
How to Make Your Own VPN (And Why You Would Want to)?

This video is brought to you by Linode. The video is broken down into several sections, and since YouTube has this amazing new chapters function, you don't even need to leave a comment asking for timestamps, which is amazing. It's been almost half a year since I made my original VPN video, which has unfortunately become one of the most popular videos on my channel. While I do stand by most of the stuff I said in it, I wish I could have argued my point better and provided some alternatives to VPN services, and that is exactly what I am going to do in this video. I want to preface it by saying that even if you only use a VPN to access Pornhub and such, you still might be interested in what I have to say.

Thing is, even if you only use a VPN to watch Netflix or download Linux ISOs, you're still sharing the rest of your internet traffic with your VPN provider, and that might be an issue from a privacy standpoint. If you don't care about privacy, that's fine too. I am not here to lecture you or judge you, and if you only use a VPN for those specific purposes and you're completely fine with that, okay, this video is just not for you. For the privacy-conscious folks out there, however, I will tell you how to use your VPN only for some applications and your ISP connection for the others.

The second part of this video will address those specific use cases, and it should be available here; if my finger is pointing at nothing, that means that part is still in the works, so be patient. There's a great video about VPNs by a guy called Tom Scott, and it's much better than my original VPN video, so I highly recommend you go check it out. However, I know that you're lazy and you're not going to do that, so let me summarize it in quick bullet points and add some thoughts of my own. VPN services will tell you that your ISP can track your every move and see everything you do on the internet.

This is a lie. Every website with a green padlock in the address bar has its contents encrypted in transit with HTTPS. HTTPS encrypts the contents of the websites you visit as well as the full URLs, so in the end the only thing your ISP is able to see is the domain names of the websites you visit. That just doesn't sound as scary as "your ISP is spying on everything you're doing", does it? VPN companies will tell you that your bank account, credit card information and private data are at risk, and that every time you're using a public Wi-Fi network, such as at an airport or a cafe, a malicious hacker can steal them.

This is also a lie. Back when HTTPS wasn't a thing and websites weren't encrypted, a hacker could actually steal information, including banking details, because none of that data was encrypted. Nowadays that's just not the case, because any more or less serious website uses HTTPS to encrypt information in transit, yes, even on public Wi-Fi networks, and when that encryption is being tampered with, your browser will tell you. VPN companies will tell you that they use state-of-the-art military encryption to protect your traffic from CIA agents, the NSA and your ISP. Technically, that's not a lie: AES is used in some military applications, but it's also used on almost every website you visit daily. I was actually pretty surprised by how many people in the comments, claiming to be security experts, insisted that HTTPS doesn't encrypt anything and only serves as a "certification authority thingy", which is really baffling to me.

So yeah, not a lie per se, but a scammy marketing trick nonetheless. Last but not least, a lot of VPN services will tell you that your ISP is selling your information to the highest bidder, and what you should ask yourself in this situation is: what's to keep them from doing the same? The websites of the biggest VPN providers, such as NordVPN, PIA and PureVPN, are full of promises such as "we don't sell your logs to anyone", "absolutely 100% no-log policy", "audited by a security company", but that's all they are: promises, and there's nothing to keep those VPN services from breaking them.

You might say: well, if a company breaks its promise, it's just going to go out of business because the clients won't trust it anymore. But is that true, though? In 2017, PureVPN helped the FBI arrest Ryan Lin on charges of cyberstalking. The FBI managed to obtain logs from PureVPN which confirmed that the Gmail account he used to send threats was accessed from a PureVPN IP, which was in turn linked to his home IP address. Let's take a look at PureVPN's log policy at the time, shall we? "We do not keep any logs that can identify or help in monitoring users' activity. You are invisible. Even we cannot see what you do online.

We do not monitor user activity, nor do we keep any logs. We therefore have no record of your activities such as which software you used, which websites you visited, what content you downloaded, which apps you used, etc. after you connected to any of our servers." And guess what, PureVPN is still in business and clearly has enough money to run ads for its services. Fun fact: they also claim to have undergone a security audit, so there's that. Sure, there are some VPNs that were asked by the authorities to hand over logs and didn't, such as ExpressVPN or PIA, but almost every mainstream VPN provider has a skeleton in the closet.

Private Internet Access recently got acquired by an Israel-based company called Kape Technologies, which is notorious for infecting its users with malware and adware, and its owner, Teddy Sagi, allegedly has links to Israeli intelligence services. One of the servers owned by NordVPN got hacked in 2017; yes, not physically broken into, but hacked using a remote-access vulnerability. According to the company, no user data was stolen or compromised, but somehow they still felt the need to hide this from their users for two years. So in the end, no matter how secure and trustworthy your VPN service seems to you, if they tell you that they have undergone security audits or that they have a no-logs policy, you have to take their word for it.

When it comes to better and more private ways to browse the web, in my opinion there are only two options: Tor and self-hosted VPNs. Tor was indeed developed on behalf of the US intelligence community, and that raises some uncomfortable questions, to say the least, but guess what, Tor is also completely free and open source, so if you have any doubts about how secure and private it is, you're always free to examine the code yourself. Speaking of US intelligence, the NSA is definitely not happy about Tor. A late-2014 report by Der Spiegel, using a new cache of Snowden leaks, revealed that as of 2012 the NSA deemed Tor on its own a major threat to its mission, and even ranked it as "catastrophic", leading to a "total loss/lack of insight into target communications", which says something, I guess.

Tor is what you want to use for all the sensitive and private stuff. If you want to google something embarrassing that you don't want anyone knowing about, circumvent the censorship in your country, avoid geoblocks, or maybe visit a website that could get you in trouble with your local law enforcement, Tor is the way to go. The way it works, in layman's terms, is that it bounces your traffic between different nodes, and every node only sees the two nodes adjacent to it. So in the end, when the traffic comes out at the so-called exit node, the website can't see where it initially came from, and at the same time your ISP can't see where it's actually going.

We don't have all day, though, so here's a video from Techquickie that explains this stuff quickly, hence the name. Although Tor is great for privacy and anonymity, it's just too slow, so if you want to watch Netflix or play online games, Tor won't do. Self-hosted VPNs are what you want to use for all the latency-, bandwidth- and speed-sensitive use cases. The difference is that with VPN services you're never sure whether they keep logs, sell your data or monetize your traffic, whereas with a self-hosted VPN it's you who decides all those things. You're sure that your VPN doesn't keep logs, because it was you who turned them off.

You're sure that your OpenVPN binary is not compromised, because it was you who downloaded it from the official repositories or compiled it from source (yeah, you can do that too). You're sure that your server is safe from tampering, because you enabled two-factor authentication on SSH, and since your VPS uses KVM, the only way the provider could snoop on your activities is by dumping and decrypting RAM contents, which is tedious and time-consuming. In the case of VPN services, yes, they do tell you that they do all those things as well, but at this point I can't blame anyone who has trust issues with VPN services. Besides, renting a VPS is cheap: most starting plans will set you back about five dollars a month, and usually the starting plan is all you need.

To be honest, many big VPS providers always have discounts and offers, just like VPN services. One more thing to keep in mind, though, is that if your VPN use case relies on changing your location often, this is not going to work as well, because you pretty much have to rent an additional VPS for every location you want to use. In that case, using a VPN service will definitely be a better idea. So yeah, a little change of scenery here, but coming back to the initial subject: if we want to host our own VPN, we need to find somewhere to host it. There are a lot of VPS providers that offer plans for as little as two bucks per month, but there are a few things you need to consider before choosing the VPS provider.

The first one is virtualization technology. Most VPS providers these days use KVM or Xen, and those two technologies are good. What you want to avoid is OpenVZ. This is a container-based virtualization technology, and virtual machines that run on it use a very old version of the Linux kernel which doesn't support many modern applications such as Docker or WireGuard. Apart from that, the nature of this technology also makes it very easy for the VPS provider to snoop on your activities, and that is something you definitely don't want. The second one is the IPv4 address. This is not as important, since the overwhelming majority of VPS providers will give you a dedicated IPv4 address.

However, since we're now facing an IPv4 address shortage, this might become more relevant in the future, and even now some very, very cheap VPS providers will only give you an IPv6 address, so do keep that in mind. Last but not least, location. It's pretty self-explanatory, but you still want to choose it according to your needs, according to how you're going to use the VPN. For example, if you want to watch American Netflix, you have to choose an American location. If you want to use it as a seedbox, don't choose Germany, Austria or Switzerland, since those countries have very strict anti-piracy laws. If you want to use your VPN for online gaming, keep in mind that the further the server is from you physically, the bigger your latency is going to be. And if you're really serious about privacy, make sure to pick a VPS location that is outside the 14 Eyes.

Now, this isn't exactly a high bar to clear, but Linode, which, by the way, sponsored this video, checks all the boxes, and they have a lot of locations to choose from. They were also kind enough to give you guys $20 of credit for your first cloud server, your first VPS, just because you're cool. That being said, compensation is always good, so if you think that I am biased, feel free to choose something else: shop around and do your own research. There are a lot of VPS providers to choose from, so if one doesn't have your preferred location or the features you want, there are always plenty of others. What I am going to do now is take the $20 credit from Linode, set up my account, and voila, we're now ready to create our own VPN server. After you sign up on the website and confirm your email, you're going to need to enter some details, including your name, address and credit card information.

That's going to be pretty much the same for all VPS providers, though sometimes they do accept Bitcoin or other cryptocurrencies. The next thing we need to do is add a server, or, as Linode calls it, a Linode. There are a lot of distros to choose from, and if you want, you can even go with Gentoo or Arch, but for this tutorial I'll go with the latest version of Ubuntu, 20.04. You will also want to choose the location; I am going to choose the UK, since it's the closest to me physically. We're going to take the cheapest Nanode plan, and even if later on you decide to set up a mail server, a Nextcloud instance or a personal blog, this configuration will still be more than enough.

The Linode label is not that important, and neither are tags; I'll call mine wolfgang's vpn. After that you can choose the root password and upload an SSH key, which we're not going to do now, and I'll explain why later. Lastly, tick the box that says Private IP and click the Create button on the right, and there we go, our server is now created. You should now see the control panel of your server, and while the server is starting, let's generate the SSH keys for it. Using a cleartext password to log into your server is never a good idea, since the password is not encrypted in transit and can be exposed on a hostile network. By creating an SSH key, we're going to make it so that you can only log into your server if you have the key file and the password, and at the same time the password will be encrypted.

If you're using Linux, you probably already know how to open a terminal. On Windows, you'll need to open PowerShell with administrator privileges and install SSH using this command. By the way, I will put all these commands in the video description, so if you prefer to have a text version of this tutorial to follow, just check the video description. We'll use the RSA algorithm with a 4096-bit key size, which is the recommended choice since it's secure and widely supported. Just press Enter when asked for the key location to save it to the default one, and then enter your password of choice. By now our server has started up and we're ready to log in. Copy the IP address from the server control panel, go back to the terminal and type ssh root@<ip address>.

Type yes, enter the root password you specified in the first step, and that's it, we're in. First and foremost, let's update the operating system and software: type apt-get update && apt-get upgrade. I will also install my favorite text editor; feel free to use whatever you want, for example nano. As convenient as it is not to have to enter the root password every time you have to do something, I personally prefer to create a user account that isn't root. Exposing root login on an SSH server is probably not a good idea, even if you have multi-factor authentication. Call me paranoid, but I think having to enter the root password sometimes is a price I am personally willing to pay for some sense of security.

Type useradd -G sudo -m <your username of choice> -s /bin/bash; that's going to create the user, set bash as their default shell and permit sudo usage. Die-hard Linux users might have noticed that I typed a lowercase g instead of a capital G. Make sure that the G is capital, because lowercase -g is used to specify the main user group, and we don't want that in this case. Afterwards we'll need to create a password for our user using passwd <username>: enter your password twice and we're good to go.

Now that we've created our user, it's a good time to copy the public SSH key to the server. Open a second terminal window for your local machine and enter ssh-copy-id <username>@<IP address>. You'll be prompted to enter your password, and once you do, go back to the terminal window with your server; don't close the other window yet. Now that we've copied the SSH key to the server, we have to restrict authentication to the public key only, so let's edit the sshd configuration file. First of all, let's change the default port. This won't do much for security, but it will help with those obnoxious SSH scanners that try to log into your server with default credentials.

It's not much, but the security logs will definitely get easier to read. You can use any port that's not taken by other services; I personally prefer port 69. Next, we need to disable password-only authentication, so that you're only able to log in using a public key. Last but not least, let's also disable root login. Now save the file and restart the sshd server using systemctl restart sshd. Then, without closing the window, let's go back to our local machine and try to log in with our key. If you see the prompt to enter your key password, that means we're good to go.
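One way to script those three sshd_config changes so they can be reviewed and tried on a copy of the file before the live server is touched. This is an added example, not a command from the video; the config path and port are parameters (the port defaults to the video's 69), and the restart is only shown in the usage comment.

```shell
# Added example (not from the video): apply the tutorial's sshd_config changes
# to a given file and read the effective values back for checking.
set -eu

# set_sshd_option FILE KEY VALUE: replace any existing line for KEY, commented
# out or not, with "KEY VALUE"; append it if the key is absent from the file.
set_sshd_option() {
  local file="$1" key="$2" value="$3"
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
    sed -i -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# harden_sshd_config FILE [PORT]: the three changes from the tutorial (custom
# port, key-only authentication, no root login), plus an explicit
# PubkeyAuthentication yes so the intent is visible in the file.
harden_sshd_config() {
  local file="$1" port="${2:-69}"
  set_sshd_option "$file" Port "$port"
  set_sshd_option "$file" PasswordAuthentication no
  set_sshd_option "$file" PermitRootLogin no
  set_sshd_option "$file" PubkeyAuthentication yes
}

# get_sshd_option FILE KEY: print the value of the first uncommented KEY line.
get_sshd_option() {
  grep -E "^${2}[[:space:]]" "$1" | head -n1 | awk '{print $2}'
}

# Usage on the server (as root), keeping a backup and validating before restart:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd_config /etc/ssh/sshd_config 69
#   sshd -t && systemctl restart sshd
```

Keep the existing SSH session open while you do this, exactly as the video says: sshd -t catches syntax errors, but only a fresh login from the second terminal proves the key still works and the password no longer does.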

It's also a good idea to verify that we can't log in with our password anymore. If I try to log into the server from my Hackintosh machine, I see this, which means we're good. You might have noticed that the command we used to log into our server is kind of long and annoying to type, so let's fix that. Create a file called config in the .ssh folder in your home directory; here we're going to create an alias for the VPS. The first line, in my case, will be Host wolfgang-vpn (you can choose whatever name you want), then User wolfgang (in your case, the username you chose in the previous step), Port 69, IdentityFile ~/.ssh/id_rsa, and HostName followed by the IP address of your server. Save and close, and now we can log into our server by simply typing ssh wolfgang-vpn. And if you also don't want to see this wall of text every time you log into your server, type touch .hushlogin and press Enter.

So I know that WireGuard has been the hot new VPN protocol that everyone's been talking about lately, but in this video I am going to use OpenVPN instead. Why? Because it has wider support when it comes to client applications, and some of the applications I'll be talking about in the second part of this tutorial use OpenVPN. If you're interested in setting up a WireGuard server, there are a lot of tutorials on the internet about it. Normally, setting up an OpenVPN server takes some time, since you need to install the packages, generate the keys, set up iptables, and write the configuration files for the server and the client.

Thankfully, we won't do any of that in this video. Instead we'll use the OpenVPN road warrior script from a GitHub user called Nyr. This script will do all the hard work for us, and all we have to do is answer a few simple questions and download the configuration file at the end. Needless to say, you shouldn't just go around executing random scripts you downloaded from the internet, so if you know some bash, read the script first and make sure there's nothing fishy in there. If you don't know any bash, maybe send it to a friend who does. When you're done reading the script, click Raw and copy the link from your browser, log into your server and install wget if you haven't already; sometimes it comes with your OS image, but sometimes it doesn't.

Next, type wget, press space and paste the link you copied earlier. Now let's launch the script. The script will ask you some questions, and in most cases you'll want to pick the default answer. For the port, you can choose the default, 1194, but I prefer 443, since 1194 is known as the OpenVPN port and in some cases it can be blocked on your network. 443 is the same port that is used for HTTPS, but whereas HTTPS uses TCP, OpenVPN in this configuration uses UDP, so they won't conflict with each other.

You're also going to be asked which DNS you want to use; feel free to choose whatever you like if you have any preferences, but I normally choose 1.1.1.1. As for the client name, choose whatever you like. Now that the configuration is done, press any key and the installation process is going to start. It's fully automated, and at the end you're only going to get a configuration file, which we'll download to our local machine later on. The problem is that the script places the file in the root directory by default, and in order to download it later, we need to move it to our user's home directory and give ourselves the correct privileges.

With that out of the way, there's only one thing left to be done on the server's side, and that is to disable the logs. Let's edit the configuration file; here, change verb 3 to verb 0, then restart the OpenVPN service, and there we go: a VPN that actually doesn't keep logs, amazing. I also just noticed that the hostname of the server is localhost, which is not cool for many reasons, so let's change it to something else; I am going to call it wolfgang's vpn. Now all we need to do is download the configuration file to our local machine so that we can actually use the VPN. Open a terminal on your local machine and type sftp <server name>, then download the file using the command get <config name>.ovpn, and finally type exit.

Now, if you want to use this VPN for all your traffic, which I don't recommend, you can download Tunnelblick on Mac or OpenVPN on Windows, or load it into NetworkManager on Linux. As you can see, after I connect to the VPN from NetworkManager, websites start thinking that I am in the UK, which means the VPN is working. At this point we have a bare-bones VPN server up and running. You can stop here and use it like you would normally use a VPN, in which case thanks for watching and I am glad I could help.

But if you want to know how to make it even more secure and add some nice-to-have features like unattended upgrades, keep watching. Now, SSH is nice, but it does get annoying sometimes, especially when you change your network and your connection drops immediately. Instead, I prefer to use mosh. There are no complicated configuration file shenanigans or anything like that: just install mosh on both your local and your remote machine, and after that you can simply use the mosh command as a drop-in replacement for ssh. Public key authentication is probably secure enough for most, but if you want to be extra fancy, you can also add MFA, or multi-factor authentication.

The way it works is you install an app on your phone (there are a lot of open-source apps on Android, like andOTP), and every time you log in you get a one-time password in the app which you need to enter in order to log in. This provides an additional layer of security for your server, which can be useful for those of us who are especially paranoid. The first thing you have to do is install libpam-google-authenticator. Yes, the protocol is made by Google, but it's completely free and open source, and you don't actually have to use the Google Authenticator app on your phone.

There are many open-source options, as I've already mentioned. After that, launch the initialization script by typing google-authenticator. Basically, answer yes to all the questions, except for the one about multiple uses of the same token and the one about 30-second tokens. Once you're done with that, you'll notice a big QR code on your command line, along with some codes; make sure to write those codes down somewhere safe, they'll be very useful in case you lose access to your phone or to the app. After that, what you need to do is launch the authenticator app on your phone (I'll use OTP Auth), add a new account and choose "scan a QR code".

After you scan the code, the account will be added to the app, and we're done with the phone part for now. Let's go back to the server terminal and edit the PAM authentication settings file for sshd. Here we'll comment out the line that says @include common-auth. Normally two-factor authentication will ask you for your user password and the one-time password, but since we're already using a public key with a password, having to enter a password twice is slightly annoying. That way you'll only have to enter the public key password and the one-time password. Next, we need to add this line to the end of the file: auth required pam_google_authenticator.so.

Let's save the file and quit. Now we need to edit the sshd configuration file to make SSH aware of the new authentication method. Here we need to change the following lines: ChallengeResponseAuthentication, change it to yes; UsePAM, yes as well; and add a new line after the UsePAM line that says AuthenticationMethods publickey,password publickey,keyboard-interactive. Now let's restart the SSH server for the changes to take effect. It's always a good idea to try to log in in a separate terminal window without closing the server session; otherwise, if you messed up, you'll be locked out of SSH, and nobody wants that.
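The PAM and sshd edits from the two paragraphs above, written up as an added example (not the video's own commands) so they can be applied to copies of /etc/pam.d/sshd and /etc/ssh/sshd_config and checked before the real files are touched. The file paths are parameters, and mfa_configured is a constructed check that reports whether every piece is in place.

```shell
# Added example (not from the video): wire libpam-google-authenticator into sshd
# the way the tutorial describes, with the file paths passed in so the edits can
# be rehearsed on copies. On the server they are /etc/pam.d/sshd and
# /etc/ssh/sshd_config.
set -eu

# set_sshd_option FILE KEY VALUE: replace any existing (possibly commented)
# KEY line with "KEY VALUE", or append it if the key is absent.
set_sshd_option() {
  local file="$1" key="$2" value="$3"
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
    sed -i -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# configure_pam_sshd PAMFILE: stop PAM from asking for the Unix password (the
# passphrase-protected key already covers that) and require a TOTP code instead.
configure_pam_sshd() {
  local pamfile="$1"
  sed -i -E 's|^([[:space:]]*)@include common-auth|\1#@include common-auth|' "$pamfile"
  grep -q 'pam_google_authenticator.so' "$pamfile" ||
    printf 'auth required pam_google_authenticator.so\n' >> "$pamfile"
}

# configure_sshd_mfa SSHDCONF: the three sshd_config settings from the tutorial.
configure_sshd_mfa() {
  local conf="$1"
  set_sshd_option "$conf" ChallengeResponseAuthentication yes
  set_sshd_option "$conf" UsePAM yes
  set_sshd_option "$conf" AuthenticationMethods "publickey,password publickey,keyboard-interactive"
}

# mfa_configured PAMFILE SSHDCONF: succeeds only when all edits are in place.
mfa_configured() {
  grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$1" &&
  ! grep -Eq '^[[:space:]]*@include common-auth' "$1" &&
  grep -Eq '^ChallengeResponseAuthentication yes' "$2" &&
  grep -Eq '^UsePAM yes' "$2" &&
  grep -Eq '^AuthenticationMethods publickey,password publickey,keyboard-interactive' "$2"
}

# Usage on the server (as root), after google-authenticator has been run for
# the login user, then validate and restart while the current session stays open:
#   configure_pam_sshd /etc/pam.d/sshd
#   configure_sshd_mfa /etc/ssh/sshd_config
#   mfa_configured /etc/pam.d/sshd /etc/ssh/sshd_config && sshd -t && systemctl restart sshd
```

Note that the "publickey,password" alternative only matters if PasswordAuthentication is still enabled; with it disabled as in the earlier step, every login has to present the key and then the one-time code.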

Obviously, you'll see that, apart from the usual public key password, you're also going to be asked for the one-time password from your app. If you're using GNOME, you won't be prompted for the public key password until you log out and log back in again, only for the one-time password from your phone app. Let's enter the password, and voila, our server is now secured by two-factor authentication. One last thing I want to show you today is unattended software upgrades. What this means is that we're going to have a script that runs apt update and apt upgrade regularly, thus liberating us from the burden of having to log into the server and do it manually.

The server will also be rebooted for kernel updates, but since the reboot takes less than a minute and kernel upgrades are not very frequent, your VPN won't actually suffer that much downtime. The first thing we need to do is install the unattended-upgrades package, and here just leave it at the default. Next, enable the stable security updates. After that's done, let's edit the config file. Here we need to set our email address, which is going to be used for update notifications, and then also enable automatic reboots. You can also set up the automatic removal of some junk, for example unused kernels or unused dependencies, and specify the automatic reboot time; in my case, I'll set it to 5 am. And that's it, let's see if it works.
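The unattended-upgrades settings from the paragraph above, as an added example rather than the video's own commands: the two apt drop-in files that enable the periodic run and set the mail address, reboot and cleanup options. The target directory, mail address and reboot time are parameters (the values in the usage comment are constructed); on a real server the directory is /etc/apt/apt.conf.d.

```shell
# Added example (not from the video): write the apt drop-ins that
# unattended-upgrades reads. DIR is a parameter so the output can be inspected
# in a scratch directory first; MAIL and REBOOT_TIME are your own values.
set -eu

# write_unattended_config DIR MAIL [REBOOT_TIME]
write_unattended_config() {
  local dir="$1" mail="$2" reboot_time="${3:-05:00}"
  mkdir -p "$dir"
  # Daily "apt-get update" plus a daily unattended-upgrade run.
  cat > "$dir/20auto-upgrades" <<EOF
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
  # Local overrides for the package's 50unattended-upgrades: apt reads the
  # drop-ins in name order and a later scalar value replaces an earlier one.
  cat > "$dir/52unattended-upgrades-local" <<EOF
Unattended-Upgrade::Mail "$mail";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "$reboot_time";
EOF
}

# apt_setting DIR KEY: print the quoted value of KEY, last drop-in wins.
apt_setting() {
  grep -h "^$2 " "$1"/* | sed -E 's/^[^"]*"([^"]*)".*/\1/' | tail -n1
}

# Usage on the server (as root), with constructed example values:
#   write_unattended_config /etc/apt/apt.conf.d admin@example.com 05:00
#   unattended-upgrade --dry-run --debug
```

The interactive route the video takes (dpkg-reconfigure -plow unattended-upgrades) writes the same 20auto-upgrades file; unattended-upgrade --dry-run --debug then shows what the next run would install, and whether a reboot would be scheduled, without changing anything.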

So now your system and all the packages will be updated automatically, and you'll get an email every time an upgrade has been performed. And yeah, that's it. I am finally done editing this video; it took so long that I had a haircut in the meantime. A lot of people might say that this video is redundant, since I just said the same stuff I said in the last video and added a tutorial, but it was really important for me to make it. It just didn't sit right with me that the most viral video on my channel is so poorly researched, and this is basically what I wish I had uploaded back in November 2019.

So yeah, thank you guys for watching this video, I hope it was really helpful, and I would also like to thank my patrons cujo26, Mitchell, Valentino Ramos, Elis and Ray Peria, and everyone else who supports this channel. Thank you for watching once again, and I'll see you in the next one. Goodbye.