The author suggests the following use cases: Mask your IP address, Hide from snooping ISPs, Extra security on public Wi-Fi, Unblock geo-restricted content, Connect to your home network from anywhere
Snooping ISPs, public IP, and geoblocking are not prevented by a VPN server in your home network, which the author does not warn about.
The other two cases work if you make your VPN server accessible from the internet, which the author also does not expand upon or even mentions.
It's a good tutorial but the question about VPN servers is often now how, but where. And this question is not asked.
If you use your own VPN to home then you can access everything on your home network without setting up port forwarding, if you have stuff like that. I used to but not these days.
You could also have the PI run a VPN client and connect to a privacy-promising VPN service, effectively ‘bouncing’ off home.
Not sure if that is even technically possible without pain, or why you wouldn’t connect directly to the privacy-promising VPN.
Some streaming devices. My IP TV service doesn't work through a VPN back to my home. It acquires location information from GPS (or other location sources), not the IP address. I had wanted to watch something from my home town broadcast channel while visiting family in another state. Turns out that wasn't possible.
Wait, someone bothered to put GPS checking? Awful, that's absolutely not required to license a channel, AFAIK only regular IP-based checks are enforced by channel networks to the distributing ISPs.
I'm not sure why an ISP would limit the physical location, and also how would that work if they have users in another state?
I've heard about WISPs putting GPS locks on their CPE devices, but that's pretty useless too, they're setup to connect to one tower only, if you move it, it won't see the tower and won't connect to anything, so ... ??
The specific about it are that I was trying to watch content on a broadcast channel. It was probably a local sports game. But, I was in a different city with a different affiliate. So, the geographic region does actually play into the licensing for these channels. I could otherwise watch whatever (and the local affiliate for the city I was in), but regardless of what my IP address was, I couldn’t watch the affiliate for my city.
It makes sense, but I’m not sure I was expecting the TV provider to be that detailed.
In the U.K. this is done by BT for users of their sport app, so the channels can only be streamed in the U.K. I think this was a requirement of the rights holder (the sports bodies).
Yes, sports are a different thing altogether, the rights holders have draconian rules because piracy is so widespread.
Ironically, a TV show that my ISP's content division made, which is free for it's users, was the most downloaded torrent (in Serbia) in the second half of 2019. I did an analysis of the IPs of everyone who downloaded it, a significant percentage (~20%) were from that ISP.
Basically, people risk fines and warning letters by pirating a TV show that is free for them (cable ISP that doesn't sell Internet without TV, any and all TV packages come with a smart phone app and website where you can watch your channels + a free VOD catalog) because the restrictions on device type, bootloader integrity, IP address are so draconian.
The ISP, of course, looses in the end, because it's users were also uploading the TV show to other torrent clients of non-users, which is lost potential revenue.
For port forwarding, I just SSH into my Raspberry Pi and then tunnel through that. Are there any benefits to using a VPN instead, other than not having to configure individual ports to forward? The only one I ever find myself using is VNC.
I did this for my parents. I got a RasPi 3 and a 3G modem, and setup remote management so I can check modem parameters remotely, even if the Internet is completely dead (using the 3G modem as an out of band connection).
I setup a VPN client on the 3G interface since there's no public IP address, and I connect to it from my own home network as a local IP address (which can't actually access my network due to explicit firewall rules I setup).
This way I can reboot the modem remotely even if the Internet is dead, and I also setup the Pi to reboot itself every night at 3am, in case something goes wrong and the VPN client crashes.
Yes, since it's a "modern" modem, it appears as a RNDIS ethernet interface. My VPN server's IP is constant, so I just set a default route to my VPN server's IP over 192.168.8.1 which is default Huawei mobile broadband gateway IP.
If you trust your home network / ISP / Government more than you trust the Starbucks (or any public) network, you get to at least transfer your risk.
But you also don't get much more than that for using a paid-VPN, you just transfer the risk of being snooped on to their network/ISP as opposed to your own. Same with running a node on AWS/Digital Ocean.
VPNs do not make you anonymous. A shared VPN might give you some plausible deniability but it's hard to trust that your specific traffic isn't being logged.
> VPNs do not make you anonymous. A shared VPN might give you some plausible deniability but it's hard to trust that your specific traffic isn't being logged.
That's true. But unfortunately, a lot of product placements on YouTube suggest exactly that. The claims of companies like NordVPN are highly misleading if not simply wrong. But especially on non-tech related channels, the audience is unlikely to know how VPNs work and what they do.
