VPNs, or Virtual Private Networks, are a popular way to stay safe online. When you connect to a VPN, all outgoing network traffic is funneled through an external server. Your internet service provider can't tell what sites you visit (only that you're using a VPN) or inject content into webpages. They're also commonly used to bypass blocked websites and to stay safe on public Wi-Fi networks.

Unfortunately, using certain VPN providers can be just as dangerous as going without a VPN in the first place. Many popular providers will log connection details of users, which can then be sold to third parties. Some insecure services also leak connection information, leaving you just as unprotected as you would be without a VPN.

Even though there are a few excellent VPN choices available on the market, hosting your own VPN server is another option. It takes a little bit of work to set up, and it's not the best option for everyone, but it has several benefits. For this guide, we'll be setting up an OpenVPN server on a Linode VPS, which costs $5/month. While you can absolutely run a PC at home with Ubuntu Server instead, you'll get the highest-possible speeds and almost no downtime from a remotely-hosted VPS. You also won't have to worry about hardware failures, and you have multiple region options.

You might be wondering why a post like this is on Android Police. The explanation is pretty simple our smartphones transmit a tremendous amount of personal data. While most of that is sent over encrypted channels, like HTTPS, most phones and tablets still auto-connect to potentially-insecure public Wi-Fi networks. Even if you stick to cellular data, you're still probably subject to data collection by your carrier.

This guide might look long, but it's because I try to fully explain every possible step so no one gets lost. You don't need any previous experience with Linux or server management for this tutorial.

Should I host my own VPN?

There are advantages and disadvantages to making your own VPN server. Here are the main points to keep in mind when deciding what to do.

Advantages

  • You're in control of your data.
  • It's usually cheaper or on-par with paying for a VPN subscription.
  • You can use the VPN server for other things, like hosting a website or Nextcloud installation.
  • Websites that ban VPNs probably won't detect yours, because it won't be on an IP block list. This doesn't apply to Android apps, since they can detect when any kind of VPN/proxy is being used.

Disadvantages

  • Anonymity isn't possible, since the VPS host will have your name and payment information.
  • Your total bandwidth will be limited. Linode gives you 1TB/month, but you effectively get 500GB, because the data has to go from the origin to the VPN and then from the VPN to you.
  • You won't get special features that some VPN services provide, like malware/tracker blocking, unless you have the technical knowledge to set them up yourself.
  • You can't easily switch between different countries/locations.

Set up a Linode VPS

First we need to create a VPS, which is the Linux virtual machine that our VPN server will run on. There are multiple VPS providers, but I personally prefer Linode, so that's what we'll be using (note: this is not a sponsored/promotional post). DigitalOcean is another popular option.

First, go to Linode's website and create an account, if you don't have one already. That's our referral link, which will give us a small credit when you join (we host Android Police and APKMirror on Linode). You'll need to enter billing information. Once you make it to the dashboard, click the 'Create' button and select 'Linode,' or go directly to this link. This is where you'll pick what hardware your server will have, and where it will be hosted.

In the Distribution box, choose 'Ubuntu'. Below that, pick the region you want your VPN to be located in — a handful of countries are available to choose from. It's possible to change the location later, but you'll have to contact Linode support. Then select 'Nanode 1GB' in the Plan box (it should be under the 'Nanode' tab). VPNs don't need much processing power, so this low-spec option will work just fine.

The last thing to do is to enter a password in the 'Root Password' box. Make sure the password is secure and unique. Then click the 'Create' button and wait for it to finish generating. Now you have a fresh server ready to run a VPN on!

Log into the VPS

Your server doesn't have a graphical user interface, like Windows or macOS. It only has a command line, but don't be scared — all these steps are pretty easy to follow. If you've ever used the Terminal on macOS, Linux, or even Android, you'll feel right at home.

Once you have your VPS open, click the 'Launch Console' button at the top-right corner. This will open a web-based terminal, as seen in the screenshot below, and you'll be prompted for a login. Type "root" (without the quotes), press Enter, then enter your root password, and press Enter again.

After that, you should be logged in and greeted with a "Welcome to Ubuntu" message. If you've never used a Terminal on Linux/macOS before, you might find this list of common commands helpful. Now it's time to set up the VPN service!

Set up the VPN

You might be thinking, "Oh geez, I gotta use commands, this is gonna be awful." Thankfully, this is actually the easiest step, since we'll be using the OpenVPN road warrior install script to get everything running. Run this command in the Lish console window (you can usually paste into the web terminal by right-clicking):

wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh

The script will ask you for your IP address, what protocol to use, and other info. Press Enter when asked for the IP and protocol, but when you're asked for the port, enter 443. Many networks block the default OpenVPN ports, so setting it to 443 (the port used for HTTPS traffic) can prevent some types of blocks. After that, press Enter again when asked which DNS to use, and then enter your name when asked. The script will then install the required software and set everything up.

