Monthly Archives: October 2014

Creating your own VPN Server using OpenVPN

We all face the need for a proxy at one time or another in our day-to-day Internet lives: to bypass the college firewall, to access a website that is not available in your country, to stream Netflix or other region-specific streaming services, and the list goes on. So the question is: why create your own VPN service when you could buy one from a service provider? The simple answer is that it is more economical to do it yourself if you are willing to spend 30 minutes of your weekend on it. You also get the server's entire port speed to yourself. And it feels good to have your own VPN server without having to depend on anyone else!

Let’s start by looking at what we need to implement this project. We need a VPS with Ubuntu installed, from a provider that allows private VPNs on their servers, and Nyr’s OpenVPN auto-installer script for Debian-based systems. That will get you started.

I recommend NanoVZ for various reasons. They offer 128MB of RAM (more than enough for our VPN server), a 3GB HDD and a Gigabit link with 500GB of bandwidth a month for just $3.80 (3 EUR) a year. Pretty cheap, isn’t it? The reason I prefer this over LowEndSpirit is the Gigabit port.

Go to the NanoVZ website and sign up for this server.

[Screenshot: NanoVZ.png]

After successful payment, you will receive your order confirmation, payment receipt and server information. Read the email carefully. You will see something like –

[Screenshot: IPInfo.png]

This service doesn’t come with a dedicated IPv4 address. That is one of their cost-cutting strategies: it keeps their operating costs to a minimum and lets them offer a VPS at such a low price. Instead, you share an IPv4 address with many other clients on their server. You get 20 ports of the public IPv4 address NAT’ed to your internal IP address, plus one port mapped specifically to the SSH port on your internal IP.

Connecting to your VPS via SSH

In order to configure your server to run an OpenVPN server, you first need to log in to it via SSH. This is where the SSH port on the external IP that is mapped to your VPS comes in. Download a program like PuTTY and log in to [Public_IPv4]:[Mapped_Port]. In the case above, I would log in to [Masked_Public_IP]:15100.

Enabling TUN/TAP

TUN and TAP are virtual network kernel devices. For the OpenVPN server to work, we need to enable them for our server. To do this, log in to your SolusVM panel; its details are also given in the email you received with your order.

[Screenshot: SolusVM_Details.png]

[Screenshot: TUN_TAP.png]

Installing OpenVPN Server

This is a fairly simple task. I would first recommend updating your server to the latest packages before configuring it for VPN.

Go ahead and run the update commands (apt-get update only refreshes the package lists; the upgrade step actually installs the newer packages) –

apt-get update && apt-get upgrade

Once that is done, you just need to run Nyr’s auto-install script for OpenVPN. Note that --no-check-certificate disables TLS certificate verification for the download, so wget cannot tell a tampered or substituted script from the real one. Download the script first, look it over, and only then run it –

wget git.io/vpn --no-check-certificate -O openvpn-install.sh
bash openvpn-install.sh

The installer will ask for the IP on which OpenVPN has to listen. Give your internal IP address here; check the email for it.

[Screenshot: Local_IP.png]

Then it will ask you for the port number. Make sure the port you give here is in the range of ports NAT’ed for you. In my case it is 15101 to 15120.

[Screenshot: Port.png]

The installer will now ask if you would like to enable port 53 as well. I would answer no here, because you will not be able to use that port anyway: it is not NAT’ed to you from the outside world.

[Screenshot: Port_53.png]

Now enter the name you want the client certificate stored under. This is like the username you want to access the server with. If you plan to share the server with friends and family members, name the certificates so that you can identify each user.

[Screenshot: client_name.png]

That’s all it needs. Just hit the Return key to proceed. It takes a while to finish the installation and certificate generation, so get yourself a small break!

It then asks for the external IP. Since we are behind NAT, give the external IP that NanoVZ provided in the email.

[Screenshot: External_IP.png]

That’s it. Your certificate file will be available at /root/[certificate_name].ovpn. Download it using any SFTP program like WinSCP and use it with your favorite OpenVPN client. This single file carries the client’s certificate and private key, so treat it like a password when you copy it around or hand it to friends. I will do a write-up comparing various OpenVPN clients soon.
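Two things go wrong most often with a profile produced this way on a NAT’ed VPS: the installer’s "external IP" prompt is answered with the internal address, or the chosen port falls outside the range the provider forwards. The script below is an added example (not from the original post or from Nyr’s installer) that checks a .ovpn file for both before you hand it out. It assumes the profile is a unified one with inline <ca>, <cert> and <key> blocks; the IP 203.0.113.10, the internal address 10.0.0.25 and the PEM bodies are constructed placeholders.

```shell
#!/usr/bin/env bash
# Sanity-check a client .ovpn profile before handing it to a client.
# Added example; IPs, port range and certificate bodies are constructed.

WORK=$(mktemp -d)

# Return 0 when the profile's "remote" line points at the expected public IP
# and a port inside the NAT'ed range, and the inline <ca>/<cert>/<key>
# blocks are present. Prints a reason and returns 1 otherwise.
check_ovpn_profile() {
    profile="$1"; expected_ip="$2"; port_lo="$3"; port_hi="$4"

    remote_line=$(grep -E '^remote[[:space:]]' "$profile" | head -n 1)
    if [ -z "$remote_line" ]; then
        echo "FAIL: no 'remote' directive in $profile"; return 1
    fi
    set -- $remote_line          # split into: remote <host> <port> [proto]
    host="$2"; port="$3"

    if [ "$host" != "$expected_ip" ]; then
        echo "FAIL: remote host is $host, expected $expected_ip"; return 1
    fi
    case "$port" in
        ''|*[!0-9]*) echo "FAIL: remote port '$port' is not numeric"; return 1 ;;
    esac
    if [ "$port" -lt "$port_lo" ] || [ "$port" -gt "$port_hi" ]; then
        echo "FAIL: port $port outside NAT'ed range $port_lo-$port_hi"; return 1
    fi
    for block in ca cert key; do
        if ! grep -q "^<$block>" "$profile" || ! grep -q "^</$block>" "$profile"; then
            echo "FAIL: inline <$block> block missing"; return 1
        fi
    done
    echo "OK: $profile -> $host:$port"
    return 0
}

# Constructed sample profiles. 203.0.113.10 is documentation space (TEST-NET-3),
# not a real server, and the PEM bodies are placeholders, not real keys.
make_sample_profiles() {
    cat > "$WORK/good.ovpn" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 15105
resolv-retry infinite
nobind
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-NOT-A-REAL-KEY
-----END PRIVATE KEY-----
</key>
EOF
    # The mistake of answering the "external IP" prompt with the internal address.
    sed 's/^remote .*/remote 10.0.0.25 15105/' "$WORK/good.ovpn" > "$WORK/internal.ovpn"
    # A port that the provider does not forward to this VPS.
    sed 's/^remote .*/remote 203.0.113.10 1194/' "$WORK/good.ovpn" > "$WORK/badport.ovpn"
    # A profile whose private key block was stripped.
    sed '/^<key>$/,/^<\/key>$/d' "$WORK/good.ovpn" > "$WORK/nokey.ovpn"
}

make_sample_profiles
for name in good internal badport nokey; do
    check_ovpn_profile "$WORK/$name.ovpn" 203.0.113.10 15101 15120 || true
done
```

Run it against your real profile as `check_ovpn_profile /root/[certificate_name].ovpn <public IPv4> <first port> <last port>`, with the range taken from your provider’s email; only a profile that passes is worth copying off the server.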

Let me know how it goes!

Hosting your WebSite on LowEndSpirit

For those of you who are not aware of LowEndSpirit (LES), I highly recommend that you visit the LowEndSpirit website. In short, LES offers Virtual Private Servers (VPS) for bare minimum prices. You can get a VPS in each of their locations (US, UK, NL, IT, JP) for 3 EUR each ($3.80), which is really very cheap. The configuration of these servers is about 128MB RAM (256MB in the US location), a 2GB or 3GB HDD (SSD in some locations), a 100 Mb/s port in all locations, and a 50 – 500 GB data transfer cap (varies by location). The catch is that you don’t get a dedicated IPv4 address with any of the servers. You get IPv6 addresses and a NAT’ed IPv4 address with 20 ports forwarded to your VPS.

Usually people spend tens to hundreds of dollars a year on shared hosting even when they have the basic skills to deploy a web server and maintain their own website or blog. When the website gains some public attention, the shared hosting provider suspends the account for heavy use of server resources. Typically these providers throttle you when you hit 30% CPU usage continuously for 3 minutes, and you are restricted to only 64MB of RAM. I personally feel that a LES VPS for $3.80/year is much better than shared hosting that would cost at least $4/month, if you are willing to take the extra step of configuring your own server.

People who know about LES mostly use it for a private VPN. For example, someone who lives in India uses a US LES VPS as an OpenVPN server to stream US-only services like Netflix or Hulu. They usually don’t use it for hosting websites, and one of the most prominent reasons is that LES doesn’t offer a dedicated IPv4 address. But here is a solution to this problem: you can use the IPv6 address that is supplied to you. Here is how –

Deploy a webserver

You can deploy either Nginx or Apache as the web server; there are numerous tutorials available for this, so just do a Google search. The tricky part is making sure the server listens on port 80 on its IPv6 addresses. By default, these web servers are configured to listen on IPv4 addresses only. You can change this in the following way:

For Nginx, open the file /etc/nginx/nginx.conf and uncomment the line that says –

listen [::]:80;

This will make the server listen on all IPv6 addresses available to that VPS. If you want it to listen on one specific IPv6 address out of the many that are assigned, modify the line to look like –

listen [2607:f0d0:1004:2::2]:80;
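Whether the IPv6 listen directive is really active is easy to get wrong: the shipped line is commented out, and a `listen [::]:8080;` is not a port 80 listener. The script below is an added example (not from the original post or from the nginx project) that strips comments from a config file and reports the active `listen [<ipv6>]:<port>` directives. The sample configs, their paths and the 2001:db8:: address (documentation prefix) are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Report active (uncommented) IPv6 listen directives for a port in an nginx
# configuration file. Added example; sample configs below are constructed.

WORK=$(mktemp -d)

# Strip "#" comments, then match "listen [<ipv6>]:<port>" where the port is
# followed by whitespace or ";" so that port 80 does not match 8080.
# Prints the matching directives; returns 0 if any matched, 1 otherwise.
nginx_listens_v6() {
    conf="$1"; port="$2"
    sed 's/#.*$//' "$conf" \
        | grep -E "^[[:space:]]*listen[[:space:]]+\[[0-9A-Fa-f:]+\]:${port}([[:space:]]|;)"
}

# Constructed sample configurations.
make_sample_configs() {
    # As shipped on Debian/Ubuntu: the IPv6 line is present but commented out,
    # so nginx is reachable over IPv4 only.
    cat > "$WORK/default.conf" <<'EOF'
server {
    listen 80;
    # listen [::]:80;
    server_name example.com;
}
EOF
    # After uncommenting: nginx binds every IPv6 address on the VPS.
    cat > "$WORK/all_v6.conf" <<'EOF'
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
}
EOF
    # Pinned to one assigned address; the 8080 line must not count as port 80.
    cat > "$WORK/pinned.conf" <<'EOF'
server {
    listen [2001:db8:1004:2::2]:80;
    listen [2001:db8:1004:2::2]:8080;
    server_name example.com;
}
EOF
}

make_sample_configs
for name in default all_v6 pinned; do
    if nginx_listens_v6 "$WORK/$name.conf" 80; then
        echo "$name.conf: IPv6 listener on port 80 is active"
    else
        echo "$name.conf: no IPv6 listener on port 80 (still commented out?)"
    fi
done
```

On a real server run `nginx_listens_v6 /etc/nginx/nginx.conf 80` (and the same for any file in sites-enabled), then confirm with `ss -ltn` that the socket is actually bound after reloading nginx.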

Point your domain to CloudFlare DNS

Sign up with CloudFlare if you don’t have an account already and point your domain to their DNS. Now add an AAAA record to the DNS entries of your domain. Just as A records point to the server’s IPv4 address, AAAA records point to the server’s IPv6 address.

Enable automatic IPv6 in CloudFlare

This IPv6 gateway by CloudFlare lets visitors on networks without IPv6 reach your website, which is served only over IPv6. The option is available under CloudFlare Settings –> Settings Overview. Be sure to double check that CloudFlare is enabled for all the AAAA records (the grey clouds should turn flame red).

[Screenshot: automatic-ipv6]

Once this step is done, your website on IPv6 is good to go.

Let me know if things go wrong. Maybe I can suggest some quick fixes.

Please note that LES doesn’t do backups or snapshots of your data. If a server crashes due to hardware failure, your data may be lost. Take proper measures to back up your data from time to time.

Why documenting?

I have been experimenting with many things over the past several years. In the process I've learned things that my school or my books didn't teach. And I know for certain that there are many more people like me who are trying to learn what I have already learned or am learning now. This learning process is time consuming. It's not as straightforward as a question and an answer in an exam. Everything is an experiment, and experiments take a great deal of time and carry a risk with them. Even after spending numerous hours trying to do something, you may still end up not succeeding.

This is an effort to make things a bit more straightforward for those of you who don't want to spend time experimenting and instead want to get things done. This comes with its own advantages and disadvantages. You will not go through all the resources that I went through to accomplish these tasks, so you will not gain the same experience I did from searching and learning everything connected to the task. But the advantage is that you will not have to spend all the time that I have already spent researching it.

Anyway, one other motive behind this blog is that I will have documentation of the things I did in the past or am doing right now. In my experience, in a significant number of cases I had to revisit my old work to get a current task done. However, my old work had little or no documentation, and what existed was not organized. I therefore wanted a way to document what I learn and revisit it whenever I want in the future.

With this, let me end the story behind my thoughts of starting a blog.

Get in touch if you have any questions on things that I have documented.