How to Make and Set Up Your Own VPN

In this article, we will look at four ways to create your own VPN. Let's start with the simplest option, which even novice PC users can handle.

Preparation

For all four methods we will need a virtual server (VPS). A configuration with 1 vCPU and 1 GB of RAM is enough. As the operating system we will use the latest Ubuntu 24.04 or Debian 12.

Method 1. Amnezia

The easiest and fastest way to set up a VPN yourself. Simply install the Amnezia client program on your computer or phone. On first launch it connects to your server and installs all the necessary software.

The project provides detailed instructions.

The Amnezia VPN client is available for all popular desktop and mobile operating systems; it is completely free and open source (the code is on GitHub).

It is worth noting that in addition to supporting the usual OpenVPN, WireGuard, IPsec and other protocols, Amnezia has its own secure protocol AmneziaWG.

Method 2. Virtual server with pre-installed VPN

Some hosting providers offer, when you order a server, to install a VPN on it together with a convenient web interface (UI) for managing users.

After activating the server, you need to go to the VPN management web interface, create a new user and download its configuration file with connection settings.

This file can then simply be imported into any VPN client that supports the required protocol. The table below shows the most popular options:

VPN client                                                | Protocol  | Supported OS / Hardware
OpenVPN Connect                                           | OpenVPN   | Windows, macOS, Linux, Android, iOS, ChromeOS
WireGuard                                                 | WireGuard | Windows, macOS, Linux, Android, iOS, etc.
Routers with built-in VPN client                          | OpenVPN   | Most modern routers, such as Asus RT-AX53U, RT-AX55, RT-AC68U, RT-AC86U, TP-Link Archer AX55, AX72, AX73, AXE75 and many others
                                                          | WireGuard | Some modern routers, such as Asus RT-AX88U, TP-Link Archer BE900
Routers with alternative firmware (DD-WRT, OpenWrt, etc.) | OpenVPN   | Most modern routers*
                                                          | WireGuard | Some modern routers*

* Before installing alternative firmware, check compatibility and the availability of a VPN client on the firmware developer's website.

Method 3. Ready-made script

There are ready-made universal scripts on GitHub for semi-automatic VPN setup. The setup wizard asks a few questions, configures everything itself and creates a client configuration file for connecting to the VPN.

One of the most popular scripts is for OpenVPN, and there is also one for WireGuard.

Method 4. Make a VPN yourself

The most labor-intensive option: we will configure the VPN ourselves on a server running Ubuntu 24.04. As the protocol we choose the time-tested OpenVPN, which most modern routers claim to support.

Connect to the VPS as root, create a new user and add it to the sudo group:

adduser user
usermod -aG sudo user

Then log in to the server as user and run all further commands as that user.

Update the package lists and install OpenVPN and Easy-RSA (used to manage the certificates of the public key infrastructure):

sudo apt update -y
sudo apt install openvpn easy-rsa -y

In the user's home directory, create a directory with symbolic links to the Easy-RSA files and restrict its permissions:

mkdir ~/easy-rsa
ln -s /usr/share/easy-rsa/* ~/easy-rsa/
chmod 700 ~/easy-rsa

Let's create a configuration file for Easy-RSA and initialize the public key infrastructure (PKI):

cd ~/easy-rsa
echo -e 'set_var EASYRSA_ALGO ec\nset_var EASYRSA_DIGEST sha512' > vars
./easyrsa init-pki

Generate the certificate authority (CA) key and certificate:

./easyrsa build-ca nopass

You will be asked for a Common Name; you can simply press Enter to accept the default.

Issue and sign a key and certificate pair for the server:

./easyrsa gen-req server nopass
./easyrsa sign-req server server

The first command asks for a Common Name; just press Enter. The second command asks you to confirm the request by entering yes.

Copy the created files to the OpenVPN directory:

sudo cp ~/easy-rsa/pki/private/server.key /etc/openvpn/server
sudo cp ~/easy-rsa/pki/issued/server.crt /etc/openvpn/server
sudo cp ~/easy-rsa/pki/ca.crt /etc/openvpn/server

For additional security, create a pre-shared key (PSK) to use with the tls-crypt directive:

sudo openvpn --genkey secret /etc/openvpn/server/ta.key

Issue and sign a key and certificate pair for the client client1:

./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1

As before, press Enter when the first command asks for a Common Name, and confirm the second command's request by entering yes.

Create a directory for client configs, copy the necessary files there and set the appropriate permissions:

mkdir ~/openvpn-clients
chmod -R 700 ~/openvpn-clients
cp ~/easy-rsa/pki/private/client1.key ~/openvpn-clients/
cp ~/easy-rsa/pki/issued/client1.crt ~/openvpn-clients/
sudo cp /etc/openvpn/server/{ca.crt,ta.key} ~/openvpn-clients/
sudo chown user ~/openvpn-clients/*

Set up the OpenVPN config based on the default example. To do this, copy the template file server.conf to the working directory:

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server/

Open server.conf for editing in any text editor:

sudo vim /etc/openvpn/server/server.conf

The following changes need to be made in this file:

  • replace dh dh2048.pem with dh none

  • uncomment the line push "redirect-gateway def1 bypass-dhcp"

  • uncomment the two lines with DNS servers:
    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 208.67.220.220"
    By default, the addresses of the OpenDNS public DNS servers are given here. I recommend replacing them right away with the DNS servers of Cloudflare (1.1.1.1, 1.0.0.1) or Google (8.8.8.8 and 8.8.4.4)

  • replace tls-auth ta.key 0 with tls-crypt ta.key

  • replace cipher AES-256-CBC with cipher AES-256-GCM and add a new line after it: auth SHA256

  • add two lines at the end of the file:
    user nobody
    group nogroup
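A quick way to confirm that all of the edits above actually landed in server.conf, and that none of the defaults they replace are still active, is the shell check below. It is an added example, not part of the article; it runs against two constructed excerpts of server.conf (a default-like one and a hardened one) rather than the full sample file.

```shell
#!/bin/sh
# Added check (not from the article): confirm that server.conf carries every
# edit from the list above and none of the defaults those edits replace.
check_server_conf() {
    conf="$1"; rc=0
    # each of these must appear uncommented as a whole line
    for want in 'dh none' 'push "redirect-gateway def1 bypass-dhcp"' \
                'tls-crypt ta.key' 'cipher AES-256-GCM' 'auth SHA256' \
                'user nobody' 'group nogroup'; do
        grep -qx "[[:space:]]*${want}[[:space:]]*" "$conf" \
            || { echo "missing: $want"; rc=1; }
    done
    # at least one DNS server must be pushed, whichever provider was chosen
    grep -q '^[[:space:]]*push "dhcp-option DNS ' "$conf" \
        || { echo "missing: push \"dhcp-option DNS ...\""; rc=1; }
    # the replaced defaults must be gone (a leading ";" comment does not match)
    for bad in 'dh dh2048.pem' 'tls-auth ta.key 0' 'cipher AES-256-CBC'; do
        grep -q "^[[:space:]]*${bad}" "$conf" \
            && { echo "still present: $bad"; rc=1; }
    done
    return $rc
}

# Constructed excerpts (not the full sample file) standing in for server.conf
# before ($1) and after ($2) the edits.
write_samples() {
    cat >"$1" <<'EOF'
dh dh2048.pem
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
tls-auth ta.key 0
cipher AES-256-CBC
EOF
    cat >"$2" <<'EOF'
dh none
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp/default.conf" "$tmp/hardened.conf"
check_server_conf "$tmp/default.conf"  || echo "default.conf: not hardened"
check_server_conf "$tmp/hardened.conf" && echo "hardened.conf: ok"
```

On a real server run check_server_conf /etc/openvpn/server/server.conf (with sudo) after saving the file; a non-zero exit lists exactly which edit is still missing.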

To enable packet forwarding, uncomment the line net.ipv4.ip_forward=1 in the file /etc/sysctl.conf (manually or with sed) and apply the change:

sudo sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
sudo sysctl -p

Now we need to configure forwarding and masquerading in iptables, but first let's find the name of the server's public network interface:

ip route list default

An example of the command's output is shown below; the interface name we need appears right after “dev”:

default via 123.45.67.8 dev ens3 proto static onlink

In the example above the interface is called ens3; in your case it may be different.

Enable forwarding and masquerading in iptables. If necessary, replace the interface name (ens3) in the three places where it appears:

sudo apt install iptables-persistent -y
sudo iptables -A INPUT -i tun+ -j ACCEPT
sudo iptables -A FORWARD -i tun+ -j ACCEPT
sudo iptables -A FORWARD -i ens3 -o tun+ -j ACCEPT
sudo iptables -A FORWARD -i tun+ -o ens3 -j ACCEPT
# 10.8.0.0/24 is the client subnet set by the "server" directive in server.conf
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens3 -j MASQUERADE
sudo netfilter-persistent save

Add the OpenVPN service to startup and launch it:

sudo systemctl enable openvpn-server@server.service
sudo systemctl start openvpn-server@server.service

You can check whether the VPN is running with the command:

sudo systemctl status openvpn-server@server.service

All that's left for us to do is create the .ovpn configuration file that the client will use to connect to the VPN.

The .ovpn file should contain the basic parameters, certificates and keys. To avoid assembling all this by hand, let's write a small Bash script:

#!/bin/bash

# Usage: create_client_config.sh <clientname>
# Before use, replace X.X.X.X in SERVER_IP with the IP address of your server

SERVER_IP=X.X.X.X
DIR=~/openvpn-clients

if [ $# -ne 1 ]; then
    echo "Usage: $0 <clientname>" >&2
    exit 1
fi

# Assemble the client config: connection parameters first, then the CA
# certificate, client certificate, client key and tls-crypt key inline
{
cat <<EOF
# Client OpenVPN config file
client
dev tun
proto udp
remote $SERVER_IP 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
key-direction 1
cipher AES-256-GCM
auth SHA256
verb 3

<ca>
EOF
cat "${DIR}/ca.crt"
printf '</ca>\n\n<cert>\n'
cat "${DIR}/${1}.crt"
printf '</cert>\n\n<key>\n'
cat "${DIR}/${1}.key"
printf '</key>\n\n<tls-crypt>\n'
cat "${DIR}/ta.key"
printf '</tls-crypt>\n'
} > "${DIR}/${1}.ovpn"

In the script, replace X.X.X.X with the IP address of your server, put the file in any directory and make it executable:

chmod +x create_client_config.sh

Create .ovpn file for client1:

./create_client_config.sh client1

Done! The file client1.ovpn has appeared in the folder ~/openvpn-clients. Download it and simply import it into any OpenVPN client or router that supports this.
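Before handing a generated .ovpn to a client it is worth validating it. The shell check below is an added example (not part of the article or of the script above); it catches the two most common slips when using the script: the X.X.X.X placeholder left in the remote line, and an inline section that is missing or empty because a certificate or key file was not found. The sample .ovpn it builds is constructed for the test, with dummy PEM bodies and the documentation address 203.0.113.10.

```shell
#!/bin/sh
# Added check (not from the article): validate a generated .ovpn before use.
check_ovpn() {
    f="$1"; rc=0
    # remote-cert-tls server is what stops another client's certificate
    # from being used to impersonate the server, so it must not be dropped
    for want in '^client$' '^dev tun$' '^proto udp$' '^remote-cert-tls server$' \
                '^cipher AES-256-GCM$' '^auth SHA256$'; do
        grep -q "$want" "$f" || { echo "missing directive: $want"; rc=1; }
    done
    # the remote line must carry a real address, not the script's placeholder
    remote=$(sed -n 's/^remote \([^ ]*\) .*/\1/p' "$f")
    case "$remote" in
        ''|X.X.X.X) echo "remote is unset or still the X.X.X.X placeholder"; rc=1 ;;
    esac
    # each inline section must open, close, and wrap one PEM object
    for sec in ca cert key tls-crypt; do
        body=$(awk -v o="<$sec>" -v c="</$sec>" '$0==o{p=1;next} $0==c{p=0} p' "$f")
        case "$body" in
            *"-----BEGIN "*"-----END "*) ;;
            *) echo "inline section <$sec> missing or without a PEM body"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed .ovpn for testing: $1 = output path, $2 = value for "remote",
# $3 = optional section to leave out. The PEM bodies are dummies, not keys.
write_sample_ovpn() {
    {
        printf 'client\ndev tun\nproto udp\nremote %s 1194\nnobind\n' "$2"
        printf 'remote-cert-tls server\ncipher AES-256-GCM\nauth SHA256\nverb 3\n'
        for sec in ca cert key tls-crypt; do
            [ "$sec" = "${3:-}" ] && continue
            printf '<%s>\n-----BEGIN DUMMY-----\nY29uc3RydWN0ZWQ=\n-----END DUMMY-----\n</%s>\n' "$sec" "$sec"
        done
    } >"$1"
}

tmp=$(mktemp -d)
write_sample_ovpn "$tmp/good.ovpn" 203.0.113.10
write_sample_ovpn "$tmp/bad.ovpn" X.X.X.X key
check_ovpn "$tmp/good.ovpn" && echo "good.ovpn: ok"
check_ovpn "$tmp/bad.ovpn"  || echo "bad.ovpn: rejected"
```

On a real server run check_ovpn ~/openvpn-clients/client1.ovpn; it prints one line per problem and exits non-zero if anything is wrong.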
