

OpenVPN installation and configuration

When deciding what to use to build your own VPN, a nice challenge is to take an old laptop or a Raspberry Pi, combine it with OpenVPN and do everything yourself. That is what we'll do here, but remember there are multiple ways to deploy such a service.

Prerequisites

Let's see what we need to run such a service on our own machine.

Hardware

Here we'll use an old HP laptop as the machine, with Debian 12 as the OS, but you could use almost any hardware/software combination, even a VM if you want. We chose a physical machine because we had a spare one, and also because if our hypervisor goes down at some point, the virtual machines may fail to start back up and the VPN would be gone with them, meaning we could have to be on site to bring it back.

Software

On your Linux distribution, you must have the package curl installed to follow this installation. If you don't, here's how to install it using apt:

sudo apt update && sudo apt install curl

Installation

First we'll download an installer file, and then run it:

curl -O https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh

The file won't be seen as an executable, so we need to change that:

chmod +x ./openvpn-install.sh

Then we run it with root privileges:

sudo ./openvpn-install.sh

Now the installation process has started, and it should be pretty simple to follow. Normally the script is able to fill in the options by default, but we'll still go through each of them.

First, you are prompted to enter the machine address. If you use a hosted machine, enter its public IP. Here we have a machine on our home network, therefore behind NAT, so it auto-completes with its local IP (192.168.1.2 for example).

Then, if behind NAT (which is our case), you are prompted to enter the public IP of your network. Ours was auto-completed, but if it wasn't, we could have gone to https://www.whatismyip.com (for example) to get our public IP and enter it into the prompt. You could also use a public hostname that points to you.

Next, if your host has IPv6 support, you're asked if you want to use it. You're free to choose either; we chose yes.

Then you can choose the port for your VPN. We don't recommend using the default port for security reasons, so use a custom or a random one. We chose random, but you may want an easy-to-remember one, or maybe you have already decided which one you'd use. Try to remember the port, as it'll be useful later.

Now, select the protocol. UDP is recommended for a VPN; use TCP only if you don't have any other choice.

The installer now needs you to choose a DNS resolver. If you don't know which one to use, you can keep the default as we did.

Then you have to choose whether you want to use compression and whether to customize the encryption. We said no to both, as compression is exploited by a known attack and the other requires you to know what you are doing.

After all that, the installer has everything it needs and you are prompted to press any key for it to start the real setup.

It'll start downloading the right packages for OpenVPN to run and to be secure.

Et voilà, after some time the prompt stops, and OpenVPN is installed and the client configuration starts.

Adding a client to your VPN

If you followed the last chapter about OpenVPN installation, the script directly asks you to enter a client name. If not, you should re-run the openvpn-install.sh script with root privileges.

Here we'll enter the client we'll use outside our place (usually your lab/work/school laptop). For example, if your laptop is named “balthasar” then you enter “balthasar”, simple.

Then you have to choose whether you want to protect the configuration file with a password. The default is no, but we are never too secure, so we chose yes.

You will now be prompted to enter the passphrase protecting the config file, and to repeat it, which we did.

And there you are, the client configuration file is generated and put in /root/balthasar.ovpn. The certificate is in /etc/openvpn/easy-rsa/pki/issued/balthasar.crt.

Port forwarding

Last thing to do server side: the port forwarding. If your server is not behind NAT, it directly has a public IP and you can skip this step.

So, remember the port you chose when doing the server configuration? You'll have to use it now. If you don't remember it, you can check it in the OpenVPN configuration file:

head -n 1 /etc/openvpn/server.conf

Now you'll have to add a rule to your router so it redirects packets arriving on that port to the same port on the machine on your local network. Also remember the protocol you chose; it should be UDP as recommended.
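Before creating the router rule, it is worth reading both the port and the protocol from server.conf rather than relying on the first line, and confirming the service is actually bound to them. The script below is an added example, not part of the original page or of the installer; the CONF_PATH variable and the sample config values are assumptions.

```shell
#!/bin/sh
# Added example: read the port/protocol OpenVPN will listen on from its
# server.conf and check that something is really bound there before
# forwarding that port on the router. CONF_PATH is an assumed variable;
# without it a constructed sample config is parsed instead.

# Print "proto port" for an OpenVPN server config (defaults: udp 1194).
ovpn_listen_spec() {
    conf="$1"
    # OpenVPN honours the last occurrence of a directive, so keep the last one seen.
    port=$(awk '$1 == "port" { p = $2 } END { print (p == "" ? "1194" : p) }' "$conf")
    proto=$(awk '$1 == "proto" { r = $2 } END { print (r == "" ? "udp" : r) }' "$conf")
    # udp6 / tcp-server / tcp6-server are still UDP or TCP on the wire.
    case "$proto" in
        udp*) proto=udp ;;
        tcp*) proto=tcp ;;
    esac
    printf '%s %s\n' "$proto" "$port"
}

# Return 0 if a listening socket of that protocol exists on that port (via ss).
ovpn_is_listening() {
    proto="$1"; port="$2"
    if [ "$proto" = udp ]; then flag=-u; else flag=-t; fi
    # Local address column ends in ":<port>" followed by whitespace; peer is ":*".
    ss -ln "$flag" 2>/dev/null | grep -qE ":$port[[:space:]]"
}

# Constructed sample config (example values, not the page's real server.conf).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
port 48213
proto udp6
dev tun
user nobody
group nogroup
EOF

spec=$(ovpn_listen_spec "${CONF_PATH:-$SAMPLE_CONF}")
set -- $spec
echo "forward $1/$2 on the router to this host's LAN address"
if ovpn_is_listening "$1" "$2"; then
    echo "ok: a $1 socket is listening on port $2"
else
    echo "warning: nothing listens on $1/$2 yet (is the openvpn service running?)"
fi
rm -f "$SAMPLE_CONF"
```

Run it as CONF_PATH=/etc/openvpn/server.conf sh check-ovpn.sh on the server itself; a warning means the router rule would forward to a closed port.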

You should now be all set server-side, what a pleasure.

Client connection

For the connection, you'll have to transfer the OpenVPN profile to the client you want to connect with. If you haven't moved it, the profile is still at /root/balthasar.ovpn (or whatever name you chose). You can transfer it to as many clients as you like, using whatever method you like, but try not to let it fly around on the internet.

Now that you have the profile on the client, you can use OpenVPN Connect (for Windows and Android) or the openvpn command directly on Linux, feed it the profile, enter the password if you set one, and it should connect.

For testing it, we recommend using a phone on cellular data, or any machine connected to a different network. Once connected, you should be able to ping any of the machines that are on the same private network as your VPN.

Et voilà, you now know how to set up your own VPN, create users, and use the VPN, all via the OpenVPN service.

installs/vpn/openvpn.1711540954.txt.gz · Last modified: 2024/03/27 12:02 by elraphik