selfhosting-blogposts/openvpn/index.md

---
search:
  exclude: true
---
# VPS-Hosted OpenVPN server:

![](../openvpn/logo.png)

You may want a VPS hosted vpn server in case you wish to conduct activities through a trusted vpn server. (which gives you the power over the logs).

![](../openvpn/openvpn.png)

With this solution, you can terminate the server itself if you want after you're done. 
    
    
    -DigitalOcean
    -Droplet (Debian 10)
    -Plan: Basic ($5/mo)
    -Location (a region that isn't where you live)
    -ssh keys or password
    

Once the droplet is created just log into it:
    
    
    
    	[ 192.168.122.1/24 ] [ /dev/pts/13 ] [~]
    	→ ssh root@164.90.155.222
    	The authenticity of host '164.90.155.222 (164.90.155.222)' can't be established.
    	ECDSA key fingerprint is SHA256:m829SX8NOlOUnlm2fzokZJ5XMT6gxJoyNceCYOB8gms.
    	Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    	Warning: Permanently added '164.90.155.222' (ECDSA) to the list of known hosts.
    	Linux debian-s-1vcpu-1gb-sfo3-01 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64
    	
    	The programs included with the Debian GNU/Linux system are free software;
    	the exact distribution terms for each program are described in the
    	individual files in /usr/share/doc/*/copyright.
    	
    	Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    	permitted by applicable law.
    	root@debian-s-1vcpu-1gb-sfo3-01:~#
    

## **Angristan's Script:**

Angristan made a very powerful script that allows us to run our own vps hosted vpn server very easily, check him out [here](https://github.com/angristan):
    
    
    wget https://raw.githubusercontent.com/ech1/serverside/master/ovpn/openvpn-install.sh
    chmod +x openvpn-install.sh
    ./openvpn-install.sh
    
    

for starters just hit enter at everything, if you know what you're doing feel free to change options during the installation.

for advanced users, i recommend trying out the openvpn on the 443 custom port to circumvent censorship in traffic restricted environments:
    
    
    root@Temple:~# ./openvpn-install.sh
    Welcome to the OpenVPN installer!
    The git repository is available at: https://github.com/angristan/openvpn-install
    
    I need to ask you a few questions before starting the setup.
    You can leave the default options and just press enter if you are ok with them.
    
    I need to know the IPv4 address of the network interface you want OpenVPN listening to.
    Unless your server is behind NAT, it should be your public IPv4 address.
    IP address: 78.141.239.68
    
    Checking for IPv6 connectivity...
    
    Your host does not appear to have IPv6 connectivity.
    
    Do you want to enable IPv6 support (NAT)? [y/n]: y
    
    What port do you want OpenVPN to listen to?
       1) Default: 1194
       2) Custom
       3) Random [49152-65535]
    Port choice [1-3]: 2
    Custom port [1-65535]: 443
    
    What protocol do you want OpenVPN to use?
    UDP is faster. Unless it is not available, you shouldn't use TCP.
       1) UDP
       2) TCP
    Protocol [1-2]: 12
    Protocol [1-2]: 2
    
    What DNS resolvers do you want to use with the VPN?
       1) Current system resolvers (from /etc/resolv.conf)
       2) Self-hosted DNS Resolver (Unbound)
       3) Cloudflare (Anycast: worldwide)
       4) Quad9 (Anycast: worldwide)
       5) Quad9 uncensored (Anycast: worldwide)
       6) FDN (France)
       7) DNS.WATCH (Germany)
       8) OpenDNS (Anycast: worldwide)
       9) Google (Anycast: worldwide)
       10) Yandex Basic (Russia)
       11) AdGuard DNS (Anycast: worldwide)
       12) NextDNS (Anycast: worldwide)
       13) Custom
    DNS [1-12]: 11
    
    Do you want to use compression? It is not recommended since the VORACLE attack make use of it.
    Enable compression? [y/n]: n
    
    Do you want to customize encryption settings?
    Unless you know what you're doing, you should stick with the default parameters provided by the script.
    Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)
    See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.
    
    Customize encryption settings? [y/n]: n
    
    Okay, that was all I needed. We are ready to setup your OpenVPN server now.
    
    [...]
    
    
    Tell me a name for the client.
    Use one word only, no special characters.
    Client name: nothing
    
    Do you want to protect the configuration file with a password?
    (e.g. encrypt the private key with a password)
       1) Add a passwordless client
       2) Use a password for the client
    Select an option [1-2]: 2
    ⚠️ You will be asked for the client password below ⚠️
    
    Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
    Using SSL: openssl OpenSSL 1.1.1j  16 Feb 2021
    Generating an EC private key
    writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-4185644.tXXER0/tmp.mzvtcc'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-4185644.tXXER0/tmp.prBOSr
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    commonName            :ASN.1 12:'nothing'
    Certificate is to be certified until Apr 13 15:51:09 2024 GMT (825 days)
    
    Write out database with 1 new entries
    Data Base Updated
    
    Client nothing added.
    
