
Show HN: Poor Man's VPN With a Cheap VPS - tlongren
http://longren.io/poor-mans-vpn-with-a-cheap-vps/
======
yogo
Or just

    ssh -D localport -fN user@vps

Then for chrome/chromium:

    chromium --proxy-server="socks5:localhost:localport"

If you need multiple instances running different proxy connections use
different data directories like:

    chromium --user-data-dir="other-dir" --proxy-server="socks5:localhost:localport"

Edit: sshuttle covers more than port forwarding but the article was geared at
browsing the web through a vps hence my comment.
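
Added example, not code from the thread or from OpenSSH/Chromium: the SOCKS5 bytes (RFC 1928) a browser hands to the `ssh -D` listener, plus a check for the one thing worth verifying with this setup, namely whether the client sends the hostname (resolved by the remote sshd) or a locally resolved IP, which leaks every DNS lookup even though the TCP traffic is tunneled. Whether a browser sends the name depends on the client (Firefox, for instance, needs network.proxy.socks_remote_dns); the sample reply is constructed.

```python
"""Added example (not from the thread or from OpenSSH/Chromium): the SOCKS5
bytes a browser sends to the `ssh -D` listener (RFC 1928), and a check for
whether the request leaks DNS by carrying a pre-resolved address."""
import ipaddress
import struct

VER, CMD_CONNECT = 0x05, 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
# Partial reply-code table from RFC 1928.
REPLY_TEXT = {0x00: "succeeded", 0x01: "general failure", 0x05: "connection refused"}


def method_selection() -> bytes:
    """Greeting offering only 'no authentication', which is what ssh -D accepts."""
    return bytes([VER, 0x01, 0x00])


def connect_request(host: str, port: int) -> bytes:
    """Build a CONNECT request.  A DNS name is sent verbatim (ATYP 0x03) so the
    VPS end resolves it; an IPv4 literal is sent as ATYP 0x01.  IPv6 literals
    are not handled here."""
    try:
        dst = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        dst = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + dst + struct.pack("!H", port)


def leaks_dns(request: bytes) -> bool:
    """True when the client resolved the name itself (a local DNS query)
    instead of letting the remote sshd resolve it."""
    return request[3] != ATYP_DOMAIN


def parse_reply(reply: bytes) -> tuple[str, str, int]:
    """Decode the server reply into (status text, bound address, bound port)."""
    if len(reply) < 5 or reply[0] != VER:
        raise ValueError("malformed SOCKS5 reply")
    status = REPLY_TEXT.get(reply[1], f"error 0x{reply[1]:02x}")
    if reply[3] == ATYP_IPV4:
        bound, off = str(ipaddress.IPv4Address(reply[4:8])), 8
    elif reply[3] == ATYP_DOMAIN:
        n = reply[4]
        bound, off = reply[5:5 + n].decode(), 5 + n
    else:
        raise ValueError("unsupported address type in reply")
    return status, bound, struct.unpack("!H", reply[off:off + 2])[0]


# Constructed sample: a successful reply with an unspecified bind address.
SAMPLE_REPLY = bytes([VER, 0x00, 0x00, ATYP_IPV4, 0, 0, 0, 0, 0, 0])
```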

~~~
bluedino
GUI version of doing the same thing:

[https://calomel.org/firefox_ssh_proxy.html](https://calomel.org/firefox_ssh_proxy.html)

~~~
tlongren
Where's the GUI?

------
colinbartlett
For $20 LESS per year than this "poor man's VPN", I can get an actual VPN that
I don't have to maintain, has multiple world-wide POP's, and doesn't log
customer usage:
[https://www.privateinternetaccess.com](https://www.privateinternetaccess.com)

~~~
chime
True. However, the idea with this is that you probably have a spare low-end
VPS that you can use for VPN also.

~~~
nissehulth
You can get a low-end VPS for even less if you look at some VPS companies
special offers, like $15/year for 1GB RAM, 20GB disk, 1TB transfer/month. Yes,
low-end and most likely overbooked servers, but still decent enough for a
proxy.

~~~
rahimnathwani
You don't need so much RAM for a VPN server with a few users. You can get by
with 128MB (or even less if you're ruthless), and get such servers for
$7.50-$15.00 per year.

Check out: [http://www.lowendstock.com/](http://www.lowendstock.com/)
[http://www.lowendbox.com/](http://www.lowendbox.com/)
[http://www.lowendtalk.com/categories/offers](http://www.lowendtalk.com/categories/offers)

~~~
Istof
wow, I never knew you could get a vps for that cheap, thanks.

------
borski
We built an incredibly easy single click OpenVPN setup tool for DigitalOcean
and Rackspace during Sochi:
[http://www.tinfoilsecurity.com/vpn](http://www.tinfoilsecurity.com/vpn)

Enter API key creds, it makes the box for you, sets it up, and hands you a
config you can use for your client of choice. (The script is open source for
those of you that don't want to enter creds - we don't store them, and
actually remove access whenever we can; for example, we delete our own SSH key
from DO because they let us).

~~~
mrfusion
That's brilliant! Does it really work? How would one connect to it?

~~~
borski
Works great. :) we give you, at the end, a config file you can use for your
OpenVPN client of choice. We like viscosity on win/Mac:
[https://www.sparklabs.com/viscosity/](https://www.sparklabs.com/viscosity/)

~~~
rahimnathwani
Out of curiosity - why not TunnelBlick on Mac?

~~~
borski
Have you used it? The Viscosity UI is, in my opinion, bounds better - easier
to use, more obvious configuration options, etc.

~~~
rahimnathwani
I started using TunnelBlick before I had heard of Viscosity. The UI isn't
great but it was easy enough to install and configure.

I will check out Viscosity, as I don't particularly like having to use the
config files directly each time I want to make a small change. Do you know
whether the performance (throughput, latency) differs between the two?

~~~
borski
I haven't noticed any difference, but I don't have any statistics for that.
Just "feel."

------
kh_hk
Always wonder how come _tinc_ is not as popular as other VPN solutions. Peer
to peer network routing via tun/tap interfaces, all traffic encrypted, each
host has a public/private key pair.

I have been using it to build a VPN network with cheap VPS from different
providers and found it really reliable and easy to set up. Besides that, I once
used it to watch some South Park in the UK and it also worked wonders, no need to
even set up a proxy, just route your traffic through the interface.

Link for the interested: [http://www.tinc-vpn.org/](http://www.tinc-vpn.org/)

~~~
codexon
Tinc is difficult to set up and uses a custom protocol which may not be
thoroughly vetted.

~~~
p8952
I can't comment on the protocol, but tinc is very easy to set up. You just
need to generate pub/priv keys and then add your routes in
/etc/tinc/vpn/tinc-up. We're running it in production with ~30 nodes worldwide
and using puppet to dynamically add/remove nodes on the fly.

What is great is it's able to re-route around any peering issues suffered by
local ISPs. Say you have three nodes in the US, UK, JP and your JP ISP loses
routing to your US ISP. If both can still route to the UK then tinc will
automatically keep traffic flowing.

~~~
codexon
Of course if you manage to get a template set up it is easy.

But now that I haven't set up tinc for a while I have no idea how to do it again
and the examples are horrible.

Every node needs to have a copy of every other node's configuration file and
it is annoying to add a file to N servers when you are adding the N+1th
server.

~~~
kh_hk
For the setup I will say it is on the same level of difficulty as it would be
to set up iptables and routes manually. Yes, tinc does not abstract any of
these things from you. But if you know what you are doing (not saying I always
know what I am doing) it can be a powerful tool to build the exact network you
want without any provider lock-in.

Now, I must agree on that, it might not be a friendly solution for dead easy
routing to an exit node as a proxy with dns-tunneling built in. I just wanted
to know why tinc does not get enough love, and you answered accordingly. But
if you are building a serious network I do think tinc hits the sweet spot
between being easy and allowing for any network you can think of without being
tied to a particular server provider that might offer private IPs.

As for the configuration I use git, which makes it super easy to set up the
N+1th server. None of the private keys are committed to the repo, of course.
My infrastructure is not that big so I am still doing some things by hand, but
it should be easy to automate some parts by using git hooks +
puppet|ansible|chef.

About the protocol I do not understand why it would be a problem, other than
not being ssh or the possibility of being filtered over the network. Don't
most VPN solutions have their own protocol?

~~~
codexon
If you put your configuration files on github then someone can figure out
which IPs they can ddos.

The problem with a non-vetted protocol is that it could have flaws.

~~~
kh_hk
s/github/git/

------
Spittie
Like everyone else here, I've been using ssh -D. Which is awesome especially
because I have my hosts organized into my ~/.ssh/config file, so if I need a
connection in the USA, I'll just type "ssh -D 4444 us".

I have a similar setup on my Android phone, by using Vx ConnectBot
([http://connectbot.vx.sk/](http://connectbot.vx.sk/)) plus ProxyDroid
([https://github.com/madeye/proxydroid](https://github.com/madeye/proxydroid)).

If anyone needs some of the advanced features provided by OpenVPN, I can
suggest this script:
[https://github.com/Nyr/openvpn-install](https://github.com/Nyr/openvpn-install).
I've successfully used it to install OpenVPN several times, and it's mostly
effortless.

As for the VPSs, I can suggest
[http://lowendspirit.com/](http://lowendspirit.com/), awesome owner and can't
beat the 3€/year (yes, year) price. You don't get a public dedicated IPv4, but
if you need only a VPN then it's not really needed.

~~~
jzelinskie
You can actually specify the -D in your .ssh/config with "Dynamic Forward
1234". Now whenever you connect, it'll also open up a proxy to which you can
optionally connect.

Another neat trick is having a wildcard for a host to set global options, like
compression.

Here's a little sample of what my ~/.ssh/config looks like:
[https://gist.github.com/jzelinskie/10675197](https://gist.github.com/jzelinskie/10675197)
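
Added example, not the commenter's gist or OpenSSH code: a small emulation of how ssh resolves options from ~/.ssh/config, to show the caveat that goes with the wildcard trick above. ssh keeps the first value it obtains for each option (forwarding options such as `DynamicForward`, the actual spelling of the keyword, accumulate instead), so a `Host *` block only works as a set of defaults when it comes after the specific hosts. The config text and host names are constructed; Match blocks, `=` separators and `!` negation are left out.

```python
"""Added example (not from the thread or from OpenSSH): a small emulation of
how ssh resolves options from ~/.ssh/config, to show why a wildcard block
must come last.  The config text and host names are constructed."""
import fnmatch

# Forwarding options accumulate; every other option keeps its first value.
MULTI_VALUED = {"dynamicforward", "localforward", "remoteforward"}

# Constructed sample: specific hosts first, `Host *` defaults last.
SAMPLE_CONFIG = """\
Host us
    HostName vps-us.example.invalid
    User deploy
    DynamicForward 4444

Host *
    Compression yes
    ServerAliveInterval 30
    User fallback
"""


def parse_config(text: str) -> list[tuple[list[str], list[tuple[str, str]]]]:
    """Return (host patterns, [(key, value), ...]) stanzas in file order.
    Simplified: no Match blocks, no '=' separators, no '!' negation."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            stanzas.append((value.split(), []))
        elif stanzas:
            stanzas[-1][1].append((key, value))
    return stanzas


def effective_options(text: str, host: str) -> dict:
    """Apply ssh's rule: the first value obtained for an option wins, so an
    earlier `Host *` silently overrides later per-host settings."""
    opts: dict = {}
    for patterns, options in parse_config(text):
        if not any(fnmatch.fnmatchcase(host, p) for p in patterns):
            continue
        for key, value in options:
            if key in MULTI_VALUED:
                opts.setdefault(key, []).append(value)
            else:
                opts.setdefault(key, value)
    return opts
```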

------
driverdan
This should be called a lazy man's VPN, not poor. You can run a VPN on the
same $5/m VPS.

~~~
scottlinux
Or lazy man's ssh tunnel. :)

~~~
tlongren
I think that's the most succinct name so far. Like it. Maybe I should re-title
the post.

------
Karunamon
OpenVPN is nice too and will work on the same cheap VPS. They have a command
line version, and a paid product, Connect, which has a web UI for
configuration.

It's free for a low number of users, though. And it also has clients for
Android.

I find that I get better speeds through OVPN than through an SSH tunnel. YMMV
:)

~~~
reedalex01
OpenVPN defaults to tunneling over UDP, but optionally supports TCP. SSH is
always over TCP. Here's a bit of info from the man page [1] for anyone who's
curious:

" OpenVPN is designed to operate optimally over UDP, but TCP capability is
provided for situations where UDP cannot be used. In comparison with UDP, TCP
will usually be somewhat less efficient and less robust when used over
unreliable or congested networks."

[1]
[https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage](https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage)

More detailed info: [http://sites.inka.de/sites/bigred/devel/tcp-tcp.html](http://sites.inka.de/sites/bigred/devel/tcp-tcp.html)

------
robk
SoftEther is really simple to configure and works very well using normal VPN
clients, which is easier for non-tech friends/colleagues to access vs SSH.

~~~
erbo
+1 to SoftEther. I've been using it as a replacement for Hamachi (which
recently went pay-only), allowing my godsons to log into my Minecraft server.
I have it set up with a server running on a DigitalOcean VPS and the bridge to
my internal network running on a Raspberry Pi.

~~~
guyinblackshirt
+1 for SoftEther, also works better in China because of the protocols
supported.

Another noteworthy script for instantiating an OpenVPN server quickly is this:

[http://scramblevpn.wordpress.com/2013/09/22/raspberry-pi-and-patched-openvpn-server/](http://scramblevpn.wordpress.com/2013/09/22/raspberry-pi-and-patched-openvpn-server/)

Again, this has emphasis on scrambled connections (i.e. China).

------
wernerb
I can also recommend Docker + joyent/digital ocean with Openvpn. [0] Just
paste a few commands, install tunnelblick and you are ready to go.

[0] [http://blog.docker.io/2013/09/docker-joyent-openvpn-bliss/](http://blog.docker.io/2013/09/docker-joyent-openvpn-bliss/)

------
babuskov
Am I crazy for using PPP over SSH for this?

I enabled masquerading on the server for ppp0 interface and then I'm doing
this on the client:

    # drop the current default route, but keep a direct route to the VPS via the local gateway
    route del default
    route add -host vps.host gw my_local_gateway eth0

    # start a local pppd whose "serial line" is an ssh session running pppd on the VPS
    # (nodetach keeps pppd in the foreground, so the next line runs once pppd exits
    # or from a second shell)
    pppd pty "ssh vps.host -t -e none -o 'Batchmode yes' sudo /usr/sbin/pppd" 192.168.16.1:192.168.16.254 local nodetach silent

    # send everything else through the tunnel
    route add default ppp0

I guess some of this could be automated in ppp-options but I never bothered as
it's a simple script I can run at any time.

~~~
plantain
>Am I crazy for using PPP over SSH for this?

Yes. You'll get all kinds of performance weirdness running TCP-over-TCP[1]

[1] [http://sites.inka.de/~W1011/devel/tcp-tcp.html](http://sites.inka.de/~W1011/devel/tcp-tcp.html)

~~~
babuskov
Interesting. I guess I do not use it often enough to encounter those issues.

Thanks for the link, it's really useful to know this.

------
sitkack
This sort of VPN is useful for getting around filtering and blockades but is
not good for deniability. Tor and/or a commercial VPN that doesn't keep logs
is for being more anonymous.

~~~
computer
How is a commercial VPN that _claims_ not to keep logs more deniable than
running your own VPS that definitely doesn't keep logs?

~~~
probably_wrong
Well, the commercial VPN may or may not log traffic, so let's say it's 50/50.

Your VPS, on the other hand, is _your_ VPS. If the police comes to your
server, the company has no reason to hide who you are. That's 0% deniability,
they'll come straight to you as the owner of the server. You'll then have to
prove somehow it wasn't you (and you were, so it's a tough one). At the very
least you'll get lawyers involved.

------
quasque
Seems like an easier solution would be to run Tor on the VPS instead of via
his home internet connection. Nice to learn about sshuttle though.

~~~
tlongren
I have a VPS specifically setup for a Tor relay, as well. :) We're moving soon
and will likely retire the "home" Tor relay.

Not poor yet, but on my way to being there it'd seem.

~~~
ztnewman
I'm pretty sure most VPS hosts wouldn't be too happy with that

------
rahimnathwani
I thought this would be an article about setting up PPTP and/or OpenVPN on a
low end VPS. For anyone doing this for the first time, these shell scripts may
be helpful:

[https://github.com/cwaffles/ezpptp](https://github.com/cwaffles/ezpptp)

[https://github.com/cwaffles/ezopenvpn](https://github.com/cwaffles/ezopenvpn)

------
chewxy
I was setting up my connections before going to China. I found this guide
useful: [https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/](https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/)

------
vpnwebistes
There are top cheap VPN providers, to find a decent one check out list of
[http://vpnwebsites.com/](http://vpnwebsites.com/).

------
tlongren
Thank you for all the responses. It's apparent there's MANY other options, and
probably much cheaper options.

Given me a LOT to think about. Thank you all. :)

------
kayman
OpenVPN Access Server takes only a few minutes to set up. DigitalOcean has an
article on how to as well.
[https://www.digitalocean.com/community/articles/how-to-install-openvpn-access-server-on-ubuntu-12-04](https://www.digitalocean.com/community/articles/how-to-install-openvpn-access-server-on-ubuntu-12-04)

------
gprasanth
ssh -D along with proxychains - been doing this for ages.