You mainly come across VPN servers in the business world: employees can use them to securely access the company network while on the road or from home. Nevertheless, a VPN server can also come in handy when you are on the road and want to access the internet more securely, or if you want to access files on your home network.
Tip 01: VPN Protocols
There are many VPN services and some you can even use for free without too many restrictions, such as ProtonVPN. Via client software on your mobile device or computer you connect to one of the offered VPN servers, after which you can access the internet via such a server.
The approach of this article is more ambitious: we are going to set up our own VPN server within our home network. VPN stands for virtual private network, and that means that you connect networks that are physically separated from each other. Such a connection normally runs via the internet, and that is not exactly the safest environment. That is why all data traffic through such a VPN connection is encrypted: a virtual tunnel is created between the two networks, as it were.
Several VPN protocols are available, including PPTP, SSTP, IKEv2, L2TP/IPsec, OpenVPN and WireGuard. The latter is promising, but still in development and not yet widely supported. We choose OpenVPN here because it is open source, has strong encryption and is available on almost all platforms.
At the moment, OpenVPN is still seen as the better VPN protocol
In fact, your router is the best place to set up a VPN server in your home network. After all, all data traffic from the websites you visit on the road will first go through your VPN server. If that's your router, that traffic goes straight back to your mobile device. If your VPN server is on a NAS or PC, the data traffic must first go from your router to that device and from there back to your router. An extra intermediate step, but in practice you will not notice this delay much.
Unfortunately, many typical home routers don't have the option to set up a VPN server. If your router does indeed lack a VPN service, the DD-WRT firmware may offer a way out. Surf here and enter your router model. With a bit of luck the Supported column says yes and you can download the firmware file to flash your router with it. Please note: you perform such a sensitive operation entirely at your own risk! You can go here for instructions.
Tip 02: Installation on a NAS
We will first show you how to install an OpenVPN server on a NAS. Well-known NAS manufacturers such as QNAP and Synology offer their own app for adding a VPN server. We'll look at how to do that on a Synology NAS with a recent version of DiskStation Manager (DSM). Connect to the web interface of DSM; by default the address is the IP address of your NAS followed by :5000 (http) or :5001 (https).
Open the Package Center, go to All Packages, search for the app VPN Server and click Install. After installation, click Open: the server supports several VPN protocols, namely PPTP, L2TP/IPSec and OpenVPN. In principle they can even be active at the same time, but we limit ourselves to the OpenVPN protocol. Click OpenVPN and put a check next to Enable OpenVPN server. Set a virtual internal IP address for your VPN server. By default this is 10.8.0.1, which means that the VPN clients will in principle receive an address between 10.8.0.1 and 10.8.0.254. You can choose an IP range between 10.0.0.1 and 10.255.255.1, between 172.16.0.1 and 172.31.255.1 and between 192.168.0.1 and 192.168.255.1. Just make sure the range doesn't overlap with IP addresses currently in use on your local network.
On some NAS devices an OpenVPN server is installed like this
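The overlap check at the end of tip 2 is easy to get wrong by eye once your LAN has more than one subnet. The following script, added here as an illustration and not part of the original article or of Synology's software, verifies a candidate virtual server address the way the DSM dialog expects it: the resulting client pool must fall inside one of the three private ranges offered, and must not overlap any network already in use locally. The /24 pool size and the sample LAN 192.168.0.0/24 (derived from the NAS address 192.168.0.200 used in tip 5) are assumptions.

```python
import ipaddress

# The three ranges the DSM dialog lets you pick from (tip 2) are the RFC 1918 private blocks.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def check_vpn_subnet(vpn_server_ip, lan_networks, prefixlen=24):
    """Validate the 'virtual internal IP address' typed into the DSM dialog.

    vpn_server_ip: the server's tunnel address, e.g. "10.8.0.1" (the DSM default).
    lan_networks:  networks already in use locally, as strings such as "192.168.0.0/24".
    prefixlen:     size of the client pool; /24 is an assumption matching the
                   10.8.0.1 - 10.8.0.254 pool the article describes.
    Returns a dict with the pool, the first/last client address and a list of problems.
    """
    server = ipaddress.ip_address(vpn_server_ip)
    pool = ipaddress.ip_network(f"{server}/{prefixlen}", strict=False)
    problems = []

    # The dialog only offers private ranges; anything else would collide with the internet.
    if not any(pool.subnet_of(block) for block in PRIVATE_BLOCKS):
        problems.append(f"{pool} is not inside a private (RFC 1918) range")

    # A pool that overlaps a LAN subnet breaks routing for clients on that LAN.
    for lan in lan_networks:
        lan_net = ipaddress.ip_network(lan, strict=False)
        if pool.overlaps(lan_net):
            problems.append(f"{pool} overlaps local network {lan_net}")

    hosts = list(pool.hosts())
    # The server takes the first usable address; clients get the rest of the pool.
    clients = [h for h in hosts if h != server]
    return {
        "ok": not problems,
        "pool": str(pool),
        "first_client": str(clients[0]),
        "last_client": str(clients[-1]),
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed example: DSM default server address against a single home LAN.
    result = check_vpn_subnet("10.8.0.1", ["192.168.0.0/24"])
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it with the address you intend to type into the dialog; if `problems` is non-empty, pick another range before enabling the server, because changing it later means re-exporting and redistributing every client profile.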
Tip 03: Protocol choice
In the same configuration window, you also specify the maximum number of simultaneous connections, as well as the port and protocol. By default the port is 1194 and the protocol UDP, and that usually works fine. If you already have another service running on that port, you will of course set a different port number.
Furthermore, you can also choose TCP instead of UDP. TCP has built-in error correction and checks that every bit has arrived correctly. This gives a more stable connection, but is slightly slower. UDP, on the other hand, is a 'stateless protocol' without error correction, which makes it more suitable for streaming services, where the loss of a few bits is usually less serious.
Our advice: try UDP first. Afterwards you can optionally experiment and choose TCP port 8080, or even the HTTPS port 443, because those are usually less likely to be blocked by a (company) firewall. Keep in mind that you also have to set the chosen protocol in the port forwarding settings (see tip 5).
You can normally leave the other options of the configuration window untouched. Confirm your choices with Apply.
Tip 04: Export configuration
At the bottom of the window you will find the button Export configuration. This exports a zip file that, when unpacked, yields both a certificate (.crt) and a configuration profile (.ovpn). You need the ovpn file for your OpenVPN clients (see also tips 6 to 8). Open the ovpn file with Notepad. In the (third) line, remote YOUR_SERVER_IP 1194, replace YOUR_SERVER_IP with the external IP address of your router and 1194 with the port you set in the OpenVPN configuration window. A quick way to find out this external IP address is to go from your internal network to a site like www.whatismyip.com (see box 'Ddns'). Incidentally, you may also replace this IP address with a host name, such as that of a ddns service (see the same box).
A little further down in the ovpn file you see the line #redirect-gateway def1. Remove the hash here, so that it reads redirect-gateway def1. This option ensures that all network traffic is routed through the VPN. If this causes problems, you can restore the original line. Learn more about this (and other OpenVPN technical issues) here.
Save the edited file with the same extension.
Ddns
From the outside, you usually access your home network via the public IP address of your router. You find out that address when you surf from your network to a site like www.whatismyip.com. Chances are that your provider has assigned this IP address dynamically, so you have no guarantee that it will always remain the same. That is annoying if you regularly want to reach your network (and your OpenVPN server) from outside.
A dynamic DNS service (ddns) offers a possible way out. It links a fixed domain name to that IP address, and as soon as the address changes, the associated ddns tool (which runs locally somewhere in your network, such as on your router, NAS or PC) reports the new address to the ddns service, which immediately updates the link. One of the most flexible free ddns providers is Dynu.
Tip 05: Port forwarding
A message will appear telling you to check the port forwarding and firewall settings for the port you have set (by default 1194 UDP).
We'll start with the firewall. You are supposed to reach the OpenVPN server via UDP port 1194, so you have to be sure that your firewall is not blocking that port. You can find the firewall on your NAS via Control Panel / Security / Firewall tab. With the firewall enabled, check via the button Edit Rules that the port in question is not blocked. The same applies to the firewall on your router, if it is enabled.
Port forwarding is a more complex concept. If you want to reach your OpenVPN server from outside your internal network, you have to use the public IP address of your router. When a request for an OpenVPN connection to UDP port 1194 arrives at that IP address, your router must know to which machine it should forward the traffic for that port: in our case, the internal IP address of your NAS.
Consult your router's manual to find out how to set up port forwarding properly, or visit http://portforward.com/router for more instructions.
In general, it goes like this: log in to the web interface of your router, look for a (sub)section like Port forwarding and add an entry with the following information: application name, IP address of the NAS, internal port, external port and protocol. For example, that could be: OpenVPN, 192.168.0.200, 1194, 1194, UDP. Confirm your changes.
Your OpenVPN server may still require some firewall and router work
Separate OpenVPN server
If you do not have a NAS and your router also does not support OpenVPN, you can still set up such an OpenVPN server yourself on a computer with Linux or Windows.
Such a procedure is a bit cumbersome. You have to go through various steps, and under Windows too this happens mainly from the Command Prompt. After installing the OpenVPN server software (see tip 8) you need to create a CA certificate, followed by certificates for the server and the necessary OpenVPN clients. You also need so-called DH parameters (Diffie-Hellman) and a TLS key (Transport Layer Security). Finally, you also have to create and modify ovpn files here, and make sure that your server allows the necessary traffic.
Via this link you will find a step-by-step plan for Windows 10, for Ubuntu via this link.
Tip 06: Mobile client profile
Setting up an OpenVPN server is a first step, but after that you have to connect to the server from one or more VPN clients (such as your laptop, phone or tablet). Let's start by connecting a mobile client.
For both iOS and Android, setting up a connection is easiest with an OpenVPN client app, namely the free OpenVPN Connect. You can find this app in the official app stores of both Android and Apple.
Let's take Android as an example. Download and install the app. Before you start the app, make sure that the ovpn profile file is on your mobile device (see tip 4). If necessary, you can do this via a detour through a service such as WeTransfer or a cloud storage service such as Dropbox or Google Drive. Start OpenVPN Connect and choose OVPN Profile. Confirm with Allow, browse to the retrieved VPNConfig.ovpn file and select Import. If you want to add additional profiles afterwards, you can simply do so via the plus button.
Tip 07: Connect client
Give your VPN connection a suitable name and fill in the correct username and password. These login details must of course have access to your VPN server: on the Synology NAS, open the Privilege section in VPN Server and put a check under OpenVPN next to the intended user(s). Optionally, you can choose to have the password remembered, if you deem it safe enough. Confirm with Add. The profile has been added; tap it to start the connection.
The app may complain that the profile file doesn't contain a client certificate (it does contain a server certificate), since a Synology NAS doesn't generate one by default. That is admittedly slightly less secure, because the server does not verify whether it is an authorized client, but you do need the username and password to actually gain access. So you can select Continue here. If all is well, the connection will be set up after a moment. You notice this, among other things, by the key icon at the top of the start screen.
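Tip 4 has you edit the exported profile by hand, and tip 7 explains that the Synology profile carries a server (CA) certificate but no client certificate. The script below is added here as an illustration; it is not part of the original article, of Synology's export or of OpenVPN itself. It applies the two tip-4 edits to a profile and then audits the result: is the YOUR_SERVER_IP placeholder gone, is redirect-gateway active, is there a <ca> block so the server can be verified, and does the client authenticate with a certificate, with auth-user-pass (username and password), or neither. The embedded profile is a constructed approximation of an exported VPNConfig.ovpn with a dummy certificate body, and the host name myhome.dynu.example is a placeholder.

```python
import re

# Constructed sample of an exported profile before the tip-4 edits. Only directives the
# article discusses are included; the certificate body is a dummy, not a real certificate.
SAMPLE_PROFILE = """\
dev tun
tls-client

remote YOUR_SERVER_IP 1194

# Uncomment the next line to send all traffic through the tunnel (tip 4).
#redirect-gateway def1

pull
proto udp
cipher AES-256-CBC

# Client authenticates with a DSM username and password (tip 7).
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
DUMMY-CA-CERTIFICATE-BODY
-----END CERTIFICATE-----
</ca>
"""


def apply_tip4_edits(profile, host, port):
    """Fill in the remote line and enable redirect-gateway, as tip 4 does by hand."""
    out = []
    for line in profile.splitlines():
        if line.startswith("remote "):
            line = f"remote {host} {port}"
        elif line.strip() == "#redirect-gateway def1":
            line = "redirect-gateway def1"
        out.append(line)
    return "\n".join(out) + "\n"


def parse_directives(profile):
    """Return (directives, blocks): active directives as (name, args) and the names of
    inline <tag>...</tag> blocks such as <ca>. Comment lines (# or ;) are skipped."""
    directives, blocks, current = [], set(), None
    for raw in profile.splitlines():
        line = raw.strip()
        if current:                      # inside an inline block: skip until it closes
            if line == f"</{current}>":
                current = None
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            current = m.group(1)
            blocks.add(current)
            continue
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives, blocks


def audit_profile(profile):
    """Summarise the security-relevant state of a client profile."""
    directives, blocks = parse_directives(profile)
    by_name = {}
    for name, args in directives:
        by_name.setdefault(name, []).append(args)

    report = {"problems": [], "notes": []}
    remote = by_name.get("remote", [[]])[0]
    report["remote"] = (remote[0], int(remote[1])) if len(remote) >= 2 else None
    if report["remote"] is None or report["remote"][0] == "YOUR_SERVER_IP":
        report["problems"].append("remote line missing or still has the YOUR_SERVER_IP placeholder")

    report["proto"] = by_name.get("proto", [["udp"]])[0][0]   # OpenVPN defaults to UDP
    report["redirect_gateway"] = "redirect-gateway" in by_name
    if not report["redirect_gateway"]:
        report["notes"].append("redirect-gateway off: only traffic for the home network uses the tunnel")

    report["has_ca"] = "ca" in blocks
    if not report["has_ca"]:
        report["problems"].append("no <ca> block: the client cannot verify the server's certificate")

    report["client_cert"] = {"cert", "key"} <= blocks
    report["user_pass"] = "auth-user-pass" in by_name
    if not report["client_cert"] and not report["user_pass"]:
        report["problems"].append("no client certificate and no auth-user-pass: no client authentication")
    elif not report["client_cert"]:
        report["notes"].append("no client certificate: access rests on the username and password alone")
    return report


if __name__ == "__main__":
    edited = apply_tip4_edits(SAMPLE_PROFILE, "myhome.dynu.example", 1194)
    for key, value in audit_profile(edited).items():
        print(f"{key}: {value}")
```

Run the audit on the profile you are about to copy to a phone or laptop: a non-empty `problems` list means the profile will not connect or will connect without verifying the server, while `notes` restates the trade-offs the article describes (no client certificate, split tunnelling) so you make them knowingly.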
Tip 08: Windows client
For Windows, download the Windows 10 installer of OpenVPN GUI; there is also a version for Windows 7 and 8(.1). Install the tool. If you also plan to install an OpenVPN server in Windows (see box 'Separate OpenVPN server'), check the box EasyRSA 2 Certificate Management Scripts during installation. Also allow a TAP driver to be installed if requested.
Afterwards you will find the icon OpenVPN GUI on your desktop. If not, start the program from the default installation folder C:\Program Files\OpenVPN\bin. The installer should make it unnecessary to run the tool as an administrator. If for some reason that didn't work, right-click on the program file and choose Run as administrator.
Point the program to your ovpn profile file (see tip 4). Right-click on the OpenVPN GUI icon in the Windows system tray and choose Import file, then select the VPNConfig.ovpn file. In this same menu, click Connect and enter the required login details. In the status window you can follow the setting up of the VPN connection, and at the bottom you can also read the assigned IP address.
If you run into problems, click Show log file in the menu. By default, the OpenVPN service starts together with Windows: you can arrange this via Settings, on the General tab. Also check that your firewall is not blocking the connection.