Want to set up a DIY VPN server to gain online privacy and enhanced security? Learn how to set up a VPN, and why you might prefer paying for a market-leading VPN.
Whether you're using a VPN to stream Netflix on vacation, work securely on public WiFi, or prevent ISPs from tracking your web visits, the debate between using a commercial VPN and setting up a DIY VPN is ongoing. Many privacy enthusiasts tout the benefits of a roll-your-own VPN, but do they live up to the hype?
In this guide, we explain how to set up a DIY VPN to encrypt your data as it passes over local networks, access public WiFi safely, and shield your online activities from ISPs and government surveillance. If you do it right, you can even use a DIY VPN to change your IP address and access Netflix and other streaming services from abroad.
One advantage of a roll-your-own VPN is that you will get a dedicated IP. However, as we will explain later, this introduces some privacy caveats. Keep reading to learn how to set up your own VPN, and to understand the complexities of DIY VPNs.
What is a DIY VPN?
A DIY VPN is a self-configured VPN server that provides exclusive access to you and anyone you choose to share it with. You could set up a DIY VPN server in your home to access your home IP address while abroad, bypass blocks at work, and use public WiFi safely.
Alternatively, if you want to be able to access websites and services unavailable in your home country, you could set up a DIY VPN on a server you rent abroad. This remote DIY VPN provides similar privacy benefits as a VPN setup in your own home, while also giving you the ability to spoof your location.
Of course, setting up your own VPN is going to be much trickier than renting access via a commercial VPN. A poorly configured VPN could also provide a false sense of security or be vulnerable to attacks. This alone may be enough of a reason to put most people off a DIY VPN.
Comparing DIY VPNs to consumer VPNs
At its core, a DIY VPN offers similar functionality to the VPN services provided by companies like NordVPN or Surfshark. However, a DIY VPN typically restricts you to a single location, unlike consumer VPNs, which offer a global network of servers for you to use.
A key difference is the lack of a custom VPN application in DIY setups. Features such as a kill switch, DNS leak protection, and split tunneling – industry standards in consumer VPNs – are much more difficult to set up on a DIY VPN. Plus, consumer VPNs boast cross-platform apps – ensuring easy connections across all your devices – a convenience you might miss when implementing a DIY solution.
Despite these differences, a DIY VPN can be a cost-effective solution. If your needs are limited to secure public WiFi access or streaming your home Netflix while traveling, a DIY VPN server setup in your home could be the right choice.
However, although tech enthusiasts may find the process of setting up and maintaining a DIY VPN rewarding, most people will find it to be an inconvenience that leads to more problems than it solves.
It is also important to reiterate that when you set up your own VPN, you will only have one server location. Renting a server to host a VPN also costs more than subscribing to a VPN like Surfshark which lets you connect to servers in 100+ countries.
Setting up a DIY VPN: Getting started
If you are prepared for the challenge of setting up your own VPN, we have got you covered. In this section, we will look at what you need and how to set up a DIY VPN. We will cover both a simple home setup and a DIY VPN configured on a rented server.
Choosing the right hardware and software for your DIY VPN
Creating your DIY VPN solution is going to start with making some important choices. First, you must decide whether you want to host the VPN in your own home (or perhaps your workplace if you own a small business) or in a remote location (including abroad if you want to access regional services).
Once you have made that decision, you are ready to move on and choose suitable hardware and software for the task. Remember, the choices you make at this stage will determine your VPN's performance, reliability, security, and what it can be used for. So it is worth reading this entire article to understand the benefits (or drawbacks) of each option before proceeding.
Home VPN setup – hardware options
If you have decided to opt for the cheapest option available, you have probably decided to set up a DIY VPN at home. While this is a cost-effective solution, it does have some privacy and security drawbacks, which we will discuss later in this guide. For now, here are the hardware options for a home-based DIY VPN:
- An old computer. If you have an old laptop or desktop computer lying around gathering dust, a DIY VPN project might be just the ticket. Old computers often have more than enough power to run a VPN server and it’s a great way to put your old machine to use.
- Raspberry Pi. This simple but effective solution can allow you to set up your own VPN at home for as little as $60 (for the latest Raspberry Pi 5 with 4GB of RAM). If you want a bit more power for your home VPN server, you may prefer to opt for the slightly more expensive $80 version with 8GB of RAM.
