Both hide your IP address and help you browse the internet more privately, but they work in different ways and serve different purposes. From simple security to web scraping for LLM training, both serve various purposes for businesses.

If you have ever wondered which one you should use, this article will help you understand how they work, their main differences, and where residential proxies fit into the picture.

What We’ll Cover

• What is a VPN?

• What is a Proxy?

• The Core Difference Between VPNs and Proxies

• Performance and Speed

• Use Cases for VPNs

• Use Cases for Proxies

• How to Combine VPNs and Residential Proxies

• Which One Should You Choose?

• The Future of Privacy Tools

• Conclusion

What is a VPN?

A Virtual Private Network, or VPN, is a service that creates a secure and encrypted tunnel between your device and the internet.

When you connect to a VPN, all your traffic passes through a remote server operated by the VPN provider. This hides your real IP address and encrypts everything you send or receive.

VPNs are often used by individuals who want to protect their privacy or access content that is restricted in their region.

For example, someone in India can use a VPN to connect to a U.S. server and access websites that are available only in the United States. Because the connection is encrypted, internet service providers and hackers cannot see which websites you visit or what data you exchange.

What is a Proxy?

A proxy acts as a middleman between your device and the internet.

When you connect to a proxy, your request is first sent to the proxy server, which then forwards it to the target website. The website sees the proxy’s IP address instead of your own.

Unlike VPNs, proxies usually do not encrypt your traffic. This means that while your IP address is hidden, the data itself can still be visible to others.

Proxies are often used for tasks like web scraping, managing multiple social media accounts, or accessing geo-restricted sites in a lightweight way.

There are different types of proxies, such as datacenter proxies, mobile proxies, and residential proxies. Among these, residential proxies are the most trusted because they use real IP addresses assigned by internet service providers.

The Core Difference Between VPNs and Proxies

The biggest difference between a VPN and a proxy lies in encryption.

VPNs encrypt all network traffic from your device, while most proxies do not. This means VPNs provide a higher level of security and privacy. Even if someone intercepts your data, they cannot read it.

Proxies, on the other hand, focus more on IP masking rather than full encryption. They are lighter, faster, and more flexible for specific use cases like automation, scraping, or content testing.

For example, a company that needs to collect product data from multiple e-commerce sites will use residential proxies rather than a VPN because proxies allow scalable, distributed access from different IP addresses.

Another key difference is the level of system-wide protection. A VPN encrypts all the traffic coming from your device, including background apps.

A proxy typically only routes traffic from specific browsers or applications. This makes VPNs better for personal privacy and proxies better for targeted tasks.

Performance and Speed

Since VPNs encrypt traffic, they can reduce speed due to the extra processing involved. Proxies, by contrast, are often faster because they skip encryption and route only specific requests.

However, not all proxies are equal. Datacenter proxies may be fast but easier to detect, while residential proxies are slower but far more reliable for tasks that require realism. Businesses often accept this small trade-off in speed for better accuracy and reduced blocking.

VPNs usually have fewer IPs and servers compared to proxy networks, which can limit their flexibility. Proxies can rotate thousands of IPs automatically, which helps avoid bans and distribute requests efficiently.

Use Cases for VPNs

VPNs are ideal for individuals who value security and privacy. They are useful for browsing safely on public Wi-Fi, accessing restricted websites, or hiding browsing habits from internet service providers.

Remote workers often use VPNs to securely access corporate networks. Journalists and activists rely on them to bypass censorship or protect communication in restrictive regions.

For everyday users, a VPN provides a simple and effective way to browse anonymously and encrypt all data traffic.

Use Cases for Proxies

Proxies shine in automation and business scenarios. They are essential for data gathering, web scraping, and digital marketing. By using residential proxies, companies can collect information from multiple websites without getting blocked.

For example, a brand can track how its ads appear to users in different countries. E-commerce businesses can compare competitor prices or monitor product listings in real time. Social media managers use proxies to handle multiple accounts without triggering platform restrictions.

Proxies also help in large-scale web scraping for LLM training. They allow businesses to gather public data anonymously and at scale without getting blocked or throttled by websites.

How to Combine VPNs and Residential Proxies

In some cases, professionals use both. For example, a researcher may connect to a VPN for encryption and then route specific scraping tasks through residential proxies for location diversity. This hybrid setup balances privacy and data collection efficiency.

Combining them also reduces the risk of IP bans. If a target site starts blocking one set of IPs, the user can switch networks seamlessly. This approach is popular in cybersecurity testing, ad verification, and large-scale monitoring.

Which One Should You Choose?

If your goal is privacy, use a VPN. It secures your entire connection and hides all your online activities. If your goal is automation, data collection, or region-specific testing, use proxies.

Residential proxies are especially effective when websites have strong anti-bot protection or region-based restrictions. They combine anonymity with authenticity, making your traffic look like that of a regular home user.

For individuals who need both security and flexibility, a mix of VPN and proxy can work best. You can encrypt your connection with a VPN and use residential proxies for specific tools or scripts that need rotation and scale.

The Future of Privacy Tools

As online tracking becomes more advanced, tools like VPNs and residential proxies are becoming essential for both individuals and businesses. Companies use them to access unbiased market data and protect digital assets, while individuals use them to browse safely and privately.

In the future, we may see hybrid solutions that blend the privacy of VPNs with the scalability of proxy networks. These systems could automatically switch between encryption and proxy routing based on the task at hand, providing a seamless balance between speed and security.

Conclusion

VPNs and proxies both protect your identity online, but they serve different purposes. VPNs focus on privacy and encryption, while proxies , especially residential proxies , focus on scalability and access.

Understanding how each works helps you choose the right tool for your needs. Whether you want to stay anonymous, collect data safely, or test websites from different countries, using the right combination of VPN and residential proxies can give you both privacy and power in the digital world.

Hope you enjoyed this article. Find me on Linkedin or visit my website.

This VPN will allow you to access your home network from anywhere as if you’re still at home. So why is this useful, you might ask? Well, it allows you to use your home network IP, no matter where you are, which is a good for privacy.

In this article, we’ll use Tailscale, an open-source mesh VPN (Virtual Private Network) service that streamlines connecting devices and services securely across different networks. It enables encrypted point-to-point connections using the open-source WireGuard protocol. This means that only devices on your private network can communicate with each other.

Table of Contents

• Prerequisites

• Install Raspberry Pi OS Lite (32-bit)

• Boot The Raspberry Pi

• SSH Into The Raspberry Pi and Login

• Install Tailscale on Raspberry Pi

• Key Expiry

• Configuring the Raspberry Pi as an Exit Node

• Conclusion

Prerequisites

• Raspberry Pi (I am working with a Raspberry Pi 5)

• Raspberry Pi Imager

• A Micro SD Card (8GB is enough)

• A Micro SD Card reader for your computer.

• Home Router

• A Tailscale account

Install Raspberry Pi OS Lite (32-bit)

We’ll start this process by installing the Raspberry Pi OS Lite (32-bit) on the micro SD card we have. We will be making use of the Raspberry Pi Imager software which is available for free here.

When you run the imager software, pick the Raspberry Pi Device, which for me is a Raspberry Pi 5.

Then in Operating System, click on Raspberry Pi OS (other), then scroll down to Raspberry Pi OS Lite (32-bit)

Next, select your SD card which you have inserted into the card reader, and the card reader into the computer. Your screen should look similar to what you see below. Click on next.

After next, you should see a pop-up asking if you would like to apply OS customisation settings.

Next, click on edit settings. Enable set hostname and write the name you want to give the Pi. For this tutorial, I will be using dapivpn. Then enable set username and password. Pick a username and a strong and secure password

You can enable configure wireless LAN if you plan to use Wifi, but if you are team Ethernet cable, you can skip this. I will be using WiFi in this tutorial though.

Now you’ll need to enable set local settings and pick your correct time zone and keyboard layout.

After that, go to the Services tab, then enable SSH and click on “Use password authentication”. Then click save, then yes on the apply customisation screen, and yes again. Remember this will erase all the data on the SD card, so make sure you’re using one without any important files on it.

This is how your Raspberry Pi Imager should look now:

Boot the Raspberry Pi

After this is done, take the SD card and insert it into your Raspberry Pi. Then plug the power cable into the Raspberry Pi and wait some minutes for it to boot properly. You will know it is ready when the green LED light stays on.

