A VPN is a technology for a secure connection to a remote computer or network, and for most users, it's simply a safe way to use the Internet in public Wi-Fi zones: shopping malls, cafes, hotels, and airports.
In this article, we will look at four ways to create your own VPN with a secure protocol for organizing a safe connection.
Let's start with the simplest option, which is manageable even for novice PC users.

Preparation
For all four methods, we will need a virtual server (VPS or VDS).
To order one, go to VDSina and register. If the site doesn't open*, try this virtual browser, and within the 3 free minutes, just register there by entering your email. A password and a link to your personal account will be sent to this address, which should load without any problems. Log in to your account and order a standard server with 1 core and 2GB of RAM. For the operating system, choose Ubuntu 24.04 or Debian 12, and disable automatic backup:

After paying for the server, you will receive the necessary access data – the IP address and root password.
* the site's domain is not on any blacklists, but reports of loading issues are sometimes encountered
Method 1. Amnezia
The easiest and fastest way to set up a VPN yourself. Simply install the client program AmneziaVPN on your computer or phone, and the setup will be performed automatically on the first launch. Just start the application, select 'Self-hosted VPN', and then enter the connection details for your virtual server (IP address and root password). The program will install everything necessary on it, and you can start using your VPN immediately.
You can download AmneziaVPN from GitHub or from here. The application is available for all popular desktop and mobile operating systems, is completely free, and is open-source software.
It's worth noting that Amnezia supports various secure protocols: OpenVPN, WireGuard, IPsec, and others.
Method 2. Virtual server with a pre-installed VPN
Some hosting providers offer to install a ready-made VPN with a web interface for user management when you order a server. In our case, when ordering the server during the preparation stage (see above), this can be done for several VPN protocols, including the two most popular ones – OpenVPN and WireGuard:

After the server is activated, you need to log in to the VPN management web interface, create a new user, and download their configuration file with the connection settings.
Then, you just need to upload or import this file into any VPN client that supports the required protocol. The table below shows the most popular options:
VPN client | Protocol | Supported OS / Hardware |
 | OpenVPN | Windows, MacOS, Linux, Android, iOS, ChromeOS |
 | WireGuard | Windows, MacOS, Linux, Android, iOS, etc. |
Routers with a built-in VPN client | OpenVPN | Most modern routers, for example, Asus RT-AX53U, RT-AX55, RT-AC68U, RT-AC86U, TP-Link Archer AX55, AX72, AX73, AXE75, and many others |
Routers with a built-in VPN client | WireGuard | Some modern routers, for example, Asus RT-AX88U, TP-Link Archer BE900 |
Routers with alternative firmware (DD-WRT, OpenWrt, etc.) | OpenVPN | Most modern routers* |
Routers with alternative firmware (DD-WRT, OpenWrt, etc.) | WireGuard | Some modern routers* |
* before installing alternative firmware, check for compatibility and the availability of a VPN client on the firmware developer's website
More examples of router models with built-in VPN clients and their compatibility with OpenVPN, WireGuard, and also VLESS protocols can be found in a similar table in another VPN installation guide.
Method 3. Ready-made script
On GitHub, there are ready-made universal scripts for semi-automatic VPN setup. The installation wizard will ask a few questions, configure everything itself, and create a user configuration file for connecting to the VPN.
Among the most popular are a script for OpenVPN and one for WireGuard.
Method 4. Make a VPN yourself
The most labor-intensive option, where we will configure the VPN on a server with Ubuntu 24.04 ourselves. For the protocol, we'll choose the time-tested OpenVPN, which is supported by most modern routers.
Connect to the VPS as root, create a new user, and add them to sudo:
adduser user
usermod -aG sudo user
Then log in to the server as user and execute all further commands under their name.
Update the package lists and install OpenVPN and Easy-RSA (for managing certificates in a public key infrastructure):
sudo apt update -y
sudo apt install openvpn easy-rsa -y
In our user's folder, create a directory with a symbolic link and the necessary permissions:
mkdir ~/easy-rsa
ln -s /usr/share/easy-rsa/* ~/easy-rsa/
chmod 700 ~/easy-rsa
Create a configuration file for Easy-RSA and initialize the public key infrastructure (PKI):
cd ~/easy-rsa
echo -e 'set_var EASYRSA_ALGO ec\nset_var EASYRSA_DIGEST sha512' > vars
./easyrsa init-pki
Generate the certificate authority keys:
./easyrsa build-ca nopass
The system will ask you to enter a common name; you can just press Enter here.
Issue and sign a key-certificate pair for the server:
./easyrsa gen-req server nopass
./easyrsa sign-req server server
When executing the first command, you will be asked to specify the Common Name; just press Enter here. For the second command, you need to confirm the request by typing yes.
Copy the created files to the OpenVPN directory:
sudo cp ~/easy-rsa/pki/private/server.key /etc/openvpn/server
sudo cp ~/easy-rsa/pki/issued/server.crt /etc/openvpn/server
sudo cp ~/easy-rsa/pki/ca.crt /etc/openvpn/server
For additional protection, create a pre-shared key (PSK) that will be used with the tls-crypt directive:
sudo openvpn --genkey secret /etc/openvpn/server/ta.key
Issue and sign a key-certificate pair for the client client1:
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
In the first command, when prompted to specify the Common Name, press Enter. When executing the second command, confirm the request by typing yes.
Create a directory for client configs, copy the necessary files there, and set the appropriate permissions for them:
mkdir ~/openvpn-clients
chmod -R 700 ~/openvpn-clients
cp ~/easy-rsa/pki/private/client1.key ~/openvpn-clients/
cp ~/easy-rsa/pki/issued/client1.crt ~/openvpn-clients/
sudo cp /etc/openvpn/server/{ca.crt,ta.key} ~/openvpn-clients/
sudo chown user ~/openvpn-clients/*
Configure the OpenVPN config based on the default example. To do this, copy the template file server.conf to the working directory:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server/
Using any text editor, open the file server.conf for editing:
sudo vim /etc/openvpn/server/server.conf
In this file, you need to make the following changes:
replace
dh dh2048.pem
with
dh none
uncomment the line
push "redirect-gateway def1 bypass-dhcp"
uncomment the two lines with DNS servers:
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
By default, the addresses of public DNS servers from OpenDNS are specified here. I recommend replacing them immediately with DNS servers from CloudFlare (1.1.1.1, 1.0.0.1) or Google (8.8.8.8 and 8.8.4.4).
replace
tls-auth ta.key 0
with
tls-crypt ta.key
replace
cipher AES-256-CBC
with
cipher AES-256-GCM
and after this line, add another new one:
auth SHA256
add two lines at the end of the file:
user nobody
group nogroup
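The edits listed above can be checked before the service is started. The following Bash functions are an added example, not part of the original article: the names active_directives, check_server_conf and sample_conf are hypothetical, the sample config is constructed, and only the directives named in this section are checked.

```shell
#!/bin/bash
# Added example, not from the article: audit server.conf for the edits above.
# Print active directives only; the sample file disables lines with '#' or ';'.
active_directives() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^[#;]/d' -e '/^$/d' "$1"
}

# check_server_conf FILE: print one line per problem, return 1 if any was found.
check_server_conf() {
    local conf=$1 rc=0 kind regex label found
    while IFS='|' read -r kind regex label; do
        if active_directives "$conf" | grep -Eq "$regex"; then found=yes; else found=no; fi
        case "$kind:$found" in
            require:no) echo "MISSING: $label"; rc=1 ;;
            forbid:yes) echo "REMOVE:  $label"; rc=1 ;;
        esac
    done <<'RULES'
require|^dh[[:space:]]+none$|dh none
require|^tls-crypt[[:space:]]+ta\.key$|tls-crypt ta.key
forbid|^tls-auth[[:space:]]|tls-auth (replaced by tls-crypt)
require|^cipher[[:space:]]+AES-256-GCM$|cipher AES-256-GCM
forbid|^cipher[[:space:]]+AES-256-CBC|cipher AES-256-CBC
require|^auth[[:space:]]+SHA256$|auth SHA256
require|^push[[:space:]]+"redirect-gateway def1 bypass-dhcp"$|push "redirect-gateway def1 bypass-dhcp"
require|^push[[:space:]]+"dhcp-option DNS [0-9.]+"$|push "dhcp-option DNS ..."
require|^user[[:space:]]+nobody$|user nobody
require|^group[[:space:]]+nogroup$|group nogroup
RULES
    return "$rc"
}

# Constructed sample: tls-auth was left active and the DNS push lines are still commented.
sample_conf() {
    cat <<'EOF'
dh none
tls-auth ta.key 0
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
user nobody
group nogroup
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
check_server_conf "$tmp" || echo "server.conf still needs edits"
rm -f "$tmp"
```

Against the real file, run check_server_conf /etc/openvpn/server/server.conf (with sudo if the file is not readable by your user).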
To enable packet forwarding, uncomment (manually or using sed) the line net.ipv4.ip_forward=1 in /etc/sysctl.conf and apply the changes:
sudo sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
sudo sysctl -p
Now we need to configure forwarding and masquerading in iptables, but first, let's find the name of the public network interface on the server:
ip route list default
An example of the command's output is shown below; the name of the interface we need is displayed right after "dev":
default via 123.45.67.8 dev ens3 proto static onlink
Here the interface is called ens3, in your case it might be different.
Allow forwarding and enable masquerading in iptables. If necessary, replace the interface name (ens3) in three places with the correct one:
sudo apt install iptables-persistent -y
sudo iptables -A INPUT -i tun+ -j ACCEPT
sudo iptables -A FORWARD -i tun+ -j ACCEPT
sudo iptables -A FORWARD -i ens3 -o tun+ -j ACCEPT
sudo iptables -A FORWARD -i tun+ -o ens3 -j ACCEPT
# NAT only the VPN subnet from the sample server.conf (server 10.8.0.0 255.255.255.0)
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens3 -j MASQUERADE
sudo netfilter-persistent save
Add the OpenVPN service to startup and run it:
sudo systemctl enable openvpn-server@server.service
sudo systemctl start openvpn-server@server.service
You can check if the VPN is running with the command:
sudo systemctl status openvpn-server@server.service
All that's left is to create the .ovpn configuration file that the client will use to connect to the VPN.
The .ovpn file must contain the basic parameters, certificates, and keys. To avoid combining all this manually, let's write a small BASH script:
create_client_config.sh
#!/bin/bash
# Usage: create_client_config.sh <clientname>
# Before use, replace X.X.X.X in SERVER_IP with the IP address of your server
SERVER_IP=X.X.X.X
DIR=~/openvpn-clients
cat <(echo -e \
    "# Client OpenVPN config file"\
    "\nclient" \
    "\ndev tun" \
    "\nproto udp" \
    "\nremote $SERVER_IP 1194" \
    "\nresolv-retry infinite" \
    "\nnobind" \
    "\nuser nobody" \
    "\ngroup nogroup" \
    "\npersist-key" \
    "\npersist-tun" \
    "\nremote-cert-tls server" \
    "\nkey-direction 1" \
    "\ncipher AES-256-GCM" \
    "\nauth SHA256" \
    "\nverb 3" \
    ) \
    <(echo -e "\n<ca>") \
    "${DIR}/ca.crt" \
    <(echo -e "</ca>\n\n<cert>") \
    "${DIR}/${1}.crt" \
    <(echo -e "</cert>\n\n<key>") \
    "${DIR}/${1}.key" \
    <(echo -e "</key>\n\n<tls-crypt>") \
    "${DIR}/ta.key" \
    <(echo -e "</tls-crypt>") \
    > "${DIR}/${1}.ovpn"
In the script, replace X.X.X.X with the IP address of your server and make the file executable:
chmod +x create_client_config.sh
Create the .ovpn file for client1:
./create_client_config.sh client1
Done! In the ~/openvpn-clients folder, the client1.ovpn file has appeared. Download it and simply import it into any OpenVPN client or a router that supports this function.
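Because create_client_config.sh builds the profile with cat, a missing certificate or key file still yields an .ovpn file, only with an empty block, and the file holds the client's private key. The following check is an added example, not part of the original article: the function names block_lines, check_ovpn and sample_ovpn are hypothetical and the sample profile is constructed with placeholder contents.

```shell
#!/bin/bash
# Added example, not from the article: sanity-check a generated .ovpn profile.

# block_lines FILE TAG: count non-empty lines between <TAG> and </TAG>.
block_lines() {
    awk -v b="<$2>" -v e="</$2>" '
        $0 == b { inside = 1; next }
        $0 == e { inside = 0 }
        inside && NF { n++ }
        END { print n + 0 }' "$1"
}

# check_ovpn FILE: print one line per problem, return 1 if any was found.
check_ovpn() {
    local f=$1 rc=0 tag mode
    # cat skips a missing input file but still writes the rest, leaving an empty block.
    for tag in ca cert key tls-crypt; do
        if [ "$(block_lines "$f" "$tag")" -eq 0 ]; then
            echo "EMPTY: <$tag> block has no content"; rc=1
        fi
    done
    # remote-cert-tls server makes the client reject peers without a server certificate.
    if ! grep -Eq '^remote-cert-tls server[[:space:]]*$' "$f"; then
        echo "MISSING: remote-cert-tls server"; rc=1
    fi
    # The profile embeds the client's private key: only the owner should read it.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        [0-7]00) ;;
        *) echo "PERMS: mode $mode, expected owner-only (chmod 600)"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample: <cert> is empty, as when client1.crt was missing at build time.
sample_ovpn() {
    printf '%s\n' client 'remote-cert-tls server' \
        '<ca>' 'CA-PEM-PLACEHOLDER' '</ca>' '<cert>' '</cert>' \
        '<key>' 'KEY-PEM-PLACEHOLDER' '</key>' \
        '<tls-crypt>' 'STATIC-KEY-PLACEHOLDER' '</tls-crypt>'
}

tmp=$(mktemp) && sample_ovpn > "$tmp" && chmod 644 "$tmp"
check_ovpn "$tmp" || echo "profile is not ready to hand out"
rm -f "$tmp"
```

For the profile created above, run check_ovpn ~/openvpn-clients/client1.ovpn before downloading it.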