Hosting a Home VPN

If you’re like me, you have a number of resources on your home network that you would like to reach when you’re not home, but do not wish to expose to the internet. A VPN is one option: it gives you secure access to the whole network over an authenticated tunnel, with far more control than, for example, forwarding ports to individual services and pointing a DDNS name at your home IP. I have hosted my own VPN at home for some time in order to access some of my home infrastructure remotely, but honestly also just for the challenge of setting up and managing my own VPN service.

It is definitely fun, and a learning experience. It does, though, take the dedication to follow security guidance carefully, and a basic understanding of networking concepts. Here are my thoughts and experiences on hosting a VPN at home.

Choosing Software

I iterated through software a few times. There are several free options available before you even begin to consider the closed-source enterprise products. The good news is that many of the open-source options are highly capable and have set the standard for security and features in the VPN space.

There are three main options I considered:

OpenVPN

OpenVPN is a major open-source project that has been around a long time. It was my first choice, and I did implement this for a while. OpenVPN itself is just the server and client: there is no management layer, so client certificates are issued and revoked by hand (typically with easy-rsa) and everything is driven from a plain-text configuration file with a great many options. It is solid and secure, but I found it difficult to configure and understand.

Pritunl

Pritunl is a management layer built on top of OpenVPN: it runs OpenVPN server processes in the background, so it speaks the standard OpenVPN protocol and works with the normal OpenVPN clients. What Pritunl adds is the management tooling, the end-user experience, and ease of setup and configuration. Pritunl is SIGNIFICANTLY easier to understand, and far simpler to configure and get running, so you get the security of OpenVPN with a much simpler installation. This was my ultimate choice, and is what I have implemented currently.

SoftEther VPN

SoftEther VPN is the leader in features. Like the other two, it is free to install on your own system. SoftEther supports a TON of protocols: its own SSL-VPN, L2TP/IPsec, OpenVPN, Microsoft’s SSTP, and L2TPv3/EtherIP for Cisco-compatible site-to-site links. It also has endless configuration options. That being said, every extra protocol and option is attack surface you have to understand and keep patched, and for me personally I found it best to go with something simpler that I can more easily understand.

Installation

I ultimately decided to install Pritunl. I had run OpenVPN for some time, but had trouble with its stability (keep in mind that is almost certainly due to bad configuration on my part). It was just too arcane for me to really feel comfortable with it. My experience with Pritunl was much better, and the nice thing is it allows me to connect via the OpenVPN Android app so it is a similar process when connecting via mobile.

Choose Hardware (Or Cloud)

When setting up your own VPN, it can be done either on a virtual server (like an AWS instance) or on your own hardware at home. Which one you choose depends on what you want it to do. Are you trying to reach your home network? Then the server has to sit on your home network. If you are only looking for extra connection security on untrusted Wi-Fi, or to hide your traffic from the local network, you can just as easily configure the VPN on a cheap cloud server. For my purposes, I have a home server already built that runs a number of things for me.

My home server – an inexpensive Ryzen 5 2600X build

My home server runs Windows, which is not an option if you’re going for Pritunl, since the Pritunl server only runs on Linux. So, I set up a Hyper-V VM on this machine (just 4 GB of RAM) and installed the latest release of Ubuntu Server. The VM runs nicely and really uses very little in the way of system resources.

Software Setup

Installing Pritunl, I found, was pretty straightforward, and configuration was equally simple, so I will just share the things I had some trouble with. This was all done with Pritunl running on a Hyper-V VM with Ubuntu Server 20.04 (Focal Fossa).

You can find the Pritunl installation and configuration guide here: https://docs.pritunl.com/docs/installation

Now, a few notes on installation:

  • SELinux Support – Pritunl’s guide recommends it, but SELinux is the default on the RHEL/CentOS family, whereas Ubuntu ships AppArmor instead, so I chose not to deal with it.
  • Automatic Updates – there is a section in the guide on automatic updates. If you’re using Ubuntu, I would recommend skipping this section and instead setting up automatic updates via the unattended-upgrades package (Ubuntu’s own documentation covers the setup). This lets you choose which packages and repositories are updated unattended, so security updates can stay automatic while you hold back, say, Pritunl or MongoDB until you have read the release notes.
  • Ubuntu Install Commands
    • The final section of the installation page is the list of commands for installing Pritunl.
    • Note that at the time of writing MongoDB did not yet have a fully supported repository for Ubuntu Focal Fossa, so you’ll need to follow MongoDB’s own directions to install it separately.
    • When retrieving keys from the keyserver with sudo apt-key adv, you may run into an error: keyserver receive failed: Server indicated a failure
      • Change the keyserver address to use port 80, i.e. hkp://keyserver.ubuntu.com:80, and the download should succeed. (On newer Ubuntu releases apt-key itself is deprecated in favour of a keyring file referenced with signed-by=, so check the current Pritunl guide for the exact commands.)
    • It is important, then, to modify the commands in the list: you no longer want to install MongoDB along with Pritunl, so leave the MongoDB package (mongodb-org) out of the sudo apt-get install line.
      • Otherwise you might end up with two MongoDB installations, which gets confusing.

Configuration

Configuration of Pritunl, I found, was MUCH simpler than OpenVPN. For one, it includes a web server that serves a browser-based management console, so pretty much all configuration and management can be done from the browser. I followed Pritunl’s configuration instructions pretty much directly, so no extra notes here, other than one caution: the management console is meant to be used from your LAN, so do not forward its port to the internet; only the VPN server port needs to be reachable from outside.

However, it is important to remember that there is some extra networking work you will likely have to do, such as forwarding the port and protocol the Pritunl server listens on (shown in the server settings in the console) from your router to the machine running the service. These steps will be specific to your router and/or gateway.

You should also consider, if setting this up on your home network, whether the IP address your ISP gives you changes at all (and how often). If it does, use a DDNS service to point a hostname at your router; many routers can push whatever WAN IP they are assigned to a DDNS provider automatically. This lets you reference your home network by a DNS name even when your IP changes, and it is that name, rather than the raw IP, that the client profiles should point at.

Connecting First Time

The beauty of Pritunl is that it makes setting up new users a breeze. With plain OpenVPN you have to generate and manage the client certificates yourself and assemble the file that contains all the connection info by hand. Pritunl creates the client configuration files automatically from the information entered at setup. So simply create a new user, then click to download the profile:

A zipped folder with an OVPN file will be downloaded. This file contains everything needed to connect, including the user’s certificate and private key, so treat it as a credential rather than just a config file: copy it to your phone or other device over a channel you trust, delete any spare copies, and if the device is ever lost, disable or delete that user in Pritunl so the profile stops working. You should then be able to import the file into the OpenVPN app (downloaded from the app store) and connect for the first time!

If you have trouble connecting, it is likely that a firewall rule on either your router or the VM is blocking traffic on the needed port (the Pritunl UI shows which port and protocol each server uses). Bear in mind that a server using tls-auth or tls-crypt silently drops any packet that lacks the right HMAC, so a port scanner will report the forwarded port as closed or filtered even when the forwarding is correct; test with the real client and read the server output in the Pritunl console instead.
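The two pre-flight checks a practitioner wants before leaving home with a fresh profile, the DDNS check from the Configuration section and a look inside the downloaded OVPN file from Connecting First Time, as an added example that is not code from the original post or from Pritunl. It parses an OpenVPN client profile in the inline <cert>/<key>/<tls-auth> format, confirms the hardening directives you expect to see, and resolves the remote host so a stale DDNS record is caught before you are on the road. The sample profile, the hostname home.example.net, the port 13509 and the WAN address 203.0.113.7 are constructed placeholders, and the resolver is injectable so the script runs offline.

```python
# Added example (not from the original post or from Pritunl): audit an OpenVPN
# client profile in the inline <cert>/<key>/<tls-auth> format before trusting it.
import re
import socket

# Constructed sample shaped like an exported profile; the hostname, port and
# key material are placeholders, not real Pritunl output.
SAMPLE_PROFILE = """\
client
remote home.example.net 13509 udp
remote-cert-tls server
key-direction 1
<cert>
-----BEGIN CERTIFICATE-----
MIIBplaceholder
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEplaceholder
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# The same profile with the control-channel HMAC and server-cert check stripped.
WEAK_PROFILE = re.sub(r"<tls-auth>.*?</tls-auth>\n", "", SAMPLE_PROFILE, flags=re.S)
WEAK_PROFILE = WEAK_PROFILE.replace("remote-cert-tls server\n", "").replace("key-direction 1\n", "")


def parse_profile(text):
    """Return (directives, inline_blocks): [(name, args), ...] and {tag: body}."""
    directives, blocks, current, body = [], {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # OpenVPN comment syntax
            continue
        tag = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if tag and tag.group(1):                 # closing tag: store the body
            blocks[tag.group(2)] = "\n".join(body)
            current = None
        elif tag:                                # opening tag: start collecting
            current, body = tag.group(2), []
        elif current is not None:
            body.append(line)
        else:
            name, *args = line.split()
            directives.append((name, args))
    return directives, blocks


def audit_profile(text, resolve=socket.gethostbyname):
    """Findings to check before importing; `resolve` is injectable so this runs offline."""
    directives, blocks = parse_profile(text)
    names = {name for name, _ in directives}
    findings = {
        # tls-auth/tls-crypt HMAC the control channel; without it the server talks TLS to anyone.
        "tls_hmac": any(k in names or k in blocks for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")),
        # remote-cert-tls server rejects a peer that presents a client cert as the server.
        "server_cert_check": "remote-cert-tls" in names or "verify-x509-name" in names,
        # An inline key makes the file a credential, not just configuration.
        "embeds_private_key": "PRIVATE KEY" in blocks.get("key", ""),
        "remotes": [],
    }
    for name, args in directives:
        if name == "remote" and args:
            try:
                ip = resolve(args[0])
            except OSError:                      # NXDOMAIN, no network, ...
                ip = None
            port = args[1] if len(args) > 1 else "1194"   # OpenVPN's default port
            findings["remotes"].append({"host": args[0], "port": port, "resolved": ip})
    return findings


def problems(findings, wan_ip):
    """Things to fix before leaving home; an empty list means the profile is good to go."""
    out = []
    if not findings["tls_hmac"]:
        out.append("no tls-auth/tls-crypt: control channel is unauthenticated")
    if not findings["server_cert_check"]:
        out.append("no remote-cert-tls/verify-x509-name: server identity not pinned")
    # Every remote must resolve to the router's current WAN address, or DDNS is stale.
    if not findings["remotes"] or any(r["resolved"] != wan_ip for r in findings["remotes"]):
        out.append("remote does not resolve to the current WAN IP (stale DDNS record?)")
    return out


if __name__ == "__main__":
    # Offline demo: a dict stands in for DNS. For a real check, drop `resolve=` and
    # pass the WAN IP your router reports.
    fake_dns = {"home.example.net": "203.0.113.7"}.get
    for label, profile in (("exported", SAMPLE_PROFILE), ("weakened", WEAK_PROFILE)):
        print(label, problems(audit_profile(profile, resolve=fake_dns), "203.0.113.7") or "ok")
```

To use it on a real export, read the unzipped OVPN file into audit_profile with the default resolver and pass the WAN address your router’s status page shows; the DNS comparison is what catches a DDNS record that has not caught up with a new ISP address. The embeds_private_key finding is there as a reminder that the file is a credential, which is why it should travel to the phone over a trusted channel and not by email.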

If all is successful, you should be able to access your home resources remotely! I mainly use it for remote desktop so that I can access my home server and my desktop for various purposes, and so that I can access my file share. So far, it has worked seamlessly.
