-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- ---
title: "$1 a Month Personal VPN"
author: Greg
layout: post
permalink: /2019/03/personal-vpn/
date: 2019-03-29 16:12:44 -0400
comments: True
licence: Creative Commons
categories:
  - Tech
  - Tutorial
tags:
  - tech
  - vpn
- ---

Russia has recently threatened to block popular VPN services unless they join a state IT system that contains a registry of banned websites[¹](https://www.themoscowtimes.com/2019/03/29/russia-threatens-to-block-popular-vpn-services-to-prevent-website-access-a65007). In response, here is a quick tutorial on how to setup a personal VPN for $1 a month. Personal VPNs have advantages over shared VPN services because they are harder for governments to block & you do not share an ip address with possible nefarious users so you get less annoying "Are you a robot" questions.

Prerequisites: being comfort in shell (feel free to reach out in the comments below if you have any issues)

### 1) Setup a Virtual Private Server

There are a few providers that offer $1 Virtual Private Servers. I chose [FDC Servers](https://fdcservers.net) (no affiliation) because they offered servers located in Spain. You don't get much for $1 but we're just creating a glorified web router so 1990's specs are fine. Once I signed up I was provisioned a VPS running Ubuntu with a 5Mbps unmetered connection, 128MB RAM, 10GB SSD, 1 external IP, & 1 CPU Core. It took a couple of hours for them to spin up the box.

```
greg ~ $ssh root@198.16.x.x
root@198.16.x.x's password: 
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.2.0-74-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Fri Mar 29 15:16:55 CDT 2019

  System load:  0.06              Processes:           70
  Usage of /:   13.5% of 8.86GB   Users logged in:     0
  Memory usage: 52%               IP address for eth0: 198.16.x.x
  Swap usage:   0%                IP address for tun0: 10.8.0.1

  Graph this data and manage this system at:
    https://landscape.canonical.com/

New release '14.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Fri Mar 29 15:15:49 2019 from 204.101.x.x
root@118456:~# uptime
 15:16:57 up 0 min,  1 user,  load average: 0.06, 0.01, 0.01
root@118456:~# free -m
             total       used       free     shared    buffers     cached
Mem:           112        102          9          0         31         29
- -/+ buffers/cache:         41         70
Swap:         1023          9       1014
```

Because of the incredibly low specs, the server was provisioned with Ubuntu 12.04.5 LTS. It's not ideal to run an end of life version of Ubuntu. However for $1 & for the purpose of a VPN, it's ok.

For some reason the server didn't have it's DNS name servers set. If you use another service you probably won't have this issue. I quickly added dns-nameservers to network interfaces;

Edit `/etc/network/interfaces` with

`sudo nano /etc/network/interfaces`

and append `dns-nameservers 8.8.8.8 8.8.4.4` to the bottom of the eth0 entry.

Then I was able to run an update (this may take a while).

`sudo apt-get update && sudo apt-get upgrade -y`

### 2) Setup OpenVPN server

[Nyr](https://github.com/Nyr/openvpn-install) has created an awesome script that takes care of all the hard work of configuring OpenVPN. All we have to do is download & run Nyr's script and then answer some questions.

`wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh`

To make it more difficult to block access to our personal VPN we will leave the hostname blank. Instead we will connect via an ip address so that our VPN can't be blocked at the DNS level. We will also choose TCP on port 443. https uses TCP on 443 making it hard to distinguish your traffic from regular web traffic.

```
Welcome to this OpenVPN "road warrior" installer!

I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.

First, provide the IPv4 address of the network interface you want OpenVPN
listening to.
IP address: 198.16.x.x

This server is behind NAT. What is the public IPv4 address or hostname?
Public IP address / hostname: 

Which protocol do you want for OpenVPN connections?
   1) UDP (recommended)
   2) TCP
Protocol [1-2]: 2

What port do you want OpenVPN listening to?
Port: 443

Which DNS do you want to use with the VPN?
   1) Current system resolvers
   2) 1.1.1.1
   3) Google
   4) OpenDNS
   5) Verisign
DNS [1-5]: 1

Finally, tell me your name for the client certificate.
Please, use one word only, no special characters.
Client name: client

Okay, that was all I needed. We are ready to set up your OpenVPN server now.
Press any key to continue...
```

The script will do some magic and create a file called `client.ovpn` (or whatever you choose as your client name).

