Self-hosted [OpenSource] VPN server, How to DIY and Why

Alireza Mortazavi
10 min read, Aug 12, 2021


Everyone says that you should get a VPN for better privacy and security, and they suggest a VPN provider that is very reliable and has tons of users. You pay a couple of bucks each month and you can rest assured that you are browsing the internet more safely, but is that really as it is advertised?

I mean, when a lot of users prefer some specific VPN providers, aren’t those providers tempted to collect your data and track you? Is a noisy network what you were looking for? Not to mention the possible security vulnerabilities.

What if you create your own VPN? Is a self-hosted VPN really a better solution? How hard is it to implement and maintain it?

Well, in this tech debate, we are going to answer a lot of questions about VPNs, proxies and private VPN servers.

Why do you need a VPN?

This could be a whole separate article, but in short, a VPN makes cyber snooping more challenging when you are using a public network with nodes that you don’t trust, such as when you are travelling or using your laptop or phone in a coffee shop or hotel. There are other benefits, like avoiding censorship or accessing region-blocked services.

Can you use a VPN to do some shady things?

Well, not really. VPN and server providers usually record IP addresses and other information about your devices and the software you are using, and when you pay for a service, you give them even more information about yourself.

So you had better be careful. Some countries don’t even allow you to use a VPN; it is considered illegal there.

What are the disadvantages of public VPN providers?

With a virtual private network, you can easily browse the internet without having to worry about the monitoring, tracking and restrictions imposed by the government, your ISP, your company or other third parties. But there are some disadvantages for sure.

Your VPN service provider might monitor your activity and use your data, especially the free services, which allow you to use their private servers in exchange for your data.

You might have performance issues, because the bandwidth is shared with other users. The quality of the VPN infrastructure and of the software is another concern.

You share the IP address with other users, so you may see weird ads or search suggestions that are not based on your activity. Sometimes other VPN users send spam emails from that shared IP, which results in the IP being blacklisted across the internet. Some websites and apps may even block registration and logins from your IP because of the activity of other users.

The VPN provider might not run the most recent and stable software with known bugs fixed, which can lead to security vulnerabilities. Misconfiguration and a lack of security software and firewall rulesets can let shady users scan the nodes in the network for possible security holes and open ports.

Is a self-hosted VPN a better choice?

Surely, it has some benefits. You have the whole server to yourself, and the whole bandwidth. The network is not noisy, the IP address is yours, and you control the whole thing, including the users: you can create accounts for your family, colleagues or friends if you want to. But you have to know a few basic things about computer networks, servers, Linux and hosting companies.

If you want to set it up yourself, you have to know how to do it, or you should know someone who can do it for you or your business. Maintaining the server is also important: you have to apply updates to the OS itself and to the software packages that you are using.

It can also lower your costs in the long run, because nowadays you can get a cheap cloud server or VPS. With Linux, you don’t need a beefy server for a private VPN server that has only a few users.

You can use a VPN to access your home lab server or NAS from a domain or subdomain if your system is behind a CGNAT. You can bypass that NAT using a VPN and some port forwarding or a reverse proxy. We’ve talked about it in another video about Starlink; if you are interested, you can watch that too.

Enough about the pros and cons; let’s see how you can do it yourself. This is not an in-depth tutorial. There are already a lot of instructions on the internet; I am just going to show you the overall process and the software and hardware choices, and mention the challenges.

In the end, I hope you have a better understanding of the process and this can help you make better decisions.

How to do it

You need a server: a virtual private server or a cloud server. You can order one from DigitalOcean, VULTR, IONOS or any other provider that you like. If you are in Europe or want an IP address in that region, you can choose OVH, Hetzner or Scaleway. As I said, you don’t need a fancy server. A $5 droplet from DigitalOcean will do the job.

Where should your server be located? It depends on your geographical location, the sites that you visit most often and the amount that you wish to pay for your server. If you are in Canada, for example, iWeb will offer lower latency. If you are in East Asia, you had better find a provider in Hong Kong. You can ping the servers or download a test file to see the speeds.

If you have a home lab server with a stable internet connection and a static IP address, you can use that too. You just need to spin up a virtual machine or dedicate the whole box to this purpose. Some people even use a Raspberry Pi. It’s cheap and it works.

Software choices

The OS depends on the VPN server software that you want to use. We will introduce some of the reliable and popular options in this video. Most of them run on Linux, so you have to pick the best OS for your software based on its requirements and your preference.

In the past, a lot of users preferred CentOS, but nowadays it’s a no-go, because it’s no longer an LTS distro for stable workloads. You can watch another video about this. If stability is an important factor for your business, you can use Debian or Ubuntu Server.

Some firewalls like pfSense also have VPN server packages that you can install and set up. In that case, you don’t need to install a Linux distro first; you can use the pfSense ISO to install it directly.

After installing and setting up the desired OS, you have to install the software package and configure it. Usually you also have to configure the firewall to open the port that you assign to the VPN.

Even without installing any packages, you can use an SSH connection to the server to tunnel your traffic through it. You just set up a SOCKS proxy and apply it system-wide or in your browser. The instructions differ depending on the SSH client software that you are using; a quick search will find a tutorial. On Windows, a lot of people use Bitvise SSH Client. You just need to enable the SOCKS proxy before connecting to the server.

On Linux desktops, it can be done with a single command. This method is very simple and effective, but it’s not very useful for your mobile or tablet, and some apps don’t work well with a SOCKS proxy. You are better off installing a full-featured VPN server and using VPN client software locally.
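The Linux "single command" is `ssh -D`. The script below is an added example, not code from the original post; it wraps that command with the options that matter from a security standpoint (bind the SOCKS listener to loopback only, fail instead of silently running without the forward, resolve DNS on the far side) and checks the result. It assumes you can already log in with an SSH key as `vpnuser` on `vpn.example.com` (both placeholders) and that `ssh` and `curl` are installed.

```shell
#!/bin/sh
# Added example, not from the original post: an SSH SOCKS proxy on a Linux
# desktop, with the flags that keep it from silently failing or becoming an
# open proxy. Assumes you can already log in with an SSH key as "vpnuser"
# on "vpn.example.com" (both placeholders) and that ssh and curl are installed.

# True (exit 0) only for a numeric, unprivileged TCP port 1024-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Argument list for a dynamic (SOCKS) forward. $1 = local port, $2 = user@host.
#   -D 127.0.0.1:PORT          listen on loopback only; "-D PORT" alone follows
#                              the GatewayPorts setting, so be explicit and
#                              never hand the LAN an open proxy
#   -N                         no remote shell, forwarding only
#   -f                         background once authenticated
#   -C                         compress
#   ExitOnForwardFailure=yes   die if the forward cannot be set up, rather
#                              than leaving a session that proxies nothing
#   ServerAliveInterval=30     notice a dead tunnel instead of hanging forever
socks_ssh_args() {
    printf '%s' "-D 127.0.0.1:$1 -N -f -C -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 $2"
}

# Validate the port, then start the tunnel. $1 = local port, $2 = user@host.
start_socks() {
    valid_port "$1" || { echo "invalid port: $1" >&2; return 1; }
    # Word splitting of the argument string is intentional here.
    ssh $(socks_ssh_args "$1" "$2")
}

# Confirm traffic leaves via the server. --socks5-hostname makes the remote
# end resolve names too, so DNS lookups do not leak to the local resolver
# (plain --socks5 would resolve locally). Prints the egress IP.
check_egress() {
    curl --silent --max-time 10 --socks5-hostname "127.0.0.1:$1" https://ifconfig.me
    echo
}

# Usage: sh socks.sh up [port] [user@host]
if [ "${1:-}" = "up" ]; then
    port="${2:-1080}"
    start_socks "$port" "${3:-vpnuser@vpn.example.com}" && check_egress "$port"
fi
```

Once the tunnel is up, point Firefox at SOCKS5 `127.0.0.1:1080` with "Proxy DNS when using SOCKS v5" ticked, or export `all_proxy=socks5h://127.0.0.1:1080` for curl-based tools; the `h` in `socks5h` is the same remote-DNS behaviour as `--socks5-hostname`. Apps that ignore proxy settings still go out directly, which is the limitation the text describes.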

VPN servers for Linux

What defines a good VPN server?

  • Having multi-platform and reliable client software
  • Strong encryption algorithms
  • Ease of installation and configuration, good tutorials and documentation
  • Being open source and auditable for security vulnerabilities
  • High performance

Based on these criteria, we are going to introduce four popular VPN servers. Nowadays, protocols like PPTP, L2TP and IPsec are all considered insecure and vulnerable, so you have to use modern VPN tools.

OpenVPN

OpenVPN is both an open-source VPN protocol and VPN software that lets people run secured VPN connections. The OpenVPN protocol is very secure, really stable, and it works on multiple platforms. Most security experts recommend always using OpenVPN for anything you do online, especially since it’s such a transparent option, being open source and audited.

It uses the OpenSSL library and offers 256-bit encryption. OpenVPN uses TLS/SSL to secure data at the transport level. You can use UDP or TCP based on your preference; UDP connections are usually faster, while TCP is more reliable.

OpenVPN runs on a large number of platforms like Windows, macOS, iOS, Android, Linux, routers, FreeBSD, OpenBSD, NetBSD, and even Solaris.

Manually setting up OpenVPN can be rather difficult on some platforms, but fortunately there are a lot of in-depth tutorials and also some scripts to automate the installation and configuration.

These scripts let you customize the options before installing the required packages.

DigitalOcean also offers an OpenVPN droplet which you can create with a few clicks. The OpenVPN server is preinstalled in this image, and you can configure it easily once it’s booted. This option is better suited to users who are not techies. The quick-start guide and FAQ can help you further.

If you need a $100, 60-day credit from DigitalOcean to test the droplets, you can use the link in the description.

WireGuard

WireGuard uses modern, fixed algorithms like AES-256. WireGuard is more lightweight than OpenVPN and claims to be faster and more efficient. Despite how “young” the WireGuard protocol is, it has been quickly adopted by users, and it even caught the attention of main Linux developer Linus Torvalds, who called it a “work of art”; it was eventually included in the Linux kernel 5.6 tree.

WireGuard supports modern ciphers like ChaCha20 and Poly1305. It only works over UDP and doesn’t officially support TCP (though there are workarounds).

If you use Linux, setting up WireGuard is simple. There are also some installer scripts that help you install it really quickly.

The protocol has performance improvements that can lower battery consumption and improve roaming support on mobile devices. WireGuard is pretty easy to set up — both on Linux and other platforms like Windows, macOS, iOS, Android and more.
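To make "setting up WireGuard is simple" concrete, here is an added example (my own script, not the WireGuard project's code or an installer script from the text) that renders a minimal server config and one road-warrior peer config, then performs the host-side steps from the "How to do it" section: enable forwarding, open the UDP port on the firewall, and start the interface. Everything in it is a placeholder assumption: server public IP `203.0.113.10`, port `51820`, tunnel subnet `10.8.0.0/24` with the server at `10.8.0.1`, egress NIC `eth0`, and a peer named `laptop`. Real keys come from `wg genkey`; the rendering functions only check that a key has the right shape.

```shell
#!/bin/sh
# Added example, not the WireGuard project's own code: render a minimal
# WireGuard server config plus one road-warrior peer config, and run the
# host-side steps (forwarding, firewall port, service) on the server.
# Assumed placeholders: server public IP 203.0.113.10, UDP port 51820,
# tunnel subnet 10.8.0.0/24 with the server at 10.8.0.1, egress NIC eth0.

WG_IF=wg0
WG_PORT=51820
WG_NET=10.8.0.0/24
SERVER_PUBLIC_IP=203.0.113.10
EGRESS_IF=eth0

# A WireGuard key is 32 random bytes in base64: 43 characters plus one "="
# of padding. Catches truncated or mis-pasted keys before wg-quick rejects
# the whole file at boot.
valid_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Server-side [Interface]. $1 = server private key.
# The MASQUERADE rule is what lets peers reach the internet via the server;
# PostDown removes it again so a stopped tunnel leaves no stray NAT rule.
server_interface() {
    valid_wg_key "$1" || return 1
    cat <<EOF
[Interface]
Address = 10.8.0.1/24
ListenPort = $WG_PORT
PrivateKey = $1
PostUp = iptables -t nat -A POSTROUTING -s $WG_NET -o $EGRESS_IF -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s $WG_NET -o $EGRESS_IF -j MASQUERADE
EOF
}

# Server-side [Peer]. $1 = peer public key, $2 = peer tunnel IP, $3 = label.
# AllowedIPs is a /32 on purpose: the server accepts packets from this key
# only with that one source address, so a leaked client key cannot be used
# to spoof another peer's tunnel address.
server_peer() {
    valid_wg_key "$1" || return 1
    cat <<EOF

[Peer]
# $3
PublicKey = $1
AllowedIPs = $2/32
EOF
}

# Client config. $1 = client private key, $2 = client tunnel IP,
# $3 = server public key. "AllowedIPs = 0.0.0.0/0, ::/0" routes everything
# through the tunnel (full-tunnel); narrow it to $WG_NET for split-tunnel
# access to just the server's network. PersistentKeepalive keeps NAT
# mappings alive for a client that sits behind a home router.
client_config() {
    valid_wg_key "$1" && valid_wg_key "$3" || return 1
    cat <<EOF
[Interface]
Address = $2/24
PrivateKey = $1

[Peer]
PublicKey = $3
Endpoint = $SERVER_PUBLIC_IP:$WG_PORT
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# Host-side steps, run as root on the server: sh wg-setup.sh install
if [ "${1:-}" = "install" ]; then
    umask 077   # key files must not be world-readable
    mkdir -p /etc/wireguard
    wg genkey | tee /etc/wireguard/server.key | wg pubkey > /etc/wireguard/server.pub
    wg genkey | tee /etc/wireguard/laptop.key | wg pubkey > /etc/wireguard/laptop.pub
    {
        server_interface "$(cat /etc/wireguard/server.key)"
        server_peer "$(cat /etc/wireguard/laptop.pub)" 10.8.0.2 laptop
    } > "/etc/wireguard/$WG_IF.conf"
    client_config "$(cat /etc/wireguard/laptop.key)" 10.8.0.2 \
        "$(cat /etc/wireguard/server.pub)" > /etc/wireguard/laptop.conf
    sysctl -w net.ipv4.ip_forward=1      # also persist it under /etc/sysctl.d/
    ufw allow "$WG_PORT/udp"             # the firewall port the text mentions
    systemctl enable --now "wg-quick@$WG_IF"
fi
```

Copy `laptop.conf` to the client over a channel you trust (it contains the client's private key), bring it up with `wg-quick up ./laptop.conf`, and confirm with `wg show` on either side that a handshake has occurred. Adding a second peer means another `server_peer` block with its own key and its own `/32`; the per-peer `AllowedIPs` is the server's only notion of "who is who", so never give two peers the same address.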

OpenConnect

OpenConnect is an open-source software application for connecting to virtual private networks.

It was originally written as an open-source replacement for Cisco’s AnyConnect SSL VPN client, which is supported by Cisco routers. The OpenConnect client later added support for Juniper Networks’ SSL VPN and Palo Alto Networks’ GlobalProtect VPN.

The OpenConnect project also offers an AnyConnect-compatible server, ocserv, and thus a full client-server VPN solution. OpenConnect and ocserv now implement an extended version of the AnyConnect VPN protocol, which has been proposed as an Internet Standard. Both strive to maintain backwards compatibility with Cisco AnyConnect servers and clients.

Modern versions of OpenConnect can be built to use either GnuTLS or OpenSSL for TLS and DTLS.

So, you can use either Cisco AnyConnect or the OpenConnect client itself to connect to ocserv.

There are some in-depth tutorials on how to install it on Linux. The cool thing is that it can co-exist on port 443 alongside your web server, Apache or Nginx.

SoftEther

The SoftEther VPN Project develops and distributes SoftEther VPN, an open-source, free, cross-platform, multi-protocol VPN program, as an academic project of the University of Tsukuba.

The SoftEther VPN protocol is responsible for securing communications between the VPN client and the VPN server.

SoftEther is powerful and easy-to-use multi-protocol VPN software. It runs on Windows, Linux, macOS, FreeBSD and Solaris. You can use SoftEther for any personal or commercial use, free of charge.

The protocol is designed to prevent man-in-the-middle attacks.

The encryption, decryption, and authentication processes of SoftEther VPN are based on OpenSSL — a well-known open-source software library.

There are some tutorials on the DigitalOcean community site that teach you how to install it on a droplet.

pfSense

pfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi-WAN and more. You can install and configure it on your server and then install the VPN server packages. It can also be installed in a virtualized environment.

It lets you configure an OpenVPN or WireGuard server from its GUI.

The OpenVPN wizard is a convenient way to set up a remote-access VPN for mobile clients. It configures everything necessary for an OpenVPN remote access server.

In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system, allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution.

Conclusion

Public VPNs aren’t a waste of money, but they have cons of their own. You can self-host a VPN server yourself; it’s harder to implement and maintain, especially if you are not a tech-savvy user, but once implemented, it can solve a lot of the issues that you might have with a public VPN. You are still not 100% anonymous with a self-hosted VPN, and they have difficulties of their own. You have to weigh whether it’s the right solution for you or your business.

Better privacy, security, speed and latency always come at a price!

That’s it for now. Let us know in the comments what kind of VPN server you are using. Don’t forget to subscribe to our YouTube channel for more tech debates like this one.
