Jump to content

Tech tips: Build your own VPN, securing your own internet traffic!


Oicu812
 Share

Recommended Posts

.

 

A virtual private network (VPN) is a technology that creates a safe and encrypted connection over a less secure network, such as the internet. VPN technology was developed as a way to allow remote users and branch offices to securely access corporate applications and other resources. To ensure safety, data travels through secure tunnels and VPN users must use authentication methods -- including passwords, tokens and other unique identification methods -- to gain access to the VPN.

Think of the VPN as a tunnel, where your machine is connected to another machine on the Internet, and the traffic between you and the other end of the tunnel is encrypted.  Only your desktop and your VPN server can decrypt your transmissions.  All everyone else sees is digital garbage, completely unreadable "code groups" as they say on TV.

 

WTH is a VPNhttps://techcrunch.com/2017/01/01/wtf-is-a-vpn/

 

The article that started all of this in my brain:  https://techcrunch.com/2017/04/09/how-i-made-my-own-vpn-server-in-15-minutes/?ncid=txtlnkusaolp00000591&yptr=yahoo&utm_source=fark&utm_medium=website&utm_content=link&ICID=ref_fark

 

There are a lot of pay VPN's out there, and every one I tried was either slow as heck, or did not work at all.

So I decided to build my own, using a Cloud server.  I picked Digital Ocean, because they are inexpensive, VERY easy to use, and they do not log your internet traffic.  This VPN will work for MAC OS X, Windows, Android phones and boxes, iPads, iPhones, etc.  You will be able to use coffee shop wireless networks without any worries, because EVERYTHING you send or receive is encrypted with either 1024 or 2048 bit modern encryption.


That means your ISP cannot read any of the communication sent to and from your computer.  Your web browsing, DNS lookups (which websites you connect to...), file downloads (even torrents), everything you do is sent through the tunnel, and emerges onto the internet from the other machine (VPN server) where you have connected.  For instance, if you have a website in the UK that provides content only for the UK, you can create a VPN server in the London datacenter, and watch the content all you like, because your VPN IP address is in the UK.  From anywhere in the world.

 

I set up an account with DO (Digital Ocean), and created my own "droplet", which is their terminology for one of their virtual servers.  For $5 a month, you get 20GB of online storage (on SSD drives!), 1 CPU, 512MB of RAM, and 1TB of traffic a month.  That amount of RAM is plenty, because all you are doing with the machine is running the VPN software.  I am connected to my VPN right now, and I am getting 190mbps download, and 20 mbps upload speeds.  This is a faster speed than most ISP's provide to their customers.  My connection through Digital Ocean is smooth as glass.  You can also use your server as online picture storage (No more Photobucket bullsquirt).  You can host your own webpages.  You can take control of DNS, so that you can repoint any domains you own to your new online server.

 

Internet_Speed.jpg

 

The beauty of this method is just how fast you can implement a new server, load the VPN software, and configure your desktop OS for this new VPN.  Now that I have gotten the procedure down, it would take me less than 10 minutes to implement a new server, including the 45 seconds it takes for Digital Ocean to create your new OS build.

If you are questioning why I would want to set up another server, the answer is this:  Let's say you wanted to download something via a torrent, but you are worried that the torrent download can be traced back to you.  You set up a new VPN, do your download, and then delete the server, the "droplet".  The torrent tracker will have the hostname and IP address of your droplet having downloaded a file.  Now, because you have deleted that machine, it breaks the trace.  The IP address is no longer assigned to you, and the original server is gone forever.  And since it is so fast to set up another one, it makes the task of covering your bases very easy.

 

Setting up your very own VPN server!

------------------------------------------------------------------------------------

 

There are a few commands you have to run at a command prompt, and a couple of files you need to download.  I will provide direct links to that software, and instructions on how to use them.

The first thing you will need is Putty.  This is a piece of software installed on your desktop, that allows you to log into Unix and Linux boxes:

ftp://ftp.chiark.greenend.org.uk/users/sgtatham/putty-latest/w64/putty-64bit-0.70-installer.msi

Either click the link, or paste the FTP URL into your web browser.  In the resulting dialog box, click either Open or Save.  Once you have downloaded the file, double click it to install Putty.  For ease of use, have the installer place an icon on your desktop.  (I use this software all day, every day for my job...)

Now, go to DigitalOcean, and sign up for a new account:  https://www.digitalocean.com/ ## There is no charge for simply setting up an account.  They charge by the number and size of servers you build and operate.  For our VPN, simply choose the smallest server size, $5 a month.  Pick Ubuntu for the OS.  Type in the hostname you would like to call your server.  That's all you will need for now.  Once you hit the big green "Create" button, 45 seconds later your server is built.  They will send an email to the account you used to sign up, that will include the new hostname, IP address, and the root user password.

