DEV Community

Cover image for Building Your Own VPN for Free
William Baptist
William Baptist

Posted on

Building Your Own VPN for Free

VPN companies have advertisements everywhere, there’s a reason they sponsor most tech YouTubers (they’ve even tried it with me) but you don’t need to buy an expensive plan to use a VPN.

Here’s how you can build your own:
Image description

Step 1: Set Up the Server

For ease of use, a Linux server at your disposal would be ideal. On there, log in using SSH. If you don’t have one, services like AWS, Google Cloud, or DigitalOcean offer free tiers that you can use for this purpose.

ssh username@server_ip
Enter fullscreen mode Exit fullscreen mode

Replace “username” with the actual username you use to log into your server.

Replace “server_ip” with the IP address of your server. If you are using a cloud service, look in the server dashboard.

Step 2: Install OpenVPN and Easy-RSA

OpenVPN is going to be our free VPN solution and I will show you how it supports various encryption protocols. Let’s install it:

    sudo apt update
    sudo apt install openvpn
Enter fullscreen mode Exit fullscreen mode

Download Easy-RSA:

    sudo apt-get update
    sudo apt-get install easy-rsa
Enter fullscreen mode Exit fullscreen mode

Step 3: Configuration

Generate the server’s certificates and keys:

    cd /usr/share/easy-rsa
    sudo ./easyrsa init-pki
    sudo ./easyrsa build-ca
    sudo ./easyrsa gen-req server nopass
    sudo ./easyrsa sign-req server server
Enter fullscreen mode Exit fullscreen mode

During this process, when prompted, you will need to set a password and server username. Once signed, you should see this in the terminal:

Now the server is setup, generate the Diffie-Hellman key exchange:

    sudo openssl dhparam -out /etc/openvpn/dh.pem 2048
Enter fullscreen mode Exit fullscreen mode

Your terminal should look something like this:

Now you need to generate an HMAC signature for a strengthened control channel:

    sudo openvpn --genkey secret /etc/openvpn/ta.key
Enter fullscreen mode Exit fullscreen mode

Step 4: Server Configuration

Create a server configuration file /etc/openvpn/server.conf and add the following lines:

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
Enter fullscreen mode Exit fullscreen mode

You can write files in the Linux Terminal by utilising Nano:

    cd /etc/openvpn/
    sudo nano server.conf
Enter fullscreen mode Exit fullscreen mode

Enter the configuration file lines:

Then press CTRL + O, ENTER, then CTRL + X and the file will be saved.

Step 5: Enable IP Forwarding

Uncomment the following line in /etc/sysctl.conf to enable IP forwarding:

Activate the changes:

    sudo sysctl -p
Enter fullscreen mode Exit fullscreen mode

Step 6: Firewall Configuration

Configure the firewall to allow VPN traffic:

    sudo ufw allow 1194/udp
    sudo ufw allow OpenSSH
    sudo ufw enable
Enter fullscreen mode Exit fullscreen mode

Step 7: Client Configuration

Generate client keys:

    cd /usr/share/easy-rsa
    sudo ./easyrsa gen-req client nopass
    sudo ./easyrsa sign-req client client
Enter fullscreen mode Exit fullscreen mode

During this process, you will again enter the username and use “user” as a placeholder. Then, once prompted, type the word ‘yes’ and enter the password we used earlier in Step 3 for the server’s certificates and keys setup.

Lastly, create a client configuration file named client.ovpn in /etc/openvpn/ :

client
dev tun
proto udp
remote your_server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
remote-cert-tls server
tls-auth ta.key 1
data-ciphers AES-256-GCM:AES-128-GCM
verb 3
Enter fullscreen mode Exit fullscreen mode

Copy down the client certificates and keys to your local machine.

Step 8: Connecting to the VPN

Use OpenVPN on your local machine to connect to your VPN server:

    openvpn --config client.ovpn
Enter fullscreen mode Exit fullscreen mode

Top comments (26)

Collapse
 
thomasbnt profile image
Thomas Bnt ☕

Hello good post !

Don't hesitate to put colors on your codeblock like this example for have to have a better understanding of your code 😎

console.log('Hello world!');
Enter fullscreen mode Exit fullscreen mode

Example of how to add colors and syntax in codeblocks

Collapse
 
baptistsec profile image
William Baptist

It's Linux commands not code so there aren't many colours but I've made the changes, thanks for the heads-up.

Collapse
 
thomasbnt profile image
Thomas Bnt ☕

Maybe with bash language can work!

Thread Thread
 
baptistsec profile image
William Baptist

Yes, it is bash

Collapse
 
pavonz profile image
Andrea Pavoni • Edited

Not to sound harsh in my comment, but I feel the need to state some important points on why it’s not free:

  • vps/cloud servers have a cost
    and bandwidth costs even more

  • maintenance has a cost in terms of time

Other notes:

  • it’s “private” in terms of access, but it doesn’t prevent tracking or any kind of anonymization for your data
Collapse
 
baptistsec profile image
William Baptist

For sure, I just want to show alternatives to paid options in cybersecurity so it can become more accessible. You will need to do more than this to have your own VPN, but just buying a VPN isn't the only option.