Now you should go to your router and set a static IP to the Raspberry Pi. For mine, I set it to 192.168.8.21.

SSH into the Raspberry Pi and Login

Open up your command line terminal. Type “ssh <pi username>@<raspberry_pi_ip_address>”. For me, this would be:

ssh danpi@192.168.8.21

Then type in the password you used. You should see your username and the Pi hostname and this confirms you have logged in successfully to it.

Type in:

sudo apt update && sudo apt upgrade -y

You run this command to make sure everything is up to date locally.

Now reboot your Pi after this by typing:

sudo reboot

Install Tailscale on Raspberry Pi

Now you’re going to add Tailscale’s package signing key and repository.

curl -fsSL https://pkgs.tailscale.com/stable/debian/bookworm.noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null 
curl -fsSL https://pkgs.tailscale.com/stable/debian/bookworm.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list

Install Tailscale using these commands:

sudo apt-get update
sudo apt-get install tailscale

Next, you need to connect your Pi to your Tailscale network and authenticate. You can do that with the following command:

sudo tailscale up

Your browser should look like this.

To locate the Tailscale IPv4 address for the Raspberry Pi, run this command:

tailscale ip -4

You can also see it on the Tailscale dashboard in your browser.

At this point, you’re done installing Tailsacle and you just need to do some finishing touches.

Key Expiry

There is something you need to know when it comes to adding a device to Tailsacle. By default, and as a security feature, Tailscale requires devices to re-authenticate after a certain period of time has elapsed, usually 180 days.

If the re-authentication does not occur, keys expire and the connection stops working. It’s up to you to choose what you prefer, as this is a security feature that comes with some inconvenience.

I will be disabling the key expiry on the Raspberry Pi, as I fully trust it. To do this, you need to:

• Open the Machines page of the Tailscale admin console.

• Find the Raspberry Pi on the row and select the option menu there.

• Click on the Disable Key Expiry option. You should see an Expiry Disable label below the machine name.

How to Configure the Raspberry Pi as an Exit Node

Another thing you’ll need to know about when it comes to Tailscale is what an exit node is. A Tailscale exit node is a designated device in your Tailscale network that routes all of your internet traffic through it. No matter where you are, once you have this device activated as an exit node, when you turn on Tailscale, it routes your internet traffic through the device.

Ideally, you want a device that is powered on 24/7 to serve as your exit node. That’s why we are picking the Raspberry Pi, as it is a low-powered computer.

We are already 90% of the way, as we have Tailscale running on our Pi. Remember to also have Tailscale installed on as many devices on your local network as possible. What’s left is to allow your Pi to act as an exit node, so all your internet traffic or LAN traffic routes through it, giving you access to:

• Local network devices at home

• Your home public IP

• Internal services like NAS, printers, cameras, and so on

To do this, SSH into your Raspberry Pi and follow these steps:

• Enable IP Forwarding. IP forwarding allows your Raspberry Pi to pass traffic between its network interfaces. Run the commands below line by line:

    echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
  
    echo "net.ipv6.conf.all.forwarding=1" | sudo tee -a /etc/sysctl.conf
  
    sudo sysctl -p /etc/sysctl.conf
  

• Advertise the Raspberry Pi as an exit node:

    sudo tailscale up --advertise-exit-node
  

• Open the Machines page of the Tailscale admin console.

• Find the Raspberry Pi on the row. You should see an Exit Node label on its name.

• Click on the options menu there and select Edit Route Settings.

• Check the box for Use as an exit node, then save.

Now you should see the option of routing the internet through an exit node when you open up your Tailscale app on mobile or PC or anywhere you have it installed. When you see that option, you will also see the Raspberry Pi as an exit node option. You can also add more devices as an exit node if you want more options.

Conclusion

Using the Tailscale app on other devices, you can now route traffic securely through the Raspberry Pi by selecting it as an exit node. Tailscale also provides clear, step-by-step guides tailored to each device type for setting up and using an exit node.

You can now be away from your home internet but still connect to the internet as if you were home. See you next time.

Well, you might have also heard that you should use a VPN to protect your online privacy. But do you have any idea what it is and how it works?

Don’t worry – in this article, we will go through everything that you need to know to about what and when to use a VPN and when to avoid using it. So, without any further delay, let’s get started.

What is a VPN?

VPN stands for Virtual Private Network. It is a type of network you can connect to which will help you protect your online security and privacy.

A VPN acts as a tunnel through which all your data goes from your location to your destination. It's all properly encrypted and secure so that any outside party can’t see what data you are transferring.

There are many advantages to using VPNs, such as:

• Privacy
• Anonymity
• Security
• Encryption
• Masking or changing your original IP address, so others can’t track you

We'll discuss these advantages and more further down in this article, but first you need to understand how a VPN works so you can use it properly.

How Does a VPN Work?

Image source

A VPN works by routing / forwarding all your data from your laptop or phone through your VPN to the internet, rather than directly through your ISP.

When you use a VPN, it encrypts all your data on the client side. Then after the data is encrypted, it's passed through a VPN tunnel which others can’t access, and then it reaches the internet.

But before going through the VPN tunnel, the request is first sent to your ISP, but as it's encrypted, ISP can’t figure out what you are trying to access. So it forwards your request to your VPN server. Then the VPN sends the request to your desired IP address or website.

Advantages of Using a VPN

Now let's discuss some of the advantages in more detail.

Unblock websites & bypass filters

There might be scenarios where you won’t be able to access certain websites which are blocked by your office or school or college department, but you still want or need to access them.

These websites may include social networking sites, movie downloading websites, or any kind of media streaming websites.

In these cases, a VPN will help you bypass all the blocking filters and let you access the websites that you wish to access without anyone’s help and others will have no idea what you're accessing.

Bypass regional restrictions

People in certain countries cannot access any websites outside their country like YouTube or Google because their government doesn't want them to use any other websites.

If you're in one of these places and still want to access these blocked websites, then a VPN can help by bypassing all the regional restrictions. You'll be able to access all the restricted or blocked content without letting the government know about your activity.

Access geo-blocked websites

There are several websites, special offers, and services which are available for specific countries or regions. But what if you also want to take advantage of that opportunity, but it’s not accessible in your region?

A VPN can help you by changing your IP address which will change your location on the internet. Then you will seem to be a user from that country and you can also have all the benefits that people in that particular region are enjoying.

Change your IP address

Your ISP is tracking your every move on the internet – which websites you are visiting, the amount of time you are spending there, and when you log in and log out from a website.

But sometimes you may need to hide your browsing history/activity from your local network/ISP. In that case, using a VPN can help you keep all your records encrypted, and your ISP will have no idea what you are doing with your internet. All your internet browsing activity will be masked by the VPN.

Online anonymity and privacy

Everything on the internet is tracking you. Website and web servers that you use or visit know your IP and location. That can be used to their advantage and every time you visit the same website, they will know that it’s you, and they will track your usage and your behavior. This isn't necessarily a good thing since you are giving them a lot of information without knowing what.

A VPN can help keep your identity anonymous so you don't need to worry about identity leakage or any kind of tracking activity.

Enhanced security

As discussed above, using VPN can keep your identity safe and also keeps your data encrypted while you browse the internet. As a result, it enhances security and the chances that someone might hack you will be lower.

So, using VPN will keep you safe when you are using any public Wi-Fi or browsing websites which are not secure.

Disadvantages of VPN

There are some downsides to using a VPN as well:

Slows your connections

VPNs tend to slow your internet connection. As the VPN servers might be located far away from you (might be in some other geographic location or country), your data will need to travel farther across the internet and will slow your connection speed.

VPNs log your activities

VPNs keep logs of your activities. You heard right. Regardless of what policies they have, even if they say that they don’t keep any logs, they do. Governments have taken action against VPNs, and the VPN companies tend to deliver all the activity logs of a user in cases of international crime, terrorist activity, or hacking.

So – it goes without saying – make sure you don’t use VPNs for any illegal activities. Use it instead to protect yourself and your identity from malicious hackers.

