I don’t write a lot of articles for my blog but when I do, it’s one that either impacts me a lot or one that I feel will benefit the general public. Regarding virtual private networks (VPN), I wrote about it a while ago when I initially had a hunch that my ISP was throttling my bandwidth to Twitch. I confirmed it by connecting to a VPN first and then watching a stream. Indeed, all was back to normal. VPNs are even more important than ever at the time I’m writing this article because reality is finally starting to creep in for a lot of folks that our privacy on the Internet is no longer only required for the “geeks” and “paranoids” but for every single person as well. With net neutrality going away, our ISP will now have the ability to “classify” different online services. Want to watch HD videos on YouTube? Well, that will be an extra $5.99 a month. Streaming more than 10GB of video a month binging Netflix? That will cost another $4.99 per month. I can obviously write a whole article on this subject matter but the fact of the matter is, stocks for online VPN services have risen through the roof because more and more users are aware that hiding our traffic from Big Brother (whether from the government or our ISP) is needed. In this article, I will show you a very cost effective way to build your own Linux virtual private server (VPS) and install the popular OpenVPN software on it. When completed, you will then be able to connect to your online VPS server and securely browse the Internet without Big Brother recording your every move.
Please jump ahead if you already have general knowledge of what a VPS and a VPN are.
What is a Virtual Private Server?
A VPS is exactly what it sounds like: your very own virtual private server. It is hosted in a datacenter of a VPS provider of your choice. Your vendor takes care of everything from the underlying physical infrastructure to the networking/cabling and software aspects. They make sure that a VPS that you create is containerized and virtually isolated from all of the other VPS instances of their other clients. To put it in even more simple terms, think of it as your very own Linux or Windows box hosted online. Your provider typically doesn’t care what you install or do within the operating system. They just make sure that your VPS is up and running at all times.
The awesome part about purchasing a VPS instance is that you can get anything from a very low end box for just a few bucks a month to monster machines loaded with hundreds of gigabytes of memory, CPUs and SSD disk space. Depending on your vendor, your VPS instance can scale in resources based on how you want that server configured for that certain time period. So while one month you could have a VPS with just 1 vCPU, 1GB of RAM and 10GB of disk space, you could scale that to 8 vCPU and 100GB of RAM the very next.
For the purposes of our demonstration here, the VPS we will need to procure is of the minimal type. This is perfect because it cuts down on costs. As with most online services, we are also looking for a couple of important factors when choosing a VPS vendor. Three important ones to consider for our case here are uptime, network transfer and cost. Incredibly, the amount of vCPU, RAM and disk space is actually not the real big concern here. I’ll go over this more a bit later.
Why You Should Create Your Own VPN Server
This was definitely something I initially wanted to do for myself but decided against it simply because it wasn’t beneficial at the time. When I first purchased my VPN service from an online provider that specializes in providing VPN services only, it was at a time when VPN was popular but nowhere near what it is today. VPN servers were usually utilized in businesses and corporations that needed a way for their employees and remote offices to all be networked securely together over the Internet. I purchased a lifetime subscription to that VPN service and everything was working fantastic. I actually couldn’t believe the speeds I was getting. Usually when you connect to a VPN, your speeds typically take a dip simply because there is more overhead. However, I was seeing speeds close to what I got without the VPN! I was literally surfing the Internet and downloading files as if I wasn’t connected to that VPN service at all. Well, once the VPN market exploded, more and more people started signing up to the same VPN service I was using and as you could imagine, their servers couldn’t really handle the spike in traffic and load. The results? My speeds also took a huge nose dive and I started noticing the lag and poor download speeds. Although I was able to easily switch between different VPN locations the service provider had to offer, none really helped. It recently got unbearable for me and so rather than purchasing another service and placing my bets on them, I decided to do what I initially had wanted to do for a long time and that is to build and own my very own VPN server on the web.
Pros of owning your own VPN server:
- You own the server. – Technically your VPS hosting provider “owns” the server but from our standpoint, we are in complete control of everything and anything that goes on in the server. There is no outside interference from a third party. That also means you wouldn’t have to “trust” your VPN provider. Just because a company says that they don’t keep logs of what you do while connected to their VPN service doesn’t actually mean they don’t. Who knows? I’m willing to bet money that many of the smaller and cheaper providers literally just copy and paste legal documents found elsewhere and slap them on their website in hopes of luring in potential customers. By owning your own server, you’re able to rest assured that you are the only person that should have access to that server.
- Dedicated public IP. – If you want a consistent public IPv4 address, most VPS companies will provide you with one when you purchase a server from them. Extra public IPs obviously will cost you extra. I believe VPN service providers also give you this option although it really depends. Some might force you to pay for a dedicated server (similar to what we’re doing here) in order to be able to assign you a dedicated public IP.
- Predictable performance. – Because you’re not sharing servers with potentially hundreds of other users, performance for your VPS can be considered predictable or at least consistent on a daily basis.
Cons of owning your own VPN server:
- Complexity. – This one should be obvious. Most people aren’t comfortable with installing and most importantly, managing, their own VPN software/server on a Linux machine.
- Dedicated public IP. – Yes, this can also be considered a con. Most VPS vendors give you one dedicated public IP for use with your server. If you get that IP blacklisted on certain sites, then you’ll have to request a new one from your VPS vendor and most likely pay a cost. With most online VPN services, they have a pool of public IP addresses to reuse. However, keep in mind other users of the service could also get a certain public IP address blacklisted.
- Locality. – If you need to be able to connect to many different locations, a dedicated server is not what you want. In most cases, your VPS server will reside in one region only. So, if you want to be able to connect to a VPN in Japan or Hong Kong to be able to watch certain online programs and your VPS is located in the United States, then this will be hard to accomplish with a dedicated VPS instance. Many online VPN services allow you to choose a location to connect as your VPN endpoint. Usually, the more you pay the more endpoint locations you’ll be able to choose from.
In my situation, being able to get maximum speed out of my VPN connection and therefore getting a good user experience each and every time far outweighed the cons of having to deal with managing my own VPS server. As you’ll see in a bit, the procedure I’m about to show you is pretty much dead simple. It’s basically a set-it-and-forget-it type of ordeal. Once you have everything configured, you’ll rarely have to check on your VPS.
So let’s begin!
Building Your Very Own VPN Server
First things first. We obviously need to choose a VPS vendor to host our Linux box and believe it or not, this is the hardest part, not the actual installation and configuration of OpenVPN itself! Fortunately, many vendors allow you to either pay for your server on a month to month basis or annually with the latter obviously saving you more money. To be perfectly honest with you folks right now, I have absolutely no clue which VPS vendor is best. I actually took a leap of faith with the vendor I chose simply because the holiday deal they got going on was just too sweet to pass up on! I haven’t even heard of them prior to this!
Choosing Your Vendor
Be mindful, there are a lot and I mean a lot of unheard of vendors out there that attempt to lure in clients simply by offering their solutions at the cheapest price possible. It’s up to you to do some research on them. Truth be told, all vendors I researched had good reviews while also having a lot of bad ones as well.
While searching for your VPS vendor, also keep in mind the other important factor: network bandwidth per month. With a VPN, we’ll be configuring it so that once connected, all of your Internet traffic will pass to your VPN server and from there back to you. Therefore, the more you download and stream videos, the more bandwidth you will need out of your VPS per month. If you’ll just be occasionally using your VPN for basic stuff such as browsing the web and the occasional video/music streaming, you may be able to get away with 500GB of bandwidth or less per month. If you’re a heavy user and you’ll be connected to your VPN constantly, you’ll need more than that. As for vCPU, RAM and disk space, my advice is that you can usually get away with the lowest/cheapest configuration possible for a Linux VPS. I’ve tried this on a VPS with just 1 vCPU, 1GB RAM and 8GB SSD drive and my VPN connection was still blazing fast.
Here are some of the more popular VPS vendors I came across (all links below are non-affiliate links as I am not a reseller nor a promoter for any of these vendors):
The vendor that I chose to go with to host my VPS is from a company called HostMyBytes. At the time I wrote this, I found an incredible deal from them over at lowendbox.com. Not only did they offer one free month but my server consisting of 2 vCPU, 1GB of RAM, 80GB of disk storage along with a huge bandwidth of 3TB data transfer per month was only going to cost me $18 per year! Two days of lunch costs more than that! Like I said earlier, this was too good a deal to pass up and so I took the bait and am hoping for the best. Because my server is not business critical nor will human lives be lost if I can’t connect to it, I can afford for the server to have downtime throughout the year.
It is VERY IMPORTANT that prior to purchasing your server that you find out whether or not it is possible to enable the TAP/TUN adapter feature for your VPS. My VPS initially had this feature turned off and my OpenVPN server would not start and was complaining about not being able to find the file/directory related to /dev/tun. I tried methods to enable it within my Ubuntu box but to no avail. I then realized that I had to login to another admin interface/website and enable this adapter feature on my VPS. Once I did so, my OpenVPN server service started up immediately. If you have doubts, simply contact your VPS vendor of choice and ask. They know that many clients use their VPS as a VPN endpoint so they should immediately be able to help answer this question.
Once you’ve purchased your VPS server, you should receive an email from your vendor regarding information on how to login to their admin interface to view the status of your VPS as well as information on how to login/SSH to it. The version of Ubuntu Server I am using is version 16.04. Because Ubuntu server has no graphical interface, you’ll need something like Putty to login to your VPS. Your email from the vendor should have provided you with the credentials to login to the root account.
Although possible, I would not recommend using a Windows VPS as your OpenVPN server. Windows Server with a GUI interface obviously uses a lot more resources than a Linux server and so just that fact alone will force you to purchase a VPS with more resources which in turn drives the costs up.
Installing OpenVPN Access Server
OpenVPN has two editions: Access Server and Community edition. Access Server edition is what we’ll be using here because it is the easiest to get up and running for novice users. The other advantage with this edition is the admin GUI interface it installs. Rather than having to dig through documentation on how to adjust certain settings of your server via the command line, this GUI interface allows you to configure things in a very nice GUI website right inside your browser. Think of it like configuring your home router. The bad news with this edition is that it is limited to just 2 concurrent users. If you need more, then licenses will be required. The Community edition has no such limitations but it is harder to configure initially and not as novice friendly as Access Server. My demo here is performed on an Ubuntu virtual machine hosted on Amazon EC2. The instructions should be virtually identical no matter where your Ubuntu VPS is hosted at. Once you are able to login as the root user, the procedures here should apply to your Ubuntu server as well.
First, login to your Ubuntu VPS with Putty. The information should have been provided to you from your vendor.
Next we’ll want to make sure that our server is as up to date as it can be so copy and paste this command and hit Enter:
sudo apt update
To actually perform the update, copy and paste below and hit Enter. Confirm by pressing Y and Enter again when asked to.
sudo apt upgrade
Next, we’ll need to download the latest version of OpenVPN Access for Ubuntu. To get the URL for the latest version, head over to this site and copy the link location for your Ubuntu version as seen in the below screenshot.
Once you have the link copied, in your Ubuntu session, type in the below but remember to replace the HTTP URL link with the one you have copied:
Once the download finishes, install it by typing the command below and again, replace the executable name with the one you actually downloaded if it’s different than what I have here:
sudo dpkg -i openvpn-as-2.1.12-Ubuntu16.amd_64.deb
And………that’s it! Just like that we have OpenVPN Access Server edition installed. Now it’s time to configure it. Not too bad, right?
Configuration of OpenVPN Access Server
Although the server is now ready to be configured via the web GUI, I actually like to run through the setup manually to set a couple of things prior to logging in the first time. To do that, type in:
/usr/local/openvpn_as/bin/ovpn-init
Type the word DELETE in all uppercase and hit Enter.
Type ‘yes’ to agree to the licensing terms.
When asked if this will be the primary Access Server node, hit Enter.
For the interface question, I usually select ‘all interfaces’ so type the number 1 and hit Enter.
For the Admin Web UI port number, stick with the default of 943 and hit Enter.
For the TCP port number of the OpenVPN Daemon, stick with default of 443 and hit Enter.
Select yes to have all client traffic route through the VPN.
Select yes to have client DNS traffic route through the VPN.
Select default of no for local authentication via internal DB.
Type in no when asked if clients should have access to private subnets.
Select default of yes when asked if you want to login to Admin UI as openvpn user account.
Hit Enter when asked for license key.
OpenVPN will then do its thing. When it finishes, our last step is to then change the password of our openvpn user master account. Because this account is very important, you’ll want to create a very strong password for it. You should only use this account to login to the web admin GUI and not as a VPN user. For that we will create other regular user accounts later. To change the password, type in:
passwd openvpn
You’ll be asked to type in the new password twice. Do note that the terminal prompt won’t show you the characters as you type. Once successfully changed, it’s time to login to the admin GUI for the first time!
OpenVPN Access Server Admin GUI Login
To login to your server’s admin GUI page in a browser, type in:
https://your-public-ip/admin
You will get an SSL error page but ignore it and continue. You’ll want to login with the openvpn account and password. Once logged in, the first thing you’ll want to check is the Server Status. The server should be currently ‘ON’. If it is in the ‘OFF’ status, click the Start Server button and hopefully it should start. If not, it should produce an error message on why. This is where I got the error regarding the TAP/TUN device being missing prior to realizing I had to activate this device/feature on my VPS via a control panel offered by my vendor.
Click on the Server Network Settings link next. The most important configuration to make here is to change the hostname or IP address of your server. By default, it should list the private IP address or a non-routable hostname of your server. When you connect to your OpenVPN server using the OpenVPN client, a profile is actually downloaded and used by the client to get the appropriate connection settings. If you leave this field as is, the profile used by the client will not be able to reach the server. Therefore, you will need to either type in the public IP address of your VPS server or if you have your own domain name registered, then the FQDN that can be used once you have registered the proper DNS record. For example, you could have a DNS A record mapping your server name of myvpnserver.myawesomedomain.com to the public IP address of your VPS server. Remember to hit the Save Settings button at the bottom and then the Update Running Server button afterwards to make the setting stick.
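A quick way to confirm from inside the VPS that the TUN device is actually usable, as an added example that is not part of the original walkthrough. It assumes the standard Linux device path /dev/net/tun; the function name tun_status is made up for this example.

```shell
#!/bin/sh
# Classify the state of the TUN device node that OpenVPN needs.
# Usage: tun_status [path]   (path defaults to /dev/net/tun, an assumption:
# the standard location on Linux)
tun_status() {
    dev="${1:-/dev/net/tun}"
    if [ ! -e "$dev" ]; then
        # Node absent: the TUN/TAP feature is switched off for this VPS.
        echo "missing"
        return 1
    fi
    if [ ! -c "$dev" ]; then
        # Something exists at that path but it is not a character device.
        echo "not-a-device"
        return 1
    fi
    # Reading from a working but unconfigured TUN node fails right away with
    # "File descriptor in bad state". Any other error means the node exists
    # but the host is not letting this VPS use it.
    err=$(LC_ALL=C cat "$dev" 2>&1 >/dev/null) || true
    case "$err" in
        *"File descriptor in bad state"*)
            echo "ok"
            return 0
            ;;
        *)
            echo "blocked: $err"
            return 1
            ;;
    esac
}

# Report the state of the default device on this machine.
tun_status || true
```

Anything other than "ok" means the feature still has to be enabled in the vendor’s control panel, since it cannot be fixed from inside the VPS.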
Next, head over to the VPN Settings link and scroll to the DNS settings portion. My preferred option is to enable the “Have clients use these DNS servers” setting and manually provide the DNS servers I’d want to use when connected to my VPN. I’m the only user of my server so I’ll set it to OpenDNS as that’s what I normally use. Remember to save the settings and update the running server config.
Believe it or not, we are actually ready to begin testing! At this point, you can either test with the default openvpn user account or create a new user account. Per best practices, we should create our own personal user account to use to authenticate to our OpenVPN server so let’s do that here.
Log back into Ubuntu via Putty and create a new user by typing:
useradd Joe
To change the password of this user, type in:
passwd Joe
Connecting to our OpenVPN Server
Before we connect to our server, take note of your current public IP address by going to the IP Chicken website:
Another stat to note is your current Internet speed prior to connecting to your VPN. You can perform a speedtest of your current connection by going here:
To download the OpenVPN client, we once again login to our server via the browser but this time, we omit the /admin portion of the site. Instead, we head over to https://your-server-ip. You’ll be presented with the login prompt and this time, you can login with the user account you’ve just created instead of using openvpn. Download the client for your OS and install as you normally would. Depending on your environment and OS, OpenVPN will immediately try to connect you to your server by pushing the profile down to your computer. If this does not work, we’ll connect manually.
Right-click on the OpenVPN client from your system tray (orange icon) and select Connect. In the Hostname field, type in either the public IP address of your server or the FQDN if you’ve set it up in your public DNS zone. Now simply enter in the user authentication credentials for your user account and hit Connect. You’ll be presented with two warning prompts regarding an untrusted SSL certificate and unverified profile. Hit the Yes button for both.
If all goes well, you should be now connected to your OpenVPN server!
Once connected, head back over to IP Chicken and note that the public IP address of your computer is now the same as the one used for your VPS server! All of your Internet traffic is now being routed securely to your VPN server before heading to its final destination! All return traffic similarly will be returned from your VPS server to your computer through the VPN tunnel! You’re now making it very difficult for outsiders and your ISP to see what you’re doing inside that VPN tunnel.
Another very important test is to see if there is any DNS leak. To put it simply, you don’t ever want a DNS query you make when connected to your VPN to ever go to another DNS server besides the one we’ve specified in our configuration. You should never see a DNS server from your ISP listed. In my example, I chose to go with OpenDNS so that’s all I should ever see in my test. Head over to the DNS leak website and perform an extended test.
In regards to my speed test after connecting to the VPN, here are my results:
As you can see, I’m getting pretty much my full Internet speed even when connected through my VPN. That’s what I like to see!
To disconnect from your VPN, right-click on the OpenVPN icon and select the Disconnect option.
To see how your VPS is performing while you’re connected, head back to your Putty session while connected to your VPS and type in the word top and press Enter. Think of top as the equivalent of Task Manager in Windows. Once top loads, press the letter c to switch to CPU stats view. Generate traffic by streaming a couple of HD videos from different sources simultaneously. Below are my stats when streaming Spotify, a 1080p Youtube and Twitch stream at the same time. It only spiked up to a maximum of 14% and then quickly dropped back to nothing. You can exit out of top by hitting ctrl+c on your keyboard. Log out of your VPS by typing exit and then Enter.
Depending on your situation and VPS vendor, you’d rarely have to log directly into your VPS server again unless you have to create new users. It is however a good idea to login to your web admin page using your openvpn account and check the logs to verify that your server hasn’t been hacked. But of course, if your server got hacked, the bad guys will undoubtedly erase your log files and other evidence that they were there. A more secure option would be to lock down who is able to SSH into your VPS by public IP address. This option depends on your VPS vendor but if they do provide this option, I highly recommend using it! Even if your original public IP address at home changes, you could always re-add your new one to the security list. Again, you’d rarely have to login directly to your VPS once everything is configured so this shouldn’t be too much of a hassle. Heck, you’d probably get away with disabling SSH access altogether so that no one, not even yourself, has the ability to SSH to the VPS! When you do need access, login to your vendor’s website and adjust the security rule to allow SSH from only your current public IP address.
So far, I’ve been enjoying my personal VPN server a lot. I’m getting way more consistent speeds and I don’t have to worry about my VPN service provider taking in more clients than server capacity can handle. Building your very own personal VPN server isn’t for everyone but as you can see, it’s really not that difficult. However, you must realize both the pros and cons before starting on this venture. Your personal VPN isn’t really going to solve the issue of anonymity (as far as this article goes) simply because we still had to give up some sort of personally identifiable information when purchasing our VPS. You could pay in crypto currency such as Bitcoin but do realize that your public IP still needs to make a connection to your VPS server and guess who can see which IP you’re connecting to? That’s right. Your ISP. While it’s hard for them to know what you’re doing within that VPN tunnel, they’ll still be able to tell where you’re connecting from and the VPN server address you’re connecting to. This isn’t normally a problem unless you live in China or some other location where VPN connection uses are heavily restricted by the government or if you’re actually doing something incredibly illegal as to raise a red flag with the government!
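As a complement to checking the admin page logs, the following added example (not from the original article) scans the SSH entries in an auth log for successful logins from addresses you don’t recognize and counts failed password attempts per source. It assumes Ubuntu’s /var/log/auth.log and OpenSSH’s standard message format; the function names, the sample log lines and the addresses in them are constructed for illustration.

```shell
#!/bin/sh
# Audit sshd entries in an auth log (on Ubuntu: /var/log/auth.log).

# Print "user ip" for every successful SSH login whose source address is not
# in the allow list. Usage: unexpected_logins LOGFILE "ip1 ip2 ..."
unexpected_logins() {
    awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        / sshd\[[0-9]+\]: Accepted / {
            # Use the LAST "from <ip> port" so an odd user name cannot shift it.
            k = 0
            for (i = 1; i + 2 <= NF; i++) if ($i == "from" && $(i + 2) == "port") k = i
            if (k && !($(k + 1) in ok)) print $(k - 1), $(k + 1)
        }' "$1"
}

# Print "count ip" for failed password attempts, busiest source first.
# Usage: failed_by_ip LOGFILE
failed_by_ip() {
    awk '
        / sshd\[[0-9]+\]: Failed password / {
            k = 0
            for (i = 1; i + 2 <= NF; i++) if ($i == "from" && $(i + 2) == "port") k = i
            if (k) c[$(k + 1)]++
        }
        END { for (ip in c) print c[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample log (documentation addresses), so this runs anywhere.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Dec 20 10:15:01 vps sshd[1201]: Accepted password for root from 203.0.113.5 port 51234 ssh2
Dec 20 11:02:44 vps sshd[1310]: Failed password for invalid user admin from 198.51.100.7 port 4022 ssh2
Dec 20 11:02:47 vps sshd[1310]: Failed password for invalid user admin from 198.51.100.7 port 4022 ssh2
Dec 20 11:02:51 vps sshd[1312]: Failed password for root from 198.51.100.7 port 4031 ssh2
Dec 20 12:30:09 vps sshd[1420]: Failed password for root from 192.0.2.44 port 60111 ssh2
Dec 21 03:12:30 vps sshd[2077]: Accepted password for root from 192.0.2.44 port 60200 ssh2
EOF

# 203.0.113.5 stands in for your own home address.
echo "Logins from unexpected addresses:"
unexpected_logins "$SAMPLE" "203.0.113.5"
echo "Failed password attempts by source:"
failed_by_ip "$SAMPLE"
```

On the VPS itself, point both functions at /var/log/auth.log and pass your own public IP address as the allow list.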