In this article, we will guide you through setting up a personal VPN server and connecting to it from Android and iOS devices. The process is simple: it takes only 10-15 minutes and doesn’t require any server administration expertise. Follow the steps below and you’ll have a personal VPN up and running in just a few minutes.
A personal VPN server ensures your data privacy and security when using Instagram or other online services. In this tutorial, we’ll deploy a Gcore VDS as a server for the VPN. This is a cheap virtual server suitable for hosting simple and low-demand applications, such as a VPN.
Why a Private VPN is Better than a Public VPN
Public VPN servers may seem like a cost-effective solution for securing your internet connection. However, they often come with several limitations:
- Weak privacy: Public VPN servers are notorious for logging user data and leaks—see, for example, the Ivanti Pulse Secure VPN exposure and the leak of three Android VPN services. With your personal VPN server, you have full control over your data and can ensure that it is not being logged or leaked.
- Low level of encryption: Public VPN servers may not publish their VPN configuration, which means that users cannot verify how strong their encryption is. With a private VPN server, you can choose the level of encryption you need to secure your connection.
- Poor performance: Public VPNs share the physical server resources among customers. This is often the case when dozens or hundreds of people are using one server at the same time. That’s why public VPNs don’t always perform well; in particular, they can be slow. With a personal VPN server, all the server’s resources are yours. As a result, you get better performance and a faster connection.
How to Set Up a Private VPN Server
Now that you’re familiar with the benefits of a private VPN server, let’s dive into ordering and setting it up.
Step 1. Order a Server
First, you need to order a server with a Linux-based operating system, Ubuntu 18.04.
- Go to the Virtual Servers page and scroll down to the Virtual Server configurator. Select the preferred location of the Datacenter and other parameters of your server.
Use the parameters shown in Figure 1.
Note that the data center closest to your location is the better choice in terms of latency. However, some of the Gcore locations are cheaper than others, and the closest data center may not be the cheapest.
- Scroll down and click Buy.
- You will see the VM Manager panel and the server you configured in the previous step.
If you don’t have a Gcore Hosting account yet, you will see the registration form to sign up. Go ahead and create your account. Then, find your server order in the Hosting control panel > Products/Services > Virtual private servers.
On the order page (see Figure 3), you can leave default values in all the fields. Just make sure you’ve chosen Ubuntu 18.04.
Click Add to cart and then buy the server using a method that is most convenient for you: a bank card, PayPal, or other. After the payment, your server will be automatically activated. This takes up to twenty minutes.
Step 2. Connect to your Server via SSH
To connect to the server remotely via SSH, you need to use a terminal on your local machine. Here’s how:
- In the Hosting control panel, go to Products/Services > Virtual private servers.
- Click on your server, then click Instructions (see Figure 4).
- You’ll see the tab with instructions. Here, you can find the server IP address, username, and password (see Figure 5) which you need to continue this process.
- On your computer, open a terminal (for Linux and macOS) or a command line (for Windows) and enter the following command:
ssh [username]@[server IP]
For example, if the instructions show “server IP address: 185.14.67.190” and “user: root”, then the command will be:
ssh root@185.14.67.190
- The connection will prompt you for a password from the instructions. Type or copy and paste the password, then press Enter. Your output will look something like this:
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-208-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Introducing Expanded Security Maintenance for Applications.
   Receive updates to over 25,000 software packages with
   your Ubuntu Pro subscription. Free for personal use.

     https://ubuntu.com/pro

Last login: Wed Mar 29 13:49:22 2023
root@joan:~#
That means the connection is established, and you can manage the virtual server.
Step 3. Set the Username and Password
First, you need to set your VPN server’s username and password. These will be used to access and connect to the VPN server after the configuration process (Step 4) is complete. Note that this is not the same as your root password for the Ubuntu server; here you have to create your own username and password.
Make sure your username and password don’t contain special characters such as ‘*’, ‘$’, ‘#’ or ‘^’. Use only letters (AbcDef, etc.) and numbers (01234, etc.). For your password, we recommend at least twelve characters to make it stronger and more secure.
For example:
echo 'MY_USERNAME=myvpn' | sudo tee -a ~/.bashrc
echo 'MY_PASSWORD=sdsbUInns40x' | sudo tee -a ~/.bashrc
Here the username is myvpn and the password is sdsbUInns40x.
Step 4. Configure your VPN Server
If you’re not familiar with setting up a VPN server or using the Linux shell, we recommend pressing the “Enter” button on your keyboard after entering each command. This will ensure that the commands are executed properly.
- To ensure you have the latest security patches and bug fixes in your OS, update the Linux packages on your server. In the terminal, run the following command:
sudo apt-get update && sudo apt-get upgrade -y
- Now you need to perform two installations:
- strongSwan, an open-source IPsec (Internet Protocol Security) solution that will form the basis of your VPN server
- The strongSwan Public Key Infrastructure (PKI) package, which lets you set up a Certificate Authority (CA) that issues credentials for the server and your device
Use the following command to install both:
sudo apt install strongswan strongswan-pki -y
- In your home folder, create a directory structure that will store your VPN certificates and private keys:
mkdir -p ~/pki/{cacerts,certs,private}
- Set the permissions on this directory to ensure that only you can access it:
chmod 700 ~/pki
- Set the name of the network interface and the IP address that your server will use for the VPN connection. The second command reads the server’s IP address from that interface, so you don’t have to type it yourself. The interface name is assumed to be ens3; if the output of ip -br addr shows a different name, use that one instead. Run the commands one by one:
echo 'INTERFACE_NAME="ens3"' | sudo tee -a ~/.bashrc
source ~/.bashrc
echo "VPN_IP_ADDRESS=$(ip addr show dev "$INTERFACE_NAME" | awk '$1 == "inet" {gsub(/\/.*$/, "", $2); print $2}')" | sudo tee -a ~/.bashrc
source ~/.bashrc
- Generate a private key for your VPN root CA and save it to a file in your certificate directory:
ipsec pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/ca-key.pem
- Generate a self-signed root CA certificate using the private key you just generated, and save the CA certificate to a file in your certificate directory:
ipsec pki --self --ca --lifetime 3650 --in ~/pki/private/ca-key.pem \
    --type rsa --dn "CN=VPN root CA" --outform pem > ~/pki/cacerts/vpn-cert-ca.pem
This certificate will be valid for 10 years.
- Generate a private key for your VPN server and save it to a file in your certificate directory:
ipsec pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/server-key.pem
- Generate a signed server certificate using the private key you just created, and save it to a file in your certificate directory.
ipsec pki --pub --in ~/pki/private/server-key.pem --type rsa | ipsec pki --issue --lifetime 1825 \
    --cacert ~/pki/cacerts/vpn-cert-ca.pem \
    --cakey ~/pki/private/ca-key.pem \
    --dn "CN=$VPN_IP_ADDRESS" --san "$VPN_IP_ADDRESS" \
    --flag serverAuth --flag ikeIntermediate --outform pem > ~/pki/certs/server-cert.pem
This certificate will be valid for 5 years.
- Copy your certificate directory to the strongSwan configuration directory:
sudo cp -r ~/pki/* /etc/ipsec.d/
- Rename the default strongSwan configuration file to a backup file:
sudo mv /etc/ipsec.conf{,.original}
- Write the strongSwan configuration file. It sets the charon debug levels, allows more than one connection under the same identity (uniqueids=no), configures the connection to use the IKEv2 protocol, and sets up the tunnel parameters. The server IP address is taken from the VPN_IP_ADDRESS variable set earlier:
cat > /etc/ipsec.conf <<EOF
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=$VPN_IP_ADDRESS
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.123.45.0/24
    rightdns=95.85.95.85,2.56.220.2
    rightsendcert=never
    eap_identity=%identity
EOF
- Set up the IPsec secrets file with the server key and the username and password that authenticate the client device (both values were saved to ~/.bashrc in Step 3):
cat > /etc/ipsec.secrets <<EOF
: RSA "server-key.pem"
$MY_USERNAME : EAP "$MY_PASSWORD"
EOF
- Configure the firewall. Allow SSH and the IPsec ports (UDP 500 for IKE and UDP 4500 for NAT traversal) first, and only then enable ufw, so that turning the firewall on cannot lock you out of your SSH session. Execute these commands one by one:
sudo ufw allow OpenSSH
sudo ufw allow 500,4500/udp
sudo ufw enable
- To allow your device to connect to the server, add the NAT and MSS-clamping rules for IPsec traffic to /etc/ufw/before.rules. The rules are written to a temporary file first and then inserted after the “# ufw-before-forward” comment line near the top of the file, above the *filter table:
cat > /tmp/ipsec-nat.rules <<EOF
*nat
-A POSTROUTING -s 10.123.45.0/24 -o $INTERFACE_NAME -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s 10.123.45.0/24 -o $INTERFACE_NAME -j MASQUERADE
COMMIT

*mangle
-A FORWARD --match policy --pol ipsec --dir in -s 10.123.45.0/24 -o $INTERFACE_NAME -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
EOF
sed -i "/^#\s*ufw-before-forward$/r /tmp/ipsec-nat.rules" /etc/ufw/before.rules
- Add the ESP rules that allow IPsec traffic to pass through the forward chain, inserted right after the “# End required lines” marker in /etc/ufw/before.rules:
sed -i "/^#\s*End\srequired\slines$/a\\
-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.123.45.0/24 -j ACCEPT\\
-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.123.45.0/24 -j ACCEPT" /etc/ufw/before.rules
- Enable IP forwarding and disable ICMP redirects for IPsec by appending these kernel settings to the ufw sysctl file (each setting on its own line):
cat >> /etc/ufw/sysctl.conf <<EOF
net/ipv4/conf/all/send_redirects=0
net/ipv4/ip_no_pmtu_disc=1
net/ipv4/ip_forward=1
net/ipv4/conf/all/accept_redirects=0
EOF
- To apply the changes, stop and start the ufw and strongSwan services. Use these commands one by one:
sudo ufw disable
sudo ufw enable
sudo systemctl stop strongswan
sudo systemctl start strongswan
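As an added check that is not part of the original tutorial, the script below reads the two files written in Step 4 and confirms the settings this guide depends on (IKEv2 with EAP-MSCHAPv2, the server sending its certificate and the client not, leftid being the bare server IP used as the certificate CN/SAN), and that the credentials in ipsec.secrets follow the Step 3 rules. The function names are my own and the file paths are parameters so the check can also be run on a copy.

```shell
#!/bin/sh
# Post-setup check for the strongSwan files written in Step 4. This is an
# added example, not part of the original tutorial; file paths default to
# the real locations but can be passed as arguments to check a copy.

# Succeeds when every setting the guide relies on is present in ipsec.conf.
check_ipsec_conf() {
    conf="${1:-/etc/ipsec.conf}"
    rc=0
    for want in "keyexchange=ikev2" "rightauth=eap-mschapv2" \
                "leftsendcert=always" "rightsendcert=never" \
                "leftsubnet=0.0.0.0/0" "eap_identity=%identity"; do
        if ! grep -qE "^[[:space:]]*$want[[:space:]]*$" "$conf"; then
            echo "missing in $conf: $want"
            rc=1
        fi
    done
    # leftid must be the bare IPv4 address used as CN/SAN of server-cert.pem,
    # or the client will reject the identity the server presents.
    if ! grep -qE '^[[:space:]]*leftid=([0-9]{1,3}\.){3}[0-9]{1,3}[[:space:]]*$' "$conf"; then
        echo "leftid in $conf is not an IPv4 address"
        rc=1
    fi
    return $rc
}

# Succeeds when ipsec.secrets has the server key line and one EAP credential
# that follows the Step 3 rules (letters and digits only, 12+ characters),
# and the file is not readable by other users.
check_ipsec_secrets() {
    secrets="${1:-/etc/ipsec.secrets}"
    rc=0
    if ! grep -qE '^: RSA "server-key\.pem"' "$secrets"; then
        echo "no RSA line for server-key.pem in $secrets"
        rc=1
    fi
    if ! grep -qE '^[A-Za-z0-9]+ : EAP "[A-Za-z0-9]{12,}"$' "$secrets"; then
        echo "EAP line missing, or username/password break the Step 3 rules"
        rc=1
    fi
    mode=$(stat -c %a "$secrets" 2>/dev/null || stat -f %Lp "$secrets" 2>/dev/null)
    case "$mode" in
        600|400) ;;
        *) echo "$secrets has mode ${mode:-?}, expected 600"; rc=1 ;;
    esac
    return $rc
}

# Usage on the server (as root): check_ipsec_conf && check_ipsec_secrets
```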
Step 5. Copy the CA Certificate to your Device
Your device needs the root CA certificate to verify the server’s certificate when it connects, so you have to copy it to the device from which you want to connect to the server.
- Get the content of the certificate:
cat ~/pki/cacerts/vpn-cert-ca.pem
The output will show you something similar to this:
-----BEGIN CERTIFICATE-----
# We’ll skip the rest of the content for brevity
-----END CERTIFICATE-----
- Copy all the content of the certificate you’ve got in the output, including the BEGIN and END lines.
- Create a file on your computer with the .pem extension—for example, my-cert.pem.
- Open the file, paste the content of the certificate, and save it. You can send the file to the device from which you want to connect to the server.
Congratulations! Your private VPN server is set up.
How to Connect to a VPN Server from Different Platforms
The way that you connect to a private VPN server depends on the type of platform you’re using. We’ll show you how to do it from Android and iOS.
Connecting from Android
- Send the certificate file to your phone via email, cloud services, or another convenient method. Download it on your phone.
- Install the strongSwan VPN Client application.
- Open the application, add a new VPN Profile, and enter your server IP address.
- Select IKEv2 EAP. Enter the username and password that you created earlier in Step 3 (Set the Username and Password), and create a profile name of your choice.
- Open the certificate and allow it to be added to the strongSwan VPN Client application.
- Select the certificate you just downloaded. You’ll see this notification:
Tap Import certificate.
- Click on the profile you just created in the strongSwan application, and you’ll be connected to the VPN.
Congratulations! You’ve connected to your private VPN server.
Connecting from iOS
- Send the certificate file to your iPhone (for example, via email or iCloud).
- Open the certificate file. You’ll see a notification “Profile Downloaded. Review the profile in the Settings app if you want to install it.” Tap Close.
- Go to the Settings app, select General > VPN & Device Management > VPN and tap VPN root CA. In the top right corner, tap Install and accept the installation.
- On the VPN & Device Management screen, go to VPN and select Add VPN Configuration at the bottom of the screen to access the VPN connection configuration.
- In Type, select IKEv2.
- In the Description field, enter a name for the VPN connection.
- In the Server and Remote ID fields, enter the IP address of the server. Leave the Local ID field blank and Proxy set to “Off”.
- In the Authentication section, enter the username and password that you created in Step 3 and tap Done.
- Select the VPN connection you just created, toggle the Status switch at the top of the screen, and you’ll be connected to the VPN.
Congratulations! You’ve connected to your private VPN server.
Conclusion
In this tutorial, we explained how to set up a private VPN server using Gcore VDS. Now you can securely access Instagram and other online services from anywhere, without the limitations of public VPN servers.
Check out our article dedicated to setting up your personal VPN server using a preconfigured Gcore Cloud OpenVPN instance: How to Run OpenVPN on Ubuntu Server.