
How to Make Your Own VPN: Virtual Private Network

© HackingSaga

Virtual private networks are gaining popularity among even the most casual of internet users. It’s no surprise: they’re easy to use, affordable, and protect your traffic on untrusted networks. Instead of signing up with a VPN service, though, some people choose to install and configure their own personal VPN on a virtual private server using OpenVPN.

Making your own VPN isn’t trivial, however. The process has many steps, almost all of them on the command line of a remote Linux server. We recommend that you brush up on SSH, the bash shell and the basics of TLS certificates before you begin.

Step 1: Get a Remote Server that Runs Ubuntu

There are many providers of scalable virtual private servers, but one of the easiest to use and most affordable is DigitalOcean. The company has a good guide on creating and doing the initial setup of an Ubuntu 16.04 server (a non-root user with sudo, SSH access and ufw enabled), which you should follow before beginning the rest of this VPN guide. Once complete, you’ll have a droplet configured and ready to go. Note that the certificate commands used below (make-cadir, vars, build-ca, build-key) belong to easy-rsa 2, the version Ubuntu 16.04 ships; later Ubuntu releases package easy-rsa 3, whose commands are different.

Step 2: Install OpenVPN

With your Ubuntu server up and running, your first step will be to install OpenVPN. First, log in to your server over SSH with the user you created during setup. Next, run each of the following commands. This installs OpenVPN as well as easy-rsa, the set of scripts we’ll use to run a small certificate authority in the next step.

You can type the commands listed below, or you can copy/paste them.

$ sudo apt-get update

$ sudo apt-get install openvpn easy-rsa

Step 3: Configure the Certificate Authority Directory

OpenVPN authenticates the server and each client with TLS certificates. These generally come from an external Certificate Authority (CA), but because our VPN ecosystem is entirely closed (we run it, we manage it, only we will be using it), we can run a small CA of our own on the Ubuntu server and have it sign the server and client certificates.

Enter the following command into the prompt:

$ make-cadir ~/openvpn-ca

Next, navigate to the folder you just created. If you’re not sure how to do that, simply type in the following into the command prompt:

$ cd ~/openvpn-ca

Step 4: Configure the Certificate Authority

Now we’ll set up our CA with some basic information. Type the following command and hit enter. It opens a text editor and displays the vars file:

$ nano vars

You don’t need to change most of what’s in the vars file. Scroll to the bottom and look for the following lines:

export KEY_COUNTRY="US"

export KEY_PROVINCE="NY"

export KEY_CITY="New York City"

export KEY_ORG="My-Organization"

export KEY_EMAIL="me@host.domain"

export KEY_OU="MyOrganizationalUnit"

Change the strings within the quotation marks to reflect your own information. As long as they’re not blank, you’ll be fine. Next, scroll down to find the KEY_NAME line. Change the string to match the following:

export KEY_NAME="server"

Save the file and close it; we’re done editing for now.

Step 5: Build the Certificate Authority

With the information in place, it’s time to create the Certificate Authority. Make sure you’re still in the CA directory we created before:

$ cd ~/openvpn-ca

Then type the following into the command prompt:

$ source vars

If everything went smoothly, you should see something like the following appear on screen (with your own username in place of sammy):

NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/sammy/openvpn-ca/keys

Clear out the environment by entering the following:

$ ./clean-all

Now build the root CA:

$ ./build-ca

A series of prompts will appear while your server follows the instructions you just gave it. Simply press enter at each of them until the process completes.

Step 6: Creating the Server’s Encryption Files

With the Certificate Authority in place, we can now generate the server’s certificate and private key, signed by that CA:

$ ./build-key-server server

Accept the default values the script suggests. Be sure to type “y” when asked to sign the certificate, and again when asked to commit it. Next we’ll create the Diffie-Hellman parameters OpenVPN uses for its key exchange. Type the following into the command prompt:

$ ./build-dh

This can take several minutes; that’s normal. Afterwards, generate a pre-shared HMAC key for OpenVPN’s tls-auth option by entering the following:

$ openvpn --genkey --secret keys/ta.key

That’s it for this step. To recap what each file is for: server.crt and server.key identify the server to clients and are signed by the CA built in Step 5; dh2048.pem holds the Diffie-Hellman parameters for the key exchange; and ta.key is a shared secret that every control-channel packet must carry a valid HMAC for, so unauthenticated packets sent to the port are dropped before any TLS handshake even begins.

Step 7: Creating the Client’s Certificate

In this step we’ll be creating a certificate and key pair for the client (your device) to use when connecting. Simply type the following commands into the prompt:

$ cd ~/openvpn-ca

$ source vars

$ ./build-key client1

Use the defaults the output suggests by hitting “enter” at the prompts.

Step 8: Configure OpenVPN

With all the certificates and key pairs created, we can finally start setting up OpenVPN. We’ll begin by copying the files the server needs into the “openvpn” folder. Note that ca.key is not among them: server.conf only references ca.crt, and the CA’s private key is what signs new client certificates, so it should stay in ~/openvpn-ca/keys (or somewhere better protected) rather than sit beside the running service:

$ cd ~/openvpn-ca/keys

$ sudo cp ca.crt server.crt server.key ta.key dh2048.pem /etc/openvpn

Now we’ll add a sample configuration file so we can open and edit it ourselves:

$ gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf

When the unzip completes, type the following to open the configuration file:

$ sudo nano /etc/openvpn/server.conf

With the server.conf file open in the nano editor, look for the line that matches the text below:

;tls-auth ta.key 0 # This file is secret

Remove the semi-colon from the beginning of this line to uncomment it. On the line directly below it, add the following:

key-direction 0

Scroll to the section of cipher options, where the encryption used for the data channel is chosen. Find the line below and remove the semi-colon to enable AES-128-CBC (AES-256-CBC is also fine; whichever you pick must be set identically in the client config later):

;cipher AES-128-CBC

Just below that line, add the following:

auth SHA256

Next, search for the user and group settings and remove the semi-colon to uncomment them. The lines should look like this when you’re done:

user nobody

group nogroup

While we have the server.conf file open, we might as well make some more convenience changes. First, locate the following line and remove the semi-colon so it’s no longer commented out. This tells clients to send all of their traffic through the tunnel:

;push "redirect-gateway def1 bypass-dhcp"

Below this line you’ll see a few lines marked dhcp-option. Uncomment them by removing the semi-colon:

;push "dhcp-option DNS 208.67.222.222"

;push "dhcp-option DNS 208.67.220.220"

Next you’ll want to change the port OpenVPN uses. The default is 1194 over UDP, which is fine for most users and most instances. We’re going for a little extra reach and will be switching to port 443 over TCP, a rarely-blocked combination that looks like HTTPS to restrictive networks. Two caveats: OpenVPN over TCP pays a throughput penalty (TCP inside TCP), so keep UDP/1194 where nothing blocks it, and port 443 must not already be in use by a web server on this host. Search for the “# Optional!” lines and change the port to 443:

# Optional!

port 443

Now change the protocol from UDP to TCP. If your sample config also contains an “explicit-exit-notify” line (present in OpenVPN 2.4 and later), comment it out as well: it is valid only with UDP, and OpenVPN will refuse to start with it set alongside proto tcp.

# Optional!

proto tcp

Save the file and close it.
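The edits above are easy to get half-right: a directive left with its leading semi-colon is still a comment, and a cipher set on one side but not the other fails the handshake. The following script is an added example, not part of the original guide, that audits a server.conf for the Step 8 settings using only awk and grep. The two config files it writes to a temp directory are constructed samples (the untouched default and the hardened result), not copies of a real server’s config.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): audit an OpenVPN server.conf
# for the Step 8 settings. Uses only awk/grep, so it runs anywhere.

# Print the value of an active (uncommented) directive, or nothing.
# OpenVPN treats lines starting with ';' or '#' as comments, so a
# directive that still carries its leading ';' is NOT in effect.
ovpn_get() {
    # $1 = config file, $2 = directive name
    awk -v d="$2" '
        /^[[:space:]]*[;#]/ { next }
        $1 == d { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Report each deviation from the guide's hardening; the return code is
# the number of findings (0 means clean).
audit_server_conf() {
    local conf="$1" findings=0 v

    v=$(ovpn_get "$conf" tls-auth)
    [ -n "$v" ] || { echo "MISSING: tls-auth (control channel has no HMAC protection)"; findings=$((findings + 1)); }

    v=$(ovpn_get "$conf" key-direction)
    [ "$v" = "0" ] || { echo "WRONG: key-direction must be 0 on the server (got '${v:-unset}')"; findings=$((findings + 1)); }

    # OpenVPN 2.3 falls back to BF-CBC when no cipher is set; insist on AES.
    v=$(ovpn_get "$conf" cipher)
    case "$v" in
        AES-128-CBC|AES-256-CBC|AES-128-GCM|AES-256-GCM) ;;
        *) echo "WEAK: cipher '${v:-unset, BF-CBC default}' should be an AES cipher"; findings=$((findings + 1)) ;;
    esac

    # The default data-channel HMAC is SHA1; the guide sets SHA256.
    v=$(ovpn_get "$conf" auth)
    case "$v" in
        SHA256|SHA384|SHA512) ;;
        *) echo "WEAK: auth '${v:-unset, SHA1 default}' should be SHA256 or stronger"; findings=$((findings + 1)) ;;
    esac

    [ "$(ovpn_get "$conf" user)" = "nobody" ]   || { echo "MISSING: user nobody (daemon keeps root after start)"; findings=$((findings + 1)); }
    [ "$(ovpn_get "$conf" group)" = "nogroup" ] || { echo "MISSING: group nogroup"; findings=$((findings + 1)); }

    # explicit-exit-notify is UDP-only; combined with proto tcp the daemon
    # refuses to start. This catches the 2.4 sample config after the TCP switch.
    if [ "$(ovpn_get "$conf" proto)" = "tcp" ] && [ -n "$(ovpn_get "$conf" explicit-exit-notify)" ]; then
        echo "ERROR: explicit-exit-notify is valid only with proto udp"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Demo on two constructed configs: the untouched defaults and the Step 8 result.
demo_dir=$(mktemp -d)
printf '%s\n' 'port 1194' 'proto udp' ';tls-auth ta.key 0 # This file is secret' \
    ';cipher AES-128-CBC' ';user nobody' ';group nogroup' > "$demo_dir/weak.conf"
printf '%s\n' 'port 443' 'proto tcp' 'tls-auth ta.key 0 # This file is secret' 'key-direction 0' \
    'cipher AES-128-CBC' 'auth SHA256' 'user nobody' 'group nogroup' > "$demo_dir/hardened.conf"
for f in weak hardened; do
    echo "== $f.conf"
    if audit_server_conf "$demo_dir/$f.conf"; then echo "clean"; fi
done
rm -rf "$demo_dir"
```

Run it against the real file with `audit_server_conf /etc/openvpn/server.conf` after sourcing the script; a non-zero exit code is the count of things still to fix.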

Step 9: Adjusting Network Settings

In this step we’ll be configuring OpenVPN so it can forward traffic, an essential function of any VPN. We’ll start by opening a config file and doing some editing.

$ sudo nano /etc/sysctl.conf

Search for the line listed below and remove the hash character (number sign, or #) to uncomment the setting:

# net.ipv4.ip_forward=1

Save and close the file, then run this command to adjust the values:

$ sudo sysctl -p

Now we'll set the server's firewall so it can properly manipulate traffic. The first thing to do is find the public network interface of our server machine. Type the following into the command prompt:

$ ip route | grep default

The output will display a line of information. Just after the word “dev” is the interface name. In the example below that name is “wlp11s0”; on a cloud server it is more likely to be “eth0” or “ens3”, so use whatever yours shows:

default via 203.0.113.1 dev wlp11s0  proto static  metric 600

Now we edit the rules file to add the above name in the appropriate place. Start by typing this into the command prompt:

$ sudo nano /etc/ufw/before.rules

The NAT rules OpenVPN needs are not in this file by default, so you will add them. Scroll to the line that reads “*filter” (near the top, after the header comments) and insert the following block directly above it, replacing XXXX with the interface name you found a moment ago. The “*nat” and “COMMIT” lines are required: a bare “-A POSTROUTING” line on its own makes ufw fail to load the file. The 10.8.0.0/24 range matches the default “server 10.8.0.0 255.255.255.0” directive in server.conf; if you changed that, use your range here:

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients out through the public interface
-A POSTROUTING -s 10.8.0.0/24 -o XXXX -j MASQUERADE
COMMIT
# END OPENVPN RULES

Now save and close the file.

Next on the list is telling our firewall to forward packets. Open the firewall file by typing the command below:

$ sudo nano /etc/default/ufw

Search for the line marked “DEFAULT_FORWARD_POLICY”. Change “DROP” to “ACCEPT”. When you’re done, it should look like the following:

DEFAULT_FORWARD_POLICY="ACCEPT"

Now save and close the file.

For the last part of this step we’ll adjust the firewall’s settings to allow traffic to OpenVPN. Type the following commands into the prompt, using the port settings we configured above:

$ sudo ufw allow 443/tcp

$ sudo ufw allow OpenSSH

Now we’ll disable then re-enable the firewall to load the changes we just made. Enter each of these commands into the prompt:

$ sudo ufw disable

$ sudo ufw enable

The server is now set up to handle OpenVPN traffic, and your VPN is a lot closer to being ready to go.
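Step 9 has you read the interface name off `ip route` and hand-edit before.rules; both steps are easy to get wrong. The script below is an added example, not part of the original guide, that derives the interface and the VPN subnet from a server.conf and inserts the NAT block above “*filter” in a copy of before.rules, skipping the insert if the block is already there (a duplicated “*nat” table breaks `ufw enable`). The default-route line and the before.rules file it operates on are constructed samples; nothing here touches the live firewall.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): compute the Step 9 values
# and generate the ufw NAT block. Nothing here modifies the live firewall.

# Interface name following "dev" in a default-route line from `ip route`.
default_iface() {
    # $1 = e.g. "default via 203.0.113.1 dev eth0 proto static metric 100"
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Dotted netmask -> prefix length (255.255.255.0 -> 24). Fails on an octet
# that is not a valid mask byte or on a non-contiguous mask (255.0.255.0).
mask_to_prefix() {
    local bits=0 ended=0 octet
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        if [ "$ended" -eq 1 ] && [ "$octet" != "0" ]; then return 1; fi
        case "$octet" in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)); ended=1 ;;  252) bits=$((bits + 6)); ended=1 ;;
            248) bits=$((bits + 5)); ended=1 ;;  240) bits=$((bits + 4)); ended=1 ;;
            224) bits=$((bits + 3)); ended=1 ;;  192) bits=$((bits + 2)); ended=1 ;;
            128) bits=$((bits + 1)); ended=1 ;;  0) ended=1 ;;
            *) return 1 ;;
        esac
    done
    echo "$bits"
}

# Read "server 10.8.0.0 255.255.255.0" from server.conf and print 10.8.0.0/24,
# so the MASQUERADE rule covers exactly the VPN pool and nothing wider.
vpn_subnet_cidr() {
    # $1 = path to server.conf
    local net mask prefix
    set -- $(awk '/^[[:space:]]*[;#]/ { next } $1 == "server" { print $2, $3; exit }' "$1")
    net=$1; mask=$2
    [ -n "$net" ] && [ -n "$mask" ] || return 1
    prefix=$(mask_to_prefix "$mask") || return 1
    echo "$net/$prefix"
}

# The nat table ufw needs. It must sit above the existing "*filter" line in
# before.rules and be closed with its own COMMIT.
ufw_nat_block() {
    # $1 = egress interface, $2 = VPN subnet in CIDR form
    cat <<EOF
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients out through $1
-A POSTROUTING -s $2 -o $1 -j MASQUERADE
COMMIT
# END OPENVPN RULES
EOF
}

# Insert the block above the first "*filter" line of a before.rules file.
# Idempotent: a second run leaves the file untouched. Returns 1 if the file
# has no "*filter" line to anchor on.
patch_before_rules() {
    # $1 = before.rules path, $2 = interface, $3 = CIDR
    grep -q '^# START OPENVPN RULES' "$1" && return 0
    local blk
    blk=$(ufw_nat_block "$2" "$3")
    awk -v blk="$blk" '!done && /^\*filter/ { print blk; done = 1 } { print }' "$1" > "$1.new" \
        && mv "$1.new" "$1" \
        && grep -q '^# START OPENVPN RULES' "$1"
}

# Demo on constructed input: a default-route line and a minimal before.rules.
demo=$(mktemp -d)
printf '%s\n' 'server 10.8.0.0 255.255.255.0' > "$demo/server.conf"
printf '%s\n' '# rules.before' '*filter' ':ufw-before-input - [0:0]' 'COMMIT' > "$demo/before.rules"
iface=$(default_iface "default via 203.0.113.1 dev eth0  proto static  metric 100")
patch_before_rules "$demo/before.rules" "$iface" "$(vpn_subnet_cidr "$demo/server.conf")"
cat "$demo/before.rules"
rm -rf "$demo"
```

On the real server you would run `patch_before_rules` against a copy of /etc/ufw/before.rules, review the diff, then install it and continue with the DEFAULT_FORWARD_POLICY and `ufw allow` steps above.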

Step 10: Starting the OpenVPN Service

With most of the basic configurations taken care of, we can finally start OpenVPN and get our server going. Begin by typing the following line into the command prompt:

$ sudo systemctl start openvpn@server

The start command prints nothing on success. To confirm the service came up, run `sudo systemctl status openvpn@server`; the line marked “Active:” should read “active (running) since…” followed by a date. If it says “failed”, `sudo journalctl -u openvpn@server` will show which directive OpenVPN objected to. Next, type the following line so OpenVPN starts automatically every time your server boots:

$ sudo systemctl enable openvpn@server

Step 11: Client Configurations

Now we’ll prepare the configuration your devices will use to connect. First we’ll create a directory to hold client related files, then restrict it to your own user, since the files generated into it will contain private keys:

$ mkdir -p ~/client-configs/files

$ chmod 700 ~/client-configs/files

Now we’ll copy an example configuration file so we can edit it:

$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf

Open the file in a text editor:

$ nano ~/client-configs/base.conf

Scroll to find the line that starts with the “remote” directive. Replace the placeholder with your server’s public IP address and set the port to the one you chose above, which should be 443:

remote server_IP_address 443

Change the line below marked “proto” to say “tcp”, again matching the options we set above:

proto tcp

Find the “user” and “group” lines and uncomment them by removing the semi-colon:

user nobody

group nogroup

Locate the ca, cert, and key lines and comment them out by adding a hash at the beginning. When you’re done, they should look like this:

#ca ca.crt

#cert client.crt

#key client.key

Change the “cipher” and “auth” settings to match the ones we set above. If you followed this guide, the lines will look like this when you’re done:

cipher AES-128-CBC

auth SHA256

Next, anywhere in the file add a new line and type the following:

key-direction 1

And finally, copy and paste the following commented out lines into the bottom of the file:

# script-security 2

# up /etc/openvpn/update-resolv-conf

# down /etc/openvpn/update-resolv-conf

Save your changes and exit the editor.

The next step is to create a script that will compile everything we just made, configuration files, certificates, cipher keys, and all. Start by creating a file in the ~/client-configs directory called “make_config.sh”, then open it using nano. Paste the following code into the script:

#!/bin/bash
# Usage: ./make_config.sh <client-identifier>
# Bundles base.conf plus the CA certificate, the client's certificate and
# key, and the tls-auth key into a single .ovpn file the client can import.
KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Without a client name the script would write an unusable file; stop early.
if [ -z "$1" ]; then
    echo "Usage: $0 <client-identifier>" >&2
    exit 1
fi

cat "${BASE_CONFIG}" \
    <(echo -e '<ca>') \
    "${KEY_DIR}/ca.crt" \
    <(echo -e '</ca>\n<cert>') \
    "${KEY_DIR}/${1}.crt" \
    <(echo -e '</cert>\n<key>') \
    "${KEY_DIR}/${1}.key" \
    <(echo -e '</key>\n<tls-auth>') \
    "${KEY_DIR}/ta.key" \
    <(echo -e '</tls-auth>') \
    > "${OUTPUT_DIR}/${1}.ovpn"

Save the file and exit. Next, make the file executable by typing the following command:

$ chmod 700 ~/client-configs/make_config.sh
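The script above trusts its argument and its inputs completely: a typo in the client name silently produces a bundle with missing sections, a second run overwrites an earlier file, and the result is created with your default umask even though it holds a private key. The following is an added example, not the guide’s own script, of a stricter variant of the same idea. It rejects client names containing anything but letters, digits, “-” and “_”, checks every input exists and contains a PEM block, embeds only the PEM blocks (easy-rsa prefixes .crt files with a human-readable dump that the client does not need), refuses to overwrite, and writes the .ovpn with mode 0600. The files it creates in a temp directory are placeholders, not real keys.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): a stricter way to assemble a
# client .ovpn. Placeholder inputs below are constructed, not real key material.

# Only letters, digits, '-' and '_' make acceptable client identifiers; anything
# else (empty, "../x", spaces) would escape the key directory or break paths.
valid_client_id() {
    case "$1" in
        "" | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print only the PEM block(s) of a file. easy-rsa prepends a text dump to .crt
# files and ta.key starts with comment lines; neither belongs in the bundle.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_ovpn <client-id> <key-dir> <base.conf> <output-dir>
# Return codes: 0 ok, 2 bad id, 3 missing input, 4 no PEM block, 5 would overwrite.
build_ovpn() {
    local id="$1" keydir="$2" base="$3" outdir="$4" f out
    valid_client_id "$id" || { echo "invalid client id: '$id'" >&2; return 2; }
    for f in "$base" "$keydir/ca.crt" "$keydir/$id.crt" "$keydir/$id.key" "$keydir/ta.key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 3; }
    done
    for f in "$keydir/ca.crt" "$keydir/$id.crt" "$keydir/$id.key" "$keydir/ta.key"; do
        [ -n "$(pem_block "$f")" ] || { echo "no PEM block in: $f" >&2; return 4; }
    done
    out="$outdir/$id.ovpn"
    [ ! -e "$out" ] || { echo "refusing to overwrite: $out" >&2; return 5; }
    # Subshell so the restrictive umask does not leak into the caller's shell.
    (
        umask 077
        {
            cat "$base"
            printf '<ca>\n';       pem_block "$keydir/ca.crt";  printf '</ca>\n'
            printf '<cert>\n';     pem_block "$keydir/$id.crt"; printf '</cert>\n'
            printf '<key>\n';      pem_block "$keydir/$id.key"; printf '</key>\n'
            printf '<tls-auth>\n'; pem_block "$keydir/ta.key";  printf '</tls-auth>\n'
        } > "$out"
    )
}

# Demo on constructed placeholder files (not real certificates or keys).
demo=$(mktemp -d); mkdir "$demo/keys" "$demo/files"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA' '-----END CERTIFICATE-----' > "$demo/keys/ca.crt"
printf '%s\n' 'Certificate:' '    Data:' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CLIENT1' \
    '-----END CERTIFICATE-----' > "$demo/keys/client1.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END PRIVATE KEY-----' > "$demo/keys/client1.key"
printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' '-----BEGIN OpenVPN Static key V1-----' \
    'PLACEHOLDER-TA' '-----END OpenVPN Static key V1-----' > "$demo/keys/ta.key"
printf '%s\n' 'client' 'remote 203.0.113.10 443' 'proto tcp' 'key-direction 1' > "$demo/base.conf"
if build_ovpn client1 "$demo/keys" "$demo/base.conf" "$demo/files"; then
    ls -l "$demo/files/client1.ovpn"
fi
rm -rf "$demo"
```

With real paths the call is `build_ovpn client1 ~/openvpn-ca/keys ~/client-configs/base.conf ~/client-configs/files`; the non-zero return codes tell you which precondition failed instead of leaving a half-built file behind.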

Step 12: Setting Up Your Devices

You’re almost there! In this step we’ll generate the client’s .ovpn file, which bundles base.conf with the CA certificate, the client’s certificate and key, and ta.key into one file the client app can import. Use the following commands to do that:

$ cd ~/client-configs

$ ./make_config.sh client1

Now we’ll transfer the configuration file to our devices. Because the .ovpn contains the client’s private key, move it only over an encrypted channel. From a Linux or Mac terminal, `scp user@your_server_ip:client-configs/files/client1.ovpn .` does it using your SSH credentials; on Windows, use an SFTP client such as FileZilla (free and open source; choose SFTP, not plain FTP) with the same credentials, and navigate to the following directory on your server:

~/client-configs/files

Download the file marked “client1.ovpn”. This contains all the information your local copy of OpenVPN will need to connect to your server.

Now you’ll need to install OpenVPN on your computer, smartphone, tablet, and any other device you plan on using with your VPN.

Windows:

  • Download OpenVPN and install it to your computer.
  • Copy the client1.ovpn file to OpenVPN’s installation directory and put it in the “config” directory.
  • Right click on the OpenVPN desktop shortcut and go to “Properties”
  • Click “Compatibility” then “Change settings for all users”
  • In the next window, check “Run this program as administrator”
  • Launch OpenVPN as an administrator. If it pops up warning messages, accept them.
  • Enjoy surfing the web using your very own virtual private network!

Mac:

  • Download and install Tunnelblick, the free and open source OpenVPN client for Mac.
  • When the installation asks if you have any configuration files, simply say “No”.
  • Afterwards, open a finder window and double click “client1.ovpn”.
  • Launch Tunnelblick.
  • Click on the icon in the top corner of the screen and choose “Connect”
  • Select the “client1” connection.
  • Enjoy your own personal VPN!

Linux:

Install OpenVPN with the following commands:

$ sudo apt-get update

$ sudo apt-get install openvpn

Now edit the configuration file you downloaded in the step above:

$ nano client1.ovpn

Uncomment the following three lines:

script-security 2

up /etc/openvpn/update-resolv-conf

down /etc/openvpn/update-resolv-conf

Save and close the file. You can now connect to your VPN by using the following command:

$ sudo openvpn --config client1.ovpn

Android:

  • Install the OpenVPN client for Android.
  • Transfer client1.ovpn to your device, either through a USB connection or via cloud storage.
  • Run the OpenVPN app and tap the menu button in the top right.
  • Choose “Import”, then navigate to the ovpn file’s location and import the file
  • Tap the “Connect” button from OpenVPN’s main menu.

iOS:

  • Install OpenVPN for iOS.
  • Connect your iOS device to a computer and copy the client1.ovpn file to OpenVPN through iTunes.
  • Disconnect and launch OpenVPN. A notification will appear saying a new profile is available.
  • Tap the green plus sign to import your settings.
  • Slide the connect button to “on” to use your VPN.

Step 13: Test Your VPN

Now that you’ve gone through this entire process, it’s time to verify your VPN is working. With the VPN disconnected, go to DNSLeakTest; it should display your real IP address and location, and the standard test should list your ISP’s DNS resolvers. Connect the VPN and refresh the page. The IP address shown should now be your server’s, and the DNS servers listed should be the OpenDNS addresses pushed by server.conf rather than your ISP’s. If the IP changes but the resolvers do not, DNS is leaking outside the tunnel; on Linux, check that the update-resolv-conf lines in client1.ovpn were uncommented.
