How to roll your own VPN



With free open source OpenVPN and a low-cost VPS, you can have a secure connection from any location

If you need to encrypt traffic from your computer or mobile device, you have many options. You could buy a commercial VPN solution, or you could sign up for a VPN service and pay a monthly fee. Or for less money, you could create your own VPN and gain the use of a Linux VPS (Virtual Private Server) anywhere in the world. This roll-your-own option is made possible through the use of the open source OpenVPN project, Linux, and a few open source client-side applications.

The VPS-based setup described here is designed to encrypt all the traffic from your laptop, desktop, or mobile phone to your VPN server, which then decrypts that traffic and passes it on to its destination. This can be very useful if you're using the Internet from a coffee shop, a hotel, or a conference and you do not trust the network.


Putting this VPN together is generally the work of only a few minutes, and it requires minimal Linux command-line skills. The only tools you'll need are an SSH client and a VPS.

You can purchase a VPS on a monthly, quarterly, or yearly basis from any number of service providers. Some larger services offer VPS services in several different countries and allow you to choose where your server will run. In most cases, it's best to find a VPS that's located close to where you intend to generate the most traffic; the further away you are, the higher the tunnel latency will be, and the connection may be slower than you'd like. However, if you want your Internet traffic to appear to originate from Switzerland while you connect from New York or Los Angeles, you can do that as well.

OpenVPN server configuration
The first thing to do is install OpenVPN:

root@localhost:~# apt-get install openvpn

The apt-get command locates and downloads the OpenVPN package and all the necessary dependencies for you. Once installation is complete, we're ready to start configuring our server. We can use scripts included with OpenVPN to create our certificates. Let's start by copying these scripts to a new folder:

root@localhost:~# cp -pr /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa

Now, let's move into that directory and start configuring the scripts:

We also need to copy some files to our client machine. You can use WinSCP to do this on Windows, the scp command on Linux, or Cyberduck on Mac OS X. Start up your SCP client, connect to the server using the IP address and root credentials you used for the SSH session, and copy these files to your client system:


These will be used to connect to your VPN server.

Now, we need to create our OpenVPN configuration file. We move to the /etc/openvpn directory, and create a new file (with Nano):

root@localhost:/etc/openvpn/easy-rsa/keys# cd /etc/openvpn
root@localhost:/etc/openvpn # nano vpnserver.conf

OpenVPN client configuration
Now we need to configure a client. The server setup above allows a client to connect as long as it presents the proper certificate (remote1.crt). This does not require a username or password, unless you chose to enter a password when creating the certificate. However, even if the server does not require a password, you can still choose to require a username and password to connect from your client, and this can be configured with or without a client certificate requirement.

The most secure of these methods would be to require a username and password in addition to the client certificate; we will detail the steps to do that later on. If you prefer to require usernames and passwords, you may want to read the steps near the end before continuing; it may save you some time.

For now, we'll configure a client to use only the client certificate.

On your client system, you will need to create an OpenVPN configuration file that you can then import into your VPN client. You can use a simple text editor. You should name it myvpn.ovpn or something similar, and make sure that the file is saved as plain text and the extension is .ovpn.

remote <your server's public IP address goes here>
port 10000
proto udp
dev tun
resolv-retry infinite
ns-cert-type server
verb 3
ca ./ca.crt
cert ./remote1.crt
key ./remote1.key
ping 10
ping-restart 60
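An added sanity check for a profile like the one above (example code written for this article, not part of OpenVPN or the original text): it parses a .ovpn file, confirms the directives the article relies on are present, insists that the server's certificate is verified as a server certificate (the ns-cert-type server line above, or remote-cert-tls server, its replacement in current OpenVPN releases), and reports whether auth-user-pass is set for the username-and-password variant the article discusses. The sample profile and the 203.0.113.10 address are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the article: check a client .ovpn before importing it.
# Assumes the article's file-based layout (ca/cert/key point at files, not
# inline <ca> blocks).

# Print the first argument of directive $2 in file $1, ignoring comment lines.
ovpn_get() {
  awk -v d="$2" '$1 !~ /^[#;]/ && $1 == d { print $2; exit }' "$1"
}

# Return 0 when the profile passes, 1 otherwise; problems are listed on stderr.
check_ovpn() {
  f=$1; rc=0
  for d in remote dev proto ca cert key; do
    [ -n "$(ovpn_get "$f" "$d")" ] || { echo "missing directive: $d" >&2; rc=1; }
  done
  # Without one of these, any holder of a client certificate from the same CA
  # could pose as the server, because the client would accept its certificate.
  if [ "$(ovpn_get "$f" ns-cert-type)" != server ] && \
     [ "$(ovpn_get "$f" remote-cert-tls)" != server ]; then
    echo "server identity is not verified: add 'remote-cert-tls server'" >&2
    rc=1
  fi
  [ "$(ovpn_get "$f" proto)" = udp ] || [ "$(ovpn_get "$f" proto)" = tcp ] || \
    { echo "proto must be udp or tcp" >&2; rc=1; }
  return $rc
}

# Does the profile also prompt for a username and password? 0 = yes, 1 = no.
ovpn_uses_password() {
  awk '$1 !~ /^[#;]/ && $1 == "auth-user-pass" { found=1 } END { exit found ? 0 : 1 }' "$1"
}

# Constructed sample profile mirroring the article's client configuration.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
remote 203.0.113.10
port 10000
proto udp
dev tun
ns-cert-type server
ca ./ca.crt
cert ./remote1.crt
key ./remote1.key
EOF
check_ovpn "$SAMPLE" && echo "OK: $SAMPLE"
```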

Mobile clients. You can download the official OpenVPN client for your iPhone, iPad, or Android device, or you can use a third-party app. You will need to copy the certificates, key, and configuration files to your mobile device and import them into the client in a similar manner to the Windows and Mac client setups.

Adding username and password authentication
Our current OpenVPN server configuration allows multiple clients to use the same certificate to authenticate to the server. Thus, you can install a client on any system, copy those files over, and connect to your VPN. However, you may want to add extra security by requiring a username and password every time anyone tries to connect to the VPN. We can do that by changing a few configuration lines in the server and client configuration files, and adding users to our VPS.

First, we need to modify the server's configuration. In our SSH session, we need to edit the /etc/openvpn/vpnserver.conf file:

root@localhost:/etc/openvpn/easy-rsa/keys# cd /etc/openvpn
root@localhost:/etc/openvpn # nano vpnserver.conf

Then we need to add the following line to the file. The placement doesn't matter, but you might want to add it after the client-to-client line:
