How to Create Your Own VPN – Detailed Instructions

Filed Under: UNIX/Linux
VPN Traffic

VPN – What is It?

VPN is a virtual private network that creates an encrypted tunnel between your device and the Internet connection. There is a double VPN that is the simultaneous use of two different VPN servers. When using VeePN, all incoming and outgoing data is encrypted. When connecting to a VPN server, all your online activity will go through this tunnel and not through the provider. Thus, cyber-criminals who want to scan your traffic will only see the country to which you are connected and will not be able to steal passwords from social networks, credit cards, or any personal information.

VPN is a pretty good tool for fighting cyber intruders, and you are interested in the question, “Can I set up my own VPN server?” You can, of course, set up your own VPN or VPN chaining. By creating your VPN server, you get many benefits:

  • You control your servers and people using VPN.
  • You can be sure that no one owns your data.
  • You will get access to many blocked resources in your region.
  • You will be able to connect on a public Wi-Fi network, and no one will be able to take over your data.
  • You can hide traffic from special services.

Instructions for Creating Your Own VPN Server Based on Linux Debian

Below you will find step-by-step instructions on how to create homemade vpn. Follow all the tips carefully, as your result will depend on the correctness of the steps.

Veepn

Register With Amazon AWS And Connect To Server

Amazon Web Services has a simple signup process and tips for creating a profile so that you can walk through this step yourself. After completing the registration process, go to Lightsail and select the geo-zone in which you want to create your VPN server. Then create a new instance and select this data: “OS Only,” Debian 9.5 operating system. Then you will see an instance plan – the most common one with 512 MB of RAM will suit you.

Some sites are aggressive towards visitors whose IP addresses belong to popular hosters and block them. In their opinion, such visitors take part in DDOS attacks. So that you don’t get blocked and don’t have to share one IP address with thousands of other AWS machines, go to Networking and then be sure to allocate yourself a Static IP. Assign it to the instance you created.

Now you need to download the private key for SSH access. The private key is located in the Account> SSH keys section. Download this key and upload it to the SSH client. We set up a server in Bali using iPad Pro and Termius. However, you can use a different SSH client. For example, a good alternative is the Terminal.app built into macOS. In our instructions, we will consider Terminal, but the algorithm is similar for other SSH clients.

Let’s start simple – open Terminal. Terminal has an all known issue called “locale.” If you are using Termius, this problem is not there. Add a couple of new lines to your local macOS .profile file to eliminate the locale problem. Edit this file using the nano text editor. It would help if you got something like this: nano ~/ .profile. Now you need to insert a few lines there:

export LC_ALL=en_US.UTF-8
export LANG=en_US.UTF-8

You must save this file using the Ctrl+X command. Close the terminal using the command Cmd+Q. After this step, run it again.

Now you need to move the previously downloaded Lightsail private key to a special directory where the SSH keys are stored: mv ~/Downloads/YOUR_DOWNLOADED_KEY.pem ~/.ssh. After this step, limit the rights of the key. Otherwise, macOS will block its use. This can be done using these ciphers:

cd ~/ .ssh/
chmod 600 YOUR_DOWNLOADED_KEY.pem

Finished with this step, you can connect to your Lightsail machine. You will see a special field YOUR_LIGHTSAIL_IP. In it, you need to specify an external static IP address: ssh -i YOUR_DOWNLOADED_KEY.pem admin @ YOUR_LIGHTSAIL_IP. If you did everything correctly, you would see a special inscription with all your data.

Configure Debian

All subsequent steps you need to carry out under the root user. And so, specify sudo su. Then update the index of packages in the repositories. Perhaps you can see for yourself that there are updates: apt-get update. Now your task is to install these updates: apt-get upgrade.

Install strongSwan

Using a special cipher, install strongSwan: apt-get install strongswan. We will talk about how to set up strongSwan a little later. At the moment, the most important thing is to create certificates so that your devices can use VPN.

Generate Access Certificates

In our guide, we use self-signed certificates because only our team will use the VPN server. To make certificates, you need the strongswan-pki package. Install it: package strongswan-pki.

