How to Make Your Own VPN in Linux in 12 Steps
If you want to enhance your privacy and avoid putting your data in the hands of a VPN service provider, then you can create your own VPN. The process of doing so won’t require you to be a programmer, but it’s a bit technical and it will take some effort.
In the end, though, it will be worth it: you end up with a secure, private VPN that you can tear down at any moment.
Note: This process involves setting up your own server instance on DigitalOcean, which just like any other hosting service, will charge for bandwidth use.
Quick navigation:
- 01 Get a Remote Server that Runs Ubuntu
- 02 Install OpenVPN
- 03 Configure the Certificate Authority Directory
- 04 Configure the Certificate Authority
- 05 Build the Certificate Authority
- 06 Creating the Server’s Encryption Files
- 07 Creating the Client’s Certificate
- 08 Configure OpenVPN
- 09 Adjusting Network Settings
- 10 Starting the OpenVPN Service
- 11 Client Configurations
- 12 Configure your VPN on Linux
Step 1: Get a Remote Server that Runs Ubuntu
This involves creating a server on the cloud.
There are many hosting services that you can choose from, but the most user-friendly is DigitalOcean, and it’s also the most affordable.
Step 2: Install OpenVPN
Now that your server is up and running, we need to install OpenVPN on it. The first thing you need to do is log in to the server by providing your credentials through a command prompt.
After that, execute the commands below. You can type or copy/paste them.
$ sudo apt-get install openvpn easy-rsa
You have now installed both OpenVPN and easy-rsa, a package that is necessary for step 3.
Step 3: Configure the Certificate Authority Directory
Certificates matter because they let the client and server authenticate each other before any traffic is tunnelled: the encrypted tunnel is only established with a peer that presents a certificate signed by a CA you trust. Normally such certificates come from a public Certificate Authority (CA), but because we are running and managing our own server, we can set up a simple CA directory on the server and sign our own.
Execute the command below:
Now, navigate to the folder we have just created by typing the following command:
Step 4: Configure the Certificate Authority
Now, we need to edit our CA. To open a text editor that displays the vars file, enter:
Now, look for the following lines:
export KEY_PROVINCE="NY"
export KEY_CITY="New York City"
export KEY_ORG="My-Organization"
export KEY_EMAIL="me@host.domain"
export KEY_OU="MyOrganizationalUnit"
Edit the quoted strings to reflect your details. Make sure you don’t leave any of them blank.
After that, scroll down to find the KEY_NAME line. Edit it to match the one below:
You can now save and close the file.
Step 5: Build the Certificate Authority
Now that we have the right information in place, we can go ahead and create the Certificate Authority. Ensure that you are still in the CA directory.
Enter the command below:
If the process executed correctly, you should see the following on your screen:
Clear out the environment by entering the following:
Now build the root CA:
You should get a series of prompts as the server executes the instructions you've just provided. Just press Enter at each of them until the process completes.
Step 6: Creating the Server’s Encryption Files
Now that we’ve created our Certificate Authority, we can start generating actual encryption keys. The first thing we need to do is create the OpenVPN server certificate along with its key pair:
The server will suggest some values. Accept them all by typing "y". Be sure to do the same when asked about certificate creation.
Next we’ll create a few other miscellaneous files OpenVPN needs to operate. Use the following command:
This can take some time, but wait until it's done. After that, type the following command to generate the tls-auth HMAC key (ta.key), which adds an extra signature check to every TLS handshake packet.
Step 7: Creating the Client’s Certificate
Here, we’ll create a certificate and key pair for connecting your Linux computer. Use the following commands:
$ source vars
$ ./build-key client1
Use the suggested defaults by hitting enter at the prompts.
Step 8: Configure OpenVPN
Now that we have all the certificates and key pairs we need, we can finally start setting up OpenVPN.
The first thing we need to do is move some of the files we just created to the “openvpn” folder:
$ sudo cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
Now we’ll add a sample configuration file so we can open and edit it ourselves:
After it's unzipped, type the following to open the configuration file:
With the server.conf file open in the nano editor, look for the line below:
Uncomment the line by removing the semi-colon at the beginning.
On the line directly below it, add the following:
Now, scroll to the section that lists the available ciphers. Here we choose the cipher strength. Select AES 128-bit by finding the line below and uncommenting it (removing the semicolon).
Just below that line, add the following:
Next, uncomment the user and group settings. They are the lines below:
group nogroup
Push DNS Changes to Redirect All Traffic through the VPN
While the settings we have already created will tunnel your traffic, they won't force any connections to use the tunnel. To force all your traffic through the VPN tunnel, you'll need to push routing and DNS settings to the client computers.
To do this, we need to uncomment the directives listed below. Find them and remove the semicolon.
Just below that line, find the dhcp-option section. Again, uncomment the two lines:
push "dhcp-option DNS 208.67.220.220"
These settings make clients route all traffic through the VPN tunnel as their default gateway and use the pushed DNS servers, so DNS lookups do not leak outside the tunnel.
Adjust the Port and Protocol
Now, we need to change the port that OpenVPN will use. By default it uses port 1194 and the UDP protocol. To make the VPN usable from more networks, let's use port 443, which is rarely blocked by firewalls because it carries HTTPS. Search for the #Optional! line and change the port to 443.
port 443
After that, change the protocol from UDP to TCP
proto tcp
After that, save and close the file.
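The step 8 edits gathered into one file, as an added example (this is not the sample server.conf that ships with OpenVPN, which carries many more comments). Where the text above only describes a choice, the exact directive spelling is an assumption of this example: cipher AES-128-CBC for "AES 128 bit", tls-auth ta.key 0 with key-direction 0 for the ta.key signature, user nobody beside group nogroup, the second OpenDNS resolver 208.67.222.222, and the 10.8.0.0/24 client pool.

```conf
# Listen on 443/TCP so the tunnel looks like ordinary HTTPS to most firewalls
port 443
proto tcp
dev tun

# Certificate material copied to /etc/openvpn in step 8
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

# HMAC key from step 6; the server uses direction 0, clients use direction 1
tls-auth ta.key 0
key-direction 0

# Cipher and HMAC choices made in step 8 (assumed spellings)
cipher AES-128-CBC
auth SHA256

# Address pool handed to clients (assumed; the sample file's default)
server 10.8.0.0 255.255.255.0

# Send all client traffic, and all DNS lookups, through the tunnel
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# Drop root privileges once the tunnel device and keys are set up
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
```

Before enabling the service in step 10, a quick check is to run the file in the foreground with `sudo openvpn --config /etc/openvpn/server.conf` and watch for "Initialization Sequence Completed"; a typo in any directive fails there with a readable message instead of a silent service restart loop. On OpenVPN 2.5 and newer the `cipher` directive is deprecated in favour of `data-ciphers`, but the value above still matches what this walkthrough selects.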
Step 9: Adjusting Network Settings
To ensure that OpenVPN routes traffic correctly, we need to do some edits.
The first thing is to allow IP forwarding. This can be done by modifying the /etc/sysctl.conf file. Open it.
Find the line below and remove the '#' character to uncomment it.
Save and close the file.
Now, run this command to adjust the values.
Now, we need to set up our server’s firewall so that it can properly manipulate traffic. Let’s start by finding the public network interface of our server machine.
At some point, the output line produced will include the word “dev”. What follows after that should be your interface name. For example in the line below, w1p11s0 is the interface name.
Now, we need to add the name above to its appropriate place by editing the rules file. Enter the command below:
Look for the block of text that begins with the following commented-out line:
Below it, you’ll see a line that starts with “-A POSTROUTING”. This is where you need to add the interface name. Replace the XXXX with it.
Now save and close the file.
After that, look for the line marked “DEFAULT_FORWARD_POLICY”. Change “DROP” to “ACCEPT”. After that, it should look like the following:
Save and close the file.
Lastly, adjust the firewall settings to allow traffic to OpenVPN. Use the commands below:
$ sudo ufw allow OpenSSH
To load the changes, disable and then re-enable the firewall.
$ sudo ufw enable
Your server is now set up to handle your VPN traffic. You are almost there!
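A worked version of the interface lookup and the NAT rule from this step, added here as an example (it is not the article's or OpenVPN's own code). The route line is constructed to look like the output of `ip route get 8.8.8.8`, and the 10.8.0.0/8 client range written into the POSTROUTING rule is an assumption taken from the OpenVPN sample configuration's default client pool.

```shell
#!/bin/sh
# Added example for step 9: pull the public interface name out of a route
# line and build the matching NAT block for /etc/ufw/before.rules.
# On a real server the route line comes from:  ip route get 8.8.8.8
# The 10.8.0.0/8 client range is an assumption (OpenVPN's sample default).

# Print the word that follows "dev" on a route line, e.g. "eth0".
iface_from_route() {
    # awk walks the fields of the line and prints the one after the literal "dev"
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Build the masquerade rule that replaces the XXXX placeholder in before.rules.
nat_rule() {
    printf '%s\n' "-A POSTROUTING -s 10.8.0.0/8 -o $1 -j MASQUERADE"
}

# Emit the complete NAT block that goes at the top of /etc/ufw/before.rules.
nat_block() {
    iface="$1"
    cat <<EOF
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
$(nat_rule "$iface")
COMMIT
# END OPENVPN RULES
EOF
}

# True once the sysctl edit from this step has been applied and reloaded.
forwarding_enabled() {
    [ "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" = "1" ]
}

# Constructed sample: what `ip route get 8.8.8.8` prints on a typical VPS.
SAMPLE_ROUTE="8.8.8.8 via 203.0.113.1 dev eth0 src 203.0.113.10 uid 1000"

iface=$(iface_from_route "$SAMPLE_ROUTE")
echo "Public interface: $iface"
nat_block "$iface"
```

The block must sit above the `*filter` section of before.rules, since ufw loads each table as it appears; after editing, `sudo ufw disable && sudo ufw enable` reloads it, and `forwarding_enabled` should return true once `sysctl -p` has been run.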
Step 10: Starting the OpenVPN Service
Since you’ve already set up the basic configurations, you can now start OpenVPN to get your server going.
To ensure that OpenVPN always starts every time your server boots, enter the following command:
Step 11: Client Configurations
Now we need to prepare the server for connecting your devices. To start, let's create a dedicated folder for client-related files, then tighten its permissions so that only you can read them.
$ chmod 700 ~/client-configs/files
Now we’ll copy an example configuration file and then edit it:
Open the file in a text editor:
Scroll to find the line that starts with the “remote” directive. Edit it to reflect port 443 which is the port we are using:
Below that, change the line marked “proto” from UDP to TCP
Remove the semicolons from the “user” and “group” lines to uncomment them:
group nogroup
Locate the ca, cert, and key lines and comment them out by adding a hash at the beginning. They should look like this:
#cert client.crt
#key client.key
Change the “cipher” and “auth” settings to match the ones we set above. They should look like this:
auth SHA256
Now, add a line anywhere in the file and type:
Lastly, copy and paste the following commented out lines into the bottom of the file:
Save your changes and exit the editor.
The last thing we need to do is to create a script that will compile everything that we’ve made. Start by creating a file in the ~/client-configs directory called “make_config.sh”, then open it using nano. Paste the following code into the script:
#!/bin/bash
# First argument: Client identifier
# Where easy-rsa wrote the certificates and keys (steps 5 to 7)
KEY_DIR=~/openvpn-ca/keys
# Where the finished per-client .ovpn files are collected
OUTPUT_DIR=~/client-configs/files
# The client template edited above
BASE_CONFIG=~/client-configs/base.conf
cat ${BASE_CONFIG} \
Save the file and exit. Now, make it executable with this command:
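A complete client-bundle builder, added here as an example and not the article's make_config.sh: it appends the CA certificate, the client's certificate and key, and ta.key to the base config as inline `<ca>`, `<cert>`, `<key>` and `<tls-auth>` blocks, which is why step 11 commented out the ca/cert/key lines. It takes its paths as arguments so it can be tried on the constructed placeholder files it creates for itself; the file names (ca.crt, client1.crt, client1.key, ta.key) follow the easy-rsa keys directory from steps 5 to 7, and the hostname vpn.example.test, the `key-direction 1` line and the 0600 output mode are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the article's make_config.sh: assemble one client .ovpn
# by inlining ca.crt, <client>.crt, <client>.key and ta.key into the base
# config. File names follow the easy-rsa keys directory from steps 5 to 7.

# build_ovpn BASE_CONF KEY_DIR CLIENT_NAME -> prints the unified config
build_ovpn() {
    base="$1"; keydir="$2"; client="$3"
    # Refuse to continue if any input is missing: otherwise a file without,
    # say, the key would be written silently and fail only at connect time.
    for f in "$base" "$keydir/ca.crt" "$keydir/$client.crt" \
             "$keydir/$client.key" "$keydir/ta.key"; do
        [ -f "$f" ] || { echo "missing input: $f" >&2; return 1; }
    done
    cat "$base"
    printf '<ca>\n';        cat "$keydir/ca.crt";       printf '</ca>\n'
    printf '<cert>\n';      cat "$keydir/$client.crt";  printf '</cert>\n'
    printf '<key>\n';       cat "$keydir/$client.key";  printf '</key>\n'
    printf '<tls-auth>\n';  cat "$keydir/ta.key";       printf '</tls-auth>\n'
}

# write_ovpn BASE_CONF KEY_DIR CLIENT_NAME OUT_FILE -> writes the file with
# mode 0600, because it embeds the client's private key.
write_ovpn() {
    ( umask 077; build_ovpn "$1" "$2" "$3" > "$4" )
}

# Number of inline blocks opened in a finished .ovpn; a complete file has 4.
count_inline_blocks() {
    grep -c -E '^<(ca|cert|key|tls-auth)>$' "$1"
}

# ---- constructed sample inputs so the script runs without a real PKI ----
SANDBOX=$(mktemp -d)
mkdir -p "$SANDBOX/keys"
cat > "$SANDBOX/base.conf" <<'EOF'
client
dev tun
proto tcp
remote vpn.example.test 443
cipher AES-128-CBC
auth SHA256
key-direction 1
EOF
# Placeholder PEM bodies stand in for what easy-rsa generates.
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CA-PLACEHOLDER' '-----END CERTIFICATE-----' > "$SANDBOX/keys/ca.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CLIENT1-CERT-PLACEHOLDER' '-----END CERTIFICATE-----' > "$SANDBOX/keys/client1.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CLIENT1-KEY-PLACEHOLDER' '-----END PRIVATE KEY-----' > "$SANDBOX/keys/client1.key"
printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'TA-PLACEHOLDER' '-----END OpenVPN Static key V1-----' > "$SANDBOX/keys/ta.key"

OUT="$SANDBOX/client1.ovpn"
write_ovpn "$SANDBOX/base.conf" "$SANDBOX/keys" client1 "$OUT"
echo "wrote $OUT with $(count_inline_blocks "$OUT") inline blocks"
```

On the real server you would call `write_ovpn ~/client-configs/base.conf ~/openvpn-ca/keys client1 ~/client-configs/files/client1.ovpn` and copy the result to the client over SSH. The single file holds the client's private key, so treat it like the key itself: one file per device, never shared between users, and deleted from the server once delivered.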
Step 12: Configure your VPN on Linux
To use the VPN you’ve just set up, install OpenVPN on your computer using the commands below:
$ sudo apt-get install openvpn
We now need to open and edit the configuration file we’ve just downloaded:
Uncomment the following three lines:
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
Save and close the file. You’ve now set up your Linux computer to connect to your VPN.
To connect to your new VPN, execute the following command:
You should now be connected to your VPN!