
How to Make Your Own VPN (And Why You Would Want to)

May 30, 2021
This video is brought to you by Linode. The video is divided into several sections, and since YouTube has this amazing new feature, you don't even need to leave a comment, which is amazing. It's been almost half a year since I made this video. Unfortunately it has become one of the most popular videos on my channel, and while I stand by most of the things I said in it, I wish I had argued my point better and provided some of the alternatives to VPN services. This is exactly what I'm going to do in this video.
I want to start this video by saying that even if you only use a VPN to access Pornhub or things like that, you might still be interested in what I have to say. Even if you only use a VPN to watch Netflix or download Linux ISOs, you are still sharing the rest of your internet traffic with your VPN provider, and this could be a problem from a privacy point of view. If you don't care about privacy, that's fine too; I'm not here to lecture or judge you, and if you only use a VPN for these specific purposes and you are completely okay with that, this video is not for you. However, for privacy-conscious people, I will show you how to use your VPN only for some applications and your ISP connection for the others. The second part of this video will address those specific use cases and should be available here, and if my finger is not pointing at anything, that means that part is still in progress, so please be patient. So, there is this great VPN video from a guy called Tom Scott, and it's much better than my original VPN video. I highly recommend you watch it; however, I know you guys are lazy and not going to do that, so let me just summarize it in quick bullet points and add some of my own thoughts.

VPN services will tell you that your ISP can track your every move and see everything you do on the internet. This is a lie. Every website with a green padlock in the address bar has its content encrypted in transit with HTTPS. HTTPS encrypts the content of the websites you visit as well as the full URLs, so in the end the only thing the ISP can see is the domain names of the websites you visit, but "your ISP sees which domains you visit" just doesn't sound as scary as "your ISP is spying on everything you're doing". VPN companies will tell you that your credit card information and private bank account details are at risk, and that every time you use a public Wi-Fi network like the one at an airport or coffee shop, a malicious hacker can steal them.
This is also a lie. When HTTPS did not exist and websites were not encrypted, a hacker could steal information, including banking data, because none of that data was encrypted. Today that is simply not the case, because any more or less serious website uses HTTPS to encrypt information in transit, yes, even on public Wi-Fi networks, and when this encryption is broken, your browser will tell you. VPN companies will tell you that they use the latest state-of-the-art military-grade encryption to protect your traffic from CIA and NSA agents and from your ISP. Technically that's not a lie: AES is used in some military applications, but it's also used on almost every website you visit daily. In fact, I was quite surprised to see how many people in the comments claiming to be security experts insisted that HTTPS doesn't encrypt anything and only serves as a certificate authority, which is really baffling to me. So yeah, it's not a lie per se, but a fraudulent marketing trick.
Last but not least, many VPN services will tell you that your ISP is selling your information to the highest bidder, and what you need to ask yourself in this situation is: what prevents the VPN provider from doing the same? The websites of major VPN providers like NordVPN, PIA and PureVPN are full of promises like "we don't sell logs to anyone at all" and "100 percent no-logging policy, audited by a security company", but that's all they are: promises, and there is nothing stopping those VPN services from breaking them. You could say, well, if a company breaks its promise,
it's just going to close because customers won't trust it anymore, but is that true? In 2017, PureVPN helped the FBI arrest Ryan Lin on cyberstalking charges. The FBI managed to obtain records from PureVPN confirming that the Gmail account he used to send threats was accessed from a PureVPN IP, which in turn was linked to his home IP address. Let's take a look at PureVPN's logging policy at that time: "We do not keep any logs that could identify or help monitor user activity. You are even invisible to us. We cannot see what you do online; we do not monitor user activity or keep any logs, therefore we have no records of your activities, such as what software you used, what websites you visited, what content you downloaded, what applications you used, etc., after connecting to any of our servers." And guess what, PureVPN is still in business and clearly has enough money to run ads for its services.
Fun fact: they also claim to have undergone a security audit, so there's that. I'm sure there are some VPNs that the authorities asked to hand over logs and which didn't, like ExpressVPN or PIA, but almost all the major VPN providers have a skeleton in the closet. Private Internet Access was recently acquired by an Israel-based company called Kape Technologies, which is known for infecting its users with malware and adware, and its owner, Teddy Sagi, reportedly has ties to Israeli intelligence services. One of the servers owned by NordVPN was hacked in 2017. Yes, it was not physically hacked, but it was hacked using a remote access vulnerability. According to the company, no user data was stolen or compromised, but somehow
they still felt the need to hide this information from their users for two years. So in the end, no matter how secure and reliable a VPN service seems to you, if they tell you that they have undergone security audits and have a no-logs policy, you simply have to take their word for it. When it comes to better, more private ways to browse the web, in my opinion there are only two options: Tor and a self-hosted VPN. Tor was developed on behalf of the US intelligence community, and that raises some uncomfortable questions, to say the least, but guess what: Tor is also completely free and open source, so if you have any doubts about how secure and private it is, you're always free to examine the code yourself. Speaking of US intelligence, the NSA is definitely not happy about it.
Der Spiegel's late-2014 report on Tor, based on a new cache of Snowden leaks, revealed that as of 2012 the NSA considered Tor alone a significant threat to its mission and even classified it as "catastrophic", meaning a total loss of knowledge about target communications. That says something, I guess. Tor is what you want to use for all the sensitive and private stuff: if you want to Google something embarrassing that you don't want anyone to know about, bypass censorship in your country, bypass geoblocks, or maybe visit a website that could get you in trouble with the local police.
The way it works, in simple terms, is that your traffic bounces between different nodes, and each node only sees the two nodes adjacent to it, so in the end, when the traffic leaves through the so-called exit node, the website cannot see where you originally came from, and at the same time your ISP cannot see where you are actually going. We don't have all day, though, so here's a video from Techquickie; they explain things quickly, hence the name. Although Tor is great for privacy and anonymity, it's too slow, so if you want to watch Netflix or play online games, what you want is a self-hosted VPN: use it for all the latency-, speed- and bandwidth-sensitive use cases that Tor doesn't work for. The difference is that in the case of VPN services you are never sure whether they keep logs, sell your data or monetize your traffic, while in the case of a self-hosted VPN, you decide all those things.
You are sure that your VPN doesn't keep logs because you were the one who disabled them. You are sure that your OpenVPN binary is not compromised because you were the one who downloaded it from the official repositories or compiled it from source (yes, you can do that). You are also sure that your server is safe from tampering because you enabled two-factor authentication for SSH, and since your VPS uses KVM, the only way to spy on your activities is by dumping and decrypting the contents of RAM, which is tedious and time-consuming. In the case of VPN services, yes, they tell you they do all those things too, but at this point I can't blame anyone who has trust issues with VPN services. Plus, renting a VPS is cheap: most starter plans will cost you around five dollars a month, and usually the starter plan is all you want. To be honest, many big VPS providers always have discounts and offers, similar to VPN services. One more thing to keep in mind is that if your VPN use case depends on changing your location
often, this won't work as well, because you pretty much have to rent an additional VPS for each location you want to use, so in this case using a VPN service will definitely be a better idea. So yeah, a little change of scenery here, but let's go back to the initial topic: if we want to host our own VPN, we must decide where to host it. There are many VPS providers that offer plans for as little as two dollars a month, but there are a few things you should consider before choosing a VPS provider. The first one is the virtualization technology. Most VPS providers nowadays use KVM or Xen, and those two technologies are good; what you want to avoid is OpenVZ. This is a container-based virtualization technology, and the virtual machines
running on it use a very old version of the Linux kernel that does not support many modern applications such as Docker or WireGuard. Aside from that, the nature of this technology also makes it very easy for VPS providers to spy on your activities, and this is something you definitely don't want. The second is the IPv4 address. This is not that important, as the vast majority of VPS providers will give you a dedicated IPv4 address; however, since we are now facing a shortage of IPv4 addresses, this could become more relevant in the future, and even now some very, very cheap VPS providers will only give you an IPv6 address, so keep that in mind. Last but not least, the location is self-explanatory, but you still want to choose it according to your needs and how you
are going to use the VPN. For example, if you want to watch American Netflix, you have to choose an American location. If you want to use it as a seedbox, don't choose Germany, Austria or Switzerland, as those countries have very strict anti-piracy laws. If you want to use your VPN for online gaming, keep in mind that the farther the server is physically from you, the higher its latency will be. And if you're really serious about privacy, make sure you choose a VPN location that's outside of the 14 Eyes. Mind you, this isn't exactly a high bar to clear, but Linode, which, by the way, sponsored this video, ticks all the boxes and has plenty of locations to choose from.
They were also kind enough to give you 20 credits toward your first cloud server, just because. That being said, a bit of doubt is always good, so if you think I'm biased, feel free to choose something else, compare prices and do your own research. There are plenty of VPS providers to choose from, so if one doesn't have your preferred location or the features you want, there are always plenty of others. So what I'm going to do now is take the 20 credits from Linode, set up my account, and that's it; now I'm ready to create our own VPN server.
After registering on the website and confirming your email, you will need to enter a few details, including your name, address and credit card information, which will be pretty much the same for all VPS providers, although some of them also accept Bitcoin or other cryptocurrencies. The next thing we need to do is add a server, or as Linode calls it, a Linode. There are many distros to choose from, and if you want you can even choose Gentoo or Arch, but for this tutorial I will use the latest version of Ubuntu, 20.04. You'll also want to choose the location. I'm going to choose the UK, as it is the closest to me physically.
We will take the cheapest Nanode plan, and even if you later decide to set up a mail server, a Nextcloud instance or a personal blog, this configuration will still be more than enough. The Linode label is not that important, and neither are the tags; I'll call mine Wolfgang's VPN. After that you'll be able to choose the root password and upload an SSH key, which we're not going to do now, and I'll explain why later. Finally, tick the box that says Private IP and click the Create button on the right, and here we go, our server is created.
You should now see your server control panel. While the server starts up, let's generate the SSH keys. Using a plaintext password to log in to your server is never a good idea, as the password is not encrypted in transit and can be exposed on a hostile network. By creating an SSH key, we make it so that you can only log in to your server if you have both the key file and its password, and at the same time the password will be encrypted. If you are using Linux, you probably already know how to open a terminal. On Windows, you will need to open PowerShell with administrator privileges and install SSH using this command. By the way, I'll put all of these commands in the video description, so if you prefer to follow a text version of this tutorial, just check the video description. We'll use the RSA algorithm with a key size of 4096, which is the recommended choice as it is considered secure and widely supported. Just press Enter when prompted for the location of the key to save it to the default, and then enter your password of choice. Now our server has started and we are ready to log in: copy the IP address from the server control panel, go back to the terminal and type ssh root@ followed by the IP address, type yes, enter the root password that you specified in the first step, and that's it. First of all, let's update our operating system and software: type apt-get update && apt-get upgrade.
Also install my favorite text editor, or feel free to use whatever you want, for example nano. As convenient as it is not to have to enter the root password every time I have to do something, I personally prefer to create a user account and not expose root. Logging into an SSH server as root is probably not a good idea even if you have multi-factor authentication. Call me paranoid, but I think having to enter the root password sometimes is the price I'm personally willing to pay for some sense of security. Type useradd -G sudo -m followed by your username of choice and -s /bin/bash, which will create a user, set bash as its default shell, and allow it to use sudo.
More attentive Linux users might have noticed that I wrote a lowercase g instead of an uppercase G; make sure the G is uppercase, because the lowercase -g is used to specify the primary user group, which we don't want in this case. Next, create a password for our user using passwd followed by the username, enter your password twice, and that's it. Now that we have created our user, it is a good time to copy the public SSH key to the server: open a second terminal window for your local machine and enter ssh-copy-id followed by username@ and the IP address. It will ask you to enter your password, and once it's done, return to the terminal window with your server; don't close the other window yet.
Now that we have copied the SSH key to the server, we need to restrict authentication to the public key, so let's edit the sshd configuration file. First, let's change the default port. This won't do much for security, but it will help with those nasty SSH scanners trying to log into your server with default credentials. It's not much, but the security logs will definitely be easier to read. You can use any port that is not occupied by other services; I personally prefer to use port 69. Next, we need to disable password authentication so that you can only log in using a public key.
Last but not least, let's also disable root login. Now save the file and restart the sshd server using systemctl restart sshd. Now, without closing the window, let's go back to our local machine and try to log in with our key. If you see the prompt to enter your key password, that means we are good to go. It is also a good idea to verify that we can no longer log in with our password: if I try to log in to the server from my Hackintosh machine, I see this, which means we are good. You may have noticed that the command we use to log into our server is a bit long and annoying to type, so let's fix that.
Create a file called config in the .ssh folder in your home directory. Here we are going to create an alias for the VPS. The first line, in my case, will be Host wolfgangvpn; you can choose whatever name you want. Then User wolfgang (in your case, the username you chose in the previous step), Port 69, IdentityFile ~/.ssh/id_rsa, and HostName followed by the IP address of your server. Save and close, and now we can log in to our server by simply typing ssh wolfgangvpn. If you also don't want to see this wall of text every time you log in to your server, type touch ~/.hushlogin and press Enter. I know that WireGuard has been the new hot VPN protocol that everyone has been talking about lately, but in this video I'm going to use OpenVPN, because it has broader support when it comes to client applications, and some of the applications that I'll talk about in the second part of this tutorial use OpenVPN. If you are interested in setting up a WireGuard server,
there are many tutorials on the internet about it. Usually, setting up an OpenVPN server takes some time, as you need to install the packages, generate the keys, configure iptables, and write the configuration files for the server and client. Luckily, we won't do any of that in this video and will instead use the OpenVPN road warrior script from a GitHub user named Nyr. This script will do all the hard work for us, and all we need to do is answer some simple questions and download the configuration file at the end. It goes without saying that you shouldn't just run random scripts that you downloaded from the internet, so if you know any bash, read the script first and make sure there is nothing suspicious in there; if you don't know any bash, maybe send it to a friend who does. When you're done reading the script, click Raw and copy the link from your browser, log into your server, and install wget if it didn't
already come with your OS image; it usually does, but sometimes it doesn't. Then type wget, press space and paste the link you copied earlier. Now let's start the script. The script will ask you a few questions, and in most cases you will want to choose the default answer. For the port, you can choose the default port 1194, but I prefer 443, since 1194 is known as the OpenVPN port and in some cases it can be blocked on your network. 443 is the same port used for HTTPS, but while HTTPS uses TCP, OpenVPN in this setup uses UDP, so they don't conflict with each other.
You will also be asked which DNS you want to use. Feel free to choose whatever you want if you have a preference, but normally I choose 1.1.1.1. As for the client name, choose whatever you want. Now the setup is done; press any key and the installation process will start. It is fully automated, and in the end you will just get a configuration file, which we will download to our local machine later. The problem is that the script places the file in the root directory by default, and to download it later we need to move it to our user's home directory and give ourselves the correct privileges. With that, there is only one thing left to do
on the server side, and that is to disable logging. Let's edit the configuration file: here, change verb 3 to verb 0. Now restart the OpenVPN service and there we go, a VPN that actually doesn't keep any logs. I also just realized that the hostname of the server is localhost, which is not good for many reasons, so let's change it to something else; I'll call it Wolfgang's VPN. Now all we have to do is download the config file to our local machine so we can actually use the VPN: open a terminal on your local machine and type sftp followed by the server name, then download the file using get followed by the config file name (the client name with an .ovpn extension), and finally type exit. Now, if you want to use this VPN for all your traffic, which I don't
recommend, you can download Tunnelblick on Mac, OpenVPN on Windows, or load it into NetworkManager on Linux. As you can see, after connecting to the VPN from NetworkManager, the website starts thinking I'm from the UK, which means the VPN is working. At this point we have a basic VPN server up and running. You can stop here and use it like you normally would use a VPN, in which case thanks for watching and I'm glad I could help you, but if you want to know how to make it even more secure and add some nice-to-have features like unattended updates, keep watching. Now, SSH is good, but sometimes it gets annoying, especially when you change your network and your connection drops immediately.
I prefer to use mosh. No complicated shenanigans with config files or anything like that: just install mosh on both your local machine and your remote machine, and then you can simply use the mosh command as a drop-in replacement for ssh. Public key authentication is probably secure enough for most, but if you want to be fancier, you can also add MFA, or multi-factor authentication. The way it works is that you install an app on your phone (there are many open source apps on Android, like andOTP), and every time you log in you get a one-time password in the app that you must enter to log in. This provides an extra layer of security for your server, which may be useful for those of us who are especially paranoid.
The first thing you need to do is install libpam-google-authenticator. Yes, the protocol is made by Google, but it is completely free and open source, and you do not need to use the Google Authenticator app on your phone; there are many open source options, as I already mentioned. Then start the initialization script by typing google-authenticator. Basically, answer yes to all questions except the multi-user question and the 30-second token question. Once you're done, you may have noticed a big QR code on your command line along with some codes; make sure to save those codes somewhere safe, as they will be very useful in case you lose access to your phone or the app.
After that, launch the authenticator app on your phone (I will use OTP Auth), add a new account and choose "scan a QR code". After scanning the code, the account will be added to the app, and we are done with the phone part for now. Let's go back to the server terminal and edit the PAM configuration file for sshd. Here we will comment out the line that says @include common-auth. Normally, two-factor authentication will ask you for your user password and the one-time password, but since we're already using a public key with a password, having to enter your password twice is a bit annoying. This way,
you will only have to enter the public key password and the one-time password. Then we need to add this line to the end of the file: auth required pam_google_authenticator.so. Save the file and exit. Now we need to edit the sshd configuration file so that SSH knows about the new authentication method. Here we need to change the following lines: change ChallengeResponseAuthentication to yes, set UsePAM to yes as well, and add a new line after UsePAM that says AuthenticationMethods publickey,password publickey,keyboard-interactive. Now let's restart the SSH server for the changes to take effect. It's always a good idea to try logging in from a separate terminal window without logging out of the server; otherwise, if you make a mistake, you will be locked out of SSH, and no one wants that, obviously. You will see that in addition to the usual public key password, you will also be asked for your app's one-time password.
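As an added example (not from the video or its description), here is a small POSIX shell helper that applies the sshd_config directives covered above, both the earlier port/key-only/no-root changes and the PAM one-time-password settings, to a given file and then verifies them; the function names and the sample config lines are my own, chosen to mimic a stock Ubuntu 20.04 file.

```shell
#!/bin/sh
# Added example, not from the video: apply the tutorial's sshd_config changes
# to a file and verify the result. Helper names are invented for this example.
# Usage: harden_sshd_config /etc/ssh/sshd_config && check_sshd_config /etc/ssh/sshd_config

# set_option FILE KEY VALUE: rewrite the first "KEY ..." or "#KEY ..." line to
# "KEY VALUE", comment out any later active copy (sshd honours the first
# occurrence, so a forgotten duplicate would silently win), append if absent.
set_option() {
    awk -v k="$2" -v v="$3" '
        $1 == k || $1 == "#" k {
            if (!done) { print k, v; done = 1; next }   # first hit: rewrite in place
            if ($1 == k) { print "#" $0; next }         # later active copy: neutralise
        }
        { print }
        END { if (!done) print k, v }                   # absent: append
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Caveat: this does not understand "Match" blocks, so run it only on a config
# whose hardening directives live in the global section (true for a stock file).
harden_sshd_config() {
    f=$1
    set_option "$f" Port 69                     # non-default port: quieter auth logs
    set_option "$f" PubkeyAuthentication yes
    set_option "$f" PasswordAuthentication no   # key file required to log in
    set_option "$f" PermitRootLogin no          # log in as a normal user, sudo later
    # the one-time-password step through pam_google_authenticator:
    set_option "$f" ChallengeResponseAuthentication yes
    set_option "$f" UsePAM yes
    set_option "$f" AuthenticationMethods "publickey,password publickey,keyboard-interactive"
}

# check_sshd_config FILE: succeed only if every directive is active exactly
# once with the expected value; report each mismatch on stderr.
check_sshd_config() {
    f=$1; rc=0
    for want in "Port 69" "PubkeyAuthentication yes" "PasswordAuthentication no" \
                "PermitRootLogin no" "ChallengeResponseAuthentication yes" "UsePAM yes" \
                "AuthenticationMethods publickey,password publickey,keyboard-interactive"; do
        key=${want%% *}
        n=$(grep -c "^$key " "$f" || true)
        if [ "$n" != 1 ] || ! grep -qxF "$want" "$f"; then
            echo "check failed: expected exactly one '$want' line, found $n '$key' line(s)" >&2
            rc=1
        fi
    done
    return $rc
}

# Demo on a constructed sample: commented defaults plus the active
# "PasswordAuthentication yes" and "ChallengeResponseAuthentication no" lines
# a fresh Ubuntu 20.04 image carries.
demo_sshd_hardening() {
    tmp=$(mktemp)
    printf '%s\n' '#Port 22' '#PubkeyAuthentication yes' 'PasswordAuthentication yes' \
        '#PermitRootLogin prohibit-password' 'ChallengeResponseAuthentication no' \
        'UsePAM yes' > "$tmp"
    harden_sshd_config "$tmp"
    check_sshd_config "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

demo_sshd_hardening && echo "sshd_config hardened and verified"
```

On a real server, run sshd -t -f on the edited file before restarting sshd, and keep the existing session open as the video advises until a fresh login works.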
If you're using GNOME, you won't be prompted for the public key password until you log out and log back in, only for the one-time password from your phone app. Let's enter the password and that's it; now our server is protected by two-factor authentication. One last thing I want to show you today is unattended software updates. What this means is that we will have a script that runs apt update and apt upgrade regularly, thus freeing us from the burden of having to log into the server and do it manually. The server will also reboot for kernel updates, but since the reboot takes less than a minute and kernel updates are not very frequent, your VPN won't suffer much downtime. So, the first thing we need to do is install the unattended-upgrades package, leave it at the default value and then enable stable security updates. Once this is done, let's edit the configuration file. Here
we need to set up our email address, which will be used for update notifications, and then enable automatic reboots. You can also configure automatic removal of some unwanted files, for example unused kernels or unused dependencies, and specify the automatic reboot time; in my case I will set it to 5 am. And that's it, let's see if it works. So now your system and all packages will be updated automatically, and you will receive an email every time an update is done. And yes, that's it, so I finally finished editing this video. It took so long that I cut my hair in the meantime, but yeah, a lot of people might say this video is redundant since, you know, I just said the same things I said in the last video, apart from the tutorial, but it was very important for me to make this video. It just didn't sit right with me that the most viral video on my channel is so poorly researched, and this is basically what I wish I had uploaded in November 2019.
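As an added example (not the video's own commands), the following POSIX shell helper writes the unattended-upgrades settings described above as apt configuration drop-ins into a directory you pass in, rejecting a malformed reboot time, and then reads them back; the directory argument, the drop-in file name 52unattended-upgrades-local and the function names are my own choices, and on a real server the directory would be /etc/apt/apt.conf.d.

```shell
#!/bin/sh
# Added example, not from the video: write the unattended-upgrades settings
# discussed above as apt drop-in files and verify them. Helper names are mine.
# Usage: write_unattended_config /etc/apt/apt.conf.d you@example.com 05:00

# write_unattended_config DIR EMAIL REBOOT_TIME
# REBOOT_TIME must be HH:MM (24-hour); a bad value is rejected before writing.
write_unattended_config() {
    dir=$1; mail=$2; when=$3
    case $when in
        [0-2][0-9]:[0-5][0-9]) ;;
        *) echo "reboot time must be HH:MM, got '$when'" >&2; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    # Refresh package lists and run unattended-upgrade once a day; this is the
    # same pair of settings the package's "enable" step turns on.
    cat > "$dir/20auto-upgrades" <<EOF
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
    # apt reads apt.conf.d in name order, so a 52-prefixed drop-in overrides
    # the package-owned 50unattended-upgrades without editing that file.
    cat > "$dir/52unattended-upgrades-local" <<EOF
Unattended-Upgrade::Mail "$mail";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "$when";
EOF
}

# get_apt_value FILE KEY: print the value of a line of the form KEY "value";
# or nothing if the key is absent. The trailing space after KEY keeps
# Automatic-Reboot from matching Automatic-Reboot-Time.
get_apt_value() {
    sed -n "s/^$2 \"\(.*\)\";\$/\1/p" "$1"
}

# check_unattended_config DIR: succeed only if automatic reboots are on,
# a mail address is set and the daily unattended-upgrade job is enabled.
check_unattended_config() {
    dir=$1; local_conf=$dir/52unattended-upgrades-local
    [ "$(get_apt_value "$local_conf" Unattended-Upgrade::Automatic-Reboot)" = true ] &&
    [ -n "$(get_apt_value "$local_conf" Unattended-Upgrade::Mail)" ] &&
    [ "$(get_apt_value "$dir/20auto-upgrades" APT::Periodic::Unattended-Upgrade)" = 1 ]
}

# Demo in a scratch directory with a constructed address, never in /etc.
demo_unattended() {
    d=$(mktemp -d)
    write_unattended_config "$d" "admin@example.com" "05:00" && check_unattended_config "$d"; rc=$?
    rm -rf "$d"
    return $rc
}

demo_unattended && echo "unattended-upgrades config written and verified"
```

After installing the files on the server, unattended-upgrade --dry-run -d prints what the next run would upgrade, which is the quickest way to confirm the settings were picked up.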
So yeah, thank you all for watching this video. I hope it was really helpful, and I would also like to thank my sponsors cujo26, Mitchell, Valentino Ramos, Elis and Ray Peria, and everyone else who supports this channel. Thank you guys for watching one more time, and see you next time, bye.
