How to Make Your Own VPN – Complete 13-Steps Tutorial
Today, we present you with a complete guide on how to make your own VPN at home in just a few relatively painless steps. Our walkthrough will guide you through the process of installing and configuring your DIY VPN. Don’t be intimidated: you don’t need advanced coding skills; just follow our step-by-step instructions, and you’ll be up and running a powerful OpenVPN connection in no time.
Virtual private networks are gaining popularity among even the most casual of internet users. It’s no surprise, either, seeing as how they’re easy to use, affordable, and come with a ton of useful features that protect your online privacy. Instead of signing up with a VPN service, though, some people have decided to install and configure their own personal VPN using a virtual private server and OpenVPN.
Making your own VPN isn’t easy, however. The process requires many steps, and includes a lot of work on the command line. We highly recommend that you brush up on your familiarity with encryption and command prompts or PowerShell before you begin.
Check out these hassle-free alternatives to making your own VPN:
- NordVPN – Best Overall VPN Provider – NordVPN strikes the right balance of usability and deep functionality. Unbreakable encryption, massive server network, no logs.
- Surfshark – Unlimited simultaneous connections, CleanWeb anti-malware/adware, and auto-obfuscation on every server.
- ExpressVPN – Searing speeds, military-grade cryptography, one-button interface.
- IPVanish – Tried and true, the heavy streamer’s favorite for buffer-free video and audio.
If you’re up to the task, however, running your own VPN can provide you with a level of privacy that just can’t be matched by a third party service. You’ll have full control over your data, and will be able to browse the internet secure in the knowledge that nobody is spying on your activity.
Recommended External VPN Hosts
Before we dive into the details of creating your own VPN, it’s well worth a mention that there are a number of truly excellent services already out there. Unless you are a power user with very specific requirements, you’ll find that the following VPN services will more than meet your needs with minimal hassle. No need to go through lengthy installation processes or edit pages of configuration files; simply sign up, install, and you’re good to go!
1. NordVPN
NordVPN has set the gold standard for VPN industry expectations, and that’s not just because it’s one of the most venerable, trusted names around. They continually refine and expand their offer, to the point where their massive worldwide network spans over 5,500 servers in 59 different countries.
With 256-bit encryption and modern tunneling protocols like OpenVPN as the backbone of your privacy suite, you can stealth your way past website blocks and dodge ad tracking and government snooping all with one click. You don’t even have to sacrifice on performance, either–NordVPN’s speeds are great for streaming and gaming without lag or stutter.
Finally, NordVPN has a zero-logs guarantee you can trust. Panamanian jurisdiction excludes them from subjection to 5, 9, and 14 Eyes international surveillance and data retention agreements.
Read our full NordVPN review.
- Unblocks American Netflix
- Over 5,400 servers in 61 countries
- Strong encryption is used on all connections
- Extra-secure Double VPN for data encryption
- Live chat support is available.
- Some servers can be slow and unreliable
- They can take 30 days to process refunds.
2. Surfshark
Surfshark is a new VPN, but it hasn’t beaten around the bush in becoming one of the best in the industry. Powerful 256-bit encryption and modern tunneling protocols allow you to beat censorship and surveillance anywhere. Meanwhile, myriad cybersecurity extras keep you safer online: anti-malware, anti-adware, pop-up blocker, site blacklist, plus IP, DNS, and WebRTC leak protection.
While 800 servers in 50 countries may seem rather modest for a major VPN, every one of them has specialty server functionality including obfuscation. This helps you beat deep packet inspection to thwart everything from Netflix’s VPN blocking to Egypt’s OpenVPN ban.
Surfshark never limits your bandwidth, traffic, server switches–not even your simultaneous connections. This makes it a great choice for families, students, project teams, and more. Finally, their disk-free server infrastructure is physically incapable of storing your VPN usage metadata long-term, making good on their no-logs guarantee.
- Robust servers blast through geoblocks to access your favorite streaming sites
- Every server is a speciality server
- IP, DNS and WebRTC leak protection plus kill switch
- Favorable BVI jurisdiction guarantees no logs kept
- Refund requests are simple and fast–no waiting or hassle.
- Speeds occasionally suffer a noticeable drop
- Apps don’t allow for much manual fiddling for power users.
Read our full Surfshark review.
3. ExpressVPN
ExpressVPN is fast, easy to use, and incredibly secure. The company operates a network of over 3,000 servers in 94 different countries, each delivering amazingly fast connection speeds around the world. You’ll get strong 256-bit encryption for all of your online traffic, as well as unlimited bandwidth, no torrent or P2P restrictions, and a strict zero-logging policy that keeps your data perfectly safe.
Read our full ExpressVPN review.
- Works with US Netflix, iPlayer, Hulu and other services
- Super fast, reliable connection
- Secure encryption & VPN protocols
- Strict no-logging policy
- Great customer service via chat.
- Month-to-month plan has high cost.
4. IPVanish
IPVanish is another excellent choice for a fast and secure VPN. The service comes with wonderful privacy features such as 256-bit AES encryption, DNS leak protection, and an automatic kill switch, all of which are designed to ensure your identity never slips through the cracks. All of this is backed by a zero-logging policy and absolutely no limits on bandwidth or speed. To top it all off, IPVanish runs a network of over 1,300 servers in 60 different countries, giving you plenty of options for bypassing censorship blocks and downloading torrent files anonymously.
Read our full IPVanish review.
Make Your Own Home VPN – Step-by-step Guide
Below we go through the process of creating your own VPN. While the process takes some effort, DIY warriors and privacy nuts alike will revel in taking full control over their privacy. Without further ado, let’s get started.
Step 1: Get a Remote Server that Runs Ubuntu
There are a variety of services that offer scalable virtual private server options, but one of the easiest to use and most affordable is DigitalOcean. The company has a fantastic guide on installing and configuring your own Ubuntu 16.04 server, which you should follow before beginning the rest of this VPN guide. Once complete, you’ll have a droplet server configured and ready to go.
Step 2: Install OpenVPN
With your Ubuntu server up and running, your first step will be to install OpenVPN. First, log into your server using your user credentials through a command prompt. Next, run each of the following commands. This will install OpenVPN as well as easy-rsa, a package that will help us in the next step.
You can type the commands listed below, or you can copy/paste them.
$ sudo apt-get update
$ sudo apt-get install openvpn easy-rsa
Step 3: Configure the Certificate Authority Directory
In order for OpenVPN to encrypt traffic and send it between sources, it needs to be able to use trusted certificates. These generally come from an external Certificate Authority (CA), but because our VPN ecosystem is entirely closed (we run it, we manage it, only we will be using it), it’s possible to set up a simple CA on our Ubuntu server.
Enter the following command into the prompt:
$ make-cadir ~/openvpn-ca
Next, navigate to the folder you just created. If you’re not sure how to do that, simply type in the following into the command prompt:
$ cd ~/openvpn-ca
Step 4: Configure the Certificate Authority
Now we’ll set up our CA with some basic information. Type the following command and hit enter. It opens a text editor and displays the vars file:
$ nano vars
You don’t need to change most of what’s in the vars file. Scroll to the bottom and look for the following lines:
export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="New York City"
export KEY_ORG="My-Organization"
export KEY_EMAIL="me@host.domain"
export KEY_OU="MyOrganizationalUnit"
Change the strings within the quotation marks to reflect your own information. As long as they’re not blank, you’ll be fine. Next, scroll down to find the KEY_NAME line. Change the string to match the following:
export KEY_NAME="server"
Save the file and close it, we’re done editing for now.
Step 5: Build the Certificate Authority
With the information in place, it’s time to create the Certificate Authority. Make sure you’re still in the CA directory we created before:
$ cd ~/openvpn-ca
Then type the following into the command prompt:
$ source vars
If everything went smoothly, you should see something like the following appear on screen:
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/sammy/openvpn-ca/keys
Clear out the environment by entering the following:
$ ./clean-all
Now build the root CA:
$ ./build-ca
A series of prompts will appear while your server follows the instructions you just gave it. Simply press enter at each of them until the process completes.
Step 6: Creating the Server’s Encryption Files
With the Certificate Authority in place, we can now start generating actual encryption keys. Start by creating the OpenVPN server certificate along with its key pair:
$ ./build-key-server server
Accept the default values the server suggests. Be sure to type “y” when the output asks you to confirm certificate creation. Next we’ll create a few other miscellaneous files OpenVPN needs to operate. Type the following into the command prompt:
$ ./build-dh
Wait a few minutes for this to complete. Don’t worry, it can take a while. Afterwards, generate a pre-shared TLS authentication key (ta.key), which adds an HMAC check to the handshake and strengthens verification, by entering the following:
$ openvpn --genkey --secret keys/ta.key
That’s it for this step. Don’t worry if some of these commands don’t make much sense. The server needs specialized tools in order to encrypt and verify everything, and this step helps put those in place.
Step 7: Creating the Client’s Certificate
In this step we’ll be creating a certificate and key pair for the client (your device) to use when connecting. Simply type the following commands into the prompt:
$ cd ~/openvpn-ca
$ source vars
$ ./build-key client1
Use the defaults the output suggests by hitting “enter” at the prompts.
Step 8: Configure OpenVPN
With all the certificates and key pairs created, we can finally start setting up OpenVPN. We’ll begin by moving some of the files we just created to the “openvpn” folder:
$ cd ~/openvpn-ca/keys
$ sudo cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
Now we’ll add a sample configuration file so we can open and edit it ourselves:
$ gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
When the unzip completes, type the following to open the configuration file:
$ sudo nano /etc/openvpn/server.conf
With the server.conf file open in the nano editor, look for the line that matches the text below:
;tls-auth ta.key 0 # This file is secret
Remove the semi-colon from the beginning of this line to uncomment it. On the line directly below it, add the following:
key-direction 0
Scroll to the section listing cipher options. Here we’ll be choosing the strength of our encryption. Find the line below and remove the semi-colon to enable 128-bit AES encryption:
;cipher AES-128-CBC
Just below that line, add the following:
auth SHA256
Next, search for the user and group settings and remove the semi-colon to uncomment them. The lines should look like this when you’re done:
user nobody
group nogroup
While we have the server.conf file open, we might as well make some more convenience changes. First, locate the following line and remove the semi-colon so it’s no longer commented out. This allows the VPN to route all of your traffic:
;push "redirect-gateway def1 bypass-dhcp"
Below this line you’ll see a few lines marked dhcp-option. Uncomment them by removing the semi-colon:
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
Next you’ll want to change the port OpenVPN uses. The default is 1194, which is fine for most users and most instances. We’re going for a little extra usability and will be switching to port 443, a rarely-blocked port that will give you greater access to the web in restrictive environments by making your VPN all but undetectable. Search for the “# Optional!” lines and change the port to 443:
# Optional!
port 443
Now change the protocol from UDP to TCP:
# Optional!
proto tcp
Save the file and close it.
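A directive left with its leading “;” is the most common slip in this step, so here is an added shell check, not part of the original guide, that audits a server.conf for exactly the directives enabled above; the sample file inside it is constructed, and on the real server you would call audit_server_conf /etc/openvpn/server.conf.

```shell
#!/bin/sh
# Audit an OpenVPN server.conf for the directives Step 8 enables.
# Added example, not part of the original guide; needs only sh and grep.
# Usage on the real file: audit_server_conf /etc/openvpn/server.conf

# Constructed sample: a server.conf edited as Step 8 describes.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-128-CBC
auth SHA256
user nobody
group nogroup
EOF

# Directive/value pairs the guide sets; a line still prefixed
# with ';' (commented out) must not count as set.
EXPECTED='port 443
proto tcp
tls-auth ta.key
key-direction 0
cipher AES-128-CBC
auth SHA256
user nobody
group nogroup
push "redirect-gateway'

# has_directive FILE NAME VALUE: true only for an active (uncommented) line.
has_directive() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|\$)" "$1"
}

# audit_server_conf FILE: prints one line per check and returns
# the number of failed checks (0 means the file matches Step 8).
audit_server_conf() {
    _f=$1; _fail=0
    while read -r name value; do
        if has_directive "$_f" "$name" "$value"; then
            echo "ok       $name $value"
        else
            echo "MISSING  $name $value"
            _fail=$((_fail + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return $_fail
}

audit_server_conf "$SAMPLE_CONF"
```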
Step 9: Adjusting Network Settings
In this step we’ll be configuring OpenVPN so it can forward traffic, an essential function of any VPN. We’ll start by opening a config file and doing some editing.
$ sudo nano /etc/sysctl.conf
Search for the line listed below and remove the hash character (number sign, or #) to uncomment the setting:
# net.ipv4.ip_forward=1
Save and close the file, then run this command to adjust the values:
$ sudo sysctl -p
Now we'll set the server's firewall so it can properly manipulate traffic. The first thing to do is find the public network interface of our server machine. Type the following into the command prompt:
$ ip route | grep default
The output will display a line of information. Just after the word “dev” should be an interface name. In the example below, that name is “wlp11s0”, though yours will likely be different:
default via 203.0.113.1 dev wlp11s0 proto static metric 600
Now we edit the rules file to add the above name in the appropriate place. Start by typing this into the command prompt:
$ sudo nano /etc/ufw/before.rules
Search for a block of text beginning with the following commented-out phrase:
# START OPENVPN RULES
Beneath that you’ll see a line that starts with “-A POSTROUTING”. Add your interface name from above here, replacing the XXXX with the correct text:
-A POSTROUTING -s 10.8.0.0/8 -o XXXX -j MASQUERADE
Now save and close the file.
Next on the list is telling our firewall to forward packets. Open the firewall file by typing the command below:
$ sudo nano /etc/default/ufw
Search for the line marked “DEFAULT_FORWARD_POLICY”. Change “DROP” to “ACCEPT”. When you’re done, it should look like the following:
DEFAULT_FORWARD_POLICY="ACCEPT"
Now save and close the file.
For the last part of this step we’ll adjust the firewall’s settings to allow traffic to OpenVPN. Type the following commands into the prompt, using the port settings we configured above:
$ sudo ufw allow 443/tcp
$ sudo ufw allow OpenSSH
Now we’ll disable then re-enable the firewall to load the changes we just made. Enter each of these commands into the prompt:
$ sudo ufw disable
$ sudo ufw enable
The server is now set up to handle OpenVPN traffic, and your VPN is a lot closer to being ready to go.
Step 10: Starting the OpenVPN Service
With most of the basic configurations taken care of, we can finally start OpenVPN and get our server going. Begin by typing the following line into the command prompt:
$ sudo systemctl start openvpn@server
Checking the service’s status should show a line marked “Active:” reading “active (running) since…” followed by a date. Type the following line so OpenVPN starts automatically every time your server boots:
$ sudo systemctl enable openvpn@server
Step 11: Client Configurations
Now we’ll get your server ready to accept clients, also known as your internet connected devices. Most of these steps are security related and designed to ensure nothing gets into your server except your own computer. First we’ll create a directory to hold client related files, then change permissions to lock it down:
$ mkdir -p ~/client-configs/files
$ chmod 700 ~/client-configs/files
Now we’ll copy an example configuration file so we can edit it:
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
Open the file in a text editor:
$ nano ~/client-configs/base.conf
Scroll to find the line that starts with the “remote” directive. Edit it so it reflects the port you chose above, which should be 443:
remote server_IP_address 443
Change the line below marked “proto” to say “tcp”, again matching the options we set above:
proto tcp
Find the “user” and “group” lines and uncomment them by removing the semi-colon:
user nobody
group nogroup
Locate the ca, cert, and key lines and comment them out by adding a hash at the beginning. When you’re done, they should look like this:
#ca ca.crt
#cert client.crt
#key client.key
Change the “cipher” and “auth” settings to match the ones we set above. If you followed this guide, the lines will look like this when you’re done:
cipher AES-128-CBC
auth SHA256
Next, anywhere in the file add a new line and type the following:
key-direction 1
And finally, copy and paste the following commented out lines into the bottom of the file:
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
Save your changes and exit the editor.
The next step is to create a script that will compile everything we just made, configuration files, certificates, cipher keys, and all. Start by creating a file in the ~/client-configs directory called “make_config.sh”, then open it using nano. Paste the following code into the script:
#!/bin/bash

# First argument: Client identifier

KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn
Save the file and exit. Next, make the file executable by typing the following command:
$ chmod 700 ~/client-configs/make_config.sh
Step 12: Setting Up Your Devices
You’re almost there! In this step we’ll build the configuration file your device uses to connect to the server. We’ve already made the certificates in previous steps; now all we need to do is run the script, which assembles them into a single file in the files directory. Use the following commands to do that:
$ cd ~/client-configs
$ ./make_config.sh client1
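Because make_config.sh keeps going when a client’s .crt or .key is missing, it can quietly emit an .ovpn with an empty block; here is an added shell check, not from the original guide, that validates a generated client file before you copy it anywhere (the sample .ovpn inside it is constructed, and on the server you would call check_ovpn ~/client-configs/files/client1.ovpn).

```shell
#!/bin/sh
# Sanity-check a client .ovpn produced by make_config.sh before copying it
# to a device. Added example, not part of the original guide; it needs only
# sh, grep and awk. Usage: check_ovpn ~/client-configs/files/client1.ovpn

# Constructed sample of what Steps 11-12 produce (PEM bodies omitted).
SAMPLE_OVPN=$(mktemp)
cat > "$SAMPLE_OVPN" <<'EOF'
client
proto tcp
remote 203.0.113.10 443
#ca ca.crt
#cert client.crt
#key client.key
cipher AES-128-CBC
auth SHA256
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
EOF

# block_has_pem FILE TAG: true when <TAG>...</TAG> encloses a BEGIN/END
# pair. An empty block is exactly what make_config.sh emits when the
# client's .crt or .key is missing from the keys directory.
block_has_pem() {
    awk -v tag="$2" '
        $0 == ("<" tag ">")  { inblk = 1; next }
        $0 == ("</" tag ">") { inblk = 0; next }
        inblk && /^-----BEGIN / { b = 1 }
        inblk && /^-----END /   { e = 1 }
        END { if (b && e) exit 0; exit 1 }' "$1"
}

# fail MSG: report one problem and count it.
fail() { echo "FAIL: $1"; _fail=$((_fail + 1)); }

# check_ovpn FILE: returns the number of problems found (0 = usable).
check_ovpn() {
    _f=$1; _fail=0
    for tag in ca cert key tls-auth; do
        block_has_pem "$_f" "$tag" || fail "empty or missing <$tag> block"
    done
    grep -Eq '^remote [^ ]+ 443$' "$_f" || fail "remote is not on port 443"
    grep -Eq '^proto tcp$' "$_f"        || fail "proto is not tcp"
    grep -Eq '^key-direction 1$' "$_f"  || fail "key-direction 1 missing"
    # With the material inlined, file-based ca/cert/key lines must stay commented out.
    if grep -Eq '^(ca|cert|key) ' "$_f"; then fail "file-based ca/cert/key directive still active"; fi
    return $_fail
}

check_ovpn "$SAMPLE_OVPN" && echo "client config looks usable"
```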
Now we’ll transfer these configuration files to our devices. You’ll need an FTP client that supports SFTP to do this. FileZilla is a free and open source program that works on Windows, Linux, and Mac operating systems. Install the software and connect to your server through SFTP (not plain FTP) using your credentials from above. Then navigate to the following directory on your server:
~/client-configs/files
Download the file marked “client1.ovpn”. This contains all the information your local copy of OpenVPN will need to connect to your server.
Now you’ll need to install OpenVPN on your computer, smartphone, tablet, and any other device you plan on using with your VPN.
Windows:
- Download OpenVPN and install it to your computer.
- Copy the client1.ovpn file to OpenVPN’s installation directory and put it in the “config” directory.
- Right click on the OpenVPN desktop shortcut and go to “Properties”
- Click “Compatibility” then “Change settings for all users”
- In the next window, check “Run this program as administrator”
- Launch OpenVPN as an administrator. If it pops up warning messages, accept them.
- Enjoy surfing the web using your very own virtual private network!
Mac:
- Download and install Tunnelblick, the free and open source OpenVPN client for Mac.
- When the installation asks if you have any configuration files, simply say “No”.
- Afterwards, open a finder window and double click “client1.ovpn”.
- Launch Tunnelblick.
- Click on the icon in the top corner of the screen and choose “Connect”
- Select the “client1” connection.
- Enjoy your own personal VPN!
Linux:
Install OpenVPN by using the following command prompt lines:
$ sudo apt-get update
$ sudo apt-get install openvpn
Now edit the configuration file you downloaded in the step above:
$ nano client1.ovpn
Uncomment the following three lines:
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
Save and close the file. You can now connect to your VPN by using the following command:
$ sudo openvpn --config client1.ovpn
Android:
- Install the OpenVPN client for Android.
- Transfer client1.ovpn to your device, either through a USB connection or via cloud storage.
- Run the OpenVPN app and tap the menu button in the top right.
- Choose “Import”, then navigate to the ovpn file’s location and import the file
- Tap the “Connect” button from OpenVPN’s main menu.
iOS:
- Install OpenVPN for iOS.
- Connect your iOS device to a computer and copy the client1.ovpn file to OpenVPN through iTunes.
- Disconnect and launch OpenVPN. A notification will appear saying a new profile is available.
- Tap the green plus sign to import your settings.
- Slide the connect button to “on” to use your VPN.
Step 13: Test Your VPN
Now that you’ve gone through this entire process, it’s time to verify your VPN is working! All you have to do is disable your VPN, then go to DNSLeakTest. It should display your current, real location. Now enable the VPN and refresh the page. A new IP address should appear, which means you’re safe behind a wall of VPN encryption.
LEARN MORE: How to test for DNS leaks
So, does it work?
We’ve given you exhaustive steps to set up your very own VPN. Did you run into any trouble along the way? Reach out to us in the comments below, and we’ll try to get you sorted out.
If you need a VPN for a short while when traveling for example, you can get our top ranked VPN free of charge. NordVPN includes a 30-day money-back guarantee. You will need to pay for the subscription, that’s a fact, but it allows full access for 30 days and then you cancel for a full refund. Their no-questions-asked cancellation policy lives up to its name.
This was a lot, but it certainly helped. I can connect, but I can’t get the internet.
One question: In the `before.rules` file, I do *not* have `# START OPENVPN RULES` and `-A POSTROUTING` gives an error. What is going on there?
Also, you have typos here:
$ sudo ufw allow 443/tcp
$ sudo ufw allow OpenSSH
Should be “uwf”.