How to Make and Set Up Your Own VPN
In this article, we will look at four ways to create your own VPN. Let's start with the simplest option, which even novice PC users can handle.
Preparation
For all four methods we will need a virtual server (VPS). A configuration with 1 vCPU and 1GB RAM will be enough. As an operating system for installation we will take the latest Ubuntu 24.04 or Debian 12.
Method 1. Amnezia
The easiest and fastest way to set up a VPN yourself. Simply install the Amnezia client on your computer or phone. On first launch it connects to the server and installs and configures all the necessary software there.
Detailed instructions are available here.
The Amnezia VPN client is available for all popular desktop and mobile operating systems; it is completely free and open source (GitHub).
It is worth noting that, in addition to supporting the usual OpenVPN, WireGuard, IPsec and other protocols, Amnezia has its own secure protocol, AmneziaWG.
Method 2. Virtual server with pre-installed VPN
Some hosters offer, when you order a server, to install a VPN on it right away, together with a convenient web interface (UI) for managing users.
After the server is activated, open the VPN management web interface, create a new user and download that user's configuration file with the connection settings.
This file can then simply be opened in, or imported into, any VPN client that supports the required protocol. The table below lists the most popular options:
VPN client | Protocol | Supported OS / Hardware |
OpenVPN | OpenVPN | Windows, MacOS, Linux, Android, iOS, ChromeOS |
WireGuard | WireGuard | Windows, MacOS, Linux, Android, iOS, etc. |
Routers with built-in VPN client | OpenVPN | Most modern routers, such as Asus RT-AX53U, RT-AX55, RT-AC68U, RT-AC86U, TP-Link Archer AX55, AX72, AX73, AXE75 and many others |
Routers with built-in VPN client | WireGuard | Some modern routers, such as Asus RT-AX88U, TP-Link Archer BE900 |
Routers with alternative firmware (DD-WRT, OpenWrt, etc.) | OpenVPN | Most modern routers* |
Routers with alternative firmware (DD-WRT, OpenWrt, etc.) | WireGuard | Some modern routers* |
* Before installing alternative firmware, check compatibility and availability of a VPN client on the firmware developer's website
Method 3. Ready script
There are ready-made universal scripts on GitHub for semi-automatic VPN setup. The setup wizard asks a few questions, configures everything itself and creates a client configuration file for connecting to the VPN.
One of the most popular scripts is for OpenVPN; there is also one for WireGuard.
Method 4. Make a VPN yourself
The most labor-intensive option: we configure the VPN ourselves on a server running Ubuntu 24.04. Of the available protocols we will choose the time-tested OpenVPN, which most modern routers claim to support.
Connect to the VPS as root, create a new user and add it to the sudo group:
adduser user
usermod -aG sudo user
Then log in to the server as user and run all further commands as that user.
Update the package lists and install OpenVPN and Easy-RSA (the tool for managing certificates in a public key infrastructure):
sudo apt update -y
sudo apt install openvpn easy-rsa -y
In the user's home directory, create a directory containing symbolic links to the Easy-RSA files and restrict its permissions:
mkdir ~/easy-rsa
ln -s /usr/share/easy-rsa/* ~/easy-rsa/
chmod 700 ~/easy-rsa
Let's create a configuration file for Easy-RSA and initialize the public key infrastructure (PKI):
cd ~/easy-rsa
echo -e 'set_var EASYRSA_ALGO ec\nset_var EASYRSA_DIGEST sha512' > vars
./easyrsa init-pki
Let's generate the key and certificate of the certificate authority (CA):
./easyrsa build-ca nopass
You will be asked to enter a Common Name; here you can simply press Enter to accept the default.
Let's issue and sign a key-certificate pair for the server:
./easyrsa gen-req server nopass
./easyrsa sign-req server server
When you run the first command, you will be asked for a Common Name; just press Enter. For the second command, confirm the signing request by entering yes.
Copy the created files to the OpenVPN directory:
sudo cp ~/easy-rsa/pki/private/server.key /etc/openvpn/server
sudo cp ~/easy-rsa/pki/issued/server.crt /etc/openvpn/server
sudo cp ~/easy-rsa/pki/ca.crt /etc/openvpn/server
For additional security, let's create a pre-shared key (PSK) to use with the tls-crypt directive:
sudo openvpn --genkey secret /etc/openvpn/server/ta.key
We will issue and sign a key-certificate pair for the client client1:
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
In the first command, press Enter when asked for a Common Name; in the second command, confirm the signing request by entering yes.
Let's create a directory for client configs, copy the necessary files there and set the appropriate rights for them:
mkdir ~/openvpn-clients
chmod -R 700 ~/openvpn-clients
cp ~/easy-rsa/pki/private/client1.key ~/openvpn-clients/
cp ~/easy-rsa/pki/issued/client1.crt ~/openvpn-clients/
sudo cp /etc/openvpn/server/{ca.crt,ta.key} ~/openvpn-clients/
sudo chown user ~/openvpn-clients/*
Let's set up the OpenVPN config based on the default example. To do this, copy the server.conf template file to the working directory:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server/
Open server.conf in any text editor:
sudo vim /etc/openvpn/server/server.conf
The following changes need to be made in this file:
1. Replace the line
dh dh2048.pem
with
dh none
2. Uncomment the line
push "redirect-gateway def1 bypass-dhcp"
3. Uncomment the two lines with DNS servers:
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
By default, the addresses of the OpenDNS public resolvers are given here. I recommend replacing them right away with the DNS servers of Cloudflare (1.1.1.1 and 1.0.0.1) or Google (8.8.8.8 and 8.8.4.4).
4. Replace
tls-auth ta.key 0
with
tls-crypt ta.key
5. Replace
cipher AES-256-CBC
with
cipher AES-256-GCM
and add a new line right after it:
auth SHA256
6. Add two lines at the end of the file:
user nobody
group nogroup
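The same edits can be applied without an editor and checked before the file goes live. The script below is an added example, not code from the original article: harden_server_conf applies every change from the list above with awk (the article itself only mentions sed, for the sysctl edit; awk is my choice because one pass can insert the extra auth line), and verify_server_conf refuses a file that still contains any of the weak settings. The DNS servers substituted are Cloudflare's, as the text recommends, and the sample config is a constructed excerpt of OpenVPN's stock server.conf limited to the lines the edits touch.

```shell
#!/bin/sh
# Added example (not from the article): apply the server.conf edits with awk
# and verify the result. Function names are mine.

# Constructed excerpt of OpenVPN's sample server.conf: only the lines the
# edits touch (the real file is much longer but contains these same lines).
write_sample_conf() {
  cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
persist-key
persist-tun
verb 3
EOF
}

# harden_server_conf IN OUT: read IN, write the edited config to OUT.
# Idempotent: running it on an already edited file changes nothing but the
# two trailing user/group lines, which OpenVPN tolerates as duplicates.
harden_server_conf() {
  awk -v dns1=1.1.1.1 -v dns2=1.0.0.1 '
    $1 == "dh"       { print "dh none"; next }   # EC certificates need no DH params
    /^;push "redirect-gateway def1 bypass-dhcp"/ { sub(/^;/, ""); print; next }
    /^;push "dhcp-option DNS / {                 # swap OpenDNS for Cloudflare
      n++; print "push \"dhcp-option DNS " (n == 1 ? dns1 : dns2) "\""; next
    }
    $1 == "tls-auth" { print "tls-crypt ta.key"; next }   # encrypt the control channel too
    $1 == "cipher"   { print "cipher AES-256-GCM"; print "auth SHA256"; next }
    { print }
    END { print "user nobody"; print "group nogroup" }    # drop root after startup
  ' "$1" > "$2"
}

# verify_server_conf FILE: succeed only if every hardened directive is present
# and none of the replaced ones survived.
verify_server_conf() {
  f=$1
  grep -q '^dh none$' "$f" &&
  grep -q '^push "redirect-gateway def1 bypass-dhcp"$' "$f" &&
  [ "$(grep -c '^push "dhcp-option DNS ' "$f")" -eq 2 ] &&
  grep -q '^tls-crypt ta.key$' "$f" &&
  grep -q '^cipher AES-256-GCM$' "$f" &&
  grep -q '^auth SHA256$' "$f" &&
  grep -q '^user nobody$' "$f" &&
  grep -q '^group nogroup$' "$f" &&
  ! grep -q '^tls-auth' "$f" &&
  ! grep -q '^cipher AES-256-CBC' "$f" &&
  ! grep -q '^dh dh2048' "$f"
}

# On the server, after copying the sample config as the article does:
#   harden_server_conf /etc/openvpn/server/server.conf /tmp/server.conf.new \
#     && verify_server_conf /tmp/server.conf.new \
#     && sudo cp /tmp/server.conf.new /etc/openvpn/server/server.conf
```

Writing to a temporary file and copying only after verify_server_conf succeeds means a typo in the awk program can never leave the service with a half-edited config.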
To enable packet forwarding, uncomment the line net.ipv4.ip_forward=1 in the file /etc/sysctl.conf (manually or with the sed utility) and apply the change:
sudo sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
sudo sysctl -p
Now we need to configure forwarding and masquerading in iptables, but first let's find out the name of the server's public network interface:
ip route list default
An example of the command's output is shown below; the name of the interface we need is displayed immediately after "dev":
default via 123.45.67.8 dev ens3 proto static onlink
In the example above the interface is called ens3; in your case it may be different.
Enable forwarding and masquerading in iptables. If necessary, replace the interface name (ens3) with yours in the three places where it appears:
sudo apt install iptables-persistent -y
sudo iptables -A INPUT -i tun+ -j ACCEPT
sudo iptables -A FORWARD -i tun+ -j ACCEPT
sudo iptables -A FORWARD -i ens3 -o tun+ -j ACCEPT
sudo iptables -A FORWARD -i tun+ -o ens3 -j ACCEPT
# 10.8.0.0/24 is the VPN subnet from the "server 10.8.0.0 255.255.255.0" line of server.conf; a /8 mask here would masquerade all of 10.0.0.0/8
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens3 -j MASQUERADE
sudo netfilter-persistent save
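Both values the rules above depend on, the public interface name and the VPN subnet, can be derived instead of typed by hand, which avoids the two classic mistakes here (wrong interface, masquerade source wider than the VPN network). The following is an added example, not code from the original article: default_iface picks the word after "dev" from the output of ip route list default, as the text explains, vpn_subnet reads the server line of server.conf and converts its netmask to a prefix length, and nat_rules prints the iptables commands from this section with those values filled in so they can be reviewed before running. All function names are mine.

```shell
#!/bin/sh
# Added example (not from the article): derive the interface and VPN subnet
# used by the iptables rules. Function names are mine.

# default_iface: print the interface name that follows "dev" on the default
# route line read from stdin (feed it the output of `ip route list default`).
default_iface() {
  awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# mask_to_prefix 255.255.255.0 -> 24. The body is a subshell so the IFS
# change stays local. Masks whose bits are not a contiguous run of ones
# (e.g. 255.0.255.0) are rejected with exit status 1.
mask_to_prefix() (
  IFS=.
  set -- $1
  [ $# -eq 4 ] || return 1
  bits=0
  ones_ended=0
  for octet in "$1" "$2" "$3" "$4"; do
    case "$octet" in
      255) n=8 ;; 254) n=7 ;; 252) n=6 ;; 248) n=5 ;;
      240) n=4 ;; 224) n=3 ;; 192) n=2 ;; 128) n=1 ;; 0) n=0 ;;
      *) return 1 ;;
    esac
    # once an octet is below 255, every following octet must be 0
    if [ "$ones_ended" -eq 1 ] && [ "$n" -ne 0 ]; then return 1; fi
    if [ "$n" -lt 8 ]; then ones_ended=1; fi
    bits=$((bits + n))
  done
  echo "$bits"
)

# vpn_subnet FILE: "10.8.0.0/24" from the "server 10.8.0.0 255.255.255.0"
# line of server.conf; fails if the line or a valid netmask is missing.
vpn_subnet() {
  net=$(awk '$1 == "server" { print $2; exit }' "$1")
  mask=$(awk '$1 == "server" { print $3; exit }' "$1")
  [ -n "$net" ] && [ -n "$mask" ] || return 1
  prefix=$(mask_to_prefix "$mask") || return 1
  echo "$net/$prefix"
}

# nat_rules IFACE SUBNET: print the rules from this section with the derived
# values filled in. Printing (not executing) lets you review them first.
nat_rules() {
  iface=$1
  subnet=$2
  cat <<EOF
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i $iface -o tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o $iface -j ACCEPT
iptables -t nat -A POSTROUTING -s $subnet -o $iface -j MASQUERADE
EOF
}

# On the server: review, then apply and persist.
#   IFACE=$(ip route list default | default_iface)
#   NET=$(vpn_subnet /etc/openvpn/server/server.conf)
#   nat_rules "$IFACE" "$NET"                       # look at them
#   nat_rules "$IFACE" "$NET" | sudo sh && sudo netfilter-persistent save
```

With the stock server line this yields 10.8.0.0/24 for the MASQUERADE source, so only traffic that actually originates from VPN clients is NATed out of the public interface.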
Add the OpenVPN service to startup and launch it:
sudo systemctl enable openvpn-server@server.service
sudo systemctl start openvpn-server@server.service
You can check if the VPN is running using the command:
sudo systemctl status openvpn-server@server.service
All that's left for us to do is create the .ovpn configuration file that the client will use to connect to the VPN.
The .ovpn file should contain the basic parameters, the certificates and the keys. To avoid assembling all this by hand, let's write a small Bash script:
#!/bin/bash
# Usage: create_client_config.sh <clientname>
# Before use, replace X.X.X.X in SERVER_IP with the IP address of your server
SERVER_IP=X.X.X.X
DIR=~/openvpn-clients
# Refuse to run without a client name; otherwise an empty "${DIR}/.ovpn" would be produced
if [ -z "$1" ]; then
    echo "Usage: $0 <clientname>" >&2
    exit 1
fi
# Concatenate the base options with the inline <ca>, <cert>, <key> and <tls-crypt> blocks
# (key-direction is only used by tls-auth and is ignored with tls-crypt; it is harmless here)
cat <(echo -e \
"# Client OpenVPN config file"\
"\nclient" \
"\ndev tun" \
"\nproto udp" \
"\nremote $SERVER_IP 1194" \
"\nresolv-retry infinite" \
"\nnobind" \
"\nuser nobody" \
"\ngroup nogroup" \
"\npersist-key" \
"\npersist-tun" \
"\nremote-cert-tls server" \
"\nkey-direction 1" \
"\ncipher AES-256-GCM" \
"\nauth SHA256" \
"\nverb 3" \
) \
<(echo -e "\n<ca>") \
${DIR}/ca.crt \
<(echo -e "</ca>\n\n<cert>") \
${DIR}/${1}.crt \
<(echo -e "</cert>\n\n<key>") \
${DIR}/${1}.key \
<(echo -e "</key>\n\n<tls-crypt>") \
${DIR}/ta.key \
<(echo -e "</tls-crypt>") \
> ${DIR}/${1}.ovpn
In the script, replace X.X.X.X with the IP address of your server, save the file in any directory and make it executable:
chmod +x create_client_config.sh
Create .ovpn file for client1:
./create_client_config.sh client1
Done! The file client1.ovpn now appears in the folder ~/openvpn-clients. Download it and simply import it into any OpenVPN client or router that supports this.
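Before a profile is handed to a user it is worth checking it, because the generator script above fails silently in a few ways: the X.X.X.X placeholder can be left in the remote line, a missing .crt or .key file produces an empty inline block (cat just reports the error and carries on), and a profile edited by hand may end up with tls-auth while the server expects tls-crypt. The check below is an added example, not code from the original article; check_ovpn is my function, and the sample profile it is tested against is constructed with fake key material and a documentation IP address.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check a generated .ovpn profile.

# check_ovpn FILE: exit 0 if the profile looks usable, 1 with a reason on stderr.
check_ovpn() {
  f=$1
  if grep -q '^remote X\.X\.X\.X ' "$f"; then
    echo "remote still contains the X.X.X.X placeholder" >&2; return 1
  fi
  # directives that must match what server.conf was set to above
  for want in '^client$' '^remote [0-9.]* 1194$' '^remote-cert-tls server$' \
              '^cipher AES-256-GCM$' '^auth SHA256$'; do
    if ! grep -q "$want" "$f"; then
      echo "missing directive matching $want" >&2; return 1
    fi
  done
  # tls-auth and tls-crypt are mutually exclusive; the server uses tls-crypt
  if grep -q '^tls-auth' "$f" || grep -q '^<tls-auth>' "$f"; then
    echo "profile uses tls-auth but the server expects tls-crypt" >&2; return 1
  fi
  # each inline block: exactly one open tag, one close tag, a PEM body between
  for blk in ca cert key tls-crypt; do
    if ! awk -v b="$blk" '
        $0 == ("<" b ">")  { nopen++; inblk = 1; next }
        $0 == ("</" b ">") { nclose++; inblk = 0; next }
        inblk && /^-----BEGIN / { body++ }
        END { exit !(nopen == 1 && nclose == 1 && body == 1) }
      ' "$f"; then
      echo "inline <$blk> block missing, duplicated or empty" >&2; return 1
    fi
  done
  return 0
}

# Constructed sample profile in the layout the generator script produces.
# 203.0.113.10 is a documentation address and the PEM bodies are fake.
write_sample_ovpn() {
  cat > "$1" <<'EOF'
# Client OpenVPN config file
client
dev tun
proto udp
remote 203.0.113.10 1194
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
verb 3
<ca>
-----BEGIN CERTIFICATE-----
ZmFrZQ==
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
ZmFrZQ==
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
ZmFrZQ==
-----END PRIVATE KEY-----
</key>

<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
00112233
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF
}

# Typical use right after generating a profile:
#   ./create_client_config.sh client1 && check_ovpn ~/openvpn-clients/client1.ovpn
```

The awk pass counts tags rather than just grepping for them, so a profile in which a block was pasted twice, or in which the key file was missing when the script ran, is rejected rather than shipped to a user who will only see a cryptic TLS error.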