Now you can start creating certificates. The first step is to create a root certificate. Most of all, it is known as CA (Certificate Authority). This certificate will issue you the other certificates you need. You can create a certificate in the ca.pem file:

cd /etc/ipsec.d
ipsec pki --gen --type rsa --size 4096 --outform pem > private/ca.pem
ipsec pki --self --ca --lifetime 3650 --in private/ca.pem --type rsa --digest sha256 --dn "CN=YOUR_LIGHTSAIL_IP" --outform pem > cacerts/ca.pem

To create a certificate for your VPN server, you need a debian.pem file:

ipsec pki --gen --type rsa --size 4096 --outform pem > private/debian.pem
ipsec pki --pub --in private/debian.pem --type rsa | ipsec pki --issue --lifetime 3650 --digest sha256 --cacert cacerts/ca.pem --cakey private/ca.pem --dn "CN=YOUR_LIGHTSAIL_IP" --san YOUR_LIGHTSAIL_IP --flag serverAuth --outform pem > certs/debian.pem

To create a certificate for your devices, you need a me.pem file:

ipsec pki --gen --type rsa --size 4096 --outform pem > private/me.pem 
ipsec pki --pub --in private/me.pem --type rsa | ipsec pki --issue --lifetime 3650 --digest sha256 --cacert cacerts/ca.pem --cakey private/ca.pem --dn "CN=me" --san me --flag clientAuth --outform pem > certs/me.pem

You don’t need the ca.pem file anymore, so for security and reliability, delete it: rm /etc/ipsec.d/private/ca.pem. You have completed the process of creating certificates – congratulations, you are almost at the end!

What To Do If Certificates Are Taking Too Long Time?

What do we mean by too long a time? For example, your certificates are generated for more than 5 seconds. These data indicate a low amount of entropy. Note that creating certificates can take from 40 to 60 minutes due to the low amount of entropy, which is not very good for your work. Therefore, to check the amount of entropy, you can start another session in the next tab:

Using the above command, you will see the amount of entropy at the time of the request. If you want to control entropy in real-time, you can use this command: watch -n 0.25 cat /proc/sys/kernel/random/entropy_avail.

If the result shows less than 200 entropies, we recommend that you change your hosting provider. Also, many experts advise installing the haveged package, whose task is to generate entropies. However, the usefulness of this package has not been proven, so further, everything will depend on you. When you use Amazon Lightsail, these problems do not arise, and you can quickly generate keys. To exit the request, you need to use the Ctrl + Z keys.

Configure strongSwan

To properly configure strongSwan, you need to clear the default strongSwan config. Use this command: > /etc/ipsec.conf. Then you can create your own in the nano text editor: nano /etc/ipsec.conf.

You will see the YOUR_LIGHTSAIL_IP field, and your task is to replace it with the external IP address of the machine in AWS Lightsail. Now you can insert text like this:

include /var/lib/strongswan/ipsec.conf.inc

config setup
    	uniqueids=never
    	charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"

conn %default
    	keyexchange=ikev2
    	ike=aes128gcm16-sha2_256-prfsha256-ecp256!
    	esp=aes128gcm16-sha2_256-ecp256!
    	fragmentation=yes
    	rekey=no
    	compress=yes
    	dpdaction=clear
    	left=%any
    	leftauth=pubkey
    	leftsourceip=YOUR_LIGHTSAIL_IP
    	leftid=YOUR_LIGHTSAIL_IP
    	leftcert=debian.pem
    	leftsendcert=always
    	leftsubnet=0.0.0.0/0
    	right=%any
    	rightauth=pubkey
    	rightsourceip=10.10.10.0/24
    	rightdns=8.8.8.8,8.8.4.4

conn ikev2-pubkey
    	auto=add

Important! strongSwan is very strict about all the indentations in the config. Therefore, when you enter commands, separate each section of the config using the Tab key. In our example, we specified how this should look. You can use our model or do just one indent. Otherwise, strongSwan will not work.

Save the created file using the Ctrl + X keys. In the ipsec.secrets file, which stores all references to certificates and authentication keys, add a special pointer to your server certificate:

nano /etc/ipsec.secrets
include /var/lib/strongswan/ipsec.secrets.inc

: RSA debian.pem

If you followed all the steps, the Strongswan setup is complete. It would be helpful if you restart the service: ipsec restart. Provided that you entered all the commands correctly, the server will start with the below message:

Starting strongSwan 5.5.1 IPsec [starter]…

If you notice that the program is throwing an error, read the system log to determine what the problem is. The command will display the last 50 lines of the log: tail -n 50 > /var/log/syslog.

Configure Network Kernel Settings

To the /etc/sysctl.conf file, you have to make some changes: nano /etc/sysctl.conf. Using the two keys Ctrl + W, find the following variables in the file and make changes there:

  • Uncomment this option to enable packet forwarding: net.ipv4.ip_forward = 1
  • Uncomment this parameter to prevent MITM attacks: net.ipv4.conf.all.accept_redirects = 0
  • Uncomment this parameter to disable sending ICMP redirects: net.ipv4.conf.all.send_redirects = 0
  • Add this parameter anywhere in the file, on a new line, disabling PMTU searches: net.ipv4.ip_no_pmtu_disc = 1

Load the new obtained values: sysctl -p. You are done configuring the kernel network parameters.

Configure iptables

iptables is a special tool that manages and controls Linux’s built-in netfilter firewall. Install the iptables-persistent package, which will allow you to save iptables rules to a file and load them on every system startup: apt-get install iptables-persistent.

After installing this package, the system will ask you to keep the current IPv4 and IPv6 rules. You need to specify “no,” because you have a new system and no data to save.

Now start creating your iptables rules. To ensure safety and reliability, clear all chains:

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -Z

In order not to lose access to the system, allow SSH connections on port 22:

iptables -A INPUT -m state --state ESTABLISHED, RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

The next step is to allow connections on the loopback interface: iptables -A INPUT -i lo -j ACCEPT. Then allow incoming IPSec connections on UDP ports 500 and 4500:

iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT

Allow ESP traffic forwarding:

iptables -A FORWARD --match policy --pol ipsec --dir in  --proto esp -s 10.10.10.0/24 -j ACCEPT
iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT

A VPN server is like a thread between the Internet and VPN clients, so you need to configure traffic masking:

iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE

Configure the maximum packet segment size:

iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN, RST SYN -m tcpmss --mss 1361: 1536 -j TCPMSS --set-mss 1360

Deny all third-party connections to the server using the commands:

iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP

Save the created rules so that they exist after each reboot:

netfilter-persistent save
netfilter-persistent reload

Reboot the system: reboot, and check if the rules you created are working.

Allow Connections in Lightsail Firewall

AWS Lightsail has created its firewall to protect systems. Select your instance, go to Networking and allow connections on UDP ports 500 and 4500. Remove port 80 at the same time – you won’t need it.

Create .mobileconfig For iPhone, iPad, Mac

Your devices are iPhone, iPad, and Mac so that you can use one VPN profile .mobileconfig. It would help if you created an On-Demand config. If a service or application tries to go offline, the VPN connection will continue to work automatically. You will avoid the situation when you hammered to establish a VPN connection, and the traffic went through the provider. Use the script that will generate this config for you:

wget https://gist.githubusercontent.com/borisovonline/955b7c583c049464c878bbe43329a521/raw/966e8a1b0a413f794280aba147b7cea0661f77a8/mobileconfig.sh

Install the zsh package for the script to function properly: apt-get install zsh. Edit the server name based on your ideas and write the external IP address of the Lightsail machine that you previously specified when creating the certificates:

nano mobileconfig.sh
SERVER="AWS Frankfurt" FQDN="YOUR_LIGHTSAIL_IP"

Now run the script and get the iphone.mobileconfig file:

chmod u+x mobileconfig.sh
./mobileconfig.sh > iphone.mobileconfig.

Delete this file from the server by connecting with Transmit or Cyberduck – send it to all your devices via Airdrop. Confirm the installation of the configuration on the devices. You will establish connections to the VPN server automatically.

Be sure to clean up after yourself:

rm mobileconfig.sh
rm iphone.mobileconfig
close
Generic selectors
Exact matches only
Search in title
Search in content