Title: A Step-by-Step Guide to Setting Up Your Own VPN
I’m glad you’re interested in web development and how to make a VPN. A VPN, or virtual private network, is a way of creating a secure connection between your device and a remote server, which can help you protect your online privacy, access geo-restricted content, or bypass censorship. In this blog post, I will show you how to create your own VPN using a VPS, or virtual private server, and OpenVPN, a popular open-source VPN software.
Sit Tight We have a long Journey Ahead !!!
What You Need
To create your own VPN, you will need the following:
- A VPS from a cloud service provider of your choice. A VPS is a virtual machine that you can rent and access over the internet. You can choose from many providers, such as DigitalOcean, Amazon EC2, Vultr, etc. For this tutorial, I will use DigitalOcean as an example, but you can use any provider that supports KVM or Xen virtualization and gives you a dedicated IPv4 address. You will also need to choose a server location that suits your needs. For example, if you want to access Netflix US, you should choose a server in the US. The cheapest plan from DigitalOcean costs $5 per month and gives you 1TB of outgoing bandwidth, which should be enough for most users.
- An SSH client to connect to your VPS and install OpenVPN. SSH, or secure shell, is a protocol that allows you to remotely access and control a server using a command-line interface. You can use any SSH client you like, such as PuTTY, Termius, or the built-in terminal in your operating system. For this tutorial, I will use PuTTY as an example, but you can use any client that works for you.
- An OpenVPN client to connect to your VPN server and enjoy the benefits of a VPN. OpenVPN is a free and open-source VPN software that supports various platforms, such as Windows, Mac, Linux, Android, iOS, etc. You can download the OpenVPN client from the official website or from your app store.
How to Create Your Own VPN
Once you have the tools ready, you can follow these steps to create your own VPN:
- Create a VPS on DigitalOcean. Go to the DigitalOcean website and sign up for an account if you don’t have one already. Then, click on the “Create” button and choose “Droplets”. A droplet is a term for a VPS on DigitalOcean. You will see a page where you can choose the options for your droplet, such as the operating system, the plan, the region, the hostname, etc. For this tutorial, I will choose the following options:
- Operating system: Ubuntu 20.04 (LTS) x64. This is a popular and user-friendly Linux distribution that works well with OpenVPN. You can also choose other Linux distributions, such as Debian, CentOS, Fedora, etc., but the commands may vary slightly.
- Plan: Basic, $5/month, 1 GB / 1 CPU, 25 GB SSD, 1 TB transfer. This is the cheapest and most basic plan that should be enough for a personal VPN. You can also choose a higher plan if you need more resources or bandwidth, but it will cost more.
- Region: New York 1. This is the server location that I will use for this tutorial. You can choose any region that you prefer or that matches your VPN needs. For example, if you want to access Netflix UK, you should choose a server in the UK.
- Hostname: vpn-server. This is the name that you will use to identify your droplet. You can choose any name that you like, but make sure it is easy to remember and unique.
- Password: Choose a strong and secure password that you will use to log in to your droplet via SSH. You can also use SSH keys for more security, but that is beyond the scope of this tutorial.
After choosing the options, click on the “Create Droplet” button and wait for a few minutes until your droplet is ready. You will see a page with the details of your droplet, such as the IP address, the password, the status, etc. Note down the IP address and the password, as you will need them later.
- Connect to your VPS via SSH and install OpenVPN. Open your SSH client and enter the IP address and the password of your droplet. You will see a command-line interface where you can enter commands to control your droplet. The first thing you need to do is to update your system and install OpenVPN. To do that, enter the following commands:
sudo apt update sudo apt upgrade sudo apt install openvpn
These commands will update your system, upgrade your packages, and install OpenVPN on your droplet. You may need to enter your password or confirm some prompts during the process. Wait until the installation is complete.