Once the script is done, it will export a .ovpn file in the /root/ folder. That file contains the connection and login info for your VPN, so we need to get that file off the server (and not give it to anyone!).

Download the login info

The easiest way to download the OVPN file to your computer is to use Firefox Send, a free service by Mozilla for sending encrypted files over the web. First, install the ffsend application on your server with this command:

snap install ffsend

Next, we'll upload the OVPN server with a password. We'll also set the download limit to 1, so it will be completely deleted from Mozilla's servers once it has been downloaded. Run this command, replacing "file.ovpn" with the name of the file you generated earlier (if you've already forgotten, run "ls" to check):

ffsend upload file.ovpn --download-limit 1 --password

Enter a password when asked, and you'll get an 'Upload complete' message when it's done. Next, run this command to get the link:

ffsend history

This will print a list of all the links you've generated. The first link is the most recent one.

Just copy and paste that link into your browser to download the file. Once you have it, feel free to copy it to all your devices using whatever (secure) method you prefer.

The OVPN file allows anyone to connect to your VPN, so keep it safe! If you think someone is accessing your VPN who shouldn't be, run the VPN setup command again to revoke the existing file and generate a new one.

Connect to the VPN

You've set up your VPN and downloaded the connection file, so now you're ready to try it out. There are OpenVPN clients available for every major operating system. For this guide, we'll only go over how to connect using an Android device (or Chromebook with the Play Store). For Windows/Mac/iOS, VPNGate has an excellent guide here.

There are a few different OpenVPN clients for Android, but my favorite is OpenVPN for Android, because it works well and is fully open-source. Once you download it from the Play Store, tap the import button in the top-right corner (it looks like a box) and select your .ovpn file.

Once you find the .ovpn file and tap it, press the Save button in OpenVPN. A new connection option will be added to the main screen. Once you tap it, you will be connected to your VPN! Now that Chrome OS supports Android VPNs, this will also work for Chromebooks — you should see a lock icon next to the WiFi indicator.

Secure the server

Since this is an always-on server that will be receiving and transmitting personal data, there are a few extra steps you should take to reduce possible security issues.

Enable automatic updates

The first thing you should do is enable automatic package updates. This way, you won't have to log in occasionally to perform updates, and your server will stay secure on its own. First, run this command to install any updates that are already available:

apt update && apt upgrade -y

Once that's done, run this command to install the automatic updater:

apt install -y unattended-upgrades

And you're done! Your server will now check for and install updates automatically, with minimal (if any) downtime to your VPN. If you're already familiar with Linux, Ubuntu has extra documentation that explains all the options, but the default configuration will work fine for our needs.

Turn off SSH access

If you won't be using this server for anything else, it's a good idea to disable remote access via SSH. This will prevent anyone (including you) from logging into the server remotely, except from the console in the Linode dashboard. This will also prevent brute-force login attacks on your server.

First, run this command to disable the SSH server from starting when the server boots up:

systemctl disable ssh.service

Then, stop the currently running server with this command:

systemctl stop ssh.service

Now your server is only accessible from the Linode console. If you want to revert this later, just run these commands:

systemctl enable ssh.service
systemctl start ssh.service

Set up two-factor authentication

Lastly, you should enable two-factor authentication for your Linode account, to make it even harder for someone to obtain access to your server. With the Linode dashboard open, click your profile icon at the top-right, select 'My Profile,' and click the 'Password & Authentication' tab.

You can enable 2FA with your app of choice, including Google Authenticator and Authy. A code from the app will be required when you log into Linode.

Google Authenticator
Google Authenticator
Developer: Google LLC
Price: Free

Authy 2-Factor Authentication
Authy 2-Factor Authentication
Developer: Authy
Price: Free

Manage your VPN

Congratulations, you now have your own functional VPN server! For the most part, you don't have to do anything else, except install the OpenVPN client on whatever other devices you have. Even if your server is rebooted (when Linode performs maintenance, for example), the VPN will automatically restart.

That being said, there are a few things you can do after you're done, like adding/removing profiles and updating the server.

Troubleshooting

If something isn't working, rebooting your server might fix it. Go to your Linode dashboard, click the VPN server, click the 'Running' button at the top-right, corner, and select 'Reboot.' This will send a reboot command to your server, allowing it to shut down safely and start again.

Add or remove VPN profiles

You already have an OpenVPN profile for yourself (which is linked to the .ovpn file), but you can create more profiles to let other people access your VPN. You can also remove a profile later, if you want to revoke someone's access. Just run the VPN setup script again:

wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh

You should see a series of options — just type the number for the one you want and press Enter. The script will then walk you through the action.

Deleting your VPS

If you decide you don't want your own VPN anymore, you can easily delete the server. Go to your Linode Dashboard, click the VPN server, select the 'Settings' tab at the top, and click 'Delete Linode'. Couldn't be easier.