Popup OpenVPN
Make a self hosted VPN in 15 minutes.
If you can 'kind of run a server', then you can manage this.
Give all your non-technical friends a free VPN!
Why?
Companies like verizon, AT&T, and Comcast already have developed tools to sell police bulk access to your data without a warrant. Isn't this illegal spying? Not if your internet provider does it as a service!
Do you want every corrupt government contractor to have access to your browser history? Right now, they often do.
Installation Guide
-
Make an account and get a $10 free credit at digital ocean
- skip this step if you have an account already
- disclaimer: I get some free credit when you use this link. Thanks!
-
Add your SSH key
to Digital Ocean
- Enter the digital ocean web interface
- go to
settings->security->SSH keys
- Paste your key, found by default
$HOME/.ssh/id_rsa.pub
- tip: make a key with
ssh-keygen
- danger:
ssh-keygen
WILL overwrite your current key without warning
- On server creation, the key will be added in server's
root
user's authorized_keys
ansible
uses the default SSH key: ~/.ssh/id_rsa.pub
- you can manually set a key as a command line argument in
manage.sh
-
Create a new server on Digital Ocean
- Choose the
Ubuntu 16.04.1 x64
base image
- Use the $5 option
- Choose a datacenter near you for low latency.
- Check your preferred
ssh key
under Add your SSH keys
- Choose a hostname like
popup-openvpn
- Do not check
use IPv6
- Notes
- You will have 1 terabyte of monthly transfer
- They call a
server
a droplet
-
Configure this repo for your users
- Clone this repository on your local computer
git clone --recursive https://github.com/robbintt/popup-openvpn.git
- Configuration files:
- Add the IP address of the server to your
hosts
file
- The
IP address
is available in your digital ocean dashboard
- In the
[vpnservers]
section, replace the default 1.2.3.4 with your server's IP address
- Add each of the following to your
group_vars/all
- You need at least one user and password
user
- any username is fine in user
password
openvpn_client
- any name is fine -- the default is
myvpn1
etc.
- Replace or delete the example users and passwords entirely
- You can add as many openvpn_client sections and user/passwords as you wish
- IMPORTANT: Delete any extra user lines and unnecessary example certificates, e.g.
myvpn3
, myvpn4
-
It's time to automatically set things up!!
- Install
ansible
locally
- execute:
manage.sh
- The ansible script should run without any errors
- (The restarter role fails if it doesn't need to restart or something)
- When you run this playbook for the first time, you will need to restart the server before you can connect.
- todo - just restart the server every time the playbook is run or something
- future - troubleshoot this issue in stouts or OpenVPN
- To reconfigure or update your server you may run
manage.sh
again
-
email the .ovpn files to all your users
- The ansible playbook transferred the .ovpn files to the computer you ran ansible from
- Each ovpn file is stored in
./openvpn_files/
(inside the popup-openvpn
project directory)
- Each user only needs the ovpn file generated for them. They also need their username and password
- You will open this file in your
OpenVPN Client
-
Install a client on each of your devices. You will need: user
, password
, .ovpn file
- Client Recommendations
- You will need to follow the client specific instructions
- iOS |
OpenVPN
- You're going to want to go through this set-up process for iOS file syncing for the most secure way to share you
.ovpn
files. While you can send the file(s) through email, this is not recommended as email is often unencrypted, and will be assuming you don't have a prior end-to-end encryption system set up. The guide for iTunes sync in that VikingVPN link is rather outdated, so please refer to this official support page for file syncing in iTunes 12.x (most recent version as or writing).
- Note: to connect you'll want to go through the OpenVPN app, sign in, and connect in-app after importing your
.ovpn
profile(s).
- TODO: Assemble more links for client instructions
- All your users need to do this step for all their devices
- Linux
- Arch has a good guide for this. Find a better way.
-
Maintaining your server
Requirements
- Server: Digital Ocean Ubuntu 16.04.1 Release
- Local
~/.ssh/id_rsa.pub
private key deployed to remote root authorized_keys
- This is done through Digital Ocean on droplet deployment
Future
- Use ansible vault to encrypt group_vars/all
- Make a workflow for adding a new user and client certificate "for a friend"
- Add an automatic updates tool.
- Test this guide from very beginning to very end.
- Beginning: Create a Digital Ocean Account
- End: Install the ovpn cert and put the password in on all your devices
- Very End: Maintaining your server
- Deploy to the world at large (reddit? digital ocean article?)
Stouts.openvpn
The Stouts.openvpn repo is included as a subrepo in /roles/Stoutsopenvpn
.
References
Some useful links and additions.
Using Ansible Vault
You might use this to encrypt your group_vars/all
- Encrypt a file:
ansible-vault encrypt foo.yml bar.yml baz.yml
- Decrypt a file:
ansible-vault decrypt foo.yml bar.yml baz.yml
- View file contents:
ansible-vault view foo.yml
- Run Playbook w/ Vault password:
ansible-playbook site.yml --ask-vault-pass
- This is managed in
manage.sh
in this script
Links