Specific blockades of VPN services

There are many websites and streaming services like Netflix which will not allow any unusual VPN users to access their content. So, there might be many cases where your VPN will help, but there are many websites and servers which won't allow you to access them using a VPN.

Cost

Although there are many free VPN services which you can use, if you are planning to use VPN on regular basis then you might need to purchase a paid version. Free VPNs don’t provide good speed and the amount of data usage is also limited on a daily basis. VPNs cost around $10 to $15 per month for the premium services.

How a VPN Can Help You Protect Your Online Identity

When you use the internet, the data you send or request through a web browser to any server (for example, when Google searching), along with your request, IP address (for example, your laptop or mobile) and destination IP address (like Google) first reaches your ISP.

The ISP monitors all your activity and then forwards your request to the destination IP address and also gets back the information in the same way.

All your information travels through a middle station, your ISP. They have all your history of using the internet and how you are using the internet. But when you are using a VPN, that's not the case.

Whenever you send any request to any website or server, instead of connecting directly to the server, it first reaches the VPN server. There, all your requests and information are encrypted and then sent forward to your desired website.

Your ISP is still there to monitor things. But if you're using VPN, it will automatically change the IP address of your destination to a different IP address and encrypt the destination IP address. This way, your ISP won’t be able to read it and will assume that all your requests were going to the IP address of the VPN. So it will forward all your requests to the VPN.

When your request or information reaches your VPN, it will be decrypted, and it will forward your request to the website you wish to access. The website or server will get the VPN request and will assume that the request is coming from that VPN server. It will allow the VPN to access the website and you'll be able to visit the website without letting your ISP know.

Similarly, when you download a file, all the traffic or information flows from a web server to the VPN. The VNP encrypts all the information and then forwards it to your ISP – which will still have no idea what’s going on, as the information is encrypted.

Finally, the info gets forwarded to your laptop or mobile. When it reaches your device, it will be decrypted, and you will be able to view the website as it's available to others.

Frequently Asked VPN Questions

Is VPN traffic encrypted?

YES! As explained above, all the traffic passed through VPN is encrypted through various encryption algorithms like the RSA (Rivest–Shamir–Adleman) algorithm, AES (Advanced Encryption Standard), and others.

What is an always-on VPN? What is a kill switch?

I will try to explain this concept in approachable terms. Always on VPN is a service which allows you to automatically connect to a VPN whenever you are connected to the internet. These kinds of services are used by companies which don’t want outside users to access their data and only want their employees to access their data from an outside, remote location.

Whenever an employee, company, or user who has access to the resources tries to access, then they need to enter valid credentials to automatically connect to the VPN. This also allows them to access all their work and resources present inside the company from an outside or remote location.

A VPN kill switch is another major feature offered by VPN service providers. Whenever there is a sudden or accidental loss of a VPN connection, in that case, your information might get exposed.

To deal with that, a VPN kill switch is used to terminate your internet connection when there is no VPN connection. This is a very useful feature for protecting your data from outside users.

So, when the kill switch is ON, internet connections will be terminated. But when the kill switch is OFF, then the internet will not be terminated when there is a loss of VPN connection.

Is a VPN necessary?

A VPN is not strictly necessary depending on your needs and activities, but it's useful.

Using VPN helps protect your online security, privacy, and anonymity. It will also protect you from malicious threats and trackers when you are using an unsecured website or using any unknown wi-fi connection which might be public.

Is a VPN 100% safe?

Nothing on the internet is 100% secure. There are and will always be ways to expose services like VPNs. But using a VPN will typically help you more than it'll harm you.

Is VPN legal in India?

Yes! VPNs are legal in India and can be used freely to access any content on the internet without any restrictions. Just remember that you should not use it for any illegal activity, as there are always ways to track you regardless of what VPN service you use.

Do VPNs log or store my data?

VPNs log all your data and store all information, and it might be able to share your data with government authorities. There have been many cases where VPNs say they have a no logs policy but still keep logs of users and shared them with authorities.

What is the main difference between a firewall and a VPN?

Conclusion

VPNs definitely have their advantages and disadvantages. Organizations use them to protect their private networks and information. You can also use one to access blocked content, and to protect your privacy, anonymity and security. Using a VPN for legal activities is beneficial and adds extra security.

When you are not sure about using or accessing any unknown (public/private) wi-fi or unsecured untrusted website, then you should always use a VPN (free/paid). Although paid VPNs have their advantages, occasionally using free VPNs won’t harm you and will still serve the purpose.

And just remember – don't ever try to use a VPN to perform any illegal activities.

Whether you need to use your phone for banking over a public airport or coffee shop WiFi connection, or you're worried about the wrong people listening in on your online interactions, the tunneled encryption a good VPN gives you can be invaluable.

The trick, however, is finding a VPN that really is "good" – and one that's both convenient and affordable.

There are plenty of commercial VPN services out there, and configuring one of those for your phone or laptop is usually simple enough.

But such services come with two potential down-sides: they're often expensive, with payments averaging around $10 monthly, and you can never be quite 100% sure that they aren't (accidentally or on purpose) leaking or misusing your data.

Also, cheaper VPNs often limit your data use and the number of devices you can connect.

If you like watching video versions of tutorials to supplement your learning, feel free to follow along here:

What WireGuard Delivers

But if you happen to have a cloud-based Linux server running anyway, building a WireGuard VPN can be a simple and free way to add some serious, compromise-free security and privacy to your life.

If you plan to limit the VPN to just devices owned by you and a few friends, you'll probably never even notice any extra resource load on your server. Even if you had to fire up and pay for a dedicated AWS EC2 t2.micro reserved instance, the annual costs should still come out significantly cheaper than most commercial VPNs. And, as a bonus, you'll get complete control over your data.

Right now I'm going to show you how all that would work using the open source WireGuard software on an Ubuntu Linux server.

Why WireGuard? Because it's really easy to use, is designed to be particularly attack resistant, and it's so good at what it does that it was recently incorporated into the Linux kernel itself.

The actual work to make this happen really will take only five minutes - or less. Having said that, planning things out, troubleshooting for unexpected problems and, if necessary, launching a new server might add significant time to the project.

How to Set Up Your Environment

First off, you'll need to open the UDP port 51820 in whatever firewall you're using. Here's how that would look for the security group associated with an AWS EC2 instance:

Now, on the Linux server, using a sudo shell, we'll begin by installing the WireGuard and resolvconf packages.

Technically, we probably won't need resolvconf here, but since that's what you'd need if you wanted to set up a Linux machine as a WireGuard client I thought I'd throw that in here, too.

apt install wireguard resolvconf

How to Generate Encryption Keys

The wg genkey command generates a new private encryption key and saves it as a file in the /etc/wireguard directory. This directory was automatically created when we installed WireGuard.

The chmod command sets the appropriate restrictive permissions for that private key file.

Like everything in Linux, there are other ways to get this done, but just make sure you do it right.

wg genkey | sudo tee /etc/wireguard/private.key
chmod go= /etc/wireguard/private.key

Next, we'll use the value of our private key to generate a matching public key – which will also be saved to the /etc/wireguard directory. The goal is to add the server's public key to the WireGuard configuration on all the client devices we'll be using, and then to add those clients' public keys to the server configuration here.

Private keys should never leave the machines for which they're created – and should always be carefully protected.

cat /etc/wireguard/private.key | wg pubkey | sudo tee

How to Configure the WireGuard Server

We're now ready to create a server configuration file. Following convention, I'll name the file wg0.conf, but you can give it any name you'd like. You can also have multiple configurations (with different filenames) existing at the same time.

Here's what our configuration will look like:

[Interface]
Address = 10.5.5.1/24
ListenPort = 51820
# Use your own private key, from /etc/wireguard/privatekey
PrivateKey = your_key

[Peer]
# Workstation public key
PublicKey = your_key
# VPN client's IP address in the VPN
AllowedIPs = 10.5.5.2/32

[Peer]
# laptop public key
PublicKey = your_key
# VPN client's IP address in the VPN
AllowedIPs = 10.5.5.3/32

Notice that this file has three sections: an Interface, and two peers. The Interface section defines the private NAT network address that our server will use. That's the private address the clients will connect to – after first requesting access through the server's public IP address, of course.