#### Optional

You can run the bash script again to create more ovpn config files for other users or devices.

`bash openvpn-install.sh`

```
Looks like OpenVPN is already installed.

What do you want to do?
   1) Add a new user
   2) Revoke an existing user
   3) Remove OpenVPN
   4) Exit
Select an option [1-4]: 

```

### 3) Setup OpenVPN client

copy `client.ovpn` to your local machine. An easy way to do that is to use the cat command to output the contents of the file and then copy and paste it to a local version.

```
root@118456:~# cat client.ovpn 
client
dev tun
proto tcp
sndbuf 0
rcvbuf 0
remote 198.16.x.x 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
setenv opt block-outside-dns
key-direction 1
verb 3
<ca>
- -----BEGIN CERTIFICATE-----
FOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO=
- -----END CERTIFICATE-----
</ca>
<cert>
- -----BEGIN CERTIFICATE-----
BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAR=
- -----END CERTIFICATE-----
</cert>
<key>
- -----BEGIN PRIVATE KEY-----
BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZ=
- -----END PRIVATE KEY-----
</key>
<tls-auth>
- -----BEGIN OpenVPN Static key V1-----
01234567890abcdef0123456789abcde
01234567890abcdef0123456789abcde
01234567890abcdef0123456789abcde
01234567890abcdef0123456789abcde
01234567890abcdef0123456789abcde
01234567890abcdef0123456789abcde
01234567890abcdef0123456789abcde
01234567890abcdef0123456789abcde
01234567890abcdef0123456789abcde
01234567890abcdef0123456789abcde
01234567890abcdef0123456789abcde
01234567890abcdef0123456789abcde
01234567890abcdef0123456789abcde
01234567890abcdef0123456789abcde
- -----END OpenVPN Static key V1-----
</tls-auth>
```

Install an OpenVPN client on your [Mac](https://tunnelbrick.net), [Android](https://play.google.com/store/apps/details?id=net.openvpn.openvpn), Windows, or [iOS](https://itunes.apple.com/ca/app/openvpn-connect/id590379981) device and add the `client.ovpn` file.

### 4) Browse freely!

You can ensure you're safely connected to your VPN by visiting [ipleak.net](https://ipleak.net/) and checking for DNS leaks. Leaks occur when DNS requests are not tunnelled through the VPN. If you identify leaks, ensure that DNS settings are not manually set in your network settings.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEESYClA57JitMYg1JBb8nUVLEJtZ8FAmIc1z8ACgkQb8nUVLEJ
tZ8ZCw/+PI1M67Qz113zN/bBttqlbg4L2cwmz9k8K9hx3rVG4GmjbLdYSqo6jUD1
vrgCSmxApfMMxxafDUjozLUOw1CxExFv9jzn/l6vpDsg2NVutp6AOd+t+VejVPyN
rzltBZiIEgTmswfjB7O+lTaLfBHEyLLBpzWHMbAV9sH56A0XvwWrXnDNNV4xTQau
WuBj9WeKcdmdErMC3dZF+1Q/A0B8yaYNBLFWE0UiZkUxjvMBxs5wq1se3ygZJJTf
Ls1wAa945MRUE2bGd3ZvPTSycaEw350QzTaEZVMISjKkhDq6gYZ2Xk+xpkASeu2G
1e9dGwEDx15GVr/S9sLGwCmzX2eCt1ows0Ze944s25ZBVuMI2cfuBBFEWD956B3L
OqvZeP9RYh7RvbtwJZwGXLRRTeJtJuMsiF6+sygvDRzoWc6pTb97L3orTcVBfyPM
3KVGIH6tfmk/HZd3e+Ctwi6B0suRJb0pizQ+ZLw2294ddwVPm8V4vn0DTon0f4AG
NYQChXGXsbtV/sLza9zdV6iDuRDydM18LFDsNnlxWo1q9ZbQd8rNjnaW0GL2gdQm
6DmJi9FIRSiHWJHrjq33XnUxj4cPhc2F+pB/vE4RZARzI46ThQ9PAJZPveq2Sy1n
5gbD9g6GFQ7A5qIAq95WnLmOWd54+8b0z5CmXE5M5uzQkgow3VE=
=v1CO
-----END PGP SIGNATURE-----