<--

Home VPN

Disclaimer: All content on this blog is intended for educational purposes only. Only you is liable for any consequences resulting from your use of this information. You should always respect laws of your country.

Intro

VPNs are primarily designed to create a secure and encrypted connection between your device and a remote server. This connection can be used to protect online privacy, hide your IP address and enhance security when connecting to the internet, especially on public Wi-Fi networks.

So let’s configure our own, home VPN server without a paid cloud. Pay once ;)

Hardware

Raspberry PI looks like a good option, since it’s a powerful mini-computer with all needed interfaces for the fair price.
The best option to buy it - order in China. I’ve used pi4B with 8Gb of RAM as an example, but you can choose simpler model without Ethernet/USB-A and with 2 Gb RAM - it should serve the needs of a couple users just fine.
I suggest to buy a complete set with the housing and a power unit, like this one.

Raspi configuration

Installing OS:

  • use Raspberry PI Imager and install latest available stable release of Ubuntu Server (Ubuntu server LTS 20.04) –> write the OS image on the micro-sd flash drive
  • don’t forget to specify your wi-fi and ssh password during the configuration. Alternatively, you can create custom configuration and put it to the boot directory on the SD card, check out this small tutorial.
  • mount the SD card into the Raspi and turn on power, then wait a couple of minutes - computer should be ready then

Set-up internet connection:

  • from the previous step, your Pi should automatically connect to the wifi after booting. The wpa_supplicant service is managing networks on the device. You can connect to the new wifi network, by creating new wpa_supplicant.conf file.
  • connect your Raspi to the router via RG45 (that’s better to use for user’s traffic, because of a large bandwidth), and setup dhcpclient:
    • sudo dhclient -v
    • then check that Ethernet interface appeared: ifconfig
    • create the cronjob with that command:
      • sudo crontab -e
      • @reboot dhclient -v

Connecting to Raspi:

  • get the Raspi IP by scanning your local network:
    • install nmap if you don’t have it
    • run: sudo nmap -sn –script banner 192.168.X.X/24
    • the output will show MAC Address of found devices with vendor name. You’re searching for anything related to Raspberry PI. In case you have a lot of Unknown vendors - you can just try to find vendor by MAC address using some service, like https://macvendors.com/
  • from the local network, just use ssh pi@<IP_ADDRESS> and then type previously specified password
  • move to the public key authentication instead of a password for ssh access:
    • generate password-protected ssh keys pair, if you don’t have it yet: ssh-keygen -o -a 64 -t ed25519 -f ~/.ssh/id_ed255194
    • log in to PI and add generated /.ssh/id_ed25519.pub to the /.ssh/authorized_keys
    • Turn off access by password:
      • go to /etc/ssh/sshd_config file and change the PasswordAuthentication to no
      • reload ssh service: sudo systemctl restart ssh
  • configure public access:
    • go to your router’s admin panel (usually sits on 192.168.0.1/192.168.0.0 or check your router box)
    • create port forwarding rule for 22 port (used by default for ssh)
    • apply new port forwarding rule
    • make sure that you have static IP at the place you want to mount Raspi
    • get your routers’ public IP by using some website, like https://www.whatsmyip.org/ - you can use either IP address itself, or DNS, if it exists
    • connect to mobile network to test connectivity
    • connect to PI: ssh ip@<PUBLIC_IP or DNS>
  • configure firewall on Raspi:
    • allow 22 port for ssh access sudo ufw allow 22/tcp
    • then enable ufw if it wasn’t and reboot the device:sudo reboot -h now
    • connect and check the status:sudo ufw status
  • configure “health monitor” shell session:

    • run tmux session and create 4 windows there to run different apps in each

    • run htop for resources consumption monitoring

    • run vcgencmd watch -c -b -d -n 1 – ‘vcgencmd measure_temp’ to control the temperature

    • install nethogs and run it sudo nethogs

    • follow the last n lines of the outline server in docker container: docker logs -f -n=100 <CONTAINER_ID>

    • your screen in the end will look smth like this:

VPN

The problem is that nowadays it’s pretty easy to sniff the traffic with dpi technologies, detect packets of the popular VPN protocols and block them.
The general solution is to built a proxy based on protocol like Shadowsocks, which is designed to be hard to detect, bypass firewalls and have traffic encryption.
Let’s consider two solutions proven to be reliable: outline and XRay (Vless).
Prefer Vless, if you have concerns about stability of outline in your region.