Collapse
 
pavonz profile image
Andrea Pavoni

Sorry to insist, but this isn't a reliable alternative because:

  • it gives a false sense of security, especially to people who haven't enough knowledge/experience about cybersecurity basic concepts, other than how cloud services work. For example:

  • it might generate high billings if someone thinks bandwidth is coming for free

  • user might get banned from a cloud platform for abusing/misusing their services: imagine getting banned from AWS, GCP or Azure, where you already have some services running for your business

  • the server where is running the VPN software isn't updated properly/regularly, resulting in potential data breaches

You will need to do more than this to have your own VPN, but just buying a VPN isn't the only option

I'm sure you meant something more coherent, but these two sentences are contradicting each other:

  • you need a lot more work and knowledge to build a reliable VPN
  • buying a VPN is almost the only option IF you don't know what you're doing

I admire the purpose of your article, but I also think that certain knowledge should be spread with more depth. Security can't be improvised.

Thread Thread
 
baptistsec profile image
William Baptist • Edited

I don't think you can get banned from AWS etc. by making and testing your own VPN. My intention is not to use this in an enterprise setting and more of a small project at home using your own hardware.
For sure buying is the only option if you don't know what you are doing but if you can learn then it isn't. If you're testing something out as a base for something better then you can improvise through testing until you know it works.

Thread Thread
 
pavonz profile image
Andrea Pavoni

I don't think you can get banned from AWS etc.

You can be banned. Every platform has policies about how you are going to use their services, bandwidth is included.

My intention is not to use this in an enterprise setting

What you said can't be confirmed by a title that says: Building Your Own VPN for Free and a body where there isn't any kind of disclaimer about this other than claiming that you can build a VPN for free without the need to buy a professional one.

and more of a small project at home using your own hardware

this somewhat contradicts the main pillars of a VPN, which is basically a way to create a tunnel connection between hosts and/or networks which aren't physically on the same spot (hence the name).

I hope you're aware that the contents of this post are almost the same of what you can find on the main OpenVPN website (or blogs around the web) since 2004. It's ok to repost, but in 2023 the expectations about content quality for old stuff should be a must.

Thread Thread
 
phtn profile image
phtn458

Can you write code instead?

Collapse
 
spo0q profile image
spO0q 🐒

I appreciated your post. Straight to the point!

However, you should be careful with your statement, IMHO. Building and maintaining your own VPN services can be risky.

You don't get better security or privacy if you don't know what your doing.

Because your tutorial seems to target beginners and has tags like cybersecurity, I would recommend some disclaimers or warnings about the potential dangers, especially if you plan to make sensitive operations.

It's easy to misconfigure your tunnel and expose your data.

Collapse
 
moopet profile image
Ben Sinclair

I think the biggest warning this post needs is that if you're intending to use your personal VPN for anything other than trivial traffic, and you're using a cloud VPS, you're going to run up huge bills for bandwidth.

Instead of being "free", this will cost you roughly the same per month for the VPS as one of those YouTube-spamming VPNs cost, and many times that in additional bandwidth.

It's fine for setting up between, say, your home and a friend's home though. In fact, it's a perfect fit for that job.

Collapse
 
semo profile image
semo

Needs more in-depth explanation why and where you scraped the configuration setup. Also I don't think that Cloud Services will let you not pay for using bandwidth you suddenly request. Can be very expensive 🫰
Sources???

Collapse
 
treblecode profile image
trebleCode

Any thoughts on scripting it?

Collapse
 
forcegetnecmettin profile image
forcegetnecmettin
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
./openvpn-install.sh
Enter fullscreen mode Exit fullscreen mode

you can check for openvpn-install

Collapse
 
moopet profile image
Ben Sinclair

I think it's a bad idea to run code from the Internet like that. It's far too easy for a malicious poster to add a helpful comment and get people to run bad code on their machines.

Collapse
 
aleksha92 profile image
Aleksha92

I kept it simple. I registered in Aeza, selected a VPN in my account, and paid. They immediately gave me a key for Outline VPN, turned it on and everything worked. They also have a config for WireGuard.
Here aeza.net/?ref=404306

Collapse
 
c_p_109a685befc79d8bc76b1 profile image
C P

Nice article.

Is this any better than using the server as a SOCKS proxy?

Collapse
 
fernandezbaptiste profile image
Bap

Really cool post!

Collapse
 
cwrite profile image
Christopher Wright

Neat

Collapse
 
calvino profile image
Calvino

Pretty obvious typo: secret requires --
sudo openvpn --genkey --secret /etc/openvpn/ta.key

Collapse
 
mostafa_rksane_6b221e8b9d profile image
mostafa rksane

Sjxxhsjajx

Some comments may only be visible to logged-in visitors. Sign in to view all comments.