Setting up your own VPN

With all the discussion of using VPNs for privacy, I decided to set up a VPN for our family.  Using a minimum virtual private server at Digital Ocean (I included a referral link) at $5 a month, if you have adequate home bandwidth, you can afford to spend some of that bandwidth on encryption overhead.

What this VPN service will do: if you use HTTPS in your browser, and if you use the VPN software on your machine, then all traffic passing through your ISP will be encrypted.  This will not improve your privacy with Facebook, Amazon, Google, Gmail, etc.  It will simply make the traffic leaving your house unreadable by outside parties until it leaves Digital Ocean.

This is a little nerdy, but the instructions are straightforward.  All of Digital Ocean's products use Unix.  Unix is the base of any Macintosh running OS X: if you launch the Terminal application, you're using Unix.

If you've never used Unix before: if you have a Mac, bring up Terminal; if you have no Mac, you could sign up for a $5 per month Digital Ocean droplet and start playing with Unix there.  I'd recommend Lynda.com online courses, and I can suggest two: basic Unix on a Mac, and using the nano editor (or, if you used Unix years ago, the vim editor).  That should make you dangerous enough to complete this process.

If at any time you screw up your Digital Ocean server (they call it a droplet), you can simply delete it; you'll be charged only for the fraction of a month that you used it.

Ready? Let’s get started:

Now, create an account on Digital Ocean.  You should use two-factor authentication and use your smartphone to verify your identity.  Choose a $5 droplet and locate it in the US, as close to you as possible (SF or NY), and choose Ubuntu as the Unix system.  You'll get an email with login credentials.

Using their tutorial, set up an OpenVPN server.  Google 'Digital Ocean VPN' and go to the one for the latest version of Ubuntu.  As of this writing the Ubuntu version is 16; here's the current tutorial.  If you use this link later, it may be out of date (because it supports multiple versions of Ubuntu, Digital Ocean doesn't delete old tutorials).

If you run into an error using their instructions, it's because you didn't create a few directories.  The Unix command is 'mkdir <name>'.  Also, they want you to set up client1 as the name of your VPN credentials; use your first name instead, and set up one for each person who will access the VPN.

After you finish the tutorial, if you're using a Mac, get an application called FileZilla (which allows file transfers between computers), connect to your droplet using SFTP, look in the files directory for a file called <your first name>.ovpn, and transfer it to your Mac.  There is a free Mac program called Tunnelblick which I found to be almost unusable; I spent $9 per Mac on a program called Viscosity which I found very easy to configure.  Each Mac should have its own copy, and you can use the same credentials on each Mac.

I played with the OpenVPN app on an iPad and found it to be deadly slow.  I wouldn't recommend it.

After all this, you need to secure your droplet further, since you are now the systems administrator of your VPN 🙂

The next step in this process is to create RSA keys for accessing your Digital Ocean droplet.  Normally on Unix, to administer the machine you do it from an account called 'root'.  Having a password that isn't hackable can be a concern, so we are going to create a link between your home computer and Digital Ocean that will allow you to 'login' but prevent others from logging in.

So here's the first step: creating keys on your Mac (if you have a PC, the article has a link).  Create the keys as in the article.  BEFORE you eliminate root password access, make sure that you've set up RSA key access from all the computers you'll use to access the server.  Then disable root password access.
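As an added example (not from this post or from Digital Ocean's tutorial), here is a POSIX shell function that makes the sshd change described above while enforcing the caveat in the same step: it refuses to disable password logins until a public key is actually installed.  File paths are passed as arguments, and the sample config and key in the demo are constructed.

```shell
#!/bin/sh
# Hardens an OpenSSH server config the way the post describes:
# key-based login stays, root password login goes away.
# Refuses to act unless the authorized_keys file already holds at least
# one public key, so you cannot lock yourself out of the droplet.
#
# Usage: harden_sshd_config /etc/ssh/sshd_config /root/.ssh/authorized_keys
# (paths are arguments so the function can be exercised on copies first)
harden_sshd_config() {
    cfg="$1"
    keys="$2"

    # Safety check: at least one real key line must exist before
    # password logins are disabled.
    if ! grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) ' "$keys" 2>/dev/null; then
        echo "refusing: no public key installed in $keys" >&2
        return 1
    fi

    # Drop every existing setting (commented or not) for the three
    # directives, then append the hardened values at the end.
    tmp="$cfg.tmp"
    grep -Ev '^[[:space:]]*#?[[:space:]]*(PermitRootLogin|PasswordAuthentication|PubkeyAuthentication)[[:space:]]' "$cfg" > "$tmp" || true
    {
        echo 'PermitRootLogin prohibit-password'
        echo 'PasswordAuthentication no'
        echo 'PubkeyAuthentication yes'
    } >> "$tmp"
    mv "$tmp" "$cfg"
}

# Prints the effective (last) value of one directive, e.g.:
#   ssh_setting /etc/ssh/sshd_config PasswordAuthentication
ssh_setting() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Demo on constructed copies (never the live /etc/ssh/sshd_config):
demo_dir=$(mktemp -d)
printf '#PermitRootLogin prohibit-password\nPasswordAuthentication yes\nPort 22\n' > "$demo_dir/sshd_config"
: > "$demo_dir/authorized_keys"              # empty: first attempt must refuse
harden_sshd_config "$demo_dir/sshd_config" "$demo_dir/authorized_keys" || true
# constructed key, not a real one
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYDATAxxxx user@mac' > "$demo_dir/authorized_keys"
harden_sshd_config "$demo_dir/sshd_config" "$demo_dir/authorized_keys"
ssh_setting "$demo_dir/sshd_config" PasswordAuthentication   # prints: no
```

Run `sshd -t` after editing the real file and keep an existing SSH session open until a fresh key-based login succeeds.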

Finally, Ubuntu will not update automatically, and you might never log in again :), so it's critical to have updates installed automatically; tutorial here.

My last suggestion is: don't save $5 a month by adding anything else to this server, including a domain name.  You'll access it by its IP address, which will be encoded in the .ovpn file (IP addresses look like nn.nn.nn.nn).  You can't access it by name without a domain name, but a name might attract attention on the net, and bad people might poke at your server.  So no websites, etc. etc. etc. on this droplet.  Pay another $5 if you want something else.

My next goal is to find a hardware device that can connect my house to Digital Ocean, so nothing needs to run VPN software while in my house....

Let me know if I forgot anything.

Update:  The default DNS servers for OpenVPN are OpenDNS, and I noticed a long DNS delay, so I changed the DNS servers to Google's (8.8.8.8) and things are going better.  See this article for changing the DNS settings of OpenVPN; I used the Google public DNS servers.
