Build A Home VPN With OpenVPN

First, let’s talk about what VPNs are and why I recommend everyone have one. VPN stands for Virtual Private Network, but the name can sometimes be confusing. Essentially, a VPN is a protocol that allows a client to join a non-local network through an encrypted connection and pretend that non-local network is their local network. Let’s break that down.

A VPN is essentially made up of two basic components; a server and a client. The server is the host of VPN, while the client is a user of the VPN. When a client wants access to resources on the VPN, the client will initiate an encrypted connection to the VPN using common TCP or UDP protocols. Once connected, the client will be assigned an IP address by the server and have access to all the resources of the VPN. In our case, the client will also push all its network traffic through the encrypted connection to the VPN. This means that when a client accesses a web-page with a browser, the client machine sends a request through an encrypted connection to the VPN, and the VPN sends this request out to the website on the public internet. Then, the website sends its response to the VPN, and the VPN then returns the response over an encrypted connection to the client machine’s web-browser. With this in place, it becomes safe for a client to browse private information from a shared-public WiFi network (such as coffee shops, hotels, etc…).

To illustrate the usefulness of this encrypted connection let look at the following example. Suppose that Bob is sitting at a coffee shop. Bob realizes he needs to check his bank account using the coffee shop’s WiFi. But wait, Bob can’t type in his password on a public WiFi network; that is not safe. Well Bob, was smart enough to have his own home VPN server. So Bob initiates a connection to the VPN, then uses the VPN to access his bank account information through his secured home network. Because his connection to the VPN is encrypted, and his home network is secure, Bob’s login information remains safe!

Today, we are going to embark on a journey, of how to build our own home VPN! Let’s get started!

In order to build and test our VPN, we are going to need three primary pieces of hardware.

  1. A Linux based computer OS. (I recommend a Raspberry Pi 3B, as that is what I utilize for mine. It’s cheap a cheap Linux based machine, that can be totally dedicated as a VPN server.)
  2. Access to your home router’s port forwarding and firewall options.
  3. A client for testing. (You can use any laptop; Windows, OSX, or Linux. Or you may use an android phone. I have not tested any IOS clients, but I’m fairly confident that you could find a good OpenVPN client IOS app out there somewhere.)

As for software, we need the following:

  1. A Linux based OS for our server. (If you are using a Raspberry Pi like me, I recommend using Rasbian.)
  2. Whatever client software you wish to use.
    1. For Windows: OpenVPN GUI is a good option:
    2. For Androids: I was able to use the OpenVPN for Android app
    3. For OSX: A free client software like TunnelBear will work. Alternatively, you could run it via the terminal by OpenVPN PathToDirectory/client.conf 

With these items in mind, let’s get started!

Setting up the VPN server:

Once you install Rasbian, run the following terminal commands in order:

$ sudo apt-get update -y

$ sudo apt-get upgrade -y

$ sudo apt-get install python-pip -y

$ sudo yes | pip install pexpect && apt-get install libssl-dev -y

$ sudo apt-get install openvpn

Now we build the VPN itself:

$ sudo cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa

$ sudo cp openssl-1.0.0.cnf openssl.cnf

$ sudo source ./vars && ./clean-all && ./build-ca

$ sudo source ./vars && ./pkitool –server server

$ sudo source ./vars && ./pkitool client1 && ./pkitool client2 && ./pkitool client3 && ./pkitool client3 && ./pkitool client4 && ./pkitool client5 && ./pkitool client6 && ./pkitool client7 && ./pkitool client8 && ./pkitool client9 && ./pkitool client10

$ sudo source ./vars && ./build-dh

$ sudo openvpn –genkey –secret ta.key

And ta-da! We are done with the server!

Now let’s create the server configuration file:

$ sudo touch /etc/openvpn/easy-rsa/keys/server.conf

$ sudo nano /etc/openvpn/easy-rsa/keys/server.conf

Copy the following in:

port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3

The press control-z, y, enter to save.

We are all done with the server side! Now onto the router configuration.

Router setup:

This is a short two-step process.

  1. Set up a static IP for your VPN server.
  2. Enable port forwarding to port 1194 for the static IP your just set

Note, if you are having problems and this appears to be set correctly, temporarily disable your router firewall to see if the firewall is still blocking the port. Sometimes you have to set the firewall setting to low in order for this to work.

Now onto the client setup.

Client setup:

Depending on which client you are using, you may or may not need to manually write a server configuration file:

For Android:

Use SFTP to download the the following four files from the /etc/openvpn/easy-rsa/keys directory to you computer. (Note you may need to adjust the permissions of the files with sudo ugo+rw file to download them.)

ta.key

ca.crt

client1.crt

client1.key

Now plug in you android to your computer, make a folder on the Android name, OpenVPN and place the 4 files there.

Now open the OpenVPN for Android app and add a profile.

Name the profile, and then select the CA Certification (it’s the ca.crt), Client Certificate (it’s the client1.crt), and the Client Certificate Key (it’s the client1.key file) by using the select button and navigating the files in the OpenVPN folder you just created.

Next click over to the server list tab. For the server address place your public IP (google what is my IP if you can’t find it) address (unless you have your own domain name linked to your public IP like foo.com, then put that). The port number should be 1194. Select the TCP protocol (assuming you used the server config that I provided earlier. If you switched to UDP then select UDP here.)

Next click over to the IP and DNS tab. Scroll to the bottom and place the following DNS IPs (these are googles, which I prefer, but feel free to use others that you trust.) in the following fields:

DNS Server: 8.8.8.8

Backup DNS Server: 8.8.4.4

Also check the box that says, “Override DNS Settings by Server.”

Next click over to routing, and check the IPV4 box that says User Default Route.

Next click over to Authentication/encryption. Check the box that says, “expect TLS server certificate”. Scroll the bottom, enabled “Use TLS Authentication”, and the TLS Auth File to be the TA.Key file that you copied.

Finally, click over to the Allowed Apps tab, and ensure that “VPN is used for all apps but exclude selected” is enabled. Also, ensure that none of the boxes are checked.

Now we are ready to test! Jump on LTE or a different WiFf network and click the one you just created. Assuming everything is set correctly it should say that the VPN is activated. To test that you are on your home network, google what is my IP, and see if it matches the public IP of your home network. If it does, congratulations, you have successfully created your own home VPN!

This opens up an exciting world of networking potential for you!

To be continued…. (Also, this blog needs smoothed over, I’ll get to that eventually.)