You don't have to follow my addressing, as long as you use a valid private IP range that doesn't overlap on any network blocks being used by either your server or client.

Matching the UDP security group rule I set up earlier in AWS, I'm defining the ListenPort as 51820. But I could choose a different address to add a tiny bit more security if I want.

Finally, I would paste the server's Private Key as the value of PrivateKey so WireGuard will be able to authenticate incoming client requests.

The first peer section contains nothing more than the public key and assigned private IP address of one client. The second peer section does the same for a second client machine.

Getting those public keys from the client is the most manual task involved in this whole setup. But, since this is your own VPN, you can usually find a way to copy and paste directly into your server configuration so you don't need to painfully type the whole thing in.

That should be everything. I'll use the wg-quick command to bring the VPN to life. up tells WireGuard to read the wg0.conf configuration we just made and use it to build a new VPN interface.

wg-quick up wg0

Running wg will show us that it worked. Finally, I'll run systemctl enable to tell Linux to load this WireGuard interface automatically each time the server reboots.

systemctl enable wg-quick@wg0

How to Configure WireGuard Clients

That's all we'll need from the server end of things. Getting your client device set up with WireGuard is either going to be much easier or more or less the same.

What does that mean? Well, if you're working with Windows, macOS, Android or iOS, then there are links to GUI apps available from this wireguard.com/install page. Those apps will generate key pairs for you. You'll only need to enter the server's IP address or domain and its public key. You'll then take the client's public key and add it to the server wg0.conf file the way I showed you earlier.

However, if it's a Linux PC or laptop client you want to add, then it's a bit more complicated. You'll basically follow all the steps you saw for the server configuration, including the key generation. You'll even create a configuration file named wg0-conf (if that's the name you like). But here's how that config file should look:

[Interface]
# The address your computer will use on the VPN
Address = 10.5.5.2/32
DNS = 8.8.8.8
# Load your privatekey from file
PostUp = wg set %i private-key /etc/wireguard/privatekey
# Also ping the vpn server to ensure the tunnel is initialized
PostUp = ping -c1 10.47.47.1
[Peer]
# VPN server's wireguard public key
PublicKey = your_key
# Public IP address of your VPN server (USE YOURS!)
Endpoint = 54.160.21.183:51820
# 10.0.0.0/24 is the VPN subnet
AllowedIPs = 10.47.47.0/24
# PersistentKeepalive = 25

The Interface section represents the client machine this time, while the Peer section down below refers to the server. Let's begin with Interface. The private IP address should match the address you give this particular client in the configuration on the server.

If you need your client to by-pass a local DNS server, you can specify a custom DNS server here. This one is the one provided by Google.

Instead of hard-coding your local private key into your configuration file the way we did on the server, you could tell WireGuard to read the privatekey file whenever it loads. This is probably a bit of a security best-practice – and we could just as easily have done it on the server, too. Finally, the configuration script will test our connection with the PostUp ping command.

The Peer – or server – configuration requires the server's public key, which is added here.

The Endpoint is where you tell WireGuard where to find the server. Nothing will work without this one! That would require the server's public IP – or it's domain name – followed by the port you've chosen. Again, 51820 is the WireGuard default.

Finally, the AllowedIPs setting defines the network address range you'll be using, and the optional PersistentKeepalive value can prevent dropped connections.

You launch WireGuard on the client exactly the same why you did on the server, using wg-quick up wg0. Again, though, all those steps will only be necessary for Linux clients. You can use the apps for other platforms.

Wrapping Up

So that's that. Just as I said, a working VPN in around five minute's work. You've now got one less excuse for protecting your online privacy and securing your communications.

For more technology goodness, please do subscribe to my YouTube channel and, when you've got a moment, check out the many Linux, security, data analytics, and AWS books and courses available through my bootstrap-it.com website.

In this article, I'm going to guide you, step-by-step, through the process of setting up a WireGuard VPN on a Linux server. It will let you access secure internet resources from insecure places like coffee shops.

But why a VPN? And why WireGuard?

Whenever you connect to, say, your bank's website from a remote location, you risk exposing password and other sensitive information to anyone listening on the network.

Hopefully, of course, the bank website itself will be encrypted, which means that the key data flowing between the bank and your PC or smartphone will be unreadable to anyone listening along the way.

And what about if you're connecting from your home or office? With a VPN, you can be reasonably sure that those data elements not obscured by regular encryption won't be seen by the wrong people.

But what if you're connecting through a public WiFi router at an airport or coffee shop? Are you sure the network hasn't been compromised or that there aren't hackers watching unnoticed?

To counter this very real threat, you can open a connection on your laptop or phone to a VPN server. This way all your data transfers take place through a virtual tunnel. Every part of your sensitive connections will be invisible to anyone on the local network you're connecting from.

WireGuard is the newest of the three big players in the open source VPN world, with the other two being IPsec and OpenVPN.

WireGuard is built to be simpler, faster, and more flexible than the others. It's the new kid on the block, but it's quickly picked up some important friends. At the urging of Linux creator Linus Torvalds himself, WireGuard was recently incorporated into the Linux kernel.

Where to build your VPN server?

Sure, you can always put together a VPN server at home and configure port forwarding through your ISP's router. But it'll often make more practical sense to run it in the cloud.

Don't worry. I assure you that this way will be a lot closer to a quick and painless "set it and forget it" configuration. And it's highly unlikely that whatever you build at home would be as reliable – or secure – as the infrastructure provided by the big cloud providers like AWS.

However, if you do happen to have a professionally secured internet server lying around the house (or you're willing to take a chance with a spare Raspberry Pi you've got lying around) then it'll work just about the same way.

Thanks to WireGuard, whether in the cloud or on a physical server, making your own home VPN has never been easier. The whole setup can be done in half an hour.

Getting ready

Get your cloud instance up and running, perhaps using a tutorial from here.

Make sure port 51820 is open to your server. This is done with Security groups on AWS and a VPC network firewall on Google Cloud.

With modern Debian/Ubuntu releases, Wireguard is available to be installed from the package managers like this:

sudo apt install wireguard

Or with yum, from the EPEL repository:

sudo yum install kmod-wireguard wireguard-tools

Step one: create the encryption keys

In any directory on the server where you want to create files containing the public and private keys, use this command:

umask 077; wg genkey | tee privatekey | wg pubkey > publickey

Do the same for the client in a different directory or on your local machine. Just make sure you will be able to distinguish between the different key sets later.

For quick setup you can use an online key generator. However I suggest doing it manually the first time. Make sure that files were created with key hashes in them as you will be using them in the next step.

Step two: create the server config

You need to make a .conf file in the /etc/wireguard directory. You can even have multiple VPNs running at the same time using different ports.

Paste the following code in to the new file:

sudo nano /etc/wireguard/wg0.conf

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
# use the server PrivateKey
PrivateKey = GPAtRSECRETLONGPRIVATEKEYB0J/GDbNQg6V0s=

# you can have as many peers as you wish
# remember to replace the values below with the PublicKey of the peer

[Peer]
PublicKey = NwsVexamples4sBURwFl6HVchellou6o63r2B0s=
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = NwsexampleNbw+s4sBnotFl6HrealxExu6o63r2B0s=
AllowedIPs = 10.0.0.3/32

Start up the VPN

sudo systemctl start wg-quick@wg0

If you don't have systemd (which might be true if your instance is running Amazon Linux) you could use sudo wg-quick up wg0.

Step three: create the client config

First install Wireguard on your client machine, either the same way on Linux or through an app store if you're using Windows, macOS, Android, or iPhone.

If you used an online-key-generator or QR script in Step One, then you can connect your phone by taking a picture of the QR code.

Once WireGuard is installed on the client, configure it using these values:

# Replace the PrivateKey value with the one from your client interface
[Interface]
Address = 10.0.0.2/24
ListenPort = 51820
PrivateKey = CNNjIexAmple4A6NMkrDt4iyKeYD1BxSstzer49b8EI=

#use the VPN server's PublicKey and the Endpoint IP of the cloud instance
[Peer]
PublicKey = WbdIAnOTher1208Uwu9P17ckEYxI1OFAPZ8Ftu9kRQw=
AllowedIPs = 0.0.0.0/0
Endpoint = 34.69.57.99:51820

There are many optional add-ons that you might want depending on your use-case, such as specifying DNS or pre-shared keys for an extra layer of security.