 

Create_Droplet.jpg
Hostname.jpg

 

Copy the IP address out of the email into your clipboard.  Run Putty, paste the IP into the "Host names (Or IP's)" box, and then paste it again into the "Saved Sessions".  Hit the "Save" button, and then the "Open" button.  This will open a text based connection to your new server. Type "root" in for the user name, and copy the root password from the email.  Once it is in your clipboard, anywhere in the text area, simply right click to paste, and hit enter on your keyboard.  The next information to come up will be an enforced password change for root.  Right click again, hit enter, and put your new password in twice.  Once the password is changed, it will land you at the command prompt with a flashing cursor.

 

It will look like this:

-------------------------------------------------------------------------------------
login as: root
root@138.197.70.58's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-87-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

0 packages can be updated.
0 updates are security updates.


Last login: Tue Aug 15 17:00:02 2017
root@ubuntu-512mb-nyc3-01:~#_
-------------------------------------------------------------------------------------


At the command prompt on your shiny new Ubuntu server:

Copy and paste this line, and hit enter:  apt-get update

Copy and paste this line, and hit enter:  apt-get install zip

Copy and paste this line, and hit enter:  apt-get install build-essential libssl-dev libffi-dev python-dev python-pip python-setuptools python-virtualenv -y

Copy and paste this line, and hit enter:  python -m virtualenv env && source env/bin/activate && python -m pip install -U pip && python -m pip install -r requirements.txt

Type in "exit", hit enter and your Putty window will close.  Run Putty again, log in as root with your new password.  Leave the window open and minimized for the next section.


-------------------------------------------------------------------------------------
This next section is for Windows desktop users - If you are on a different operating system,  follow the instructions on this page:  https://github.com/trailofbits/algo

(Scroll down for different OS instructions)


Run a command prompt as Administrator:  Right click the CMD.exe icon in your Windows start button, and choose run as administrator.  OR:  Windows 10, right click the start button and choose Command Prompt(Admin)

On the Windows command prompt, type in the following:

mkdir c:\tmp

cd \tmp

Leave the command prompt open and switch to your browser.  Go to the website:  https://github.com/trailofbits/algo

 

github.jpg


Click on the green "Clone or Download" button, and choose "Download ZIP".  Save that file in C:\tmp

Alt-TAB back over to your command prompt, where you are in c:\tmp

psftp root@138.197.70.58   <--------------CHANGE THIS TO YOUR NEW BOXES IP ADDRESS!  Log in as root with your password
Using username "root".
root@138.197.70.58's password:
Remote working directory is /root
psftp> cd /tmp   <--------------  The command is:   cd /tmp    ## You are on Linux now, so take note of the forward slashes between directories.
Remote directory is now /tmp
psftp> mput *zip   <--------------The command is:  mput *zip   ## mput allows wildcards
local:algo-master.zip => remote:/tmp/algo-master.zip

Alt-TAB back to your Putty session.  Type in:  

cd /tmp
unzip *zip
cd algo-master
./algo

Follow the prompts, and answer the first question with the number 5.  Answer the rest of the prompts with either Y/N as needed.  I answered one question with both of my wireless network names that I have built here at home.  This allows any traffic for my local machines to be routed locally, bypassing the VPN.

 

Your session will look like this:
-------------------------------------------------------------------------------------
root@ubuntu-512mb-nyc3-01:/tmp/algo-master# ./algo

  What provider would you like to use?
    1. DigitalOcean
    2. Amazon EC2
    3. Microsoft Azure
    4. Google Compute Engine
    5. Install to existing Ubuntu 16.04 server

Enter the number of your desired provider
: 5

Enter the IP address of your server: (or use localhost for local installation)
[localhost]: 138.197.70.58


What user should we use to login on the server? (note: passwordless login required, or ignore if you're deploying to localhost)
[root]: root


Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)
[138.197.70.58]: 138.197.70.58


Was this server deployed by Algo previously?
[y/N]: n

Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks?
[y/N]: y

Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?
[y/N]: y

List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
: BHNTG1682G57D7,BHNTG1682G57D7-5G

Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
[y/N]: y

Do you want each user to have their own account for SSH tunneling?
[y/N]: n

Do you want to apply operating system security enhancements on the server? (warning: replaces your sshd_config)
[y/N]: y

Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]: y

Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]: y

 

<Bunches of output>

 

 "\"#----------------------------------------------------------------------#\"",
        "\"#                          Congratulations!                            #\"",
        "\"#                     Your Algo server is running.                     #\"",
        "\"#    Config files and certificates are in the ./configs/ directory.    #\"",
        "\"#              Go to https://whoer.net/ after connecting               #\"",
        "\"#        and ensure that all your traffic passes through the VPN.      #\"",
        "\"#                    Local DNS resolver 172.16.0.1                     #\"",
        "\"#                The p12 and SSH keys password is XXXXXXXX             #\"",
        "\"#----------------------------------------------------------------------#\"",


-------------------------------------------------------------------------------------


Now flip back to your command prompt where psftp is still running.

