
How to Setup a Secure VPN Server on Raspberry Pi or DigitalOcean - spaceboy
https://blog.hsp.dk/how-to-setup-vpn-server-on-raspberry-pi-or-digitalocean/
======
lwf
The recommendation to use a 1024-bit RSA key worries me. In an era of passive,
bulk surveillance, that seems too weak if you're not going to be using any
additional transport-layer security.

The performance argument is only relevant for the establishment of the VPN
connection and any periodic rekeying — it _shouldn't_ have any impact on the
tunnel's perf.

It's a shame openvpn's easy-rsa doesn't provide a straightforward mechanism to
generate ECDSA certificates, which would've removed any performance concerns.

--

edit: easy-rsa _does_ support ECDSA[1]:

_Support for generating an ECDSA certificate chain is available in EasyRSA
(in spite of its name) since EasyRSA 3.0. The parameters you're looking for
are '--use-algo=ec' and '--curve=<curve_name>'. See the EasyRSA
documentation for more details on generating ECDSA certificates._

[https://github.com/OpenVPN/openvpn/blob/master/README.ec](https://github.com/OpenVPN/openvpn/blob/master/README.ec)

------
fauigerzigerk
Using a SOCKS5 tunnel over ssh seems like an interesting ad hoc alternative
for web browsing only: [https://www.digitalocean.com/community/tutorials/how-to-rout...](https://www.digitalocean.com/community/tutorials/how-to-route-web-traffic-securely-without-a-vpn-using-a-socks-tunnel)

But crucially you'd want to make your browser use the tunnel for DNS as well:
[http://superuser.com/questions/103593/how-to-do-dns-through-...](http://superuser.com/questions/103593/how-to-do-dns-through-a-proxy-in-firefox/260658#260658)

Careful if you're using this for something dangerous. I'm not a computer
security expert by any stretch and I don't know whether the people who have
written these articles are. Chances are that this is completely broken and
will reveal your IP address and identity.

~~~
sshtunnels
Yeah, I use SOCKS5 over SSH all the time, although I didn't follow that
particular guide. I am also not an expert but after making sure DNS requests
were tunneled, I wasn't able to see any cleartext at all using Wireshark.

It is not a Tor replacement or anything. I think it should be effective at
simple things like: masking personal browsing at work[0], masking browsing
habits from your ISP.

[0] Obviously if you use a company computer, you could be keylogged/monitored
in other ways. Use your judgement.
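
The "making sure DNS requests were tunneled" step above is the one that is easy to get wrong with `ssh -D`. The following is an added example, not code from either linked guide: a POSIX shell check that reads a Firefox `user.js`/`prefs.js` and reports whether the profile is set to resolve names through the SOCKS5 listener rather than locally. The pref names are Firefox's own; the two sample profiles, the `127.0.0.1:1080` listener and the `user@vps` host are constructed.

```shell
#!/bin/sh
# Added example (not from the linked guides): verify a Firefox profile sends
# DNS through an SSH SOCKS5 tunnel. The tunnel itself is opened with e.g.
#   ssh -N -D 127.0.0.1:1080 user@vps      (assumed host; -N = no remote shell)
# The pref names are Firefox's own; the sample profiles below are constructed.

# pref_value FILE NAME: print the value of the last user_pref(NAME, ...) line,
# with surrounding quotes removed (dots in NAME match any char, which is fine
# here because the name must be followed by a literal '"').
pref_value() {
    sed -n "s/^user_pref(\"$2\", *\(.*\));\$/\1/p" "$1" | tail -n 1 | tr -d '"'
}

# check_firefox_socks_dns FILE: print each missing setting; return 0 if all
# four are present, 1 otherwise.
check_firefox_socks_dns() {
    prefs=$1
    bad=0
    [ "$(pref_value "$prefs" network.proxy.type)" = 1 ] ||
        { echo 'network.proxy.type must be 1 (manual proxy configuration)'; bad=1; }
    [ -n "$(pref_value "$prefs" network.proxy.socks)" ] ||
        { echo 'network.proxy.socks (SOCKS host) is not set'; bad=1; }
    [ "$(pref_value "$prefs" network.proxy.socks_version)" = 5 ] ||
        { echo 'network.proxy.socks_version must be 5 (what ssh -D provides)'; bad=1; }
    [ "$(pref_value "$prefs" network.proxy.socks_remote_dns)" = true ] ||
        { echo 'network.proxy.socks_remote_dns must be true: otherwise lookups go to the local resolver'; bad=1; }
    return $bad
}

# Constructed sample: proxy set, but names are still resolved on the local
# network, so an observer there sees every hostname you visit.
write_leaky_userjs() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 1080);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", false);
EOF
    echo "$f"
}

# Constructed sample: the same profile with remote DNS enabled.
write_tunneled_userjs() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 1080);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
EOF
    echo "$f"
}

main() {
    for f in "$(write_leaky_userjs)" "$(write_tunneled_userjs)"; do
        if check_firefox_socks_dns "$f"; then
            echo "$f: DNS lookups go through the SOCKS tunnel"
        else
            echo "$f: fix the settings listed above"
        fi
        rm -f "$f"
    done
}
main
```

Point it at the profile's real `prefs.js` to check a live profile; a leak means the untrusted network (not the VPS) still sees every name you resolve, which is exactly what the Wireshark check in the comment above was looking for.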

~~~
eriknstr
> masking browsing habits from your ISP

What I don't get is why people think that random VPS and VPN providers would
somehow be better for your privacy than to let your ISP see the content of
your traffic.

~~~
kijin
Your ISP and your government have a strong interest in monitoring what you do,
and they are more likely to take action against you if they don't like what
you do.

A random VPS service (preferably in another country) only cares about you
insofar as you pay them and don't cause any trouble to them. They don't have
as much of an incentive to invade your privacy as your home ISP does, and I
trust incentive structures a lot more than I trust boilerplate words on a
privacy policy.

It can also be a matter of opportunistic encryption. Most public wi-fi is
vulnerable to anyone in the vicinity, in addition to the usual ISP and the
NSA. Use a VPN and now you're only vulnerable to the VPS service and the NSA.
That's quite a bit of improvement.

You also have the freedom to choose a VPS service with good connectivity in a
relatively less snoopy country, a luxury you often don't have in choosing your
home ISP.

~~~
viraptor
> They don't have as much of an incentive to invade your privacy as your home
> ISP does

They have a much better opportunity of correlating traffic than anyone else.
It's not separated by an IP anymore. They've got a specific account they can
connect to a specific person (via billing). I believe if they wanted to sell
the traffic logs, they'd easily find customers.

Also there have been companies like Hola ([https://torrentfreak.com/hola-vpn-sells-users-bandwidth-1505...](https://torrentfreak.com/hola-vpn-sells-users-bandwidth-150528/))
that do outright evil things just because you run their software. Facebook
bought Onavo VPN which gave them more traffic visibility.

There's also a few VPN services which will replace / inject ads into pages you
visit without https.

So yeah - a lot of reasons to invade both your security and your privacy here.

~~~
kijin
I said VPS service, not VPN service. I don't trust VPN services at all.

Meanwhile, I doubt that Linode has any interest in injecting ads or selling
traffic logs.

------
noarchy
Regarding DigitalOcean VPNs, I think enough people have been doing this that
it is starting to show in unpleasant ways. While using my DO VPN I've
encountered captchas while using YouTube, of all sites, likely because of
abuse they've seen at the hands of DO VPN users. I've also seen my DO IP range
outright banned by other sites.

~~~
tyingq
Probably similar for any other popular VM provider. Many webmasters, for
example, block AWS IP ranges because there tends to be a lot of abusive
traffic, crawlers, etc, from there.

Going with a smaller company for a VPS intended for use as a VPN is a good
idea.

~~~
TuringNYC
Any suggestions on smaller companies that are flying under the radar so far?

~~~
XERQ
I'm the founder of SSD Nodes, Inc., which is a bootstrapped SSD-based hosting
provider for startups that I've been working on since 2011. We have several
locations which are great for VPNs: NYC, Dallas, Seattle, and Montreal. We're
really good about curbing abuse, so our IPs usually don't have any issues
(there's also a 14-day refund if it doesn't work out, we're very generous with
refunds).

[https://www.ssdnodes.com/startup-specials/](https://www.ssdnodes.com/startup-specials/)

/utterly shameless plug

~~~
yjftsjthsd-h
It might be worth it for the reasons you mention, but the lowest end plan is
still far overpowered for VPN use and that's reflected in pricing.

~~~
tyingq
$5.49 a month seems reasonable to me. I'm sure you could find something
cheaper, but not much cheaper.

------
freestockoption
I prefer to use layer 2 bridging in OpenVPN with a separate hardware device
(OpenWrt on a wallwart router, rackmount Atom board). This way my client
machines have no idea they are on a VPN and everything gets tunneled through
the VPN (no DNS leaks unless my router is misconfigured).

In OpenWrt, it's basically:

- set up OpenVPN with a TAP device
- create a VLAN, assign some ports on the switch (optionally, a wifi SSID for VPNed wifi)
- bridge the VLAN with the TAP device

------
tribby
this is not secure; it will leak your ipv6 address by default. use openvpn's
ipv6 features to route ipv6 traffic as well[0]. using openvpn ipv6 is a PITA
on digitalocean because they only provide a /124, when openvpn requires at
least a /112. you can get around this using ip6tables to route a /112 address
range you don't actually have access to, and the only consequence will be a
loopback if you try to access one of the digitalocean IPs you are claiming to
have in your available pool while connected to the VPN.

also, 1024 dh prime is unsafe depending on your threat model[1]. use 2048 if
nation states bother you, or 4096 if truly paranoid or at high risk /
performance isn't an issue. no reason not to bump up the RSA keys too.

0. [https://community.openvpn.net/openvpn/wiki/IPv6](https://community.openvpn.net/openvpn/wiki/IPv6)

1. [https://weakdh.org/](https://weakdh.org/)

------
maulwuff
Yet another setup which forgets that there is a world outside IPv4. Any IPv6
traffic will not pass through the VPN but instead bypass it.

------
Perceptes
A good alternative is Algo:
[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

~~~
spaceboy
Here's a few more:

[https://github.com/sovereign/sovereign](https://github.com/sovereign/sovereign)

[https://github.com/Nyr/openvpn-install](https://github.com/Nyr/openvpn-install)

[https://github.com/ttlequals0/autovpn](https://github.com/ttlequals0/autovpn)

[https://github.com/robbintt/popup-openvpn](https://github.com/robbintt/popup-openvpn)

[https://github.com/jlund/streisand](https://github.com/jlund/streisand)

~~~
cagmz
I usually use Angristan's (improves on Nyr's):

[https://github.com/Angristan/OpenVPN-install](https://github.com/Angristan/OpenVPN-install)

------
nodesocket
Nice post. I actually just wrote a post myself on setting up a native Cisco
IPsec VPN server on a Raspberry Pi 3. Cisco IPsec works natively on macOS and
iOS with no 3rd party software, which was a requirement for me.

[https://blog.elasticbyte.net/setting-up-a-native-cisco-ipsec...](https://blog.elasticbyte.net/setting-up-a-native-cisco-ipsec-vpn-server-using-a-raspberry-pi/)

------
akoster
Another alternative (specific to the pi):
[http://www.pivpn.io](http://www.pivpn.io)

------
hedora
Is there an easy way to enable DNS over OpenVPN? That appears to be the
biggest hole in this tutorial. Untrusted networks get to observe/spoof DNS,
and the clients can't use the LAN DNS server to find stuff behind the
firewall. (Or am I missing something?)

~~~
sigmar
This tutorial includes configuring it as a "redirect-gateway" which will
include all DNS traffic.
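
Several comments in this thread point at the same three server-side gaps: DNS (hedora's question above), IPv6 bypassing the tunnel (tribby, maulwuff), and a 1024-bit DH group (lwf, tribby). The following is an added example, not code from the tutorial or from any commenter: a POSIX shell linter that reads an OpenVPN server config and reports those gaps. It checks for `push "redirect-gateway def1"`, a pushed DNS server, an IPv6 pool plus an IPv6 default route, and a `dh` file whose name says 1024. The directive names are standard OpenVPN 2.4 ones; the two sample configs and the `fd00:dead:beef::/64` prefix are constructed, and DH strength is judged from the file name only (inspect the file with `openssl dhparam -text` for the real size).

```shell
#!/bin/sh
# Added example: lint an OpenVPN server config for the gaps raised in this
# thread (DNS leaks, IPv6 bypass, weak DH). Not code from the tutorial.
# Assumptions: standard OpenVPN 2.4 directive names; DH strength is judged
# from the file name on the 'dh' line only; sample configs are constructed.

# lint_openvpn_conf FILE: print one finding per line; return 0 only if none.
lint_openvpn_conf() {
    conf=$1
    findings=0
    # Drop comment lines (# or ;) and leading whitespace before matching.
    body=$(sed -e '/^[[:space:]]*[#;]/d' -e 's/^[[:space:]]*//' "$conf")

    # 1. IPv4 default route: without this only the VPN subnet goes via tun.
    if ! printf '%s\n' "$body" | grep -q '^push "redirect-gateway[^"]*def1'; then
        echo 'MISSING push "redirect-gateway def1": client keeps its normal default route'
        findings=$((findings + 1))
    fi

    # 2. Resolver: redirect-gateway moves the default route, but a resolver on
    #    the client's own LAN is still reached via the more specific local
    #    route, so the untrusted network keeps seeing (and can spoof) DNS.
    if ! printf '%s\n' "$body" | grep -q '^push "dhcp-option DNS '; then
        echo 'MISSING push "dhcp-option DNS <addr>": DNS queries leave via the local network'
        findings=$((findings + 1))
    fi

    # 3. IPv6: with no IPv6 pool and no IPv6 default route pushed, a dual-stack
    #    client sends IPv6 traffic straight out of the local network.
    if ! printf '%s\n' "$body" | grep -q '^server-ipv6 '; then
        echo 'MISSING server-ipv6: IPv6 traffic bypasses the tunnel entirely'
        findings=$((findings + 1))
    elif ! printf '%s\n' "$body" | grep -q -E '^push "(redirect-gateway[^"]* ipv6|route-ipv6 ::/0)'; then
        echo 'MISSING IPv6 default route push (redirect-gateway ... ipv6): IPv6 still bypasses the tunnel'
        findings=$((findings + 1))
    fi

    # 4. DH parameters: 1024-bit groups are the weakdh.org problem.
    dh=$(printf '%s\n' "$body" | sed -n 's/^dh[[:space:]][[:space:]]*//p')
    case $dh in
        *1024*) echo "WEAK dh $dh: 1024-bit group, regenerate with at least 2048 bits"
                findings=$((findings + 1)) ;;
    esac

    [ "$findings" -eq 0 ]
}

# Constructed "before" config: roughly what apt-get openvpn plus the defaults
# leaves you with.
write_weak_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
persist-key
persist-tun
EOF
    echo "$f"
}

# Constructed "after" config that clears all four findings. The ULA prefix
# is made up; on a host with only a /124 (tribby's DigitalOcean case) the
# IPv6 side needs the extra routing work described in that comment.
write_hardened_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
# constructed ULA prefix for the tunnel's IPv6 pool
server-ipv6 fd00:dead:beef::/64
push "redirect-gateway def1 ipv6"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
persist-key
persist-tun
EOF
    echo "$f"
}

main() {
    for f in "$(write_weak_sample)" "$(write_hardened_sample)"; do
        echo "== $f"
        if lint_openvpn_conf "$f"; then echo "no findings"; else echo "fix the above"; fi
        rm -f "$f"
    done
}
main
```

Run it against `/etc/openvpn/server.conf` after following a tutorial; the pushed DNS address must be a resolver reachable only through the tunnel (the server's own tun address, as in the sample), otherwise finding 2 is silenced without the leak being closed.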

------
suprjami
This seems a bit pointless to me.

If your aim is to hide your traffic from third-party networks you might be on
(free wifi, school, hotels, etc) then a yearly VPN subscription is almost
certainly cheaper than the cheapest DigitalOcean droplet. If you get a good
provider (I use PIA but am not affiliated with them) then you get unlimited
traffic, multiple clients, endpoints all over the world, tech support, all
without having to set up and administer the server yourself.

If your aim is to disassociate traffic with yourself, your DigitalOcean IP
will be tied back to you anyway.

If your aim is to stop government snooping, DigitalOcean is hosted in the USA
so you may as well just send the NSA your browsing history.

~~~
withzombies
I trust Digital Ocean much more than I trust PrivateInternetAccess. I also
don't want to be associated with the _other_ traffic going through PIA or
similar VPNs.

~~~
dbg31415
Curious, why don't you trust PIA? Have they done anything shady?

------
dboreham
Interesting. I have set up a few VPN servers of various kinds (and other
network trickery) in Virtual Machine hosting services, and ultimately gave up
due to issues with TSO (TCP Segmentation Offload
[https://en.wikipedia.org/wiki/Large_receive_offload](https://en.wikipedia.org/wiki/Large_receive_offload))
interacting badly with PMTUD
([https://en.wikipedia.org/wiki/Path_MTU_Discovery](https://en.wikipedia.org/wiki/Path_MTU_Discovery)).
The result was that TCP streams (often Downton Abbey, fwiw) inbound from a
remote server, tunneled to me via the VPN, would stall and generally suffer
from poor QoS.

I spent some time submitting support tickets to all the hosting providers I
had tried (many). Every one of them told me that they had no way to disable
TSO and the other common TCP offload features on their hosts.

So now I use Packet.net which gives me an honest to goodness actual bare metal
machine (over which I have complete control), for much the same price.

------
no_wizard
This reminded me of [https://www.softether.org](https://www.softether.org)
which is purported to be a faster and just as secure alternative to OpenVPN
and looks pretty straightforward to set up. I did post another thread on this
but I'm not sure if it's inappropriate to post here too... wondering if anyone
has had experience with it.

Also shoutout to Dr Duh who gave a nice run down of setting up vpn on a VPS

[https://github.com/drduh/Debian-Privacy-Server-Guide/blob/ma...](https://github.com/drduh/Debian-Privacy-Server-Guide/blob/master/README.md#openvpn)

Edit: Just realized that others have already noted and commented about
SoftEther. Sorry guys!

------
git-sgmoore
These are the steps I take: [https://github.com/git-sgmoore/OpenVPN_Ipsec_L2tp_server_on_...](https://github.com/git-sgmoore/OpenVPN_Ipsec_L2tp_server_on_Digital_Ocean)

------
btgeekboy
If it's just for yourself, install the OpenVPN AS (Access Server), and call it
a day. You get 2 free simultaneous users, and it deals with all of the
certificates, etc for you.

------
leni536
I use zerotier instead of openvpn, I really like the p2p aspect of it.

------
jonatbergn
I use [https://www.softether.org/](https://www.softether.org/). Setup of a VPN
server never was easier.

~~~
unsignedint
I like SoftEther, too. Broad support of protocols (including OpenVPN) works
well, too.

------
scandox
I did a reasonably detailed tutorial for setting up your own VPN with
Softether

[http://www.selectedintelligence.com/post/128701492804/softet...](http://www.selectedintelligence.com/post/128701492804/softether)

------
caspereeko
You can check oh-my-vpn to set up an OpenVPN server in a one-liner command:
[https://github.com/alaa/oh-my-vpn](https://github.com/alaa/oh-my-vpn)

------
rtnyftxx
just in case [https://bettercrypto.org/](https://bettercrypto.org/)

------
pyed
... or just use a docker container.

------
118383
Not really that knowledgeable about maintaining servers, but is it really
enough to just straight away 'apt-get openvpn'?

Surely for it to be a 'secure VPN server' there has got to be some stuff set
up first, like setting up key only login, disabling root ssh login, disabling
everything ssh, setting up firewall, disabling ipv6 entirely in the case of
openvpn?

I run a VPN on DigitalOcean and it's amazing looking at the logs and seeing
how quickly, and how many, attempts there are to break into the server straight
after setting it up. As a person who isn't completely sure of what I am doing
when it comes to firewalls and setting up 'jails' or whatever, this kinda
makes me uneasy. I wouldn't even be sure how to tell if anyone had broken into
my server...

[https://www.linode.com/docs/networking/vpn/set-up-a-hardened...](https://www.linode.com/docs/networking/vpn/set-up-a-hardened-openvpn-server)

This has been the most useful guide that I have found on setting up an openvpn
server. It has a bunch of steps to go through before you get to actually
installing openvpn. But as I said, I am not that knowledgeable myself when it
comes to running a server, so this may all just be unnecessary.

~~~
spaceboy
That's good advice. It's necessary and worth it to harden any server that you
deploy bash recipes on. The amount of tutorials online that leave out the IPv6
advice in that Linode article is astonishing.

