diff --git a/vpsvpnrouting/index.md b/vpsvpnrouting/index.md
index 2c38677..d2e3e82 100644
--- a/vpsvpnrouting/index.md
+++ b/vpsvpnrouting/index.md
@@ -1,100 +1,340 @@
-```
-author: Anonymous
+---
+author: Anticonformist
date: 2025-01-31
gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/320"
xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
+---
+
+# Using a VPS to route the traffic to a Self-hosted service (hiding your home public IP from the users)
+
+
+## Serverside Remote Setup : Openvpn server
+
+First we log on the VPS, to install the openvpn server using agristan's openvpn install script:
+```sh
+root@remoteserver ~ # curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
+root@remoteserver ~ # chmod +x openvpn-install.sh
+
+root@remoteserver ~ # ./openvpn-install.sh
+Welcome to the OpenVPN installer!
+The git repository is available at: https://github.com/angristan/openvpn-install
+
+I need to ask you a few questions before starting the setup.
+You can leave the default options and just press enter if you are okay with them.
+
+I need to know the IPv4 address of the network interface you want OpenVPN listening to.
+Unless your server is behind NAT, it should be your public IPv4 address.
+IP address: 65.199.39.253
+
+Checking for IPv6 connectivity...
```
-Tutorial: Using a VPS to Route Traffic to a Self-Hosted Service (Hiding Your Home Public IP)
-Importance of Hiding Your Home Public IP
+```sh
+Do you want to enable IPv6 support (NAT)? [y/n]: n
- Privacy and Security: Exposing your home public IP can lead to potential security risks, including targeted attacks, hacking attempts, and unauthorized access to your home network. By hiding your IP, you reduce the risk of these threats.
+What port do you want OpenVPN to listen to?
+ 1) Default: 1194
+ 2) Custom
+ 3) Random [49152-65535]
+Port choice [1-3]: 1
- Anonymity: When you host services from your home, users can trace back to your home IP address. Using a VPS (Virtual Private Server) allows you to maintain anonymity, making it harder for users to identify your physical location.
+What protocol do you want OpenVPN to use?
+UDP is faster. Unless it is not available, you shouldn't use TCP.
+ 1) UDP
+ 2) TCP
+Protocol [1-2]: 1
- Access Control: A VPS can act as a gatekeeper, allowing you to control who accesses your services. You can implement firewalls, VPNs, and other security measures to restrict access.
+What DNS resolvers do you want to use with the VPN?
+ 1) Current system resolvers (from /etc/resolv.conf)
+ 2) Self-hosted DNS Resolver (Unbound)
+ 3) Cloudflare (Anycast: worldwide)
+ 4) Quad9 (Anycast: worldwide)
+ 5) Quad9 uncensored (Anycast: worldwide)
+ 6) FDN (France)
+ 7) DNS.WATCH (Germany)
+ 8) OpenDNS (Anycast: worldwide)
+ 9) Google (Anycast: worldwide)
+ 10) Yandex Basic (Russia)
+ 11) AdGuard DNS (Anycast: worldwide)
+ 12) NextDNS (Anycast: worldwide)
+ 13) Custom
+DNS [1-12]: 11
- Performance and Reliability: VPS providers often offer better bandwidth and uptime compared to residential internet connections. This can lead to improved performance for your self-hosted services.
+Do you want to use compression? It is not recommended since the VORACLE attack makes use of it.
+Enable compression? [y/n]: n
-Solution Overview
+Do you want to customize encryption settings?
+Unless you know what you're doing, you should stick with the default parameters provided by the script.
+Note that whatever you choose, all the choices presented in the script are safe (unlike OpenVPN's defaults).
+See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.
-The solution involves setting up a VPS that acts as a reverse proxy for your self-hosted service. This means that all traffic to your service will go through the VPS, which will then forward the requests to your home server. This way, users will only see the VPS's IP address, not your home IP.
-Steps to Complete the Setup
+Customize encryption settings? [y/n]: n
- Choose a VPS Provider:
- Select a reputable VPS provider (e.g., DigitalOcean, Linode, AWS, or Vultr).
- Create an account and choose a plan that fits your needs (consider CPU, RAM, and bandwidth).
+Okay, that was all I needed. We are ready to setup your OpenVPN server now.
+You will be able to generate a client at the end of the installation.
+Press any key to continue...
+```
- Set Up the VPS:
- Deploy a new server instance with a Linux distribution (Ubuntu is a popular choice).
- Access your VPS via SSH using a terminal or command prompt:
+Then let it install the openvpn server as intended, then we need to create the client in the openvpn server directly, where we mention that its for the selfhosted-privatevm client:
-bash
+```sh
+Tell me a name for the client.
+The name must consist of alphanumeric character. It may also include an underscore or a dash.
+Client name: selfhosted-privatevm
- ssh root@your_vps_ip
-
+Do you want to protect the configuration file with a password?