- Configure OpenVPN on your VPS. The next step is to configure OpenVPN on your droplet. To do that, you need to copy some files from the OpenVPN directory to your home directory and edit them. To do that, enter the following commands:
cd ~ cp -r /usr/share/doc/openvpn/examples/easy-rsa/ . cd easy-rsa/2.0/ nano vars
These commands will change your directory to your home directory, copy the easy-rsa folder from the OpenVPN directory, change your directory to the easy-rsa/2.0 folder, and open the vars file with the nano editor. The vars file contains some variables that you need to edit to match your VPN settings. You will see a file like this:
# easy-rsa parameter settings # NOTE: If you installed from an RPM, # don't edit this file in place in # /usr/share/openvpn/easy-rsa -- # instead, you should copy the whole # easy-rsa directory to another location # (such as /etc/openvpn) so that your # edits will not be wiped out by a future # OpenVPN package upgrade. # This variable should point to # the top level of the easy-rsa # tree. export EASY_RSA="`pwd`" # # This variable should point to # the requested executables # export OPENSSL="openssl" export PKCS11TOOL="pkcs11-tool" export GREP="grep" # This variable should point to # the openssl.cnf file included # with easy-rsa. export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA` # Edit this variable to point to # your soon-to-be-created key # directory. # # WARNING: clean-all will do # a rm -rf on this directory # so make sure you define # it correctly! export KEY_DIR="$EASY_RSA/keys" # Issue rm -rf warning echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR # PKCS11 fixes export PKCS11_MODULE_PATH="dummy" export PKCS11_PIN="dummy" # Increase this to 2048 if you # are paranoid. This will slow # down TLS negotiation performance # as well as the one-time DH parms # generation process. export KEY_SIZE=1024 # In how many days should the root CA key expire? export CA_EXPIRE=3650 # In how many days should certificates expire? export KEY_EXPIRE=3650 # These are the default values for fields # which will be placed in the certificate. # Don't leave any of these fields blank. export KEY_COUNTRY="US" export KEY_PROVINCE="CA" export KEY_CITY="SanFrancisco" export KEY_ORG="Fort-Funston" export KEY_EMAIL="me@myhost.mydomain" export KEY_OU="MyOrganizationalUnit" # X509 Subject Field export KEY_NAME="EasyRSA" # PKCS11 Smart Card # export PKCS11_MODULE_PATH="/usr/lib/changeme.so" # export PKCS11_PIN=1234 # If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below # You will also need to make sure your OpenVPN server config has the duplicate-cn option set # export KEY_CN="CommonName"
You need to edit the following variables:
- KEY_SIZE: This is the size of the encryption key that will be used for your VPN. You can increase this to 2048 or 4096 for more security, but it will also slow down the performance. For this tutorial, I will keep it at 1024.
- KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL, KEY_OU, KEY_NAME: These are the details that will be included in your VPN certificate. You can change them to match your personal or business information, or leave them as they are. For this tutorial, I will change them to the following:
export KEY_COUNTRY="PK" export KEY_PROVINCE="Punjab" export KEY_CITY="Lahore" export KEY_ORG="Copilot" export KEY_EMAIL="copilot@example.com" export KEY_OU="Web Development" export KEY_NAME="
export KEY_NAME="CopilotVPN" ``` After editing the variables, save and exit the file by pressing Ctrl+X, then Y, then Enter.
- Generate the certificate authority and the server certificate. The next step is to generate the certificate authority (CA) and the server certificate for your VPN. The CA is a trusted entity that issues and verifies the certificates for your VPN. The server certificate is a file that identifies and authenticates your VPN server. To generate them, enter the following commands:
source ./vars ./clean-all ./build-ca ./build-key-server server
These commands will source the vars file, clean the keys directory, build the CA, and build the server certificate. You may need to enter some information or confirm some prompts during the process. For the CA, you can just press Enter to accept the default values or the values you edited in the vars file. For the server certificate, you will need to enter a challenge password and a common name. You can choose any password and name that you like, but make sure you remember them. For this tutorial, I will use “copilot” as the password and “server” as the name. You will also need to sign the certificate and commit by typing “y” when asked.
- Generate the Diffie-Hellman parameters and the HMAC signature. The next step is to generate the Diffie-Hellman parameters and the HMAC signature for your VPN. The Diffie-Hellman parameters are used to establish a secure key exchange between your VPN server and client. The HMAC signature is used to prevent denial-of-service attacks on your VPN server. To generate them, enter the following commands:
./build-dh openvpn --genkey --secret keys/ta.key
These commands will build the Diffie-Hellman parameters and generate the HMAC signature. This may take some time, depending on the key size and the speed of your droplet. Wait until the process is complete.
