Make a self-hosted VPN in 15 minutes.
If you can 'kind of run a server', then you can manage this.
Give all your non-technical friends a free VPN!
Companies like Verizon, AT&T, and Comcast have already developed tools to sell police bulk access to your data without a warrant. Isn't this illegal spying? Not if your internet provider does it as a service!
Do you want every corrupt government contractor to have access to your browser history? Right now, they often do.
- Make an account and get a $10 free credit at Digital Ocean
  - Skip this step if you already have an account
  - Disclaimer: I get some free credit when you use this link. Thanks!
- Add your SSH key to Digital Ocean
  - Enter the Digital Ocean web interface
  - Go to `settings -> security -> SSH keys`
  - Paste your public key, found by default at `$HOME/.ssh/id_rsa.pub`
  - Tip: make a key with `ssh-keygen`
  - Danger: if a key pair already exists at the default path, `ssh-keygen` asks whether to overwrite it; answering `y` destroys the old private key, so pass `-f` with a different filename instead
  - On server creation, the public key will be added to the server's `root` user's `authorized_keys`
  - `ansible` then logs in with the private half of that pair, `~/.ssh/id_rsa` by default (the `.pub` file is only ever pasted into Digital Ocean)
  - You can manually set a key as a command line argument in `manage.sh`
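The overwrite danger above is the one irreversible mistake in this step, so here is a small added helper (mine, not part of popup-openvpn) that prints the public key to paste and only ever runs `ssh-keygen` when no key pair exists yet. The function name and the `--print` usage are my own; the default path matches what `manage.sh` expects.

```shell
#!/bin/sh
# Added example, not part of popup-openvpn: choose the SSH public key to paste
# into Digital Ocean without ever letting ssh-keygen overwrite an existing pair.
# Usage: ensure_ssh_key [private_key_path]   (default: $HOME/.ssh/id_rsa)

ensure_ssh_key() {
    key="${1:-$HOME/.ssh/id_rsa}"
    pub="$key.pub"
    if [ -f "$key" ] && [ -f "$pub" ]; then
        # A complete pair already exists: reuse it, never regenerate it.
        echo "Using existing key pair: $key" >&2
    elif [ -e "$key" ] || [ -e "$pub" ]; then
        # Half a pair means something is wrong; do not touch either file.
        echo "Refusing: $key or $pub exists but the pair is incomplete" >&2
        return 1
    else
        # Nothing there yet, so generating is safe. ssh-keygen prompts for a
        # passphrase; set one, so a stolen laptop does not hand out root on
        # the droplet.
        dir=$(dirname "$key")
        mkdir -p "$dir" && chmod 700 "$dir"
        ssh-keygen -t rsa -b 4096 -f "$key" || return 1
    fi
    # This is the line to paste under settings -> security -> SSH keys.
    cat "$pub"
}
```

Run `ensure_ssh_key` with no arguments for the default path, or pass the private key path if you keep a separate key for this server; in the latter case also pass that key to `manage.sh`.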
- Create a new server on Digital Ocean
  - Choose the `Ubuntu 16.04.1 x64` base image
  - Use the $5 option
  - Choose a datacenter near you for low latency
  - Check your preferred `ssh key` under `Add your SSH keys`
  - Choose a hostname like `popup-openvpn`
  - Do not check `use IPv6`
  - Notes
    - You will have 1 terabyte of monthly transfer
    - They call a `server` a `droplet`
    - Ubuntu 16.04 reached end of standard support in April 2021; this guide was written against 16.04.1, so a current LTS image may need playbook changes
- Configure this repo for your users
  - Clone this repository on your local computer: `git clone --recursive https://github.com/robbintt/popup-openvpn.git`
  - Configuration files: `hosts` and `group_vars/all`
  - Add the IP address of the server to your `hosts` file
    - The IP address is available in your Digital Ocean dashboard
    - In the `[vpnservers]` section, replace the default `1.2.3.4` with your server's IP address
  - Add each of the following to your `group_vars/all`
    - You need at least one user and password
      - `user`: any username is fine
      - `password`: use a strong password
    - `openvpn_client`: any name is fine; the default is `myvpn1`, etc.
    - Replace or delete the example users and passwords entirely: any example credential left in the file becomes a working login on your server
    - You can add as many `openvpn_client` sections and user/password pairs as you wish
    - IMPORTANT: Delete any extra user lines and unnecessary example certificates, e.g. `myvpn3`, `myvpn4`
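The two edits above are easy to get subtly wrong (a mistyped address, a password you made up yourself), so here is an added helper, mine and not part of popup-openvpn, that swaps the `1.2.3.4` placeholder in `hosts` for a validated IPv4 address and prints a random password for the `password` field in `group_vars/all`. The function names are my own; the layout of `group_vars/all` is the repo's and is still edited by hand.

```shell
#!/bin/sh
# Added example, not part of popup-openvpn: fill in this step's configuration
# without typos. set_server_ip replaces the 1.2.3.4 placeholder in hosts with a
# checked IPv4 address; gen_password prints a strong password for group_vars/all.

valid_ipv4() {
    # Exactly four dot-separated decimal octets, each in 0..255, nothing else.
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

set_server_ip() {
    ip=$1
    file=${2:-hosts}
    valid_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    grep -q '1\.2\.3\.4' "$file" ||
        { echo "$file has no 1.2.3.4 placeholder left to replace" >&2; return 1; }
    # Write to a temp file and rename, so a failed sed cannot leave a truncated inventory.
    sed "s/1\.2\.3\.4/$ip/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

gen_password() {
    # 32 characters from the OS CSPRNG, letters and digits only so the value
    # needs no quoting in YAML; log2(62^32) is about 190 bits of entropy.
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
    echo
}
```

From the cloned directory, `set_server_ip 203.0.113.7` rewrites `./hosts`, and `gen_password` prints one password per call; run it once per user and paste the output into `group_vars/all` (the user still has to receive it somehow, so keep it somewhere you can copy from later).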
- It's time to automatically set things up!!
  - Install `ansible` locally
    - Follow the official installation guide for your system
    - Optional: do this using your preferred method
  - Execute `manage.sh`
    - The ansible script should run without any errors
    - (Known quirk: the restarter role reports a failure when there is nothing for it to restart; the cause has not been tracked down)
    - When you run this playbook for the first time, you will need to restart the server before you can connect
    - todo: just restart the server every time the playbook is run, or similar
    - future: troubleshoot this issue in stouts or OpenVPN
  - To reconfigure or update your server you may run `manage.sh` again
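The first-run reboot is easy to forget and there is no check that OpenVPN actually came up afterwards, so here is an added wrapper (mine, not part of popup-openvpn) that runs `manage.sh`, reboots the droplet, waits for SSH to return and confirms the OpenVPN service is active. It assumes, as the README implies, that ansible logs in as `root@<IP>` with the key Digital Ocean installed; the systemd unit name `openvpn@server` and the `SSH`/`REBOOT_GRACE` overrides are my assumptions, so check the unit name on your droplet before relying on the last step.

```shell
#!/bin/sh
# Added example, not part of popup-openvpn: run the playbook, then do the
# first-run reboot the README requires and wait for the droplet to come back.
# Assumptions (mine): ansible logs in as root@<IP>, manage.sh takes no
# arguments, and OpenVPN runs as the systemd unit openvpn@server (check on the
# droplet with: systemctl list-units 'openvpn*' and adjust OPENVPN_UNIT).
SSH=${SSH:-ssh}                     # overridable so the helpers can be dry-run
SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=5"
OPENVPN_UNIT=${OPENVPN_UNIT:-openvpn@server}
REBOOT_GRACE=${REBOOT_GRACE:-10}    # seconds to let sshd actually go down

inventory_host() {
    # First address listed under [vpnservers] in the inventory ($1, default ./hosts).
    awk '/^\[vpnservers\]/ {f=1; next} /^\[/ {f=0} f && NF {print $1; exit}' "${1:-hosts}"
}

wait_for_ssh() {
    # Retry a no-op over SSH to root@$1 every 5 s until it works or $2 s elapse.
    host=$1; deadline=${2:-180}; waited=0
    until $SSH $SSH_OPTS "root@$host" true 2>/dev/null; do
        waited=$((waited + 5))
        [ "$waited" -lt "$deadline" ] || return 1
        sleep 5
    done
}

reboot_and_verify() {
    host=$1
    # The reboot drops the connection before ssh gets a clean exit; that is expected.
    $SSH $SSH_OPTS "root@$host" reboot 2>/dev/null || true
    sleep "$REBOOT_GRACE"
    wait_for_ssh "$host" || { echo "$host did not come back after reboot" >&2; return 1; }
    $SSH $SSH_OPTS "root@$host" systemctl is-active --quiet "$OPENVPN_UNIT" ||
        { echo "$OPENVPN_UNIT is not active on $host" >&2; return 1; }
    echo "$host is back and $OPENVPN_UNIT is running"
}

first_deploy() {
    # Read the address from the inventory so it is not typed a second time.
    host=$(inventory_host hosts)
    [ -n "$host" ] || { echo "no address under [vpnservers] in ./hosts" >&2; return 1; }
    ./manage.sh && reboot_and_verify "$host"
}
```

Call `first_deploy` from the cloned directory for the initial run; for later `manage.sh` runs, `reboot_and_verify <IP>` on its own is enough if you want to force the restart.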
- Send the .ovpn files to all your users
  - The ansible playbook copied the .ovpn files back to the computer you ran ansible from
  - Each .ovpn file is stored in `./openvpn_files/` (inside the `popup-openvpn` project directory)
  - Each user only needs the .ovpn file generated for them, plus their username and password
  - Treat the .ovpn file as a credential: use an encrypted channel where you can (see the iOS notes under the client step) and send the password separately from the file
  - You will open this file in your `OpenVPN Client`
- Install a client on each of your devices. You will need: `user`, `password`, `.ovpn file`
  - Client Recommendations
    - macOS: Tunnelblick
      - option: use `brew cask` to install (the `brew cask` subcommand has since been replaced by the `--cask` flag of `brew install`)
    - iOS (iPhone/iPad) App Store: OpenVPN Connect by OpenVPN Technologies
    - Android/Google Play store: OpenVPN Connect by OpenVPN Technologies
    - Linux
      - Arch has a good guide for this. Find a better way.
  - You will need to follow the client specific instructions
    - iOS | OpenVPN
      - You're going to want to go through this set-up process for iOS file syncing for the most secure way to share your `.ovpn` files. While you can send the file(s) through email, this is not recommended: email is often unencrypted, and will be unless you already have an end-to-end encryption system set up with the recipient. The guide for iTunes sync in that VikingVPN link is rather outdated, so please refer to this official support page for file syncing in iTunes 12.x (the most recent version as of writing).
      - Note: to connect you'll want to go through the OpenVPN app, sign in, and connect in-app after importing your `.ovpn` profile(s).
    - TODO: Assemble more links for client instructions
  - All your users need to do this step for all their devices
- Maintaining your server
  - TODO
  - Server: Digital Ocean Ubuntu 16.04.1 Release
  - Local `~/.ssh/id_rsa.pub` public key deployed to the remote root `authorized_keys` (the private key never leaves your machine)
    - This is done through Digital Ocean on droplet deployment
  - Use ansible vault to encrypt `group_vars/all`
  - Make a workflow for adding a new user and client certificate "for a friend"
  - Add an automatic updates tool.
  - Test this guide from very beginning to very end.
    - Beginning: Create a Digital Ocean Account
    - End: Install the ovpn cert and put the password in on all your devices
    - Very End: Maintaining your server
  - Deploy to the world at large (reddit? digital ocean article?)

The Stouts.openvpn repo is included as a subrepo in `/roles/Stoutsopenvpn`.
Some useful links and additions.

You might use this to encrypt your `group_vars/all`, which holds every user's password in plain text until you do:

- Encrypt a file: `ansible-vault encrypt foo.yml bar.yml baz.yml`
- Decrypt a file: `ansible-vault decrypt foo.yml bar.yml baz.yml`
  - Decrypting leaves the plaintext on disk; re-encrypt before you commit
- View file contents: `ansible-vault view foo.yml`
- Run the playbook with the vault password: `ansible-playbook site.yml --ask-vault-pass`
  - This is managed in `manage.sh`
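The easy way to undo the benefit of the vault is to `git commit` while `group_vars/all` is decrypted. Here is an added git pre-commit hook, mine and not part of popup-openvpn, that refuses the commit unless the staged copy of that file carries the `$ANSIBLE_VAULT;` header that `ansible-vault encrypt` writes. The `VAULT_FILES` variable and the hook installation path are my suggestions.

```shell
#!/bin/sh
# Added example, not part of popup-openvpn: a git pre-commit hook that refuses
# to commit group_vars/all while it is still plain text, so user passwords only
# ever reach git history in ansible-vault form. To use it (my suggestion):
# save as .git/hooks/pre-commit in your clone and chmod +x it.
VAULT_FILES=${VAULT_FILES:-group_vars/all}   # space-separated paths to protect

is_vault_encrypted() {
    # ansible-vault output starts with a "$ANSIBLE_VAULT;<format>;AES256[;id]"
    # header line; anything else on stdin (including an empty file) is plain text.
    IFS= read -r first_line || return 1
    case "$first_line" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

check_staged() {
    # $1 is the whitespace-separated list of staged paths. Inspect the staged
    # blob (git show :path), not the working copy, since that is what gets committed.
    status=0
    for f in $1; do
        for protected in $VAULT_FILES; do
            [ "$f" = "$protected" ] || continue
            if ! git show ":$f" | is_vault_encrypted; then
                echo "refusing commit: $f is not vault-encrypted; run: ansible-vault encrypt $f" >&2
                status=1
            fi
        done
    done
    return $status
}

# Hook entry point; does nothing when not running inside a git checkout.
if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    check_staged "$(git diff --cached --name-only --diff-filter=AM)" || exit 1
fi
```

The hook only checks the header, which is all that is needed to tell a vaulted file from a plaintext one; it does not prove the vault password is strong, so pick that password with the same care as the user passwords it protects.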