Start up the client in same way as the server if you are on Linux or through the application itself on other systems.

Test your VPN

Type "my ip" in your browser to discover your public IP address. If the IP you get is different from the address your computer had before starting the VPN, then you were successful!

(And if you forgot what it was before, try sudo systemctl stop wg-quick@wg0, checking and starting it again.)

Troubleshooting Guide

Make sure your server is configured for IP forwarding. Check the /etc/sysctl.conf file, or run:

echo 1 > /proc/sys/net/ipv4/ip_forward

Your connection dies often? Add this to the peer section of the client configuration:

PersistentKeepalive = 25

Not sure why it's not working? Try sudo tcpdump -i eth on the server while trying to use the client.

Thanks for reading this guide.

If you want to dive deeper, consider taking my paid Manning course on WireGuard VPN.

If you travel a lot, work in coffee shops with public wifi, or deal with sensitive data - or even if you use online banking, for example - you should consider taking some extra precautions.

One good way to help protect your personal data, and any sensitive info you might send through the interwebs, is getting a VPN. A Virtual Private Network adds an important layer of security when you're using the internet, and it's not hard to get one and set it up in a few minutes.

Let's look at what a VPN is, how it works to protect you, and what you can expect when you use one.

_Photo by [Unsplash](https://unsplash.com/@kenziem?utm_source=ghost&utm_medium=referral&utm_campaign=api-credit">Mackenzie Marco / <a href="https://unsplash.com/?utm_source=ghost&utm_medium=referral&utmcampaign=api-credit)

What is a VPN?

A VPN is a service that allows you to browse the web more safely and anonymously. It's a connection method that essentially places your own private network on top of a public network so that your computer or device can connect to its destination as if connected directly through that private network.

How does it work?

A VPN takes the data that you send through the internet, encrypts it, passes it through its own server, and sends it to its destination.

A couple important things are going on here.

The VPN encrypts your data.

This means that hackers, the government, or your ISP (Internet Service Provider) can't see what you're sending or receiving. And yes, all of those entities can potentially gain access to your data with varying degrees of ease.

Basically, the VPN takes the data packets to be sent, wraps them in an extra layer of security (=encryption) and sends the encrypted packets on their way through an encrypted tunnel. And there's only one way to decrypt that data: with the unique key in the pair provided by the VPN.

So if someone intercepts that data, all they'll see is garbled nonsense that would take a supercomputer many, many years to decrypt without the key.

The VPN uses its own servers

In addition to making your data unreadable to hackers and others, the VPN passes that data through its own server before sending it to its destination. This makes it look like that data came from that server, and makes it virtually impossible to connect it to you.

Why is this important? Well, folks trying to steal your data can get a lot of info just from your IP address (which is unique to your computer). But if that's hidden (and a hacker just sees the VPN's IP address instead), a hacker can't get much info about you out of that.

Why should you get a VPN?

You might think you don't often find yourself in a situation where you need to be that concerned with online security. But a VPN can be helpful in numerous situations.

Frequent fliers

_Photo by [Unsplash](https://unsplash.com/@margobr?utm_source=ghost&utm_medium=referral&utm_campaign=api-credit">Margo Brodowicz / <a href="https://unsplash.com/?utm_source=ghost&utm_medium=referral&utmcampaign=api-credit)

If you travel a lot (or even a little) you'll likely encounter some sketchy or insecure wifi networks. This means that hackers could take advantage of that fact and snoop on your online activity.

If you get online via an insecure network, your data is even less safe than usual. But if you're using a VPN, your data is encrypted and ready to roll securely.

Dealing with sensitive info

_Photo by [Unsplash](https://unsplash.com/@blankerwahnsinn?utm_source=ghost&utm_medium=referral&utm_campaign=api-credit">Fabian Blank / <a href="https://unsplash.com/?utm_source=ghost&utm_medium=referral&utmcampaign=api-credit)

Do you bank online? Maybe you need to check your account balance. What about setting up doctor's visits or emailing a colleague about important research?

There are many instances where you might not want anyone else to see the data you're dealing with online. And using a VPN makes sure that no one (your employer, government agencies, malicious hackers) can capture those private details and use them to harm you.

Concealing/changing your location

_Photo by [Unsplash](https://unsplash.com/@dead____artist?utm_source=ghost&utm_medium=referral&utm_campaign=api-credit">Capturing the human heart. / <a href="https://unsplash.com/?utm_source=ghost&utm_medium=referral&utmcampaign=api-credit)

Certain countries restrict certain websites (like China banning Facebook, for example - but there are many others) and this might prove frustrating if you're traveling or have relocated to such a place.

If you have a VPN based in, for example, the USA where those restrictions don't apply, you should be able to bypass those restrictions and visit your favorite websites and use your favorite streaming services.

Remember why? Because a VPN uses its own servers (based in the USA or wherever the company is located) and websites identify those servers as the source of the device. So you could be in China surfing away via your Connecticut-based VPN.

Protecting your browsing

_Photo by [Unsplash](https://unsplash.com/@plushdesignstudio?utm_source=ghost&utm_medium=referral&utm_campaign=api-credit">Plush Design Studio / <a href="https://unsplash.com/?utm_source=ghost&utm_medium=referral&utmcampaign=api-credit)

Say you'd like to buy your daughter a birthday gift, but you don't want ads for that gift showing up on your family desktop. If you use a VPN, especially one with a no-logs policy (more on that below), that data won't be stored.

Note: If you need more info on private browsing, check out this article on incognito mode.

Different protocols, different levels of security

Different VPN services offer different features and use different protocols. This is definitely something you want to review before choosing a VPN.

Here are a few things to look for and keep in mind:

Choose a VPN that uses OpenVPN or IKEv2/IPSec

There are a number of protocols used by VPNs, but OpenVPN and IKEv2 are the best and most common.

OpenVPN is the most widely used protocol. It's safe, quite fast, and open source. So what's not to love?

IKEv2/IPSec isn't as common yet, but its security, speed, and responsiveness make it a really good choice.

Check the VPN's logging policy

_Photo by [Unsplash](https://unsplash.com/@mvdheuvel?utm_source=ghost&utm_medium=referral&utm_campaign=api-credit">Maarten van den Heuvel / <a href="https://unsplash.com/?utm_source=ghost&utm_medium=referral&utmcampaign=api-credit)

When you're choosing a VPN, check what they say about logs. Logs refer to the data the VPN keeps about you and your browsing sessions. It could be things like:

• Your activity
• Your IP address
• When you get on/offline
• What devices you're using
• Payment history

Some of these things may not be super private, but they can pretty much all be used to learn more about you, which you don't want.

Some VPNs keep some logs. Some don't keep any (which you should definitely prefer). Bottom line: the more info a VPN stores about you, the more some other individual/agency can potentially find out. So look for a "no logs" policy in your VPN's privacy statement.

A VPN doesn't make you invincible

_Photo by [Unsplash](https://unsplash.com/@yogipurnama?utm_source=ghost&utm_medium=referral&utm_campaign=api-credit">Yogi Purnama / <a href="https://unsplash.com/?utm_source=ghost&utm_medium=referral&utmcampaign=api-credit)

You may think that using a VPN makes you completely invulnerable to online attacks. Unfortunately, this isn't the case.

A VPN is only as secure as its parts. So before you choose one, make sure you check for all features discussed in this article, like:

• A solid, secure protocol (OpenVPN or IKEv2/IPSec when possible)
• A no logging policy
• The level of encryption the VPN uses
• Whether they keep logs of your payment history (and potentially identifying info)
• The rules of the country where the VPN is based (some countries may force VPNs to keep/hand over certain info)

Now that you have a bit more information about VPNs, you should be able to make an informed decision about whether to get one and how to choose the right one for you.

Happy safe browsing!

“Zaphod’s just this guy, you know?”

– Halfrunt, Hitchhiker’s Guide to the Galaxy by Douglas Adams. The book, not the movie. Definitely not the movie.

Some people (??‍) are really into cybersecurity, end-to-end encryption, and totally geeked out when they first learned how the Enigma worked. These people are likely to have an innate interest in building a less-than-laughable personal cybersecurity posture.

