How to Make Your Own VPN in Linux in 12 Steps

Reading time: 10 min

If you want to enhance your privacy and avoid putting your data in the hands of a VPN service provider, then you can create your own VPN. The process of doing so won’t require you to be a programmer, but it’s a bit technical and it will take some effort.

In the end though, it will be worth it, and you will end up with a secure and private VPN that you can dispose of any minute.

Note: This process involves setting up your own server instance on DigitalOcean, which just like any other hosting service, will charge for bandwidth use.

Quick navigation: Editor’s Note: We value our relationship with our readers, and we strive to earn your trust through transparency and integrity. We are in the same ownership group as some of the industry-leading products reviewed on this site: ExpressVPN, Cyberghost, Private Internet Access, and Intego. However, this does not affect our review process, as we adhere to a strict testing methodology.

Step 1: Get a Remote Server that Runs Ubuntu

This involves creating a server on the cloud.

There are many hosting services that you can choose from, but the most user-friendly is DigitalOcean, and it’s also the most affordable.

DigitalOcean Ubuntu guide
To help create your server instance, they have a fantastic guide on setting up your own server in Ubuntu 16.04. Once your server instance is complete, you’ll be ready to go.

Step 2: Install OpenVPN

Now that your server is up and running, we need to install OpenVPN on it. The first thing you need to do is log in to the server by providing your credentials through a command prompt.

After that, execute the commands below. You can type or copy/paste them.

$ sudo apt-get update
$ sudo apt-get install openvpn easy-rsa

You have now installed both OpenVPN and easy-rsa, a package that is necessary for step 3.

Step 3: Configure the Certificate Authority Directory

Trusted certificates are important as they ensure that the outgoing traffic is encrypted. Normally, these certificates come from the Certificate Authority (CA), but because we are running and managing our own server, we can set up a simple CA directory on our server.

Execute the command below:

$ make-cadir ~/openvpn-ca

Now, navigate to the folder we have just created by typing the following command:

$ cd ~/openvpn-ca

Step 4: Configure the Certificate Authority

Now, we need to edit our CA. To open a text editor that displays the vars file, enter:

$ nano vars

Now, look for the following lines:

export KEY_COUNTRY=”US”
export KEY_PROVINCE=”NY”
export KEY_CITY=”New York City”
export KEY_ORG=”My-Organization”
export KEY_EMAIL=”me@host.domain”
export KEY_OU=”MyOrganizationalUnit”

Edit the quoted strings to reflect your details. Make sure you don’t leave any of them blank.

After that, scroll down to find the KEY_NAME line. Edit it to match the one below:

export KEY_NAME=”server”

You can now save and close the file.

Step 5: Build the Certificate Authority

Now that we have the right information in place, we can go ahead and create the Certificate Authority. Ensure that you are still in the CA directory.

$ cd ~/openvpn-ca

Enter the command below:

$ source vars

If the process executed correctly, you should see the following on your screen:

NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/sammy/openvpn-ca/keys

Clear out the environment by entering the following:

$ ./clean-all

Now build the root CA:

$ ./build-ca

You should get a series of prompts as your server executes the instructions you’ve just provided. Just press enter at each of them till the process completes.

Step 6: Creating the Server’s Encryption Files

Now that we’ve created our Certificate Authority, we can start generating actual encryption keys. The first thing we need to do is create the OpenVPN server certificate along with its key pair:

$ ./build-key-server server

The server will suggest some values. Accept them all by typing “y”. Be sure to do the same when asked about certificate creation.

Next we’ll create a few other miscellaneous files OpenVPN needs to operate. Use the following command:

$ ./build-dh

This can take some time, but wait until it’s done. After that, type the following command to create a signature for strengthening the verification process.

$ openvpn –genkey –secret keys/ta.key

Step 7: Creating the Client’s Certificate

Here, we’ll create a certificate and key pair for connecting your Linux computer. Use the following commands:

$ cd ~/openvpn-ca
$ source vars
$ ./build-key client1

Use the suggested defaults by hitting enter at the prompts.

Step 8: Configure OpenVPN

Now that we have all the certificates and key pairs we need, we can finally start setting up OpenVPN.

The first thing we need to do is move some of the files we just created to the “openvpn” folder:

$ cd ~/openvpn-ca/keys
$ sudo cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn

Now we’ll add a sample configuration file so we can open and edit it ourselves:

$ gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf

After its unzipped, type the following to open the configuration file:

$ sudo nano /etc/openvpn/server.conf

With the server.conf file open in the nano editor, look for the line below:

;tls-auth ta.key 0 # This file is secret

Uncomment the line by removing the semi-colon at the beginning.

On the line directly below it, add the following:

key-direction 0

Now, scroll to find the section filled with ciphers (keys). Here, we need to choose the security strength we need. Select AES 128 bit by finding the line below and uncommenting it (removing the semi-colon).

;cipher AES-128-CBC

Just below that line, add the following:

auth SHA256

Next, uncomment the user and group settings. They are the lines below:

user nobody
group nogroup

Push DNS Changes to Redirect All Traffic through the VPN

While the settings we have already created will tunnel your traffic, they won’t force any connections to use the tunnel. To force all your traffic to the VPN tunnel, you’ll need to push the DNS settings to the client computers.

To do this, we need to uncomment the directives listed below. Find them and remove the semicolon.

push “redirect-gateway def1 bypass-dhcp”

Just below that line, find the dhcp-option section. Again, uncomment the two lines

push “dhcp-option DNS 208.67.222.222”
push “dhcp-option DNS 208.67.220.220”

These settings will make the clients reconfigure their DNS settings to always use the VPN tunnel as the default gateway.

