This story was originally published and last updated .
- 1 Should I host my own VPN?
- 2 Set up a Linode VPS
- 3 Log into the VPS
- 4 Set up the VPN
- 5 Download the login info
- 6 Connect to the VPN
- 7 Secure the server
- 8 Manage your VPN
VPNs, or Virtual Private Networks, are a popular way to stay safe online. When you connect to a VPN, all outgoing network traffic is funneled through an external server. Your internet service provider can't tell what sites you visit (only that you're using a VPN) or inject content into webpages. VPNs are also commonly used to bypass blocked websites and to stay safe on public Wi-Fi networks.
Unfortunately, using certain VPN providers can be just as dangerous as going without a VPN in the first place. Many popular providers will log connection details of users, which can then be sold to third parties. Some insecure services also leak connection information, leaving you just as unprotected as you would be without a VPN.
Even though there are a few excellent VPN choices available on the market, hosting your own VPN server is another option. It takes a little bit of work to set up, and it's not the best option for everyone, but there are several benefits. For this guide, we'll set up an OpenVPN server on a Linode VPS, which costs $5/month. While you can absolutely host a VPN from a PC at home (even a $30 Raspberry Pi can do the job), you'll get the highest-possible speeds and virtually no downtime from a remotely-hosted VPS. You also won't have to worry about hardware failures, and you have multiple region options.
You might be wondering why a post like this is on Android Police. The explanation is pretty simple — our smartphones transmit a tremendous amount of personal data. While most of that is sent over encrypted channels, like HTTPS, most phones and tablets still auto-connect to potentially-insecure public Wi-Fi networks. Even if you stick to cellular data, you're still probably subject to data collection by your carrier.
Should I host my own VPN?
There are advantages and disadvantages to making your own VPN server. Here are the main points to keep in mind when deciding what to do.
- You're in control of your data.
- It's usually cheaper or on-par with paying for a VPN subscription.
- You can use the VPN server for other things, like hosting a website or Nextcloud installation.
- Websites and services that ban VPNs probably won't detect yours, because it won't be on an IP block list. This doesn't apply to Android apps, since they can detect when any kind of VPN/proxy is being used.
- Anonymity isn't possible, since the VPS host will have your name and payment information.
- Your total bandwidth will be limited. Linode gives you 1TB/month, but you effectively get 500GB, because the data has to go from the origin to the VPN and then from the VPN to you.
- You won't get special features that some VPN services provide, like malware/tracker blocking, unless you have the technical knowledge to set them up yourself.
- You can't easily switch between different countries/locations.
Set up a Linode VPS
First we need to create a VPS, which is the Linux virtual machine that our VPN server will run on. There are many different VPS providers, but Linode is a good general option that isn't too complicated, so that's what we'll be using (note: this is not a sponsored/promotional post). DigitalOcean is another popular option.
First, go to Linode's website and create an account, if you don't have one already. That's our referral link, which will give us a small credit when you join — we host Android Police and APKMirror on Linode. You'll need to enter billing information. Once you make it to the dashboard, click the 'Create' button and select 'Linode,' or go directly to this link. This is where you'll pick what hardware your server will have, and where it will be hosted.
In the Distribution box, choose the newest available Ubuntu LTS release — as of the time of writing, that's 20.04 LTS. Below that, pick the region you want your VPN to be located in. It's possible to change the location later, but you'll have to contact Linode support. For the plan, select 'Nanode 1GB' from the list of Shared CPU options. VPNs don't need much processing power, so this low-spec option will work just fine.
The last thing to do is to enter a password in the 'Root Password' box. Make sure the password is secure and unique. Then click the 'Create' button and wait for the VPS to finish generating and booting. Now you have a fresh server ready to run a VPN on!
Log into the VPS
Your server doesn't have a graphical user interface, like Windows or macOS. It only has a command line, but don't be scared — all these steps are easy to follow. If you've ever used the Terminal on macOS, Linux, or even Android, you'll feel right at home.
Once you have your VPS open, click the 'Launch Console' button at the top-right corner. This will open a web-based terminal, as seen in the screenshot below, and you'll be prompted for a login. Type "root" (without the quotes), press Enter, then enter your root password, and press Enter again.
After that, you should be logged in and greeted with a "Welcome to Ubuntu" message. If you've never used a Terminal on Linux/macOS before, you might find this list of common commands helpful. Now it's time to set up the VPN service!
Set up the VPN
You might be thinking, "Oh geez, I gotta use commands, this is gonna be awful." Thankfully, this is actually the easiest step, since we'll be using the OpenVPN road warrior install script to get everything running. Run this command in the console window (that's the letter "O" after VPN, not a zero):
wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh
The script will ask you for your IP address, what protocol to use, and other info. Press Enter when asked for the protocol and DNS server, but when you're asked for the port, enter 443. Many networks block the default OpenVPN ports, so changing it to 443 (the port used for HTTPS traffic) can prevent some types of blocks. After that, enter your name when asked. The script will then install the required software and set everything up.
