Make Your Own VPN in Just 13 Steps: Complete Tutorial

Virtual private networks are gaining popularity among even the most casual of internet users. It’s no surprise, either, seeing as how they’re easy to use, affordable, and come with a ton of useful features that protect your online privacy. Instead of signing up with a VPN service, though, some people have decided to install and configure their own personal VPN using a virtual private server and OpenVPN.

Making your own VPN isn’t easy, however. The process requires many steps, and includes a lot of work on the command line. We highly recommend that you brush up on your familiarity with encryption and command prompts or PowerShell before you begin.

If you’re up to the task, however, running your own VPN can provide you with a level of privacy that just can’t be matched by a third party service! You’ll have full control over your data, and will be able to browse the internet secure in the knowledge that nobody is spying on your activity.

Recommended External VPN Hosts

Before we dive into the details of creating your own VPN, it’s well worth a mention that there are a number of truly excellent services already out there. Unless you are a power user with very specific requirements, you’ll find that the following VPN services will more than meet your needs with minimal hassle. No need to go through lengthy installation processes or edit pages of configuration files; simply sign up, install, and you’re good to go!

ExpressVPN

ExpressVPN is fast, easy to use, and incredibly secure. The company operates a network of over 145 servers in 94 different countries, each delivering amazingly fast connection speeds around the world. You’ll get strong 256-bit encryption for all of your online traffic, as well as unlimited bandwidth, no torrent or P2P restrictions, and a strict zero-logging policy that keeps your data perfectly safe.

EXCLUSIVE for Addictive Tips readers: Sign up for a year of service with ExpressVPN at only $6.67 per month and get 3 months FREE! Also take advantage of ExpressVPN’s 30-day “no questions asked” money-back guarantee for a fast and secure risk-free VPN.

IPVanish

IPVanish is another excellent choice for a fast and secure VPN. The service comes with wonderful privacy features such as 256-bit AES encryption, DNS leak protection, and an automatic kill switch, all of which are designed to ensure your identity never slips through the cracks. All of this is backed by a zero-logging policy and absolutely no limits on bandwidth or speed. To top it all off, IPVanish runs a network of over 850 servers in 60 different countries, giving you plenty of options for bypassing censorship blocks and downloading torrent files anonymously.

EXCLUSIVE for Addictive Tips readers: Get 60% off when you sign up for a year of IPVanish, just $4.87 per month! Each plan is covered by an amazing 7-day money-back guarantee, ensuring a risk-free trial for your new, private internet connection.

Make Your Own Home VPN: Step-by-step Guide

Below we go through the process of creating your own VPN. While the process takes some effort, DIY warriors and privacy nuts alike will revel in taking full control over their privacy. Without further ado, let’s get started!

Step 1: Get a Remote Server that Runs Ubuntu

There are a variety of services that offer scalable virtual private server options, but one of the easiest to use and most affordable is Digital Ocean. The company has a fantastic guide on installing and configuring your own Ubuntu 16.04 server, which you should follow before beginning the rest of this VPN guide. Once complete, you’ll have a droplet server configured and ready to go.

Step 2: Install OpenVPN

With your Ubuntu server up and running, your first step will be to install OpenVPN. First, log into your server using your user credentials through a command prompt. Next, run each of the following commands. This will install OpenVPN as well as easy-rsa, a package that will help us in the next step.

You can type the commands listed below, or you can copy/paste them.

$ sudo apt-get update

$ sudo apt-get install openvpn easy-rsa

Step 3: Configure the Certificate Authority Directory

In order for OpenVPN to encrypt traffic and send it between sources, it needs to be able to use trusted certificates. These generally come from an external Certificate Authority (CA), but because our VPN ecosystem is entirely closed (we run it, we manage it, only we will be using it), it’s possible to set up a simple CA on our Ubuntu server.

Enter the following command into the prompt:

$ make-cadir ~/openvpn-ca

Next, navigate to the folder you just created. If you’re not sure how to do that, simply type in the following into the command prompt:

$ cd ~/openvpn-ca

Step 4: Configure the Certificate Authority

Now we’ll set up our CA with some basic information. Type the following command and hit enter. It opens a text editor and displays the vars file:

$ nano vars

You don’t need to change most of what’s in the vars file. Scroll to the bottom and look for the following lines:

export KEY_COUNTRY="US"

export KEY_PROVINCE="NY"

export KEY_CITY="New York City"

export KEY_ORG="My-Organization"

export KEY_EMAIL="me@host.domain"

export KEY_OU="MyOrganizationalUnit"

Change the strings within the quotation marks to reflect your own information. As long as they’re not blank, you’ll be fine. Next, scroll down to find the KEY_NAME line. Change the string to match the following:

export KEY_NAME="server"

Save the file and close it, we’re done editing for now.

Step 5: Build the Certificate Authority

With the information in place, it’s time to create the Certificate Authority. Make sure you’re still in the CA directory we created before:

$ cd ~/openvpn-ca

Then type the following into the command prompt:

$ source vars

If everything went smoothly, you should see something like the following appear on screen:

NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/sammy/openvpn-ca/keys

Clear out the environment by entering the following:

$ ./clean-all

Now build the root CA:

$ ./build-ca

A series of prompts will appear while your server follows the instructions you just gave it. Simply press enter at each of them until the process completes.

Step 6: Creating the Server’s Encryption Files

With the Certificate Authority in place, we can now start generating actual encryption keys. Start by creating the OpenVPN server certificate along with its key pair:

$ ./build-key-server server

Accept the default values the server suggests. Be sure to type “y” when the output asks you to confirm certificate creation. Next we’ll create a few other miscellaneous files OpenVPN needs to operate. Type the following into the command prompt:

$ ./build-dh

Wait a few minutes for this to complete. Don’t worry, generating the Diffie-Hellman parameters can take a while. Afterwards, generate the tls-auth key (ta.key), a shared HMAC secret that lets the server reject handshake packets that don’t carry a valid signature, by entering the following:

$ openvpn --genkey --secret keys/ta.key

That’s it for this step. Don’t worry if some of these commands don’t make much sense. The server needs specialized tools in order to encrypt and verify everything, and this step helps put those in place.

Step 7: Creating the Client’s Certificate

In this step we’ll be creating a certificate and key pair for the client (your device) to use when connecting. Simply type the following commands into the prompt:

$ cd ~/openvpn-ca

$ source vars

$ ./build-key client1

Use the defaults the output suggests by hitting “enter” at the prompts.

Step 8: Configure OpenVPN

With all the certificates and key pairs created, we can finally start setting up OpenVPN. We’ll begin by copying some of the files we just created to the “openvpn” folder:

$ cd ~/openvpn-ca/keys

$ sudo cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn

Now we’ll add a sample configuration file so we can open and edit it ourselves:

$ gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf

When the unzip completes, type the following to open the configuration file:

$ sudo nano /etc/openvpn/server.conf

With the server.conf file open in the nano editor, look for the line that matches the text below:

;tls-auth ta.key 0 # This file is secret

Remove the semi-colon from the beginning of this line to uncomment it. On the line directly below it, add the following:

key-direction 0

Scroll to find the section listing cipher options. Here we’ll be choosing the strength of our encryption. Find the line below and remove the semi-colon to enable 128-bit AES encryption:

;cipher AES-128-CBC

Just below that line, add the following:

auth SHA256

Next, search for the user and group settings and remove the semi-colon to uncomment them. The lines should look like this when you’re done:

user nobody

group nogroup

While we have the server.conf file open, we might as well make some more convenience changes. First, locate the following line and remove the semi-colon so it’s no longer commented out. This allows the VPN to route all of your traffic:

;push "redirect-gateway def1 bypass-dhcp"

Below this line you’ll see a few lines marked dhcp-option. Uncomment them by removing the semi-colon:

;push "dhcp-option DNS 208.67.222.222"

;push "dhcp-option DNS 208.67.220.220"

Next you’ll want to change the port OpenVPN uses. The default is 1194, which is fine for most users and most instances. We’re going for a little extra usability and will be switching to port 443, a rarely-blocked port that will give you greater access to the web in restrictive environments. Search for the “# Optional!” lines and change the port to 443:

# Optional!

port 443

Now to change the UDP setting to TCP:

# Optional!

proto tcp

Save the file and close it.
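The edits above are easy to get subtly wrong in an editor (a semi-colon left in place, key-direction added on the wrong line). The following script is an added example, not code from the original article: it applies the same Step 8 changes to a server.conf with sed and then verifies that every directive the guide asks for is active. The excerpt in sample_server_conf() is constructed for the demo; on the real server you would point configure_server_conf at /etc/openvpn/server.conf.

```shell
#!/bin/sh
# Added example, not code from the original article: apply the Step 8 edits to
# a server.conf with sed and verify that every directive the guide asks for is
# active. The excerpt in sample_server_conf() is constructed for the demo; on
# the real server the file is /etc/openvpn/server.conf.

# Rewrite file $1 in place with sed script $2 (portable across GNU and BSD sed).
sed_edit() {
    sed "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Apply the Step 8 changes to the server.conf given as $1. Each edit only
# matches the still-commented form of a line, so running it twice is harmless.
configure_server_conf() {
    f="$1"
    # tls-auth: uncomment it, then add key-direction 0 on the next line
    sed_edit "$f" '/^;tls-auth ta\.key 0/{
s/^;//
a\
key-direction 0
}'
    # cipher: enable AES-128-CBC and add the HMAC digest directly below it
    sed_edit "$f" '/^;cipher AES-128-CBC/{
s/^;//
a\
auth SHA256
}'
    # drop privileges after startup
    sed_edit "$f" 's/^;user nobody$/user nobody/; s/^;group nogroup$/group nogroup/'
    # route all client traffic through the VPN and push the DNS servers
    sed_edit "$f" 's/^;\(push "redirect-gateway def1 bypass-dhcp"\)$/\1/'
    sed_edit "$f" 's/^;\(push "dhcp-option DNS [0-9.]*"\)$/\1/'
    # listen on 443/tcp instead of the 1194/udp default
    sed_edit "$f" 's/^port 1194$/port 443/; s/^proto udp$/proto tcp/'
}

# Print every expected directive that is missing or still commented out in $1;
# return 1 if any is.
verify_server_conf() {
    f="$1"; missing=0
    for want in 'tls-auth ta.key 0' 'key-direction 0' 'cipher AES-128-CBC' 'auth SHA256' \
                'user nobody' 'group nogroup' 'push "redirect-gateway def1 bypass-dhcp"' \
                'push "dhcp-option DNS 208.67.222.222"' 'push "dhcp-option DNS 208.67.220.220"' \
                'port 443' 'proto tcp'; do
        if ! grep -q "^$want" "$f"; then
            echo "missing or still commented: $want"
            missing=1
        fi
    done
    return $missing
}

# Constructed excerpt mirroring the lines of the shipped sample that the guide touches.
sample_server_conf() {
    cat <<'EOF'
port 1194
;proto tcp
proto udp
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;tls-auth ta.key 0 # This file is secret
;cipher AES-128-CBC
;user nobody
;group nogroup
EOF
}

# Stand-alone demo on a temporary copy of the constructed excerpt.
demo_server_conf() {
    t=$(mktemp)
    sample_server_conf > "$t"
    configure_server_conf "$t"
    if verify_server_conf "$t"; then echo "server.conf edits applied and verified"; fi
    rm -f "$t"
}
demo_server_conf
```

On the server, `verify_server_conf /etc/openvpn/server.conf` alone is a useful check after hand-editing: it prints each directive that is still commented out, which is the usual reason a freshly configured OpenVPN refuses to start or falls back to the 1194/udp defaults.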

Step 9: Adjusting Network Settings

In this step we’ll be configuring OpenVPN so it can forward traffic, an essential function of any VPN. We’ll start by opening a config file and doing some editing.

$ sudo nano /etc/sysctl.conf

Search for the line listed below and remove the hash character (number sign, or #) to uncomment the setting:

# net.ipv4.ip_forward=1

Save and close the file, then run this command to adjust the values:

$ sudo sysctl -p

Now we'll set the server's firewall so it can properly manipulate traffic. The first thing to do is find the public network interface of our server machine. Type the following into the command prompt:

$ ip route | grep default

The output will display a line of information. Just after the word “dev” should be an interface name. In the example below, that name is “wlp11s0”, though yours will likely be different:

default via 203.0.113.1 dev wlp11s0  proto static  metric 600

Now we edit the rules file to add the above name in the appropriate place. Start by typing this into the command prompt:

$ sudo nano /etc/ufw/before.rules

Search for a block of text beginning with the following commented-out phrase:

# START OPENVPN RULES

Beneath that you’ll see a line that starts with “-A POSTROUTING”. Add your interface name from above here, replacing the XXXX with the correct text:

-A POSTROUTING -s 10.8.0.0/8 -o XXXX -j MASQUERADE

Now save and close the file.

Next on the list is telling our firewall to forward packets. Open the firewall file by typing the command below:

$ sudo nano /etc/default/ufw

Search for the line marked “DEFAULT_FORWARD_POLICY”. Change “DROP” to “ACCEPT”. When you’re done, it should look like the following:

DEFAULT_FORWARD_POLICY="ACCEPT"

Now save and close the file.

For the last part of this step we’ll adjust the firewall’s settings to allow traffic to OpenVPN. Type the following commands into the prompt, using the port settings we configured above:

$ sudo ufw allow 443/tcp

$ sudo ufw allow OpenSSH

Now we’ll disable then re-enable the firewall to load the changes we just made. Enter each of these commands into the prompt:

$ sudo ufw disable

$ sudo ufw enable

The server is now set up to handle OpenVPN traffic, and your VPN is a lot closer to being ready to go.
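The NAT rule is the part of this step that most often goes wrong: the interface name has to be read off the `ip route` output correctly, and the `# START OPENVPN RULES` block is not present in a stock before.rules, so it has to be added above the `*filter` section rather than merely edited. The script below is an added example, not part of the original article; it parses the interface name from a default-route line, emits the NAT block with that name filled in, inserts it only if it is not already there, and checks that the XXXX placeholder is gone. The stub before.rules and the route line are constructed for the demo; on the real server the file is /etc/ufw/before.rules.

```shell
#!/bin/sh
# Added example, not code from the original article: work out the public
# interface from `ip route` output and insert the OpenVPN NAT block into a ufw
# before.rules file without duplicating it. Sample data below is constructed;
# on a real server the file is /etc/ufw/before.rules.

# Print the interface name that follows "dev" on the default-route line read from stdin.
default_iface() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Print the NAT block the guide asks for, with interface $1 in place of XXXX.
# The 10.8.0.0/8 source range is the tutorial's value; the server directive
# only hands out 10.8.0.0/24, which would be the tighter match.
openvpn_nat_rules() {
    printf '%s\n' \
        '# START OPENVPN RULES' \
        '# NAT table rules' \
        '*nat' \
        ':POSTROUTING ACCEPT [0:0]' \
        "# Allow OpenVPN clients out through $1" \
        "-A POSTROUTING -s 10.8.0.0/8 -o $1 -j MASQUERADE" \
        'COMMIT' \
        '# END OPENVPN RULES'
}

# Insert the NAT block above the first *filter line of rules file $1 for
# interface $2. If a block is already present the file is left untouched.
insert_nat_rules() {
    rules="$1"; iface="$2"
    if grep -q '^# START OPENVPN RULES' "$rules"; then
        echo "NAT block already present in $rules" >&2
        return 0
    fi
    if ! grep -q '^\*filter' "$rules"; then
        echo "no *filter section in $rules, refusing to edit" >&2
        return 1
    fi
    openvpn_nat_rules "$iface" > "$rules.block"
    awk -v blk="$rules.block" '
        !done && /^\*filter/ { while ((getline line < blk) > 0) print line; print ""; done = 1 }
        { print }' "$rules" > "$rules.tmp"
    rm -f "$rules.block"
    mv "$rules.tmp" "$rules"
}

# Return 1 if the block is missing from $1 or the XXXX placeholder was never replaced.
check_nat_rules() {
    if ! grep -q '^# START OPENVPN RULES' "$1"; then
        echo "NAT block missing from $1"; return 1
    fi
    if grep -q -- '-o XXXX ' "$1"; then
        echo "interface placeholder XXXX still present in $1"; return 1
    fi
    return 0
}

# Stand-alone demo on a constructed before.rules stub and a constructed route line.
demo_nat_rules() {
    t=$(mktemp)
    printf '%s\n' '# constructed stub of before.rules' '*filter' ':ufw-before-input - [0:0]' 'COMMIT' > "$t"
    iface=$(printf 'default via 203.0.113.1 dev wlp11s0  proto static  metric 600\n' | default_iface)
    insert_nat_rules "$t" "$iface" && check_nat_rules "$t" && cat "$t"
    rm -f "$t"
}
demo_nat_rules
```

On a live server the equivalent is `sudo sh -c 'iface=$(ip route | default_iface); insert_nat_rules /etc/ufw/before.rules "$iface"'` after sourcing the functions, followed by the ufw disable/enable pair from above; if the interface name ever changes (a new droplet, a different driver) the block must be regenerated, and check_nat_rules will flag a leftover placeholder before clients are connected with no route out.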

Step 10: Starting the OpenVPN Service

With most of the basic configurations taken care of, we can finally start OpenVPN and get our server going. Begin by typing the following line into the command prompt:

$ sudo systemctl start openvpn@server

You’ll get a screen of output text. The second line marked “active” should say “active (running) since…” followed by a date. Type the following line so OpenVPN starts automatically every time your server boots:

$ sudo systemctl enable openvpn@server

Step 11: Client Configurations

Now we’ll get your server ready to accept clients, also known as your internet connected devices. Most of these steps are security related and designed to ensure nothing gets into your server except your own computer. First we’ll create a directory to hold client related files, then change permissions to lock it down:

$ mkdir -p ~/client-configs/files

$ chmod 700 ~/client-configs/files

Now we’ll copy an example configuration file so we can edit it:

$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf

Open the file in a text editor:

$ nano ~/client-configs/base.conf

Scroll to find the line that starts with the “remote” directive. Edit it so it reflects the port you chose above, which should be 443:

remote server_IP_address 443

Change the line below marked “proto” to say “tcp”, again matching the options we set above:

proto tcp

Find the “user” and “group” lines and uncomment them by removing the semi-colon:

user nobody

group nogroup

Locate the ca, cert, and key lines and comment them out by adding a hash at the beginning. When you’re done, they should look like this:

#ca ca.crt

#cert client.crt

#key client.key

Change the “cipher” and “auth” settings to match the ones we set above. If you followed this guide, the lines will look like this when you’re done:

cipher AES-128-CBC

auth SHA256

Next, anywhere in the file add a new line and type the following:

key-direction 1

And finally, copy and paste the following commented out lines into the bottom of the file:

# script-security 2

# up /etc/openvpn/update-resolv-conf

# down /etc/openvpn/update-resolv-conf

Save your changes and exit the editor.

The next step is to create a script that will compile everything we just made, configuration files, certificates, cipher keys, and all. Start by creating a file in the ~/client-configs directory called “make_config.sh”, then open it using nano. Paste the following code into the script:

#!/bin/bash
# First argument: Client identifier
KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf
cat ${BASE_CONFIG} \
<(echo -e '<ca>') \
${KEY_DIR}/ca.crt \
<(echo -e '</ca>\n<cert>') \
${KEY_DIR}/${1}.crt \
<(echo -e '</cert>\n<key>') \
${KEY_DIR}/${1}.key \
<(echo -e '</key>\n<tls-auth>') \
${KEY_DIR}/ta.key \
<(echo -e '</tls-auth>') \
> ${OUTPUT_DIR}/${1}.ovpn

Save the file and exit. Next, make the file executable by typing the following command:

$ chmod 700 ~/client-configs/make_config.sh

Step 12: Setting Up Your Devices

You’re almost there! In this step we’ll create files that tell the server how to interact with clients. We’ve already made the base certificates in previous steps, now all we need to do is create configs by moving things into a new directory. Use the following commands to do that:

$ cd ~/client-configs

$ ./make_config.sh client1
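Before copying client1.ovpn off the server, it is worth confirming that make_config.sh produced a complete profile that agrees with the server settings: all four inline blocks present, the ca/cert/key file references still commented out, key-direction 1 (the server uses 0), and remote, proto, cipher and auth matching Step 8. The script below is an added example, not code from the original article. The profile in sample_ovpn() is constructed for the demo and its PEM bodies are placeholder text, not key material.

```shell
#!/bin/sh
# Added example, not code from the original article: sanity-check a client
# profile built by make_config.sh before it is copied to a device. The profile
# in sample_ovpn() is constructed for the demo; its PEM bodies are placeholder
# text, not key material.

# Report anything in profile $1 that disagrees with the settings chosen in
# Steps 8 and 11; return 1 if a problem was found.
check_ovpn() {
    f="$1"; bad=0
    # make_config.sh must have inlined all four blocks
    for tag in ca cert key tls-auth; do
        if ! grep -q "^<$tag>\$" "$f" || ! grep -q "^</$tag>\$" "$f"; then
            echo "missing <$tag> block"; bad=1
        fi
    done
    # the inline blocks replace the file references, which must stay commented out
    if grep -Eq '^(ca|cert|key) ' "$f"; then
        echo "ca/cert/key file directives still active"; bad=1
    fi
    # the server uses key-direction 0, so the client must use 1
    grep -q '^key-direction 1$' "$f" || { echo "key-direction 1 missing"; bad=1; }
    # transport, port, cipher and digest must match server.conf
    grep -q '^proto tcp$' "$f" || { echo "proto tcp missing"; bad=1; }
    grep -Eq '^remote [^ ]+ 443$' "$f" || { echo "remote line does not use port 443"; bad=1; }
    if grep -q '^remote server_IP_address ' "$f"; then
        echo "remote still has the server_IP_address placeholder"; bad=1
    fi
    grep -q '^cipher AES-128-CBC$' "$f" || { echo "cipher AES-128-CBC missing"; bad=1; }
    grep -q '^auth SHA256$' "$f" || { echo "auth SHA256 missing"; bad=1; }
    return $bad
}

# Constructed profile shaped like make_config.sh output; PEM bodies are placeholders.
sample_ovpn() {
    cat <<'EOF'
client
dev tun
proto tcp
remote 203.0.113.10 443
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
#ca ca.crt
#cert client.crt
#key client.key
remote-cert-tls server
cipher AES-128-CBC
auth SHA256
key-direction 1
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERT
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-TA-KEY
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
}

# Stand-alone demo on a temporary copy of the constructed profile.
demo_ovpn() {
    t=$(mktemp)
    sample_ovpn > "$t"
    if check_ovpn "$t"; then echo "profile passes: ready to copy to the device"; fi
    rm -f "$t"
}
demo_ovpn
```

On the server, `check_ovpn ~/client-configs/files/client1.ovpn` runs the same checks on the real file. Because the profile embeds the client's private key and the tls-auth secret, treat it like a password: keep it mode 600 (`chmod 600 ~/client-configs/files/client1.ovpn`), move it with SFTP as the next paragraph describes, and delete copies you no longer need.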

Now we’ll transfer these configuration files to our devices. You’ll need to download an FTP client that’s capable of SFTP connections to do this. FileZilla is a free and open source program that works on Windows, Linux, and Mac operating systems. Install the software and connect to your server through SFTP (not plain FTP) using your credentials above. Then navigate to the following directory on your server:

/client-configs/files

Download the file marked “client1.ovpn”. This contains all the information your local copy of OpenVPN will need to connect to your server.

Now you’ll need to install OpenVPN on your computer, smartphone, tablet, and any other device you plan on using with your VPN.

Windows:

  • Download OpenVPN and install it to your computer.
  • Copy the client1.ovpn file to OpenVPN’s installation directory and put it in the “config” directory.
  • Right click on the OpenVPN desktop shortcut and go to “Properties”
  • Click “Compatibility” then “Change settings for all users”
  • In the next window, check “Run this program as administrator”
  • Launch OpenVPN as an administrator. If it pops up warning messages, accept them.
  • Enjoy surfing the web using your very own virtual private network!

Mac:

  • Download and install Tunnelblick, the free and open source OpenVPN client for Mac.
  • When the installation asks if you have any configuration files, simply say “No”.
  • Afterwards, open a finder window and double click “client1.ovpn”.
  • Launch Tunnelblick.
  • Click on the icon in the top corner of the screen and choose “Connect”
  • Select the “client1” connection.
  • Enjoy your own personal VPN!

Linux:

Install OpenVPN by using the following command prompt lines:

$ sudo apt-get update

$ sudo apt-get install openvpn

Now edit the configuration file you downloaded in the step above:

$ nano client1.ovpn

Uncomment the following three lines:

script-security 2

up /etc/openvpn/update-resolv-conf

down /etc/openvpn/update-resolv-conf

Save and close the file. You can now connect to your VPN by using the following command:

$ sudo openvpn --config client1.ovpn

Android:

  • Install the OpenVPN client for Android.
  • Transfer client1.ovpn to your device, either through a USB connection or via cloud storage.
  • Run the OpenVPN app and tap the menu button in the top right.
  • Choose “Import”, then navigate to the ovpn file’s location and import the file
  • Tap the “Connect” button from OpenVPN’s main menu.

iOS:

  • Install OpenVPN for iOS.
  • Connect your iOS device to a computer and copy the client1.ovpn file to OpenVPN through iTunes.
  • Disconnect and launch OpenVPN. A notification will appear saying a new profile is available.
  • Tap the green plus sign to import your settings.
  • Slide the connect button to “on” to use your VPN.

Step 13: Test Your VPN

Now that you’ve gone through this entire process, it’s time to verify your VPN is working! All you have to do is disable your VPN, then go to DNSLeakTest. It should display your current, real location. Now enable the VPN and refresh the page. Your server’s IP address should appear instead, which means you’re safe behind a wall of VPN encryption.

So, does it work?

Let us know in the comments below.

  • TheDoc

    This was a lot, but it certainly helped. I can connect, but I can’t get the internet.

    One question: In the `before.rules` file, I do *not* have `# START OPENVPN RULES` and `-A POSTROUTING` gives an error. What is going on there?

    Also, you have typos here:
    $ sudo ufw allow 443/tcp

    $ sudo ufw allow OpenSSH
    Should be “uwf”.