+(e.g. encrypt the private key with a password)
+ 1) Add a passwordless client
+ 2) Use a password for the client
+Select an option [1-2]: 1
-Install Required Software:
+```
- Update the package list and install necessary software (e.g., Nginx or Apache for web services):
+From there the openvpn install script finished the serverside setup, and as we can see it created the openvpn client file for the privatevm in the root directory:
-bash
+```sh
+root@remoteserver ~ # cat selfhosted-privatevm.ovpn
+client
+proto udp
+explicit-exit-notify
+remote 65.199.39.253 1194
+dev tun
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+remote-cert-tls server
+verify-x509-name server_vCg0SCcC1z7L5umn name
+auth SHA256
+auth-nocache
+cipher AES-128-GCM
+tls-client
+tls-version-min 1.2
+tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
+ignore-unknown-option block-outside-dns
+setenv opt block-outside-dns # Prevent Windows 10 DNS leak
- sudo apt update
- sudo apt install nginx
-Configure the Reverse Proxy:
+verb 3
+
+-----BEGIN CERTIFICATE-----
+[REDACTED]
+---END CERTIFICATE-----
+
+
+-----BEGIN CERTIFICATE-----
+[REDACTED]
+-----END CERTIFICATE-----
+
+
+-----BEGIN PRIVATE KEY-----
+[REDACTED]
+-----END PRIVATE KEY-----
+
+
+#
+# 2048 bit OpenVPN static key
+#
+-----BEGIN OpenVPN Static key V1-----
+[REDACTED]
+-----END OpenVPN Static key V1-----
+
+```
- Edit the Nginx configuration file to set up the reverse proxy. Open the configuration file:
+Before we go forward, i recommend to edit it to avoid redirecting all traffic from the client to the server, since it's only a matter of enabling remote accesses, rather than using the openvpn as an actual clientside VPN:
-bash
+```sh
+root@remoteserver ~ # vim selfhosted-privatevm.ovpn
+root@remoteserver ~ # cat selfhosted-privatevm.ovpn
-sudo nano /etc/nginx/sites-available/default
+[...]
-Add the following configuration, replacing your_home_ip and your_service_port with your actual home IP and service port:
+ignore-unknown-option block-outside-dns
+setenv opt block-outside-dns # Prevent Windows 10 DNS leak
-nginx
- server {
- listen 80;
- server_name your_vps_domain_or_ip;
+### DONT REDIRECT ALL TRAFFIC VIA THE VPS ###
+pull-filter ignore "redirect-gateway"
+#############################################
- location / {
- proxy_pass http://your_home_ip:your_service_port;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
+verb 3
+
+[...]
+
+```
+
+## Serverside Self-hosted PrivateVM Setup : OpenVPN client
+
+Now that the openvpn server is setup properly we can log on the private vm that we [previously](../hypervisor_selfhosted/) setup on our homeserver:
+```sh
+user@clientside ~ $ ssh privatevm
+
+Linux localhost 6.1.0-34-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.135-1 (2025-04-25) x86_64
+Welcome to Kicksecure (TM)!
+https://www.kicksecure.com
+
+Kicksecure Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC
+Kicksecure is Freedom Software, and you are welcome to redistribute it under
+certain conditions; type "kicksecure-license" for details.
+Kicksecure is a compilation of software packages, each under its own copyright and
+license. The exact license terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Kicksecure GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law; for details type "kicksecure-disclaimer" .
+
+Kicksecure is a derivative of Debian GNU/Linux.
+
+Kicksecure is a research project.
+
+default user account: user
+default password: No password required. (Passwordless login.)
+
+Type: "kicksecure" for help.
+
+user@privatevm_selfhosted:~% curl 127.0.0.1
+welcome to the privatevm web server!
+
+user@privatevm_selfhosted:~%
+```
+
+From there, we install openvpn and import the openvpn client file:
+
+```sh
+user@privatevm_selfhosted:~% sudo apt install openvpn
+[sudo] password for user: ********************
+
+user@privatevm_selfhosted:~% cat privatevm_selfhosted.ovpn
+client
+proto udp
+explicit-exit-notify
+remote 65.199.39.253 1194
+dev tun
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+remote-cert-tls server
+verify-x509-name server_vCg0SCcC1z7L5umn name
+auth SHA256
+auth-nocache
+cipher AES-128-GCM
+tls-client
+tls-version-min 1.2
+tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
+ignore-unknown-option block-outside-dns
+setenv opt block-outside-dns # Prevent Windows 10 DNS leak
+
+### DONT REDIRECT ALL TRAFFIC VIA THE VPS ###
+pull-filter ignore "redirect-gateway"
+#############################################
+
+verb 3
+
+```
+
+From there, we can create the following systemd service to make sure that the openvpn service stays connected in the background:
+
+```sh
+user@privatevm_selfhosted:~% sudo vim /etc/systemd/system/vpn.service
+user@privatevm_selfhosted:~% sudo cat /etc/systemd/system/vpn.service
+
+[Unit]
+Description=VPN
+After=network-online.target
+Wants=network-online.target
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+Type=simple
+ExecStart=/usr/sbin/openvpn /home/user/privatevm_selfhosted.ovpn
+ExecStop=kill -9 $(pidof openvpn)
+Restart=always
+
+user@privatevm_selfhosted:~% sudo systemctl daemon-reload
+user@privatevm_selfhosted:~% sudo systemctl enable --now
+```
+
+From there, you can check if the VPN connection was successful:
+
+```sh
+user@privatevm_selfhosted:~% ip a
+
+[...]
