Build your OWN WireGuard VPN! Here's how

Captions
I'm headed to the UK, and I need a VPN so I can access my home network and NAS on the go. VPN stands for virtual private network, and VPNs are used for a lot of different reasons. Companies have VPNs that let employees work from home but using office systems. VPNs also encrypt traffic to protect your data when you're on public Wi-Fi, and some VPNs allow you to choose a region to access content that might be region locked. But for me today, I can't rely on that. I need my own VPN.

This video is going to show you how to build your own private VPN for your home. It doesn't take much. I built mine using the Raspberry Pi, and the only other thing you need is an internet connection. And you don't even need a Raspberry Pi: you can run a VPN on a used mini PC like this one that I bought used for a hundred bucks. This thing would run the VPN even faster than the Pi.

Of course, speed also depends a lot on your internet. I have Spectrum gigabit, but that gigabit only refers to download speed. Upload speed, which matters a lot more here, is stuck at 35 megabits. But I can live with that; I just have to stop over downloading, at least when I'm on my VPN.

But you also need a public IP address. It doesn't have to be static, meaning it stays the same forever, but it does have to be public. If you have 4G or 5G internet, your ISP might be using something called CGNAT. If they do, you can't run a private VPN, but there are options; I'll get to those later.

But how do you know if you have a public IP address? Well, visit icanhazip.com and copy out the IP address it gives you. Then open Terminal or PowerShell and run traceroute, then your IP address. Oh, and on Windows, traceroute is actually spelled tracert for some reason. If it just shows one line like this, then you're good to go. If it shows more than one line, then you're stuck behind CGNAT.

I do have an IP address and I have this little Raspberry Pi. By the end of this video, I'll be able to access my home network the whole time I'm in the UK, and best of all, I won't use any
cloud services to do it.

And that awkwardly leads me to this video's sponsor, Surfshark. It's ironic, because this whole video is about making your own VPN, right? Why would Surfshark, a cloud VPN provider, sponsor this? Well, I still use Surfshark in addition to my home VPN, because sometimes I need a different kind of VPN. Sometimes I just want an encrypted connection for when I'm on public Wi-Fi, or I want to be able to watch one of my favorite shows that are region locked in the US while I'm over in the UK. Surfshark solves both problems, and they have a way faster internet connection than I do. They also have tons of servers around the world and even some cool features like static IP addresses, and even an add-on called Dedicated IP that makes it easier to use Surfshark even through other secure VPNs. VPN Inception. I'd love it. And to top it all off, guess what protocol they use by default? WireGuard, just like we're going to set up in a few minutes. Sign up using my link below, or just use the code Redshirt Jeff, and you can get an extra three months free. Plus they have a 30-day money-back guarantee, so there's nothing to lose if you try it out.

So what's the quickest way to build your own secure private VPN at home? PiVPN. On the website it says it's the simplest and fastest way to install and set up an extremely secure OpenVPN or WireGuard server on your Raspberry Pi. And you don't have to have a Pi; you can even install it on a VPS or most any computer running Debian.

So let's get started. I already flashed Raspberry Pi OS to this microSD card with Raspberry Pi's Imager, and when I did that I also set the hostname to pivpn.local and set up a pi user and password. I also recommend using an SSH key, but you don't have to. So I put the card in my Pi and plugged it into my network. After it booted up, I connected with SSH. You could also do the setup with a keyboard and mouse, but I don't even have my Pi plugged into a monitor, so that wouldn't be very easy here. Your PiVPN computer should
have a static IP address on your home network too, and you can do that on your home router, or you can set an IP address during the PiVPN setup process. I did it on my router because that's how I manage my other home lab servers. And this is entirely optional, but since I bought a domain name that I use for all my home lab servers, I actually changed the local hostname for my PiVPN to pivpn.gear elite.net.

So now that I have a persistent internal IP address and the hostname, I can log into the Pi and run the PiVPN installer. I just ran the script from their website and followed the guided installer. When I was prompted to pick a VPN option, I chose WireGuard, since it's a lot newer than OpenVPN and slightly faster on my Pi. I kept the default port, and since I run Pi-hole on my network and use it for my home DNS, I chose the custom option for DNS provider and I input the IP address of the server running Pi-hole. If you don't run Pi-hole, you could use something like Cloudflare DNS instead.

For the DNS or IP option, I chose to assign a public DNS name to my VPN server for one of the domains I own. Now, I won't tell you exactly what that domain is, because last time I did that some idiots started DDoSing my home internet until my ISP threatened to cut me off. I made a whole video about that. So yeah, not going to do that again. But to make that custom domain work, I added a DNS A record for my home's public IP address to my domain settings. I usually grab my home IP address by running curl icanhazip.com. You can also visit that domain in your browser.

To make sure the traffic gets through to PiVPN, you have to enable port forwarding on your router. On mine, this is what that looks like, and I set up the external UDP port 51820 to point to the internal static IP address I set up for my PiVPN. Now traffic from the public internet can route through the Pi to PiVPN.

Now at this point, if all this talk about UDP, routers, and static IPs has your head spinning, I have to give a bit of a warning:
security is a huge concern here. Don't set up a VPN if you don't know what you're doing. First, if someone gets access through the VPN to your home network, they could hack into anything in your house. Along that theme, another way people can break in is if you don't have your software up to date. PiVPN helpfully offers to set up automated updates on your computer, but I recommend even more security hardening, especially since this computer is exposed to the internet. For me, that means running my Ansible security playbook. I have a whole video in my Ansible 101 series where I talk about the first five, the first steps you should take securing any Linux server. Go check it out by clicking the link right up there.

After PiVPN finishes setting things up, it recommends rebooting, so go ahead and do that now. Now you have a running VPN but no way to connect to it. You need to create a new client profile for each device you want to connect. Log back into the PiVPN computer and run the command pivpn add. It'll ask you for a name, and for me, I usually set a name like username, device type, and network identifier, so in this case jgeerling-macbook-home. Doing that lets me remember exactly what client I'm looking at.

After it generates the config file, you need to copy it to your computer. I usually use SCP, or secure copy, like this, but you could also use SFTP or just cat out the file and then copy the contents into a file on your computer. Now, I have a Mac, but the process is pretty much the same on anything. I installed WireGuard from the Mac App Store and opened it. Inside, click "Import tunnel from file" and choose the config file you just copied over.

Now comes the moment of truth. To make sure the VPN actually works, you should test it on an external network. You could tether your mobile phone, but since I was with my dad filming a Geerling Engineering video today, I hopped on his Wi-Fi. I went into the terminal to check if I can ping one of the computers on my home network, and I can't, of course,
because I'm on his network. If I turn on the VPN connection, though, I should be back on my home network, but this time from the radio station. And if I ping that computer again, there it is. Now I have my own completely private VPN.

The next thing I wanted to do was see how fast it was. There are limitations here, from my dad's Wi-Fi speed to Spectrum's slow upload speeds, but it's helpful to know. So while I was connected, I ran some speed tests, and I got speeds anywhere from 5 to 20 megabits. Then when I came home, I ran a speed test and got over 500 megabits just on the home connection. So to test the theoretical limits, I connected through the VPN while I was on my home connection and got speeds from 30 to 200 megabits. So my slow upload bandwidth really slows things down, plus there's a little overhead from the tiny Raspberry Pi encrypting the connection. But it works for what I need.

The other main thing I want to do is use Home Assistant on my phone without relying on any cloud services. So to do that, the first step is installing WireGuard on my phone. There are apps for Android and iOS, and after I install it, I can add a new connection using a QR code. To generate one of those, let's head back over to PiVPN. First, create another client for your phone; I called mine jgeerling-iphone-home. Then run pivpn -qr to display a QR code right in the terminal. Point your phone's camera at the terminal window and there it is. Just name it the same as you typed in PiVPN, and then go ahead and test the connection. Disconnect from your home Wi-Fi if you're connected, then activate the WireGuard connection. Visit icanhazip.com in your browser and it should show your home's IP address. This is great. Now I can make sure Redshirt Jeff's not in the workshop starting a fire or blowing anything up.

Now, VPNs aren't always simple. If you have any issues, the first thing to do is run pivpn -d. This runs some self-tests and displays a ton of debug information. If everything checks out okay, it could be
you have DNS issues. It's almost always DNS, and that's why I have a shirt for that over on redshirtjeff.com. Another handy command is pivpn -c. That shows a list of all clients and their last connection times with data transfer stats. And it's a good idea to back up your VPN configuration in case your little VPN computer ever dies. Run pivpn backup to generate a backup tarball inside the home directory, then copy that off to a safe place. Restoring is as simple as copying all the files from that tarball back to a fresh install of PiVPN.

You might be wondering what to do if your home doesn't have a static IP address. Well, me too. I mean, I have a pretty stable IP address, but it does change every few months. If your public IP address changes, you have to make sure that DNS A record you set up for your VPN is also updated in your domain registrar account, and that's not always easy to automate. The best way to deal with dynamic DNS, or DDNS, is to use a service like DynDNS or No-IP, but to do that you have to run something on your router or a computer on your home network that periodically updates their server with your home IP.

In my case, since I'm a little overcautious, I publish my IP address to a private VPS I run on DigitalOcean. Then if my VPN connection fails, I just log into that server and grab the updated IP address. Then I put it in my domain settings. I have a custom shell script that looks a little like what you see on the screen, and I have it run on a cron job on my PiVPN. I could probably make it better, though. I could make it so it detects when the IP address changes, and if it does, I could have it send me a Slack, Telegram, a WhatsApp, a Signal, an email, a Discord, a Skype, or whatever chat app is in style these days. But I'm a simple man, so I don't.

Now at this point you might have what you need and be on your merry way, but there are two different use cases PiVPN can't cover. First, what do you do if you're stuck behind CGNAT, like I mentioned at the beginning of this video, and
PiVPN doesn't work? And second, what if you don't need access to your home network, but you just want some of the protections a VPN has to offer, like encrypting traffic on public Wi-Fi or bypassing geographical content restrictions?

First, I'll cover CGNAT. Unfortunately, if you have CGNAT, you can't really run a private self-hosted VPN, since you don't have a direct gateway to the public internet. You could call your ISP and see if there's any way to get a public IP address, but don't get your hopes up. Sometimes it's impossible, like with Starlink, and other times you have to upgrade to a business plan, which could cost a lot of money. Otherwise, you could use a service like Tailscale, Cloudflare Tunnel, or Twingate. It does mean you're dependent on a cloud service to access your home network, but I've used all three and I think they're pretty good.

But maybe you don't need a private home VPN at all. If you just want a little extra security on public Wi-Fi, or if you just want to bypass content restrictions, there are a bunch of decent and affordable VPN providers, and the one I use is Surfshark, and not just because they're sponsoring this video. I've been using them for a while now, and if you want to try them out, make sure you use the link in the description. Until next time, I'm Jeff Geerling.
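
The change detection that the video says the cron script could gain, sketched here as an added example (this is not the script shown on screen in the video, and not PiVPN code). The state-file path, function names and log tag are assumptions; the script validates the icanhazip.com reply before storing it and logs only when the address differs from the last run.

```sh
#!/bin/sh
# Added example: cron-driven check for a changed home public IP.
# STATE_FILE, is_ipv4, record_ip and the log tag are assumed names.
STATE_FILE="${STATE_FILE:-$HOME/.pivpn-public-ip}"

# The lookup service's reply is untrusted input: accept only a dotted-quad
# IPv4 address so an error page or injected text never reaches disk or logs.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1            # split on dots into $1..$n (function-local)
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Compare a freshly observed address with the last one recorded in a file.
# Prints "initial <ip>", "unchanged" or "changed <old> <new>"; on invalid
# input prints "invalid", returns 2 and leaves the file untouched.
record_ip() {
  new_ip=$1; state=$2; old_ip=""
  is_ipv4 "$new_ip" || { echo "invalid"; return 2; }
  if [ -f "$state" ]; then old_ip=$(cat "$state"); fi
  if [ "$new_ip" = "$old_ip" ]; then echo "unchanged"; return 0; fi
  printf '%s\n' "$new_ip" > "$state"
  if [ -z "$old_ip" ]; then
    echo "initial $new_ip"
  else
    echo "changed $old_ip $new_ip"
  fi
}

# Cron entry point: fetch over HTTPS with a timeout, log only on change.
main() {
  ip=$(curl -4 -fsS --max-time 10 https://icanhazip.com) || return 1
  result=$(record_ip "$ip" "$STATE_FILE") || return 1
  case "$result" in
    changed*) logger -t pivpn-ddns "public IP $result: update the DNS A record" ;;
  esac
}

# Run only on request so the functions can be sourced and tested offline.
if [ "${1:-}" = "--run" ]; then main; fi
```

From cron, call the script with the --run argument; the addresses used to exercise it offline should come from the documentation ranges (203.0.113.0/24, 198.51.100.0/24).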
Info
Channel: Jeff Geerling
Views: 282,428
Keywords: vpn, raspberry pi, pivpn, surfshark, sponsored, privacy, private, network, virtual, networking, cg-nat, nat, starlink, internet, access, public, wifi, connection, ethernet, dns, ip, linux, security, home assistant, remote access, corporate, lan, wan, router, utp, forwarding, port, wireguard, openvpn, protocol, guide, assist, help, tutorial, setup, computer, pc, windows, mac, iphone, android, ios, macos, speed, performance, test
Id: 5NJ6V8i1Xd8
Length: 12min 20sec (740 seconds)
Published: Fri May 05 2023