> A shared VPN might give you some plausible deniability
It might, but it's very feasible to correlate encrypted VPN traffic to outgoing traffic with netflow logs, which the underlying network operator is almost certainly storing.
Prevents snooping by your mobile provider and on public networks. If you self-host other services, access to those services without opening them up to the wider internet. Access to "personal cloud" storage.
I have a VPN, which is there to tie everything onto one network, regardless of what "real" network its attached to.
This means that if I'm out and about I can still push and pull to my local gitserver, or access the home control systems.
I have it on my phone as well, so I can control localnetwork things even if I'm on 4G
But unless you have machines running on different networks, or you want to access internal things from outside your home, running a VPN may be mostly pointless(save for the fun learning).
Digitalocean's DNS is free, so you can, at a push create a script to do dynamic DNS, should other systems fail you.
For me, I have a dedicated VPN node, Which depending on what I'm doing is either hosted on a VPS, or a physical box. (depending if I can find somewhere with decent network) that is called something like vpn.mydomain.com
All other nodes are connected to that. I then use Anisble to manage the keys, DNS and installing of packages. This makes things nice and dynamic, and simple to re-create/backup/redeploy.
However, I should add, I'm an SRE by profession, so this is 85% more work than most people would want or need.
Well, for one, if you have any intranet services that you want to access from outside of the network, but aren't sure in their bulletproof security, it's better to firewall everything other than one port on one device for the VPN, and connect via the VPN to access intranet services.
Second, some ISPs offer TV service on mobile devices and even set top boxes, but only inside your LAN on your assigned IP address. My ISP offers up to 3 TV STB devices (that run Android TV) per contract for free (mandated by law, because I can't buy my own STB and get a smart card!), but they only work on my LAN.
Since I live away from my parents, I wanted to have TV in their house without paying twice (that same ISP is not available at my parents' house at all, anyway)
My solution was to install OpenVPN Connect on the set top box, set it to auto start on boot, and to auto connect to my VPN.
From the TV app's point of view, I'm in my LAN, and it can talk to my modem on it's fake "virtual" IP address, and also reach the ISP's servers with proper authorization (they authorize users based on the IP address that was assigned to that user, which is stupid if you share your WiFi without having VPN on the guest SSID, but whatever).
My cable provider lets you watch all the channels over the internet... but only on your home network. This would allow that to work remotely.
Also, services like NBA League pass black out the games for your local teams, based on your IP address. One time I was visiting the in-laws, who happened to be in the market for the game I wanted to watch. VPN to home let me stream the game.
Mainly, my family all use the VPN on our mobiles with openVPN. From my mobiles we can stream and/or download our music and movies from the rp2 server using Kodi+Yatse with trivial set up. It's like having your own Netflix+spotify for your own digital collection.
You can access your own files when you're away. But, personally, that's the only reason I run a VPN on my own network. I use a VPN service when I want a foreign IP or when I'm sitting in a coffee shop.
I don't have a use for a "virtual private network" that just connects me to the public internet. My primary use case is to connect to stuff on my home network (or my work network).
>> Snooping ISPs, public IP, and geoblocking are not prevented by a VPN server in your home network, which the author does not warn about.
It helps for these things when abroad, e.g. when travelling I can stream Netflix content and live TV that are region-locked to where I live. Having the VPN on all the time while not on home WiFi also makes it impossible for sites/services to figure out when I'm moving around and where, and basically thwarts any attempt to derive where I am at any point in time.
I think that will vary based on ISP, etc.. Opening up ports on your home router is not a hugely difficult thing but I can see why it's not in scope of the tutorial..
Mentioning that it's a required step could have been helpful though.
Ah ok, I didn't actually read the article (or all of your comment, apparently ;-). I just assumed it would explain at least that much. What's the point of a VPN server that isn't reachable from the internet?
> What's the point of a VPN server that isn't reachable from the internet?
exactly...
The tutorial only explains how to set up a VPN server but nothing of the surrounding infrastructure to make it useful for any of the use cases the author mentions.
I would never suggest OpenVPN when there is something like Wireguard. I switched to WG few years ago and the performance boost on a old Raspberry Pi v1 was astonishing since it has much lower requirements wrt to the CPU.
It's also way easier to setup, and it covers all basic VPN needs for almost all home-VPN use cases.
I remember spending a whole day configuring OpenVPN, lots of packages, certificates, key files, no clue what half of the things I was doing were for. I also didn't particularly like the OpenVPN iOS client. Setting up WireGuard took less than an hour, every step of the process made sense, and it allowed me to remove a whole lot of cruft from my server.
For things that run on my home server I like to at least have the impression I know what I'm installing and how it is configured, so a magic script like you referred to is not really an option.
