How to Make Your Own VPN (And Why You Would Want to)

Captions
This video is brought to you by Linode. This video is broken down into several sections, and since YouTube has this amazing new function, you don't even need to leave this comment, which is amazing.

It's been almost half a year since I made this video, which has unfortunately become one of the most popular videos on my channel. And while I do stand by most of the stuff that I said in this video, I wish I could have argued my point better and provided some of the alternatives to the VPN services, and this is exactly what I'm going to do in this video.

I want to preface this video by saying that if you only use a VPN to access Pornhub and stuff, you still might be interested in what I have to say. Thing is, even if you only use a VPN to watch Netflix or download Linux ISOs, you're still sharing the rest of your internet traffic with your VPN provider, and this might be an issue from a privacy standpoint. If you don't care about privacy, then that's fine too; I'm not here to lecture you or judge you. And if you only use a VPN for these specific purposes and you're completely fine with that, that's okay, this video is just not for you. However, for the privacy-conscious folks out there, I will tell you how to use your VPN only for some applications and use your ISP connection for other applications. The second part of this video will address those specific use cases, and it should be available here. And if my finger points at nothing, that means this part is currently in the works, so be patient.

So there's this great video about VPNs from a guy called Tom Scott, and it's much better than my original video about VPNs, and I highly recommend you guys go check it out. However, I know that you guys are lazy and that you're not gonna do that, so let me just summarize this video in quick bullet points and add some of my own thoughts.

VPN services will tell you that your ISP can track your every move and can see everything you do on the internet. This is a lie. Every website with a green padlock in the address bar has its contents encrypted in transit with HTTPS. HTTPS encrypts the contents of the websites you visit as well as the full URLs, so at the end the only thing the ISP is able to see is the domain names of the websites you visit. But that just doesn't sound as scary as "your ISP is spying on everything you're doing", does it?

VPN companies will tell you that your bank accounts, credit card information and private data are at risk, and every time you're using a public Wi-Fi, such as at an airport or a cafe, a malicious hacker can steal them. This is also a lie. Back when HTTPS wasn't a thing and websites weren't encrypted, a hacker could actually steal information, including banking details, because all this data wasn't encrypted. Nowadays that's just not the case, because any more or less serious website uses HTTPS to encrypt information in transit, yes, even on public Wi-Fi networks, and when this encryption is getting tampered with, your browser will tell you that.

VPN companies will tell you that they use state-of-the-art military encryption to protect your traffic from CIA agents, the NSA and your ISP. Technically that's not a lie: AES is used in some military applications, but it's also used on almost every website that you visit daily. And I was actually pretty surprised how a lot of people in the comments claiming to be security experts claimed that HTTPS doesn't encrypt anything and only serves as a certification authority thingy, which is really baffling to me. So yeah, not a lie per se, but a scammy marketing trick nonetheless.

Last but not least, a lot of VPN services will tell you that your ISP is selling your information to the highest bidder. And what you should ask yourself in this situation is: what's to keep them from doing the same? Websites of the biggest VPN providers such as NordVPN, PIA and PureVPN are full of promises such as "we don't sell your logs to anyone", "absolutely hundred percent no-log policy", "audited by a security company". But that's all they are: promises, and there's nothing to keep those VPN services from breaking those promises. You might say, well, if a company breaks their promise, they're just going to be out of business because the clients won't trust them anymore. But is that true though?

In 2017 PureVPN helped the FBI arrest Ryan Lin on charges of cyberstalking. The FBI managed to obtain logs from PureVPN which confirmed that the Gmail account he used to send threats was accessed from a PureVPN IP, which was in turn linked to his home IP address. Let's take a look at PureVPN's log policy at the time, shall we? "We do not keep any logs that can identify or help in monitoring users' activity. You are invisible; even we cannot see what you do online. We do not monitor user activity nor do we keep any logs. We therefore have no record of your activities such as which software you used, which websites you visited, what content you downloaded, which apps you used, etc. after you connected to any of our servers." And guess what, PureVPN is still in business and clearly has enough money to run ads for their services. Fun fact: they also claim to have undergone a security audit, so there's that.

And sure, there are some VPNs that were asked by the authorities to hand over the logs and didn't do it, such as ExpressVPN or PIA, but almost every mainstream VPN provider has a skeleton in the closet. Private Internet Access recently got acquired by an Israel-based company called Kape Technologies, which is notorious for infecting its users with malware and adware, and its owner Teddy Sagi allegedly has links to Israeli intelligence services. One of the servers owned by NordVPN got hacked in 2017; yes, not physically broken into, but hacked using a remote access vulnerability. According to the company, no user data was stolen or compromised, but somehow they still felt the need to hide this information from their users for two years. So at the end, no matter how secure and trustworthy your VPN service seems to you, if they tell you that they have undergone security audits, that they have a no-logs policy, you have to take their word for that.

When it comes to better and more private ways to browse the web, in my opinion there are only two options: Tor and self-hosted VPNs. Tor was indeed developed on behalf of the US intelligence community, and that raises some uncomfortable questions, to say the least. But guess what, Tor is also completely free and open source, so if you do have any doubts about how secure and private it is, you're always free to examine the code yourself. Speaking of US intelligence, the NSA is definitely not happy about Tor. A late 2014 report by Der Spiegel, using a new cache of Snowden leaks, revealed however that as of 2012 the NSA deemed Tor on its own as a major threat to its mission and even ranked it as "catastrophic", leading to a "total loss/lack of insight into target's communications", which says something, I guess.

Tor is what you want to use for all the sensitive and private stuff. If you want to google something embarrassing that you don't want anyone knowing about, or if you want to circumvent the censorship in your country, avoid geoblocks, or maybe visit a website that could get you in trouble with your local law enforcement, Tor is the way to go. The way it works, in layman's terms, is it bounces your traffic between different nodes, and every node only sees the two nodes adjacent to it, so at the end, when the traffic comes out at the so-called exit node, the website can't see where it initially came from, and at the same time your ISP can't see where it's actually going. We don't have all day though, so here's a video from Techquickie; they're better at explaining stuff quickly, hence the name. Although Tor is great for privacy and anonymity, it's just too slow, so if you want to watch Netflix or play online games, Tor won't do. Self-hosted VPNs are what you want to use for all the latency-, bandwidth- and speed-sensitive use cases.

The difference is that in the case of VPN services you're never sure if they keep logs, sell your data or monitor your traffic, whereas in the case of self-hosted VPNs it's you who decides all those things. You're sure that your VPN doesn't keep logs, because it was you who turned them off. You're sure that your OpenVPN binary is not compromised, because it was you who downloaded it from official repositories or compiled it from sources (yeah, you can do that too). You're sure that your server is safe from tampering, because you enabled two-factor authentication on SSH, and since your VPS uses KVM, the only way they can snoop on your activities is by dumping and decrypting RAM contents, which is tedious and time-consuming. And in the case of VPN services, yes, they do tell you that they do all those things as well, but at this point I can't blame anyone who has trust issues with VPN services. Besides, renting a VPS is cheap: most starting plans will set you back about five dollars a month, and usually the starting plan is all you want, to be honest. Many big VPS providers always have discounts and offers, just like VPN services. One more thing to keep in mind, though, is that if your VPN use case relies on changing your location often, this is not going to work as well, because you pretty much have to rent an additional VPS for every location that you want to use, so in this case using a VPN service will definitely be a better idea.

So yeah, a little change of scenery here, but coming back to the initial subject: if we want to host our own VPN, we need to find where we want to host it. There are a lot of VPS providers that offer plans for as little as two bucks per month, but there are a few things that you need to consider before choosing the VPS provider.

The first one is virtualization technology. Most VPS providers these days use KVM or Xen, and those two technologies are good. What you want to avoid is OpenVZ. This is a container-based virtualization technology, and virtual machines that run on it use a very old version of the Linux kernel which doesn't support many modern applications such as Docker or WireGuard. Apart from that, the nature of this technology also makes it very easy for the VPS providers to snoop on your activities, and this is something you definitely don't want.

The second one is the IPv4 address. This is not as important, since the overwhelming majority of VPS providers will give you a dedicated IPv4 address. However, since we're now facing an IPv4 address shortage, this might become more relevant in the future, and even now some very, very cheap VPS providers will only give you an IPv6 address, so do keep that in mind.

And last but not least, location. It's pretty self-explanatory, but still, you want to choose it according to your needs, according to how you're going to use the VPN. So for example, if you want to watch American Netflix, you have to choose an American location. If you want to use it as a seedbox, don't choose Germany, Austria or Switzerland, since those countries have very strict anti-piracy laws. If you want to use your VPN for online gaming, keep in mind that the further the server is from you physically, the bigger your latency is going to be. And if you're really serious about privacy, make sure to pick a VPS location that is outside the 14 Eyes.

Now, this isn't exactly a high bar to clear, but Linode, which by the way sponsored this video, checks all the boxes, and they have a lot of locations to choose from. They were also kind enough to give you guys $20 credit for your first cloud server, for your first VPS, just because you're cool. That being said, compensation is always good, so if you think that I'm biased, feel free to choose something else, shop around and do your own research. There are a lot of VPS providers to choose from, so if one doesn't have your preferred location or doesn't have the features that you want, there are always a lot of others. So what I'm going to do now is I'm going to take the $20 credit from Linode, set up my account, and voila, now we're ready to create our own VPN server.

After you sign up on the website and confirm your email, you're going to need to enter some details, including your name, address and credit card information. That's going to be pretty much the same for all the VPS providers, though sometimes they do accept Bitcoin or other cryptocurrencies. The next thing we need to do is add a server, or as Linode calls it, a Linode. There are a lot of distros to choose from, and if you want you can even go with Gentoo or Arch, but for this tutorial I'll go with the latest version of Ubuntu, 20.04. You will also want to choose the location; I'm going to choose UK, since it's the closest to me physically. We're going to take the cheapest Nanode plan, and even if later on you decide to set up a mail server, a Nextcloud instance or a personal blog, this configuration will still be more than enough. The Linode label is not that important, and neither are tags; I'll call mine "wolfgang's vpn". After that, you can choose the root password and upload the SSH key, which we're not going to do now, and I'll explain why later. Lastly, tick the box that says "private IP" and click the create button on the right, and there we go, our server is now created.

Now you should see the control panel of your server, and while the server is starting, let's generate the SSH keys for it. Using a cleartext password to log into your server is never a good idea, since the password is not encrypted in transit and can be exposed on a hostile network. By creating an SSH key, we're going to make it so that you can only log into your server if you have the key file and the password, and at the same time the password will be encrypted. If you're using Linux, you probably already know how to open a terminal; on Windows you'll need to open PowerShell with administrator privileges and install SSH using this command. By the way, I will put all these commands down in the video description, so if you prefer to have a text version of this tutorial to follow, just check the video description. The RSA algorithm with a 4096 key size is what most people recommend, since it's sufficiently secure and widely supported. Just press Enter when asked for the key location to save it to the default one, and then enter your password of choice.

By now our server has started up and we're ready to log in. Copy the IP address from the server control panel, go back to the terminal and type in ssh root@<ip address>. Type "yes", enter the root password that you specified in the first step, and that's it, we're in.

First and foremost, let's update our operating system and software: type in apt-get update && apt-get upgrade. I will also install my favorite text editor; feel free to use whatever you want though, for example nano. As much as it's convenient to not have to enter the root password every time you have to do something, I personally prefer to create a user account that isn't root. Exposing root login on an SSH server is probably not a good idea, even if you have multi-factor authentication. Call me paranoid, but I think having to enter the root password sometimes is the price that I'm personally willing to pay for some sense of security. Type useradd -G sudo -m <your username of choice> -s /bin/bash. That's going to create a user, set bash as the default shell for him and permit sudo usage. Die-hard Linux users might have noticed that I typed in a lowercase g instead of a capital G. Make sure that the G is capital, because lowercase g is used to specify the main user group, and we don't want that in this case. Afterwards we'll need to create a password for our user using passwd <username>. Enter your password twice and we're good to go.

Now that we've created our user, it's a good time to copy the public SSH key to the server. Open a second terminal window for your local terminal and enter ssh-copy-id <username>@<ip address>. You'll be prompted to enter your password, and once you do, go back to the terminal window with your server; don't close the other window yet. Now that we've copied the SSH keys to the server, we have to restrict authentication to the public key only. Let's edit the sshd configuration file. First of all, let's change the default port. This won't do much for security, but it will help with those obnoxious SSH scanners that try to log into your server with default credentials. It's not much, but the security logs will definitely get easier to read. You can use any port that's not taken by other services; I personally prefer to use port 69. Next we need to disable password-only authentication, so that you're only able to log in using a public key. Last but not least, let's also disable root login. Now save the file and restart the sshd service using systemctl restart sshd. Now, without closing the window, let's go back to our local machine and try to log in with our key. If you see the prompt to enter your key password, that means we're good to go. It's also a good idea to verify that we can't log in with our password anymore. If I try and log into the server from my Hackintosh machine, I see this, which means we're good.

You might have noticed that the command that we used to log into our server is kind of long and annoying to type, so let's fix that. Create a file in the .ssh folder in your home directory called config. Here we're going to create an alias for the VPS. The first line, in my case, will be Host wolfgangs-vpn (you can choose whatever name you want); then User wolfgang (in your case it will be the username that you chose in the previous step); Port 69; IdentityFile ~/.ssh/id_rsa; and HostName followed by the IP address of your server. Save and close, and now we can log into our server by simply typing ssh wolfgangs-vpn. And if you also don't want to see this wall of text every time you log into your server, type in touch .hushlogin and press Enter.

So, I know that WireGuard has been the hot new VPN protocol that everyone's been talking about lately, but in this video I'm going to use OpenVPN instead. Why? Because it has wider support when it comes to client applications, and some of the applications that I'll be talking about in the second part of this tutorial utilize OpenVPN. If you're interested in setting up a WireGuard server, there are a lot of tutorials on the internet about it.

So normally, setting up an OpenVPN server takes some time, since you need to install the packages, generate the keys, set up iptables, and write the configuration files for the server and the client. Thankfully, we won't do any of that in this video, and instead we'll use the openvpn road warrior script from a GitHub user called nyr. This script will do all the hard work for us, and all we have to do is answer a few simple questions and download the configuration file at the end. Needless to say, you shouldn't just go around executing random scripts you downloaded from the internet, so if you know some bash, read the script first and make sure there's nothing fishy in there. If you don't know any bash, maybe send it to a friend who does. When you're done reading the script, click "raw" and copy the link from your browser. Log into your server and install wget if you haven't already; sometimes it comes with your OS image already, but sometimes it doesn't. Next, type wget, press space and paste the link you copied earlier. Now let's launch the script. The script will ask you some questions, and in most cases you'll want to pick the default answer. For the port, you can choose the default port 1194, but I prefer to choose 443, since 1194 is known as the OpenVPN port and in some cases it can be blocked on your network. 443 is the same port that is used for HTTPS, but whereas HTTPS uses TCP, OpenVPN in this configuration uses UDP, so they won't conflict with each other. You're also going to be asked which DNS you want to use; feel free to choose whatever you like if you have any preferences, but I normally choose 1.1.1.1. As for the client name, choose whatever you like. Now that the configuration is done, press any key and the installation process is going to start. It's fully automated, and at the end you're only going to get a configuration file, which we'll download to our local machine later on. The problem is that the script places the file in the root directory by default, and in order to download it later we need to move it to our user's home directory and give ourselves the correct privileges.

With that out of the way, there's only one thing left to be done on the server's side, and that is to disable the logs. Let's edit the configuration file; here, change verb 3 to verb 0. Now restart the OpenVPN service, and there we go, a VPN that actually doesn't keep logs. Amazing. I also just noticed that the hostname of the server is localhost, which is not cool for many reasons, so let's change it to something else; I'm going to call it wolfgang's vpn. Now all we need to do is download the configuration file to our local machine so that we can actually use the VPN. Open a terminal on your local machine and type in sftp <server name>. Next, download the file using the command get <config name>.ovpn, and finally type exit. Now, if you want to use this VPN for all your traffic, which I don't recommend, you can download Tunnelblick on Mac, OpenVPN on Windows, or load it into the Network Manager on Linux. As you can see, after I connect to the VPN from the Network Manager, websites start thinking that I'm from the UK, which means the VPN is working.

At this point we have a bare-bones VPN server up and running. You can stop here and use it like you would normally use a VPN, in which case thanks for watching and I'm glad I could help. But if you want to know how to make it even more secure and add some features that are nice to have, like unattended upgrades, keep watching.

Now, SSH is nice, but it does get annoying sometimes, especially when you change your network and your connection drops immediately. Instead, I prefer to use mosh. There are no complicated configuration file shenanigans or anything like that; just install mosh on both your local and your remote machine, and after that you can simply use the mosh command as a drop-in replacement for ssh.

Public key authentication is probably secure enough for most, but if you want to be extra fancy, you can also add MFA, or multi-factor authentication. The way it works is you install an app on your phone (there are a lot of open source apps on Android, like andOTP), and every time you log in you get a one-time password in the app, which you need to enter in order to log in. This provides an additional layer of security for your server, which can be useful for some of us who are especially paranoid. The first thing you have to do is install libpam-google-authenticator. Yes, the protocol is made by Google, but it's completely free and open source, and you don't have to actually use the Google Authenticator app on your phone; there are many open source options, as I've already mentioned. After that, launch the initialization script by typing google-authenticator. There, basically answer yes to all the questions except for the one about multiple uses and the one about 30-second tokens. Once you're done with that, you'll see a big QR code on your command line, along with some codes below it; make sure to write those codes down somewhere safe, they'll be very useful in case you lose access to your phone or to the app. After that, what you need to do is launch the authenticator app on your phone (I'll use OTP Auth), add a new account and choose "scan a QR code". After you scan the code, the account will be added to the app, and we're done with the phone part for now.

Let's go back to the server terminal and edit the authentication settings file for sshd. Here we'll comment out the line that says @include common-auth. Normally the two-factor authentication will ask you for your user password and the one-time password, but since we're already using a public key with a password, having to enter your password twice is slightly annoying. That way you'll only have to enter the public key password and the one-time password. Next we need to add this line to the end of the file: auth required pam_google_authenticator.so. Let's save the file and quit. Now we need to edit the sshd configuration file to make SSH aware of the new authentication method. Here we need to change the following lines: ChallengeResponseAuthentication, change it to yes; UsePAM, yes as well; and add a new line after the UsePAM line that says AuthenticationMethods publickey,password publickey,keyboard-interactive. And now let's restart the SSH service for the changes to take effect. It's always a good idea to try and log in in a separate terminal window without closing the server session; otherwise, if you messed up, you'll be locked out of SSH, and nobody wants that, obviously. You'll see that apart from the usual public key password, you're also going to be asked for the one-time password from your app. If you're using GNOME, you won't be prompted for the public key until you log out and log back in again, only for the one-time password from your phone app. Let's enter the password, and voila, now our server is secured by two-factor authentication.

One last thing that I want to show you today is unattended software upgrades. What this means is we're going to have a script that runs apt update and apt upgrade regularly, thus liberating us from the burden of having to log into the server and do this manually. The server will also be rebooted for kernel updates, but since the reboot takes less than a minute and since kernel upgrades are not very frequent, your VPN won't actually suffer that much from downtime. So the first thing that we need to do is install the unattended-upgrades package, and here just leave it at default. Next, enable the stable security updates. After that's done, let's edit the config file. Here we need to set our email address, which is going to be used for update notifications, and then also enable automatic reboots. You can also set up the automatic removal of some junk, for example unused kernels or unused dependencies, and specify the automatic reboot time; in my case I'll set it to 5 am. And that's it, let's see if it works. So now your system and all the packages will be updated automatically, and you'll get an email every time an upgrade has been performed. And yeah, that's it.

So I'm finally done editing this video. It took so long that I had a haircut in the meantime. But yeah, a lot of people might say that this video is redundant, since, you know, I just said the same stuff that I said in the last video and added a tutorial, but it was really important for me to make this video. It just didn't sit right with me that the most viral video on my channel is so poorly researched, and this is basically what I wish I'd uploaded back then in November 2019. So yeah, thank you guys for watching this video, I hope it was really helpful, and I would also like to thank my patrons cujo26, Mitchell, Valentino Ramos, Elis and Ray Peria, and everyone else who supports this channel. Thank you guys for watching once again, and I'll see you in the next one. Goodbye.
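The SSH hardening and two-factor steps from the tutorial above, as an added shell example that is not from the video or its description: idempotent functions that apply the sshd_config and PAM edits to a file path you pass in, plus a checker for the value sshd will actually use, run here against constructed sample files. Port 69 and the AuthenticationMethods line are the video's values; the function names (set_opt, effective, harden_sshd, enable_ssh_totp, pam_totp) are this example's own.

```sh
#!/bin/sh
# Added example, not from the video or its description: the sshd_config and
# /etc/pam.d/sshd edits the tutorial makes by hand, as idempotent functions
# you can dry-run against copies before touching the real files (which then
# need `systemctl restart sshd`). Port 69 and the AuthenticationMethods value
# are the video's; the function names are this example's own.
set -eu

# set_opt FILE KEY VALUE: rewrite every existing KEY line, commented or not,
# to "KEY VALUE". If KEY is absent, insert it at the top rather than appending:
# anything appended after a "Match" block would belong to that block.
set_opt() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[#[:space:]]*${key}([[:space:]]|\$)" "$file"; then
        sed -E "s|^[#[:space:]]*${key}([[:space:]].*)?\$|${key} ${value}|" \
            "$file" > "$file.tmp"
    else
        { printf '%s %s\n' "$key" "$value"; cat "$file"; } > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# effective FILE KEY: the value sshd will use (first uncommented match wins).
effective() {
    awk -v k="$2" '$1 == k { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }' "$1"
}

# The three sshd_config changes from the first hardening pass.
harden_sshd() {
    set_opt "$1" Port 69
    set_opt "$1" PasswordAuthentication no
    set_opt "$1" PermitRootLogin no
}

# The MFA pass. With PasswordAuthentication off, only the second alternative
# in AuthenticationMethods (key, then one-time code) can actually succeed.
enable_ssh_totp() {
    set_opt "$1" ChallengeResponseAuthentication yes
    set_opt "$1" UsePAM yes
    set_opt "$1" AuthenticationMethods 'publickey,password publickey,keyboard-interactive'
}

# pam_totp PAMFILE: stop PAM asking for the account password (the key
# passphrase already covers that) and require the TOTP module instead.
pam_totp() {
    sed 's|^@include common-auth|#&|' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    grep -q '^auth required pam_google_authenticator.so' "$1" ||
        printf 'auth required pam_google_authenticator.so\n' >> "$1"
}

# Constructed sample files with Ubuntu 20.04-style defaults for the dry run.
DEMO_DIR=$(mktemp -d)
DEMO_SSHD=$DEMO_DIR/sshd_config
DEMO_PAM=$DEMO_DIR/pam_sshd
cat > "$DEMO_SSHD" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    X11Forwarding no
EOF
cat > "$DEMO_PAM" <<'EOF'
# PAM configuration for the Secure Shell service
@include common-auth
account    required     pam_nologin.so
EOF

harden_sshd "$DEMO_SSHD"
enable_ssh_totp "$DEMO_SSHD"
harden_sshd "$DEMO_SSHD"   # a second run must change nothing further
pam_totp "$DEMO_PAM"
pam_totp "$DEMO_PAM"

for k in Port PermitRootLogin PasswordAuthentication AuthenticationMethods; do
    printf '%-24s %s\n' "$k" "$(effective "$DEMO_SSHD" "$k")"
done
```

Because OpenVPN's server.conf uses the same "key value" line format, set_opt also covers the tutorial's verb 3 to verb 0 change unchanged (set_opt /etc/openvpn/server/server.conf verb 0, followed by a restart of the OpenVPN service).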
Info
Channel: Wolfgang's Channel
Views: 981,563
Rating: 4.9246893 out of 5
Id: gxpX_mubz2A
Length: 25min 54sec (1554 seconds)
Published: Mon Jun 08 2020