Make a self hosted VPN in 15 minutes.
If you can 'kind of run a server', then you can manage this.
Give all your non-technical friends a free VPN!
Companies like Verizon, AT&T, and Comcast have already developed tools to sell police bulk access to your data without a warrant. Isn't this illegal spying? Not if your internet provider does it as a service!
Do you want every corrupt government contractor to have access to your browser history? Right now, they often do.
- Make an account and get a $10 free credit at Digital Ocean
  - skip this step if you have an account already
  - disclaimer: I get some free credit when you use this link. Thanks!
- Add your `SSH key` to Digital Ocean
  - Enter the Digital Ocean web interface
  - go to `settings->security->SSH keys`
  - Paste your key, found by default at `$HOME/.ssh/id_rsa.pub`
    - tip: make a key with `ssh-keygen`
      - danger: `ssh-keygen` WILL overwrite your current key without warning
  - On server creation, the key will be added to the server's `root` user's `authorized_keys`
    - `ansible` uses the default SSH key: `~/.ssh/id_rsa.pub`
      - you can manually set a key as a command line argument in `manage.sh`
- Create a new server on Digital Ocean
  - Choose the `Ubuntu 16.04.1 x64` base image
    - Use the $5 option
  - Choose a datacenter near you for low latency.
  - Check your preferred `ssh key` under `Add your SSH keys`
  - Choose a hostname like `popup-openvpn`
  - Do not check `use IPv6`
  - Notes
    - You will have 1 terabyte of monthly transfer
    - They call a `server` a `droplet`
- Configure this repo for your users
  - Clone this repository on your local computer
    - `git clone --recursive https://github.com/robbintt/popup-openvpn.git`
  - Configuration files: `hosts`, `group_vars/all`
  - Add the IP address of the server to your `hosts` file
    - The `IP address` is available in your Digital Ocean dashboard
    - In the `[vpnservers]` section, replace the default 1.2.3.4 with your server's IP address
  - Add each of the following to your `group_vars/all`
    - You need at least one user and password
    - `user` - any username is fine in user
    - `password` - use a strong password
    - `openvpn_client` - any name is fine -- the default is `myvpn1` etc.
    - Replace or delete the example users and passwords entirely
    - You can add as many openvpn_client sections and user/passwords as you wish
    - IMPORTANT: Delete any extra user lines and unnecessary example certificates, e.g. `myvpn3`, `myvpn4`
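A preflight check for the two config files edited in this step, added here as an example and not part of the popup-openvpn project. It assumes `hosts` is an INI-style Ansible inventory with a `[vpnservers]` section and that `group_vars/all` is YAML with `password:` lines and client names like `myvpn1`; the 16-character minimum is our own bar for "strong password", so adjust the patterns and limit if your files differ.

```python
# Added preflight for popup-openvpn's `hosts` and `group_vars/all` (not project code).
# Assumes the file layouts described in the lead-in; adjust the patterns otherwise.
import ipaddress
import re

PLACEHOLDER_IP = "1.2.3.4"               # default shipped in the hosts file
EXAMPLE_CLIENTS = {"myvpn3", "myvpn4"}   # example certs the guide says to delete
MIN_PASSWORD_LEN = 16                    # assumption: our bar for "strong password"


def check_hosts(text):
    """Return a list of problems found in the [vpnservers] section."""
    problems, section, servers = [], None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "vpnservers":
            servers.append(line.split()[0])       # host first, inventory vars after
    if not servers:
        problems.append("no hosts in [vpnservers]")
    for host in servers:
        if host == PLACEHOLDER_IP:
            problems.append("placeholder %s still present in [vpnservers]" % host)
            continue
        try:
            ipaddress.ip_address(host)
        except ValueError:
            problems.append("not an IP address: %s" % host)
    return problems


def check_group_vars(text):
    """Return a list of problems with users, passwords and client names."""
    problems = []
    passwords = re.findall(r"^\s*password:\s*['\"]?([^'\"\n]*)", text, re.M)
    if not passwords:
        problems.append("no user/password defined in group_vars/all")
    for pw in passwords:
        if len(pw.strip()) < MIN_PASSWORD_LEN:
            problems.append("weak password (shorter than %d chars)" % MIN_PASSWORD_LEN)
    leftover = sorted(EXAMPLE_CLIENTS & set(re.findall(r"\bmyvpn\d+\b", text)))
    if leftover:
        problems.append("example clients still present: %s" % ", ".join(leftover))
    return problems
```

Run both checks on the file contents before executing `manage.sh`; an empty list from each means the placeholders and example entries are gone.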
- It's time to automatically set things up!!
  - Install `ansible` locally
    - Follow the official installation guide for your system
    - Optional: do this using your preferred method
  - execute: `manage.sh`
    - The ansible script should run without any errors
      - (The restarter role fails if it doesn't need to restart or something)
    - When you run this playbook for the first time, you will need to restart the server before you can connect.
      - todo - just restart the server every time the playbook is run or something
      - future - troubleshoot this issue in stouts or OpenVPN
  - To reconfigure or update your server you may run `manage.sh` again
- email the .ovpn files to all your users
  - The ansible playbook transferred the .ovpn files to the computer you ran ansible from
  - Each ovpn file is stored in `./openvpn_files/` (inside the `popup-openvpn` project directory)
  - Each user only needs the ovpn file generated for them. They also need their username and password
  - You will open this file in your `OpenVPN Client`
- Install a client on each of your devices. You will need: `user`, `password`, `.ovpn file`
  - Client Recommendations
    - macos: Tunnelblick
      - option: use `brew cask` to install
    - iphone app store: `OpenVPN` by OpenVPN Technologies
    - android app store: `OpenVPN Connect` by OpenVPN Technologies
    - Linux
      - Arch has a good guide for this. Find a better way.
  - You will need to follow the client specific instructions
    - TODO: Assemble links for client instructions
  - All your users need to do this step for all their devices
- Maintaining your server
  - TODO
  - Server: Digital Ocean Ubuntu 16.04.1 Release
  - Local `~/.ssh/id_rsa.pub` public key deployed to remote root `authorized_keys`
    - This is done through Digital Ocean on droplet deployment
  - Use ansible vault to encrypt `group_vars/all`
  - Make a workflow for adding a new user and client certificate "for a friend"
  - Add an automatic updates tool.
  - Move Stouts.openvpn default to 2048 bit certificate.
    - People are probably breaking 1024 keys
    - Add variables in `group_vars/all`
    - needs testing
  - Test this guide from very beginning to very end.
    - Beginning: Create a Digital Ocean Account
    - End: Install the ovpn cert and put the password in on all your devices
    - Very End: Maintaining your server
  - Deploy to the world at large (reddit? digital ocean article?)

The Stouts.openvpn repo is included as a subrepo in `/roles/Stoutsopenvpn`.
Some useful links and additions.
You might use this to encrypt your `group_vars/all`
- Encrypt a file: `ansible-vault encrypt foo.yml bar.yml baz.yml`
- Decrypt a file: `ansible-vault decrypt foo.yml bar.yml baz.yml`
- View file contents: `ansible-vault view foo.yml`
- Run Playbook w/ Vault password: `ansible-playbook site.yml --ask-vault-pass`
  - This is managed in `manage.sh` in this script