This tutorial should help you build a VPN server using a DigitalOcean Droplet. The same steps should apply to instances on AWS and Azure. If you build the server on AWS or Azure, you will also need to set up the security group and firewall settings to allow the ports that are exposed through ufw. I will highlight such information within the steps as needed.
Required Skills
- Basic knowledge of networking
- Familiarity with Linux terminal and commands
Cost & Benefits
This will cost you about $5/month. The differences between this tutorial and buying a VPN from a service provider are:
- You can create an unlimited number of accounts for friends and family
- If you're a business, you can create accounts for the whole company
- In cases where VPN providers are blocked by IP range, your Droplet is not within that range
- In cases where specific protocols are blocked, you can use SSTP or IP-over-DNS
- Creating the Droplet
- Performing Initial Server Setup
- Server Hardening
- SoftEther Server Installation
- IPsec/L2TP Setup (SoftEther Server Administration GUI)
- Certificate Setup
- SSTP Setup
- Windows 10 Client Configuration
- iOS Client Configuration
- MacOS Client Configuration
- Android Client Configuration
- Ubuntu 19 Client Configuration
Creating the Droplet
- Log in to DigitalOcean. If you don't have an account, sign up and do the initial setup
- Create a new Droplet
- In the page that follows, ensure that you select
- Distribution: Ubuntu 18.xx (LTS)
- Plan: Standard, $5/month (you may need a bigger Droplet if you are a business)
- Block Storage: Do not add any
- Data Center: You may want to pick Frankfurt or New York. I'll explain when to pick which one of them below
- Additional Options: We don't need any
- Authentication: One-time Password (it is emailed to you and you must change it at first login; SSH keys are the more secure option if you are comfortable with them)
- Finalize & Create: 1 Droplet, pick the name that you like
- Other options can stay default
- Click Create
- You will receive an email with the password and the IP of the new Droplet
For the Middle East: This depends on why you need the VPN. If you are interested in speed only, pick Frankfurt. The VPN server will make your geolocation appear to websites and services as if it was the location of the VPN server. If you wish to appear as if you are in the United States, then pick New York.
Performing Initial Server Setup
In this step, we will do the following:
- Update Ubuntu
- Create a new user instead of the root user
- Install Friendly Editor (optional)
- Disable root access
- Add swap file
- Optimize server performance (slightly)
For the next steps, you will need a Terminal window. If you are on Windows, the easiest way to get this is to use the "Git Bash" terminal which comes with the standard Git for Windows. Linux & Mac users can use the built-in Terminal.
In the email that I received, the IP address for my new Droplet is 161.35.1.111. In my terminal, issue the commands:
ssh root@161.35.1.111
# You will be asked to enter the password from the email
# and to create a new password.
apt update && apt -y dist-upgrade
# When prompted to pick configuration, pick the choice to leave maintainer defaults
reboot
The server will now reboot. In a few seconds, we will connect to it again in order to continue the setup.
ssh root@161.35.1.111
adduser softether
usermod -aG sudo softether
We've just created a new user called softether. Let's test that we can use it instead of root.
OPEN A NEW TERMINAL and then
ssh softether@161.35.1.111
sudo apt update
# If this command works, then our new user works fine! If it doesn't, review the steps above.
# We can now disable the root user.
Install Friendly Editor (optional)
The following step is for users with little Linux experience. If you know how to use vim or nano, you may skip this step and use either of them whenever we need to edit a file. I will be using mcedit within this document for those who are unfamiliar with vi and nano.
sudo apt install mc
Disable root access
Open a Terminal and ssh as root. DO NOT CLOSE THIS TERMINAL UNTIL THIS STEP IS 100% DONE! If the new configuration locks you out, this root session is the only way back in.
ssh root@161.35.1.111
In a second Terminal, ssh as the new user and edit the SSH daemon configuration:
ssh softether@161.35.1.111
sudo mcedit /etc/ssh/sshd_config
- Press F7 and search for PermitRootLogin yes
- Change it to PermitRootLogin no
- Press F2 to save
- Press F10 to quit
If you made mistakes or typos, press ESC, do not save, and try again.
sudo service sshd restart
# Leave this window open
In a new Terminal, let's check whether our configuration worked:
ssh root@161.35.1.111
# This should FAIL
ssh softether@161.35.1.111
# This should SUCCEED
Only close the root Terminal once the softether login has succeeded.
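The edit above is done by hand in mcedit. If you provision more than one server, or simply want the change applied without a visual editor, the following shell helper does the same thing idempotently and, when run as root, validates the result with `sshd -t` before you restart the daemon. This is an added example and not part of the tutorial: the function names, the sample sshd_config it rewrites (constructed to mirror the relevant lines of a DigitalOcean image, which ships with PermitRootLogin yes) and the use of awk/coreutils as found on Ubuntu are my assumptions. It also shows PasswordAuthentication no, left commented out: only enable that once an SSH key for the softether user is installed, otherwise you lock yourself out.

```shell
#!/bin/sh
# Added example (not part of the tutorial): set sshd_config directives
# idempotently and validate the result with `sshd -t` before the daemon is
# restarted. Assumes Ubuntu's awk (mawk) and coreutils. FILE is a parameter so
# the helper can be tried on a copy first; the sample file in the demonstration
# is constructed to mirror the relevant lines of a DigitalOcean image.

# set_sshd_directive FILE KEY VALUE
# Writes "KEY VALUE" in place of the first line that mentions KEY, whether it
# is active ("PermitRootLogin yes") or commented out ("#PermitRootLogin
# prohibit-password"), drops any later lines for KEY, and appends the line if
# KEY never occurs. sshd honours the first occurrence of a directive, so a
# forgotten duplicate further down would otherwise win. Running the function
# twice changes nothing. Not aware of Match blocks: keep it to global settings.
set_sshd_directive() {
    _file=$1; _key=$2; _value=$3
    _tmp=$(mktemp) || return 1
    awk -v k="$_key" -v v="$_value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)     # strip indentation and a leading "#"
            split(line, f, /[ \t]+/)
            if (f[1] == k) {
                if (!done) { print k " " v; done = 1 }
                next                              # drop duplicates of KEY
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$_file" > "$_tmp" && cat "$_tmp" > "$_file"   # cat keeps owner/mode of the original
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# active_value FILE KEY -> prints the value sshd would use (first uncommented line)
active_value() {
    awk -v k="$2" '$1 == k && !found { print $2; found = 1 }' "$1"
}

# count_directive FILE KEY -> number of active KEY lines; should be exactly 1
count_directive() {
    awk -v k="$2" '$1 == k { n++ } END { print n + 0 }' "$1"
}

# validate_sshd_config FILE -> exit status of `sshd -t -f FILE`. sshd -t also
# loads the host keys, so it needs root; outside that case it only prints a note.
validate_sshd_config() {
    if [ "$(id -u)" -eq 0 ] && command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "note: run as root with sshd installed to validate $1" >&2
    fi
}

# Demonstration on a constructed sample
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
EOF
set_sshd_directive "$sample" PermitRootLogin no
set_sshd_directive "$sample" MaxAuthTries 3
# Only once an SSH key for the softether user is installed; otherwise you lock yourself out:
# set_sshd_directive "$sample" PasswordAuthentication no
echo "PermitRootLogin -> $(active_value "$sample" PermitRootLogin) ($(count_directive "$sample" PermitRootLogin) active line)"
cat "$sample"
validate_sshd_config "$sample"
rm -f "$sample"
```

On the server you would call `set_sshd_directive /etc/ssh/sshd_config PermitRootLogin no` with sudo, run `validate_sshd_config /etc/ssh/sshd_config`, and only then restart sshd; a config the daemon refuses to parse would otherwise leave you without an SSH service at all.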
Add swap file
In this step, we'll create a swap file, enable it, and add it to /etc/fstab so that it's enabled by default on subsequent reboots.
sudo fallocate -l 1G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
Tell Linux to use swap as little as possible (and to be less aggressive about dropping directory and inode caches):
sudo sysctl vm.swappiness=10
sudo sysctl vm.vfs_cache_pressure=50
Let's make sure this is done automatically when the system reboots, too.
sudo mcedit /etc/sysctl.conf
- Scroll to the bottom and add the lines
vm.swappiness = 10
vm.vfs_cache_pressure = 50
- Press F2 to save
- Press F10 to quit
Server Hardening
I will not go into details about Ubuntu server hardening as there are many guides on the internet. We will just perform the minimal hardening, which should be sufficient in most cases.
Install fail2ban, which bans IP addresses that repeatedly fail SSH authentication (the sshd jail is enabled by default on Ubuntu):
sudo apt -y install fail2ban
Ensure that the firewall only allows the ports that we need. Each rule and what it is for:
sudo ufw allow OpenSSH      # SSH (port 22/tcp)
sudo ufw allow 443          # SoftEther listener; also carries SSTP and the Server Manager connection
sudo ufw allow 992          # SoftEther listener (alternative port)
sudo ufw allow 1194         # SoftEther listener (OpenVPN port)
sudo ufw allow 5555         # SoftEther listener (alternative port; vpncmd uses it on localhost)
sudo ufw allow 500/udp      # IKE, for L2TP/IPsec
sudo ufw allow 4500/udp     # IPsec NAT traversal, for L2TP/IPsec
sudo ufw allow 1701/udp     # raw L2TP without IPsec; only needed if you enable that function (this tutorial leaves it off)
sudo ufw allow 1723/tcp     # PPTP; only needed if you enable PPTP (this tutorial leaves it off)
Note that a rule without /tcp or /udp (such as 443) opens the port for both protocols.
NOTE: If you're using AWS or Azure, the same ports must also be opened in the instance's security group (AWS) or network security group (Azure).
* OpenSSH is the ufw application profile for port 22/tcp
Enable the firewall
sudo ufw enable
Test it
sudo ufw status
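Reading `ufw status` by eye works for nine rules, but rules tend to accumulate. The helper below, an added example rather than part of the tutorial, compares the ALLOW rules that `ufw status` prints against the set this VPN actually needs and lists everything else. The expected set is my assumption: SSH, the four SoftEther listeners and the two IPsec UDP ports; 1701/udp and 1723/tcp are left out on purpose because the wizard leaves raw L2TP and PPTP disabled. The status text inside sample_ufw_status is constructed for the demonstration (the rules added above plus one stray 8080 rule); on the server you would pipe the real output in with `sudo ufw status | audit_ufw_rules "$EXPECTED_RULES"`.

```shell
#!/bin/sh
# Added example (not part of the tutorial): audit the rules `ufw status`
# reports against the set this VPN actually needs and print anything else.
# On the server:  sudo ufw status | audit_ufw_rules "$EXPECTED_RULES"
# The status text in sample_ufw_status is constructed for the demonstration.

# What this setup needs: SSH, the four SoftEther listeners (443 also carries
# SSTP and the Server Manager connection) and IKE/NAT-T for L2TP/IPsec.
# 1701/udp (raw L2TP) and 1723/tcp (PPTP) serve functions the wizard leaves
# disabled, so they are deliberately not in the list (assumption of this example).
EXPECTED_RULES="OpenSSH 443 992 1194 5555 500/udp 4500/udp"

# audit_ufw_rules "EXPECTED" < ufw-status-text
# Prints "<to> <action> <from>" for every ALLOW/LIMIT rule whose "To" column is
# not in EXPECTED. The "(v6)" twin of each rule is folded onto the IPv4 line.
# Matching is exact: "443" and "443/tcp" are different rules to ufw and to us.
audit_ufw_rules() {
    awk -v expected="$1" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        /^--/           { body = 1; next }   # the "--  ------  ----" header line
        !body || NF < 3 { next }
        {
            to = $1; act = $2; from = $3
            if ($2 == "(v6)") { act = $3; from = $4 }   # e.g. "443 (v6)  ALLOW  Anywhere (v6)"
            if (act != "ALLOW" && act != "LIMIT") next  # DENY/REJECT rules expose nothing
            if (to in ok || seen[to]++) next
            print to, act, from
        }'
}

# Constructed sample of what `ufw status` prints on this server
sample_ufw_status() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
443                        ALLOW       Anywhere
992                        ALLOW       Anywhere
1194                       ALLOW       Anywhere
5555                       ALLOW       Anywhere
500/udp                    ALLOW       Anywhere
1701/udp                   ALLOW       Anywhere
4500/udp                   ALLOW       Anywhere
1723/tcp                   ALLOW       Anywhere
8080                       ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
1723/tcp (v6)              ALLOW       Anywhere (v6)
8080 (v6)                  ALLOW       Anywhere (v6)
EOF
}

# Demonstration: each printed line is a rule to review, e.g.
#   sudo ufw delete allow 1723/tcp
sample_ufw_status | audit_ufw_rules "$EXPECTED_RULES"
```

The demonstration prints 1701/udp, 1723/tcp and 8080. Whether 1701/udp and 1723/tcp belong on your server depends on the checkboxes you choose in the IPsec/L2TP screen of the wizard: if you keep only L2TP over IPsec enabled, as this tutorial does, both can be removed with `sudo ufw delete allow <rule>`.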
SoftEther Server Installation
Let's start by installing the SoftEther server and basic commands
sudo apt-add-repository -y ppa:paskal-07/softethervpn
sudo apt update
sudo apt -y install softether-vpnserver
And start the SoftEther VPN server
sudo service softether-vpnserver start
IPsec/L2TP Setup (SoftEther Server Administration GUI)
Now go to http://www.softether-download.com/en.aspx?product=softether and download "SoftEther VPN Server Manager for Windows" without installers. If you're on a Mac, you may download the Mac version. Linux users should download the Windows version and run it with wine. This is what my download screen looks like after selecting the appropriate options.
- Extract the zip file
- Run
vpnsmgr.exe
- Click "New Setting"
- Enter a name for your "Setting Name" field
- Add the IP Address of your Droplet in the "Host Name" field
- Click OK
You should now return to the main screen. Click "Connect". You will be prompted to create a password for managing the VPN server. Choose a strong one: this password is all that protects the management interface, which is reachable from the internet on the listener ports you opened in the firewall. Once this is done, the GUI will automatically start a configuration wizard.
5.1 Once the wizard starts, select the option for "Remote Access VPN Server"
5.2 The wizard will ask you to initialize a HUB; press OK and enter the hub name
5.3 The wizard will show the Dynamic DNS function. You may enter an easy-to-remember name for your server if you wish. You can do this later, too. Click "Exit" when you're done
5.4 The IPsec/L2TP/EtherIP/... screen will appear.
- Check "Enable L2TP Server Function (L2TP over IPsec)".
- Ensure that all other check boxes are unchecked
- Note the IPsec pre-shared key at the bottom. You can change it now or later if you wish. Every client receives this same key, so it only authenticates the IPsec layer; it is the per-user password from step 5.6 that actually identifies a user
5.5 VPN Azure Service: Click "Disable VPN Azure" and then click "OK"
5.6 Create a user:
- Click "Create Users"
- In "User Name": enter the username for the connection
- In "Password": enter the password for this user
- Click OK
- In "Set Local Bridge", ensure that "eth0" is selected and press OK
- You may receive a warning regarding promiscuous mode. You can safely ignore this warning.
- Click "Create Users"
5.7 All done
5.8 Click "Manage Virtual Hub"
5.9 Click "Virtual NAT and Virtual DHCP Server (SecureNAT)". In this screen, click "Enable SecureNAT"
5.10 You're all set
At this point, you should test the IPSec/L2TP connection by configuring a client. Try any of the following clients:
- Windows 10 Client Configuration
- iOS Client Configuration
- MacOS Client Configuration
- Android Client Configuration
- Ubuntu 19 Client Configuration
Once you've verified that the IPSec/L2TP connection works, proceed to the configuration of the "Let's Encrypt" certificate in Certificate Setup.
Certificate Setup
The hostname that I was assigned is vpn225930509.softether.net. You can check yours from the GUI by clicking "Dynamic DNS Setting" in the Virtual HUB Manager (step 5.7).
We will also need a valid email address. Let's use these values in the commands below.
sudo apt -y install certbot
sudo ufw allow http
# Then run the command
# sudo certbot certonly --standalone -n -d (your host name) --agree-tos --email "(your email address)"
# In this example, I ran the following command
sudo certbot certonly --standalone -n -d vpn225930509.softether.net --agree-tos --email "(my email address)"
NOTE: If you're using AWS or Azure, you'll need to open port 80 in the security group as well; certbot's standalone mode answers the ACME HTTP challenge on it.
The result is two files:
/etc/letsencrypt/live/vpn225930509.softether.net/fullchain.pem
/etc/letsencrypt/live/vpn225930509.softether.net/privkey.pem
NOTE: YOUR PATH WILL BE DIFFERENT. IT WILL BE BASED ON YOUR HOSTNAME
The format is:
/etc/letsencrypt/live/< HOST NAME >/fullchain.pem
/etc/letsencrypt/live/< HOST NAME >/privkey.pem
Let's load those two files into SoftEther. vpncmd reads the files itself, and the private key under /etc/letsencrypt is readable only by root, so run it with sudo; it will prompt for the server administrator password:
sudo vpncmd localhost:5555 /server /CMD ServerCertSet /LOADCERT:/etc/letsencrypt/live/vpn225930509.softether.net/fullchain.pem /LOADKEY:/etc/letsencrypt/live/vpn225930509.softether.net/privkey.pem
Let's Encrypt certificates are valid for 90 days, and certbot only renews a certificate once it is within 30 days of expiry, so a monthly job is enough to renew on time. Create the job. Note the file name: cron runs the files in /etc/cron.monthly through run-parts, which skips any file whose name contains a dot, so a script called renew_cert.sh would never run.
sudo mcedit /etc/cron.monthly/renew_cert
- Copy and paste the text into the file and replace the bracketed fields.
#!/bin/sh
certbot renew
vpncmd localhost:5555 /server /PASSWORD:[*** YOUR SERVER PASSWORD ***] /CMD ServerCertSet /LOADCERT:/etc/letsencrypt/live/[*** YOUR SERVER NAME ***]/fullchain.pem /LOADKEY:/etc/letsencrypt/live/[*** YOUR SERVER NAME ***]/privkey.pem
- Press F2 to save
- Press F10 to exit
The script contains the server administrator password, so make it executable by root only and unreadable to everyone else:
sudo chmod 700 /etc/cron.monthly/renew_cert
Let's test the renewal script. It has to run as root, since both certbot and the private key under /etc/letsencrypt are root-only:
sudo /etc/cron.monthly/renew_cert
The script should run and report that
- the certificate is not yet due for renewal, and
- the certificate (in this case, the one that already exists) has been loaded. If so, your server is ready to be used with SSTP, and the existing L2TP/IPsec listener is now also using the new "real" certificate.
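The monthly script above reloads the certificate whether or not anything was renewed, and keeps the administrator password inside a file under /etc/cron.monthly. A tidier arrangement, shown below as an added example that is not part of the tutorial, is a certbot deploy hook: certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ only after a successful renewal and hands it the new lineage directory in the RENEWED_LINEAGE environment variable. The assumptions are mine: the administrator password is stored in /etc/softether/admin.pass (root-owned, mode 600, the hook refuses anything more permissive), vpncmd is on root's PATH, and the PASS_FILE/VPNCMD variables exist only so the script can be dry-run; the lineage directory and password in the demonstration are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the tutorial): a certbot deploy hook that loads a
# renewed certificate into SoftEther only when certbot has actually renewed it.
# certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after
# a successful renewal and exports RENEWED_LINEAGE, the
# /etc/letsencrypt/live/<hostname> directory holding the new files.
# Assumptions that are not from the page: the administrator password is kept in
# /etc/softether/admin.pass (root-owned, mode 600) instead of inside the script,
# and vpncmd is on root's PATH. PASS_FILE and VPNCMD can be overridden, which the
# dry-run demonstration at the bottom uses.

PASS_FILE=${PASS_FILE:-/etc/softether/admin.pass}
VPNCMD=${VPNCMD:-vpncmd}

# cert_files_ok LINEAGE_DIR -> true when both files exist and are readable
cert_files_ok() {
    [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# read_admin_password -> prints the password; refuses a file other users can read
read_admin_password() {
    _mode=$(stat -c %a "$PASS_FILE" 2>/dev/null) || { echo "cannot read $PASS_FILE" >&2; return 1; }
    case "$_mode" in
        600|400) ;;
        *) echo "refusing $PASS_FILE: mode $_mode, expected 600" >&2; return 1 ;;
    esac
    head -n 1 "$PASS_FILE"
}

# deploy_cert LINEAGE_DIR -> runs ServerCertSet against the local server
deploy_cert() {
    _lineage=$1
    cert_files_ok "$_lineage" || { echo "missing fullchain.pem/privkey.pem in $_lineage" >&2; return 1; }
    _pw=$(read_admin_password) || return 1
    # The password is visible in the process list while vpncmd runs; acceptable
    # on a single-admin box, not on a shared host.
    "$VPNCMD" localhost:5555 /SERVER "/PASSWORD:$_pw" /CMD ServerCertSet \
        "/LOADCERT:$_lineage/fullchain.pem" "/LOADKEY:$_lineage/privkey.pem"
}

if [ -n "${RENEWED_LINEAGE:-}" ]; then
    # Invoked by certbot after a renewal
    deploy_cert "$RENEWED_LINEAGE"
else
    # Dry run on a constructed lineage: prints the vpncmd command instead of running it
    demo=$(mktemp -d)
    printf 'constructed placeholder, not a certificate\n' > "$demo/fullchain.pem"
    printf 'constructed placeholder, not a key\n' > "$demo/privkey.pem"
    printf 'example-admin-password\n' > "$demo/admin.pass"
    chmod 600 "$demo/admin.pass"
    PASS_FILE=$demo/admin.pass VPNCMD=echo
    deploy_cert "$demo"
    rm -rf "$demo"
fi
```

To use it, save the script somewhere, install it with `sudo install -m 700 <script> /etc/letsencrypt/renewal-hooks/deploy/softether`, and create the password file with `sudo install -m 600 /dev/null /etc/softether/admin.pass` before writing the password into it. The certbot package on Ubuntu already ships a systemd timer that runs `certbot renew` twice a day, so with the hook in place no cron job of your own is needed; the standalone challenge still requires port 80 to be open at renewal time.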
SSTP Setup
NOTE: In order for SSTP to work, you need the certificate set up as described in the previous step (Certificate Setup), and clients must connect to the server by hostname instead of IP address, because the SSTP client verifies that the certificate matches the name it connected to. While L2TP/IPsec works with the self-signed certificate that comes with the default installation, SSTP will not.
In the main screen of Server Manager, click "OpenVPN / MS-SSTP Setting". It should open the following screen.
Ensure that "Enable MS-SSTP VPN Clone Server Function" is checked and click OK. You can now use this from Windows 7 and above by changing the VPN type of the connection to SSTP (or Automatic).
Note: When you connect from Windows, you must use the hostname instead of the IP so that certificate validation doesn't fail. Note for Mac users: macOS has no built-in SSTP client, but there are several third-party SSTP clients available for download that you can use with this feature.
Windows 10 Client Configuration
- Open Network and Internet Settings
- Click VPN
- Click "Add a VPN Connection"
- Ensure that you select VPN type "L2TP/IPsec with pre-shared key" and enter the details for the connection
- Server name or address: IP address (or hostname) of the server
- Pre-shared key (from step 5.4)
- Username: the username that you created (from step 5.6)
- Password: the password that you created (from step 5.6)
- Click "Save"
- Click the connection and click "Connect"
iOS Client Configuration
- Open the Settings app, tap "VPN" and tap "Add VPN Configuration"
- Tap "Type" to change the VPN type
- Tap "L2TP" to select L2TP as the connection type
- Enter the connection details
- Description: name of the connection
- Server: IP address of the server (or hostname)
- Account: username (from step 5.6)
- RSA SecurID: off
- Password: password (from step 5.6)
- Secret: pre-shared key (from step 5.4)
MacOS Client Configuration
- Open the Network settings and click the "+" sign at the bottom.
- Interface: VPN
- VPN Type: L2TP over IPSec
- Service Name: type in the connection name
- In the connection settings:
- Server Address: put in the hostname or IP address
- Account Name: username (from step 5.6)
- Click "Authentication Settings"
- In the Authentication Settings screen
- Enter the password (from step 5.6)
- Shared Secret: pre-shared key (from step 5.4)
- Click Apply
- Click Connect
Android Client Configuration
- Open the Settings app, tap "VPN" and tap "Add VPN Profile"
- In the "Edit VPN Profile" screen
- Name: name of the connection
- Type: select L2TP/IPSec PSK
- Server address: IP or hostname of the VPN server
- L2TP Secret: leave empty
- IPSec Identifier: leave empty
- IPSec pre-shared key: pre-shared key (from step 5.4)
- Username: username (from step 5.6)
- Password: password (from step 5.6)
- Save and Connect
Ubuntu 19 Client Configuration
- Open a Terminal and install the L2TP/IPsec plugin for Network Manager
sudo apt install network-manager-l2tp network-manager-l2tp-gnome
- Open Settings
- Click "Network"
- In the VPN frame, click "+"
- Choose "Layer 2 Tunnelling Protocol (L2TP)"
- In the "Add VPN" dialog
- Name: connection name
- Gateway: IP or hostname of the VPN server
- Username: username (from step 5.6)
- Password: password (from step 5.6)
- Click "IPsec Settings"
- Check "Enable IPsec tunnel to L2TP host"
- Gateway ID: leave empty
- Pre-shared key: pre-shared key (from step 5.4)
- Phase 1 Algorithms: enter
aes256-sha1-ecp384,aes128-sha1-ecp256,3des-sha1-modp1024!
- Phase 2 Algorithms: enter
aes256-sha1,aes128-sha1,3des-sha1!
The trailing "!" tells strongSwan to accept only the listed proposals. The last entry in each list, 3DES with SHA-1 and a 1024-bit DH group, is the weakest and is only there for compatibility with servers that do not offer AES with an EC group; if the tunnel ends up using it, the IPsec layer is not giving you much margin by today's standards.
- Click "PPP Settings"
- Check "Use Point-to-Point encryption (MPPE)"
- Check "Allow stateful encryption"
- Click OK
- Save and Connect