Aron Schüler on 04. October 2021
Run your own VPN with OpenVPN
VPN providers can be quite expensive, as they offer you privacy and anonymity for a certain price. Which is fine if you need that anonymity. But what if you just need a VPN for completely legal reasons? As an example, if you and your friends want to play an MMORPG that is only available in Russia? Exactly, you run your own VPN with OpenVPN. To be more specific, you rent a VPS, install OpenVPN guided by pivpn, generate a configuration for each of your friends and play the game on the Russian servers.
Choosing the VPS
The hardware requirements page on the OpenVPN website gives a good estimate of the minimum processor speed (it depends heavily on the cipher, the bandwidth and the number of concurrent users). For memory, 1GB is enough for the average setup; beyond about 150 users, plan roughly 1GB extra per 150 users. Throughput is usually bound by the CPU doing the encryption rather than by the hosting provider's link, so upgrading the CPU directly benefits your speed. Storage needs are minimal for a VPN-only box; the smallest option the provider offers will do. I chose the cheapest configuration with two vCores and 1GB memory, paired with 30GB storage. This works fine for four users.
Setting up OpenVPN
Basically you have two different paths to choose from. Either you set up OpenVPN yourself, create a certificate authority, and use it to issue a server certificate and one client certificate per user, or you install pivpn, which does all of that for you. I heavily recommend the latter if you do not already know your way around certificates or have your own CA up and running. I tried to use my pfSense CA to generate the certs but failed miserably.
With pivpn this is easy. On Debian 10 the following steps are sufficient to get a running OpenVPN server and a client configuration ready to use:

curl -L https://install.pivpn.io | bash
# Add a client
pivpn add

Note that the first command pipes a script fetched over the network straight into bash as root. If you want to know what it does before running it, download it first and read it. pivpn add asks for a client name and generates the .ovpn file you hand to that user.
Now your VPN is up and running.
By default, pivpn configures the OpenVPN server with the
push "redirect-gateway def1"
option set. This makes the client install routes that override its default gateway, so all of its traffic goes through the VPN. That is not what you want when only some traffic should use the tunnel.
The workaround is to remove this option and instead push every route that should go through the VPN to the client. To do this, comment out
push "redirect-gateway def1"
in /etc/openvpn/server.conf, as well as the
push "dhcp-option DNS <IP>"
lines, since we do not want to use any DNS the VPN provides. Then add a line like
push "route 22.214.171.124 255.255.255.255 10.8.0.1 1"
for every IP that should be routed through the VPN (the fields are network, netmask, VPN gateway and metric). Restart the OpenVPN server afterwards; clients receive the new routes when they reconnect.
This is not a security boundary, though: a pushed route is only a hint to the client, which could still reach that IP over another gateway, e.g. if the metric of that route changes. For us it's sufficient, as the clients cannot reach the routed IPs over any path other than the VPN.
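To make the edits above repeatable, here is a small POSIX shell script as an added example; it is not part of the original post and not pivpn's own tooling. It comments out the full-tunnel and DNS push lines, appends one host route per IP, and checks the result. It assumes pivpn's default tunnel gateway 10.8.0.1, as in the route line above; the server.conf it runs on in the demo is constructed here to mimic the lines pivpn writes, and the path /etc/openvpn/server.conf is only used when you pass it in.

```shell
#!/bin/sh
# Added example: convert a pivpn-generated OpenVPN server.conf into a
# split-tunnel configuration. Not from the original post or from pivpn.
# Assumption: the tunnel gateway is 10.8.0.1 (pivpn's default subnet).

VPN_GW=10.8.0.1

# Comment out the options that send all traffic and all DNS through the
# tunnel. Writes to a temp file and renames, so it works with any sed.
disable_full_tunnel() {
    conf="$1"
    sed -e 's/^push "redirect-gateway def1"/#&/' \
        -e 's/^push "dhcp-option DNS /#&/' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Append one host route (/32) per IP: network, netmask, gateway, metric.
push_routes() {
    conf="$1"; shift
    for ip in "$@"; do
        printf 'push "route %s 255.255.255.255 %s 1"\n' "$ip" "$VPN_GW" >> "$conf"
    done
}

# Returns 0 if no active full-tunnel or DNS push remains and every
# requested route is present, 1 otherwise.
check_split_tunnel() {
    conf="$1"; shift
    grep -q '^push "redirect-gateway' "$conf" && return 1
    grep -q '^push "dhcp-option DNS' "$conf" && return 1
    for ip in "$@"; do
        grep -qF "push \"route $ip 255.255.255.255 $VPN_GW 1\"" "$conf" || return 1
    done
    return 0
}

# Number of active route pushes in the config.
count_pushed_routes() {
    grep -c '^push "route ' "$1"
}

# Demo on a constructed config (not a real pivpn output) in a temp dir.
demo() {
    dir=$(mktemp -d)
    conf="$dir/server.conf"
    cat > "$conf" <<'EOF'
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 9.9.9.9"
push "dhcp-option DNS 149.112.112.112"
keepalive 10 120
EOF
    disable_full_tunnel "$conf"
    push_routes "$conf" 22.214.171.124 203.0.113.10
    if check_split_tunnel "$conf" 22.214.171.124 203.0.113.10; then
        echo "split tunnel ok, $(count_pushed_routes "$conf") route(s) pushed"
    fi
    cat "$conf"
    rm -rf "$dir"
}

demo
```

Run it against the real file with `disable_full_tunnel /etc/openvpn/server.conf` and `push_routes /etc/openvpn/server.conf <ip> ...`, then restart the OpenVPN server and reconnect the client. On a Linux client, `ip route get 22.214.171.124` should then name the tun interface; if it still shows your LAN gateway, the route was not pushed or not applied.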
We had some problems with pushing routes to Windows clients, but resolved this by adding the routes manually with a little batch script.
Quick, right? You should now have a VPS running as a VPN, ideally routing only the traffic that needs to go through it. If you have any questions or feedback, you can as always reach out in the comments.
If you want to read more guides I can offer you some under Tutorials!