Once the script is done, it will export a .ovpn file in the /root/ folder. That file contains the connection and login info for your VPN, so we need to get that file off the server (and not give it to anyone!).
Download the login info
The easiest way to transfer the .ovpn file to your device is to temporarily start a web server, so you can download the file using any web browser. After you have the file downloaded, you can stop the server and store the .ovpn file somewhere safe.
To start the web server, run this command:
python3 -m http.server 80
Once the server is running, paste the IP address of your server (located on the Linode Summary page) in your browser's address bar. Make sure the address doesn't start with "https://", because the server doesn't have a security certificate. You should see a simple directory listing with a few files. Click on the .ovpn file to download it.
After the file is downloaded, you need to shut down the server, so no one else can access the data. Press the CTRL and C keys on your keyboard at the same time to end the server — you should see a "exiting" message. If that doesn't work, rebooting your VPS from the Linode dashboard will also stop the server.
Connect to the VPN
You've set up your VPN and downloaded the connection file, so now you're ready to try it out. There are OpenVPN clients available for every major operating system. For this guide, we'll only go over how to connect using an Android device (or Chromebook with the Play Store). For Windows/Mac/iOS, VPNGate has an excellent guide here.
There are a few different OpenVPN clients for Android, but my favorite is OpenVPN for Android, because it works well and is fully open-source. Once you download it from the Play Store, tap the import button in the top-right corner (it looks like a box) and select your .ovpn file.
Once you find the .ovpn file and tap it, press the Save button in OpenVPN. A new connection option will be added to the main screen. Once you tap it, you will be connected to your VPN! Chrome OS fully supports Android VPNs, so this app will also work for Chromebooks — you should see a lock icon next to the WiFi indicator.
Secure the server
Since your VPN is an always-on server that will be receiving and transmitting personal data, there are a few extra steps you should take to reduce possible server-side security vulnerabilities.
Enable automatic updates
The first thing you should do is enable automatic package updates. This way, you won't have to log in occasionally to perform updates, and your server will stay secure on its own. First, run this command to install any updates that are already available:
apt update && apt upgrade -y
Once that's done, run this command to install the automatic updater:
apt install -y unattended-upgrades
And you're done! Your server will now check for and install updates automatically, with minimal (if any) downtime to your VPN. If you get a message saying something like "unattended-upgrades is already the newest version," it was already installed in the system image provided by Linode.
Turn off SSH access
If you won't be using this server for anything else, you should disable remote access via SSH. This will prevent anyone (including you) from logging into the server remotely, except from the console in the Linode dashboard. This will also prevent brute-force login attacks on your server.
First, run this command to disable the SSH server from starting when the server boots up:
systemctl disable ssh.service
Then, stop the currently running server with this command:
systemctl stop ssh.service
Now your server is only accessible from the Linode console. If you want to revert this later, just run these commands:
systemctl enable ssh.service systemctl start ssh.service
Set up two-factor authentication
Lastly, you should enable two-factor authentication for your Linode account, so that it's even harder for someone to obtain access to your server. With the Linode dashboard open, click your profile icon at the top-right, select 'My Profile,' and click the 'Password & Authentication' tab.
You can enable 2FA with your app of choice, including Google Authenticator and Authy. A code from the app will be required when you log into Linode.
Manage your VPN
Congratulations, you now have your own functional VPN server! For the most part, you don't have to do anything else, except install the OpenVPN client on whatever other devices you have. Even if your server is rebooted (when Linode performs maintenance, for example), the VPN will automatically restart.
That being said, there are a few things you can do after you're done, like adding/removing profiles and updating the server.
If something isn't working, rebooting your server might fix it. Go to your Linode dashboard, click the VPN server, click the 'Running' button at the top-right, corner, and select 'Reboot.' This will send a reboot command to your server, allowing it to shut down safely and start again.
Add or remove VPN profiles
You already have an OpenVPN profile for yourself (which is linked to the .ovpn file), but you can create more profiles to let other people access your VPN. You can also remove a profile later, if you want to revoke someone's access. Just run the VPN setup script again:
wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh
You should see a series of options — just type the number for the one you want and press Enter. The script will then walk you through the action.
Deleting your VPS
If you decide you don't want your own VPN anymore, you can easily delete the server. Go to your Linode Dashboard, click the VPN server, select the 'Settings' tab at the top, and click 'Delete Linode'.
This guide has been updated with new screenshots and replaced instructions for transferring the .ovpn file (since Firefox Send is now discontinued).