    The configuration file has been written to /root/nothing.ovpn.
    Download the .ovpn file and import it in your OpenVPN client.
    

you can even hide that it's a openvpn server on 443 tcp by using the port-sharing feature:
    
    
    [ nowhere.moe ] [ /dev/pts/8 ] [/etc/openvpn]
    → cat /etc/openvpn/server.conf | grep 443
    port-share 127.0.0.1 443
    
    

IF YOU'RE ON ARCH LINUX DONT FORGET TO DO THIS (as instructed [here](https://github.com/angristan/openvpn-install/issues/788)):
    
    
    sudo  chown -R openvpn.network /var/log/openvpn /etc/openvpn/
    
    systemctl restart openvpn-server@server.service
    
    

## **Getting the .ovpn file:**

To get the ovpn file just use python's simplehttpserver module
    
    
    root@debian-s-1vcpu-1gb-sfo3-01:~# ls -lash | grep ovpn
    4.0K -rw-r--r--  1 root root 2.7K Aug 12 15:41 nothing.ovpn
    root@debian-s-1vcpu-1gb-sfo3-01:~# python -m SimpleHTTPServer 9099
    Serving HTTP on 0.0.0.0 port 9099 ...
    
    

then just download it to your local machine:
    
    
    [ 192.168.122.1/24 ] [ /dev/pts/7 ] [~]
    → wget http://164.90.155.222:9099/nothing.ovpn
    --2020-08-12 18:43:48--  http://164.90.155.222:9099/nothing.ovpn
    Connecting to 164.90.155.222:9099... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 2764 (2.7K) [application/octet-stream]
    Saving to: ‘nothing.ovpn’
    
    nothing.ovpn               100%[=====================================>]   2.70K  --.-KB/s    in 0s
    
    2020-08-12 18:43:48 (52.1 MB/s) - ‘nothing.ovpn’ saved [2764/2764]
    
    
    [ 192.168.122.1/24 ] [ /dev/pts/7 ] [~]
    → ls -lash | grep ovpn
     12K -rw-r--r--  1 nothing nothing 9.3K Aug  3 12:18 nihilist777.ovpn
    4.0K -rw-r--r--  1 nothing nothing 2.7K Aug 12 16:41 nothing.ovpn
    

And that's it, you may now use the .ovpn file with whatever client you wish for example openvpn or your distro's built in vpn utility:

![](../openvpn/001.png)
    
    
    [ 10.99.99.1/24 ] [ /dev/pts/22 ] [~]
    → sudo openvpn nothing.ovpn
    [sudo] password for nothing:
    2022-01-09 16:52:42 Unrecognized option or missing or extra parameter(s) in nothing.ovpn:18: block-outside-dns (2.5.5)
    2022-01-09 16:52:42 OpenVPN 2.5.5 [git:makepkg/869f194c23ae93c4+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 15 2021
    2022-01-09 16:52:42 library versions: OpenSSL 1.1.1m  14 Dec 2021, LZO 2.10
    🔐 Enter Private Key Password: *********
    
    

Now if you want the openvpn service to start at bootup, do the following:
    
    
    [ 10.8.0.5/24 ] [ /dev/pts/22 ] [~]
    → sudo vim /etc/systemd/system/vpn.service
    
    [ 10.8.0.5/24 ] [ /dev/pts/22 ] [~]
    → cat /etc/systemd/system/vpn.service
    [Unit]
    Description=VPN
    After=network-online.target
    Wants=network-online.target
    
    [Service]
    Type=simple
    ExecStart=/usr/sbin/openvpn /home/nothing/nothing0mainpc.ovpn
    ExecStop=kill -9 $(pidof openvpn)
    Restart=always
    
    [Install]
    WantedBy=multi-user.target
    
    [ 10.8.0.5/24 ] [ /dev/pts/22 ] [~]
    → systemctl daemon-reload
    ==== AUTHENTICATING FOR org.freedesktop.systemd1.reload-daemon ====
    Authentication is required to reload the systemd state.
    Authenticating as: nothing
    Password:
    ==== AUTHENTICATION COMPLETE ====
    
    
    

And then from there you can start and stop your vpn like so:
    
    
    [ 10.8.0.5/24 ] [ /dev/pts/22 ] [~]
    → sudo systemctl start vpn
    
    [ 10.8.0.5/24 ] [ /dev/pts/22 ] [~]
    → sudo systemctl stop vpn
    
    

And to enable it at each system bootup:
    
    
    [ 10.8.0.5/24 ] [ /dev/pts/22 ] [~]
    → sudo systemctl enable vpn
    Created symlink /etc/systemd/system/multi-user.target.wants/vpn.service → /etc/systemd/system/vpn.service.
    
    

To avoid your vpn config from routing all traffic to the server, just add this line in the .ovpn file:
    
    
    pull-filter ignore redirect-gateway
    
    

## **Check that the ip is different:**

You can check it on [ipleak.net](https://ipleak.net/):

![](../openvpn/002.png)

And that's it! you now have your own self hosted vpn server.