Free OpenVPN server and paid OpenVPN service (ex NordVPN)


Spaghetti_Jack

Occasional Visitor
Hello,


I would like to ask you to clarify a difference that I think is important. In a tutorial like the one below:


where it is shown how to set up your router as a VPN server, meaning that connections from the outside world can be routed and forwarded to the router.


But if I understand it correctly, the ISP of the router/server can still see what happens AFTER the incoming connection has been routed. Is there a free alternative to paid non-log VPN providers like NordVPN / Surfshark / ExpressVPN that use OpenVPN technology that can be used at home?
 
If we're talking about your own OpenVPN server on your router, your ISP can NOT see anything about what's happening on the tunnel. The tunnel's exit is within YOUR private network. All the ISP (or anyone else for that matter) can see is a single connection between a client and your server, all of whose traffic is encrypted. That's what makes a point-to-point VPN where you control both ends so secure.

OTOH, when it comes to your own OpenVPN client to some commercial OpenVPN provider (server), the provider *can* see your traffic as it exits on the tunnel on his side and before being routed to the internet. In that sense you're just moving the point of trust from your ISP to the VPN provider. But that's the price you pay for not controlling both ends of the tunnel.
 
So what you are saying is that I don't need a VPN provider,
but a properly configured ASUS router as an OpenVPN server (which in fact is connected to the ISP), to which I would connect devices from my network, and all connections generated on local computers will be encrypted from the ISP? Without the necessity of having a paid VPN service?
 
You seem to be conflating two separate use cases wrt the VPN.

You typically use an OpenVPN *client* on your router (or smartphone, laptop, etc.) to connect to a commercial OpenVPN provider (server) in order to hide your traffic from the ISP or anyone else up to the point of the OpenVPN provider's server, which then drops your traffic on the internet. As I said, that moves the point of trust from the ISP (who without the OpenVPN client could see your traffic) up to the OpenVPN provider (who can see your traffic).

You use your own OpenVPN *server* so you can remotely access your home network in a secure, encrypted fashion. All your traffic is hidden from *everyone* from the point of your remote OpenVPN client to your OpenVPN server because YOU control both ends of the tunnel. There's no third-party involvement in this type of connection.

For advanced users, you could even remotely access your OpenVPN server at home, then route that traffic over the OpenVPN client to a commercial OpenVPN provider!

So you only need a paid OpenVPN provider/service when you want/need to secure your traffic from the point of the client to the internet. Anytime you're merely accessing your home network, there's no involvement of a third party, like the commercial OpenVPN provider. YOU are the provider!
 
That is actually what I thought about those VPNs in the first place.



For advanced users, you could even remotely access your OpenVPN server at home, then route that traffic over the OpenVPN client to a commercial OpenVPN provider!
Just to confirm I understand you right. Your router is both a client (to a commercial OpenVPN provider) and an OpenVPN server to those who have SSL certificates.
After you connect to your server remotely (you have both ends), you have access to the client (you have one end). So in fact you have remote access to the VPN provider from wherever.
Is that right?

So you only need a paid OpenVPN provider/service when you want/need to secure your traffic from the point of the client to the internet. Anytime you're merely accessing your home network, there's no involvement of a third party, like the commercial OpenVPN provider. YOU are the provider!
I assume that most of us would like to do it by default anyway, not because we do dirty things, but because this is just part of daily digital hygiene, and otherwise this data would be stored at the ISP till the end of your life.


Thanks for the explanations
 
Just to confirm I understand you right. Your router is both a client (to a commercial OpenVPN provider) and an OpenVPN server to those who have SSL certificates.
After you connect to your server remotely (you have both ends), you have access to the client (you have one end). So in fact you have remote access to the VPN provider from wherever.
Is that right?

Correct.
 
Will it be a lot of hassle to set up the 'advanced' option that you mentioned, or is it automatic?

I read a bit about the topic; it seems that I will want to be able to set up an OpenVPN server where the possibility of connecting to the router is based on individually issued 4096-bit SSL certificates, not on passwords, whether the user is in range of the router or away.
Afterwards, to further extend hardening, OpenVPN tls-auth.

It is hard to estimate how much work that would be to get to the finish line for someone who hasn't done it. Probably more than expected, as usual. I will start by reading the tutorial mentioned in the first post.
 
Will it be a lot of hassle to set up the 'advanced' option that you mentioned, or is it automatic?

I wouldn't say it's automatic. For one thing, you can't have all your OpenVPN client traffic back home being routed over the VPN, *and* connect to your OpenVPN server at the same time, *unless* you use PBR (policy based routing) w/ the OpenVPN client. By doing so, it removes the router itself from the OpenVPN client, making the OpenVPN server accessible. And since the ASUS oem/stock firmware doesn't support PBR (NOT as far as I know), that firmware won't work.

Once you are using suitable firmware, you then have to add the OpenVPN server's tunnel IP network to PBR so it too is routed over the OpenVPN client.

Probably a lot of that made no sense. But bottomline, it's NOT automatic. There are some hurdles you need to get past, some settings to deal with, etc. And probably not worth discussing since you're nowhere near that point as yet.

I read a bit about the topic; it seems that I will want to be able to set up an OpenVPN server where the possibility of connecting to the router is based on individually issued 4096-bit SSL certificates, not on passwords, whether the user is in range of the router or away.
Afterwards, to further extend hardening, OpenVPN tls-auth.

You can use either client certs or username/passwords for authentication, or both. It's up to you.

Just beware, using your own OpenVPN server *assumes* you have remote access capability, which means a *public* IP from your ISP. Sometimes ISPs, in an effort to minimize the demand for the limited number of IPv4 addresses available, will place you on a *private* network, or use CGNAT (100.64.x.x). If that's the case, remote access is impossible! You *must* have a public IP. In many cases, it just requires making a request to the ISP for an exception (usually w/ no charge). In the worst case, you may have to pay extra for a static public IP.
 
Above all,
is there any Linux network hardening path that you follow or would recommend reading about? Since that was the cornerstone for opening the topic.

Both of your answers make sense; however, the know-how is still not here.

I wouldn't say it's automatic. For one thing, you can't have all your OpenVPN client traffic back home being routed over the VPN, *and* connect to your OpenVPN server at the same time, *unless* you use PBR (policy based routing) w/ the OpenVPN client. By doing so, it removes the router itself from the OpenVPN client, making the OpenVPN server accessible. And since the ASUS oem/stock firmware doesn't support PBR (NOT as far as I know), that firmware won't work.

Once you are using suitable firmware, you then have to add the OpenVPN server's tunnel IP network to PBR so it too is routed over the OpenVPN client.

Probably a lot of that made no sense. But bottomline, it's NOT automatic. There are some hurdles you need to get past, some settings to deal with, etc. And probably not worth discussing since you're nowhere near that point as yet.

I assume Merlin (my signature) would be suitable for that task.
I connected to the router to check the VPN server settings and compare them to the VPN server tutorial, and I noticed that the discussed tutorial is 4 years old (however with 15 pages of ongoing discussion), and there are many changes.

Nevertheless, happily I found that there is "TLS control channel security (tls-auth / tls-crypt)", which I read about, to be activated

[image below]

You can use either client certs or username/passwords for authentication, or both. It's up to you.

Just beware, using your own OpenVPN server *assumes* you have remote access capability, which means a *public* IP from your ISP. Sometimes ISPs, in an effort to minimize the demand for the limited number of IPv4 addresses available, will place you on a *private* network, or use CGNAT (100.64.x.x). If that's the case, remote access is impossible! You *must* have a public IP. In many cases, it just requires making a request to the ISP for an exception (usually w/ no charge). In the worst case, you may have to pay extra for a static public IP.
Discussing a static IP with my ISP, I will have to call them, but I wouldn't give it a big chance.

I guess it cuts me out of the possibility of having access to the network from outside.
However, I still assume that I am able to build a safe infrastructure at home, where one of the pillars of the network would be
"OpenVPN server's tunnel IP network to PBR, so it too is routed over the OpenVPN client".

[image: router_merlin_vpnserver_openvpn.png]
 
Above all,
is there any Linux network hardening path that you follow or would recommend reading about? Since that was the cornerstone for opening the topic.

I use whatever hardening is provided by the router (i.e., its native firewall) and OpenVPN itself (TLS connections, client certs, username/password, HMAC, etc.). If there's one thing OpenVPN has done particularly well, it's adding multiple layers of security to minimize the attack surfaces.

I assume Merlin (my signature) would be suitable for that task.

Yes.

Discussing a static IP with my ISP, I will have to call them, but I wouldn't give it a big chance.

Remember, the requirement for remote access is a *public IP* (dynamic or static). But when ISPs limit you to a *private IP*, they may require you to purchase a *static* public IP. Hopefully that's not the case, and they'll just change your account to use a *dynamic* public IP (DHCP), usually at no extra charge. But if they insist on only providing you w/ a private IP, you're out of luck. Remote access just isn't possible. At least not without some other, more complex trickery.

Notice in the snapshot of the OpenVPN server GUI you posted, it specifically mentions the fact your WAN IP is presently using a private IP. And if that router is the primary router (iow, there is no other router upstream of it, say the ISP's modem+router, which would be a double NAT situation), then indeed you have to deal w/ this issue.

I guess it cuts me out of the possibility of having access to the network from outside.
However, I still assume that I am able to build a safe infrastructure at home, where one of the pillars of the network would be
"OpenVPN server's tunnel IP network to PBR, so it too is routed over the OpenVPN client".

If you can't access your OpenVPN server due to NOT having a public IP, how can you expect to route the traffic from its tunnel through your OpenVPN client back home?

Now when it comes to the home network, yes, you can route all or only some of it (using PBR) over the router's OpenVPN client. It just won't include anything from the OpenVPN server since it's NOT operational w/o a public IP.
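The public-IP requirement discussed above (CGNAT in the 100.64.x.x range, RFC 1918 private WAN addresses, and the double-NAT case with an upstream ISP router) can be checked before any OpenVPN server work starts. This is an added example, not code from the thread or from Asuswrt-Merlin; the two addresses it compares (the router's WAN address and the address the internet sees for the connection) are assumed to be supplied by the caller, and the sample values are constructed.

```python
import ipaddress

# Address space an ISP may hand out instead of a public IPv4 address:
# RFC 1918 private networks and the RFC 6598 carrier-grade NAT block
# (the "100.64.x.x" range mentioned in the thread).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_ip(addr: str) -> dict:
    """Classify the address a router holds on its WAN side.

    Returns the address kind and whether an OpenVPN server directly behind
    that address can be reached from the internet at all."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 only: the scarcity problem in the thread is an IPv4 one")
    if ip in CGNAT:                     # checked explicitly; stdlib flags vary by version
        kind = "cgnat"
    elif any(ip in net for net in RFC1918):
        kind = "rfc1918"
    elif ip.is_loopback or ip.is_link_local or ip.is_reserved or ip.is_multicast or ip.is_unspecified:
        kind = "special"
    else:
        kind = "public"
    return {"kind": kind, "remote_access_possible": kind == "public"}


def diagnose(router_wan_ip: str, externally_seen_ip: str) -> str:
    """Combine the router's WAN address with the address seen from outside
    (e.g. reported by a 'what is my IP' service; obtained by the caller)."""
    wan = classify_wan_ip(router_wan_ip)
    ext = classify_wan_ip(externally_seen_ip)
    if wan["kind"] == "public":
        return "public WAN IP (dynamic or static): the OpenVPN server can be reached once its port is allowed in"
    if wan["kind"] == "rfc1918" and ext["kind"] == "public":
        # The private WAN address comes from an upstream device (e.g. the ISP's
        # modem+router) that itself holds the public address: a double-NAT setup.
        return "double NAT: the upstream router holds the public IP, so the private WAN address alone does not rule out remote access"
    if wan["kind"] == "cgnat" or ext["kind"] != "public":
        return "CGNAT or private upstream: no public IP, remote access impossible until the ISP provides one"
    return "unexpected combination: check the devices between the router and the ISP"


if __name__ == "__main__":
    # Constructed sample values; 203.0.113.7 is a documentation address standing in for a public one.
    print(diagnose("192.168.1.2", "203.0.113.7"))
    print(diagnose("100.73.10.5", "100.73.10.5"))
```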
 
Alright,

Your explanations are very clear; you have a talent for describing complex things in a simple way.
I called the ISP (with big companies, it takes time and patience to dig through the automatic system...) - it is a *public* *dynamic* IP.

So this problem is solved!


My signature is upgraded; I have a DSL router before my Asus router.

Are there any topics known to you which briefly sketch the architecture of what I am supposed to do (to let me understand where I am going),
and then give a how-to explanation?

(I am posting it as much for you as for myself)
About the layers of security of OpenVPN, I found this:

Hardening OpenVPN
part#1
part#2

books:
OpenVPN Cookbook 2nd Edition
Mastering OpenVPN
 
I don't have any specific advice or recommendations about further hardening OpenVPN (other than the obvious). But the OpenVPN documentation itself is a pretty good starting point. Many ppl never bother to visit the site, or even realize it's there. If they did, they probably wouldn't need to be asking half the questions they do in this and other similar forums!
 
Absolutely,

thanks for the link, it is very detailed.

I will read it, set up my server, and come back with error questions after getting my hands dirty.

Till then
 