- Copy the files to the OpenVPN directory and configure the server. The next step is to copy the files you generated to the OpenVPN directory and configure the server. To do that, enter the following commands:
cd keys sudo cp ca.crt ca.key dh1024.pem server.crt server.key ta.key /etc/openvpn cd /etc/openvpn sudo nano server.conf
These commands will change your directory to the keys folder, copy the files to the OpenVPN directory, change your directory to the OpenVPN directory, and open the server.conf file with the nano editor. The server.conf file is the main configuration file for your VPN server. You will see a file like this:
# Which local IP address should OpenVPN # listen on? (optional) ;local a.b.c.d # Which TCP/UDP port should OpenVPN listen on? # If you want to run multiple OpenVPN instances # on the same machine, use a different port # number for each one. You will need to # open up this port on your firewall. port 1194 # TCP or UDP server? ;proto tcp proto udp # "dev tun" will create a routed IP tunnel, # "dev tap" will create an ethernet tunnel. # Use "dev tap0" if you are ethernet bridging # and have precreated a tap0 virtual interface # and bridged it with your ethernet interface. # If you want to control access policies # over the VPN, you must create firewall # rules for the the TUN/TAP interface. # On non-Windows systems, you can give # an explicit unit number, such as tun0. # On Windows, use "dev-node" for this. # On most systems, the VPN will not function # unless you partially or fully disable # the firewall for the TUN/TAP interface. ;dev tap dev tun # Windows needs the TAP-Win32 adapter name # from the Network Connections panel if you # have more than one. On XP SP2 or higher, # you may need to selectively disable the # Windows firewall for the TAP adapter. # Non-Windows systems usually don't need this. ;dev-node MyTap # SSL/TLS root certificate (ca), certificate # (cert), and private key (key). Each client # and the server must have their own cert and # key file. The server and all clients will # use the same ca file. # # See the "easy-rsa" directory for a series # of scripts for generating RSA certificates # and private keys. Remember to use # a unique Common Name for the server # and each of the client certificates. # # Any X509 key management system can be used. # OpenVPN can also use a PKCS #12 formatted key file # (see "pkcs12" directive in man page). ca ca.crt cert server.crt key server.key # This file should be kept secret # Diffie hellman parameters. # Generate your own with: # openssl dhparam -out dh1024.pem 1024 # Substitute 2048 for 1024 if you are using # 2048 bit keys. dh dh1024.pem # Network topology # Should be subnet (addressing via IP) # unless Windows clients v2.0.9 and lower have to # be supported (then net30, i.e. a /30 per client) # Defaults to net30 (not recommended) ;topology subnet # Configure server mode and supply a VPN subnet # for OpenVPN to draw client addresses from. # The server will take 10.8.0.1 for itself, # the rest will be made available to clients. # Each client will be able to reach the server # on 10.8.0.1. Comment this line out if you are # ethernet bridging. See the man page for more info. server 10.8.0.0 255.255.255.0 # Maintain a record of client <-> virtual IP address # associations in this file. If OpenVPN goes down or # is restarted, reconnecting clients can be assigned # the same virtual IP address from the pool that was # previously assigned. ifconfig-pool-persist ipp.txt # Configure server mode for ethernet bridging. # You must first use your OS's bridging capability # to bridge the TAP interface with the ethernet # NIC interface. Then you must manually set the # IP/netmask on the bridge interface, here we # assume 10.8.0.4/255.255.255.0. Finally we # must set aside an IP range in this subnet # (start=10.8.0.50 end=10.8.0.100) to allocate # to connecting clients. Leave this line commented # out unless you are ethernet bridging. ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 # Configure server mode for ethernet bridging # using a DHCP-proxy, where clients talk # to the OpenVPN server-side DHCP server # to receive their IP address allocation # and DNS server addresses. You must first use # your OS's bridging capability to bridge the TAP # interface with the ethernet NIC interface. # Note: this mode only works on clients (such as # Windows), where the client-side TAP adapter is # bound to a DHCP client. ;server-bridge # Push routes to the client to allow it # to reach other private subnets behind # the server. Remember that these # private subnets will also need # to know to route the OpenVPN client # address pool (10.8.0.0/255.255.255.0) # back to the OpenVPN server. ;push "route 192.168.10.0 255.255.255.0" ;push "route 192.168.20.0 255.255.255.0" # To assign specific IP addresses to specific # clients or if a connecting client has a private # subnet behind it that should also have VPN access, # use the subdirectory "ccd" for client-specific # configuration files (see man page for more info). # EXAMPLE: Suppose the client # having the certificate common name "Thelonious" # also has a small subnet behind his connecting # machine, such as 192.168.40.128/255.255.255.248. # First, uncomment out these lines: ;client-config-dir ccd ;route 192.168.40.128 255.255.255.248 # Then create a file ccd/Thelonious with this line:
# EXAMPLE: Suppose the client # having the certificate common name "Thelonious" # also has a small subnet behind his connecting # machine, such as 192.168.40.128/255.255.255.248. # First, uncomment out these lines: ;client-config-dir ccd ;route 192.168.40.128 255.255.255.248 # Then create a file