Outline

Outline is a set of applications developed by Jigsaw (a subsidiary of Alphabet Inc., which is also the parent company of Google) that allows to set up VPN servers.
Outline uses the Shadowsocks protocol for communication between the client and server. Traffic is encrypted with the IETF ChaCha20 stream cipher and authenticated with the IETF Poly1305 authenticator.
The main con is that it’s super easy to configure and use out of the box.

Setting up

Install docker: https://docs.docker.com/engine/install/ubuntu/.
Now, we need to use arm-based outline server image, I’ve used slightly outdated one, which could be found by this link. It just uses several binaries that compiled for the arm platform and appropriate node docker image. You just need to execute install shell script in order to run the server.
Allow outline-specific ports in ufw: 14393 - both tcp and udp, 60866 - tcp.
Configure port forwarding on the router, like you did previously for ssh: 14393 - both tcp and udp, 60866 - tcp.
Go to your desktop machine and run the Outline manager to generate access keys:

  • clone the repo that you used to run outline server
  • install node if you don’t have it, presumably via nvm
  • npm install in the root of the repo
  • npm run action server_manager/electron_app/start ${PLATFORM} where PLATFORM is linux/macos/windows
  • generate keys through the UI and share with others! Depending on platform you just need to install the outline client and you’re ready to go (mac/ios, android, win/linux)

XRay (Vless)

VLESS is a lightweight, stateless transport protocol primarily used for secure communication. It is part of Xray, a project that extends and enhances the capabilities of V2Ray. V2Ray can be compared with Shadowsocks protocol and can be called it’s successor (after the original Shadowsocks has been removed from the internet by the call from the government), rather than higher-level vpn/proxy solutions like Outline.
Xray supports VLESS, while V2Ray does not natively include it, making Xray the appropriate choice for this setup.
So, let’s configure XRay server and client.

XRay Server

Install XRay Server:

bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)"

Generate a client ID:
xray uuid
Create that user id for every unique vpn user.
Generate a self-signed certificate and key:

  • install openssl: sudo apt-get install openssl
  • generate certificate and key:
sudo openssl req -x509 -nodes -days 99999 -newkey rsa:2048 -keyout /etc/xray/key.key -out /etc/xray/cert.crt -subj "/CN=<ROUTER_PUBLIC_DNS>"

This creates a certificate valid for 99999 days (think of smaller number for real “prod” usage), stored at /etc/xray/cert.crt with the key at /etc/xray/key.key.
Create a config file at /usr/local/etc/xray/config.json:

{
  "inbounds": [
    {
      "listen": "0.0.0.0",
      "port": 4443, // or another free port
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": generated_id,
            "level": 0,
            "flow": "xtls-rprx-vision"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "certificates": [
            {
              "certificateFile": "/etc/xray/cert.crt",
              "keyFile": "/etc/xray/key.key"
            }
          ]
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "settings": {}
    }
  ]
}

Start the service: sudo systemctl start xray
Enable it to start on boot: sudo systemctl enable xray
Check the status: sudo systemctl status xray
Or check logs: journalctl -u xray

Don’t forget to setup port forwarding on your router, as we did before.
Ensure your firewall allows traffic on a selected port using ufw.

XRay Clients

Mac OS

Install xray client: brew install xray
Create a config file:

{
  "log": {
    "loglevel": "debug"
  },
  "inbounds": [
    {
      "port": 1080,
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
            "address": router_ipv4_address,
            "port": 4443,
            "users": [
              {
                "id": generated_id,
                "encryption": "none",
                "flow": "xtls-rprx-vision"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "serverName": server_name,
          "allowInsecure": true
        }
      }
    }
  ]
}

Here, serverName is the CN that you’ve used during certs generation.

Run the client:

xray -config /usr/local/etc/xray/config.json

Allow proxy in the network settings: go to wifi details –> set SOCKS as 127.0.0.1 and port 1080 –> toggle allow.

Mobile

Install v2rayNG from the store.
The simplest way to configure would be just to construct a link and paste into the app:

vless://<generated_id>@<router_public_dns>:<port>?security=tls&flow=xtls-rprx-vision&sni=<router_piblic_dns>&allowInsecure=1#<connection_name>

Where all the args could be taken from the previously created configs. The last one - just a connection name, use any name you want.

Enjoy!