited access and encrypted connections, on the top of the public web. This should explain why you might be interested in VPN even when you do not need to bypass geographic blockades. VPN has three characteristics:

1. All devices connected to VPN are not accessible from external web by default, but they are accessible from within the virtual network.
2. All devices connected to VPN consider themselves part of a local network, even if they are physically far apart. This way, you can easily share resources between the devices, add them to workgroups, Active Directory etc.
3. VPN connections are entirely encrypted. Only devices connected to the network are able to decrypt the network packets sent over VPN. This makes it easy, robust and secure way to allow external access to your private resources.

The abovementioned features should give the one more important reason why it is good to use VPN: improving your privacy. If you are connected to free WiFi at the airport, McDonald’s or even Starbucks, your connection is most of the time unencrypted. This means the individuals in charge of the hotspot are able to track data from your computer.

Current enforcement of SSL on the websites and email makes it harder to read packets you are sending from and receiving to your device, you are not hiding e.g. which websites or online services you are accessing. This might be enough to identify you and, combined with some unencrypted information your devices still send online, track your online activity.

What is the advantage of having my own, compared to generally available free or paid services?

Shortly speaking, improved privacy because of improved control. By signing up to the generally available VPN services you hide your activity from providers of your internet hotspot, but it can be still registered by no one else than… yes, your VPN provider. Why not become your own provider then?

Apart from that, your own VPN network gives you freedom to set up your own DNS servers and connecting as many devices as you wish, while commercial services often force you to use DNS servers they provide (so they can better track your activity, sell data to marketing companies and deliver you customised advertising, for instance) or put limit on amount of devices you can connect simultaneously to a single network. It is not uncommon that number of devices allowed to connect simultaneously is as low as… 1.

However, if you need VPN to change your identity, especially with regards to location, and you want to be able to switch between multiple locations, commercial VPN services are a way to go.

So I want to improve my privacy! How do I start building my own VPN?

First of all, you need a VPN server. Pretty much every device capable of running Linux can do, like your old computer, Raspberry Pi or just a virtual server from your hosting provider. No excessive computational power or memory is needed. If you are going to buy hosting services only to run your VPN, go for the cheapest offer that allows you to run at least Linux container, if not the whole Linux virtual machine. The only important thing is bandwidth. Depending on how you plan to use your private network, you might need to adjust your internet or hosting plan accordingly.

Furthermore, if you have never used Amazon Web Service, take note they offer first year for free! Unfortunately, Amazon is not a sponsor of this post.

If you are planning to use your own device and connect it to the network, remember to check whether your network has public IP address. You also need to adjust port forwarding on your router and/or firewall. 1194 is the default port for OpenVPN we will be using in this tutorial. Dynamic DNS has to be applied, if you do not have a static IP address. I will cover all these in other articles. Right now, if this whole paragraph sounds overwhelming to you, you would be better off finding a cloud service that will offer you a possibility to set up your own VPN server.

You said something about Linux… Which distro?

If you read Quora, you many answers to this questions are similar to “For the love of god don’t begin with Arch”.

Actually, the tutorial below is recommended for Debian, Ubuntu, CentOS and their derivatives. Users of these distributions can benefit from the very good script (with slightly less good instruction) provided by nyr on GitHub.

Let us do it then!

So you have your server ready? Launch terminal and download the script by typing:
wget https://git.io/vpn -O openvpn-install.sh

Once download has finished, you need to launch it as root or with elevated priviliges (that is using sudo command):
bash openvpn-install.sh

If you are not logged in as root and you have sudo installed an configured, just add sudo at the beginning of the above command. You might be asked for your user password.

If you do not have sudo available on your system, you need to switch to root first. You can do that by first executing su - and then typing in your root password. After you successfully switch to root, you might need to navigate to the folder where you downloaded the script before executing the script.

The script will download OpenVPN (the open source VPN server), other necessary packages, install them, generate enryption keys and configure VPN server. The only thing you need to do is to follow instructions on screen.

After that, client file should appear in your home directory. It might also happen it will appear in root home directory (usually /root). With default settings, only one client file can be used simultaneously, so if you need more devices to access the your virtual network at the same time, run the script again and you should be able to easily add new clients.

If you need to revoke a client, for example when one of your client files leaked to the unauthorised person, you can also easily do that by executing again the script.

Client files need to be securely transferred to client devices. Securely means it is not a good idea to send them with email or share using file sharing services. You should consider saving them on memory card or USB stick, if possible, or using sftp when setting your VPN server in the cloud. Before using sftp, you might need to install it using your favourite package manager.

I have downloaded client files. How do I configure my clients?

You need to install OpenVPN client on your client devices. There is an official client for Windows you can get from here. Macs are a bit more troublesome and you might need external tool like Tunnelblick.

You are lucky if you want to set up your network to work with Android or iOS devices. They both have official OpenVPN client you can download from your store with applications. Search for OpenVPN Connect published by OpenVPN (Android edition) or OpenVPN Technologies (iOS edition).

Once you install the client, you need to import your client file, the one you downloaded from your server. On Windows, you should be good to go just by double-clicking on the client file each time you want to connect to the network.

Remember about disconnecting!

If you want to use your local resources, like WiFi printers, or you just do not need VPN connection at certain moment, remeber to disconnect from VPN! Just tap “Disconnect” in your mobile OpenVPN app, click “Disconnect” in the context menu after right-clicking OpenVPN icon in the system tray on Windows. You should be able to disconnect from your network on a Mac, when using Tunnelblick, in a similar manner to Windows.

Congratulations on your improved comfort and privacy! If you want to learn more about how OpenVPN works, what range of different configuration options it gives you and what nyr’s script actually does, check out this great Hak5 video!

In general, Hak5 is great channel to learn about online technologies and their applications. I highly recommend it to you! And no, this blog has no sponsoring so far.

Featured image of a cat acting as a privacy filter acquired from https://img.haikudeck.com/mi/1f4c77323ac9161c0fc01d5896d3f7fa.jpeg

Originally published at At The Back Of The Browser.