- A dedicated machine: If you don’t have an old computer and don’t like the idea of a low-powered Rasberry Pi, then you may decide to purchase a dedicated machine. You could buy a desktop PC or laptop (new or second-hand) to do the job. Alternatively, you could host your VPN server on a network-attached storage (NAS) device.
Each of these options has distinct advantages and disadvantages. Some are cheaper, but ultimately give you less processing power to run your VPN. This could negatively affect your connection speeds when using the VPN to stream, for example.
Remote VPN setup – hardware options
If one of your primary motivations for setting up a DIY VPN is to spoof your IP address to a remote location, then you will need to rent a server located in the country where you want to get an IP address. This kind of remote IP address will allow you to access geo-restricted content and services located in that country.
When it comes to renting a server, there are many different options available, so you will need to do some research to find a server in the location you require. We recommend that during your research you consider things like bandwidth allowance, costs, uptime guarantees, and the provider's reputation.
To help you out, we have included some popular options below:
- DigitalOcean: DigitalOcean offers a range of cloud server options, including Droplets (small servers) that are perfect for individuals. Its transparent pricing means you can rent a server and set up your VPN easily, but it is important to keep a check on how much data you are running through the server, because (as with all of these providers) it will charge you for overages. It has guides for setting up WireGuard. You can get started with a Droplet for just US$4 per month. This gives you access to a server with 512 MB RAM, 1 vCPU, 10 GB SSD storage, and 500 GB transfer.
- Amazon Web Services (AWS): AWS is probably the most well-known server solution used by businesses and individuals worldwide. Its Lightsail service is designed to be easier to use and manage, which makes it a great choice for individuals. You can get started with Lightsail for just US$3.50 per month. This includes 512 MB RAM, 2 vCPU, 20 GB SSD storage, and 1 TB transfer
- Akamai: This service recently changed its name from Linode (and many of its plans are still called Linode plans). It offers high-performance virtual private servers (VPS) at an affordable rate. The standard plan starts at US$5 per month and comes with 1 GB RAM, 1 vCPU, 25 GB SSD storage, and 1 TB transfer.
- Vultr: Vultr lets you pick from server locations in 32+ different countries, and the servers start at just $2.50 per month, one of the best price points we could find. This plan will get you an SSD server with 500 MB of RAM, 1 vCPU, 10 GB of storage, and 500 GB of monthly data transfers. It even has a one-click WireGuard server deploy feature that preconfigures the VPN for you and provides client configs ready to go. This means beginners can get started without needing to know anything technical. However, this will increase the minimum cost of a server to US$5 per month.
- Hetzner Cloud: This is a German cloud provider that rents servers in the EU (Germany or Finland) and America. It has excellent guides for setting up an OpenVPN Access server that you can access from your desktop computer or mobile devices. A Hetzner plan starts at around US$4.08. This includes 2 GB RAM, 1 vCPU, 20 GB SSD storage, and 20 TB traffic. US IP addresses are available for the slightly higher price of $4.69 per month.
Choosing your VPN protocol: Open-source options
To set up a DIY VPN that is secure and reliable, we recommend you stick to one of the two open-source VPN protocols listed below. They come with reliable open-source clients that you can use to connect to your VPN on both desktop machines and mobile devices.
- OpenVPN: This is the most well-known and trusted VPN protocol currently in use by individuals and consumer-facing VPNs. The protocol has been subjected to numerous audits and has been proven to offer robust connections with decent speeds and high levels of data security using AES-256 encryption. OpenVPN is a fantastic option for people who want a VPN that is compatible with many different network types.
- WireGuard: This VPN protocol is newer compared to OpenVPN. It’s much faster and leaner than OpenVPN without sacrificing security. It uses ChaCha20 encryption by default and allows you to connect via Windows, macOS, iOS, Android, and Linux thanks to the official WireGuard clients.
These protocols are also extremely well documented, and there is a huge amount of help online, which means you can easily seek community support. However, it is important to note that whether you are setting up a WireGuard or OpenVPN server at home or on a rented server, you will require fairly high levels of technical know-how.
Setting up a VPN server: A step-by-step guide
In this section, we will explain how to set up a DIY VPN server at home. If you have decided to set up a VPN server on a rented server, the setup process may be slightly different and we recommend that you check any documentation provided by your server hosting company.
Each cloud computing service may have some underlying setup differences, though the process of setting up the VPN server will remain the same.
How to set up a DIY VPN server at home:
1. Pick a machine that you will use to host your VPN
We provided details about your options earlier in this guide.
2. Install an operating system onto your chosen hardware
You can choose between various operating systems:
- Windows (regular home edition).
- macOS (regular home editions).
- Linux (regular distros like Ubuntu. Debian, Fedora, CentOS, and Rocky).
- Windows Server (typically used in more professional or enterprise settings. For a home VPN server, regular Windows is fine)
- Linux server distributions (Ubuntu Server, Debian server, Fedora server, CentOS). These server versions of Linux distros are usually used in enterprise settings so a regular version of Linux will be fine for an at-home DIY VPN setup.
- NAS-specific OS like TrueNAS CORE (previously known as FreeNAS).
If you are setting up your VPN on an old Windows computer, you will be fine installing the VPN on the native Operating System. This will make things easier as it will not require you to get used to a different version of Windows. If you are using a Raspberry Pi, you will also be fine sticking with the regular Linux distro already installed on your device.
If you have purchased or already own A NAS drive, you may not need to install TrueNAS CORE. Many NAS drives come pre-installed with a native VPN server client that you will be able to use to connect to the VPN.
3. Install the VPN server software for your operating system
Next, install the VPN server software onto your chosen operating system. This involves downloading the software package and following the setup wizard (for Windows) or entering the installation commands into the CLI terminal (for Linux-based systems).
You can find the software for a WireGuard server or an OpenVPN server by following the links. OpenVPN Access Server for Linux is slightly different and is available here.
If you set up a DIY VPN on a VPS provided by DigitalOcean, Linode, or some other provider, you may need an SSH Client. On Windows, we recommend PuTTy, which is easier to configure and is available here.
The official WireGuard and OpenVPN apps allow the software to function as both the server and the client, depending on how you configure it.
When you install the OpenVPN client for Windows, you must select manual installation to ensure you install all the components needed for it to act as a server. Once these are selected you can go ahead and install the OpenVPN software onto the machine you have selected to be your server.
Below, we have included the steps needed to install VPN server software for OpenVPN and WireGuard:
OpenVPN installation and configuration:
- Download OpenVPN from the official website and install it. During installation on Windows, choose 'Custom Installation' and ensure that 'OpenVPN Service', 'OpenSSL Utilities', and ‘easy-rsa’ are selected. If easy-rsa is not included in your version of OpenVPN, then you may need to download it separately.
- Generate cryptographic keys and certificates using OpenVPN's easy-rsa package to ensure secure communication. The easy-rsa package usually comes bundled with the OpenVPN program. To run easy-rsa on Windows, open Command Prompt and change directory (cd) to \Program Files\OpenVPN\easy-rsa. You can find a walkthrough for setting up the VPN, with all the code and commands for various operating systems here.
- Next, configure the server.conf file located in the OpenVPN directory. This file dictates server settings, such as port number and client network configurations. Start by editing ca, cert, key, and dh parameters to point to the files you generated using the easy-rsa package. At this point the server configuration file is usable. However, you may want to make additional changes depending on your setup (options include setting up ethernet bridging or switching from UDP to TCP, for example).
- Finally, edit the client configuration file client.ovpn. Edit the ca, cert, and key parameters to point to the files you generated earlier using easy-rsa. Each client should have its own cert/key pair.
After completing the installation of the VPN server software, proceed to install the OpenVPN client software on the devices you wish to use to connect to your VPN. You can download the OpenVPN Connect client for various operating systems from the official OpenVPN website.
You will need to add the .ovpn config file you created to the client to connect to your DIY VPN. This will require you to transfer files because you need server files to be located on the server and client files to be moved to their respective clients.
Bear in mind that easy-rsa generates several files including client.crt, client.key, ca.crt, dh.pem, pfs.key, and ca.key. For enhanced security, we recommend generating these on a separate device if possible. Many people opt to do it on the server for convenience, but this isn't optimal.
Whether you generate the files on the server or a third-party machine, you will need to transfer some files. For instance, you'll need to use an FTP or SFTP client, or a secure cloud storage platform to transfer files from the cloud server.
The process of transferring the certificate and key to the client is necessary each time a new user is added. For security reasons, you should remove the ca.key from the server once all the necessary certificates have been generated. Store this key securely (preferably offline) where it can be retrieved at a later date if you need to temporarily re-add it to the server to add another user.
Please note that this is a basic overview of how to set up OpenVPN. Use the links for details on how to complete each of the steps mentioned on various operating systems.
WireGuard installation and configuration:
- Download WireGuard from the official WireGuard website.
- Install WireGuard using the installer. There are no separate components to select during installation; the WireGuard app includes both client and server functionalities.
- Configure WireGuard by editing the wg0 file located in the WireGuard directory. This file should include your server's private key and the public keys of the clients.
- Generate key pairs for each device that you want to connect to your VPN. Get the public key for each device that you want to connect to your VPN and add each of them to the server's configuration. Remember to never share private keys.
- Set up the network interface and assign IP addresses for each client in the configuration file. To do this you will need to specify a range of IP addresses that your VPN server can assign to connecting clients. Once this range is set, the WireGuard software will be able to assign IP addresses dynamically.
This is a basic overview of the process required to set up WireGuard. For additional information please navigate to the WireGuard Quick Start guide.
4. Set up firewall and port forwarding
For your VPN to work, you will need to change your firewall settings to allow inbound connections:
- Locate the "Firewall", or "Security" section.
- Look for an option to create a new inbound rule or configure firewall settings. You may want to use PuTTy or a terminal to modify iptables.
- Create a new rule to allow inbound connections on the port used by your VPN protocol (TCP/UDP port 1194 for OpenVPN or 5120 for WireGuard). You will need to specify the protocol (TCP or UDP) and the port number. WireGuard uses UDP exclusively.
- Save the changes to apply the new firewall rule.
If your VPN server is behind a router and/or NAT, then you need to set up port forwarding:
- Navigate to "Port Forwarding" or "NAT" (Network Address Translation) in your router settings.
- Choose to create a new port forwarding rule.
- Specify the port range or single port used by your VPN server (defaults are: 1194 for OpenVPN and 5120 for WireGuard).
- Enter the local IP address of your server (this will be the internal IP address assigned to the computer, Raspberry Pi, or NAS device you are using as a server on your local network).
- Choose the protocol (TCP/UDP) for the port forwarding rule and save the changes.
Once you've completed these steps, your router will be configured to allow incoming VPN connections to reach your server. This will allow you to connect to your VPN server securely from external networks.
Please note that in some countries such as China, Iran, and the UAE, ISPs may be blocking ports that are commonly associated with VPNs. If you experience port blocking by your ISP, you may need to configure your VPN server to use alternative ports rather than the default ones used by WireGuard and OpenVPN.
5. Test the connection
Now that your VPN server and clients are set up, you should attempt to connect. If you did everything correctly, the app should connect and you should gain access to the remote IP address (you can check that your IP is correctly updating using a leak test tool).
Remember that this guide is a general overview. You can find in-depth instructions, including the commands needed to install an OpenVPN or WireGuard, by following the links provided in the relevant steps.
When you set up a DIY VPN server, it is your job as the administrator to ensure it is set up securely. This can be quite technical, but it is a hugely important part of the process of setting up a secure DIY VPN.
With this in mind, it is important to carefully consider and implement appropriate security measures, including robust authentication methods (username/password and certificates).
You could also configure firewall rules to restrict access to trusted devices or networks, but this will only work if you intend always to connect to your VPN from known networks, and will not be possible if you intend to use your VPN to gain privacy when connecting to public WiFi networks.
We also recommend regularly updating your VPN software and router firmware to patch any potential security vulnerabilities. Monitoring VPN traffic can also help you to identify and mitigate any potential security threats.
Is a DIY VPN more secure than a consumer-facing VPN?
This is a largely debated topic, and it is a highly nuanced subject. Some people claim that despite having no-logging policies, it is unwise to trust commercial VPNs. These individuals often throw around accusations – claiming that VPNs are harvesting user data in secret. Although this is often true about dodgy free VPNs, it is not true about reputable no-logs VPNs like the ones recommended in our guides.
Even if you want to play devil’s advocate and decide to take the detractor’s arguments seriously, when you set up a DIY VPN on a rented server, you have no physical control over the hardware. You have no way to know whether the server company is snooping on your activities. As a result, all you are doing is transferring your trust from a VPN company to a server hosting company. Why trust one more than the other?
Potential for error
If you set up your DIY VPN server at home, you will have full control over the server and will have eliminated the need to trust any third parties. However, setting up a VPN server is an in-depth and technical process. Ultimately, you could make a mistake and create an unwanted vulnerability that makes your VPN insecure.
If you have the technical ability to set up a VPN, you are free to do so. However, it is important to be cognizant of all the potential risks involved. For most people, the solution provided by a reputable consumer VPN is an easier and more reliable way to get access to VPN servers worldwide, at a similar if not cheaper cost than renting a VPS.
Shared dynamic IPs
When you use a trusted consumer-facing VPN like NordVPN, Surfshark, or ExpressVPN, you are connecting to shared IPs (unless you rent a dedicated IP). In this kind of setup, your data is mixed with that of dozens if not hundreds of other users. This helps to provide additional privacy for your activities by making it harder to monitor your traffic in real-time. IPs are also dynamic, so you can get a different one each session.
When you use a DIY VPN, you may be the only person connecting to that VPN server, and you are the only person using the IP address associated with your VPN. Furthermore, it wouldn’t take much digging to figure out who the VPN server’s administrator is. This makes it much easier to link activities performed through the VPN back to you. This kind of attack is not possible when using a no-log VPN, which means you get higher levels of privacy when using a secure, consumer-facing VPN.
What are the downsides of setting up a DIY VPN using a VPS?
Although the starting price for rented servers is as low as US$2.50 to US$5 per month, your data allowance is capped, and overages can be costly. You’ll need to monitor how much you’re using your VPN. If you go over your data allowance, then you will be charged overages.
If you are the only person using the VPN, this may not be an issue. However, if you open your VPN up to family members and friends, you could soon find yourself with a larger bill. These hidden charges won’t occur when using a reliable consumer VPN, because they allow you to use their VPN servers on an unlimited basis.
Consumer-facing VPNs also offer access to servers optimized for activities like streaming and torrenting. These servers have a huge amount of bandwidth to ensure that your internet speed is not negatively affected. Unfortunately, this is not the case with a cheap VPS.
Many people on Reddit complain that servers rented from AWS Lightsail and other providers (even when using the speedy WireGuard protocol) are inconsistent and slow. According to Redditors, in some instances, users can expect a burst speed of up to 5 Gbps as little as 3% of the time, with a baseline of just 0.063 Gbps around 90% of the time. This is likely to be caused by the lack of RAM and CPU that is allocated to micro server instances rather than bandwidth, which explains why so many people are having issues with their VPN.
Unfortunately, this means that you may need to upgrade from a basic server plan to something more substantial, which will almost certainly raise your costs beyond what you pay for a commercial VPN service.
DIY VPN FAQs
How hard is it to set up a DIY VPN?
Unfortunately, setting up a DIY VPN is a lengthy and technically challenging process. This makes it hard for the average home user to create their own VPN.
The good news is that some VPS companies, such as Vultr, have implemented VPS servers with a one-click WireGuard setup. This removes the need for users to know anything technical and provides a way for the average Joe to set up their own VPN if they want to.
This type of solution aside, however, it seems fair to point out that setting up a DIY VPN is not going to be suitable for the vast majority of people. This is why we generally recommend that most home internet users stick to using a reputable commercial VPN.
Can I use a DIY VPN for streaming services like Netflix?
In theory, you should be able to use a DIY VPN to connect to your Netflix account and stream it on vacation. If you set up a VPN at home, you will be able to access your home IP address to watch your usual catalog, and if you set up a DIY VPN using a rented server in a remote location you should be able to watch the Netflix library for that specific region (such as the US).
However, it is important to remember that Netflix is actively engaged in blocking IPs associated with VPNs and potentially also IP address ranges controlled by VPS companies. This means that your DIY VPN might not work as well as a commercial VPN that has streaming-optimized servers for Netflix.
What are the cost differences between a DIY VPN compared to a commercial VPN?
Renting a VPS server will cost you between US$2.50 and US$5 per month for a basic server that you can use to set up a DIY VPN. Setting up a VPN server at home that you can connect to remotely will cost you nothing, other than the hardware it runs on and your internet subscription.
A reputable commercial VPN with servers in up to 100 different countries (including servers in around 20 different US cities) can cost as little as US$2 per month. This makes a commercial VPN a much more versatile and cost-effective solution for most people.
How does a DIY VPN impact internet speeds and reliability?
Many people who set up a DIY VPN complain that it is slow and inconsistent. They often have problems using their VPN for data-intensive activities such as gaming, HD streaming, and torrenting. Ultimately, this tends to lead them back to commercial VPNs with super-fast servers.
Post a Comment Community Rules
You need to login in order to post a comment
Not a member yet? Register Now