VPN companies advertise everywhere; there’s a reason they sponsor most tech YouTubers (they’ve even tried it with me). But you don’t need to buy an expensive plan to use a VPN.
Here’s how you can build your own:
Step 1: Set Up the Server
The simplest starting point is a Linux server you can log into over SSH. If you don’t have one, services like AWS, Google Cloud, or DigitalOcean offer free tiers you can use for this purpose.
ssh username@server_ip
Replace “username” with the actual username you use to log into your server.
Replace “server_ip” with the IP address of your server. If you are using a cloud service, look in the server dashboard.
Step 2: Install OpenVPN and Easy-RSA
OpenVPN is our free VPN software; it supports a range of ciphers and TLS-based authentication, which we will configure below. Let’s install it:
sudo apt update
sudo apt install openvpn
Install Easy-RSA, the tool we will use to run a small certificate authority (CA) for the server and clients:
sudo apt install easy-rsa
Step 3: Configuration
Generate the CA and the server’s certificate and key. The Debian package installs Easy-RSA under /usr/share/easy-rsa; copy it into /etc/openvpn so the PKI lives where the server configuration in Step 4 expects it:
sudo cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
sudo ./easyrsa init-pki
sudo ./easyrsa build-ca
sudo ./easyrsa gen-req server nopass
sudo ./easyrsa sign-req server server
During this process you will be asked to choose a passphrase for the CA key and to enter a name (the Common Name) for the CA and for the server; when signing, confirm with “yes” and enter the CA passphrase. Once signed, Easy-RSA reports that the certificate was created.
Now that the server certificate is set up, generate the Diffie-Hellman parameters used for the key exchange:
sudo openssl dhparam -out /etc/openvpn/dh.pem 2048
Now generate the tls-auth key, a shared HMAC key that hardens the control channel by letting the server drop packets that do not carry a valid signature before any TLS handshake takes place:
sudo openvpn --genkey secret /etc/openvpn/ta.key
Step 4: Server Configuration
Create a server configuration file /etc/openvpn/server.conf and add the following lines:
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0
data-ciphers AES-256-GCM:AES-128-GCM
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
The data-ciphers line matches the client configuration in Step 7, and keepalive lets both sides notice a dead tunnel. The pushed DNS line sends client DNS queries to Google’s resolver; change it if you prefer another resolver.
You can write files in the Linux terminal using Nano:
cd /etc/openvpn/
sudo nano server.conf
Paste the configuration lines above, then press CTRL + O, ENTER, then CTRL + X and the file will be saved.
Step 5: Enable IP Forwarding
Uncomment the following line in /etc/sysctl.conf to enable IP forwarding, so the server can route client traffic out to the internet:
net.ipv4.ip_forward=1
Activate the changes:
sudo sysctl -p
Step 6: Firewall Configuration
Configure the firewall to allow VPN traffic. Allow SSH before enabling ufw, otherwise you can lock yourself out of the server:
sudo ufw allow 1194/udp
sudo ufw allow OpenSSH
# Let VPN clients reach the internet: forward tun0 traffic out of the public interface
# (eth0 assumed here; check yours with `ip route`) and NAT it behind the server's address.
sudo ufw route allow in on tun0 out on eth0
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
sudo ufw enable
Without the route and MASQUERADE rules, clients connect but have no internet access once redirect-gateway is pushed. The iptables rule is not persistent across reboots; add it to /etc/ufw/before.rules to keep it.
Step 7: Client Configuration
Generate a client certificate and key, signed by the same CA:
cd /etc/openvpn/easy-rsa
sudo ./easyrsa gen-req client nopass
sudo ./easyrsa sign-req client client
During this process you will again be asked for a name; use “client” (or a name of your choice) as the Common Name. When prompted to sign, type ‘yes’ and enter the CA passphrase you chose in Step 3.
Lastly, create a client configuration file named client.ovpn in /etc/openvpn/. The ca, cert and key lines tell the client which certificate to present and which CA to trust; remote-cert-tls server rejects any peer whose certificate was not issued as a server, and tls-auth with direction 1 is the client side of the HMAC key from Step 3:
client
dev tun
proto udp
remote your_server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
key-direction 1
remote-cert-tls server
tls-auth ta.key 1
data-ciphers AES-256-GCM:AES-128-GCM
verb 3
Replace your_server_ip with the server’s public IP address. Copy client.ovpn together with pki/ca.crt, pki/issued/client.crt, pki/private/client.key and /etc/openvpn/ta.key to your local machine, into the same directory, since the configuration refers to them by bare file name.
Step 8: Connecting to the VPN
Use OpenVPN on your local machine to connect to your VPN server:
sudo openvpn --config client.ovpn
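Carrying four separate files around is error-prone, so OpenVPN also accepts the CA, certificate, key and tls-auth key inline in one profile. The script below, an added example that is not part of the original post, builds such a single-file profile from the pieces copied down in Step 7 and refuses to produce one that lacks the directives this tutorial relies on; the file names and the placeholder PEM content in demo() are constructed assumptions.

```shell
#!/bin/sh
# Added example: bundle the client-side files into one .ovpn and sanity-check it.
# Assumes client.ovpn, ca.crt, client.crt, client.key and ta.key from Step 7.

# Print an inline profile to stdout: file-based ca/cert/key/tls-auth directives
# are dropped and replaced by <ca>, <cert>, <key> and <tls-auth> blocks.
make_inline_ovpn() {
    base="$1"; ca="$2"; cert="$3"; key="$4"; ta="$5"
    grep -Ev '^(ca|cert|key|tls-auth)[[:space:]]' "$base"
    # key-direction 1 is the client side of the tls-auth key when it is inlined.
    grep -q '^key-direction' "$base" || echo "key-direction 1"
    for pair in "ca=$ca" "cert=$cert" "key=$key" "tls-auth=$ta"; do
        tag="${pair%%=*}"; file="${pair#*=}"
        printf '<%s>\n' "$tag"; cat "$file"; printf '</%s>\n' "$tag"
    done
}

# Reject profiles that could connect to an impostor server (no remote-cert-tls)
# or skip the control-channel HMAC the tutorial sets up (no tls-auth).
check_profile() {
    grep -q '^remote-cert-tls server' "$1" || { echo "missing remote-cert-tls server" >&2; return 1; }
    grep -q '^<tls-auth>' "$1"          || { echo "missing inline tls-auth block" >&2; return 1; }
    grep -q '^<cert>' "$1"              || { echo "missing client certificate" >&2; return 1; }
    grep -q '^<key>' "$1"               || { echo "missing client key" >&2; return 1; }
    grep -Eq '^remote [^ ]+ [0-9]+' "$1" || { echo "missing remote host/port" >&2; return 1; }
}

# Constructed demo data so this runs offline; real PEM files replace the placeholders.
# Prints the path of the generated inline profile on success.
demo() {
    d=$(mktemp -d)
    printf 'client\ndev tun\nproto udp\nremote your_server_ip 1194\nresolv-retry infinite\nnobind\nca ca.crt\ncert client.crt\nkey client.key\nkey-direction 1\nremote-cert-tls server\ntls-auth ta.key 1\nverb 3\n' > "$d/client.ovpn"
    for f in ca.crt client.crt client.key ta.key; do
        printf '%s\n' "-----BEGIN PLACEHOLDER $f-----" > "$d/$f"
    done
    make_inline_ovpn "$d/client.ovpn" "$d/ca.crt" "$d/client.crt" \
        "$d/client.key" "$d/ta.key" > "$d/client-inline.ovpn"
    check_profile "$d/client-inline.ovpn" && echo "$d/client-inline.ovpn"
}
```

Run `make_inline_ovpn client.ovpn ca.crt client.crt client.key ta.key > client-inline.ovpn` on the real files, then `check_profile client-inline.ovpn` before importing the profile into an OpenVPN client.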
Top comments (26)
Hello, good post!
Don't hesitate to put colors on your codeblock, like this example, to have a better understanding of your code 😎
It's Linux commands not code so there aren't many colours but I've made the changes, thanks for the heads-up.
Maybe with the bash language it can work!
Yes, it is bash
Not to sound harsh in my comment, but I feel the need to state some important points on why it’s not free:
vps/cloud servers have a cost
and bandwidth costs even more
maintenance has a cost in terms of time
Other notes:
For sure, I just want to show alternatives to paid options in cybersecurity so it can become more accessible. You will need to do more than this to have your own VPN, but just buying a VPN isn't the only option.
Sorry to insist, but this isn't a reliable alternative because:
it gives a false sense of security, especially to people who haven't enough knowledge/experience about cybersecurity basic concepts, other than how cloud services work. For example:
it might generate high billings if someone thinks bandwidth is coming for free
user might get banned from a cloud platform for abusing/misusing their services: imagine getting banned from AWS, GCP or Azure, where you already have some services running for your business
the server where the VPN software is running isn't updated properly/regularly, resulting in potential data breaches
I'm sure you meant something more coherent, but these two sentences are contradicting each other:
I admire the purpose of your article, but I also think that certain knowledge should be spread with more depth. Security can't be improvised.
I don't think you can get banned from AWS etc. by making and testing your own VPN. My intention is not to use this in an enterprise setting and more of a small project at home using your own hardware.
For sure buying is the only option if you don't know what you are doing but if you can learn then it isn't. If you're testing something out as a base for something better then you can improvise through testing until you know it works.
You can be banned. Every platform has policies about how you are going to use their services, bandwidth is included.
What you said can't be confirmed by a title that says:
Building Your Own VPN for Free
and a body where there isn't any kind of disclaimer about this other than claiming that you can build a VPN for free without the need to buy a professional one.
This somewhat contradicts the main pillars of a VPN, which is basically a way to create a tunnel connection between hosts and/or networks which aren't physically on the same spot (hence the name).
I hope you're aware that the contents of this post are almost the same as what you can find on the main OpenVPN website (or blogs around the web) since 2004. It's ok to repost, but in 2023 the expectations about content quality for old stuff should be a must.
Can you write code instead?
I appreciated your post. Straight to the point!
However, you should be careful with your statement, IMHO. Building and maintaining your own VPN services can be risky.
You don't get better security or privacy if you don't know what you're doing.
Because your tutorial seems to target beginners and has tags like cybersecurity, I would recommend some disclaimers or warnings about the potential dangers, especially if you plan to make sensitive operations.
It's easy to misconfigure your tunnel and expose your data.
I think the biggest warning this post needs is that if you're intending to use your personal VPN for anything other than trivial traffic, and you're using a cloud VPS, you're going to run up huge bills for bandwidth.
Instead of being "free", this will cost you roughly the same per month for the VPS as one of those YouTube-spamming VPNs cost, and many times that in additional bandwidth.
It's fine for setting up between, say, your home and a friend's home though. In fact, it's a perfect fit for that job.
Needs more in-depth explanation why and where you scraped the configuration setup. Also I don't think that Cloud Services will let you not pay for using bandwidth you suddenly request. Can be very expensive 🫰
Sources???
Any thoughts on scripting it?
you can check for openvpn-install
I think it's a bad idea to run code from the Internet like that. It's far too easy for a malicious poster to add a helpful comment and get people to run bad code on their machines.
Really cool post!
Nice article.
Is this any better than using the server as a SOCKS proxy?
Neat
How do you start VIP and what is the movie Andrew