By Dan Moren
April 7, 2017 9:52 AM PT
Rolling your own VPN server
Note: This story has not been updated for several years.
With the news that internet service providers may soon start scanning all your personal data and using it to target ads, I decided it was time to investigate setting up a virtual private network (VPN) server.1 I’ve mentioned this in a couple places, including recently on Clockwise, and had more than a few people asking if I’d document my experience.
Why VPN?
There’s been a lot of talk about VPNs in the wake of this recent news, everything from which provider you should pick to why a VPN doesn’t necessarily solve the problem.
Overall, though it’s true that VPNs can help by encrypting the traffic that flows through your ISP (or whatever network you’re on), they are hardly a panacea. For one thing, VPN traffic is not end-to-end encrypted: it eventually emerges, decrypted, somewhere else. That means a third party—in this case, the company providing your VPN—may still be able to keep an eye on your traffic. Those companies may keep logs that can in turn be sold to or accessed by third parties (including the government), depending on their own privacy policies. In effect, you’re moving the problem downstream.
Where VPN?
With all of those caveats in place, I still thought it would make for an interesting experiment. I’d previously set up a VPN on my Mac mini, but that doesn’t help at all in this case, because the data is only encrypted going to my Mac mini…which then sends it all out via my home ISP. (It’s more helpful when I’m working out of the house and want to secure my connection on, say, a public Wi-Fi network.)
So instead I turned to the Linode server that I use to host my website. (Full disclosure: Linode is a regular sponsor of Clockwise, but beyond having signed up using the same discount code that we offer to all listeners, I pay for my own Linode account.) The good news is that, as with so many other tasks, Linode provides extensive guides to setting up a VPN on its service.
The advantage to using Linode is that since it’s a virtual server, rather than a VPN service, I’m completely in charge of the setup and configuration of the VPN server.2 Again, this isn’t foolproof, because my traffic is only encrypted between my Mac and the Linode server, meaning that if Linode decided it wanted to track my outbound traffic, then I’d be in much the same boat as before. (Essentially, Linode becomes my de facto ISP.) Given, however, that Linode’s main business is hosting, and that they have their own pretty strong privacy policy, I’m not particularly concerned on that point. But, again, that’s subject to the vagaries of business.
However, keep in mind that since now all my traffic would effectively originate from my Linode server, which has a static IP address, this again is mostly just shifting the problem. Because if I’m logging in to unencrypted web servers (i.e. those not using the HTTPS protocol), I’m still transmitting information that can then be tied back to a single IP, allowing advertisers (if not my home ISP) to build a targeted advertising profile.3 Granted, that IP is no longer connected to my geographic location, since my Linode is in New Jersey, but if I’m still looking for information about businesses or locations near where I actually am, it’s still not too hard to suss out. In other words, a VPN like this still isn’t a good way to anonymize your connection.
How to VPN?
With all of those caveats in place, I still decided setting up a VPN server was at least an interesting exercise to develop some of my server administration skills. I chose to use the OpenVPN Access Server, since it was described as a more “streamlined and user-friendly solution” to manage a VPN, but I still ended up running into some challenges. Namely, I already have an HTTPS web server running on my Linode and at first it seemed like both it and the VPN server wanted to use the same ports. Eventually I got that ironed out, and everything else seemed to go smoothly.4
OpenVPN is, as far as I can tell, is not supported by the macOS natively, which means you have to use either OpenVPN’s own client or a third-party client like tunnelblick. I’ve found the latter preferable, since it’s pretty easy to set up and supports automatic logon as well as monitoring your external IP address to let you know if your traffic is being routed correctly.
VPNs can take have a negative effect on the speed of your connection, but I’ve been pleasantly surprised at how little of a performance hit mine has seemed to take; I accidentally recorded a couple podcasts with it on before I realized, and I didn’t notice any significant issues.
On the iOS side, although you need to install the OpenVPN Connect app to set it up, it seems to essentially just configure a VPN profile, which you can then activate either via the app or via iOS’s own Settings.
VPNs for all?
So, have I been running my VPN non-stop since setting it up? Not really. It’s a great tool to have at my disposal, but there are still trade-offs, such as the fact that it’s annoying to have to set it up on a bunch of different devices.5 It also, like most VPNs of my experience, runs into connection issues if you try to use it on flakier networks, so turning it on hasn’t exactly graduated to muscle memory yet.
And, as I said up top, it’s really not a catch-all solution. By far the best solution would be to have all the web and mail servers out there running SSL/TLS secured connections, but obviously that’s not going to happen overnight.
So, is a VPN for you? If you’re really worried about your ISP serving up ads (or looking at your web traffic), then this might help assuage that concern. But you’re going to be paying for it, whether you’re setting it up on your own server or subscribing to a service, and, as I’ve said, it’s really just shifting the problem.
Where is a VPN useful? In general, if you’re using an unsecured public wireless network, it’s a good way to make sure nobody’s intercepting your traffic. It’s not even a perfect solution there, but it’s definitely easier to set up. But at that point, you’ll probably be fine with a third-party service, rather than trying to set up your own, unless you’ve got the technical sophistication to not only set it up but to fix it when it breaks.
- I’ll note that Comcast, my ISP, has said that it has no plans to do this. I’ll also note that businesses are subject to the whims of their balance sheets, as well as the people who control them—all of which can change. ↩
- The downside is that I’m completely in charge of the setup and configuration of the VPN server. If something goes wrong, I have to fix it, which means I can be quickly out of my depth. ↩
- In fact, if I log into my VPN every time I’m online, regardless of whether I’m at home or not, it may actually make it easier on advertisers, because I’m always using the same IP. And, moreover, unlike a VPN service, which may have a ton of different people’s traffic going through the same IP and which in turn might at least confuse matters somewhat, I’m the only person using this address. ↩
-
I did take a brief side jaunt when I realized that Ubuntu’s UFW, which was already installed on my server, was a much easier tool for managing my server’s firewall than the old-school
iptablesI was using. Definitely useufwif it’s an option for you. ↩ - I haven’t investigated the possibility of routers that let you run your entire network through a VPN, but it sure isn’t supported by my old AirPort Extreme from what I can tell. ↩
[Dan Moren is the East Coast Bureau Chief of Six Colors. You can find him on Mastodon at @dmoren@zeppelin.flights or reach him by email at dan@sixcolors.com. His latest novel, the supernatural detective story All Souls Lost, is out now.]
If you appreciate articles like this one, support us by becoming a Six Colors subscriber. Subscribers get access to an exclusive podcast, members-only stories, and a special community.