Smoothwall Firewall project

Thursday, 25 January 2024

How to simply build and maintain your own VPN service for complete privacy


One of the best ways of staying safe on the web is to use a VPN (Virtual Private Network), which keeps all your traffic across the internet encrypted and, more importantly, away from prying eyes.

Now the easiest way for most people to do this is via a paid-for service, and for 95% of the population that's perfectly fine. However, for computer professionals, the fact that you are using someone else's service leaves a worry that logs (although they claim they don't keep them) could be kept of where you visited and when. This is unacceptable to me.

So I have built my own service using these basic tools.

  1. Amazon EC2 service
  2. WireGuard kernel VPN service Docker container
  3. Ubuntu 22.04 (soon to be 24.04) operating system built on an Amazon AMI virtual instance
  4. Terraform to build the whole service from scratch
  5. Ansible to configure and constantly keep state of the virtual instance
  6. Docker and Docker Compose

Now there is a lot of programming code that is tucked away in my private GitLab instance for this, but I will describe how the process works and how the system gets built from scratch.

Basically the Terraform code builds the infrastructure and the Ubuntu virtual machine (VM) that the VPN will work on. Once this code has run, it will have created everything, including a static IPv4 and IPv6 address that the VPN can use.

Once the VM is up and running, and I can successfully log onto the machine with SSH, I then run Ansible code to build all the required parts of the system, and upload the docker compose code ready for building the docker container that will be the VPN server endpoint.

Once that has all been completed and the docker container is up and running, I test that the new container is accessible from my local laptop using netcat - via the AWS security groups that were built with Terraform.

The initialisation of the WireGuard Docker container creates several user configuration files that are required by any client application that wishes to connect to this VPN.

With the WireGuard client installed on any laptop or desktop, you can now connect to the VPN in whichever part of the world you created the VM. This allows for great flexibility and availability.
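An added example, not part of the original post or the author's private code: a Python check that a generated client configuration file routes both IPv4 and IPv6 through the tunnel and sets a DNS server before it is handed to a user. The sample config, its addresses and key placeholders are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample client config: placeholder keys, made-up addresses.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.13.13.2/32
DNS = 10.13.13.1

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0
"""

def parse_wg_conf(text):
    """Return a list of (section_name, {key: value}) pairs; [Peer] may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)          # split once: base64 keys end in '='
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def audit_client_conf(text):
    """Return privacy findings for a client config; an empty list means none."""
    sections = parse_wg_conf(text)
    iface = next((kv for name, kv in sections if name == "interface"), {})
    peers = [kv for name, kv in sections if name == "peer"]
    findings = []
    if not iface.get("dns"):
        findings.append("no DNS set: lookups may use the local resolver")
    if not peers:
        findings.append("no [Peer] section")
    routed = set()
    for peer in peers:
        if not peer.get("endpoint"):
            findings.append("peer has no Endpoint")
        for cidr in peer.get("allowedips", "").split(","):
            if cidr.strip():
                routed.add(ipaddress.ip_network(cidr.strip(), strict=False))
    for default, family in (("0.0.0.0/0", "IPv4"), ("::/0", "IPv6")):
        if ipaddress.ip_network(default) not in routed:
            findings.append(f"{family} default route missing from AllowedIPs")
    return findings
```

Calling `audit_client_conf(SAMPLE_CONF)` reports the missing IPv6 default route, which on a dual-stack network would leave IPv6 traffic outside the tunnel; it only recognises the literal `0.0.0.0/0` and `::/0` entries, not split default routes.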

Also, as Docker containers are so efficient and small in size, the VM can be used for many other tasks using other Docker containers, like OpenVPN, Transmission, GitLab, etc.

I have been using this method for many years now and it is rock solid and extremely reliable. 

This supports a small team of users, but could be easily scaled to support many more users, and multiple instances would provide resilience.

Another major advantage is that this can all be run on an AWS micro instance, so it is inexpensive. Though slightly more expensive than just using a paid-for service, you have 100% control and know that all logs can be deleted on a daily basis, and the VM can be destroyed and re-built in minutes in another region or availability zone, or for any other reason.

With the way the Internet is going and every company wishing to snoop on your work and activities, the more you can keep things private, the better.