If you’re a road warrior like me, you’re often accessing the internet from insecure hotspots. All traffic that traverses an open wireless connection is subject to inspection, but furthermore even on untrusted secured wirelesses, you’re activity is subject to monitoring by those providing the internet (trusted or otherwise), as well as ISP providers, etc.
To help keep what you’re doing private, I suggest always using a secure VPN tunnel for all your roaming activity. This guide will show you how to setup your own VPN tunnel using Linode for only $5 per month! That’s right, why pay a third party company money for your privacy which costs more, and you get unlimited usage for yourself and whoever else you decide to provide access for.
Now to be clear upfront, the purpose of this setup is to provide secure tunneling when you’re on the road with untrusted networks such as hotels or coffee shops. Some of the reasons people use VPNs is to provide general internet privacy, which this setup will NOT provide. It does, however, allow you to appear to be connecting to the internet from another geographical location. They have 8 datacenters, spanning the US, Europe, and Asia Pacific. So when you’re on the internet you can configure it so that it appears your connecting from a different location then you’re actually located. There are other benefits available such as giving you an always fixed WAN IP address, so when you’re configuring security for your services, you can now lock down access to a specific remote IP. Think of only allowing remote connections to your server/services/etc from a single IP address. That provides much stronger security instead of just leaving remote access open.
Let’s get started with the configuration:
This post is going to assume you already have a basic Linode setup. Here is how to install the OpenVPN Server in a very simple way. That way, these instructions will work with any Ubuntu Linux Server. Leave comments if you’d like a full setup guide and I’ll throw it together for you.
- Remotely connect to your server (such as SSH)
- Login as root (or someone with sudo rights)
- Run the following from the command prompt:
wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh
- When prompted I suggest the following configuration:
- UDP (default)
- Port 1194 (default)
- DNS of 188.8.131.52 (see this link for more info)
- Enter a name for your first client name – this is unique for each client. So for example, I’ll call my first one Laptop
- The file is now available at /root/ under the filename equal to the client name you specified in step 4.4 — in our example /root/Laptop.ovpn
- Download that file to your local computer using the transfer method best for your system:
- Linux/MacOS use SCP
- Windows use Windows SCP
- You’ll want to download the OpenVPN client from https://openvpn.net/community-downloads/
- Install the Laptop.ovpn file you downloaded into OpenVPN client – for Windows, right click on the systray icon, choose import – from file. Choose the Laptop.ovpn file you copied from the server. After you choose the file it might take a minute or so, and you should see a notice that the file was imported successfully. Then check the systray icon again and you’ll now see the server WAN IP address listed. Then you simply click that IP address then connect, and you’re all set.
- The first time you initiate a connection you may be prompted to trust this unverified connection, this is because you’re using a self-signed certificate. For basic road warriors, this is sufficient. If you’re a corporate IT department, you might want to consider using your own certificate, either trusted or enterprise certs.
You can simply repeat steps 1-3 above, and at step 4 you’ll only be prompted for the client name. Do this for every device and/or user that needs to remotely access this server. For me, I use a separate key for my laptop, phone, and tablet. If they’ll be connected at the same time, you’ll need separate keys. You can also run through the same steps to revoke certificates – so you want to make sure you name them something logical, such as myAndroid, kidsiPhone, wifesLaptop, etc.