I used this guide to configure OpenVPN [1], which you could almost publish as a paperback ;-)
I agree that setting up OpenVPN for the first time might be quite messy, so such script can be useful - it is quite simple and lets you do standard setup.
What I am wondering - it is using a pregenerated dh param file (I can understsand why - to make the initial process faster). I am not much into crypto, with all the other elements being created during the setup process, how big no-no is having a predefined dh file?
For me OpenVPN server was not that hard to manually set up, but clients were really messy. I had various problems with both OpenVPN for Android and Tunnelblick (for macOS), where the latter were problematic enough for me to switch to WireGuard with no regret.
I had no problems with OpenVPN Connect which is the "official" client for Android. For a short time I used Mac OS X (before rebranding), Tunnelblick never worked properly. I forgot the exact problems, but mainly crashing of the software that locks up all network interfaces until reboot, constant disconnecting, and one text field which was unfillable.
Only thing stopping me from setting up an Rpi on wireguard as a VPN bridge (I'm using mullvad's excellent application) is that so far I haven't been able to successfully set up the firewall so that all traffic gets into wg0 except for ssh, with which I connect to in SOCKS5 proxy (from work). Some sort of split tunnel.
Seconding this, and that is one of my main points of irritation about the tech world, and the world in general. That we keep permeating outdated solutions in new articles and blog posts and elsewhere, when other actually superior solutions have been found.
This has irritated me for about a decade! Probably unreasonably.
Rasberry Pi was not the first ARM dev board with linux, and most of the "Make your Pi do X!" recipes out there would more reasonably be described as "How to set up your linux server do X", but that's not cool, and had no Pi, so ...
Grrrr mumble mumble, yes I know I'm an old curmudgeon.
I think the reason is that is that Pi has brought Linux in the flavour of Debian to the general public, many won't understand the concept or importance of an OS or how it can be portable; It's Raspberry Pi's "Software".
The second and more likely reason is that Raspberry Pi are keywords that help get you in the hands of your target audience, I'm guilty of it on my blog. If you're running a Debian server on x86, you're probably not the target audience for a "simple" VPN tutorial.
A while ago someone had a "how to set up your own Alexa on a Pi". It was just using Java, so I tried it on Windows, and it worked. I commented so on the guide, which was hosted on Github, and I got many many replies asking "Can you tell us how to do it?".
It annoyed me that these folks have a Github account but can't figure out things without step-by-step instructions...
It immediately runs a script from a site in a bash instance. The script could do anything like exploit some zero day like shellshock or other vulnerability. They would prefer the user read the script first. Most people won't read it either way, but if people don't just pipe it to bash other people will feel like it is more secure. If the script is served over http then there are also ways of replacing it by some mechanisms without you knowing as well which can add danger.
Running untrusted code without even looking at the code first. For all you know, the script asks for root access, and if granted, installs a rootkit, and if not, deletes all the files in your home directory.
Random scripts from the internet should always at least be casually reviewed. Posting something like this just encourages people to trust random scripts on the internet, which is going to end poorly eventually.
What kind of speed can one expect? I've got gigabit fiber and really do get > 950Mbps in both directions. Would this throttle me to 200Mbps? I can't imagine I would be getting full-speed connectivity.
RPi4 is plenty fast for full gigabit VPN performance. Its ethernet interface should also easily reach 950 Mbps. Although it's a different matter whether current VPN software can take full advantage of it. My guess is not.
There's some handicap due to lack of useful crypto HW in RPi4. But if multiple cores are used, it should easily reach 1 Gbit speeds. VideoCore VI could theoretically also be used for crypto acceleration, although I haven't heard anyone doing it — yet.
Edit: Just tried "openssl speed -multi 4 aes-256-cbc" on RPi4.
>RPi4 is plenty fast for full gigabit VPN performance.
Even if it could do a theoretical gigabit...you'd still be sharing that up & down.
I suspect you could get a good 700ish with a USB 3 gigabit dongle though. I ran a rpi4 as router/fw that way for a couple months (250 internet so never found out where the limits are)
With OpenVPN, yes, you'd get around 200 mbit tops - the thing is OpenVPN is single-threaded and a 1.5 GHz ARM core just isn't enough to cut it. I have an 1.8Ghz ARMv8 in a router and it peaks at ~240mbit, pegging a single core at 100%. Similarly clocked x86 core would fare much better and that's what I'm thinking of upgrading to.
With Wireguard you should have a much better performance however as it's multithreaded and rpi4 offers you 4 cores.