Most people, unfortunately, consider cybersecurity optional. Most people say things like:

“There’s no one targeting lil ol’ me.”
“I have nothing to hide, anyway.”
“I’m too busy to learn all this stuff. Why can’t someone just give me a simple summary of best practices that I can skim in approximately seven minutes?”

To those people, I say, hello, hypothetical incorporeal reader! Here is a simple summary of best practices that you can skim in approximately seven minutes.

Wait why do I care

You may have a hard time understanding why cybersecurity matters when you’re just an average person. Sure, you don’t want your devices hacked or your personal data stolen, but it’s not like anyone is coming after you, specifically, right?

Hey Alex, I’ll take “right,” for $400. It’s unlikely anyone is attempting to steal your particular stuff, although I must admit that Persian rug of yours would really tie the room together. Instead, it can help to understand cybersecurity if you think of it in terms of low-hanging fruit.

You’ve got some fruit, I’ve got some fruit. Joe from down the block has a 1.21 gigawatt flux-capacitor-powered fruit-snatching robot. Joe doesn’t know either of us exist, but his robot goes (very quickly) from door to door, all the way around the block, looking for fruit. If my front door is locked and yours is standing open, whose fruit is Joe’s robot going to snatch?

If that sounds like boring, old, regular security, you’re correct! Cybersecurity isn’t about finding some magic spell that makes your fruit maximally secure. It’s about making your fruit more secure than the fruit next to you. You do this by employing some thoughtful habits, in much the same way as you learned to lock your front door to guard against fruit-snatching robots.

Security breaches and incidents happen every day. Most of them occur because an automated scanner cast a wide net and found a person or company with lax security that a hacker could then exploit. Don’t be that guy.

Wait what's a security posture anyway

Here is how the National Institute of Standards and Technology defines security posture:

The security status of an enterprise’s networks, information, and systems based on information assurance resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes. (NIST Special Publication 800–30, B-11)

The important bit above is, “capabilities in place to manage the defense of the enterprise.” In the context of personal security, you are the enterprise. Congratulations. May you boldly go where no man has gone before.

Before you explore strange new worlds (it is the Internet, after all), there are steps you can take to manage your defenses. The word “capabilities” is apt, as having certain things in place will pretty much give you cybersecurity superpowers. Here are the three steps I consider most important and beneficial:

1. Use multifactor authentication
2. Use a VPN
3. Develop healthy skepticism

With these three keys in hand, your cybersecurity posture goes from being robot lunch to War Games — where the winning move for an attacker is not to play.

1. Use multifactor authentication

Passwords are dead. Computationally, they are a solved problem, and cracking passwords is just a matter of time. Unfortunately, many people still help to speed up the process by using the same compromised passwords for multiple accounts, putting themselves at risk for inconceivable benefit. Pass phrases are longer and more complicated, and would take a lot more time to crack. I highly recommend them; even so, your password ultimately doesn’t matter.

The answer, at least for now, is multifactor authentication (MFA). MFA is made up of three kinds of authentication factors:

1. Something you know, like a pass phrase;
2. Something you have, like a chip pin card or phone; and
3. Something that you are, like your face or fingerprint.

Two or more of these factors are infinitely better than a password alone, especially if your password is on this list.

Multiple authentication factors are now widely supported by account providers and social media sites. If you have the choice, avoid using text messages as a way of receiving authentication codes. SMS authentication leaves you vulnerable to the SIM swap attack — please direct further questions to Jack Dorsey. Instead, use an authenticator app like Google Authenticator to generate codes on your device. This ensures that you alone, using that particular device, will have the correct authentication code. No power in the ‘verse can stop you.

The Google Authenticator app works with the specific device you set it up on, so when you get a new device you will need to move Google Authenticator to your new phone. Hardware authentication keys such as the YubiKey may present less hassle when switching devices, but aren’t yet as widely supported as authentication apps.

2. Use a VPN

The difference between using a VPN and not using one is like how The Dark Knight Rises was really good and Batman v Superman was really, really bad. Same franchise, totally different standards.

Let’s say you send a lot of mail, but never bother to put your letters in envelopes or even fold them in half. Anyone who bothers to look will know that you’re not really the Dread Pirate Roberts after all. When you use a Virtual Private Network, especially if you often connect to public WiFi, it’s like putting your letters into cryptographically-sealed envelopes and sending them via a special invisible courier service. No one but the intended recipient can read your letters, and no one but you and the courier know to whom the letters are sent.

VPNs prevent others from reading your communications, like opportunistic attackers who scan open WiFi, and even your own Internet Service Provider (ISP) who may sell your usage data for advertising dollars.

Choosing a trustworthy VPN provider requires some research, and is in itself material enough for a separate article. As a starting point, look for providers with firm policies against logging, and expect to pay between $5-$10 USD monthly for the service. Avoid free VPN apps and services with ambiguous privacy policies; they’ll typically cost you much more than you’ll know.

3. Develop healthy skepticism

Ultimately, the weakest link in your cybersecurity defense is you. All the MFA and VPNs on the Internet won’t protect you if a scam or malware bot can trick you into opening the front gates. Yes, I know it’s a very nice looking wooden horse. Also free. Did you order it? No? Then it can stay outside.

Always look a Trojan gift horse in the mouth.

Develop the habit of second-guessing things delivered to your virtual doorstep. Email, phone, and messaging scams range in sophistication, from rickety robot-assembled shotgun blasts to elaborate social engineering attacks that use cognitive biases very effectively. Don’t assume you’re too clever for them; humans are very predictable creatures. After all, nobody expects the Spanish Inquisition.

Instead, ask questions. Double check communications that ask you to click on links or visit a website, even if they come from someone you know or a company you use. If you’re not certain, based on a previous in-person interaction, that your friend or bank or mother sent this email, pick up the phone and call them. Even if you think you are certain, pick up the phone and check. You don’t call your mother enough, anyway.

Oh, and if the person on the phone is from your local tax office or the IRS or the CRA and they’re about to freeze your accounts because a case of mistaken identity has resulted in you being criminally charged for not repaying a loan on a 600-foot yacht in Malibu, just hang up. You know better than that. Tax agencies don’t have phones.

Your personal cybersecurity starter pack

You now have three keys to open three gates to a robust personal cybersecurity posture. If those keys have also unlocked your curiosity, there’s plenty more rabbit hole to go down. I highly recommend the Security in Five podcast for Binary Blogger’s great advice, which inspired much of this post. Surveillance Self Defense offers the Electronic Frontier Foundation’s tips on securing online communication. Troy Hunt also has a YouTube series entitled Internet Security Basics that goes into more depth on how to protect yourself online.

For now, I hope you use your newfound cybersecurity powers for good. Mind what you have learned. Save you it can.

Do you sometimes need to connect to resources you’ve got running on Amazon Web Services? Accessing your public EC2 instances using SSH and encrypting your S3 data is, for all intents and purposes, secure enough. But what about getting into a back-end RDS database instance or working with AWS-based data that’s not public? There are all kinds of reasons why admins keep such resources out of reach of the general public. But if you can’t get at them when you need, what good are they likely to do you?

So you’ll need to find a safe and reliable way around the ACLs and security groups protecting your stuff. One solution I cover in my “Connecting On-prem Resources to your AWS Infrastructure” course on Pluralsight is Direct Connect. But if Direct Connect’s price tag is a budget-buster for your company, then some kind of VPN tunnel might do the trick.

What’s a Virtual Private Network?

Virtual Private Networks (VPNs) are often used to allow otherwise restricted network activity or anonymous browsing. But that’s not what this article is about.

A VPN is a point-to-point connection that lets you move data securely between two sites across a public network. Effectively, a tunnel can be designed to combine two geographically separated private sites into one single private network. In our context, that would mean connecting your local office network with the AWS VPC that’s hosting your private resources.

There are two ways to do this:

• A managed VPN Connection built on top of an AWS Virtual Private Gateway
• Using your own VPN.

This article will focus on the do it yourself method.

The OpenVPN Access Server

As the name suggests, OpenVPN is an open source project, and you’re always able to download the free community edition and set things up on your own VPN server. But the OpenVPN company also provides a purpose-built OpenVPN Access Server as an EC2 AMI which comes out of the box with AWS-friendly integration and automated configuration tools.

