Self-Hosting Your Own Cloud – Part 1: OpenVPN

I recently became very concerned about online privacy when I discovered that Google was maintaining a list of everything I’ve purchased and every flight I’ve taken. I had known that Gmail sorts and filters emails for advertising purposes, but seeing everything consolidated was a big surprise and concern to me.

If you use Chrome and have a Google Account, all of your bookmarks, browsing history, and everything you type into the address bar is sent to and stored on Google servers. Your personal information is stored on servers operated by Google and other companies somewhere on the Internet.

Google also tracks your movements across the web through Google Analytics, Captcha, and Google Public DNS. If you use Google Assistant or have Google products in your home, it can collect even more information about you, which it uses for selling your personal information to advertisers. Of course, Google is not the only company which is collecting this information. A lot of people seem to be willing to trade convenience for privacy without fully realizing what is happening to their data.

This is the first post in a series about protecting your privacy by self-hosting while attempting to maintain the conveniences of public cloud services. See the bottom of this post for a list.

What is Self-Hosting?

Self-hosting is an alternative to the public cloud services that are widely available today. It is about hosting and storing data on your own computers, away from the prying eyes of system administrators, advertisers, and others who might buy, sell, or steal your private data.

These services include email; calendars; contact providers such as Google Gmail and Hotmail; file storage such as Google Drive, DropBox, or Box; photo storage such as Google Photos; music and movie streaming such as Spotify or Apple Music; notes such as Apple Notes; and other services.

When you host your own services, you have complete control and private access to your own data.

How to Self-Host Using a VPN

Most people have high-speed Internet access at their homes and offices. At my home, my connection can achieve 180 Mb/s download and 10 Mb/s upload speeds. Self-hosting mainly relies on your upload speed, and I’ve found that 10 Mb/s upload is adequate for my needs. Of course, the faster the better.

In this setup, you will be running network services on hardware that is under your own control, within your own homes or offices. Later entries in this series will cover how to set up these different services. First, however, you’ll need to have a method of accessing your own private networks remotely. This can be achieved by running your own VPN server.

1. Obtain Hardware

The first step is to purchase appropriate hardware capable of hosting a VPN server. I decided to set up my OpenVPN server on a Raspberry Pi Model 3. The primary reasons I chose it were the low power requirements, low price, and great software support. In addition to the Raspberry Pi board and your Wi-Fi router and cable modem, you’ll want to obtain a case, power supply, and network patch cable.

I also have my Raspberry Pi, Wi-Fi router, and cable modem supported by an Uninterruptible Power Supply (UPS). When the power fails at my home, I can still maintain an Internet and VPN connection for a period of time. Because the power requirements are so low, my connection will last for approximately two hours without power.

2. Install Operating System and Software

At this point, you can choose and install a Linux distribution on the Raspberry Pi. The actual installation is beyond the scope of this blog post, but there are ample resources online for getting your Raspberry Pi up and running.

I am running the Raspbian distribution. I decided to go with the standard distribution primarily for ease of installation and easy access to security updates. However, any distribution should work fine. I recommend that you update all of your installed packages as well. On Raspbian, you can use apt update / apt upgrade.

Once setup is complete, it’s a good time to write down the MAC address of your network interface card on the Raspberry Pi. You can obtain this using ifconfig.

3. Configure Your Router

Now you’re ready to configure your Wi-Fi router’s DHCP server to assign a fixed IP address for your Raspberry Pi. I configured mine to 10.10.10.1. You can usually do this via a web-based admin console on your router. If you are hosting your own DHCP server, the process is essentially the same but not always web-based.

Next, you’ll configure your router to forward the standard OpenVPN port (typically 1194) to the Raspberry Pi’s IP address (again, 10.10.10.1 in my case). This will allow external connections to route appropriately into your network.

4. Install and Configure OpenVPN Server

Now comes the fun part. You’ll be installing and configuring OpenVPN. This step is a bit involved and may take some time, especially if this is the first time you’ve ever worked with VPNs and certificates. Rather than duplicating every step here, I will direct the reader to DigitalOcean’s excellent tutorial. The tutorial covers installation on Ubuntu 18, but I found that the steps work just fine on my Raspbian distribution.

I have multiple client devices (macOS, iOS, Windows 10) that I use, but I decided to use the same client certificate for my devices. Generating a different certificate for each device also works just fine, but in my case, the single certificate suits my needs.

To enable multiple connections using the same certificate, you’ll want to uncomment the following line.
/etc/openvpn/server.conf

# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
duplicate-cn

Next up, you’ll be pointing your client configuration to your public IP address/host name.

client.ovpn

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote your-host.your-domain-name.com 1194

Most broadband connections don’t change IP addresses very often, but if you want a more reliable connection, consider using a dynamic DNS service, which typically uses a DNS CNAME record to provide a host name/domain name alias for your changing address.

5. Install Client Software

Now you can install client software appropriate for your platform.

Platform    Product
macOS       Tunnelblick
Windows     OpenVPN
iOS         OpenVPN Connect
Android*    OpenVPN Connect

*Please note that I have not tested the Android version, as I do not have an Android device.

6. Copy Client Certificates to your Clients

Copy the client configurations (.ovpn files) to your devices. I recommend transferring them in a secure manner (USB drive, SCP/SFTP). On iOS, you can AirDrop the profiles to your iPhone/iPad, and they will open in the OpenVPN Connect app directly.

7. Test Your Connection

Attempt to connect from your device. Each client typically provides a connection/debug log. You can also monitor from the server side by tailing /var/log/syslog. Both logs can help with debugging your connection if you are having issues.
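As an added example (not code from the original post or from OpenVPN), a small Python triage script for the server-side syslog lines mentioned above: it pulls out completed handshakes and the two failure messages that most often explain a connection that won’t come up, and it lists common names seen from more than one address, which is expected with the duplicate-cn setting from step 4 but means that one certificate cannot be revoked for a single lost device without cutting off the rest. The log lines, host name, addresses and client CN are constructed samples in OpenVPN’s syslog format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenVPN's syslog format; host, PID, addresses and CN are placeholders.
SAMPLE_SYSLOG = """\
Nov 10 08:01:12 pi ovpn-server[812]: 203.0.113.7:49152 VERIFY OK: depth=1, CN=server_CA
Nov 10 08:01:13 pi ovpn-server[812]: 203.0.113.7:49152 [client1] Peer Connection Initiated with [AF_INET]203.0.113.7:49152
Nov 10 08:02:30 pi ovpn-server[812]: 198.51.100.9:60001 [client1] Peer Connection Initiated with [AF_INET]198.51.100.9:60001
Nov 10 08:04:40 pi ovpn-server[812]: 192.0.2.44:33333 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Nov 10 08:04:40 pi ovpn-server[812]: 192.0.2.44:33333 TLS Error: TLS handshake failed
Nov 10 08:05:02 pi ovpn-server[812]: 192.0.2.44:33334 VERIFY ERROR: depth=0, error=certificate has expired: CN=client1
Nov 10 08:05:02 pi ovpn-server[812]: 192.0.2.44:33334 TLS Error: TLS handshake failed
"""

LINE_RE = re.compile(r"ovpn-server\[\d+\]: (?P<peer>\d{1,3}(?:\.\d{1,3}){3}):\d+ (?P<msg>.*)$")
CN_RE = re.compile(r"^\[(?P<cn>[^\]]+)\] Peer Connection Initiated")

# Message fragments that explain most failed connections, and the label we count them under.
# (No server line at all for a client attempt usually means the port forward is not reaching the Pi.)
FAILURE_PATTERNS = (
    ("VERIFY ERROR", "verify_error"),                          # certificate rejected: expired, revoked, wrong CA
    ("key negotiation failed to occur", "handshake_timeout"),  # packets arrived, but TLS never completed
)

def triage(syslog_text):
    """Summarise server events: who completed a handshake, and which peers failed and why."""
    connected = []                   # (common name, source IP) per completed handshake
    failures = defaultdict(Counter)  # source IP -> Counter of failure labels
    for line in syslog_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                 # not an OpenVPN line, or one without a peer address
        peer, msg = m.group("peer"), m.group("msg")
        cn = CN_RE.match(msg)
        if cn:
            connected.append((cn.group("cn"), peer))
            continue
        for fragment, label in FAILURE_PATTERNS:
            if fragment in msg:
                failures[peer][label] += 1
    return {"connected": connected, "failures": {ip: dict(c) for ip, c in failures.items()}}

def shared_cert_peers(summary):
    """Common names seen from more than one address: normal with duplicate-cn, but it
    means that certificate cannot be revoked for one device without cutting off the rest."""
    ips_by_cn = defaultdict(set)
    for cn, ip in summary["connected"]:
        ips_by_cn[cn].add(ip)
    return {cn: sorted(ips) for cn, ips in ips_by_cn.items() if len(ips) > 1}
```

Run it against the output of `grep ovpn-server /var/log/syslog` instead of the sample to triage your own server.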

8. Bonus: Split VPN/Partial VPN Routing

By default, a VPN connection will route ALL of your traffic through the VPN tunnel. This is a common configuration for public or company VPN setups. One major downside of this is that your regular Internet traffic will be significantly slower because it routes through your home network and is limited by your upload speed.

For my purposes, I have found that it is extremely useful to have access to my home network while all other Internet traffic still routes directly out of my normal connection. This is especially useful when using Wi-Fi at work, while at family or friends’ homes, or on my LTE connection on my phone and my LTE 2-in-1.

This setup allows me to connect to anything on my home network as if it were directly accessible to me. I like to call this my “partial VPN.” This is by far the best capability I’ve discovered in configuring my VPN.

I keep my partial VPN connection active all the time on all my devices. This allows me to always have access to my home network and files while maintaining full access to the Internet. This is really my favorite part of using my own VPN. For example, just yesterday, I was walking in my favorite home improvement supply store with my LTE 2-in-1, and I was able to access files directly from my file-share on my home PC/server.

To set up a partial VPN, make a copy of the client.ovpn configuration generated earlier, name it client (partial).ovpn, and add the following lines:

client (partial).ovpn

route-nopull
route 10.10.10.0 255.255.255.0

Make sure the subnet and netmask match your home network configuration.

Copy this to your client device just as you did before. I maintain two configurations (“Full” and “Partial”).
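As an added example, not code from the post or from OpenVPN: a Python helper that derives the partial profile from the full one, appends the two lines above, and refuses to proceed when the subnet and netmask do not describe a valid private network (the check this step asks you to make by hand), when the profile already contains route-nopull, or when the remote line from step 4 is missing. The profile text is a constructed stand-in for the tutorial’s client.ovpn, and the host name and the 10.10.10.0/24 LAN are the post’s own placeholders.

```python
import ipaddress
import re

# Constructed stand-in for the client.ovpn the tutorial generates; the host name is a
# placeholder and the inline <ca>/<cert>/<key>/<tls-auth> blocks are left out.
FULL_PROFILE = """\
client
dev tun
proto udp
remote your-host.your-domain-name.com 1194
"""
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_partial_inputs(full_profile, lan_subnet, lan_netmask):
    """Return the reasons a partial profile must not be generated (empty list = all good)."""
    problems = []
    try:
        network = ipaddress.IPv4Network((lan_subnet, lan_netmask), strict=True)
        if not any(network.subnet_of(r) for r in RFC1918):
            problems.append(f"{network} is not a private (RFC 1918) range; do not route it home")
    except ValueError as e:  # malformed netmask, or host bits set in the subnet address
        problems.append(f"bad subnet/netmask: {e}")
    lines = full_profile.splitlines()
    if any(l.split()[:1] == ["route-nopull"] for l in lines):
        problems.append("profile already contains route-nopull (is this already the partial one?)")
    if not any(re.match(r"^remote\s+\S+\s+\d+", l) for l in lines):
        problems.append("no 'remote <host> <port>' line; point the profile at your public host first")
    return problems

def make_partial_profile(full_profile, lan_subnet, lan_netmask):
    """Copy of the full-tunnel .ovpn that sends only the home LAN through the VPN.
    route-nopull makes the client ignore pushed routes and DHCP options (redirect-gateway
    and DNS servers included), so the default route stays local and only the LAN is tunnelled."""
    problems = check_partial_inputs(full_profile, lan_subnet, lan_netmask)
    if problems:
        raise ValueError("; ".join(problems))
    network = ipaddress.IPv4Network((lan_subnet, lan_netmask))
    extra = ["", "# partial VPN: only the home LAN goes through the tunnel",
             "route-nopull", f"route {network.network_address} {network.netmask}"]
    return "\n".join(full_profile.splitlines() + extra) + "\n"

def routed_networks(profile):
    """Read the route lines back out, as a last check before copying the file to a device."""
    routes = (re.match(r"^route\s+(\S+)\s+(\S+)", l) for l in profile.splitlines())
    return [str(ipaddress.IPv4Network((m.group(1), m.group(2)))) for m in routes if m]

if __name__ == "__main__":
    partial = make_partial_profile(FULL_PROFILE, "10.10.10.0", "255.255.255.0")
    print(partial, routed_networks(partial))
```

Because route-nopull also drops pushed DNS servers, home hosts must be reached by IP address (or via a DNS entry you add by hand) in the partial profile.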

Of course, if you are on a public network like a coffee shop, you can use your standard VPN client profile to route all of your traffic through your home connection, preventing people on the public network from snooping on your traffic.

What’s Next?

This is just the first, but extremely important, step in the self-hosting journey. Now that you have a direct way of accessing anything on your home network, you can begin to build your network services.

Later in this series, I’ll cover setting up and hosting alternatives to Google Drive, Google Photos, Gmail and others. See below for a list of the upcoming posts.

Upcoming posts

This is the first in a series about protecting your privacy by self-hosting, while attempting to maintain the conveniences of public cloud services.

  1. Setting up OpenVPN
  2. SMB File Server with Automated Backups using Rsync/Rclone
  3. Notes using Nextcloud and Syncthing (coming soon)
  4. Movies and Music using Emby
  5. Photos and Home Movies using Custom Tool
  6. Bookmarks and Browsing History using Firefox Sync and Accounts Server
  7. Email
  8. Self-Hosting Contacts and Calendars