So that someone else's ISP can snoop. It's a tradeoff I guess but just to be clear that someone is able to snoop that traffic, you're just moving from your provider to someone elses provider.
Not applicable in this case, since it's talking about using the RasPi on the home network as a VPS when you're on a different network. It will hide activity from the ISP of the network you're using, but not from the ISP of your home network.
If you find that necessary, feel free to do that, but do it as a conscious choice.
I've worked in datacenters that hosted VPS providers, that had Verizon and Centurylink/L3 as their cross connects. Here's a nice list of Tier1 internet providers, these guys are going to do the bulk of transit for most data centers. https://en.wikipedia.org/wiki/Tier_1_network#List_of_Tier_1_...
There's still going to be direct connect at the various peering points, so in this case, you'll get a direct connect from your provider to say google, but that's already in a TLS connection and google already has your IP address or probably your specific street address as does your VPN provider. So I'm not sure what the point is. You'll get the same thing for amazon and netfilx and facebook but again, all TLS and I don't know that you're gaining much since you've already got a positive ID on you with the tracking these days. If, in fact, they don't have a positive id, They'll have one pretty quickly and perhaps tag you to a VPN IP which they will know is a VPN because the positive tracking has matched you with your CC and your real address as well as all the other people connecting through said VPN from geographically disparate locations. Basically if you sign into a single account over your VPN, then the cats out of the back and if you don't then the cat is PROBABLY out of the bag.
I check out these VPS providers that pop up here and there but there's never a mention of their transit, they are just using whatever the datacenter has, and most of them have the same backbone providers as the last mile. So, while this may be necessary for some people, You'll often see people make this decision thinking it grants the privacy when it doesn't really change that part of their situation.
I think it can be a dangerous part of discussion since it's not clear to most people what's actually happening.
We are using this at the office. We and our clients often use IP restriction to servers as first line defense, so Pi in the office lets us access office static IP while outside.
This has helped tremendously and is super easy to set up.
Bonus is while traveling we can access services without firewalls from our home country and everyone sees us as "still in the office". This includes clients, government, banks, etc. Additionally while using it we are not detected to be using VPN so far.
It is against their law to use vpn. Hence 1 person “solution” is not a real solution dealing with totalitarian state. But as any individual you should do two. One this. The other one somehow get a political solution if available to you.
Or go with something that can do a bunch of different solutions: https://github.com/StreisandEffect/streisand Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
For better performance and more flexibility I'd recommend an ESPRESSObin v7 over a Pi. 3xGbE ports and a dedicated topaz switch offer something much more akin to a true router than the Pi.
Do you know if Debian/Armbian is working on Espressobin? Last time I played with one, I couldn't get Armbian loading and went with Arch instead, following this tutorial:
It works like a charm indeed, I run the WireGuard client on all my devices (laptop, phone, tablet) in on-demand activation mode (VPN activates whenever I leave my home WiFi), and configured them them to use the PiHole server as DNS, so I have ad-blocking on all my devices, all the time. I don't perceive any kind of negative effect on network performance (it helps to have fiber with symmetric up/down speeds for this setup)
Is it possible to set it up like this: I want to use mullvad VPN, so my IP/location is obfuscated, but still to have PiHole? So something like I connect my laptop and mobile to my router -> RPi -> mullvad VPN -> internet. If it is, how can I achieve it?
With Wireguard you set DNS server IP directly in the config file, it is not negotiable over the connection. So you can edit the config to set it to your pihole's ip. Or remove the DNS line altogether and then it won't touch your DNS settings at all.
I had a raspberry pi vpn server. serveed traffic over UDP, used port knocking to open it up. blocked everything else, worked pretty good, but damn SD cards kept dying. :-/
The Pi is notorious for murdering SD cards, but if you use an "endurance" card, which are often sold for use in dashcams, you should find it lasts a lot longer.
If you 'dd' the sd card over to a usb key, and add 'program_usb_boot_mode=1' to the config.txt, you'll get a more robust filesystem and a speed-up bonus as well.
To be fair. The claim that it makes you more secure by masking your IP is wrong. But securing you connection in public Wi-Fi networks is probably the main VPN use-case for the average user.
Yeah, these micro pcs are really nice, thinking of getting one like that myself. But rpi4 costs an order of magnitude less ($35), it's in a different price class I'd say.
Snooping ISPs, public IP, and geoblocking are not prevented by a VPN server in your home network, which the author does not warn about.
The other two cases work if you make your VPN server accessible from the internet, which the author also does not expand upon or even mentions.
It's a good tutorial but the question about VPN servers is often now how, but where. And this question is not asked.