From what I can see, launching the AMI within your AWS VPC and opening it up for controlled remote connections has pretty much become the “right” way to get this job done.

What does it cost? If you’re only testing things out and don’t plan to access the VPN using more than two connections at a time, then the AMI itself is free. You’ll still be on the hook for the regular costs of an EC2 instance, but if your account is still eligible for the Free Tier, then you can get that for free, too.

Once you put your VPN into active production, the license you purchase will depend on how many concurrent connections you’ll need. This page has the details you’ll need.

Here’s what we’re going to do in this guide:

• Select, provision, and launch an Ubuntu AMI with OpenVPN Access Server pre-installed into my VPC
• Access the server using SSH and configure the VPN
• Set up an admin user
• Set up a local machine as an OpenVPN client and connect to a private instance in my AWS VPC

Ready?

Launching an OpenVPN Access Server

From the EC2 dashboard — and making sure we’re in the right AWS region — launch an instance to act as our VPN server. Rather than using one of the Quick Start AMIs, I’ll click on the AWS Marketplace tab and search for “openvpn access server”. OpenVPN provides a number of official images that are tied to licenses offering escalating numbers of connected clients.

I’m going to go with this Ubuntu image that works through a “Bring Your Own License” arrangement. As I wrote earlier, we won’t actually need a license for what we’re going to be doing.

OpenVPN Access Server AMIs available from the AWS Marketplace

Selecting the AMI opens a popup telling us how much this image will cost us per hour using various instance types and EBS storage choices. Those are only regular AWS infrastructure costs, however, and don’t include license fees.

OpenVPN Access Server AMI costs — billed directly by AWS

When it comes to instance type, I’ll downgrade to a t2.micro to keep it within the free tier. A busy production server might require a bit more power.

Because I’m going to want to start up a second instance in the same subnet in a few minutes, I’ll select, say, “us-east-1b” from the Configure Instance Details page, and make a note for later.

Choose a subnet and note for later

Now the Security Group page is where the OpenVPN AMI settings really shine. We’re presented with a security group that opens up everything we’ll need. Port 22 is for SSH traffic into the server, 943 is the port we’ll use to access the admin GUI, 443 is TLS-encrypted HTTP traffic, and OpenVPN will listen for incoming client connections on port 1194.

The Security Group that comes with the OpenVPN AMI

Note: If practical, it would normally be a good idea to tighten those rules so only requests from valid company IP address ranges are accepted, but this will be fine for short-term testing.

From here, I’ll review my settings, confirm that I’ve got the listed SSH encryption key, and pull the trigger.

Once the instance is launched, I’ll be shown important login information — including the fact that the user account we’ll use to SSH into the server is called openvpnas — and a Quick Start guide. I’ll also receive an email containing links to the same information.

Back in the EC2 instances console, while the new machine finishes booting, we’re shown our public IP address. If we would ever need to reboot the instance, there’s no guarantee that we’d get that same IP again, which could cause a reasonable amount of mayhem. So it’s a good idea to assign the instance an Elastic IP.

To do that, I’ll click Elastic IPs and then Allocate new address. Note the new address and close the page. Now, with that address selected, click Actions, and “Associate Address”. I’ll click once in the Instance box and my OpenVPN instance — with its helpful tag — is listed. I only need to select it, click “Associate” and I’m done. From now on, that will be the permanent public IP for accessing our server.

Associate your new Elastic IP address with your instance

Accessing the server

I’ll paste the public IP address into the terminal as part of my SSH command that calls the key pair I set for this instance.

ssh -i KeyPairName.pem openvpnas@<PublicIPAddress>

If you’re accessing from a Windows or macOS machine, things might work a bit differently, but the documentation will give you all the help you’ll need.

Before I leave the Instances console, however, I’ll perform one more important function. With the OpenVPN instance selected, I’ll click Actions and then Networking and then “Change Source/Dest checking”. I’ll make sure that checking is disabled. Nothing much will be possible unless I do this.

Now over to my SSH session. As soon as it begins, I’m confronted by the OpenVPN EULA license agreement, and then the setup wizard. If you need to change a setting later you can always run the wizard again using this command:

sudo ovpn-init — ec2.

Most of the wizard’s defaults will work fine, but it’s worth quickly explaining what’s happening. Here are the questions and some color commentary where necessary:

primary Access Server node? yes [You’d answer no if you were setting up a backup or failover node.]
specify the network interface and IP address to be used by the Admin Web UI [1 — For all interfaces; can be changed to static later.]
specify the port number for the Admin Web UI [default]
specify the TCP port number for the OpenVPN Daemon [default]
Should client traffic be routed by default through the VPN? [no--That’s   not the kind of VPN we’re building here. What we’re doing is only about getting remote clients safely and securely into our VPC. The same applies to client DNS traffic.]
Should client DNS traffic be routed by default through the VPN? [no] 
Use local authentication via internal DB? [no — can be useful, but we’ll use Linux/AWS authentication for simplicity.]
Should private subnets be accessible to clients by default? [yes — that’s the whole point of the VPN, after all.]
login to the Admin UI as “openvpn”? [yes]
Provide OpenVPN Access Server license key [Unnecessary for testing.]

When the wizard completes, I’m shown some connection information and advised to install the network time daemon NTP. That won’t be necessary on this Ubuntu box, as it’s already installed and running by default.

As I mentioned earlier, I will need to give the openvpn user a password so I can use it to log into the web GUI. I do that as sudo with the passwd command.

sudo passwd openvpn

That’s all the server-side stuff we’ll need. Now I’m going to use a browser to log into the web GUI. I use our server’s public IP address with the secure https prefix, followed by slash and admin.

https://<PublicIPAddress>/admin

You’ll get a “Your connection is not private” warning because we’re using a self-signed certificate rather than one provided by a Certificate Authority.

This is normal when using self-signing certificates

That’s not a problem for us, since we’re only exposing our VPN to select users from within our company, and they should be able to trust our certificate. So I’ll click through the warning, sign in, and agree to the EULA .

Feel free to spend some time exploring the features provided by the OpenVPN admin console on your own.

The OpenVPN admin console

Setting up a VPN client

Right now, however, I’m going to open the client UI page using the web access address we were shown before, but this time without the slash admin. This is nothing more than a login screen where you can authenticate using the same openvpn user as before. (You can always create new users back in the admin console.)

Behind the login screen, there’s just this set of links with directions for installing the OpenVPN client app on any of those platforms. The final link, however, is called “Yourself.”

The OpenVPN client page

Clicking it will prompt you to download and save a file called client.ovpn. This file contains the configuration settings to match the server and the actual keys we’ll use to authenticate. You definitely want to treat this file with care so it doesn’t fall into the wrong hands. That would include not sending it through plain email across unencrypted connections.

I’ll open the file locally and copy the contents. Then, in a shell within a Linux virtual machine running in my local network, I’ll create a new file called client.ovpn and paste the contents in. If you had clicked through to the “OpenVPN for Linux” link in the client UI earlier, you would have seen that the only additional step necessary was to install OpenVPN using the Apt package manager — or Yum if you’re on a CentOS or Red Hat machine. Well that’ll take just one command. When it’s done its job, we’ll be all set.

nano client.ovpnsudo apt updatesudo apt install openvpn

Next we’ll open the VPN connection. As root — using sudo — I’ll type openvpn with the config flag pointing to the client.ovpn configuration file I just created.

sudo openvpn — config client.ovpn

When prompted to authenticate, use the openvpn account along with the password you created for it back on the server.

Now I’ll open a second shell session on my local client so I can try to ssh in to the OpenVPN server using its local IP address — something that would be impossible without a working VPN connection.

First though, run ip a to list all the network interfaces active on this machine.

ip a

Besides your local network, you should also see one called tun0. This interface was created by OpenVPN and will usually lie within the 172.16.x.x range.

I’ll ssh into the remote server using my private key — which, of course, needs to exist locally — and the server’s private IP address. If it works, you’ll have yourself a VPN!

ssh -i KeyPairName.pem openvpnas@<PrivateIPAddress>

Finally, I’ll demonstrate that the VPN, as it’s currently configured, will allow us access to other private resources within our Amazon VPC. This could be useful if, for instance, you’ve got a database instance running in the VPC that you can’t expose to the public network.

