Your own OpenVPN, or: How to make all WiFi hotspots trustworthy

If you normally browse the web (and you don’t block ads), you’ve probably already seen hundreds, if not thousands, of advertisements for “VPNs” or “VPN software/subscriptions” — how you “need” one to have any kind of privacy, how “they”[1] can track you everywhere if you don’t use one, and so on. And they’re usually not cheap. Interestingly, and probably because of some recent “revelations”, all those advertisements seem to focus on privacy or anonymity only.

But using a VPN can offer you something else: mobile security; namely, the ability to make your mobile devices “be”, on demand, part of your home network (or your server’s network, if you have, say, a VPS somewhere), no matter where you are, regardless of whether you’re using 3G/4G mobile data, or some random WiFi hotspot. Yes, even one with no encryption at all; it won’t matter. You can, absolutely, trust random open hotspots again; even their owner won’t be able to read or alter your traffic in any way. And you can do it for free, too (assuming you already have an always-connected Linux server); you just need to configure your own OpenVPN server, which you’ll be able to do by following this (hopefully accessible) guide.

Installing OpenVPN:

This tutorial will be Debian/Ubuntu-based, but it’s easy enough to adapt to other distributions (e.g. for a Red Hat-based Linux, just do “yum install” instead of “apt install”, and some defaults may be slightly different). Just enter:

```bash
apt install openvpn
```

Configuring OpenVPN:

(Note: this guide will focus on the goal mentioned in the second paragraph: configuring your “home” server (which doesn’t need to actually be at your home) to accept VPN connections from your mobile device(s), which will then make that/those device(s) act as if they were part of your “home” network. OpenVPN can do other stuff, but we won’t go into that here.)

(Note 2: if you’re using a server at home, you probably need to configure your modem/router to forward OpenVPN connections to your server. The default OpenVPN port is 1194 (UDP), but it can be changed (it’s specified in the configuration files below.))

First, copy some default configuration files:

```bash
mkdir /etc/openvpn/easy-rsa/
cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
```

Then edit the /etc/openvpn/easy-rsa/vars text file, and change the following variables from the defaults to something that makes sense for you. Most of these are “cosmetic”, so they don’t really matter, but it’s ugly to keep the defaults 🙂 :

```bash
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
export KEY_NAME="EasyRSA"
```

Add another setting to that file:

```bash
export KEY_ALTNAMES="mysite.mydomain.com"
```

(replacing “mysite.mydomain.com” with your server’s external name, of course.)

Then do:

```bash
cd /etc/openvpn/easy-rsa
ln -s openssl-1.0.0.cnf openssl.cnf  # if there's a file for a newer OpenSSL version, use that one
source ./vars
./clean-all
./build-ca
```

The last command will ask for details for your private Certificate Authority (CA)’s certificate. Just answer with the same details you entered in the “vars” file above. In particular, “Common Name” must be your server’s public address.

Continuing:

```bash
./build-key-server myhostname  # replace if desired; if so, don't forget to do the same everywhere else
```

Again, this will ask for certificate details. It’s OK to use the same details you used for the CA. It will also ask whether you want to sign the certificate and commit the certification; answer “yes” both times.

Now enter:

```bash
./build-dh  # this will take a while
cp keys/myhostname.* /etc/openvpn/
cp keys/dh2048.pem /etc/openvpn/
cp keys/ca.crt /etc/openvpn
chmod 600 /etc/openvpn/*.key /etc/openvpn/easy-rsa/keys/*.key
```

Now, there are example server configuration files in /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz, but we’ll just create a simple one from scratch. Save the following as /etc/openvpn/server.conf:

```bash
port 1194
proto udp
dev tun

ca ca.crt
cert myhostname.crt
key myhostname.key
dh dh2048.pem

topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# replace the following with the DNS server your server uses
push "dhcp-option DNS 192.168.1.1"
push "redirect-gateway def1 bypass-dhcp"

keepalive 10 120
cipher AES-256-GCM

# note: current OpenVPN documentation advises against enabling compression
comp-lzo

persist-key
persist-tun

status openvpn-status.log
verb 3
explicit-exit-notify 1
```

Right now, you should be able to restart OpenVPN and have it running with no complaints. But, of course, this is just the server part; we still need to create a configuration file for each of your clients (which can be computers, tablets, mobile phones, etc.). In the following example, we’ll create one for an Android phone (though nothing here will be specific to Android).

On your server, do:

```bash
cd /etc/openvpn/easy-rsa/
./build-key android01  # replace with an identifier of your choice, if so desired
```

As before, it will ask for certificate details. Enter what you’d like, even in the “Common Name” field; here they’re all cosmetic.

Now create an .ovpn file for the new client. Put the following in an /etc/openvpn/android01.ovpn text file:

```bash
client
# replace the following with your external address
remote mysite.mydomain.com
port 1194
proto udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 86400
auth-nocache
auth-retry interact
comp-lzo yes
verb 3
```

But this is not complete. For laziness’s sake (and, in my experience, required for iOS devices), we’ll also add the certificates (CA and client) and the client key here. Assuming they’re where the tutorial so far left them,

```bash
echo "<cert>" >> /etc/openvpn/android01.ovpn
cat /etc/openvpn/easy-rsa/keys/android01.crt >> /etc/openvpn/android01.ovpn
echo "</cert>" >> /etc/openvpn/android01.ovpn
echo "<key>" >> /etc/openvpn/android01.ovpn
cat /etc/openvpn/easy-rsa/keys/android01.key >> /etc/openvpn/android01.ovpn
echo "</key>" >> /etc/openvpn/android01.ovpn
echo "<ca>" >> /etc/openvpn/android01.ovpn
cat /etc/openvpn/easy-rsa/keys/ca.crt >> /etc/openvpn/android01.ovpn
echo "</ca>" >> /etc/openvpn/android01.ovpn
```
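The same client-file build as a reusable function, added here as an example and not part of the original post: it generalizes the build-key plus echo/cat steps above to any client name, refuses to write a file if one of the three PEM pieces is missing, and creates the file unreadable by other users from the start. The keys directory, client name and external address are the ones the guide assumes; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): write a client .ovpn with the
# CA certificate, client certificate and client key inlined.
# Assumed layout: the easy-rsa "keys" directory the guide uses, the client
# name given to ./build-key, and your server's external name.
#
# usage: make_ovpn CLIENT REMOTE KEYS_DIR OUT_FILE
make_ovpn() {
  client="$1"; remote="$2"; keys="$3"; out="$4"
  # Fail before writing anything if any of the three PEM files is absent.
  for f in "$keys/ca.crt" "$keys/$client.crt" "$keys/$client.key"; do
    [ -s "$f" ] || { echo "make_ovpn: missing or empty $f" >&2; return 1; }
  done
  # The private key ends up in this file, so create it unreadable by other
  # users from the first byte (umask in a subshell, so the caller's is kept).
  (
    umask 077
    {
      printf '%s\n' client "remote $remote" 'port 1194' 'proto udp' \
        'dev tun' 'dev-type tun' 'ns-cert-type server' 'reneg-sec 86400' \
        'auth-nocache' 'auth-retry interact' 'comp-lzo yes' 'verb 3'
      printf '<ca>\n';   cat "$keys/ca.crt";      printf '</ca>\n'
      printf '<cert>\n'; cat "$keys/$client.crt"; printf '</cert>\n'
      printf '<key>\n';  cat "$keys/$client.key"; printf '</key>\n'
    } > "$out"
  ) || return 1
  chmod 600 "$out"
}

# Count the inline sections actually present, so the file can be checked
# before it is copied to the phone (a complete file gives 3).
ovpn_inline_sections() {
  grep -c -E '^</(ca|cert|key)>$' "$1"
}
```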

You also need a masquerading rule in your firewall. For instance (using the default OpenVPN network of 10.8.0.0/24):

```bash
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
```

Replace “eth0” with your public/outgoing network interface. And make it permanent, of course. If using ufw, add the following to /etc/ufw/before.rules (the rule has to live inside a nat table section, so put this block before the existing *filter section):

```bash
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
```

You must also have IP forwarding enabled. If your server acts as a firewall, it’s probably already on. You can check it with the command:

```bash
sysctl net.ipv4.ip_forward
```

If it’s “1”, you’re fine. If not, you can do:

```bash
sysctl -w net.ipv4.ip_forward=1
```

to enable it, and:

```bash
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
```

to make it permanent.

And that should be it. You now need to transfer this new .ovpn file (keep it safe, by the way, including from any other local users on your server!) to your Android (or other) device, and then open it in the OpenVPN client (which you need to install, of course — don’t worry, it’s free.) Each device has a specific way to import the .ovpn file, and the client typically helps you in doing so, so you’ll eventually succeed. 🙂 If everything goes well, you’ve just connected your phone (or some other device) to your own network, and everything between the two is fully encrypted. You may now want to play around with shortcuts so that you can “VPNize” your phone at the click of a button (say, when connecting to a public hotspot.)

As implied in this (now quite long) post’s introduction, this won’t do anything for your privacy; any site you access will see your home/server address, no matter where you are. So don’t use it to communicate with other insurgents, or hack government sites, or anything. 🙂 The point is simply to “make” even unknown hotspots as trustworthy as if you were home. (It may also help you get around some firewalls or traffic shaping, but you didn’t read that here. 🙂 )

Any comments/suggestions, please let me know in the comments.

[1] “them” again? annoying fellows…

4 Replies to “Your own OpenVPN, or: How to make all WiFi hotspots trustworthy”

  1. Thanks to Reddit user ZeusHoldsMyJockstrap for reminding me about the missing IP forwarding part. 🙂 My home server has had IP forwarding enabled since 2007, so I totally forgot about it when writing this guide.
