Create a VPN server on your Linux PC
Have you ever connected to a Wi-Fi network that you don't completely trust? I'm talking about public networks, like those in hotels or clubs. In that case, how can you browse safely over such a “weak” network? Through a VPN.
A VPN (Virtual Private Network) is a private telecommunications network, established as a connection between subjects using a public and shared transmission protocol, such as the Internet protocol suite. (Taken from Wikipedia)
The purpose of VPNs is to offer businesses, at a lower cost, the same possibilities as private leased lines, but using shared public networks: a VPN can therefore be seen as the geographic extension of a company's secure private local network, connecting the company's sites spread over a wide area by exploiting IP routing for transport on a geographic scale, effectively creating a LAN that is precisely “virtual” and “private”, equivalent to a dedicated physical network infrastructure (that is, one with physical connections). (Taken from Wikipedia)
All clear? In short, when connecting to a VPN it will be as if our client were physically in the server's LAN. We will see the hosts that the server sees, and we will have the limitations (such as firewalls or blacklists) that the server has.
There are a variety of VPN services available, each with different characteristics. Google itself recently launched its own VPN (you need to subscribe to Google One); others are free. They all differ in speed, security and services offered. Many VPNs, including commercial ones, use OpenVPN as the software that manages the VPN.
OpenVPN creates an encrypted tunnel between two points, preventing any third party from accessing the traffic data. By starting your own VPN server you become your own VPN provider. Many proprietary services use OpenVPN as a backend, so why tie yourself to one in particular when you could be in full control?
Create a Linux server
There is little to say here. Install any Linux distribution on a PC. The hardware of the PC in question does not have to be of the latest generation if we are going to use it only as a VPN server. For this article we will use Fedora, but don't feel tied to this distribution: OpenVPN can be installed on any Linux system.
After installing Fedora on our PC we will need to configure the network. To do this we will need to log in via console or SSH.
First we download the updates and reboot the system.
~$ sudo dnf update -y && sudo reboot
Let's log in again and disable the firewall.
~$ sudo systemctl disable firewalld.service
~$ sudo systemctl stop firewalld.service
You may want to enable some of your firewall rules for the internal network. If so, finish configuring OpenVPN first with the firewall down, and enable the firewall rules later. There is a very detailed post on the Red Hat blog.
The IP address
The commands below assume your network interface is called ens3 by the system. In your case it may have another identifier, so check what it is called with the following command.
~$ sudo nmcli connection show
NAME  UUID                                  TYPE      DEVICE
ens3  18916b35-9d58-42bc-bdc6-fc0659480875  ethernet  ens3
You will need to make sure that you can connect to your VPN server remotely. There are two ways: set the IP statically on the LAN (this is my advice), or let the router do the dirty work.
Configure the IP manually
Set a static IP, the gateway and the DNS with the following commands (enter the IP of your server).
~$ sudo nmcli connection modify ens3 ipv4.addresses 10.10.10.97/24
~$ sudo nmcli connection modify ens3 ipv4.gateway 10.10.10.1
~$ sudo nmcli connection modify ens3 ipv4.dns 10.10.10.10
~$ sudo nmcli connection modify ens3 ipv4.method manual
~$ sudo nmcli connection modify ens3 connection.autoconnect yes
And finally we set a hostname.
~$ sudo hostnamectl set-hostname OVPNserver
If you have a local DNS server you will need to set a DNS entry with the hostname pointing to the IP of the VPN server.
Restart your PC and make sure that the given settings are effective when you turn it back on.
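As an added example (not code from the original post), here is a Python script that performs the two checks from this section before you touch the live configuration: it looks up the NetworkManager connection name bound to a device in the terse output of nmcli connection show (the sample output below is constructed and embedded inline), and it verifies that the static address, gateway and DNS entries are consistent with each other before emitting the nmcli commands shown above. A gateway outside the subnet, or an address that is the network or broadcast address, would leave the server unreachable after the reboot, which is exactly what the final check in this section is meant to catch. The function names and the sample output are assumptions of this example.

```python
import ipaddress

# Constructed sample of `nmcli -t -f NAME,UUID,TYPE,DEVICE connection show`
# (terse mode, colon-separated, chosen because connection names may contain
# spaces). Not captured from a real host; the ens3 UUID is the one in the post.
SAMPLE_NMCLI_TERSE = """\
ens3:18916b35-9d58-42bc-bdc6-fc0659480875:802-3-ethernet:ens3
lo:6c5d0f2e-0000-4000-8000-000000000001:loopback:lo
"""


def connection_for_device(nmcli_terse_output, device):
    """Return the NetworkManager connection NAME bound to `device`, or None."""
    for line in nmcli_terse_output.splitlines():
        if not line.strip():
            continue
        name, _uuid, _ctype, dev = line.split(":", 3)
        if dev == device:
            return name
    return None


def validate_static_config(address_cidr, gateway, dns):
    """Check a static IPv4 assignment before handing it to nmcli.

    Returns a list of problems; an empty list means the settings are consistent.
    """
    problems = []
    iface = ipaddress.IPv4Interface(address_cidr)
    net = iface.network
    gw = ipaddress.IPv4Address(gateway)
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gw} is not inside {net}")
    elif gw == iface.ip:
        problems.append("gateway equals the server address")
    for server in dns:
        ipaddress.IPv4Address(server)  # raises ValueError on a malformed entry
    return problems


def nmcli_static_commands(connection, address_cidr, gateway, dns):
    """Build the nmcli invocations from the post for a validated configuration."""
    problems = validate_static_config(address_cidr, gateway, dns)
    if problems:
        raise ValueError("; ".join(problems))
    base = f"nmcli connection modify {connection}"
    return [
        f"{base} ipv4.addresses {address_cidr}",
        f"{base} ipv4.gateway {gateway}",
        f"{base} ipv4.dns {','.join(dns)}",  # nmcli accepts a comma-separated list
        f"{base} ipv4.method manual",
        f"{base} connection.autoconnect yes",
    ]


if __name__ == "__main__":
    conn = connection_for_device(SAMPLE_NMCLI_TERSE, "ens3")
    for cmd in nmcli_static_commands(conn, "10.10.10.97/24", "10.10.10.1", ["10.10.10.10"]):
        print("sudo", cmd)
```

Run it on a real host by replacing SAMPLE_NMCLI_TERSE with the output of the nmcli command named in the comment; the printed commands are the same ones listed above, and a misconfiguration is reported before anything is changed.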
Make your router configure the IP
The router you use in your network (whether you purchased it or your ISP loaned it to you) most likely integrates a DHCP server that assigns IP addresses to connected devices as it sees fit. Your new VPN server is just one of the devices on the network to which the router has assigned an IP.
The problem is that the router cannot guarantee that each device will obtain the same IP again when it reconnects. The router will most likely try to assign the same address, but it can change it based on the number of connected devices or other variables we do not know (each manufacturer sets its own rules).
However, almost all routers nowadays have a web configuration interface where we can reserve an IP address for each specific device.
There is no universal interface for routers: each manufacturer has developed the one that, according to its marketing department, best suits its customers. You will need to look in the router settings for “Static IP” or “DHCP” and make sure that every time the PC or the router is restarted, the IP assigned to that particular computer stays the same.
Log in to the server
In addition to integrating a DHCP server, your router will in all likelihood also integrate a firewall. Normally this is great, because you never want anyone to break into your LAN. However, we need to configure the router to let connections through to our VPN server, or we won't be able to connect.
The best situation would be to obtain a static IP from your ISP. In Italy, static IPs have a cost on the bill (a few euros, actually), so you will more likely want to use a private but free service such as DynDNS (which can also be configured on Linux), or a service tied to the router (such as, but not only, the MyFritz service of the FRITZ!Box).
OpenVPN uses UDP port 1194 by default. You will need to configure port forwarding on your router to route incoming traffic on port 1194 to port 1194 of your VPN server. You can also change the external port as you like; you will need to remember this when trying to connect.
Ah, as before, there is no standard interface for all routers. Sometimes it is called “Port forwarding”, sometimes “Virtual server”, or (in some cases) “Qualifications” (or something else).