+
+3: tun0: mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
+ link/none
+ inet 10.8.0.2/24 scope global tun0
+ valid_lft forever preferred_lft forever
+ inet6 fe80::71c7:e80c:740f:7db5/64 scope link stable-privacy
+ valid_lft forever preferred_lft forever
+```
+
+Here as you can see, the private VM has the 10.8.0.2 IP on the new tun0 interface that was created by openvpn, which indicates that it works as intended. Let's see if we can ping the remote server aswell via the VPN tunnel directly, via it's 10.8.0.1 IP:
+
+```sh
+user@privatevm_selfhosted:~% ping 10.8.0.1
+PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
+64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=48.5 ms
+64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=48.2 ms
+64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=47.6 ms
+```
+
+There you go! we just validated that both servers can now communicate with each other.
+
+## Serverside Remote Setup : Nginx reverse proxy
+
+You can also test from the remote server if you can access the openvpn client via it's 10.8.0.2 IP:
+```sh
+root@remoteserver ~ # curl 10.8.0.2
+welcome to the privatevm web server!
+```
+
+Now that the connection between the 2 servers has been correctly established via openvpn, we'll setup nginx on the remote server and configure it to act like a reverse proxy to make sure that the self-hosted web service is accessible from the outside, without revealing your home public IP to the end users:
+
+```sh
+root@remoteserver ~ # sudo apt install nginx -y
+root@remoteserver ~ # cd /etc/nginx
+root@remoteserver ~ # rm sites-*/default
+root@remoteserver ~ # vim /etc/nginx/sites-available/rproxy-selfhosted-privatevm.conf
+root@remoteserver ~ # cat /etc/nginx/sites-available/rproxy-selfhosted-privatevm.conf
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name test.yourdoma.in;
+
+ location / {
+ proxy_pass http://10.8.0.2:80/;
}
+}
+root@remoteserver ~ # ln -s /etc/nginx/sites-available/rproxy-selfhosted-privatevm.conf /etc/nginx/sites-enabled/
+root@remoteserver ~ # nginx -t
+nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
+nginx: configuration file /etc/nginx/nginx.conf test is successful
- Save and exit the editor.
+root@remoteserver ~ # nginx -s reload
+```
-Test the Configuration:
+## Testing from the Clientside
- Test the Nginx configuration for syntax errors:
+And now that the nginx service has been setup on the remote server to act like a reverse proxy, let's test if we can access the self-hosted web server as intended:
-bash
+```sh
+user@privatevm_clientside:~% curl http://test.yourdoma.in:80
+welcome to the privatevm web server!
-sudo nginx -t
+```
+And that's it! Now to highlight why this setup is important, as an end user, when i try to see what the public IP of the service is, i can only see that it is this remote server:
-If there are no errors, restart Nginx to apply the changes:
+```sh
+user@privatevm_clientside:~% ping test.nowhere.moe
+PING test.nowhere.moe (65.199.39.253) 56(84) bytes of data.
+64 bytes from test.nowhere.moe (65.199.39.253): icmp_seq=1 ttl=56 time=61.8 ms
-bash
+```
- sudo systemctl restart nginx
+This is ideal because that way you are hiding your home public IP from your end users as intended. Unlike how it would have been in case if you had port-forwarded your self-hosted services via your home router, which would've exposed your house public IP.
- Set Up Dynamic DNS (Optional):
- If your home IP address changes frequently, consider using a Dynamic DNS service (like No-IP or DuckDNS) to keep your home IP updated.
- Install a Dynamic DNS client on your home server to automatically update the DNS records.
-
- Secure Your VPS:
- Implement security measures such as setting up a firewall (using UFW or iptables), disabling root login, and using SSH keys for authentication.
- Consider setting up HTTPS using Let's Encrypt for secure connections.
-
- Access Your Service:
- Now, you can access your self-hosted service through the VPS's domain or IP address. Users will not see your home IP, only the VPS IP.
-
-Conclusion
-
-By following these steps, you can successfully route traffic to your self-hosted service through a VPS, effectively hiding your home public IP. This setup enhances your privacy, security, and control over your services.
\ No newline at end of file