Type in:

cd algo-master/configs

mget *                  

quit

powershell -ExecutionPolicy ByPass -File windows_<user>.ps1 Add

##The powershell command adds the cert to your windows desktop, you will have to look at the files in c:\tmp to catch the full name of the ps1 file you downloaded.  Use one of the file names with .ps1 in this command.
-------------------------------------------------------
Certificate "ron" added to store.

CertUtil: -importPFX command completed successfully.
-------------------------------------------------------


Now, we are almost home!!!


Click your Windows Start button, hit the icon that looks like a gear wheel called "Settings"

Click on "Network & Internet", and then in the left hand column click on VPN

In the VPN list, upper right of the box, you should see an entry for Algo VPN <YourIP> IKEv2.  Click it once, and then choose "Connect".  Because you downloaded and installed a certificate, you do not have to enter a password to use your new VPN.


Congratulations, you are now on the Internet.  Hidden from your ISP!  And once you have practiced a few times deleting and creating a server, it will become very easy!

 

If you have any trouble with my instructions, or issues with something not working correctly, please let me know.  Especially if I have any typos or problems within my information.
.

  • Like 1
Link to comment
Share on other sites

3 hours ago, dirtmudd said:

so how do you know if vpn provider is not a government agent ?

 

You don't.  But if you pick a website hosting service and build your own VPN like I did in my post, you are reasonably certain that everything is okay.

 

 

3 hours ago, tigerwoodKhorns said:

Great guide, but it does look complicated. 

 

Does a VPN provide any level of security for your home network? 

 

It is mildly complicated, but if you follow the guide step by step it will work just fine.

 

As for network security, yes it does form another layer of protection for your private network.  Due to the fact that you are only using the VPN connection, it makes it darned near impossible for someone to crack your network because all of your communication only happens on the VPN outlet.  They would have to break into that machine, and then into your router from there.  Could it be done?  Possibly, if you had a team of the best spend a LONG time.

 

Other targets are much easier, and attackers will move on.

  • Like 2
Link to comment
Share on other sites

8 minutes ago, Oicu812 said:

 

You don't.  But if you pick a website hosting service and build your own VPN like I did in my post, you are reasonably certain that everything is okay.

 

 

 

It is mildly complicated, but if you follow the guide step by step it will work just fine.

 

As for network security, yes it does form another layer of protection for your private network.  Due to the fact that you are only using the VPN connection, it makes it darned near impossible for someone to crack your network because all of your communication only happens on the VPN outlet.  They would have to break into that machine, and then into your router from there.  Could it be done?  Possibly, if you had a team of the best spend a LONG time.

 

Other targets are much easier, and attackers will move on.

 

One more piece of advice.  On your wireless router, turn on Access Control.  This makes it impossible for new devices to be connected to your wireless network, until you add their hardware address to your router configuration.  The information that you must obtain is called the MAC address, which is part of the properties of every network device.  Every single network card in existence needs to have a unique identifying address for the card to obtain an IP address.  If you have two devices on the network with the same MAC address, neither will work properly.

 

Why is this important?  No one can do a drive by on your wireless network.  They can't get an IP address without first being added to your network security.  No IP, no workie.  Simple.

  • Like 1
Link to comment
Share on other sites

On 11/19/2021 at 2:29 PM, rockhound said:

This looks fun will give it a go over Thanksgiving break. Thanks for putting together a well written guide.

 

You're quite welcome, rockhound!  It's a minor aspect in what I do, and fun to share with people I like.

Link to comment
Share on other sites

  • 1 month later...

How helpful VPN is? I would like to try it for myself. Because I want to hide my original location. I also want to know more about using a web hosting service along with how to drive traffic for a new website. Can you please help me here? The better thing is I am going to launch my first website soon. One of friend suggested me to read online articles based on how to choose a drive legitimate traffics to a website or blog https://sitecreator.io/blog/Online courses/Top-6-online-advertising-tips-for-your-site/1616684883025 I'm going to focus on them. Thanks for your reply.

Edited by LorraineSilver
Link to comment
Share on other sites

  • 5 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...