Self-hosted [OpenSource] VPN server, How to DIY and Why

Everyone says you should get a VPN for better privacy and security, and they suggest a VPN provider that is very reliable and has tons of users. You pay a couple of bucks each month and can rest assured that you are browsing the internet more safely, but is it really as advertised?

I mean, when a lot of users prefer a few specific VPN providers, aren’t those providers tempted to collect your data and track you? Is a noisy network what you were looking for? Not to mention the possible security vulnerabilities.

What if you create your own VPN? Is a self-hosted VPN really a better solution? How hard is it to implement and maintain it?

Well, in this tech debate we are going to answer a lot of questions about VPNs, proxies and private VPN servers.

Why do you need a VPN?

Can you use a VPN to do some shady things?

So you had better be careful. Some countries don’t even allow you to use a VPN; there it is considered illegal.

What are the disadvantages of public VPN providers?

Your VPN service provider might monitor your activity and use your data, especially the free services, which let you use their servers in exchange for your data.

You might have performance issues, because the bandwidth is shared with other users. The quality of the VPN infrastructure and of the software is another factor.

You share the IP address with other users, so you may see weird ads or search suggestions that are not based on your activity. Sometimes other VPN users send spam emails from that shared IP, which results in the IP being blacklisted across the internet. Some websites and apps may even block registration and logins from your IP because of the activity of other users.

The VPN provider might not be running the most recent, stable software with known bugs fixed, which can leave security vulnerabilities open. Misconfiguration and a lack of security software and firewall rulesets can let shady users scan the nodes in the network for security holes and open ports.

Is a self-hosted VPN a better choice?

If you want to set it up yourself, you have to know how to do it, or you should know someone who can do it for you or your business. Maintaining the server is also important: you have to apply updates, both to the OS itself and to the software packages you are using.

It can also lower your costs in the long run, because nowadays you can get a cheap cloud server or VPS. With Linux, you don’t need a beefy server for a private VPN server that has only a few users.

You can use a VPN to reach your home lab server or NAS via a domain or subdomain if your system is behind CGNAT. You can bypass that NAT with a VPN plus some port forwarding or a reverse proxy. We’ve talked about this in another video, about Starlink; if you are interested, you can watch that too.

Enough about the pros and cons; let’s see how you can do it yourself. This is not an in-depth tutorial, since there are already a lot of instructions on the internet. I am just going to show you the overall process, the software and hardware choices, and the challenges.

In the end, I hope you have a better understanding of the process, which can help you make better decisions.

How to do it

Where should your server be located? It depends on your geographical location, the sites you visit most often and how much you are willing to pay for the server. If you are in Canada, for example, iWeb will offer lower latency. If you are in East Asia, you had better find a provider in Hong Kong. You can ping the servers or download a test file to compare speeds.
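As an added example (not part of the original article): a small POSIX shell script that pings each candidate server location, extracts the average round-trip time from the ping summary, prints the candidates sorted from lowest to highest latency, and optionally times a test-file download with curl. The hostnames in the usage line are constructed placeholders, not real provider endpoints.

```shell
#!/bin/sh
# Added example, not from the original article: rank candidate server
# locations by average ping RTT, and optionally time a test-file download.
# Hostnames passed on the command line are your own candidates.

# Read `ping` output on stdin and print the average RTT in ms, or
# "unreachable" if the summary line is missing (host down, ICMP blocked).
# Matches both Linux iputils ("rtt min/avg/max/mdev = a/b/c/d ms") and
# BSD/macOS ("round-trip min/avg/max/stddev = a/b/c/d ms") formats.
avg_rtt() {
  rtt=$(sed -n 's#.*min/avg/max[^=]*= *[0-9.]*/\([0-9.]*\)/.*#\1#p')
  printf '%s\n' "${rtt:-unreachable}"
}

# Ping every host given as an argument PING_COUNT times (default 5) and
# print "<avg_ms> <host>" lines, lowest latency first. Unreachable hosts
# get a sentinel of 999999 so they sort last.
rank_hosts() {
  count="${PING_COUNT:-5}"
  for host in "$@"; do
    rtt=$(ping -c "$count" -q "$host" 2>/dev/null | avg_rtt)
    [ "$rtt" = unreachable ] && rtt=999999
    printf '%s %s\n' "$rtt" "$host"
  done | sort -n
}

# Download a test file to /dev/null and report the average throughput in
# MB/s; pass the provider's published test-file URL as the argument.
download_speed() {
  bytes_per_sec=$(curl -sS -o /dev/null -w '%{speed_download}' "$1") || return 1
  awk -v b="$bytes_per_sec" 'BEGIN { printf "%.2f MB/s\n", b / 1000000 }'
}

# Usage: sh vps-latency.sh host1 host2 ...   (with no hosts, nothing runs)
# Set TEST_FILE_URL to a provider's speed-test file to also measure throughput.
if [ "$#" -gt 0 ]; then
  echo "average RTT (ms) per candidate, best first:"
  rank_hosts "$@"
  if [ -n "${TEST_FILE_URL:-}" ]; then download_speed "$TEST_FILE_URL"; fi
fi
```

Run it from the place you will actually be connecting from, since latency to a data centre depends on your own ISP's routing, not only on distance; a few runs at different times of day give a more honest picture than a single ping.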

If you have a home lab server with a stable internet connection and a static IP address, you can use that too. You just need to fire up a virtual machine or dedicate the whole box to this purpose. Some people even use a Raspberry Pi; it’s cheap and it works.

Software choices

In the past, a lot of users preferred CentOS, but nowadays it’s a no-go, because it’s no longer an LTS distro for stable workloads. You can watch another video about this. If stability is an important factor for your business, you can use Debian or Ubuntu Server.

Some firewalls like pfSense also have VPN server packages that you can install and set up. In that case, you don’t need to install a Linux distro first; you can use the ISO image to install pfSense.

After installing the desired OS and setting it up, you have to install the software package and configure it. Usually you also have to configure the firewall to open the port you assign to the VPN.

Even without installing any packages, you can use an SSH connection to the server to tunnel your traffic through it. You just set up a SOCKS proxy and apply it system-wide or in your browser. The instructions differ depending on the SSH client software you are using; a quick search will find a tutorial. On Windows, a lot of people use Bitvise SSH Client; you just need to enable the SOCKS proxy before connecting to the server.

On Linux desktops, it can be done with a single command. This method is simple and effective, but it’s not very useful for your mobile or tablet, and some apps don’t work well with a SOCKS proxy. You are better off installing a full-featured VPN server and using VPN client software locally.
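The "single command" on a Linux desktop is `ssh -D`. As an added example (not code from the original article), the script below wraps it in a small helper that binds the SOCKS port to loopback only, makes curl resolve DNS through the tunnel rather than locally, and checks which egress IP the web sees. The host `vpn.example.com`, the user `alice` and port 1080 are assumed values.

```shell
#!/bin/sh
# Added example, not from the original article: run a local SOCKS5 proxy over
# SSH and push one request through it. "vpn.example.com", "alice" and port
# 1080 are assumed values; change them to match your own server.

SOCKS_PORT="${SOCKS_PORT:-1080}"

# Build the ssh command line.
#   -N  open no remote shell, only the tunnel
#   -D  bind a dynamic (SOCKS) port; 127.0.0.1 keeps LAN hosts from using it
#   -o ExitOnForwardFailure=yes  fail loudly if the local port is already taken
#   -o ServerAliveInterval=30    keep NAT mappings alive and detect dead links
socks_cmd() {
  user="$1"; host="$2"; port="${3:-$SOCKS_PORT}"
  printf 'ssh -N -D 127.0.0.1:%s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 %s@%s' \
    "$port" "$user" "$host"
}

# Send a request through the proxy. The socks5h scheme makes curl hand the
# hostname to the proxy, so DNS lookups also travel through the tunnel; plain
# socks5 would resolve names locally and leak them to your ISP's resolver.
curl_via_socks() {
  port="$1"; shift
  curl --silent --proxy "socks5h://127.0.0.1:${port}" "$@"
}

# Usage: sh socks-up.sh up   (does nothing when run without arguments)
if [ "${1:-}" = "up" ]; then
  $(socks_cmd alice vpn.example.com "$SOCKS_PORT") &
  ssh_pid=$!
  sleep 2
  # The egress address seen by the web should now be the server's, not yours.
  printf 'egress IP via tunnel: '
  curl_via_socks "$SOCKS_PORT" https://ifconfig.me; echo
  echo "tunnel running as pid $ssh_pid; stop it with: kill $ssh_pid"
fi
```

For a browser, point its SOCKS v5 setting at 127.0.0.1 and the same port and turn on "Proxy DNS when using SOCKS v5" (Firefox wording); without that option the browser resolves names locally, which is the same leak the `socks5h` scheme avoids in curl.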

The VPN servers for Linux: what to look for

  • A multi-platform and reliable client software
  • Strong encryption algorithms
  • Ease of installation and configuration, good tutorials and documentation
  • Being open source and auditable for security vulnerabilities
  • High performance

Based on these criteria, we are going to introduce four popular VPN servers. Nowadays, protocols like PPTP, L2TP and IPsec are all considered insecure and vulnerable, so you have to use modern VPN tools.

OpenVPN

It uses the OpenSSL library and offers 256-bit encryption. OpenVPN uses TLS/SSL to secure the data at the transport level. You can use UDP or TCP, based on your preference; UDP connections are usually faster, while TCP is more reliable.

OpenVPN runs on a large number of platforms like Windows, macOS, iOS, Android, Linux, routers, FreeBSD, OpenBSD, NetBSD, and even Solaris.

Manually setting up OpenVPN can be rather difficult on some platforms, but fortunately there are a lot of in-depth tutorials and also some scripts that automate the installation and configuration.

These scripts let you customize the options before installing the required packages.

DigitalOcean also offers an OpenVPN droplet that you can launch with a few clicks. The OpenVPN server is pre-installed in this image and you can configure it easily once it’s booted. This option is better suited to users who are not techies. The quick start guide and FAQ can help you further.

If you need a $100, 60-day credit from DigitalOcean to test the droplets, you can use the link in the description.

WireGuard

WireGuard uses modern ciphers like ChaCha20 and Poly1305. It only works over UDP and doesn’t officially support TCP (though there are workarounds).

If you use Linux, setting up WireGuard is simple. There are also some installer scripts that help you install it really quickly.

The protocol has performance improvements that can lower battery consumption and improve roaming support on mobile devices. WireGuard is pretty easy to set up, both on Linux and on other platforms like Windows, macOS, iOS, Android and more.
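To make "simple to set up" concrete, here is an added example (written for this page; it is not the WireGuard project's own tooling nor code from the original article) that renders a minimal server config and one client config, validates the key material, enables forwarding and NAT, and opens the UDP port in the firewall, which is the firewall step mentioned in the "How to do it" section. The subnet 10.8.0.0/24, UDP port 51820, egress interface eth0 and the hostname `vpn.example.com` are assumed values; the keys come from `wg genkey`, `wg pubkey` and `wg genpsk`.

```shell
#!/bin/sh
# Added example, not from the original article or the WireGuard project:
# generate a minimal WireGuard server config and a matching client config.
# Assumed values (override via the environment): subnet 10.8.0.0/24, UDP
# port 51820, egress interface eth0. The server hostname is an argument.

WG_PORT="${WG_PORT:-51820}"
WG_NET="${WG_NET:-10.8.0}"
EGRESS_IF="${EGRESS_IF:-eth0}"

# A WireGuard key is 32 bytes of base64: 43 characters plus one "=" pad.
# Checking this catches a truncated key, or a comment pasted in its place,
# before wg-quick fails with a less helpful error.
valid_key() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Server config: $1 server private key, $2 client public key, $3 preshared key.
# AllowedIPs on the server side is the single address this client may use as
# its source; PostUp enables forwarding and NAT so client traffic leaves via
# $EGRESS_IF, and PostDown removes those rules again.
server_conf() {
  valid_key "$1" && valid_key "$2" && valid_key "$3" || return 1
  cat <<EOF
[Interface]
Address = ${WG_NET}.1/24
ListenPort = ${WG_PORT}
PrivateKey = $1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ${EGRESS_IF} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ${EGRESS_IF} -j MASQUERADE

[Peer]
PublicKey = $2
PresharedKey = $3
AllowedIPs = ${WG_NET}.2/32
EOF
}

# Client config: $1 client private key, $2 server public key, $3 preshared
# key, $4 server hostname or IP. AllowedIPs 0.0.0.0/0 routes all IPv4 traffic
# through the tunnel; PersistentKeepalive keeps the UDP NAT mapping open when
# the client sits behind CGNAT or a home router.
client_conf() {
  valid_key "$1" && valid_key "$2" && valid_key "$3" || return 1
  cat <<EOF
[Interface]
Address = ${WG_NET}.2/32
PrivateKey = $1

[Peer]
PublicKey = $2
PresharedKey = $3
Endpoint = $4:${WG_PORT}
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# Usage (on the server, as root): sh wg-setup.sh vpn.example.com
# Writes /etc/wireguard/wg0.conf and ./client.conf, enables IPv4 forwarding
# and opens the UDP port in ufw if it is installed. Does nothing without args.
if [ "$#" -eq 1 ]; then
  umask 077   # key material must not be world-readable
  server_priv=$(wg genkey); server_pub=$(printf '%s' "$server_priv" | wg pubkey)
  client_priv=$(wg genkey); client_pub=$(printf '%s' "$client_priv" | wg pubkey)
  psk=$(wg genpsk)
  server_conf "$server_priv" "$client_pub" "$psk" > /etc/wireguard/wg0.conf
  client_conf "$client_priv" "$server_pub" "$psk" "$1" > client.conf
  sysctl -w net.ipv4.ip_forward=1
  if command -v ufw >/dev/null; then ufw allow "${WG_PORT}/udp"; fi
  echo "server config: /etc/wireguard/wg0.conf  (start with: wg-quick up wg0)"
  echo "client config: client.conf  (import into the WireGuard app)"
fi
```

Each additional device gets its own key pair, its own `[Peer]` block on the server and its own `/32` address; reusing one client key across devices makes it impossible to revoke a single lost phone without cutting off the rest.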

OpenConnect

It was originally written as an open-source replacement for Cisco’s AnyConnect SSL VPN client, which is supported by Cisco routers. The OpenConnect client later added support for Juniper Networks’ SSL VPN and Palo Alto Networks’ GlobalProtect VPN.

The OpenConnect project also offers an AnyConnect-compatible server, ocserv, and thus a full client-server VPN solution. OpenConnect and ocserv now implement an extended version of the AnyConnect VPN protocol, which has been proposed as an Internet Standard. Both strive to maintain backwards compatibility with Cisco AnyConnect servers and clients.

Modern versions of OpenConnect can be built to use either GnuTLS or OpenSSL for TLS and DTLS.

So you can use either the Cisco AnyConnect client or the OpenConnect client itself to connect to ocserv.

There are some in-depth tutorials on how to install it on Linux. The cool thing is that it can co-exist on port 443 alongside your web server, Apache or Nginx.

SoftEther

The SoftEther VPN protocol is responsible for securing communications between the VPN client and the VPN server.

SoftEther is a powerful and easy-to-use multi-protocol VPN software. It runs on Windows, Linux, macOS, FreeBSD and Solaris. You can use SoftEther for any personal or commercial purpose, free of charge.

The protocol is designed in such a way that it can prevent man-in-the-middle attacks.

The encryption, decryption and authentication processes of SoftEther VPN are based on OpenSSL, a well-known open-source software library.

There are some tutorials in the DigitalOcean community that teach you how to install it on a droplet.

pfSense

It lets you configure an OpenVPN or WireGuard server from its GUI.

The OpenVPN wizard is a convenient way to set up a remote access VPN for mobile clients. It configures everything necessary for an OpenVPN remote access server.

In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system, allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution.

Conclusion

Better privacy, security, speed and latency always come at a price!

That’s it for now. Let us know in the comments what kind of VPN server you are using. Don’t forget to subscribe to our YouTube channel for more tech debates like this one.