Adjust the Port and Protocol

Now, we need to change the port that OpenVPN will use. By default, it uses port 1194 and the UDP protocol. To make the VPN more inclusive, let’s use port 443 which is rarely restricted by firewalls. Search for the #Optional! line and change the port to 443.

# Optional!
port 443

After that, change the protocol from UDP to TCP

# Optional!
proto tcp

After that, save and close the file.

Step 9: Adjusting Network Settings

To ensure that OpenVPN routes traffic correctly, we need to do some edits.

The first thing is to allow IP forwarding. This can be done by modifying the /etc/sysctl.conf file. Open it.

$ sudo nano /etc/sysctl.conf

Find the line below and remove the ‘#’ character to uncomment it.

# net.ipv4.ip_forward=1

Save and close the file.

Now, run this command to adjust the values.

$ sudo sysctl –p

Now, we need to set up our server’s firewall so that it can properly manipulate traffic. Let’s start by finding the public network interface of our server machine.

$ ip route | grep default

At some point, the output line produced will include the word “dev”. What follows after that should be your interface name. For example in the line below, w1p11s0 is the interface name.

default via 203.0.113.1 dev wlp11s0  proto static  metric 600

Now, we need to add the name above to its appropriate place by editing the rules file. Enter the command below:

$ sudo nano /etc/ufw/before.rules

Look for the block of text that begins on the following phrase which has been commented out:

# START OPENVPN RULES

Below it, you’ll see a line that starts with “-A POSTROUTING”. This is where you need to add the interface name. Replace the XXXX with it.

-A POSTROUTING -s 10.8.0.0/8 -o XXXX -j MASQUERADE

Now save and close the file.

$ sudo nano /etc/default/ufw

After that, look for the line marked “DEFAULT_FORWARD_POLICY”. Change “DROP” to “ACCEPT”. After that, it should look like the following:

DEFAULT_FORWARD_POLICY=”ACCEPT”

Save and close the file.

Lastly, adjust the firewall settings to allow traffic to OpenVPN. Use the commands below:

$ sudo ufw allow 443/tcp
$ sudo ufw allow OpenSSH

To load the changes, disable and then re-enable the firewall.

$ sudo uwf disable
$ sudo uwf enable

Your server is now set up to handle your VPN traffic. You are almost there!

Step 10: Starting the OpenVPN Service

Since you’ve already set up the basic configurations, you can now start OpenVPN to get your server going.

$ sudo systemctl start openvpn@server

To ensure that OpenVPN always starts every time your server boots, enter the following command:

$ sudo systemctl enable openvpn@server

Step 11: Client Configurations

I need to prepare the server for connecting your devices. To start, let’s establish a designated folder for files associated with clients, and then adjust permissions to secure it.

$ mkdir -p ~/client-configs/files
$ chmod 700 ~/client-configs/files

Now we’ll copy an example configuration file and then edit it:

$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf

Open the file in a text editor:

$ nano ~/client-configs/base.conf

Scroll to find the line that starts with the “remote” directive. Edit it to reflect port 443 which is the port we are using:

remote server_IP_address 443

Below that, change the line marked “proto” from UDP to TCP

proto tcp

Remove the semicolons from the “user” and “group” lines to uncomment them:

user nobody
group nogroup

Locate the ca, cert, and key lines and comment them out by adding a hash at the beginning. They should look like this:

#ca ca.crt
#cert client.crt
#key client.key

Change the “cipher” and “auth” settings to match the ones we set above. They should look like this:

cipher AES-128-CBC
auth SHA256

Now, add a line anywhere in the file and type:

key-direction 1

Lastly, copy and paste the following commented out lines into the bottom of the file:

# script-security 2# up /etc/openvpn/update-resolv-conf# down /etc/openvpn/update-resolv-conf

Save your changes and exit the editor.

The last thing we need to do is to create a script that will compile everything that we’ve made. Start by creating a file in the ~/client-configs directory called “make_config.sh”, then open it using nano. Paste the following code into the script:

#!/bin/bash
# First argument: Client identifier
KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf
cat ${BASE_CONFIG} \

Save the file and exit. Now, make it executable with this command:

$ chmod 700 ~/client-configs/make_config.sh

Step 12:Configure your VPN on Linux

To use the VPN you’ve just set up, install OpenVPN on your computer using the commands below:

$ sudo apt-get update
$ sudo apt-get install openvpn

We now need to open and edit the configuration file we’ve just downloaded:

$ nano client1.ovpn

Uncomment the following three lines:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Save and close the file. You’ve now set up your Linux computer to connect to your VPN.

To connect to your new VPN, execute the following command:

$ sudo openvpn –config client1.ovpn

You should now be connected to your VPN!

We review vendors based on rigorous testing and research, and also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Joel Timothy
Written By Joel Timothy
Joel is an online privacy advocate, writer, and editor with a special interest in cyber security and internet freedom. He likes helping readers tackle tricky tech and internet issues, as well as maximize the boundless power of the internet.
Did you like this article? Rate it!
I hated it I don't really like it It was ok Pretty good! Loved it!

We're thrilled you enjoyed our work!

As a valued reader, would you mind giving us a shoutout on Trustpilot? It's quick and means the world to us. Thank you for being amazing!

Rate us on Trustpilot
4.70 Voted by 5 users
Title
Comment
Thanks for your feedback
Loader
Please wait 5 minutes before posting another comment.
Comment sent for approval.

Leave a Comment

Loader
Loader Show more...