Create your own VPN from A-Z. Totally free. In 90 minutes.

TRAN Ngoc Thach
Oct 27, 2019

The article assumes some knowledge of network and VPN (Virtual Private Network) from readers.

The benefits of VPN

  • Pretend to be in another geographic location so that the websites treat you as if you were physically in that location. Example: Bypassing YouTube/Netflix’s geo-restricted access.
  • Securely surf the Internet as if you were at home. Example: Accessing the Internet on public Wi-Fi networks is subject to being monitored, although WPA2-enabled Wi-Fi and TLS-enabled websites help mitigate the issue to some extent.
  • Control your home’s Intranet remotely as if you were at home. Example: You prefer to disable your home security cameras’ cloud feature and not to expose them to the Internet; the VPN then lets you connect to your home cameras as if you were at home.
  • Use P2P networks, e.g. BitTorrent, optimally on public Wi-Fi, where port forwarding is almost never available.

Why to set up your own VPN?

  • It’s free. Totally. A typical paid VPN service costs $5–15 per month.
  • You’re in full control of your VPN and the relevant infrastructure, e.g. you can maximize the strength of the encryption keys and support port forwarding. In addition, you may choose not to log your own activities, which is often not possible with paid VPN services.

When is making your own VPN discouraged?

  • Running your own VPN does not necessarily mean low throughput; it is just that, as ordinary users, our Internet bandwidth and computing power are limited. The setup in this article therefore suits only a few users at a time. This does not imply that OpenVPN itself is not production-grade.
  • Using a VPN sends Internet packets on a round trip through the VPN server instead of the direct route, which adds latency, so it is not ideal for real-time applications, online games or 4K video streaming.

You will be able to…

  • Access Internet in public places as if you were at home.
  • Use BitTorrent-like clients with port-forwarding even with VPN.
  • Check that everything works as expected and troubleshoot if needed.

What should not be expected in this article?

  • The VPN described here is set up computer-to-computer, with all machines running Windows. Nevertheless, I assume setting it up on Linux shouldn’t be more complicated. It is also possible to run the VPN Server on an embedded system (a mini-computer), the VPN Client on Android, or even the VPN integrated into a router.
  • There is no programming involved.
  • Although VPNs come in different flavors (protocols and implementations), this article only uses the widely known OpenVPN.
  • The OpenVPN mode used is tun (aka routing). The other mode is tap (aka Ethernet bridging), which literally puts you in the same subnet as your home’s. Unfortunately, I didn’t succeed with the latter mode. Which mode is better?

The specific versions described below are not must-haves; they are just what worked in my case (listed for reference).

System at a glance

Software

  • OpenVPN, Community Edition. Version: openvpn-install-2.4.7-i607-win7.exe. The same installer is used for client and server.
  • Windows 7 64-bit as the OpenVPN Server and Windows 8.1 64-bit as the OpenVPN Client. Administrator rights are required.

Diagram

Although the technical details underlying VPN are complex, consider the abstract layer: when the VPN is established, the OpenVPN Server creates a virtual subnet to host the OpenVPN Clients. A network packet from the on-the-go laptop travels along the virtual tunnel to reach the OpenVPN Server. Then Windows’ Internet Connection Sharing (ICS) lets the packet continue to the Router in the Home Network and out to the Internet. In short, thanks to the VPN, the on-the-go laptop now accesses the Internet as if it physically resided in the Home Network. The packet passes through two gateways, ICS and the Router in the Home Network; therefore NAT is done twice.

Step-by-step installation

Install OpenVPN Server (Workstation PC in Home Network)

  1. Within the installation wizard, choose “EasyRSA”:
EasyRSA option

2. Open CMD and move to the folder “C:\Program Files\OpenVPN\easy-rsa”. Edit “vars.bat.sample” with Notepad++ and change “set DH_KEY_SIZE=2048” to “set DH_KEY_SIZE=4096”, not only to maximize the cryptographic strength but also to match the length of the RSA key. One downside is that generating the key will take significantly longer. The following fields are informational; fill them in as you like, then save the file:

set KEY_COUNTRY=US
set KEY_PROVINCE=A_Province
set KEY_CITY=A_City
set KEY_ORG=An_Organization
set KEY_EMAIL=mail@a_host_domain_name.com
set KEY_CN=A_fully_qualified_domain_name_unique_in_CA
set KEY_NAME=A_name
set KEY_OU=An_Department_Name
set PKCS11_MODULE_PATH=A_Module_path
set PKCS11_PIN=1234

3. Now generate the required keys. The whole process might take about 60 minutes. In the CMD window above, run the following batch files (and the final openvpn command) in order:

  • init-config.bat
  • vars.bat
  • clean-all.bat
  • build-dh.bat
  • build-ca.bat
  • build-key-server.bat ServerVPN
  • build-key.bat ClientVPN
  • openvpn --genkey --secret keys/ta.key

In build-ca, build-key-server and build-key, accept the default values or modify them as you wish. When asked y/n, press y. The only thing worth remembering is that the CommonName (CN) of each certificate must be unique.

4. In Network Connections (Control Panel -> Network and Internet), rename the device “TAP-Windows Adapter V9” to “ServerVPN”:

ServerVPN Adapter

5. In the “Local Area Connection” properties, share the Internet connection with “ServerVPN”, and add “OpenTCP”/“OpenUDP” as follows:

Port Forwarding for ServerVPN’s virtual subnet

The OpenVPN Server maintains a virtual subnet to host OpenVPN Clients, but this subnet doesn’t automatically have Internet access. On Linux, we might have to use iptables to forward packets around. On Windows, we achieve the same thing via “Internet Connection Sharing” (ICS), in which the current PC becomes the Gateway for the virtual subnet. The current PC, of course, can access the Internet via its “Local Area Connection”; as a result, OpenVPN Clients within the virtual subnet are able to go online.

Additionally, in order to expose listening ports inside the virtual subnet to the Internet, we have forwarded 2 ports, one for TCP (60000) and one for UDP (60001). If you need more ports or a different protocol, modify them here.

6. Copy these files to “C:\Program Files\OpenVPN\config”: ca.crt, ServerVPN.crt, ServerVPN.key, dh4096.pem and ta.key. “ServerVPN.key” must be kept secret and secure, as it is the Private Key of the OpenVPN Server.

7. Configure the file “server.ovpn” (put it here: “C:\Program Files\OpenVPN\config\server.ovpn”):

# Server's port to be listening on. (must be forwarded in Home Network's Router).
port 40000
# UDP is faster. Can also be "udp6" (for IPv6) or just "udp".
proto udp4
# TUN only passes TCP/IP traffic (not Ethernet frames).
dev tun
dev-node ServerVPN
# Act as a server with the TLS layers.
tls-server
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\ServerVPN.crt"
key "C:\\Program Files\\OpenVPN\\config\\ServerVPN.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh4096.pem"
# Ensure that the Certificate, provided by the remote client, proves it is a Client.
remote-cert-tls client
# Most common topology today.
topology subnet
# This is the Virtual Subnet for VPN.
server 192.168.100.0 255.255.255.0
# Remember which IP was assigned to which machine so the same state is restored on the next start.
ifconfig-pool-persist ipp.txt
# Ask client to redirect their traffic to this Server.
push "redirect-gateway def1"
# Use 3rd-party DNS (OpenDNS) for better performance and security.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# Allow clients to communicate with each other within the subnet.
client-to-client
# Use the key file to not only authenticate, but also encrypt the TLS control channel.
tls-crypt "C:\\Program Files\\OpenVPN\\config\\ta.key"
# Prevent DNS leak.
push "block-outside-dns"
# Compress to save bandwidth.
compress lz4-v2
# Ping every 10 s; a peer silent for 120 s is considered down (the server side waits twice as long).
keepalive 10 120
# The best cryptographic cipher.
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
# For debugging purpose.
verb 3
# Tell clients that the Server is exiting; they should reconnect later.
explicit-exit-notify 1
# Require minimum version of TLS.
tls-version-min 1.2
# "Good enough" for authenticating data channel packets and (if enabled) tls-auth control channel packets with HMAC.
auth SHA256
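As an added check (not from the original article), the following Python script parses a .ovpn file and reports which of the hardening directives used above are missing. The embedded sample is a trimmed copy of the server.ovpn from step 7 with a shortened ta.key path; running the audit over a deliberately weakened copy (tls-auth instead of tls-crypt, no block-outside-dns) shows what a finding looks like.

```python
import shlex

# Constructed sample: the server.ovpn from step 7, trimmed to the directives this
# audit inspects (ta.key path shortened; this is not the article's full file).
SAMPLE_SERVER_OVPN = """
tls-server
remote-cert-tls client
server 192.168.100.0 255.255.255.0
push "redirect-gateway def1"
tls-crypt "C:/keys/ta.key"
push "block-outside-dns"
cipher AES-256-CBC
tls-version-min 1.2
auth SHA256
"""

def parse_ovpn(text):
    """Map directive -> list of argument lists; 'push "x y"' is re-parsed so it
    lands under the key 'push:x' with args ['y']."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):  # '#' and ';' introduce comments
            continue
        name, *args = shlex.split(line)
        if name == "push" and args:
            inner = shlex.split(args[0])
            name, args = "push:" + inner[0], inner[1:]
        cfg.setdefault(name, []).append(args)
    return cfg

def audit(cfg, role="server"):
    """Return the hardening findings; an empty list means every directive the
    article relies on is present. role is 'server' or 'client'."""
    peer = "client" if role == "server" else "server"
    checks = [
        ("tls-crypt" in cfg, "no tls-crypt: control channel is at best authenticated (tls-auth), not encrypted"),
        ([peer] in cfg.get("remote-cert-tls", []), f"no remote-cert-tls {peer}: peer certificate role unverified"),
        (any(float(a[0]) >= 1.2 for a in cfg.get("tls-version-min", [])), "no tls-version-min 1.2: old TLS accepted"),
        ("cipher" in cfg and "auth" in cfg, "cipher/auth not set explicitly: OpenVPN defaults apply"),
    ]
    if role == "server":  # pushed options only exist on the server side
        checks += [
            (["def1"] in cfg.get("push:redirect-gateway", []), 'no push "redirect-gateway def1": traffic may bypass the tunnel'),
            ("push:block-outside-dns" in cfg, 'no push "block-outside-dns": Windows clients may leak DNS'),
        ]
    return [msg for ok, msg in checks if not ok]
```

To audit the real file, pass `open(r"C:\Program Files\OpenVPN\config\server.ovpn").read()` to parse_ovpn; the client.ovpn from the next section can be checked with role="client".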

8. Next, forward the OpenVPN Server’s port (40000) in the Router of the Home Network (see the Diagram), so that remote OpenVPN Clients can contact the Server and establish the VPN.

Port Forwarding in the Router (Home Network)

The IP “192.168.1.20” is the local IP address of the OpenVPN Server PC in the Home Network. Besides, also forward the ports 60000 and 60001, which will be needed by the OpenVPN Client (in the virtual subnet). The local IP address of the OpenVPN Client PC is “192.168.100.4”, within the virtual subnet 192.168.100.0/255.255.255.0 (set by the server 192.168.100.0 255.255.255.0 directive of the OpenVPN Server’s configuration).

Important note: I happened to have “192.168.1.20” for the OpenVPN Server PC (within the real subnet 192.168.1.0/255.255.255.0) and “192.168.100.4” for the OpenVPN Client PC (within the virtual subnet 192.168.100.0/255.255.255.0). DHCP assigned them; your IPs might be different.

9. At last, start the OpenVPN Server as a service:

Start OpenVPN Server as a service

Check that it started without problems in “C:\Program Files\OpenVPN\log\server.log”. It should look like this:

OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019
...
IFCONFIG POOL: base=192.168.100.2 size=252, ipv6=0
IFCONFIG POOL LIST
Initialization Sequence Completed

Install OpenVPN Client (on-the-go laptop in Public Network)

  1. The installation file is the same for both Client and Server. The needed keys have already been created, so when installing the Client there is no need to choose the “EasyRSA” option.
  2. Copy the files ca.crt, ClientVPN.crt, ClientVPN.key and ta.key from “C:\Program Files\OpenVPN\easy-rsa\keys” on the Workstation PC (where the OpenVPN Server is installed) into “C:\Program Files\OpenVPN\config” on the on-the-go laptop (where the OpenVPN Client is installed).
  3. Configure the file “client.ovpn” (put it here: “C:\Program Files\OpenVPN\config\client.ovpn”):
client
# The same as on the Server.
dev tun
proto udp4
# The public IP Address of the Router in Home Network
remote X.Y.Z.T 40000
# Try connecting forever until success.
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\ClientVPN.crt"
key "C:\\Program Files\\OpenVPN\\config\\ClientVPN.key"
remote-cert-tls server
compress lz4-v2
tls-crypt "C:\\Program Files\\OpenVPN\\config\\ta.key"
cipher AES-256-CBC
verb 3
keepalive 5 10
auth SHA256

To find the public IP address of the Router in the Home Network, visit this from the Workstation PC, and fill in the result as “X.Y.Z.T” above.

4. At last, start the OpenVPN Client (in user mode):

Check that it started without problems in “C:\Users\[UserName]\OpenVPN\log\client.log”. It should look like this:

OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019
...
Initialization Sequence Completed
MANAGEMENT:>STATE:1572187944,CONNECTED,SUCCESS,192.168.100.2,123.20.93.62,40000,,

If you see this icon in the Taskbar, everything is likely OK.

Now your on-the-go laptop in a Public Network can access the Internet as if it were physically inside the Home Network.

Evaluation

  1. Check that the on-the-go laptop accesses the Internet as if it were physically inside the Home Network.

On the on-the-go laptop, visit here. If the Home Network and the Public Network are in separate cities or countries, you can clearly see the difference without the VPN; with the VPN, the result should be identical.

In addition, also check here if in doubt.

2. Check that BitTorrent-like programs work flawlessly on the on-the-go laptop.

On the on-the-go laptop, download uTorrent and a torrent file, e.g. Linux Mint. In uTorrent, configure the incoming port:

uTorrent’s incoming port

Now start downloading the Linux Mint ISO from the torrent file. If the “Network OK” status is reported as below, everything is optimal.

uTorrent status

Troubleshooting

  1. Whatever happens, try rebooting both the Client and Server PCs. The OpenVPN Server, as a service on the Workstation PC, will then start automatically; but the OpenVPN Client on the on-the-go laptop needs to be started manually by clicking the “Connect” menu.
  2. After the VPN is established, the on-the-go laptop cannot access the Internet. => On the Workstation PC, try resetting as follows:

3. When establishing the VPN, the OpenVPN Client constantly shows read UDPv4: Unknown error (code=10054) in red. => The Client can’t contact the Server, probably because of the port forwarding of 40000 in the Router of the Home Network. Also check that the OpenVPN Server starts without any errors (if there are errors, fix them!). Plus, the public IP address of the Home Network’s Router may have changed (it changes from time to time), in which case remote X.Y.Z.T 40000 must be modified accordingly.

4. P2P programs, e.g. uTorrent, don’t seem to receive incoming connections. => On the on-the-go laptop, run ipconfig /all in CMD to get the IP assigned in the virtual subnet (shown under the “TAP-Windows Adapter V9” interface). Compare that IP to the one in the picture “Port Forwarding for ServerVPN’s virtual subnet”: do they match?
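As an added check (not from the original article), this Python script reads a client.log and maps it to the hints above: the tunnel IP reported in the management STATE line versus the IP in the ICS forwarding rule (item 4), repeated code=10054 reads (item 3), and a missing “Initialization Sequence Completed” line. The sample log is constructed from the log lines shown earlier in this article; note that their tunnel IP, 192.168.100.2, differs from the forwarded 192.168.100.4, which is exactly the mismatch item 4 asks you to look for.

```python
import re

# Constructed client.log excerpt in the format shown above; the CONNECTED line and
# the IPs are the article's own examples, the 10054 lines are what a failing
# handshake looks like (Troubleshooting item 3).
SAMPLE_CLIENT_LOG = """\
OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019
read UDPv4: Unknown error (code=10054)
read UDPv4: Unknown error (code=10054)
Initialization Sequence Completed
MANAGEMENT:>STATE:1572187944,CONNECTED,SUCCESS,192.168.100.2,123.20.93.62,40000,,
"""

# Fields of a management STATE line: time,state,description,tunnel IP,server IP,server port
STATE_RE = re.compile(r"MANAGEMENT:>STATE:(\d+),(\w+),([^,]*),([^,]*),([^,]*),([^,]*)")

def parse_state(line):
    """Return the named fields of a STATE line, or None if the line is not one."""
    m = STATE_RE.search(line)
    if not m:
        return None
    ts, state, detail, tunnel_ip, server_ip, server_port = m.groups()
    return {"time": int(ts), "state": state, "detail": detail,
            "tunnel_ip": tunnel_ip, "server_ip": server_ip, "server_port": server_port}

def diagnose(log_text, forwarded_ip):
    """Map a client log to the troubleshooting hints above. forwarded_ip is the
    virtual-subnet address used in the ICS port-forwarding rule (item 4)."""
    hints, last, errors = [], None, 0
    for line in log_text.splitlines():
        if "Unknown error (code=10054)" in line:
            errors += 1
        last = parse_state(line) or last      # keep the most recent STATE line
    if last and last["state"] == "CONNECTED":
        if last["tunnel_ip"] != forwarded_ip:   # item 4: P2P ports forwarded to the wrong host
            hints.append(f"tunnel IP {last['tunnel_ip']} != forwarded IP {forwarded_ip}: "
                         "fix the ICS/router forwarding rules or incoming P2P connections fail")
    elif errors:                                # item 3: server never answered
        hints.append(f"{errors}x code=10054 and no CONNECTED state: check UDP 40000 forwarding, "
                     "server.log for errors, and whether the home public IP changed")
    elif "Initialization Sequence Completed" not in log_text:
        hints.append("initialization never completed: read the first error in the log")
    return {"state": last["state"] if last else None, "errors_10054": errors, "hints": hints}
```

On the laptop, pass the contents of C:\Users\[UserName]\OpenVPN\log\client.log and the IP from your own ICS forwarding rule to diagnose().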

Conclusion

We have learned how to create a personal, totally free VPN using OpenVPN, as well as the pros and cons of this approach. Readers are advised to understand the assumptions of this VPN setup scheme.

To the best of my knowledge, I tried to reasonably harden the OpenVPN setup, for example by using tls-crypt instead of tls-auth, the advantage of which is discussed here. Furthermore, pushing redirect-gateway def1 and block-outside-dns to clients prevents possible leaks of Internet packets outside the tunnel. The best encryption cipher, cipher AES-256-CBC, is also taken into account. Nonetheless, your suggestions/advice for making this setup even better are welcome.

The approach in this article is not a silver bullet that solves all Internet security concerns, but hopefully it contributes to a slightly safer and more secure online experience for normal users.

Future Works

  1. Try OpenVPN’s Ethernet Bridging.
  2. Use a dynamic DNS service, e.g. Dyn.com, rather than a raw IP. That is, the directive remote X.Y.Z.T 40000 can become remote somedomain.com 40000. When the Router of the Home Network changes its public IP, the DynDNS Updater updates somedomain.com to point to the new IP. Later, when the OpenVPN Client notices that the current IP is no longer valid, it fetches the new IP from the domain. Less maintenance!
  3. Apply a firewall on both Client and Server. A firewall is generally good. If implemented cleverly, on the Client we can force all Internet applications to use only the VPN’s virtual subnet.
  4. Play with IPv6.
