Ever wanted to have your very own VPN server? Well, this post will show you how to do it, the easy way.
First, Get A Server
Before you can continue with this tutorial, you’ll need a server. The cheapest, fastest, and easiest way to do this is to fork over $5 a month to get a VPS. A VPS is essentially a piece of a server, which means it’s much cheaper than actually purchasing your own server. There’s also the added bonus of being set up really fast, so setting up a VPS shouldn’t take much time.
I recommend taking a look at DigitalOcean. They have plans starting at just $5 a month, which includes a whopping terabyte of bandwidth. If you somehow manage to use that up, overages are only $0.01/GB. But, unless you’re (legally, of course) torrenting movies 24/7, you shouldn’t use up more than a terabyte.
FYI, the link to DigitalOcean is an affiliate link. If you sign up by using my link, you’ll get $50 of credit which expires after 30 days. I also get a commission for referring you, at no extra cost to you of course. I currently use DigitalOcean for my own VPN server, and I don’t have any complaints.
Ok, after you’ve created a VPS (choose Ubuntu 18.04 as the OS), simply SSH into it using the information sent to you in an email. If you’re on Mac or Linux, simply open the terminal, and type:
If you happen to be on Windows, then I suggest using a tool like PuTTY. Once you’re in, just run the following:
wget https://raw.githubusercontent.com/NerdOfLinux/Scripts/master/OpenVPN.sh && bash OpenVPN.sh
You’ll see something along the lines of:
Welcome to this OpenVPN "road warrior" installer!

I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.

First, provide the IPv4 address of the network interface you want OpenVPN listening to.
IP address: x.x.x.x
If you’re on DigitalOcean, or another VPS provider, you can probably leave this setting as-is. However, if the IP address is not the same as your VPS’s IP as shown on your VPS provider’s dashboard, then change this setting. Once you’re sure the IP address is correct, simply press enter.
Now, you’ll be asked which protocol you want to use:
Which protocol do you want for OpenVPN connections?
   1) UDP (recommended)
   2) TCP
Protocol [1-2]: 1
If you want to bypass the firewall on a restrictive network, you might want to set this option to TCP, and set the port to 443 in the next step. Alternatively, UDP with port 53 also seems to bypass firewalls quite well. If you’re not sure, I suggest just leaving it as UDP. After you’ve made your selection, simply press enter.
Next, you’ll be prompted for the port to listen on:
What port do you want OpenVPN listening to?
Port: 1194
UDP 1194 is the default port for OpenVPN. However, it’s often blocked, so even if you just want to be secure when browsing on your favorite cafe’s WiFi, you might want to use UDP 53 or TCP 443. For the sake of simplicity, I’ll just leave it as the default. Once again, after you’ve made your decision, just press enter.
We’re almost done setting up the server! You’ll now be prompted for which DNS you want to use:
Which DNS do you want to use with the VPN?
   1) Current system resolvers
   2) 126.96.36.199
   3) Google
   4) OpenDNS
   5) Verisign
DNS [1-5]: 1
The default option is to use whatever your VPS is currently using. If you have no idea what’s going on here, I recommend using option 2 because 188.8.131.52 has a no-logging personal information policy, and has the added benefit of being the fastest option. After you’ve made your selection and pressed enter, you’ll be asked what to name your client.
Finally, tell me your name for the client certificate.
Please, use one word only, no special characters.
Client name: client
You can put whatever you want here, but I suggest using a meaningful name, should you ever want to revoke it. You can create as many profiles as you want later on, so it’s important to remember which client is which device. For example, if you plan on using this for your phone, then call this client “my_phone”. Please don’t use any spaces in the client name, or else something will break.
I promise, just a few more questions. This time, you’re being asked for what RSA key size to use:
What rsa key size would you want (2048 in the minimum recommended)?
Size: 2048
2048 is currently the recommended minimum. If you’re paranoid, then set this to 3072, or even 4096. Keep in mind that the higher the number, the longer it will take to generate the keys. For most people, I recommend just leaving this at the default. Next up is which cipher to use.
Which cipher would you like?
   1) AES
   2) CAMELLIA (may cause problems)
   3) Custom (not recommended)
Cipher: 1
If you think the NSA is after you, and don’t trust AES, then choose option 2, or option 3 if you want to use a cipher that isn’t listed. For 99.99% of the population, just use AES. Second to lastly, you’ll be asked what key size you want for the cipher.
Which AES size would you like?
   1) 128
   2) 192
   3) 256
Encryption: 1
128 bits is more than secure enough for most people. Again, if you think the government is after you, then choose a larger key size. Actually lastly, you’ll be asked how often you want to renegotiate the keys.
How often would you like to renegotiate the keys? (if you're unsure, just press enter)
reneg-secs: 3600
Unless you know what you’re doing, just press enter. Actually actually lastly, you’ll be asked for which hashing algorithm to use.
What SHA size do you want (256,384,512)?
SHA: 256
From my fifteen-second Google search, SHA-256 is technically secure enough. But, if you changed pretty much any of the previous cryptography options, you’re probably intent on making this the highest number as well, so go ahead. Told you we were done.
Okay, that was all I needed. We are ready to set up your OpenVPN server now.
Press any key to continue...
Once it’s done, you’ll see something like this:
Generating a 2048 bit RSA private key
.............+++
........+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/client.key.l0ebkVcgku'
-----
Using configuration from ./openssl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client'
Certificate is to be certified until Mar  3 00:56:46 2029 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Note: using Easy-RSA configuration from: ./vars
Using configuration from ./openssl-easyrsa.cnf

An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem

Finished!

Your client configuration is available at: /root/client.ovpn
If you want to add more clients, you simply need to run this script again!
Setting Up The Client
Ok, so after the script is done setting everything up, all you have to do is set up your client. I won’t go too much into detail here, because it’s different on every device. There’s an OpenVPN app for iOS and Android, and the same goes for Windows, Mac, and Linux. Just search Google for the best one to use on your platform. That being said, all you need to do is somehow get the profile onto whatever device you want to use the VPN on, and import it into the OpenVPN app.
The easiest way to get the profile onto your device is to just spin up a temporary web server. To do this, simply run the following on your server:
for x in *.ovpn; do echo "http://$(dig @resolver1.opendns.com myip.opendns.com +short)/$(echo "$x" | sed 's/ /%20/g')"; done
This prints the download URL for each profile in the current directory (the server’s public IP, looked up via OpenDNS, followed by the profile’s filename).
busybox httpd -f
This command starts the web server. Keep in mind that busybox httpd serves every file in the current directory (here /root) on port 80 to anyone who can reach the server, not just the profile. Simply visit the address that corresponds to the client name you configured, and the profile will download onto your device. Once you’re done, simply press Ctrl+C on your server to stop the web server and prevent others from accessing your VPN profile.
Note: The download will occur over HTTP, which means someone could intercept your download, and possibly replace it. If you go this route, be sure you trust the network you’re on. For maximum security, use something like SFTP to securely transfer the file.
To add clients, simply run the script again:
bash OpenVPN.sh
You’ll see the following menu:
Looks like OpenVPN is already installed.

What do you want to do?
   1) Add a new user
   2) Revoke an existing user
   3) Remove OpenVPN
   4) Exit
Select an option [1-4]:
Type 1, followed by pressing enter.
You’ll then be asked for the name of the client:
Tell me a name for the client certificate.
Please, use one word only, no special characters.
Client name:
Simply type whatever you want the client’s name to be, then press enter. To get the profile onto your device, simply refer to the previous section.
Luckily, Ubuntu Server doesn’t really require that much maintenance. All you really need to do is SSH into your server every now and then to run the following commands:
apt update && apt -y upgrade
And, restart the server if you see a message telling you to restart.
Be sure to use a strong password. If anyone manages to guess your password, they can do pretty much anything they want, which includes monitoring your web traffic. For maximum security, consider using an SSH key. Also, you’re not technically supposed to use the root account for everything. However, if you limit SSH access to just your home’s IP address and use an SSH key, you should be fine.
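As an added example (not part of the original post), here is a small shell script that applies the two hardening steps just described to sshd_config: key-only logins, and root logins accepted only from your home’s IP. The options are real OpenSSH keywords; the home address 203.0.113.10 is a placeholder, and it assumes Ubuntu 18.04, whose sshd has no sshd_config.d directory, so the main file is edited in place.

```shell
#!/bin/sh
# Added example, not from the original post: key-only SSH, root only from home.
# HOME_IP (203.0.113.10 below) is a placeholder; pass your own address or CIDR.

# set_sshd_option FILE KEY VALUE: rewrite an existing active or "#"-commented
# "KEY ..." line as "KEY VALUE". If KEY is absent, put it at the TOP of the file
# so it cannot land inside a trailing "Match" block, where it would apply only
# to that block's users. Running it twice leaves the file unchanged.
set_sshd_option() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^#?${key}[[:space:]]" "$file"; then
        sed -i -E "s|^#?${key}[[:space:]].*|${key} ${value}|" "$file"
    else
        { printf '%s %s\n' "$key" "$value"; cat "$file"; } > "$file.tmp" \
            && mv "$file.tmp" "$file"
    fi
}

# get_sshd_option FILE KEY: the value sshd would use (first active line wins).
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd FILE HOME_IP: disable every password path, let root log in only
# with a key, and accept root logins only from HOME_IP (address or CIDR).
harden_sshd() {
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" ChallengeResponseAuthentication no
    set_sshd_option "$1" PermitRootLogin prohibit-password
    set_sshd_option "$1" AllowUsers "root@$2"
}

# Usage on the server, as root, after your public key is in
# /root/.ssh/authorized_keys. Keep the current session open until a second,
# key-based login from home succeeds: a wrong HOME_IP locks you out.
#   harden_sshd /etc/ssh/sshd_config 203.0.113.10 && sshd -t && systemctl reload ssh
```

sshd -t checks the edited file for syntax errors before the reload, so a typo in the address never takes the daemon down.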