/popup-openvpn

Make a self hosted OpenVPN server in 15 minutes

Primary LanguageShellMIT LicenseMIT

Popup OpenVPN

Make a self hosted VPN in 15 minutes.

If you can 'kind of run a server', then you can manage this.

Give all your non-technical friends a free VPN!

Why?

Companies like verizon, AT&T, and Comcast already have developed tools to sell police bulk access to your data without a warrant. Isn't this illegal spying? Not if your internet provider does it as a service!

Do you want every corrupt government contractor to have access to your browser history? Right now, they often do.

Installation Guide

  1. Make an account and get a $10 free credit at digital ocean

    • skip this step if you have an account already
    • disclaimer: I get some free credit when you use this link. Thanks!
  2. Add your SSH key to Digital Ocean

    1. Enter the digital ocean web interface
    2. go to settings->security->SSH keys
    3. Paste your key, found by default $HOME/.ssh/id_rsa.pub
      • tip: make a key with ssh-keygen
      • danger: ssh-keygen WILL overwrite your current key without warning
    4. On server creation, the key will be added in server's root user's authorized_keys
    5. ansible uses the default SSH key: ~/.ssh/id_rsa.pub
      • you can manually set a key as a command line argument in manage.sh
  3. Create a new server on Digital Ocean

    1. Choose the Ubuntu 16.04.1 x64 base image
    2. Use the $5 option
    3. Choose a datacenter near you for low latency.
    4. Check your preferred ssh key under Add your SSH keys
    5. Choose a hostname like popup-openvpn
    6. Do not check use IPv6
    7. Notes
      • You will have 1 terabyte of monthly transfer
      • They call a server a droplet
  4. Configure this repo for your users

    1. Clone this repository on your local computer
      • git clone --recursive https://github.com/robbintt/popup-openvpn.git
    2. Configuration files:
      • hosts
      • group_vars/all
    3. Add the IP address of the server to your hosts file
      • The IP address is available in your digital ocean dashboard
      • In the [vpnservers] section, replace the default 1.2.3.4 with your server's IP address
    4. Add each of the following to your group_vars/all
      • You need at least one user and password
      • user
        • any username is fine in user
      • password
        • use a strong password
      • openvpn_client
        • any name is fine -- the default is myvpn1 etc.
      • Replace or delete the example users and passwords entirely
    5. You can add as many openvpn_client sections and user/passwords as you wish
    6. IMPORTANT: Delete any extra user lines and unnecessary example certificates, e.g. myvpn3, myvpn4
  5. It's time to automatically set things up!!

    1. Install ansible locally
    2. execute: manage.sh
      • The ansible script should run without any errors
      • (The restarter role fails if it doesn't need to restart or something)
    3. When you run this playbook for the first time, you will need to restart the server before you can connect.
      • todo - just restart the server every time the playbook is run or something
      • future - troubleshoot this issue in stouts or OpenVPN
    4. To reconfigure or update your server you may run manage.sh again
  6. email the .ovpn files to all your users

    • The ansible playbook transferred the .ovpn files to the computer you ran ansible from
    • Each ovpn file is stored in ./openvpn_files/ (inside the popup-openvpn project directory)
    • Each user only needs the ovpn file generated for them. They also need their username and password
    • You will open this file in your OpenVPN Client
  7. Install a client on each of your devices. You will need: user, password, .ovpn file

    1. Client Recommendations
    2. You will need to follow the client specific instructions
      • iOS | OpenVPN
        • You're going to want to go through this set-up process for iOS file syncing for the most secure way to share you .ovpn files. While you can send the file(s) through email, this is not recommended as email is often unencrypted, and will be assuming you don't have a prior end-to-end encryption system set up. The guide for iTunes sync in that VikingVPN link is rather outdated, so please refer to this official support page for file syncing in iTunes 12.x (most recent version as or writing).
        • Note: to connect you'll want to go through the OpenVPN app, sign in, and connect in-app after importing your .ovpn profile(s).
      • TODO: Assemble more links for client instructions
    3. All your users need to do this step for all their devices
    4. Linux
      • Arch has a good guide for this. Find a better way.
  8. Maintaining your server

    • TODO

Requirements

  • Server: Digital Ocean Ubuntu 16.04.1 Release
  • Local ~/.ssh/id_rsa.pub private key deployed to remote root authorized_keys
    • This is done through Digital Ocean on droplet deployment

Future

  1. Use ansible vault to encrypt group_vars/all
  2. Make a workflow for adding a new user and client certificate "for a friend"
  3. Add an automatic updates tool.
  4. Test this guide from very beginning to very end.
    • Beginning: Create a Digital Ocean Account
    • End: Install the ovpn cert and put the password in on all your devices
    • Very End: Maintaining your server
  5. Deploy to the world at large (reddit? digital ocean article?)

Stouts.openvpn

The Stouts.openvpn repo is included as a subrepo in /roles/Stoutsopenvpn.

References

Some useful links and additions.

Using Ansible Vault

You might use this to encrypt your group_vars/all

  • Encrypt a file: ansible-vault encrypt foo.yml bar.yml baz.yml
  • Decrypt a file: ansible-vault decrypt foo.yml bar.yml baz.yml
  • View file contents: ansible-vault view foo.yml
  • Run Playbook w/ Vault password: ansible-playbook site.yml --ask-vault-pass
    • This is managed in manage.sh in this script
Links