ccd/Thelonious with this line: # iroute 192.168.40.128 255.255.255.248 # This will allow Thelonious' private subnet to # access the VPN. This example will only work # if you are routing, not bridging, i.e. you are # using "dev tun" and "server" directives. # EXAMPLE: Suppose you want to give # Thelonious a fixed VPN IP address of 10.9.0.1. # First uncomment out these lines: ;client-config-dir ccd ;route 10.9.0.0 255.255.255.252 # Then add this line to ccd/Thelonious: # ifconfig-push 10.9.0.1 10.9.0.2 # Suppose that you want to enable different # firewall access policies for different groups # of clients. There are two methods: # (1) Run multiple OpenVPN daemons, one for each # group, and firewall the TUN/TAP interface # for each group/daemon appropriately. # (2) (Advanced) Create a script to dynamically # modify the firewall in response to access # from different clients. See man # page for more info on learn-address script. ;learn-address ./script # If enabled, this directive will configure # all clients to redirect their default # network gateway through the VPN, causing # all IP traffic such as web browsing and # and DNS lookups to go through the VPN # (The OpenVPN server machine may need to NAT # or bridge the TUN/TAP interface to the internet # in order for this to work properly). ;push "redirect-gateway def1 bypass-dhcp" # Certain Windows-specific network settings # can be pushed to clients, such as DNS # or WINS server addresses. CAVEAT: # http://openvpn.net/faq.html#dhcpcaveats # The addresses below refer to the public # DNS servers provided by opendns.com. ;push "dhcp-option DNS 208.67.222.222" ;push "dhcp-option DNS 208.67.220.220" # Uncomment this directive to allow different # clients to be able to "see" each other. # By default, clients will only see the server. # To force clients to only see the server, you # will also need to appropriately firewall the # server's TUN/TAP interface. ;client-to-client # Uncomment this directive if multiple clients # might connect with the same certificate/key # files or common names. This is recommended # only for testing purposes. For production use, # each client should have its own certificate/key # pair. # # IF YOU HAVE NOT GENERATED INDIVIDUAL # CERTIFICATE/KEY PAIRS FOR EACH CLIENT, # EACH HAVING ITS OWN UNIQUE "COMMON NAME", # UNCOMMENT THIS LINE OUT. ;duplicate-cn # The keepalive directive causes ping-like # messages to be sent back and forth over # the link so that each side knows when # the other side has gone down. # Ping every 10 seconds, assume that remote # peer is down if no ping received during # a 120 second time period. keepalive 10 120 # For extra security beyond that provided # by SSL/TLS, create an "HMAC firewall" # to help block DoS attacks and UDP port flooding. # # Generate with: # openvpn --genkey --secret ta.key Link to openvpn https://openvpn.net/ # # The server and each client must have # a copy of this key. # The second parameter should be '0' # on the server and '1' on the clients. ;tls-auth ta.key 0 # This file is secret # Select a cryptographic cipher. # This config item must be copied to # the client config file as well. ;cipher BF-CBC # Blowfish (default) ;cipher AES-128-CBC # AES ;cipher DES-EDE3-CBC # Triple-DES cipher AES-256-CBC # AES-256 # Enable compression on the VPN link. # Don't enable this unless it is also # enabled in the client config file. comp-lzo # The maximum number of concurrently connected # clients we want to allow. ;max-clients 100 # It's a good idea to reduce the OpenVPN # daemon's privileges after initialization. # # You can uncomment this out on # non-Windows systems. ;user nobody ;group nogroup # The persist options will try to avoid # accessing certain resources on restart # that may no longer be accessible because # of the privilege downgrade. persist-key persist-tun # Output a short status file showing # current connections, truncated # and rewritten every minute. status openvpn-status.log # By default, log messages will go to the syslog (or # on Windows, if running as a service, they will go to # the "\Program Files\OpenVPN\log" directory). # Use log or log-append to override this default. # "log" will truncate the log file on OpenVPN startup, # while "log-append" will append to it. Use one # or the other (but not both). ;log openvpn.log ;log-append openvpn.log # Set the appropriate level of log # file verbosity. # # 0 is silent, except for fatal errors # 4 is reasonable for general usage # 5 and 6 can help to debug connection problems # 9 is extremely verbose verb 3 # Silence repeating messages. At most 20 # sequential messages of the same message # category will be output to the log. ;mute 20 ``` You need to edit the following lines: - Uncomment the line `tls-auth ta.key 0` by removing the semicolon at the beginning. This will enable the HMAC signature for your VPN server. - Uncomment the line `cipher AES-256-CBC` by removing the semicolon at the beginning. This will set the encryption cipher to AES-256, which is more secure than the default Blowfish. - Uncomment the lines `user nobody` and `group nogroup` by removing the semicolons at the beginning. This will reduce the privileges of the OpenVPN daemon after initialization, which is a good security practice. - Add the following lines at the end of the file. These lines will enable IP forwarding, NAT, and firewall rules for your VPN server. ```bash # Enable IP forwarding up /etc/openvpn/up.sh down /etc/openvpn/down.sh # Enable NAT for VPN clients push "route 10.8.0.0 255.255.255.0" push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" ``` After editing the lines, save and exit the file by pressing Ctrl+X, then Y, then Enter.
- Create the up.sh and down.sh scripts. The next step is to create the up.sh and down.sh scripts that will enable IP forwarding and NAT for your VPN server. To do that, enter the following commands:
sudo nano up.sh
This will open the up.sh file with the nano editor. Enter the following lines in the file:
#!/bin/sh # Enable IP forwarding echo 1 > /proc/sys/net/ipv4/ip_forward # Enable NAT for VPN clients iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
These lines will enable IP forwarding and NAT for VPN clients when the VPN server starts. Save and exit the file by pressing Ctrl+X, then Y, then Enter. Then, enter the following commands:
sudo nano down.sh
This will open the down.sh file with the nano editor. Enter the following lines in the file:
#!/bin/sh # Disable IP forwarding echo 0 > /proc/sys/net/ipv4/ip_forward # Disable NAT
client dev tun proto udp remote YOUR_VPS_IP 1194 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert client.crt key client.key tls-auth ta.key 1 cipher AES-256-CBC comp-lzo verb 3 ``` Replace YOUR_VPS_IP with the IP address of your VPS. Save the file as client.ovpn in a folder of your choice. Alternatively, you can copy the sample file from the OpenVPN directory by entering the following commands in a terminal emulator such as Termux or ConnectBot: ```bash cd /sdcard/Download scp root@YOUR_VPS_IP:/usr/share/doc/openvpn/examples/sample-config-files/client.conf . ``` Replace YOUR_VPS_IP with the IP address of your VPS. You may need to enter your password or confirm the host key during the process. Then, open the client.conf file with a text editor and edit the following lines: - Change the line `remote my-server-1 1194` to `remote YOUR_VPS_IP 1194` - Uncomment the line `tls-auth ta.key 1` by removing the semicolon at the beginning - Uncomment the line `cipher AES-256-CBC` by removing the semicolon at the beginning Save and rename the file as client.ovpn.
- Once you have the client files ready, you need to import them to the OpenVPN Connect app. To do that, launch the OpenVPN Connect app and tap on the menu icon at the top left corner. Then, tap on “Import” and choose “Import Profile from SD card”. Navigate to the folder where you saved the client.ovpn file and tap on it. You will see a screen that shows the profile details and settings. You can leave them as they are or change them according to your preferences. Then, tap on “ADD” to add the profile to the app.
- Now you are ready to connect to your VPN server. To do that, tap on the profile name and slide the switch to the right. You will see a window that asks for your permission to set up a VPN connection. Tap on “OK” to allow it. You will see a screen that shows the connection status and logs. Wait until you see the message “Connected”. This means that you are connected to your VPN server. You can also tap on the statistics icon to see the connection details, such as the IP address and the bandwidth. To disconnect from your VPN server, slide the switch to the left.
That’s it! You have successfully created and connected to your own VPN on Windows and Android. You can enjoy the benefits of a VPN, such as enhanced privacy, security, and freedom. You can also create VPN clients on other platforms using similar steps. I hope you found this blog post helpful and informative. If you have any questions or feedback, please feel free to leave a comment below. Thank you for reading and happy surfing! 😊
visit our website storysubscribe.live for moded apk’s
- Create the up.sh and down.sh scripts. The next step is to create the up.sh and down.sh scripts that will enable IP forwarding and NAT for your VPN server. To do that, enter the following commands: