How to make your own encrypted VPN server in 15 minutes

How to make your own encrypted VPN server in 15 minutes

You may have seen plenty of online ads about paid VPN services. However, as we explained in a previous article, it’s not a good idea to tunnel all your internet traffic through a VPN service.

Unlike what they say on their websites, VPN companies usually don’t care about protecting your privacy. These companies get to see all your web browsing history as they handle your internet traffic and DNS requests. They sometimes even keep logs of your IP address and connection history, which means that they could potentially hand this data over to authorities, or it could be stolen by cybercriminals.

In most cases, you don’t need to enable a VPN connection before browsing the web as nearly all websites are delivered to your browser over a secure and encrypted connection (called HTTPS). 

But VPNs can be useful from time to time, depending on your risk profile, also known as a threat model. Sometimes you can’t access a website from a public network because it’s blocked. Or you could be traveling to a country where the content you want to access, such as the news, or music- and video-streaming services, aren’t available. In those cases, it’s all about minimizing the risk while you use a VPN.

That’s why we are going to highlight a few different methods to set up your own encrypted VPN server at home or in a data center near you.

Easy: Run Tailscale on a spare home computer

Tailscale makes it easy to create a virtual network and connect all your devices to that network. Tailscale is built on top of WireGuard, a rock-solid open source VPN protocol that works on pretty much any device.

There are plenty of use cases for Tailscale. Developers use it for accessing remote servers. Companies use it so that employees can access all kinds of corporate services even when they’re not in the office. In our case, we’re going to use it as an alternative to a VPN service that lets you encrypt and redirect all your internet traffic.

If you have a computer that is always running at home, or an old laptop that you no longer use, download and install Tailscale on that device. The Tailscale app is available for both Windows and macOS. (It’s also available on Linux using the terminal.)

Create a Tailscale account, and create your first tailnet. In Tailscale’s lingo, a tailnet is your own private peer-to-peer mesh network that lets your devices interact with each other.

Click on the Tailscale icon in your menu bar on macOS or in the taskbar on Windows. Turn on Tailscale, and then head to the “Exit nodes” menu. Click on “Run exit node …”

Now, you can install Tailscale on your personal devices that you’re traveling with, such as your laptop or your phone. Install Tailscale, then log into your account. You’ll see your computer running at home in the list of devices in your private network.

Once again, go to the “Exit nodes” section. This time, choose your home computer as your exit node. That’s it! When your devices use your home computer as their exit nodes, all internet traffic passes through that exit node. 

Tailscale’s role is to manage the coordination server that makes this VPN connection possible. This coordination server is responsible for distributing the public keys to all your devices in your Tailscale network so that they can securely communicate with each other. Tailscale doesn’t route traffic through its coordination servers. 

As for private keys, they remain on your devices at all times. Without those private keys, there is no way for anyone else — including Tailscale — to decrypt the data that flows through your VPN tunnel. With this setup, you get all the benefits of an encrypted VPN connection without having to manually generate, distribute, and handle your public keys.

The result is that even if you’re thousands of miles away on a very restricted Wi-Fi network, you can browse the web as if you were located at home. 

At this point you might think, “This is great, but I don’t want to keep a computer running 24/7.” The good news is that Tailscale lets you turn an Apple TV into an exit node. As the Apple TV is designed to be constantly running so that it can be switched on and used at any time, your exit node will also always be constantly available. If you’re not an Apple TV user, you may have an Android-based set-top box or an old Android phone in a drawer. Tailscale lets you run an exit node on an Android device, too.

The exit node sub-menu in Tailscale’s client on macOS (left) and Windows (right). Image Credits:TechCrunch (screenshots)

Medium: Install Tailscale on a Raspberry Pi

If your modem or router is in a peculiar spot, you may want to build yourself a dedicated Tailscale device and plug it into your router with an Ethernet cable.

In that case, you could buy a Raspberry Pi, a tiny, cheap, single-board micro-computer. We recommend a Raspberry Pi 4 or Raspberry Pi 5, as these models have a Gigabit Ethernet port. If you have a fiber connection at home, you’ll be able to get faster speeds with that Gigabit Ethernet port when you switch on the VPN connection.

You can flash a microSD card with Raspberry Pi Desktop, the operating system specifically designed for these computers. You’ll also need a USB keyboard and mouse, as well as a micro-HDMI-to-HDMI cable to set up the Raspberry Pi.

After that, you can plug your Raspberry Pi to a computer display or a TV and turn it on. You’ll have to open the terminal and run a few commands that are detailed on Tailscale’s website to install and run Tailscale.

You also need to enable IP forwarding with the following three commands on Raspberry OS:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf

echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf

sudo sysctl -p /etc/sysctl.conf

After the last command, run the following command:

sudo tailscale up --advertise-exit-node

And this completes turning this Raspberry Pi into a Tailscale exit node.

You can now install Tailscale on your personal devices that you’re traveling with, and use the Raspberry Pi as your exit node.

a photo of a Raspberry Pi 5 circuit board
A Raspberry Pi 5. Image Credits:Romain Dillet / TechCrunch

If you like this setup and you’re comfortable in the terminal, you can follow the same instructions with Raspberry Pi OS Lite, the operating system for the Raspberry Pi that doesn’t have a traditional desktop interface.

You can also follow the same instructions to create your own VPN server in a data center near you. Many companies, such as DigitalOcean, Vultr, Linode, Scaleway, Hetzner Cloud, and OVHcloud, offer cheap virtual servers for around $5 per month.

After creating a server with one of those cloud hosting companies, boot up a server and use their web console to install Tailscale. You can also log in using SSH, commonly used for remote access, from your own terminal.

a screenshot of an iPhone running the Tailscale’s iPhone app with the ability to select an exit node at the top.
Tailscale’s iPhone app with the ability to select an exit node at the top.Image Credits:Romain Dillet / TechCrunch

Advanced: Tailscale on Fly.io or WireGuard on a VPS

At this point, you may find that setting up your own encrypted VPN server and routing all your internet traffic through that server isn’t that difficult. So, you can get creative with your setup.

For instance, developer Patrick Recher has built a global network of Tailscale exit nodes on Fly.io, a cloud-hosting company that lets you create virtual machines on the fly based on a configuration file. 

Recher can add a server in a new region with a single command line. And when he’s done, he stops the virtual machine and destroys it. You can find out more in Recher’s GitHub repository.

If you don’t want to rely on Tailscale to coordinate your peer-to-peer network, you could install and configure WireGuard directly. There are several tutorials around the web that will guide you through the WireGuard setup process. Setting up WireGuard is not that complicated, and you’ll learn a few things along the way.

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *