Self-Hosting Your Own Cloud – Part 1: OpenVPN

I recently became very concerned about online privacy when I discovered that Google was maintaining a list of everything I’ve purchased and every flight I’ve taken. I had known that Gmail sorts and filters emails for advertising purposes, but seeing everything consolidated was a big surprise and concern to me.

If you use Chrome and have a Google Account, all of your bookmarks, browsing history, and everything you type into the address bar is sent to and stored on Google servers. Your personal information is stored on servers operated by Google and other companies somewhere on the Internet.

Google also tracks your movements across the web through Google Analytics, Captcha, and Google Public DNS. If you use Google Assistant or have Google products in your home, it can collect even more information about you, which it uses for selling your personal information to advertisers. Of course, Google is not the only company which is collecting this information. A lot of people seem to be willing to trade convenience for privacy without fully realizing what is happening to their data.

This is the first post in a series about protecting your privacy by self-hosting while attempting to maintain the conveniences of public cloud services. See the bottom of this post for a list.

What is Self-Hosting?

Self-hosting is an alternative to the public cloud services that are widely available today. It is about hosting and storing data on your own computers, away from the prying eyes of system administrators, advertisers, and others who might buy, sell, or steal your private data.

These services include email; calendars; contact providers such as Google Gmail and Hotmail; file storage such as Google Drive, DropBox, or Box; photo storage such as Google Photos; music and movie streaming such as Spotify or Apple Music; notes such as Apple Notes; and other services.

When you host your own services, you have complete control and private access to your own data.

How to Self-Host Using a VPN

Most people have high-speed Internet access at their homes and offices. At my home, my connection can achieve 180 Mb/s download and 10 Mb/s upload speeds. Self-hosting mainly relies on your upload speed, and I’ve found that 10 Mb/s upload is adequate for my needs. Of course, the faster the better.

In this setup, you will be running network services on hardware that is under your own control, within your own homes or offices. Later entries in this series will cover how to set up these different services. First, however, you’ll need to have a method of accessing your own private networks remotely. This can be achieved by running your own VPN server.

1. Obtain Hardware

The first step is to purchase appropriate hardware capable of hosting a VPN server. I decided to set up my OpenVPN server on a Raspberry Pi Model 3. The primary reasons I chose it were the low power requirements, low price, and great software support. In addition to the Raspberry Pi board and your Wi-Fi router and cable modem, you’ll want to obtain a case, power supply, and network patch cable.

I also have my Raspberry Pi, Wi-Fi router, and cable modem backed by an Uninterruptible Power Supply (UPS). When the power fails at my home, I can still maintain an Internet and VPN connection for a period of time. Because the power requirements are so low, my connection will last for approximately two hours without power.

2. Install Operating System and Software

At this point, you can choose and install a Linux distribution on the Raspberry Pi. The actual installation is beyond the scope of this blog post, but there are ample resources online for getting your Raspberry Pi up and running.

I am running the Raspbian distribution. I decided to go with the standard distribution primarily for ease of installation and easy access to security updates. However, any distribution should work fine. I recommend that you update all of your installed packages as well. On Raspbian, you can use apt update / apt upgrade.

Once setup is complete, it’s a good time to write down the MAC address of your network interface card on the Raspberry Pi. You can obtain this using ifconfig.

3. Configure Your Router

Now you’re ready to configure your Wi-Fi router’s DHCP server to assign a fixed IP address to your Raspberry Pi. I configured mine to 10.10.10.1. You can usually do this via a web-based admin console on your router. If you are hosting your own DHCP server, the process is essentially the same but not always web-based.

Next, you’ll configure your router to forward the standard OpenVPN port (typically 1194) to the Raspberry Pi’s IP address (again, 10.10.10.1 in my case). This will allow external connections to route appropriately into your network.

4. Install and Configure OpenVPN Server

Now comes the fun part. You’ll be installing and configuring OpenVPN. This step is a bit involved and may take some time, especially if this is the first time you’ve ever worked with VPNs and certificates. Rather than duplicating every step here, I will direct the reader to DigitalOcean’s excellent tutorial. The tutorial covers installation on Ubuntu 18, but I found that the steps work just fine on my Raspbian distribution.

I have multiple client devices (macOS, iOS, Windows 10) that I use, but I decided to use the same client certificate for my devices. Generating a different certificate for each device also works just fine, but in my case, the single certificate suits my needs.

To enable multiple connections using the same certificate, you’ll want to uncomment the following line.
/etc/openvpn/server.conf

# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
duplicate-cn

Next up, you’ll be pointing your client configuration to your public IP address/host name.

client.ovpn

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote your-host.your-domain-name.com 1194

Most broadband connections don’t change IP addresses too often, and if you want a more reliable connection, you can consider using a dynamic DNS service which typically uses a DNS CNAME record to provide a host name/domain name alias.

5. Install Client Software

Now you can install client software appropriate for your platform.

Platform   Product
macOS      Tunnelblick
Windows    OpenVPN
iOS        OpenVPN Connect
Android*   OpenVPN Connect

*Please note that I have not tested the Android version, as I do not have an Android device.

6. Copy Client Certificates to your Clients

Copy the client configurations (.ovpn files) to your devices. I recommend transferring them in a secure manner (USB drive, SCP/SFTP). On iOS, you can AirDrop the profiles to your iPhone/iPad, and they will open in the OpenVPN Connect app directly.

7. Test Your Connection

Attempt to connect from your device. Each client typically provides a connection/debug log. You can also monitor from the server side by tailing /var/log/syslog. Both logs can help with debugging your connection if you are having issues.
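Tailing syslog by hand works, but a small parser makes the server-side check repeatable. The following is an added example (not code from the original post) that summarises which client certificate common name connected from which source address and which sources failed the TLS handshake; the syslog lines are constructed samples in the shape OpenVPN writes when it logs via syslog, and the `ovpn-server` tag and addresses are assumptions. Because the post shares one certificate across devices with duplicate-cn, the source address in these lines is the only thing that tells the sessions apart.

```python
"""Summarise OpenVPN client connections from syslog lines (step 7 check)."""
import re
from collections import defaultdict

# Constructed sample syslog lines; the "ovpn-server" tag is an assumption
# and the addresses are documentation ranges, not real hosts.
SAMPLE_SYSLOG = """\
May 22 20:18:45 raspberrypi ovpn-server[612]: 203.0.113.5:55995 [client] Peer Connection Initiated with [AF_INET]203.0.113.5:55995
May 22 20:19:02 raspberrypi ovpn-server[612]: 198.51.100.7:41022 [client] Peer Connection Initiated with [AF_INET]198.51.100.7:41022
May 22 20:21:10 raspberrypi ovpn-server[612]: 192.0.2.9:50011 TLS Error: TLS handshake failed
May 22 20:21:44 raspberrypi sshd[700]: Accepted publickey for pi from 10.10.10.50 port 52010 ssh2
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PEER_RE = re.compile(rf"(?P<src>{IPV4}):\d+ \[(?P<cn>[^\]]+)\] Peer Connection Initiated")
TLS_FAIL_RE = re.compile(rf"(?P<src>{IPV4}):\d+ TLS Error: TLS handshake failed")


def summarise(log_text: str):
    """Return ({common_name: sorted source IPs}, [source IPs with failed handshakes]).

    Only lines from the OpenVPN daemon are considered; other syslog
    traffic (sshd, cron, ...) is skipped.
    """
    by_cn = defaultdict(set)
    failures = []
    for line in log_text.splitlines():
        if "ovpn-server" not in line:
            continue
        peer = PEER_RE.search(line)
        if peer:
            by_cn[peer["cn"]].add(peer["src"])
            continue
        fail = TLS_FAIL_RE.search(line)
        if fail:
            failures.append(fail["src"])
    return {cn: sorted(ips) for cn, ips in by_cn.items()}, failures


if __name__ == "__main__":
    connected, failed = summarise(SAMPLE_SYSLOG)
    for cn, sources in connected.items():
        print(f"{cn}: {', '.join(sources)}")
    print("failed handshakes from:", ", ".join(failed) or "none")
```

A source address that repeatedly appears in the failed-handshake list but never in the connected list is worth checking against the devices you actually own.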

8. Bonus: Split VPN/Partial VPN Routing

By default, a VPN connection will route ALL of your traffic through the VPN tunnel. This is a common configuration for public or company VPN setups. One major downside of this is that your regular Internet traffic will be significantly slower because it routes through your home network and is limited by your upload speed.

For my purposes, I have found that it is extremely useful to have access to my home network while all other Internet traffic still routes directly out of my normal connection. This is especially useful when using Wi-Fi at work, while at family or friends’ homes, or on my LTE connection on my phone and my LTE 2-in-1.

This setup allows me to connect to anything on my home network as if it were directly accessible to me. I like to call this my “partial VPN.” This is by far the best capability I’ve discovered in configuring my VPN.

I keep my partial VPN connection active all the time on all my devices. This allows me to always have access to my home network and files while maintaining full access to the Internet. This is really my favorite part of using my own VPN. For example, just yesterday, I was walking in my favorite home improvement supply store with my LTE 2-in-1, and I was able to access files directly from my file-share on my home PC/server.

To set up a partial VPN, make a copy of your client configuration client.ovpn generated earlier as client (partial).ovpn, and add the following lines:

client (partial).ovpn

route-nopull
route 10.10.10.0 255.255.255.0

Make sure the subnet and netmask match your home network configuration.
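Since a wrong subnet or netmask silently breaks the partial profile, here is an added example (not code from the original post) that derives client (partial).ovpn from the full profile and validates the route first: the home subnet must be a proper network address with no host bits set, and it must not overlap the tunnel's own address pool (10.8.0.0/24 in the post's setup). The sample full profile, the file names and the `vpn_subnet` parameter are assumptions.

```python
"""Derive a split-tunnel ("partial VPN") OpenVPN client profile from the
full-tunnel profile, validating the home route before writing it."""
import ipaddress

# Constructed sample of a full-tunnel client.ovpn; only the remote line
# matches the post, the rest is a typical minimal client profile.
FULL_PROFILE = """client
dev tun
proto udp
remote your-host.your-domain-name.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
"""


def make_partial_profile(full_profile: str, home_subnet: str, vpn_subnet: str) -> str:
    """Return a profile that routes only home_subnet through the tunnel.

    route-nopull makes the client ignore every route the server pushes
    (including a default-route redirect); the explicit route line then adds
    back just the home LAN.  home_subnet is parsed strictly, so a value with
    host bits set (e.g. 10.10.10.1/24) is rejected instead of producing a
    route OpenVPN would warn about or misapply.
    """
    home = ipaddress.ip_network(home_subnet, strict=True)
    tunnel = ipaddress.ip_network(vpn_subnet, strict=True)
    if home.overlaps(tunnel):
        raise ValueError(f"home subnet {home} overlaps tunnel subnet {tunnel}")
    if "redirect-gateway" in full_profile:
        # A client-side redirect-gateway would still send all traffic into the tunnel.
        raise ValueError("profile sets redirect-gateway; remove it for split routing")
    # Drop any stale route directives so the copy carries exactly one route.
    lines = [ln for ln in full_profile.splitlines()
             if not ln.startswith(("route-nopull", "route "))]
    lines.append("route-nopull")
    lines.append(f"route {home.network_address} {home.netmask}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    partial = make_partial_profile(FULL_PROFILE, "10.10.10.0/24", "10.8.0.0/24")
    with open("client (partial).ovpn", "w") as fh:
        fh.write(partial)
    print(partial)
</test>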

Copy this to your client device just as you did before. I maintain two configurations (“Full” and “Partial”).

Of course, if you are on a public network like a coffee shop, you can use your standard VPN client profile to route all of your traffic through your home connection, preventing people on the public network from snooping on your traffic.

What’s Next?

This is just the first, but extremely important, step in the self-hosting journey. Now that you have a direct way of accessing anything on your home network, you can begin to build your network services.

Later in this series, I’ll cover setting up and hosting alternatives to Google Drive, Google Photos, Gmail and others. See below for a list of the upcoming posts.

Upcoming posts

This is the first in a series about protecting your privacy by self-hosting, while attempting to maintain the conveniences of public cloud services.

  1. Setting up OpenVPN
  2. SMB File Server with Automated Backups using Rsync/Rclone
  3. Note-taking with Nextcloud & Syncthing
  4. Movies and Music using Emby
  5. Protect Yourself Online with Privacy Tools
  6. Ad and Tracker Blocking with Pi-Hole
  7. Email, Contacts, and Calendars
  8. Bookmarks and Browsing History using Firefox Sync and Accounts Server
  9. Photos and Home Movies using Custom Tool
Conversation
  • Hannan says:

    It is the first time I see such an informative article about Self-Hosting Your Own Cloud. You mentioned more than it is needed. I am a PureVPN user and it is really useful to have information on “How to Self-Host Using a VPN”. I’ll try it.

  • ssss says:

    I am trying the exact same setup. But at the end I can’t see the files and folders and other devices from my home network as if I am there. Or may be I don’t know how to?

    I have created OpenVPN server on R-pi model 3 and have 2 OpenVPN clients…one is Android device and another one is Windows PC.

    connection is successfully established between all of these.

    Please help.

    Thanks in advance.

    • Jordan Nelson says:

      Hi ssss,

      On your Windows OpenVPN client, are you able to see something like this in the status screen?

      >STATE:1558573125,CONNECTED,SUCCESS,10.8.0.6,111.222.333.444,1194,10.10.10.27,55995

      In my case, the IP address assigned by OpenVPN is 10.8.0.6 (my normal private network is a 10.10.10/24).

      If you run ipconfig in a Command Prompt, you should be able to see something like:

      Ethernet adapter Ethernet 3:
      IPv4 Address. . . . . . . . . . . : 10.8.0.6

      If you can see an assigned IP address on each of those, you could try pinging an IP on your private network. Also try running tracert to an internal IP on your private network. You should see your VPN connection as the first hop:

      Tracing route to LORULE [10.10.10.50]
      over a maximum of 30 hops:

      1 117 ms 57 ms 58 ms 10.8.0.1
      2 82 ms 43 ms 58 ms LORULE [10.10.10.50]

      If you are at home trying to test, it might help to tether your computer to your phone / disconnect from your main Wi-Fi/network. Or try from outside your main network. In my case, I am using a Surface Go with a cellular connection so it has helped to try and debug while at home with my Wi-Fi connection turned off.

      I hope some of this helps. Please let me know if you need any further help.

      • ssss says:

        Hi Jordan,

        Thanks for the quick reply.

        Pardon me if I wasn’t clear previously with my query. I have Android connected to VPN with mobile data. Windows PC and R-pi (VPN server) are on same network.

        I did get the IPs 10.8.0.2 and so on from the private VPN network. Everything works fine as expected from online tutorials.

        With this connection I am supposed to see the folders and devices connected to my Windows PC from my android phone and vice versa (which is my goal).

        But I don’t know how to see or where to see those folders and devices from one another.

        This is where I need your guidance.

        • Jordan Nelson says:

          ssss,

          I don’t believe that you will be able to see the other devices on your network while connected to your VPN through the network discovery built into Windows. At least I have not been able to do this.

          However, you should be able to specify the IP address directly. For example, the IP of my primary workstation/server is 10.10.10.50. You should be able to, after connecting to your VPN, specify \\10.10.10.50 in the Windows address bar.

          Another thing you can test is using Remote Desktop using the same IP address method as above.

          I hope this helps a bit.

  • Gunther Schwenninger says:

    Very informative and helpful article. I was searching a long time for a partial VPN solution. Thank you so much

    In some cases, it might be a good idea to connect from outside to port 443 instead of 1194 (and reroute the incoming traffic to 1194 on the target system), because in some company networks only port 80 and 443 is allowed to connect to the internet and all others ports are blocked by firewall systems.

    • Jordan Nelson says:

      That’s a good suggestion – thank you. If that works best for you or others, that’s great, I would go for it and configure my router to redirect port 443 externally to 1194 internally.

      In my particular case, my ISP at home blocks incoming connections on 80 and 443 because they don’t want you to host web servers without having a more business-oriented service plan. Luckily I have no such port restrictions at work so I am able to connect to 1194.

  • Daniel says:

    Hello,

    is there a way to generate .ovpn client files that automatically are set up for particular traffic only? I know that would be luxurious, but with Linux there is always a way to do something :)

    Thanks.

  • Evan says:

    Jordan, thank you for writing this!
    I was hoping you could elaborate on the “3. Configure Your Router” step. I am experienced with linux, rpis, software/dependency setup, but the part that always gets me stuck when trying to figure out self-hosting and home-server setup is the router/IP configuration. I don’t know much about networking or its acronyms (DNS, DHCP, etc..)

    Two questions:
    1) Do you need to have any special service or subscription from your ISP? From what I’ve read, it sounds like you may need to pay extra to get a static IP or to access your server’s IP from outside your home network (eg: you want to ssh into your home server from a cafe’s wifi).

    2) Do you need to have a special router? For example, does it need to support OpenWRT?

    Apologies if my questions are unclear. Here is my idea of a home-server, please let me know if anything is out of scope for your writeup:
    a. single user (me), multiple devices (only one device needs access at any given time)
    b. using just my normal internet with my OpenWRT-supported router, no extra subscriptions or options for static IP
    c. ssh into your server remotely (from outside network)
    d. self-host applications like Wekan, Firefly III, Nextcloud and its suite of applications (to be able to sync and access just like you were using a paid/free hosting provider)
    e. other sync stuff I have less experience with like samba, rsync, rclone, syncthing, etc…

    • Jordan Nelson says:

      Evan,

      I am using a cable Internet connection (Comcast here in the US) where my IP address doesn’t change often at all. Actually, I don’t remember the last time it changed and it has been several years now.

      However, if yours does change often, you could use a dynamic DNS service that allows you to have a host name that resolves to current latest IP address. This is typically done via a tool that runs in the background and periodically updates the dynamic DNS server. Try searching for “free dynamic dns.”

      In my case, I have a domain name and host name which resolve to my current IP address. Like I said, since it doesn’t really change often at all, this seems to work well for me.

      Regarding the router, I am not using anything special. Just a Netgear router with the standard firmware. I just set up port forwarding from my router to my Raspberry Pi running the OpenVPN server software. Some ISPs might block certain ports (< 1024) but the higher-numbered ports are usually okay. I hope this helps. Please let me know if you have any other questions.