I’m going to launch a standard Ubuntu EC2 instance but I won’t give it a public IP. I’ll specify the same us-east-1b subnet we used for the OpenVPN server to keep things simple. The security group I’ll use will permit SSH access through port 22 but nothing else.

Once that’s running, I’ll note its private IP address and head back to my local client. Once I’m sure the instance is fully launched, I’ll ssh in using the same private key, the “ubuntu” username — since that’s the default for normal Ubuntu EC2 instances — and the private address I just copied.

Again. If it works, you’ll have a fully-configured VPN connection into your AWS private resources. Savor the moment.

Don’t forget to shut down all your servers and release your Elastic IP address when you’re done using them. You don’t want to incur costs unnecessarily.

_This article was adapted from part of my new Pluralsight course, “Connecting On-prem Resources to your AWS Infrastructure.” There’s lots more where that came from at my Bootstrap IT site, including links to my book, Linux in Action, and a hybrid course called Linux in Motion that’s made up of more than two hours of video and around 40% of the text of Linux in Action._

My Raspberry, serving as an OpenVPN server

Hello everyone!

In this short article I will explain how to setup your own VPN (Virtual Private Network) server on a Raspberry PI with OpenVPN. After we setup the server, we will setup an obfuscation server in order to disguise our traffic indicating that we’re using a VPN. This will help us evade some form of censorship.

Why use a VPN?

First, let’s talk about why you may want to use a VPN server:

1. Avoid man in the middle attacks. If you have a malicious user on your local network — even your roommate — that person is able to monitor your unencrypted traffic and tamper with it.
2. Hide your internet activity from your ISP (Internet Service Provider) or University, in my case.
3. Unblock services. My University blocks all UDP (User Datagram Protocol) packets. This means that I cannot use any application that communicates via UDP. I can’t use my email client, play games, or even use Git!

I decided to setup a VPN on my home internet using a Raspberry Pi. This way I can connect to my home network while I’m at the University. If you need a VPN server in another country, you can buy a 5$/month virtual private server from DigitalOcean. You can use my referral link in order to get $10 off — that’s two months of free VPN. But you don’t have to use it if you don’t want to.

Installing OpenVPN

This step is really easy, because we will use a shell script to do it for you. So you just have to “press” next and finish.

The installation will take a long time, depending on the key-size you chose. On my Raspberry Pi 3 Model B, it took about 3 hours.

Please go this repository and then follow the instructions

Angristan/OpenVPN-install
_OpenVPN-install - Set up your own OpenVPN server on Debian, Ubuntu, Fedora CentOS, and Arch Linux_github.com

If you don’t know the IP address of your server, just put 0.0.0.0 . I’ve chosen 443 for the port and TCP (Transmission Control Protocol) for the protocol.

Note: This is very important because my university only allows TCP/80 and TCP/443 ports, the rest are pretty much blocked. Also Obfsproxy only works with TCP, so make sure you chose TCP!

After the script has finished, you’ll get an .ovpn file. It can be imported in your favourite VPN client, and everything should work out of the box.

Testing the connection

Import the .ovpn file in your VPN client and change the ip 0.0.0.0 to the local ip of your Raspberry PI. Depending on your network configuration it may be of the form192.168.*.* .

Note: This will only work if you are connected to the same WiFi as the Pi is.

Viscosity successfully connected to my VPN server.

I’ve configured my router so the PI always gets a reserved IP address. You may have to check out your router settings if you want to do something similar.

If the connection is successful, congratulations, you now have a VPN server! But, you cannot access it from outside… yet.

If you only want an OpenVPN server without the obfuscation proxy, then you can skip to Port Forwarding.

Obfuscation Proxy Install

Obfs4 is a scrambling proxy. It disguises your internet traffic to look like noise. Somebody who snoops on your traffic won’t actually know what you’re doing, and it will protect you from active probing attacks which are used by the Great Firewall of China.

Note: This method won’t work if your adversary allows only whitelisted traffic :(

Let’s install the proxy server now.

0. Install the required package:

apt-get update && apt-get install obfs4proxy

1. Create a directory that will hold the configuration.

sudo mkdir -p /var/lib/tor/pt_state/obfs4

2. Create the configuration file.

sudo nano /var/lib/tor/pt_state/obfs4/obfs4.config

In the configuration file, you will paste the following things:

TOR_PT_MANAGED_TRANSPORT_VER=1TOR_PT_STATE_LOCATION=/var/lib/tor/pt_state/obfs4TOR_PT_SERVER_TRANSPORTS=obfs4TOR_PT_SERVER_BINDADDR=obfs4-0.0.0.0:444TOR_PT_ORPORT=127.0.0.1:443

TOR_PT_SERVER_BINDADDR is the address on which the proxy will listen for new connections. In my case it is it 0.0.0.0:444 — why 444 and not 443? Well, because I don’t want to change the OpenVPN server configuration which is currently listening on 443. Also, I will map this address later to 443 using Port Forwarding.

TOR_PT_ORPORT should point to the OpenVPN server. In my case, my server runs on 127.0.0.1:443

3. Create a SystemD service file.

sudo nano /etc/systemd/system/obfs4proxy.service

Then paste the following contents into it:

[Unit]Description=Obfsproxy Server[Service]EnvironmentFile=/var/lib/tor/pt_state/obfs4/obfs4.configExecStart=/usr/bin/obfs4proxy -enableLogging true -logLevelStr INFO[Install]WantedBy=multi-user.target

4. Start the Obfuscation proxy.

Now, make sure that OpenVPN is running and run the following commands in order to start the proxy and enable it to start on boot.

sudo systemctl start obfs4proxysudo systemctl enable obfs4proxy

5. Save the cert KEY

After the service has started, run the following command and save the cert KEY.

cat /var/lib/tor/pt_state/obfs4/obfs4_bridgeline.txt

The key is of the form Bridge obfs4 <IP ADDRESS>:<PORT> <FIN**GER**PRINT> cert=KEY iat-mode=0 . You will need it when you’re connecting to the VPN.

6. Testing the connections.

Open up your VPN client and change the ip from 443 to 444 in order to connect to the proxy instead of the OpenVPN server.

After that, find the Pluggable Transport option in your OpenVPN client and see if it supports obfs4.

Viscosity supports different Obfuscation methods such as: obfs2, obfs3, obfs4 and ScrambleSuit

If everything works, then you’re all set! Congratulations! Only a few more things to tweak before using this VPN from the outside world.

Port Forwarding

In order to access the OpenVPN server from the outside world we need to unblock the ports, because they are most likely blocked. As you remember, I have reserved my PI’s IP address on my router to always be 192.168.1.125 so it doesn’t change if the PI disconnects or if the router reboots.

This way I have defined the following rules in my Port Forwarding table:

TL-WR841N’s Port Forwarding settings page.

The outside port 443 will point to the obfuscation’s server port 444. If you don’t have an obfuscation server, then leave 443->443.

The port 25 will point to the PI’s SSH port 22. This is only for my own convenience.

In case I want to access the OpenVPN server directly without the obfuscation proxy, I have created a rule 444->443

The service port is the OUTSIDE port that will be used with your PUBLIC IP address. To find your public IP, use a service like whatsmyip.com.

The internal port is the INSIDE port. It can be used only when you are connected to the network.

_Note: The first rule is saying redirect all the connections from PUBLIC_IP:443 to 192.168.1.125:444_

Testing

1. Find your public IP and replace your old IP with the public IP in the .ovpn file or in the VPN client.
2. Connect to the VPN.

That’s it.

Dynamic DNS

In most cases, your IP will change because it’s a dynamic IP. A way to overcome this is to create a small program on the PI that saves your IP and sends you an email every day or so. You may also store the IP in an online database such as Firebase.

My router has Dynamic DNS setting. This way I can use a service provider like NoIP and get a domain like example.no-ip.com that will always point to my public IP address.

TL-WR841N DDNS settings page

Other Resources:

• A Childs Garden Of Pluggable Transports
• Viscosity-Obsfurcation/
• https://www.pluggabletransports.info/transports/

If you have any questions hit me up on Twitter.