Need a VPN to stay protected on the go while on public Wi-Fi but don’t want to pay for a VPN provider? Here’s how!
Prerequisites
This guide requires you to have a public IPv4 address pointing to your router, and you should be able to set up port forwards on said router. Alternatively you can use IPv6 but it will require manual configuration on the server, and also requires your clients (devices) to also have IPv6 to be able to reach your server. You could also rent a VPS for cheap. I recommend netcup.eu.
The hardware you’ll need
This guide also assumes you already have some machine running Linux, that is (or will be) used as server. Don’t have a machine running Linux? Either install it on an old PC for free using Ubuntu Server, or get yourself a Raspberry Pi for cheap (Raspberry Pi model 3B+ or better recommended)! You could also rent a VPS for cheap. I recommend netcup.eu.
Additional things
Either a static IP or a Dynamic DNS or “Dyn DNS” pointing to your IP.
The software you’ll need
Basically, you’ll need the freely available OpenVPN server software and an easy-to-use script provided buy someone on GitHub named Nyr. Update: I now forked the repo and my command now uses the script found in the fork.
Let’s get started
Sign in to your machine with root or sudo rights, either through SSH or locally using a keyboard. ;)
Warning! You should always check the contents of a script before running it. You never know who might have access to the above GitHub repo and what they could add to the script. Proceed with brain.
Download the script (copy paste the following command)
curl -sSL https://raw.githubusercontent.com/sindastra/openvpn-install/master/openvpn-install.sh > ~/vpnsetup
Now make it executable by running chmod +x ~/vpnsetup
and then running it with elevated privileges by running sudo ~/vpnsetup
.
You will now be asked a few questions, and I’ll help get the right answers!
> First I need to know the IPv4 address of the network interface you want OpenVPN listening to.
You can leave the default here.
> This server is behind NAT. What is the public IPv4 address or hostname?
If you have a static IP, you just enter that at this point. If not, you should set up Dynamic DNS or “Dyn DNS”. Enter your IP or domain name that points to said IP. Note: Make sure you can resolve whatismyip.akamai.com
or else the script will misbehave at this stage.
> Which protocol do you want for OpenVPN connections?
You can choose between UDP and TCP. While UDP might be faster and “lighter”, it is also often blocked on public Wi-Fi. If that is a concern to you, choose TCP.
> What port do you want OpenVPN listening to?
If you chose UDP, set the port to 1194 but If you chose TCP, set the port to 443 as it is almost never blocked on public Wi-Fi. If you already host an HTTPS server, choose something else like 500, 501 or 502 instead. Or disguise it as SMTPS/submission email server by choosing port 465 or 587.
> Which DNS do you want to use with the VPN?
If you don’t know or are using a Pi-hole*, choose option 1.
*If on a Pi-hole, you need to change some settings after the setup. See at the bottom.
Now it will ask you for the client name. Choose something descriptive like myname-mobile or myname-laptop, depending on where you will use OpenVPN. You will also be able to add more clients later on.
Wrapping things up
Now it will tell you that it got everything it needs. Press enter to proceed. And wait for it to finish things. In the end, it will have created an OpenVPN config file in your home directory with the name you chose earlier. For example ~/myname-laptop.ovpn which is the config file you need to install (copy) onto your client device.
Adding and removing devices
To create a new client certificate, simply run sudo ~/vpnsetup
again and choose option 1) Add a new user
or to remove a user, choose 2) Revoke an existing user
. This is a must if you know or suspect that one of your client certificates got into the wrong hands.
Removing OpenVPN
Run sudo ~/vpnsetup
and choose option 3) Remove OpenVPN
.
A note on the Pi-hole
To get this running with the Pi-hole, you need to sign in to your Pi-hole web interface and choose Settings > DNS > Listen on all interfaces. Make sure your Pi-hole is properly firewalled before you do this.
How to use/connect to your newly installed OpenVPN server
Simply copy your OpenVPN config to your client device and open it with your preferred OpenVPN client. A more detailed guide will follow soon.
UPDATE
Here’s a list of recommended OpenVPN clients
UPDATE 2
I wrote a new article on how to fix IPv6 leaks! Go check it out to complete your setup!
Leave A Comment